How to immediately distribute protection against emerging threats across your environment

Version 7


    Introduction

     

    You may already have noticed how fast this added visibility and control is.  Threat details collected from malware encountered at endpoints and network gateways can propagate through the Data Exchange Layer in milliseconds, educating all connected security components so that they proactively immunize against newly detected threats.

     


    Prerequisites

     

    • Hackit.exe is on the desktop of your client system.  Hackit can be downloaded from: http://mcaf.ee/yiuva.
    • The TIE module for VSE policy is set to Enforce, with the block threshold set at Unknown.

     

    Objective


    The objective of this use case is to demonstrate the speed with which a reputation change is distributed over the Data Exchange Layer, and how widely it reaches.  Successful completion of this use case should demonstrate the near real-time distribution that the Data Exchange Layer offers.


    Use Case

     

    Remote Desktop into the client system and run Hackit.exe.  Executing the file causes the TIE module to look up its reputation, which records the file (by hash) on the TIE Reputations page in ePO.

    hackit.png

    Right click the Hackit icon in the system tray and click Shutdown Hack-it

    Be ready to launch Hackit.exe again as quickly as possible in a later step.

    hackit shutdown.png

     

    Click on Menu | Systems Section | TIE Reputations

    uv2.PNG

    In the File Search tab, enter Hackit.exe in the search field and click Find Files.

    *Note: pressing Enter will not trigger the search.  You must click the Find Files button with the mouse.

     

    a.png
    Click the checkbox next to HackIt.exe 

    Capture2.PNG

    Are you ready to be quick?  Click Actions and mark the Hackit.exe file as ‘File Most Likely Malicious’.

    Move to the next step quickly.

    Capture.PNG
      
    Remote Desktop into the client system and attempt to re-run Hackit.exe.

    hackit.png

    The execution attempt will be blocked.

    Note that the reputation update was distributed immediately from ePO to the TIE client over the DXL; the TIE module updates its local reputation cache from the change event rather than waiting for an agent-server communication interval. This kind of communication typically takes less than 1 second. You can repeat the test by changing the file reputation in ePO from “File Most Likely Malicious” to “File Known Trusted”, after which Hackit.exe runs again.

    block Hackit.png
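The same reputation change can be pushed, and the resulting DXL event observed, programmatically. The script below is an added example, not part of this use case or of McAfee's own tooling: it assumes the OpenDXL Python client (dxlclient) and the OpenDXL TIE client (dxltieclient) are installed and that a dxlclient.config has been provisioned against the ePO/DXL broker. The TIE API calls (set_file_reputation, add_file_reputation_change_callback), the numeric trust levels and the field names of the reputation-change event (hashes, oldReputations, newReputations, trustLevel, provider id 3 for the enterprise reputation) follow the OpenDXL TIE client documentation as the editor recalls it and should be treated as assumptions; SAMPLE_EVENT is a constructed event for offline testing. The DXL parts only run when you invoke the set/watch commands, so the hashing and event-handling logic can be exercised without a broker.

```python
"""Push a TIE enterprise reputation over DXL and watch the change event.

Added example. Assumes dxlclient + dxltieclient (OpenDXL) and a provisioned
dxlclient.config.  API names, trust-level values and event field names are
taken from the OpenDXL TIE client docs as recalled here (assumption).
"""
import hashlib
import os
import sys
import time

# TIE trust levels (same values as dxltieclient.constants.TrustLevel, assumed)
KNOWN_TRUSTED = 99
UNKNOWN = 50
MOST_LIKELY_MALICIOUS = 15
ENTERPRISE_PROVIDER = 3   # provider id of the ePO-set (enterprise) reputation

# Constructed reputation-change event, shaped like what the TIE client hands to
# FileReputationChangeCallback.on_reputation_change (assumed field names).
SAMPLE_EVENT = {
    "hashes": {"md5": "d41d8cd98f00b204e9800998ecf8427e",
               "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    "oldReputations": {"3": {"providerId": 3, "trustLevel": 50}},
    "newReputations": {"3": {"providerId": 3, "trustLevel": 15}},
    "updateTime": 1476884800,
}


def hashes_of_bytes(data):
    """Return the md5/sha1/sha256 digests TIE keys a file on (HashType values)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def file_hashes(path):
    with open(path, "rb") as fh:
        return hashes_of_bytes(fh.read())


def would_block(trust_level, block_at=UNKNOWN):
    """Model an Enforce policy that blocks at a threshold: anything at or below
    it is blocked (lower number == less trusted).  Adjust if your policy differs."""
    return trust_level <= block_at


def enterprise_change(rep_change):
    """Extract (old, new) enterprise trust levels from a change-event dict."""
    def level(reps):
        entry = reps.get(str(ENTERPRISE_PROVIDER)) or reps.get(ENTERPRISE_PROVIDER)
        return None if entry is None else entry["trustLevel"]
    return (level(rep_change.get("oldReputations", {})),
            level(rep_change.get("newReputations", {})))


def set_enterprise_reputation(config_file, path, trust_level, comment=""):
    """Programmatic equivalent of Actions > set reputation in TIE Reputations."""
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxltieclient import TieClient
    hashes = file_hashes(path)
    config = DxlClientConfig.create_dxl_config_from_file(config_file)
    with DxlClient(config) as client:
        client.connect()
        TieClient(client).set_file_reputation(
            trust_level, hashes, filename=os.path.basename(path), comment=comment)
    return hashes


def watch_reputation_changes(config_file, seconds=30):
    """Subscribe to the reputation-change events every TIE module receives over
    DXL and print what each one means for enforcement."""
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxltieclient import TieClient
    from dxltieclient.callbacks import FileReputationChangeCallback

    class Printer(FileReputationChangeCallback):
        def on_reputation_change(self, rep_change_dict, original_event):
            old, new = enterprise_change(rep_change_dict)
            blocked = None if new is None else would_block(new)
            print("%s enterprise %s -> %s at %s, blocked=%s" % (
                rep_change_dict["hashes"].get("sha1"), old, new,
                rep_change_dict.get("updateTime"), blocked))

    config = DxlClientConfig.create_dxl_config_from_file(config_file)
    with DxlClient(config) as client:
        client.connect()
        TieClient(client).add_file_reputation_change_callback(Printer())
        time.sleep(seconds)


if __name__ == "__main__":
    # usage: tie_rep.py set <dxlclient.config> <file> malicious|trusted
    #        tie_rep.py watch <dxlclient.config> [seconds]
    if len(sys.argv) >= 5 and sys.argv[1] == "set":
        level = MOST_LIKELY_MALICIOUS if sys.argv[4] == "malicious" else KNOWN_TRUSTED
        print(set_enterprise_reputation(sys.argv[2], sys.argv[3], level, "set via DXL"))
    elif len(sys.argv) >= 3 and sys.argv[1] == "watch":
        watch_reputation_changes(sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 30)
    else:
        print(__doc__)
```

Run "watch" on one host and "set ... malicious" on another: the change event arrives at the watcher in well under a second, which is the same path the TIE module on the client takes to update its cache before the next execution attempt is evaluated.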


    Conclusion


    No more waiting for agent wake-up calls, slow DAT releases or for the global threat feed to update!  The speed and reach of the Data Exchange Layer provides a communication fabric that allows immediate protection across your entire enterprise.