Is there a way to verify via a log file on the ATD appliance that an analyzed file has been published to the DXL Broker?
I am currently trying to troubleshoot why a file analyzed and found to be malware with a severity of 4 is not being sent to a TIE server. If I look on the DXL Broker I do not see the report stored and available to subscribers like TIE. So, I am trying to find out if a report was created and successfully sent from ATD to the DXL Broker.
Any help/information is greatly appreciated.
it depends on the Version of ATD you are using. Some things are important.
- DXL Version 126.96.36.1990
- TIE 1.1.1
- ATD Version 188.8.131.52.50610
Afterwards configure the following Settings in the ATD GUI.
Now you need the following two EPO extensions. This extensions are enabling the following Features.
- If ATD detects a threat an EPO threat Event is Generated.
- Files uploaded to ATD are visible under TIE reputations.
At the moment i do not know if this extensions are public. I will check this. If yes i will post the extensions. You can ask your McAfee representative for the extensions as well.
If the extensions are installed ATD is able to add Files to TIE Reputations.
Everything is exactly as you have laid it out. However, we do not have the ePO extension as product management told us that there was a problem with the extension and it was not ready/available for us to use.
In fact we are seeing some files evaluated by ATD show up on the TIE Reputation page with a rating from ATD, but it seems random. For example a severity 5 analyzed via static analysis we will see, but a Severity 5 convicted by GAM or DAT down selector will not be seen on the TIE Reputation page or a Severity 4 convicted by Dynamic also doesn't seemed to be sent to TIE.
That is why I was trying to figure if there is a problem and with no report on the broker I am focusing my attention on the ATD box. Does that make any sense?
yes, i opened a case for this behavior. Got an Information like this....
Many thanks for your response.
I wanted to reproduce the issue and then gather the logs from the endpoint and from ePO to verify that the file is correctly sent to ePO Server and discard any problem with the DXL communication. But, based on your email, you are confirming that the file is correctly received. So let's leave that part aside.
Now, regarding the question, TIE rules will first query the enterprise for the reputation. This is by design. And if there is none (aka “not set”), it will fall back to GTI (if allowed and enabled by policy). If all the rules ran and still were unable to determine the reputation, the rules will finish and the local reputation on the TIE Client for the file will be “unknown”.
So, in short words, an “unknown” results mean that the file does not exist on our database and on our servers and that the rules were not able to determine the reputation of it. This is an expected behavior by design and not a problem.
To clarify even more, please find attached an image explaining the way TIE works and narrows down the “unknown” detections.
I hope this information answers your question. When possible, please kindly let me know is you are happy to archive this case.
My question was, why ATD Reputaion is not visible und TIE Reputation. One Conclusio was, if ATD detects a L2 detection the file might not be clean as well. Therefore such a value is not added to TIE. From my side this is bullshit, because i want to know if the file was inspected by ATD and what was the detection score.
there are somen changes since the latest versions of TIE/DXL and ATD.
You can see now if the ATD reputation is set to unknonw or not available.
unknown: ATD has analyzed the file but no bad behavior.
not available: no info from ATD.
At the moment i do not know if there is any Debugging LOG available for any DXL "broadcast".