McAfee Threat Intelligence Exchange gives complete visibility of new executables and certificates running in your environment, with added endpoint protection that takes local, enterprise and global context into account when determining risky behavior. Now that you are fully aware of the files and associated certificates running in your environment and have been able to explore where possible compromises and threats are occurring, let’s take a look at the benefits of the Threat Intelligence Exchange module for VSE.
The TIE Client makes accurate file execution decisions by combining intelligence from local endpoint context (file, process, and environmental attributes) with the currently available collective threat intelligence (for example, organizational prevalence, age, and reputation). When you customize the McAfee Threat Intelligence Exchange VirusScan Enterprise Module to your organization’s level of risk tolerance at the endpoint, administrators get the flexibility to set execution conditions driven by their specific requirements. This can be as rigid as a zero-tolerance policy for unknown or ‘grey’ files: a rule that no file is allowed to execute unless it has a known and acceptable reputation.
The objective of this use case is to demonstrate the power of the TIE Client for zero-day threats. Successful completion of this use case should demonstrate the added intelligence that the TIE client offers.
Based on our research, we know that malware tends to hide itself in specific folders. In this use case, we will explore the root of $appdata$\roaming as an indicator of risky behavior.
On the endpoint, in Explorer navigate to C:\ and select Organize | Folder and Search Options.
On the View tab, click Show hidden files, folders, and drives.
Move the sample file Roaming.exe to C:\Users\<user>\AppData\Roaming
Execute Roaming.exe from this folder.
The TIE Client rules will block the file from being executed and expose the context as to which rule was triggered under Convicting Rule. In this case it is ‘Identified suspicious files executing from the roaming folder’.
Note: Running from the Recycle Bin is another good example of a risky behavior we use to help detect malware.
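The two location rules named above (the root of the Roaming folder and the Recycle Bin) can be expressed as a simple path check. The following is an added example, not McAfee code: it models those rules over a few constructed process-launch events. The rule names, the path patterns, and the decision that only the Roaming root (not application subfolders beneath it) is suspicious are assumptions made for illustration, following the use case's wording.

```python
"""Context rules for 'risky location' executions, evaluated over constructed
process-launch events.

Added example (not McAfee code): models the two location rules the use case
names, a file launched from the root of the user's Roaming folder and a file
launched from the Recycle Bin. Rule names, path patterns and event format are
assumptions for illustration.
"""
import ntpath
import re

# Assumed rule set: (rule name, pattern matched against the image's parent
# directory). Only the Roaming *root* is flagged, since the use case treats the
# root of the folder as the indicator; application subfolders such as
# Roaming\Microsoft\... are deliberately not matched by this rule.
RULES = [
    ("Identified suspicious files executing from the roaming folder",
     re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming$", re.IGNORECASE)),
    ("Identified suspicious files executing from the recycle bin",
     re.compile(r"^[a-z]:\\\$recycle\.bin(\\.*)?$", re.IGNORECASE)),
]

# Constructed sample launch events (image path of the launched process); not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Users\alice\AppData\Roaming\Roaming.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\current\Teams.exe",
    r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$RXYZ123.exe",
    r"C:\Program Files\Hackit\Hackit.exe",
    "c:/users/bob/appdata/roaming/dropper.EXE",
]


def convicting_rule(image_path):
    """Return the name of the first rule the launch path triggers, or None.

    ntpath is used so Windows paths (including forward-slash and mixed-case
    variants) are normalized the same way on any host running this script.
    """
    parent = ntpath.dirname(ntpath.normpath(image_path))
    for name, pattern in RULES:
        if pattern.match(parent):
            return name
    return None


def triage(events):
    """Map each launch event to (path, 'block', rule) or (path, 'allow', None)."""
    results = []
    for path in events:
        rule = convicting_rule(path)
        results.append((path, "block" if rule else "allow", rule))
    return results


if __name__ == "__main__":
    for path, decision, rule in triage(SAMPLE_EVENTS):
        print(f"{decision:5}  {path}" + (f"  <- {rule}" if rule else ""))
```

The parent-directory match is what distinguishes Roaming.exe at the root of Roaming (blocked) from a legitimate application living in a Roaming subfolder (allowed); the Recycle Bin rule matches any depth because the per-SID subfolders under $Recycle.Bin are the normal location for recycled items.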
To view the added value of the TIE rules across your entire environment select the Dashboard – TIE module for VSE enforced events.
Click into Block Events by Event Type.
The Rule Name exposes the added value of the TIE Client by showing the specific rule that was triggered.
Click on Roaming.exe to view additional information on the block.
To view the TIE rules in more detail, go to Menu | Configuration | Server Settings.
Click Threat Intelligence Exchange Module for VSE.
Click Edit to view the rule details. To change the rule mode, select the checkbox next to a rule and click Actions.
Additional bonus exercise: To demonstrate TIE’s ability to catch all zero-day attacks even further, you may want to manipulate a known file to see what happens. Prerequisites:
Remote Desktop into the client system and run Hackit.exe. Based on the GTI Known Trusted reputation, the file will be allowed to run.
Right-click the Hackit icon in the system tray and click Shutdown Hack-it.
Open Hackit.exe in your hex editor. Edit something minor, such as the text ‘This program cannot be run in DOS mode’, to a different string. You only need to change it enough to change the file hash. Save it under a new file name.
Execute the new file and view the block.
When you research the block in the ePO console, you will see that the file is no longer allowed to run based on GTI reputation, as it was in the previous step. File execution is blocked based on its unknown reputation.
The added enterprise, global and local context allows the TIE client to apply a set of rules that indicate risky behavior. As seen in this use case, a file that is unknown in your environment with no confirmed good reputation is automatically blocked, immunizing your enterprise from targeted attacks.
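The bonus exercise and the risk-tolerance policy described earlier come down to one mechanism: the reputation verdict is keyed on the file hash, so a copy with a single edited byte carries no verdict at all, and the policy then decides what an Unknown file may do. The following is an added example, not McAfee code: it builds a constructed stand-in for a PE image, shows that the edited copy falls to Unknown in a constructed hash-keyed reputation table, and applies an assumed zero-tolerance policy beside a permissive one. Only the reputation level names follow TIE's vocabulary; the sample bytes, the table and the policy thresholds are assumptions.

```python
"""Hash-keyed reputation versus a trivially modified file.

Added example (not McAfee code): models why a 'Known Trusted' verdict keyed on
the file hash cannot carry over to a copy whose DOS-stub text was edited, and
how a zero-tolerance execution policy treats the resulting 'Unknown' file.
Sample bytes, reputation table and policy thresholds are constructed.
"""
import hashlib

DOS_STUB = b"This program cannot be run in DOS mode."

# Reputation levels from most to least trusted. The names follow TIE's scale;
# the ordering used for the policy comparison is an assumption.
LEVELS = [
    "Known Trusted", "Most Likely Trusted", "Might be Trusted", "Unknown",
    "Might be Malicious", "Most Likely Malicious", "Known Malicious",
]

# Assumed policies: the minimum reputation a file needs in order to run.
POLICIES = {
    "zero_tolerance": "Most Likely Trusted",  # unknown/grey files are blocked
    "permissive": "Unknown",                   # only files with a bad verdict are blocked
}


def build_sample_file():
    """Constructed stand-in for a PE image: MZ signature, padding, DOS-stub text."""
    header = b"MZ" + b"\x90" * 62
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    return header + stub_code + DOS_STUB + b"\r\r\n$" + b"\x00" * 256


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


ORIGINAL = build_sample_file()
# Constructed reputation table keyed by hash, standing in for the GTI/TIE lookup.
REPUTATION = {sha256_hex(ORIGINAL): "Known Trusted"}


def lookup(data):
    """Reputation for a file's hash; anything not in the table is Unknown."""
    return REPUTATION.get(sha256_hex(data), "Unknown")


def edit_dos_stub(data):
    """Minor edit in the spirit of the hex-editor step: change one byte of the stub text."""
    return data.replace(DOS_STUB, DOS_STUB[:-1] + b"!", 1)


def decide(reputation, policy):
    """'allow' if the reputation meets the policy's minimum level, else 'block'."""
    if LEVELS.index(reputation) <= LEVELS.index(POLICIES[policy]):
        return "allow"
    return "block"


if __name__ == "__main__":
    modified = edit_dos_stub(ORIGINAL)
    for label, data in (("original", ORIGINAL), ("modified", modified)):
        rep = lookup(data)
        print(f"{label}: sha256={sha256_hex(data)[:16]}... reputation={rep} "
              f"zero_tolerance={decide(rep, 'zero_tolerance')} "
              f"permissive={decide(rep, 'permissive')}")
```

The edited copy is the same length and differs in one byte, yet its hash has no table entry, so the verdict is Unknown; under the zero-tolerance policy that alone is enough to block it, which is the behavior the bonus exercise shows in the ePO console.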