How to block risky new executables and certificates in your environment with McAfee Threat Intelligence Exchange module for VSE

 

Introduction


McAfee Threat Intelligence gives complete visibility of new executables and certificates running in your environment, with added endpoint protection that takes local, enterprise and global context into account when determining risky behavior.  Now that you are fully aware of the files and associated certificates running in your environment and have been able to explore where possible compromises and threats are occurring, let’s take a look at the benefits of the Threat Intelligence Exchange module for VSE.

 


 

The TIE Client makes accurate file execution decisions and leverages the combined intelligence from local endpoint context (file, process, and environmental attributes) and the current available collective threat intelligence (for example, organizational prevalence, age, reputation, etc.). When you customize the McAfee Threat Intelligence Exchange VirusScan Enterprise Module based on your organization’s level of risk tolerance at the endpoint, administrators get the flexibility to set execution conditions driven by their specific requirements. This can be as rigid as adhering to a zero-tolerance policy for unknown or ‘grey’ files by setting rules that no file is allowed to execute unless it has a known and acceptable reputation.

 


 

Prerequisites


Sample files Roaming.exe and Hackit.exe found here: http://mcaf.ee/yiuva.

 

Objective

The objective of this use case is to demonstrate the power of the TIE Client for zero-day threats.  Successful completion of this use case should demonstrate the added intelligence that the TIE client offers.

Use Case

Based on our research we know that malware tends to hide itself in specific folders.  In this use case, we will explore the root of $appdata$\roaming as an indicator of risky behavior.

On the endpoint in explorer navigate to C:\ and select Organize | Folder and Search Options.


On the View tab click Show hidden files, folders, and drives.


Move the sample file Roaming.exe to C:\Users\<user>\AppData\Roaming

Execute Roaming.exe from this folder.


The TIE Client rules will block the file from being executed and expose the context as to which rule was triggered under Convicting Rule.  In this case it is ‘Identified suspicious files executing from the roaming folder’.

Note: Running from the recycle bin is another good example of a risky behavior we use to help detect malware.


 
To view the added value of the TIE rules across your entire environment select the Dashboard – TIE module for VSE enforced events.

Click into Block Events by Event Type


 


The Rule Name exposes the added value of the TIE Client by explaining the specific rule that was triggered.

Click on Roaming.exe to view additional information on the block.



To view the TIE rules in more detail go to Menu | Configuration | Server Settings.

Click Threat Intelligence Exchange Module for VSE


 

Click Edit to view the rule details.  To change the rule mode click the checkbox next to a rule and click Actions.


 

Additional bonus exercise:  To demonstrate TIE’s ability to catch all zero-day attacks even further, you may want to manipulate a known file and see what happens.
Prerequisites:

 

Remote Desktop into the client system and run Hackit.exe.  Based on the GTI Known Trusted reputation the file will be allowed to run.


Right-click the Hackit icon in the system tray and click Shutdown Hack-it


Open Hackit.exe in your hex editor.  Edit something minor, such as the text ‘This program cannot be run in DOS mode’, to a different string.  You only need to change it enough to change the file hash.  Save the result under a new file name.


 

Execute the new file and view the block.


Researching the block in the ePO console you will see it is no longer allowed to run based on GTI reputation as it was in our previous step.  File execution is blocked based on its unknown reputation.
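The two convictions shown in this use case (the roaming-folder rule for Roaming.exe, and the reputation change after Hackit.exe is hex-edited) can be modelled in a few lines. The following Python is an added illustration, not McAfee code: the file bytes, the reputation store, the rule ordering (trusted reputation checked before the folder rule) and the zero-tolerance switch are all assumptions made for the example.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-in for a tiny PE-like file: a DOS stub carrying the familiar
# "This program cannot be run in DOS mode" text. Not a real executable.
HACKIT_BYTES = (b"MZ" + b"\x90" * 14
                + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical hash-keyed reputation store standing in for GTI / the TIE server.
REPUTATION = {sha256_hex(HACKIT_BYTES): "Known Trusted"}

ROAMING_RULE = "Identified suspicious files executing from the roaming folder"

def is_roaming_root(path: str) -> bool:
    """True when the file sits directly in C:\\Users\\<user>\\AppData\\Roaming."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # e.g. ['c:\\', 'users', '<user>', 'appdata', 'roaming', 'file.exe']
    return (len(parts) == 6 and parts[1] == "users"
            and parts[3:5] == ["appdata", "roaming"])

def decide(path: str, data: bytes, zero_tolerance: bool = True) -> tuple:
    """Return (action, reason). Assumed order: reputation first, then rules."""
    rep = REPUTATION.get(sha256_hex(data), "Unknown")
    if rep == "Known Trusted":
        return ("allow", "GTI Known Trusted")
    if is_roaming_root(path):
        return ("block", ROAMING_RULE)
    if zero_tolerance and rep == "Unknown":
        # The 'grey file' policy from the introduction: no known reputation, no execution.
        return ("block", "Unknown reputation (zero-tolerance policy)")
    return ("allow", rep)

def patch_dos_stub(data: bytes) -> bytes:
    """Reproduce the hex-editor step: alter only the stub text, which changes the hash."""
    return data.replace(b"cannot be run in DOS mode", b"cannot be run in XXX mode", 1)

if __name__ == "__main__":
    print(decide(r"C:\Users\alice\Desktop\Hackit.exe", HACKIT_BYTES))
    print(decide(r"C:\Users\alice\AppData\Roaming\Roaming.exe", b"MZ-constructed-unknown"))
    print(decide(r"C:\Users\alice\Desktop\Hackit2.exe", patch_dos_stub(HACKIT_BYTES)))
```

The last call shows why a one-byte edit is enough to lose the trusted verdict: reputation is keyed on the hash, so the edited copy is simply a new unknown file and falls through to the policy decision.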

 


 

Conclusion

The added enterprise, global and local context allows the TIE client to apply a set of rules that indicate risky behavior.  As seen in this use case, a file that is unknown in your environment with no confirmed good reputation is automatically blocked, immunizing your enterprise from targeted attacks.

Revision 3 of 3. Last update: 03-15-2018 01:14 PM