
How to block risky new executables and certificates in your environment with McAfee Threat Intelligence Exchange module for VSE



McAfee Threat Intelligence Exchange (TIE) gives complete visibility of new executables and certificates running in your environment, with endpoint protection that takes local, enterprise and global context into account when deciding whether behavior is risky. Now that you are aware of the files and associated certificates running in your environment and have explored where possible compromises and threats are occurring, let's look at the benefits of the Threat Intelligence Exchange module for VSE.




The TIE Client makes file execution decisions by combining local endpoint context (file, process and environmental attributes) with the currently available collective threat intelligence (for example organizational prevalence, age and reputation). When you customize the McAfee Threat Intelligence Exchange module for VirusScan Enterprise to your organization's risk tolerance at the endpoint, administrators get the flexibility to set execution conditions driven by their specific requirements. This can be as strict as a zero-tolerance policy for unknown or 'grey' files: a rule that no file may execute unless it has a known and acceptable reputation.






Sample files Roaming.exe and Hackit.exe found here:



The objective of this use case is to demonstrate how the TIE Client handles zero-day threats, that is, files that no signature yet covers. Successful completion of this use case should demonstrate the added intelligence that the TIE Client offers.

Use Case

Based on our research we know that malware tends to hide in specific folders. In this use case we use the root of the Roaming profile folder (%APPDATA%, normally C:\Users\<user>\AppData\Roaming) as an indicator of risky behavior.

On the endpoint, in Windows Explorer, navigate to C:\ and select Organize | Folder and Search Options.


On the View tab, select Show hidden files, folders, and drives (the AppData folder is hidden by default).


Move the sample file Roaming.exe to C:\Users\<user>\AppData\Roaming

Execute Roaming.exe from this folder.


The TIE Client rules block the file from executing and show which rule was triggered under Convicting Rule, in this case 'Identified suspicious files executing from the roaming folder'.

Note: running from the Recycle Bin is another risky behavior that TIE uses to help detect malware.
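The location heuristic behind the two rules named above, written out as code so you can see exactly which paths it would convict. This is an added illustration for this page, not McAfee's rule engine; the rule strings, the `triage` helper and the sample execution events are assumptions, and it only reproduces the location check, not the reputation, prevalence and age inputs TIE also weighs.

```python
"""Location heuristic behind the two TIE rules this walkthrough names:
'suspicious files executing from the roaming folder' and the Recycle Bin.
Added illustration written for this page, not McAfee's own rule engine;
the rule strings and the sample events are assumptions."""
from pathlib import PureWindowsPath

# Rule names mirror the wording in the ePO 'Convicting Rule' column (assumed).
RULE_ROAMING = "Identified suspicious files executing from the roaming folder"
RULE_RECYCLE = "Identified suspicious files executing from the recycle bin"


def convicting_rule(exe_path):
    """Return the rule that fires for exe_path, or None if neither applies.

    Matching is case-insensitive because NTFS paths are; only the *root*
    of Roaming is flagged, so legitimate installs under
    Roaming\\<Vendor>\\... are left alone.
    """
    parts = [p.lower() for p in PureWindowsPath(exe_path).parts]
    parent = parts[:-1]          # drop the file name itself
    # C:\Users\<user>\AppData\Roaming\<file>  -> exactly five path components
    if (len(parent) == 5 and parent[1] == "users"
            and parent[3] == "appdata" and parent[4] == "roaming"):
        return RULE_ROAMING
    # C:\$Recycle.Bin\<SID>\$R<random>.<ext>  -> anywhere below the bin
    if len(parent) >= 2 and parent[1] == "$recycle.bin":
        return RULE_RECYCLE
    return None


def triage(events):
    """Apply the location rules to execution events (dicts with a 'path').

    Returns a list of (path, rule) for events a location rule would convict.
    TIE itself also weighs reputation, prevalence and age; this function
    reproduces only the location heuristic.
    """
    hits = []
    for ev in events:
        rule = convicting_rule(ev["path"])
        if rule:
            hits.append((ev["path"], rule))
    return hits


# Constructed sample execution events (not real telemetry).
SAMPLE_EVENTS = [
    {"path": r"C:\Users\alice\AppData\Roaming\Roaming.exe"},
    {"path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Update.exe"},
    {"path": r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\$RX4K2Q9.exe"},
    {"path": r"C:\Program Files\Hackit\Hackit.exe"},
]

if __name__ == "__main__":
    for path, rule in triage(SAMPLE_EVENTS):
        print(f"BLOCK  {path}\n       Convicting Rule: {rule}")
```

Run it as-is and only the first and third sample events are convicted: the Teams updater sits in a vendor subfolder, not the Roaming root, which is why the rule is scoped to the root in the first place. The same check ports directly to an ePO query or an EDR hunt over process-start events.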


To view the added value of the TIE rules across your entire environment select the Dashboard – TIE module for VSE enforced events.

Click into Block Events by Event Type



The Rule Name column shows the added value of the TIE Client by naming the specific rule that was triggered.

Click on Roaming.exe to view additional information on the block.


To view the TIE rules in more detail, go to Menu | Configuration | Server Settings.

Click Threat Intelligence Exchange Module for VSE



Click Edit to view the rule details.  To change the rule mode click the checkbox next to a rule and click Actions.



Additional bonus exercise: to see how TIE treats a file whose reputation is unknown, manipulate a known-trusted file and observe what happens.


Remote Desktop into the client system and run Hackit.exe. Because the file has a GTI Known Trusted reputation, it is allowed to run.


Right-click the Hackit icon in the system tray and click Shutdown Hack-it

(Screenshot: Hack-it shutdown)

Open Hackit.exe in your hex editor and make a minor edit, such as changing the text 'This program cannot be run in DOS mode' to a different string of the same length (overwrite bytes rather than inserting or deleting them, so the PE header offsets are not shifted). You only need to change enough to change the file hash. Save As a new file name.



Execute the new file and view the block.

(Screenshot: block of the modified Hackit.exe)

Researching the block in the ePO console, you will see that the file is no longer allowed to run on the basis of its GTI reputation as it was in the previous step: the modified copy has a new hash, so it has an unknown reputation, and execution is blocked on that basis.
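The hex-editor step above, scripted so the effect on the file hashes is explicit. This is an added example for this page, not McAfee code: it overwrites the DOS-stub message with a same-length string, saves the result under a new name, and prints the hashes before and after. The `SAMPLE_PE` bytes are a constructed MZ header stand-in for Hackit.exe so the script runs offline; they are not a loadable program.

```python
"""Scripted version of the bonus exercise's hex-editor step.
Added example for this page, not McAfee code. It overwrites the DOS-stub
message in a PE file with a same-length string, saves the result under a
new name and reports the file hashes before and after, which is what moves
the file from a known GTI reputation to 'unknown'."""
import hashlib
import sys
from pathlib import Path

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the bytes as hex; reputation lookups are keyed on hashes like these."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def patch_dos_stub(data, new_text=b"This program CANNOT be run in DOS mode"):
    """Return a copy of `data` with the DOS-stub message replaced in place.

    The replacement must keep the same length: inserting or deleting bytes
    would shift e_lfanew and every later offset and break the PE.
    """
    if not data.startswith(b"MZ"):
        raise ValueError("not an MZ/PE image")
    if len(new_text) != len(DOS_STUB_TEXT):
        raise ValueError("replacement must be the same length as the original stub text")
    idx = data.find(DOS_STUB_TEXT)
    if idx < 0:
        raise ValueError("DOS stub message not found (packed or non-standard stub?)")
    return data[:idx] + new_text + data[idx + len(DOS_STUB_TEXT):]


def save_patched_copy(src, dst):
    """Write a patched copy of src to dst; return (hashes_before, hashes_after)."""
    original = Path(src).read_bytes()
    patched = patch_dos_stub(original)
    Path(dst).write_bytes(patched)
    return file_hashes(original), file_hashes(patched)


# Constructed stand-in for Hackit.exe so the example runs offline: an MZ
# header padded to e_lfanew (offset 0x3c) followed by a typical DOS stub.
# It is header bytes only and is not a loadable program.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 0x3a          # e_magic + zeroed header fields
    + b"\x80\x00\x00\x00"           # e_lfanew -> (fictitious) PE header at 0x80
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
    + DOS_STUB_TEXT + b".\r\r\n$"
    + b"\x00" * 7                   # pad out to offset 0x80
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        before, after = save_patched_copy(sys.argv[1], sys.argv[2])
    else:
        before, after = file_hashes(SAMPLE_PE), file_hashes(patch_dos_stub(SAMPLE_PE))
    for algo in before:
        print(f"{algo:6} {before[algo]}\n       {after[algo]}  (patched)")
```

Usage against the real sample: `python patch_stub.py Hackit.exe Hackit-modified.exe`, then execute the copy and inspect the block in ePO as above. Two caveats a practitioner should keep in mind: the script refuses edits that change the length, for the reason given in its docstring; and if the original file were Authenticode-signed, the same one-byte change would also invalidate the signature, because the DOS stub is inside the range the Authenticode hash covers, so a certificate-based reputation would not carry over to the copy either.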





The added enterprise, global and local context lets the TIE Client apply a set of rules that flag risky behavior. As this use case shows, a file that is unknown in your environment and has no confirmed good reputation is blocked automatically, which helps protect your enterprise from targeted attacks.

Version history: revision 3 of 3, last updated 03-15-2018 01:14 PM