
How to identify and remediate systems impacted by a new threat with McAfee Threat Intelligence Exchange


Enterprise details collected from file execution allow administrators to track and gather additional information about where and when a file entered their enterprise.







The objective of this use case is to demonstrate the incident response capabilities and data held within the TIE server.  Successful completion of this use case should demonstrate how to identify when a file first entered your environment as well as how widespread the file is being executed.   You will also be able to take action by triggering a VSE clean on a known malicious file.

Use Case


Remote Desktop into the client system and run Hackit.exe


Click on Menu | Systems Section | TIE Reputations 



In the File Search tab, enter Hackit.exe in the search field and click Find Files.


*Note: Pressing Enter will not search. You must use the mouse to click the Apply button.

Click the checkbox next to Hackit.exe

Click Actions | Where Has File Run 

The number of systems this file was run on will appear as well as the First Reference Date.

Sort the First Reference Date column to identify patient zero


The Management features of ePO allow the user to take appropriate action at the client when an incident arises.  Click into the endpoint to show system information.

The Actions button allows the user to modify the System Health settings, tag the system, change the policy, etc.

At the beginning of this use case, Hackit.exe was executed. On the endpoint you will see the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray.


When the TIE module for VSE policy has the Clean feature enabled and a file’s Enterprise reputation is set to Known Malicious, a reputation change DXL event goes out immediately.


Note:  This feature can be disabled by unchecking the Clean at feature in the TIE module for VSE policy



Based on this policy setting the TIE module for VSE triggers a VSE clean.

A VSE clean includes looking for running processes associated with the file and terminating them.

Let’s pretend for this demo that Hackit.exe has become a known immediate threat to our environment.  Setting the file to File Known Malicious will trigger a VSE clean.

In the TIE Reputations page check the box next to Hackit.exe


Click Actions | File Known Malicious 

Return to the endpoint and observe the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray disappear.





When a compromise does occur, the knowledge gathered by the TIE server empowers admins to respond swiftly and accurately.  By setting a file to known malicious the administrator can trigger a VSE clean across the entire environment while simultaneously ensuring all future encounters are cleaned.

Version history
Revision #:
3 of 3
Last update:
‎04-03-2018 06:25 AM