How to identify new executables and certificates running in your environment with McAfee Threat Intelligence Exchange


McAfee Threat Intelligence Exchange brings immediate visibility into the presence of advanced targeted attacks and emerging threats by automatically assembling events and valuable context as communicated from the new intelligence-based endpoint client, gateways, and other connected security components.




Download the set of test samples provided here. For this use case, we will be using Artemis-High.exe.



The objective of this use case is to demonstrate the ability to identify new executables and certificates that are being run in your environment using McAfee Threat Intelligence Exchange.  Successful completion of this use case demonstrates the added visibility and information that the TIE solution offers.


Use Case

Log in to ePO.


Click on Menu | Systems Section | TIE Reputations


In the File Search tab, enter * in the search field and click Find Files.

*Note: hitting Enter will not search.  You must use the mouse to click the Find Files button.

You will see a list of files that have been executed on your endpoints.  You may need to execute a few files before this page is populated.  Each column can be clicked to sort the information including ATD reputation, comments, hashes etc.

Clicking to sort by GTI reputation will highlight some of the more interesting files being executed.  The TIE Reputations page is a collective source of threat intelligence from all security products connected to DXL, giving the user visibility and the ability to make informed decisions.


File details can be added to the initial search results by clicking Actions | Choose Columns.  Add columns as desired.  In the case where ATD is being used, add the ATD column for added reputation information.


On the endpoint run the Artemis-High.exe provided in the test samples.  The file execution will be blocked.



In the TIE Reputations page search for Artemis.  You will see the file was blocked based on its GTI reputation 'Might be Malicious'.  Click Artemis-High.exe to research additional information about the executable.



The File Details tab provides additional information about the file properties.


The Additional Information tab includes data collected from the first system to execute the file.  This includes:

  • File exists in “Add or Remove Programs”
  • Registered as a Service
  • Registered for Auto-run


The VirusTotal tab allows the user to cross-reference the file against VirusTotal.  Click Retrieve VirusTotal Information.

Note:  You must configure your VirusTotal API Key for this to work.  For details on how to get a VirusTotal public API Key see



The same steps apply to Certificates.  In the TIE Reputations page of ePO go to the Certificate Search tab and enter * in the search field and click Find Certificates.

*Note: hitting Enter will not search.  You must use the mouse to click the Find Certificates button.


In this case, Dropbox had been run.  You will have several certificates to research.  Microsoft is a very common one.

Click into a certificate to research additional information.




In order to help separate real enterprise threats from general background noise in the environment, the TIE Server Dashboard focuses on new and notable information.



New files by GTI reputation — Shows new executable files by McAfee GTI reputation that attempted to run in your environment in the past week. This report is especially useful to quickly see the new files that were malicious or unknown in your environment.


Clicking into the Not Set portion of the graph narrows the list to files for which GTI does not have a reputation.  This makes it easy for an admin to determine where to investigate first.


New files in the past 30 days — Shows new executable files that attempted to run in your environment in the past 30 days.

Once TIE has been running in your environment for a few days, you will only see spikes when there is a possible reason for concern.


Clicking into a data point will show new files by day.



Files with changed GTI reputations — Shows files whose reputations were changed in McAfee GTI in the past month.

After further research or on receiving new information, McAfee may determine that a reputation change is needed.  The administrator may want to investigate any enterprise overrides further if the GTI reputation has changed.





Systems with new executable files — Shows the top 10 systems that had the newest executable files attempting to run. This report shows systems that are potentially at risk for new infections because they are accessing the newest executables.

A high new-file count on unexpected systems, such as a POS device or production server, might alert the administrator to suspicious behavior.




Quick file search — Allows you to search for a specific file string or hash.  Partial entries will search for all occurrences.

Any news alert or notification of compromise can be searched.  This is a quick place to easily research a specific file or hash (and also a good place to research results from another security product).
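The dashboard reports described above (new files by GTI reputation, new files per day, changed reputations, systems with new executables, and the quick file search), re-created as an added example over a constructed set of TIE-style file-reputation rows. This is not McAfee code and the rows, hashes and system names are made up; the same logic can be applied to file-reputation data exported from ePO.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed TIE-style file-reputation rows (not real TIE data): the first system
# that ran each file, when, and the GTI reputation then and now. Hashes are fake.
NOW = datetime(2018, 3, 15, 13, 0)
ROWS = [
    {"name": "Artemis-High.exe", "sha1": "aa" * 20, "system": "LAB-WKS01",
     "first_seen": NOW - timedelta(days=1), "gti_then": "Might be Malicious", "gti_now": "Might be Malicious"},
    {"name": "Dropbox.exe", "sha1": "bb" * 20, "system": "LAB-WKS01",
     "first_seen": NOW - timedelta(days=3), "gti_then": "Known Trusted", "gti_now": "Known Trusted"},
    {"name": "updater.exe", "sha1": "cc" * 20, "system": "POS-TERM07",
     "first_seen": NOW - timedelta(days=2), "gti_then": "Not Set", "gti_now": "Not Set"},
    {"name": "helper.exe", "sha1": "dd" * 20, "system": "POS-TERM07",
     "first_seen": NOW - timedelta(days=5), "gti_then": "Not Set", "gti_now": "Most Likely Malicious"},
    {"name": "old-tool.exe", "sha1": "ee" * 20, "system": "SRV-DB01",
     "first_seen": NOW - timedelta(days=40), "gti_then": "Unknown", "gti_now": "Unknown"},
]

def _recent(rows, days):
    """Rows first seen within the last N days relative to NOW."""
    cutoff = NOW - timedelta(days=days)
    return [r for r in rows if r["first_seen"] >= cutoff]

def new_files_by_gti(rows, days=7):
    """'New files by GTI reputation': new files in the past week, by reputation."""
    return Counter(r["gti_now"] for r in _recent(rows, days))

def new_files_per_day(rows, days=30):
    """'New files in the past 30 days': count per day, so spikes stand out."""
    return Counter(r["first_seen"].date().isoformat() for r in _recent(rows, days))

def changed_reputations(rows):
    """'Files with changed GTI reputations': review enterprise overrides on these."""
    return [r["name"] for r in rows if r["gti_then"] != r["gti_now"]]

def systems_with_new_files(rows, days=30, top=10):
    """'Systems with new executable files': top systems by new-file count."""
    return Counter(r["system"] for r in _recent(rows, days)).most_common(top)

def new_files_on_sensitive_systems(rows, prefixes=("POS-", "SRV-"), days=30):
    """New files on systems that should rarely see them (POS devices, servers)."""
    return [(r["system"], r["name"]) for r in _recent(rows, days)
            if r["system"].startswith(prefixes)]

def quick_search(rows, term):
    """'Quick file search': partial, case-insensitive match on name or hash."""
    term = term.lower()
    return [r["name"] for r in rows if term in r["name"].lower() or term in r["sha1"]]
```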





By working through this use case you are now aware of the immediate visibility that the TIE solution offers.  You can now answer critical security questions:

  • What is running in my environment?
  • Where is it running?
  • When did it run?
  • Has my environment seen specific malware?  Or a recent zero-day attack?
  • Which systems are at most risk from new executables?
  • Are there systems with unanticipated change?
Revision 3 of 3, last updated 03-15-2018 01:13 PM