mr54
Level 9
Message 1 of 6

ATP Threat names pattern meaning

Hello,

I am looking for an explanation of ATP threat names. I understand the difference between ATP/JTI and Real Protect detections (that's not my question), but:

  • What differentiates a detection called ATP/Suspect! from a detection called JTI/Suspect.?
  • With Real Protect, what is the difference between:
    • Real Protect-XGPE!
    • Real Protect-PSFL!
    • Real Protect-EC!
    • Real Protect-PEE!
    • Real Protect-SS!
    • Real Protect-LS!
    • and all the pattern names that I forgot

I assume that if there were no differences, names would not change.

Thank you.

mr

Accepted Solution

AdithyanT
McAfee Employee
Message 5 of 6

Re: ATP Threat names pattern meaning

Hi @mr54,

Adding my 2p here: if you are specifically looking to understand what each detection name represents, I am afraid we do not have any public-facing document to explain that. Each detection name and the naming conventions are decided by the product team and are not available for public viewing. So, while the name Real Protect certainly means that the detection is coming from the Real Protect component, we will not be able to differentiate between a Real Protect LS detection and a Real Protect XGPE detection.

Having said that, if it is indeed required for any specific purpose, you can raise an SR and have it queried with the purpose explained, and our Support team can re-evaluate and check whether the individual detection names and what they denote could be provided to you, depending on the requirement.

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

5 Replies
yaz
McAfee Employee
Message 2 of 6

Re: ATP Threat names pattern meaning

Hi @mr54,

Thank you for reaching out to McAfee Community.

JTI suspect and ATP suspect refer to threats that come from TIE reputations.

Real Protect detections are the ones that come from GTI reputations.

Details on reputation-based scanning are below.

https://docs.mcafee.com/bundle/endpoint-security-10.6.0-adaptive-threat-protection-product-guide-win...

Was my reply helpful?

If yes, please give me a Kudo.

If I have answered your query, please mark this as the solution, and together we can help other community members.

mr54
Level 9
Message 3 of 6

Re: ATP Threat names pattern meaning

Thank you, but that's not my question. I wanted to know the difference between two detections that have different pattern names,

e.g. what differentiates a Real Protect-XGPE! detection from a Real Protect-LS! detection.

By the way, I'm not sure that your answer is correct. To me, ATP and JTI refer to ATP/GTI detections (but I don't know the difference between the two, because I have some ATP/Suspect!xxxxx with rule ID 4, which means that it's a GTI detection: see https://kc.mcafee.com/corporate/index?page=content&id=KB82925&actp=null&viewlocale=en_US&locale=en_U...)

Real Protect-[...] detections refer to Real Protect, not to GTI, but according to the documentation, it seems that product is used when the file reputation is unknown to TIE and GTI:

See: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-adaptive-threat-protection-product-guide-win...

Rfranci
McAfee Employee
Message 4 of 6

Re: ATP Threat names pattern meaning

Hi @mr54,

ATP GTI detections and ATP JTI detections are two different methods.
ATP GTI indicates that the reputation for the file is obtained from the McAfee Global Threat Intelligence server.

ATP JTI indicates that the reputation of the file is obtained from the McAfee ATP rules (Adaptive Threat Protection rules). To view the rules, log in to ePO -> Server Settings -> Adaptive Threat Protection.

ATP rule ID 4 is designed to query the ATP GTI server to check the file reputation.
Example file reputation values:
Reputation 1: Known malicious
Reputation 15: Most likely malicious
Reputation 30: Might be malicious
Reputation 50: Unknown
Reputation 70: Might be trusted
Reputation 85: Most likely trusted
Reputation 99: Known trusted

The action is then taken as per your ATP Options policy configuration for file reputation.

I hope you find this helpful.
- Rohit Francis
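As an added illustration (not code from this thread or from McAfee), here is a small Python helper that splits the detection names discussed above into prefix, family and suffix, labels GTI reputation values using the scale Rfranci lists, and tallies constructed sample events for reporting. The prefix-to-source mapping follows Rfranci's reply and is an assumption; the function names, regex layout and sample event names are mine.

```python
import re
from collections import Counter

# GTI file reputation values and their labels, as listed in the reply above.
GTI_REPUTATION = {1: "Known malicious", 15: "Most likely malicious",
                  30: "Might be malicious", 50: "Unknown", 70: "Might be trusted",
                  85: "Most likely trusted", 99: "Known trusted"}

# Detection-name shapes quoted in this thread. The prefix-to-source mapping
# follows Rfranci's reply and is an assumption, not product documentation.
SOURCE_OF_PREFIX = {"ATP": "GTI reputation", "JTI": "ATP rules reputation",
                    "Real Protect": "Real Protect"}
NAME_RE = re.compile(
    r"^(?P<prefix>ATP|JTI|Real Protect)[/-]"  # ATP/ , JTI/ , Real Protect-
    r"(?P<family>[A-Za-z]+)"                   # Suspect, XGPE, LS, PSFL, ...
    r"(?:[!.](?P<suffix>.*))?$"                # optional "!..." or "...." tail
)

def parse_threat_name(name):
    """Split a detection name into source, family and suffix; None if unrecognised."""
    m = NAME_RE.match(name.strip())
    if m is None:
        return None
    return {"source": SOURCE_OF_PREFIX[m.group("prefix")],
            "family": m.group("family"), "suffix": m.group("suffix") or ""}

def reputation_label(score):
    """Label for a documented GTI reputation value; other values are flagged."""
    return GTI_REPUTATION.get(score, "undocumented value")

def summarise(events):
    """Count events per (source, family, reputation label); collect unknown names."""
    counts, unparsed = Counter(), []
    for ev in events:
        parsed = parse_threat_name(ev["threat_name"])
        if parsed is None:
            unparsed.append(ev["threat_name"])
            continue
        counts[(parsed["source"], parsed["family"], reputation_label(ev["reputation"]))] += 1
    return counts, unparsed

# Constructed sample events (not real telemetry); hash-like suffixes are placeholders.
SAMPLE_EVENTS = [
    {"threat_name": "ATP/Suspect!0000aaaa", "reputation": 15},
    {"threat_name": "JTI/Suspect.0000bbbb", "reputation": 30},
    {"threat_name": "Real Protect-XGPE!0000cccc", "reputation": 50},
    {"threat_name": "Real Protect-LS!0000dddd", "reputation": 50},
    {"threat_name": "Generic.dx!0000eeee", "reputation": 1},
]
```

Names that do not match one of the three prefixes are returned in the `unparsed` list rather than silently dropped, so a report built on this cannot hide detections from other engines.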

mr54
Level 9
Message 6 of 6

Re: ATP Threat names pattern meaning

Hi @AdithyanT, thanks for your answer.

You are right, I just wanted to understand whether there was any logic behind the names.

Because, like I said, two detections that appear to be "identical" (same rule) are differentiated by the beginning of the threat name: one is JTI/Suspect.xxxx and one is ATP/Suspect!xxx. And it is the same with Real Protect. Maybe RP-PSL! is associated with a specific process and RP-XGPE! with another, and knowing what each represents could have been interesting (for reporting, response, etc.).

I was thinking we would have a better understanding of the events in general, without any specific purpose.

But thanks for the support, you replied to my request!

Regards, mr.
