What is the experience of companies that have implemented ENS with ATP but without any sandbox solution in place? Let's assume a company has implemented ENS and TIE and, as the next step, is going to implement full ATP power (DAC and RP switched ON) to take control of unknown files.
Does it work? Or can the number of unknown files never be taken under reasonable control without complementing ATP with a sandbox (ATD)?
Hi, thanks for the reply. I'm not confused, I know those technologies and abbreviations very well. I have 5 years' experience with McAfee products.
I put my questions differently:
The ATP modules work together and try to determine whether an unknown file is bad or good by doing different analyses, calculating a final reputation and taking action accordingly. All those analyses are done locally and in the McAfee cloud. This is not optimal, because the central reputation repository, TIE, is not complemented with the analysis results from the endpoint, so every endpoint works separately and might do the same work, with similar results, as hundreds of other endpoints in the enterprise. And the probability of getting false positives is quite high if we set Unknown files to be blocked.
This is the idea of this discussion. Running ATP but not using a sandbox next to it: is such a setup optimal enough to implement?
It is actually much more complicated than that on the back end.
There are two reputations involved, file reputation and process reputation. File reputation is what you see in TIE. There are various reputation sources, including GTI and ATD, but ultimately Enterprise reputation trumps, though. By default, ATD good reputations don't change an unknown, but you can change this, I believe.
The reason reputation is computed locally is because of modules. Let's say that an attack performs a DLL side-loading attack. In this case an otherwise good process is now compromised. So in this case the file reputation of the process is changed on the fly by computing a process reputation of unknown due to the untrusted module.
Now, all this being said, that doesn't automatically mean a process is contained. You can have MANY untrusted processes that McAfee won't touch, because there are numerous rules that impact what is and isn't touched, such as, for example, prevalence in the environment. These are JTI rules that you can adjust. In this case, there is general process containment that comes into play, but also DAC rules, which you select whether to enable or disable.