User91972758 (Reliable Contributor)
Message 1 of 9

Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


There's a program that is trusted via the certificate and is also trusted in its GTI reputation.

There's an endpoint in our environment that is not receiving this reputation and is responding with the following in the ATP logs:

05/20/2019 03:44:11 p.m. mfeatp (4040.7920) <SYSTEM> Orchestrator.Action.Activity: Action Details :: File: ACRORD32.EXE, Mode: Deploy, Parser: Run Analysis, Detection Name: ATP / Suspect! 088c42d5d92e, Reputation: 30 [Possibly malicious], Action taken: Block rule ID: 0, Content version: Not available

According to the following, this event just means not enough events are being logged: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-installation-guide-unmanaged-windows/page/GU...

I've attempted to remove ATP and re-install ATP to try and update the reputation on this system, but no luck. Any help would be appreciated.
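
As an added example (not from the original post or from McAfee), a small Python parser for mfeatp Orchestrator.Action.Activity lines like the one quoted above, plus a check that flags blocks where the score the endpoint acted on is lower than the reputation you expect TIE/GTI to be supplying for that file. The field layout is inferred from the single log line in the thread; the second sample line and the expected-score table are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample log. Line 1 reproduces the mfeatp event quoted in the thread;
# line 2 is a made-up contrasting event (Unknown, allowed); line 3 is noise to skip.
SAMPLE_LOG = """\
05/20/2019 03:44:11 p.m. mfeatp (4040.7920) <SYSTEM> Orchestrator.Action.Activity: Action Details :: File: ACRORD32.EXE, Mode: Deploy, Parser: Run Analysis, Detection Name: ATP / Suspect! 088c42d5d92e, Reputation: 30 [Possibly malicious], Action taken: Block rule ID: 0, Content version: Not available
05/20/2019 03:45:02 p.m. mfeatp (4040.7920) <SYSTEM> Orchestrator.Action.Activity: Action Details :: File: EXAMPLE.EXE, Mode: Deploy, Parser: Run Analysis, Detection Name: ATP / Suspect! 000000000000, Reputation: 50 [Unknown], Action taken: Allow rule ID: 0, Content version: Not available
05/20/2019 03:46:30 p.m. mfeatp (4040.7920) <SYSTEM> Some.Other.Component: not an action record
"""

# Field layout of the "Action Details" record, inferred from the line in the thread.
ACTION_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [ap]\.m\.) mfeatp .*?"
    r"Orchestrator\.Action\.Activity: Action Details :: "
    r"File: (?P<file>[^,]+), Mode: (?P<mode>[^,]+), Parser: (?P<parser>[^,]+), "
    r"Detection Name: (?P<detection>[^,]+), "
    r"Reputation: (?P<score>\d+) \[(?P<label>[^\]]+)\], "
    r"Action taken: (?P<action>.+?) rule ID: (?P<rule>\d+)"
)


@dataclass
class AtpAction:
    timestamp: str
    file: str
    detection: str
    score: int      # reputation score the endpoint acted on (e.g. 30, 50)
    label: str      # the bracketed text ATP logged next to the score
    action: str     # e.g. "Block"
    rule_id: int


def parse_atp_log(text: str) -> list[AtpAction]:
    """Return the Orchestrator.Action.Activity records found in mfeatp log text."""
    events = []
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if m:  # lines from other components do not match and are skipped
            events.append(AtpAction(m["ts"], m["file"], m["detection"],
                                    int(m["score"]), m["label"], m["action"],
                                    int(m["rule"])))
    return events


def flag_reputation_conflicts(events: list[AtpAction],
                              expected_scores: dict[str, int]) -> list[str]:
    """Files ATP blocked while using a score below the reputation you expect.

    expected_scores maps file name -> the score TIE/GTI should be supplying
    (supplied by the caller). A hit is the situation in the thread: trusted
    upstream, yet blocked locally, so that host deserves a closer look.
    """
    return [e.file for e in events
            if e.action == "Block" and e.score < expected_scores.get(e.file, 0)]
```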

1 Solution

Accepted Solution
chealey (McAfee Employee)
Message 4 of 9

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


Most ATP blocks which occur even though the reputation has been set in TIE are caused by the DLL orchestration - this means that the actual executable displayed has an untrusted/malicious DLL loaded; more on this can be seen here:

https://kc.mcafee.com/corporate/index?page=content&id=KB90588


The best thing to do, would be to enable ENS debug logging and submit the logs to support for analysis.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
8 Replies
Daniel_S (Reliable Contributor)
Message 2 of 9

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


We see similar behaviour at several customers.

Normally what we see is a 50 - unknown though.

Till today we and McAfee weren't able to provide a solution.

In any case this only affects a handful of systems.

Best regards
Dan
User91972758 (Reliable Contributor)
Message 3 of 9

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity

It's a strange occurrence for sure. In my case a co-worker and I are thinking that the issue may be that the systems are not communicating with our DXL server successfully, but we're unsure.

Like you mentioned, usually it'll be a rep of 50 for an unknown reputation, so this was kind of odd to see. It's the first time I've seen Real Protect come into play in blocking / quarantining a file. I'll try and update this post with any additional findings or resolutions I might find.

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


We encounter this fairly often. We have rule 250 enabled, which is listed in the KB as a workaround. Even though it's supposed to eventually trust the file, it never does.


User91972758 (Reliable Contributor)
Message 6 of 9

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


It's unfortunate, as we have rule 250 applied in our ATP settings. I'm working on setting up our debug logging and I'll be getting something set up for McAfee Support. If I get any kind of update I'll post it here, so hopefully we'll have some better clarity on what may be happening.


Thanks for the input!

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


Were you able to determine anything further after working with support?

User91972758 (Reliable Contributor)
Message 8 of 9

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity

Hi Kvoss,

Unfortunately I haven't had time to open an SR. I currently have debug logging set up on the endpoint and plan to do some recon, then engage support.

Once that's done if we find a solution I'll be sure to update this thread for any insight or conclusions we find.

Zach
User91972758 (Reliable Contributor)
Message 9 of 9

Re: Machine Not Receiving Proper Reputation - ATP / Real Protect Activity


Hi @kvoss987654, I think what happened here was an issue with the local reputation not being set properly on the actual machine. When viewing the ATP block in ePO, it was showing up as Might be trusted. My assumption is that, with its lowest local reputation being Might be malicious, ATP was taking the average of the two reputations, which caused this application not to run.

What we ended up doing was explicitly marking the file as Known Trusted (enterprise). I've reached out to my end user to verify whether or not this is going to work for them. Hopefully someone else may be able to also confirm / deny this behavior.

I can confirm as well that this endpoint is connecting and communicating with DXL in case this is a question someone may have.
