jmcg
Reliable Contributor
Message 11 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

This ID means that your process reputation is Unknown.
Maybe you are not able to contact the McAfee GTI global reputation servers.

Do you use a TIE Server?
cheetah
Level 10
Message 12 of 17


Actually, I don't use a TIE.

If I read it correctly, I can execute a connection test to the GTI server by command.
I did that once and got the following result:

 nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com

Server: UnKnown
Address: 192.168.95.0

Nicht autorisierende Antwort:
Name: sfqpit75pjh525siewar2dtgt5.avts.mcafee.com
Address: 127.0.4.8

jmcg
Reliable Contributor
Message 13 of 17

You will have better results using a TIE Server.

The issue may come from a setting in strategy.

If you can provide a screenshot of your settings, it could be better to help you.


cheetah
Level 10
Message 14 of 17


Good Morning @jmcg 
What I do not understand is that the test file is recognized ONLY if I put the hook at "Offline Scan use".
If I take this out again, the test file is no longer found and there, although the GTI is achievable.

Except for the GTI attitude, which I also set HIGH, I use the standard setting.

[Attached screenshots: ens1.png, ens2.png, ens3.png, ens4.png]

cheetah
Level 10
Message 15 of 17


@jmcg  I followed your advice and installed a TIE server for me.
Result when testing and executing the 2 test files: Successful!

 

With TIE Server it looks like:

Folgende Aktion wurde für Datei C:\USERS\ADMINISTRATOR\VIDEOS\REALPROTECT-TESTFILE\RP-S TESTFILE.EXE mit Reputation 1 ausgeführt: Säubern
29.05.2019 13:14:49 mfeatp(656.1696) Orchestrator.Action.Activity: Aktionsdetails:: Datei: RP-S TESTFILE.EXE , Modus: Erzwingen , Scanner: Real Protect-Client , Erkennungsname: Real Protect-LS!930dd4b3661c , Reputation: 1 [Als bösartig bekannt] , ActionTaken: Säubern Regel-ID: 0 , Inhaltsversion: Nicht verfügbar
29.05.2019 13:14:54 mfeatp(656.5100) Orchestrator.Action.Activity: Aufforderung zur Angabe der Datei [RP-D TESTFILE.EXE] des Speicherorts [C:\USERS\ADMINISTRATOR\VIDEOS\REALPROTECT-TESTFILE] benutzerdefinierten Texts []
29.05.2019 13:14:56 mfeatp(656.6208) Orchestrator.OES.Activity: AAC policy wird konfiguriert
29.05.2019 13:14:56 mfeatp(656.6208) Orchestrator.OES.Activity: Adaptiver Bedrohungsschutz ist Aktiviert
29.05.2019 13:14:56 mfeatp(656.6208) Orchestrator.RealProtect.Activity: Real Protect-Client-Scanner ist Aktiviert, und Real Protect-Cloud-Scanner ist Aktiviert.
29.05.2019 13:15:06 mfeatp(656.6208) Orchestrator.OES.Activity: AAC policy wird konfiguriert
29.05.2019 13:15:06 mfeatp(656.6208) Orchestrator.OES.Activity: Adaptiver Bedrohungsschutz ist Aktiviert
29.05.2019 13:15:06 mfeatp(656.6208) Orchestrator.RealProtect.Activity: Real Protect-Client-Scanner ist Aktiviert, und Real Protect-Cloud-Scanner ist Aktiviert.
29.05.2019 13:15:06 mfeatp(656.5100) Orchestrator.Action.Activity: Folgende Aktion wurde für Datei C:\USERS\ADMINISTRATOR\VIDEOS\REALPROTECT-TESTFILE\RP-D TESTFILE.EXE mit Reputation 50 ausgeführt: Zulassen
29.05.2019 13:15:06 mfeatp(656.5100) Orchestrator.Action.Activity: Aktionsdetails:: Datei: RP-D TESTFILE.EXE , Modus: Erzwingen , Scanner: On-Execute-Scan , Erkennungsname: ATP/Suspect!cdae0ffbc37f , Reputation: 50 [Unbekannt] , ActionTaken: Zulassen Regel-ID: 0 , Inhaltsversion: Nicht verfügbar
29.05.2019 13:15:06 mfeatp(656.5100) Orchestrator.RealProtect.Activity: Überwachung von Prozess mit Prozess-ID 6248 , Dateipfad C:\USERS\ADMINISTRATOR\VIDEOS\REALPROTECT-TESTFILE\RP-D TESTFILE.EXE , durch Real Protect-Cloud-Scanner
29.05.2019 13:15:43 mfeatp(656.2832) Orchestrator.RepChangeListener.Activity: Real Protect-Cloud-Scanner-Verfolgung abgeschlossen für Prozess-ID 6248 , Datei C:\Users\Administrator\Videos\RealProtect-TestFile\RP-D TestFile.exe mit Grund-ID 7
29.05.2019 13:15:46 mfeatp(656.3340) Orchestrator.Action.Activity: Real Protect-Cloud-Erkennung gefunden, Erkennungsname: Real Protect-eicar.b!E7C634F89877 in Quellprozess-ID: 6248, Quellpfad: C:\WINDOWS, Name der Quelle: EXPLORER.EXE, Zielpfad C:\Users\Administrator\Videos\RealProtect-TestFile, Name des Ziels: RP-D TestFile.exe, Ziel-Hash: E7C634F89877F72DDCF085F9BF0B2B54, Reputation: 1 [Als bösartig bekannt], Quellbenutzer: , Zielbenutzer: , ausgeführte Aktion: Säubern, Inhaltsversion: 1.0, Scan-Modul-Version: 10.6222

 

Whereby a TIE server is not always given and the test files would have to be found without TIE and then deleted.
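
Added example, not part of the original post and not McAfee code: a small triage script for the log excerpt above that finds files allowed at execution ("Zulassen") and later cleaned by the Real Protect cloud scanner, and reports how long the process ran in between. The regular expressions are assumptions matched to the German-locale lines shown in this thread; other locales or product versions need other patterns.

```python
import re
from datetime import datetime

# Three lines copied from the German-locale mfeatp activity log in the post above.
SAMPLE_LINES = [
    r"29.05.2019 13:14:49 mfeatp(656.1696) Orchestrator.Action.Activity: Aktionsdetails:: Datei: RP-S TESTFILE.EXE , Modus: Erzwingen , Scanner: Real Protect-Client , Erkennungsname: Real Protect-LS!930dd4b3661c , Reputation: 1 [Als bösartig bekannt] , ActionTaken: Säubern Regel-ID: 0 , Inhaltsversion: Nicht verfügbar",
    r"29.05.2019 13:15:06 mfeatp(656.5100) Orchestrator.Action.Activity: Aktionsdetails:: Datei: RP-D TESTFILE.EXE , Modus: Erzwingen , Scanner: On-Execute-Scan , Erkennungsname: ATP/Suspect!cdae0ffbc37f , Reputation: 50 [Unbekannt] , ActionTaken: Zulassen Regel-ID: 0 , Inhaltsversion: Nicht verfügbar",
    r"29.05.2019 13:15:46 mfeatp(656.3340) Orchestrator.Action.Activity: Real Protect-Cloud-Erkennung gefunden, Erkennungsname: Real Protect-eicar.b!E7C634F89877 in Quellprozess-ID: 6248, Quellpfad: C:\WINDOWS, Name der Quelle: EXPLORER.EXE, Zielpfad C:\Users\Administrator\Videos\RealProtect-TestFile, Name des Ziels: RP-D TestFile.exe, Ziel-Hash: E7C634F89877F72DDCF085F9BF0B2B54, Reputation: 1 [Als bösartig bekannt], Quellbenutzer: , Zielbenutzer: , ausgeführte Aktion: Säubern, Inhaltsversion: 1.0, Scan-Modul-Version: 10.6222",
]

TS = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ")
# Keywords are the German ones seen in this log (assumed patterns, not a vendor schema).
DECISION = re.compile(r"Aktionsdetails:: Datei: (?P<file>.+?) , .*?Reputation: (?P<rep>\d+) "
                      r"\[.*?\] , ActionTaken: (?P<action>\S+)")
CLOUD = re.compile(r"Real Protect-Cloud-Erkennung gefunden, .*?Name des Ziels: (?P<file>.+?), "
                   r".*?Reputation: (?P<rep>\d+) \[.*?\], .*?ausgeführte Aktion: (?P<action>[^,]+)")

def parse(lines):
    """Return one dict per decision/cloud line: time, file (lower-cased), stage, rep, action."""
    events = []
    for line in lines:
        ts = TS.match(line)
        if not ts:
            continue  # skip lines whose timestamp is missing or cut off
        when = datetime.strptime(ts.group(1), "%d.%m.%Y %H:%M:%S")
        for stage, rx in (("decision", DECISION), ("cloud", CLOUD)):
            m = rx.search(line)
            if m:
                events.append({"time": when, "file": m["file"].strip().lower(), "stage": stage,
                               "rep": int(m["rep"]), "action": m["action"].strip()})
    return events

def allowed_then_convicted(events):
    """Files allowed at execution and later acted on by the cloud scanner.
    Returns (file, reputation_at_allow, reputation_at_verdict, seconds_running)."""
    allowed, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["stage"] == "decision" and e["action"] == "Zulassen":
            allowed.setdefault(e["file"], e)
        elif e["stage"] == "cloud" and e["action"] != "Zulassen" and e["file"] in allowed:
            first = allowed.pop(e["file"])
            delay = int((e["time"] - first["time"]).total_seconds())
            hits.append((e["file"], first["rep"], e["rep"], delay))
    return hits

if __name__ == "__main__":
    for hit in allowed_then_convicted(parse(SAMPLE_LINES)):
        print(hit)
```
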

jmcg
Reliable Contributor
Message 16 of 17

Nice!
jmcg
Reliable Contributor
Message 17 of 17

This is ENS TP policy

You need to put HIGH on ENS ATP Policy
