@rkokic Please find the information below.
Adaptive Threat Protection
McAfee® Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.
Adaptive Threat Protection with next-generation Real Protect scanning, and Dynamic Application Containment, performs automated analysis, to contain, block, or clean files with known malicious or unknown reputations.
Use McAfee® ePolicy Orchestrator® (McAfee® ePO™) to configure, manage, deploy, and enforce Adaptive Threat Protection policies. Configure queries, reports, and dashboards to monitor threat activity within your environment.
The Adaptive Threat Protection module is supported on Windows systems only. Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.
Adaptive Threat Protection also integrates with:
McAfee Threat Intelligence Exchange (TIE) server — A server that stores information about file and certificate reputations, then passes that information to other systems. TIE server is optional. For information about the server, see Threat Intelligence Exchange.
Data Exchange Layer — Clients and brokers that enable bidirectional communication between the Adaptive Threat Protection module on the managed system and the TIE server. Data Exchange Layer is optional — it is required for communication with TIE server. For more information about McAfee Data Exchange Layer integration, see McAfee Data Exchange Layer.
These components are installed as McAfee ePO extensions and add additional new features and reports.
Key benefit: Next-generation scanning and detection performance; automated detection and protection for unknown security threats and malware.
Real Protect scanning performs automated, real-time behavioral analysis to detect zero-day malware which is undetected by static detection methods. It uses signature-less machine learning with minimal client footprint and performance impact. Real Protect stops known threats by comparison and analysis of established malware attributes, then combats and convicts the unknown using behavioral and memory analysis. Real Protect unpacks executables to detect sophisticated threats using obfuscated code variants.
Improves detection rates up to 30% over legacy DAT/signature-based detection with McAfee GTI detections alone.
Pre-execution, detects malware before it executes
Signature-less static analysis
Compares attributes against millions of samples
Machine learning automates classification
Identifies malicious actions
Real-time behavior classification finds commonalities through identifiable actions
Machine learning automates classification
Augments McAfee endpoint security products for Windows
Dynamic Application Containment (DAC)
Key benefit: Maintains productivity while securing patient zero, isolating the network, and preventing damage to endpoint
Suspicious applications run contained, but DAC monitors, restricts, and blocks potentially malicious actions executed by the unknown process. DAC defeats “sandbox-aware” malware; the malware is less likely to detect the containment. DAC also speeds up remediation, as detection occurs on the endpoint and remediation of the patient-zero endpoint is “not needed” since the malware was “already contained”.
Processes are contained if their reputation is less than the configured reputation threshold. For example, DAC will contain an unknown process if it has an Unknown reputation. Actions of a contained process are constrained by the Block or Report settings configured for each enabled Dynamic Application Containment rule. For further information on recommended Dynamic Application Containment rule settings, see KB87843 in the McAfee Knowledge Base. Dynamic Application Containment rules are created by McAfee Labs Global Threat Intelligence, based on the latest unknown-malware analysis.
Administrators can create global exclusions based upon process name, MD5 hash, or digital signature. DAC reputation threshold value is set to "Unknown" by default.
When integrated with McAfee Active Response or Advanced Threat Defense, file execution attributes are traced, collected, and reported for real-time analysis. If convicted, DAC will terminate the contained process. If clean, DAC allows the process to run.
If your question is purely ATP related, then you define what actions are taken in the ENSATP Options policy. The action will also be different if you have Observe mode enabled: you will be informed of the action the software is meant to take, i.e. "would block" or "would allow".
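The containment decision described above, modeled as an added illustration (this is not McAfee code or documentation): an ordered reputation scale with a threshold defaulting to Unknown, global exclusions by process name, MD5 or signer, per-rule Block/Report settings, and Observe mode reporting "would block" instead of acting. The rule names, exclusion values and the numeric ordering of the levels are constructed assumptions.

```python
from enum import IntEnum

class Reputation(IntEnum):
    # TIE reputation levels, ordered from most to least trusted.
    # The numeric values are this model's own ordering, not McAfee's internal codes.
    KNOWN_TRUSTED = 1
    MOST_LIKELY_TRUSTED = 2
    MIGHT_BE_TRUSTED = 3
    UNKNOWN = 4
    MIGHT_BE_MALICIOUS = 5
    MOST_LIKELY_MALICIOUS = 6
    KNOWN_MALICIOUS = 7

# Default DAC threshold is "Unknown": a process no more trusted than the
# threshold (Unknown itself included, per the example in the post) is contained.
DEFAULT_THRESHOLD = Reputation.UNKNOWN

# Constructed sample policy: hypothetical DAC rules and one global exclusion set.
RULES = {
    "hypothetical_rule_A": {"enabled": True, "block": True},   # Block setting
    "hypothetical_rule_B": {"enabled": True, "block": False},  # Report setting
    "hypothetical_rule_C": {"enabled": False, "block": True},  # disabled, never fires
}
EXCLUSIONS = {
    "names": {"backup_tool.exe"},                         # constructed process name
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},          # constructed (MD5 of empty input)
    "signers": {"Example Corp (constructed signer)"},
}

def is_excluded(proc, exclusions):
    """Global exclusions match on process name, MD5 hash, or digital signer."""
    return (proc["name"] in exclusions["names"]
            or proc["md5"] in exclusions["md5"]
            or proc.get("signer") in exclusions["signers"])

def dac_decision(proc, rules=RULES, exclusions=EXCLUSIONS,
                 threshold=DEFAULT_THRESHOLD, observe_mode=False):
    """Return (contained, {rule: action}) for one process.

    Excluded processes, and processes more trusted than the threshold, run
    uncontained. Otherwise every enabled rule constrains the process with its
    Block or Report setting; in Observe mode the action is only reported.
    """
    if is_excluded(proc, exclusions) or proc["reputation"] < threshold:
        return False, {}
    actions = {}
    for name, setting in rules.items():
        if not setting["enabled"]:
            continue
        action = "block" if setting["block"] else "report"
        actions[name] = f"would {action}" if observe_mode else action
    return True, actions
```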
My question revolves more around how ATP/TIE reacts to specific reputations. In particular, what happens with an .exe whose reputation is set as Unknown, Most Likely Trusted, or Known Trusted? This question was posed to me as we receive alerts for .exe's with these reputations. I understand that the actions/behaviors are monitored, but how much for each reputation? Does anything else happen? How can ATP actions be monitored?