
Reputation Actions

Can someone explain the actions taken based on the different reputations? (specifically known trusted vs might be trusted vs unknown)

3 Replies

Re: Reputation Actions

@rkokic Please find the information below.

Adaptive Threat Protection

McAfee® Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.


Adaptive Threat Protection, with next-generation Real Protect scanning and Dynamic Application Containment, performs automated analysis to contain, block, or clean files with known malicious or unknown reputations.


Use McAfee® ePolicy Orchestrator® (McAfee® ePO™) to configure, manage, deploy, and enforce Adaptive Threat Protection policies. Configure queries, reports, and dashboards to monitor threat activity within your environment.


The Adaptive Threat Protection module is supported on Windows systems only. Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.


Adaptive Threat Protection also integrates with:


McAfee Threat Intelligence Exchange (TIE) server — A server that stores information about file and certificate reputations, then passes that information to other systems. TIE server is optional. For information about the server, see Threat Intelligence Exchange.


Data Exchange Layer — Clients and brokers that enable bidirectional communication between the Adaptive Threat Protection module on the managed system and the TIE server. Data Exchange Layer is optional — it is required for communication with TIE server. For more information about McAfee Data Exchange Layer integration, see McAfee Data Exchange Layer.


These components are installed as McAfee ePO extensions and add additional new features and reports.



Real Protect


Key benefit: Next-generation scanning and detection performance; automated detection and protection for unknown security threats and malware.


Real Protect scanning performs automated, real-time behavioral analysis to detect zero-day malware which is undetected by static detection methods. Uses signature-less machine learning with minimal client footprint and performance impact. Real Protect stops known threats by comparison and analysis of established malware attributes, then combats and convicts the unknown using behavioral and memory analysis. Real Protect unpacks executables to detect sophisticated threats using obfuscated code variants.


Improves detection rates up to 30% from legacy based DAT/signature with McAfee GTI detections alone.


Pre-execution, detects malware before it executes

Signature-less static analysis

Compares attributes against millions of samples

Machine learning automates classification


Identifies malicious actions

Real-time behavior classification finds commonalities through identifiable actions

Machine learning automates classification

Genealogy-based repair


Augments McAfee endpoint security products for Windows





Dynamic Application Containment (DAC)

Key benefit: Maintains productivity while securing patient zero, isolating the network, and preventing damage to endpoint


Suspicious applications run contained, but DAC monitors, restricts, and blocks potential malicious actions executed by the unknown process. DAC defeats “Sandbox-aware” malware; malware is less likely to detect the containment. DAC also speeds up remediation as detection occurs on the endpoint and remediation of the patient zero endpoint is “not needed” since malware was “already contained”.


DAC defeats “Sandbox-aware” malware; malware is less likely to detect the containment.

DAC speeds up remediation as detection occurs on the endpoint. Correction of patient zero endpoint is “not needed” since the malware was “already contained”.


Processes are contained if reputation is less than the configured reputation threshold. For example, DAC will contain an unknown process if it has an unknown reputation. Actions of a contained process are constrained by the Block or Report settings configured for enabled Dynamic Application Containment rule.  For further information on recommended Dynamic Application Containment rule settings, see KB87843 in the McAfee Knowledge Base.  Dynamic Application Containment Rules are created by McAfee Labs Global Threat Intelligence, based on latest unknown malware analysis.

Administrators can create global exclusions based upon process name, MD5 hash, or digital signature. DAC reputation threshold value is set to "Unknown" by default.


When integrated with McAfee Active Response or Advanced Threat Defense, file execution attributes are traced, collected, and reported for real-time analysis. If convicted, DAC will terminate the contained process.  If clean, DAC allows the process to run.


McAfee Employee

Re: Reputation Actions

If your question is purely ATP related then you define what actions are taken in the ENSATP options policy. The action will also be different if you have observe mode enabled - you will be informed of the action the software is meant to take, i.e. "would block" or "would allow".

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: Reputation Actions

My question revolves more around how ATP/TIE reacts to specific reputations... In particular, what happens with an .exe whose reputation is set as Unknown, Most Likely Trusted, or Known Trusted? This question was posed to me as we receive alerts for .exe's with these reputations. I understand that the actions/behaviors are monitored, but how much for each reputation? Does anything else happen? How can ATP actions be monitored?
