rkokic
Level 8
Message 1 of 3

Reputation Actions

Can someone explain the actions taken based on the different reputations? (specifically known trusted vs might be trusted vs unknown)

2 Replies
vnaidu
Level 11
Message 2 of 3

Re: Reputation Actions

@rkokic Please find the information below.

Adaptive Threat Protection

McAfee® Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.

Adaptive Threat Protection with next-generation Real Protect scanning, and Dynamic Application Containment, performs automated analysis, to contain, block, or clean files with known malicious or unknown reputations.

Use McAfee® ePolicy Orchestrator® (McAfee® ePO™) to configure, manage, deploy, and enforce Adaptive Threat Protection policies. Configure queries, reports, and dashboards to monitor threat activity within your environment.

The Adaptive Threat Protection module is supported on Windows systems only. Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.

Adaptive Threat Protection also integrates with:

McAfee Threat Intelligence Exchange (TIE) server — A server that stores information about file and certificate reputations, then passes that information to other systems. TIE server is optional. For information about the server, see Threat Intelligence Exchange.

Data Exchange Layer — Clients and brokers that enable bidirectional communication between the Adaptive Threat Protection module on the managed system and the TIE server. Data Exchange Layer is optional — it is required for communication with TIE server. For more information about McAfee Data Exchange Layer integration, see McAfee Data Exchange Layer.

These components are installed as McAfee ePO extensions and add additional new features and reports.

Real Protect

Key benefit: Next-generation scanning and detection performance; automated detection and protection for unknown security threats and malware.

Real Protect scanning performs automated, real-time behavioral analysis to detect zero-day malware which is undetected by static detection methods. Uses signature-less machine learning with minimal client footprint and performance impact. Real Protect stops known threats by comparison and analysis of established malware attributes, then combats and convicts the unknown using behavioral and memory analysis. Real Protect unpacks executables to detect sophisticated threats using obfuscated code variants.

Improves detection rates up to 30% from legacy based DAT/signature with McAfee GTI detections alone.

Pre-execution, detects malware before it executes
Signature-less static analysis
Compares attributes against millions of samples
Machine learning automates classification

Identifies malicious actions
Real-time behavior classification finds commonalities through identifiable actions
Machine learning automates classification
Genealogy-based repair

Augments McAfee endpoint security products for Windows

Dynamic Application Containment (DAC)

Key benefit: Maintains productivity while securing patient zero, isolating the network, and preventing damage to endpoint

Suspicious applications run contained, but DAC monitors, restricts, and blocks potentially malicious actions executed by the unknown process. DAC defeats “Sandbox-aware” malware, malware is less-likely to detect the containment. DAC also speeds up remediation as detection occurs on the endpoint and remediation of the patient zero endpoint is “not needed” since malware was “already contained”.

DAC defeats “Sandbox-aware” malware, malware is less-likely to detect the containment.

DAC speeds up remediation as detection occurs on the endpoint. Correction of patient zero endpoint is “not needed” since the malware was “already contained”.

Processes are contained if reputation is less than the configured reputation threshold. For example, DAC will contain an unknown process if it has an unknown reputation. Actions of a contained process are constrained by the Block or Report settings configured for enabled Dynamic Application Containment rule. For further information on recommended Dynamic Application Containment rule settings, see KB87843 in the McAfee Knowledge Base. Dynamic Application Containment Rules are created by McAfee Labs Global Threat Intelligence, based on latest unknown malware analysis.

Administrators can create global exclusions based upon process name, MD5 hash, or digital signature. DAC reputation threshold value is set to "Unknown" by default.

When integrated with McAfee Active Response or Advanced Threat Defense, file execution attributes are traced, collected, and reported for real-time analysis. If convicted, DAC will terminate the contained process. If clean, DAC allows the process to run.

[Attached image: 126319_ENS_10_5_modules_ATP.png]

Venu
chealey
McAfee Employee
Message 3 of 3

Re: Reputation Actions

If your question is purely ATP related then you define what actions are taken in the ENS ATP options policy. The action will also be different if you have observe mode enabled - you will be informed of the action the software is meant to take, i.e. "would block" or "would allow".

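To make the two replies concrete, here is a small model (added example, not McAfee code or documentation) of the DAC decision described above: a process is contained when its reputation is at or below the configured threshold (the documented example of an Unknown process being contained at the default Unknown threshold shows the comparison is inclusive), global exclusions by process name or MD5 bypass containment, a contained process hitting an enabled rule is blocked or only reported according to that rule's setting, and observe mode reports what the software "would" do. The TIE reputation level names and their numeric scores, the rule names and the hashes are assumed or constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Reputation(IntEnum):
    """TIE reputation levels in ascending trust order (scores are assumed)."""
    KNOWN_MALICIOUS = 1
    MOST_LIKELY_MALICIOUS = 15
    MIGHT_BE_MALICIOUS = 30
    UNKNOWN = 50
    MIGHT_BE_TRUSTED = 70
    MOST_LIKELY_TRUSTED = 85
    KNOWN_TRUSTED = 99

@dataclass
class DacPolicy:
    threshold: Reputation = Reputation.UNKNOWN      # default per the thread
    rules: dict = field(default_factory=dict)       # rule name -> "Block" | "Report" | None
    excluded_names: set = field(default_factory=set)
    excluded_md5: set = field(default_factory=set)
    observe_mode: bool = False

@dataclass
class Process:
    name: str
    md5: str
    reputation: Reputation

def is_contained(proc: Process, policy: DacPolicy) -> bool:
    """Contain when reputation is at or below the threshold, unless excluded.
    The doc's own example (Unknown contained at the default Unknown threshold)
    shows the check is inclusive, not strictly 'less than'."""
    if proc.name.lower() in policy.excluded_names or proc.md5.lower() in policy.excluded_md5:
        return False
    return proc.reputation <= policy.threshold

def decide(proc: Process, policy: DacPolicy, rule: str) -> str:
    """Outcome when the process performs an action covered by a DAC rule."""
    if not is_contained(proc, policy):
        return "allow"                      # above threshold: runs unrestricted
    setting = policy.rules.get(rule)
    if setting == "Block":
        verdict = "block"                   # action denied inside containment
    elif setting == "Report":
        verdict = "report"                  # action permitted, event logged
    else:
        verdict = "allow"                   # rule not enabled
    return f"would {verdict}" if policy.observe_mode else verdict
```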