
How to control the execution of new files and certificates in your environment with McAfee Threat Intelligence Exchange



McAfee Threat Intelligence gives complete visibility of new executables and certificates running in your environment, with added endpoint protection that takes local, enterprise and global context into account when determining risky behavior. Let’s take action and apply our new Threat Intelligence to make smarter security decisions.


McAfee Threat Intelligence Exchange makes it possible for administrators to easily tailor comprehensive threat intelligence from global intelligence data sources. These can be McAfee Global Threat Intelligence (McAfee GTI) or third-party feeds, with local threat intelligence sourced from real-time and historical event data delivered via endpoints, gateways, and other security components. Customers are empowered to assemble, override, augment, and tune the intelligence source information so that they can customize data for their environment and organization (for example, blacklists and whitelists of files and certificates or certificates assigned to and used by the organization).








The objective of this use case is to demonstrate the informed control that we are giving to the administrator.  Successful completion of this use case will demonstrate the added control that TIE offers against current and future threats.

Use Case

In ePO click on Menu | Systems Section | TIE Reputations 



Log in to the Client system and attempt to run Artemis-Unknown-AllSL.exe. You will not be able to execute this file because it is unknown and has no reputation. If the file is not blocked, take a look at the prerequisites section of this document. The TIE module for VSE policy should be set to Enforce and block on Unknown.


For this demo, let’s pretend that you have researched Artemis-Unknown-AllSL.exe further and decided it is not malicious. If you would like it to be allowed to run in your environment, you need to override its current reputation.

In the File Search tab, enter Artemis-Unknown in the search field and click Find Files. Click the checkbox next to Artemis-Unknown-AllSL.exe and click Actions.



Mark Artemis-Unknown-AllSL.exe as File Known Trusted.

Note: Setting the reputation to Most Likely Trusted will also work.

This sets the Enterprise Reputation, which overrides the current block based on unknown.


You will be prompted to Add Comment.

Click OK after adding a comment.

Log in to the Client system and attempt to run Artemis-Unknown-AllSL.exe.


You will now be able to execute this file.



Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent to Server Communication Interval (ASCI).


Let’s now pretend that you have discovered several different Wireshark versions in your environment, some of which are being used to capture network traffic, and you are concerned that this might be done with malicious intent.

Download, Install and Run Wireshark on your endpoint as instructed on
To prevent all tools signed with this certificate from executing you would like to block all executables that are signed by the Wireshark certificate.

To do this you need to set its reputation at the enterprise level.


In ePO go to TIE Reputations | Certificate Search tab, enter Wire in the search field, and click Find Certificates.

Click the checkbox next to the Wireshark Certificate, click Actions, and set the certificate to Most Likely Malicious.


You will be prompted to Add Comment.

Click OK after adding a comment.



Any file signed with the Wireshark certificate will be blocked from executing immediately.
Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent to Server Communication Interval (ASCI).


You also have the ability to immunize your environment before a threat occurs. You can get this intelligence from third-party threat feeds, the media, or other security products.

In ePO click on Menu | Systems Section | TIE Reputations | File Overrides

Click Actions | Import Reputations



Filename: MORPH.EXE


SHA-1 Hash:

MD5 Hash:


Set to Most Likely Malicious


Click OK, then OK again on the confirmation screen.

Reputations can also be imported via XML or the ePO API.

Note: There is no specified limit on the size of the file that can be imported, but be aware that every definition will trigger a reputation change event.


Hash tool
Determining the hash of a file allows the administrator to import a reputation before the file ever enters the environment.  As referenced in the Content section a free Hash tool can be found at
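
As an added example (not part of the original article and not McAfee tooling), the Python script below computes the SHA-1 and MD5 values that the Import Reputations dialog asks for, and validates and de-duplicates a list of candidate entries so that no definition is submitted twice. The function names and the sample feed are assumptions made for illustration; the printed labels mirror the dialog fields and are not the XML or ePO API import format.

```python
import hashlib
import re
import sys

SHA1_RE = re.compile(r"[0-9a-f]{40}")
MD5_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample feed: the hashes are those of the three bytes "abc".
SAMPLE_FEED = [
    ("sample-a.bin", " A9993E364706816ABA3E25717850C26C9CD0D89D ",
     "900150983cd24fb0d6963f7d28e17f72"),
    ("sample-a-copy.bin", "a9993e364706816aba3e25717850c26c9cd0d89d",
     "900150983cd24fb0d6963f7d28e17f72"),
    ("sample-b.bin", "not-a-hash", "900150983cd24fb0d6963f7d28e17f72"),
]

def file_hashes(path, chunk_size=1 << 20):
    """Return (sha1, md5) hex digests, reading the file once in chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()

def clean_entries(entries):
    """Normalise (filename, sha1, md5) tuples before import.

    Returns (accepted, rejected): malformed hashes and repeated SHA-1
    values are rejected, so each definition is submitted only once.
    """
    accepted, rejected, seen = [], [], set()
    for name, sha1, md5 in entries:
        sha1, md5 = sha1.strip().lower(), md5.strip().lower()
        if not (SHA1_RE.fullmatch(sha1) and MD5_RE.fullmatch(md5)):
            rejected.append((name, "malformed hash"))
        elif sha1 in seen:
            rejected.append((name, "duplicate"))
        else:
            seen.add(sha1)
            accepted.append((name, sha1, md5))
    return accepted, rejected

if __name__ == "__main__":
    # Hash the files named on the command line, or fall back to the sample.
    rows = [(p, *file_hashes(p)) for p in sys.argv[1:]] or SAMPLE_FEED
    accepted, rejected = clean_entries(rows)
    for name, sha1, md5 in accepted:
        print(f"Filename: {name}\nSHA-1 Hash: {sha1}\nMD5 Hash: {md5}\n")
    for name, reason in rejected:
        print(f"skipped {name}: {reason}", file=sys.stderr)
```
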


Log in to the Client system and attempt to run Morph.exe.


The file is blocked immediately because we set its reputation to Most Likely Malicious in the previous step. This reputation was immediately known by the endpoint because TIE and the DXL operate in real time.





Click Menu | Reporting | TIE Module for VSE Events for additional event details.

For example: select Pivot Point: Pivot by Rule to view the number of blocks based on specific TIE Rules.




The TIE solution gives the administrator immediate control over files and associated certificates executing in their environment as well as the ability to immunize the enterprise with imported threat intelligence.

Version history: Revision 3 of 3. Last update: 03-15-2018 01:15 PM
