Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to import File and Certificate Reputations into TIE

No ratings


One of the great things about McAfee Threat Intelligence Exchange (TIE) is that it allows you to manipulate Reputations for files and certificates. This allows you to adjust settings for YOUR organization and not rely on just global information.

For example, an in-house custom application can be added (and trusted) manually. Or the Certificate used by your developers can be added.

On the other end, you can react very quickly to emerging threads by importing reputations that you have gathered (for example from IOC and STIX files or from a sandbox analyzer) and setting them as known malicious files. This process can also be scripted and automated. Below are descriptions for the different import methods provided by TIE.


The examples below all show File Reputation imports as they are the most common. All described options also apply to certificate Reputations in the same way.



Manually Importing a single Reputation


TIE gives you and easy and fast way to import single Reputations (probably used most often).

Inside of ePO, navigate to TIE Reputations >> File Overrides >> Actions >> Import Reputations and then enter your Reputation Information






Manually Importing multiple Reputations via XML


Inside of ePO you can import file Reputations in bulk via the UI.

Navigate to TIE Reputations >> File Overrides >> Actions >> Import Reputations and then browse to your XML file containing the Reputations




Creating the XML File


To create your XML file, you need the following elements:

<FileName> = Optional file name

<SHA1Hash> = Required sha1 hash

<MD5Hash> = Required md5 hash

<ReputationLevel> = Required numeric reputation value (see table below)

<Comment> = Optional comment



Possible Values for the Reputation Level


Reputation setting

Numerical value
Known trusted 99
Most likely trusted 85
Might be trusted 70
Unknown 50
Might be malicious 30
Most likely malicious 15
Known malicious 1
Not set 0



Example XML File



<?xml version="1.0" encoding="UTF-8"?>


























        <Comment>Comment for ALTTAB</Comment>














        <Comment>Comment for cabinet.dll</Comment>












        <Comment>Comment for PORTABLEDEVICEAPI</Comment>












        <Comment>Comment for PORTABLEDEVICECONNECTAPI</Comment>







XML File Generator


To assist with the creation and formatting of the XML file, please find attached (at the bottom) the tie_importer.html file. This tool uses javascript in your local browser (store the file and open it in your favorite browser) to assist in formatting multiple Reputations in the correct XML syntax.






Importing Reputations via the ePO web API


The ePO web API allows for automated and scripted aproaches to setting Reputations. For example the McAfee SIEM could use this API to automatically import file reputations into TIE via a script (see python example below).


More details about the ePO web API can be found in the McAfee ePO Web Scripting Guide


The command used to set TIE reputations via the API is tie.setReputations [fileReps] [certReps]

This command will take file or certificate information as parameters.


The parameters need to be formatted as a JSON string. As in the XML import, the sha1, md5 and reputation level are required fields.

Note that the sha1 and md5 hash are base64 encoded binary representations of the values (not ASCII like in the manual import examples!). In the python example below, you can see how the ASCII hash values are decoded as HEX first, before they are base64 encoded and submitted.


JSON fields:

name: Optional file name

sha1: Required base64 encoded sha1 hash

md5: Required base64 encoded md5 hash

reputation: Required reputation as numeric value (see table above)

comment: Optional comment


Example JSON string of file reputation(s):

[{"sha1":"kioq8sbc2dlBtbZQqYiQCSDJ7KU=","md5":"S1w4yxbZvfoMy+yoRkzcQQ==","reputation":"1","comment":"Test Comment","name":"test.exe"}]


Multiple Reputations can be imported at once by combining multiple JSON strings with a comma.

Example 2 JSON string of file reputations combined:





Python Example Script




import mcafee


import sys


import base64












reputation = '1'




#Possible Reputation Values (Need to provide numeric value)


#Known trusted          99


#Most likely trusted    85


#Might be trusted       70


#Unknown                50


#Might be malicious     30


#Most likely malicious  15


#Known malicious        1


#Not set                0




sha1input = sys.argv[1]


md5input = sys.argv[2]




mc = mcafee.client(ePOIP,'8443',ePOUser,ePOUserPwd,'https','json')




sha1base64 =  base64.b64encode(sha1input.decode('hex'))


md5base64 =  base64.b64encode(md5input.decode('hex'))




repString = '[{"sha1":"' + sha1base64 + '","md5":"' + md5base64 + '","reputation":"' + reputation + '"}]'




print 'Adding to TIE Server: ' + repString









Usage: python <sha1hash> <md5hash>






Other useful tools


Especially during PoC and testing cases, you often need a quick way to get the sha1 and md5 hash required for the imports above. There are many hash tools out there (a simple google search will give you plenty of options), but if you need something right now, here is an online tool that does the trick (not endorsed in any way!): Online MD5|SHA1 Hash Generator For File And Text




Labels (1)
Tags (2)
Version history
Revision #:
2 of 2
Last update:
‎03-15-2018 01:22 PM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community