
TIE Case Study: Blocking Malware Dropped by Infected Microsoft Office Documents



During a recent POC for McAfee Threat Intelligence Exchange (TIE), a prospect sent us some 0-Day malware and challenged us to show what TIE and ATD would do with these samples. The storyboard below shows how TIE and ATD identified the malware, protected the enterprise and helped with visibility and remediation.


See what happened


1. A user receives an Excel document (in this case via targeted spear phishing) that uses an exploit to download and execute malware. TIE identifies this file as "Unknown" and notifies the user with a prompt (Note: in this example, prompting is enabled, but TIE can also be configured to simply block the execution of unknown files).



2. In addition to the user prompt (and independently of the user's decision), TIE also submits the unknown file to McAfee Advanced Threat Defense (ATD) for analysis.




3. At this point, "ATD reputation" is not available and the "Enterprise reputation" has not been set.




4. The end user decides to ignore the warning prompt and run the executable (Note: in this example, prompting is enabled, but TIE can also be configured to simply block the execution of unknown files).




5. ATD finishes its analysis and convicts this file as malicious. This is the first time that this 0-Day has been identified and now TIE can go ahead and immunize your environment.




6. The "ATD Reputation" in TIE gets updated immediately. This changes the overall reputation for the executable to be malicious.




7. When another user receives the same Excel document and opens it, TIE blocks the execution of the malware and prevents an infection.




8. Now that we know that this executable is malicious, we can step up the game and set the "Enterprise Reputation" to "Known Malicious".




9. TIE immediately sends an update to the endpoints and triggers a "clean", meaning the running process is killed and the file is removed from the system.




10. If another user opens the Excel document, the TIE block message changes to reflect the changed "Enterprise Reputation".




11. On top of the actual protection, TIE also offers visibility for Incident Response personnel. For example, you can use TIE to see where a file ran in your environment.







As you can see in this real-world case study, TIE brings a totally new level of protection and visibility to your environment.

To learn more about TIE and how to get your own POC started, visit the TIE Expertcenter page and get in touch with us today.

Version history
Revision #:
2 of 2
Last update:
‎03-15-2018 01:21 PM