Message 1 of 4

Active Response and air-gap environment

Hello,

Is it possible to use Active Response or just the MAR search without connecting to the McAfee cloud?

Can I update the TIE Reputation db manually in order to see my cases in the Active Response Search in an air-gap environment (no internet connection)?

Thanks in advance!

McAfee Employee
Message 2 of 4

Hello Blue88Report,

Registration of Active Response and operating the product in a way that will not generate any UI errors does require active cloud connectivity. MAR search is a feature that does NOT leverage the cloud; it is primarily used instead to store threat and telemetry data.

I am not sure I understand your follow-up question:

"Can I update the TIE Reputation db manually in order to see my cases in the Active Response Search in an air-gap environment (no internet connection)?"

The Active Response UI can be used to issue reputation overrides with the TIE server. However, that functionality is only available when viewing MAR threats (the cloud-connected UI). I am not sure that answers your questions; if you could perhaps clarify, I can try to get you a better answer.

Thanks

Brian Barnes

Message 3 of 4

Hello Brian,

Thanks for the reply!

I'm updating the TIE Reputation manually using the "file override" option. Will it correspond with the Active Response search in case of any hits?

Thanks in advance!

McAfee Employee
Message 4 of 4

Hello,

I do not believe so. ENS ATP is the primary endpoint product that will consume TIE reputation. The MAR search capabilities are limited to the information the collectors you call actually collect. I am afraid none of the collectors pull an inventory of TIE reputations into the search results.

The threats area (the part requiring cloud connectivity) does perform this lookup for any acknowledged potential threats. However, it does not do it for ALL files.

I hope this information helps!

Brian
