We recently implemented TIE and MAR into our environment. TIE's reputation building has been very useful, but we have run into one major roadblock: ENS ATP being unable to block MANUALLY IMPORTED REPUTATIONS of .PDF or .DOCX files.
Our SOC typically will find known malicious files, so our assumption was that we could input all proper hash values of the file, and have the ENS ATP module block these files from being run. After talking with McAfee Support, I was told this wasn't possible (we would have to use ATD to sandbox the files, then based off of ATD's findings, it could block).
So my thought was: Can I create a collector that somehow pulls in TIE reputations? If so, I could make a trigger that says "If TIE reputation is KNOWN MALICIOUS, then REMOVE FILE". From brief testing, I am able to block .PDF and .DOCX files with MAR, so this could be the solution to our problem.
Maybe there's an easier way? Maybe someone else has already found a way to do this? We are just looking to fully utilize our new products.
Unfortunately, I have not received any information. I have a case open with McAfee Enterprise Support regarding MAR triggers in general, so hopefully I can pose this question to the Support representatives and get some guidance. Will report back any further info!
TIE only works with PE files at the client level, so it won't be able to help.
About the only way to do what you are wanting is through a script reaction utilizing the APIs. It probably isn't the best solution.
Your best bet is to use MAR to block the behavior of the macros with Triggers, so blocking Office from executing cmd, powershell, regsvr32, mshta, wscript, etc. If you find false positives in your environment, whitelist by cmdline. Taking this approach, you protect yourself from the known and unknown. Be sure to watch dropped files with WMI executions, scheduled task runs and registry Run/RunOnce as well through correlation rules.
Not the answer you wanted I'm sure but hopefully helpful.
Sure... for example, you might say:
Process name equals "cmd.exe" and Process parentname equals "winword.exe" and Process cmdline not contains "IKnowThisIsNormal"
You can also do "Process parent_cmdline not contains" as well, or the various other parameters.
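To show how the trigger logic in the replies above behaves against process events, here is an added example in plain Python (not McAfee MAR code and not from this thread's posters). It evaluates the "Office parent spawned cmd/powershell/regsvr32/mshta/wscript, unless the command line carries a whitelisted marker" rule over constructed sample events; the field names (name, parentname, cmdline) and the "IKnowThisIsNormal" marker follow the thread, while the event dictionaries and the Office/child process lists are assumptions.

```python
# Added example: a plain-Python stand-in for the MAR trigger described in the
# thread. It is not McAfee code; field names loosely follow the MAR collector
# fields quoted above (name, parentname, cmdline). Event data is constructed.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "regsvr32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}

# Whitelist by command line, as the reply suggests for false positives.
# Constructed marker; in practice match the exact cmdline of the approved job.
CMDLINE_ALLOW_MARKERS = ("IKnowThisIsNormal",)


def trigger_matches(event):
    """True when the MAR-style trigger would fire for this process event."""
    name = event.get("name", "").lower()          # process name, case-folded
    parent = event.get("parentname", "").lower()  # parent process name
    cmdline = event.get("cmdline", "")
    if name not in SUSPICIOUS_CHILDREN or parent not in OFFICE_PARENTS:
        return False
    # "Process cmdline not contains <marker>": suppress when a marker is present
    return not any(marker in cmdline for marker in CMDLINE_ALLOW_MARKERS)


def evaluate(events):
    """Return the ids of the events the trigger would react to, in order."""
    return [e["id"] for e in events if trigger_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "name": "cmd.exe", "parentname": "winword.exe",
     "cmdline": "cmd.exe /c x.bat"},                       # fires
    {"id": 2, "name": "cmd.exe", "parentname": "winword.exe",
     "cmdline": "cmd.exe /c report.bat IKnowThisIsNormal"},  # whitelisted
    {"id": 3, "name": "powershell.exe", "parentname": "explorer.exe",
     "cmdline": "powershell.exe -File backup.ps1"},        # not an Office parent
    {"id": 4, "name": "mshta.exe", "parentname": "EXCEL.EXE",
     "cmdline": "mshta.exe C:\\Users\\Public\\x.hta"},    # fires (case-folded)
]

if __name__ == "__main__":
    print("trigger fires for event ids:", evaluate(SAMPLE_EVENTS))  # [1, 4]
```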