Thanks, rgc .

Your suggestions is working.

I see the file in TIE Reputations, but I don't see it in MAR Workspace.  How long should I expect for the file to show up in MAR?  Or am I missing a configuration somewhere?  I need to ensure MAR is working properly.

Thanks!

Prechecks for MAR workspace to show the data.

1) Verify trace plugin is enabled in the policy that is applied to the endpoint.

2) The DXL Cloud Databus URL is pointing to a production environment. We can check this from the EPO, Configuration, Server Settings, DXL Cloud Databus, URL [ https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce]

3) The trace Broker Extension is activated. We can check from the EPO, Configuration, Server Settings, DXL Topology, Broker extension. It must show the "Provides Trace data to the cloud for MAR Workspace" checkbox activated.

4) Ensure client system installed with [MAR client, DXL, ENS TP & ATP] components

5) Select problem system from system tree & verify the DXL LOOKUP is successful [Select System -> Actions -> DXL – Lookup in DXL]

1. 6) Register a cloud account with your email address & update the details under ePO  à Server settings à McAfee® ePO™ Cloud Bridge à Edit & update the details

We need to understand the workflow of the workspace

Adding to above inputs...............

The workflow of MAR client handles the file as below.

When a file executed on a system, & it is not categorized by any of the McAfee products, this file reputation score is “50”  [UNKNOWN].

Only the file is with unknown categorized will be sent to MAR CLOUD. Moreover, we should check the TRACE plugin for this client is enabled MAR policy

The client machine should be installed MAR, MA, DXL, ENS ATP & TP, this file consider as unknown.

Troubleshooting the trace information is captured by MAR client & sent to DXL:

The first step of troubleshooting before re-produce the issue, enable the debug logging for MAR client from MAR policy in ePO.

Policy Catalog ==> Select Active Response 2.x Product ==> Duplicate the policy assigned to system /Group ==> Edit the duplicated policy & click on General TAB uncheck the option “Enable data folder protection”  Click on Logger TAB ==> Change the Level “Info – Debug” save & apply this policy.

To reproduce the issue we need a sample unknown file

Follow these steps to create an unknown file reputation

1. Install 7.zip as a program.

2. Create a text file example: RGC.txt

3. Add some text into it and save it, so it isn't blank.

4. Right-click on the file, & expand 7.zip & add to the archive.

5. In the archive section, click the Create SFX archive & hit ok & save it.

6. Go to the newly created .exe & run it, & extract it.

7. From Agent Monitor click on Collect & send props & Send events

8. Check TIE Reputations page to see the file shows as UNKNOWN

We have totally 3 Locations for the customer's data to store in our MAR cloud storage and those areas below.

EU (Frankfurt): https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce

US East (N. Virginia): https://api1.us2.soc.mcafee.com/cloudproxy/databus/produce

US West (N. California): https://api1.soc.mcafee.com/cloudproxy/databus/produce

To check Workspace location the URL: https://,ePO IP>:8443/remote/propertiesUpdaterCommand.do
type ePO console admin credentials.