Hi All,
Does anyone have a test file (malware maybe, or a script) that can trigger a detection in the MAR Threat Workspace?
BR,
G.A.
There is a very simple method by which you can create a sample file for testing, one that the file reputation reports as "UNKNOWN".
Follow these steps to create an unknown file reputation:
1. Install 7-Zip as a program.
2. Create a text file, for example: RGC.txt
3. Add some text to it and save it, so it isn't blank.
4. Right-click on the file, expand 7-Zip and choose "Add to archive".
5. In the archive dialog, tick "Create SFX archive", hit OK and save it.
6. Go to the newly created .exe, run it, and extract it.
7. From Agent Monitor click on "Collect and Send Props" and "Send Events".
8. Check the TIE Reputations page to see that the file shows as UNKNOWN.
Thanks, rgc .
Your suggestion is working.
I see the file in TIE Reputations, but I don't see it in the MAR Workspace. How long should I expect to wait for the file to show up in MAR? Or am I missing a configuration somewhere? I need to ensure MAR is working properly.
Thanks!
Prechecks for the MAR workspace to show the data:
1) Verify the trace plugin is enabled in the policy that is applied to the endpoint.
2) The DXL Cloud Databus URL is pointing to a production environment. We can check this from ePO > Configuration > Server Settings > DXL Cloud Databus > URL [https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce]
3) The trace Broker Extension is activated. We can check this from ePO > Configuration > Server Settings > DXL Topology > Broker extension. It must show the "Provides Trace data to the cloud for MAR Workspace" checkbox activated.
4) Ensure the client system has the [MAR client, DXL, ENS TP & ATP] components installed.
5) Select the problem system from the System Tree and verify the DXL lookup is successful [Select System -> Actions -> DXL -> Lookup in DXL].
We need to understand the workflow of the workspace
Common causes of errors on the MAR workspace page, with solutions:

| From ePO [Source] | Concerns / Errors | Solutions |
| Go to MAR Health Status; ensure all the categories are GREEN | Cloud Storage & services show: Error Fetching Data | Verify the McAfee ePO Cloud Bridge extensions are installed and up to date. [These extensions show under the ePolicy Orchestrator category] |
| | Cloud Storage & services show: Unreachable | From the workspace page, click on Configuration, move the cursor to the name of the "cloud account" and you will see the pencil mark for EDIT --> click it, then Proceed to select the location to store the data. |
Adding to the above inputs...
The MAR client handles a file as follows.
When a file is executed on a system and it is not categorized by any of the McAfee products, its file reputation score is "50" [UNKNOWN].
Only files categorized as unknown are sent to the MAR CLOUD. Moreover, we should check that the TRACE plugin is enabled in the MAR policy for this client.
The client machine should have MAR, MA, DXL, ENS ATP & TP installed for this file to be considered unknown.
Troubleshooting whether the trace information is captured by the MAR client and sent to DXL:
The first step of troubleshooting, before reproducing the issue, is to enable debug logging for the MAR client from the MAR policy in ePO.
Policy Catalog ==> Select the Active Response 2.x product ==> Duplicate the policy assigned to the system/group ==> Edit the duplicated policy; on the General tab uncheck the option "Enable data folder protection"; on the Logger tab change the Level to "Info - Debug"; save and apply this policy.
To reproduce the issue we need a sample unknown file.
Follow these steps to create an unknown file reputation:
1. Install 7-Zip as a program.
2. Create a text file, for example: RGC.txt
3. Add some text to it and save it, so it isn't blank.
4. Right-click on the file, expand 7-Zip and choose "Add to archive".
5. In the archive dialog, tick "Create SFX archive", hit OK and save it.
6. Go to the newly created .exe, run it, and extract it.
7. From Agent Monitor click on "Collect and Send Props" and "Send Events".
8. Check the TIE Reputations page to see that the file shows as UNKNOWN.
We have a total of 3 locations in which the customer's data can be stored in our MAR cloud storage; they are listed below.
EU (Frankfurt): https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce
US East (N. Virginia): https://api1.us2.soc.mcafee.com/cloudproxy/databus/produce
US West (N. California): https://api1.soc.mcafee.com/cloudproxy/databus/produce
To check the Workspace location, open the URL https://<ePO IP>:8443/remote/propertiesUpdaterCommand.do
and type the ePO console admin credentials.
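The 8-step 7-Zip procedure (given in the accepted answer and repeated in the reply above) can be scripted so that every run produces a fresh, never-seen SFX executable and records the hashes you will need to search for it in TIE Reputations. The script below is an added example and is not part of the original thread or of any McAfee or 7-Zip documentation; the install paths, the work folder C:\MARtest and the file name RGC.txt are assumptions you should adjust. It uses only documented switches: 7-Zip's `a -sfx`, the SFX module's `-o` and `-y`, and McAfee Agent's `cmdagent.exe /P` (collect and send properties) and `/F` (forward events).

```powershell
# Added example, not from the original post: automates the 7-Zip SFX steps and records
# the hashes TIE keys on, so the resulting .exe can be looked up in TIE Reputations.
# Assumed paths (adjust for your environment):
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
$CmdAgent = 'C:\Program Files\McAfee\Agent\cmdagent.exe'
$Work     = 'C:\MARtest'          # no spaces, so SFX switches need no quoting

New-Item -ItemType Directory -Path $Work -Force | Out-Null
$txt = Join-Path $Work 'RGC.txt'
$sfx = Join-Path $Work 'RGC_sfx.exe'

# Steps 2-3: a non-empty text file. Embedding a timestamp makes every run produce a new
# SFX with a hash no McAfee product has seen, which is what keeps it at UNKNOWN (score 50).
"MAR unknown-file test $(Get-Date -Format o)" | Set-Content -Path $txt -Encoding ASCII

# Steps 4-5: build a self-extracting archive (-sfx selects 7-Zip's default SFX module).
& $SevenZip a -sfx $sfx $txt | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Record MD5/SHA1/SHA256 before running it; TIE Reputations can be searched by any of them.
$hashes = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    Get-FileHash -Path $sfx -Algorithm $alg
}
$hashes | Format-Table Algorithm, Hash -AutoSize

# Step 6: execute the SFX unattended so ENS/TIE observe a new PE running and query its reputation.
# -o<dir> sets the extraction folder and -y answers all SFX prompts with "yes".
Start-Process -FilePath $sfx -ArgumentList "-o$Work\extracted -y" -Wait

# Step 7: same as the Agent Monitor buttons: collect and send props (/P), then forward events (/F).
& $CmdAgent /P
& $CmdAgent /F

# Step 8 is manual: search TIE Reputations for the SHA256 printed here and confirm UNKNOWN.
$sha256 = ($hashes | Where-Object Algorithm -eq 'SHA256').Hash
"Search TIE Reputations for SHA256 $sha256 and confirm it shows as UNKNOWN (score 50)."
```

Keep the printed hashes: they are also what you will look for in the MAR workspace and in the MAR client debug log once the trace plugin is enabled, so you can tell whether the trace left the endpoint at all.

Prechecks 2 and 3 above are console checks; what they cannot tell you is whether the ePO server can actually reach the configured region's databus endpoint. The following added example (not part of the original reply) takes the DXL Cloud Databus URL as configured in ePO, maps its host to one of the three regions listed above, and tests TCP and TLS reachability from the machine it runs on. The `$ConfiguredUrl` value is an assumption; paste the URL from ePO > Configuration > Server Settings > DXL Cloud Databus and run the script on the ePO server.

```powershell
# Added example, not from the original reply: sanity-check the DXL Cloud Databus URL.
# $ConfiguredUrl is an assumed value; replace it with the URL shown in ePO.
$ConfiguredUrl = 'https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce'

# Production MAR cloud endpoints, as listed in this thread.
$Regions = @{
    'api1.eu1.soc.mcafee.com' = 'EU (Frankfurt)'
    'api1.us2.soc.mcafee.com' = 'US East (N. Virginia)'
    'api1.soc.mcafee.com'     = 'US West (N. California)'
}

$uri = [Uri]$ConfiguredUrl
if ($uri.Scheme -ne 'https') { Write-Warning "Databus URL is not HTTPS: $ConfiguredUrl" }

$region = $Regions[$uri.Host]
if ($region) {
    "Configured region: $region ($($uri.Host))"
} else {
    Write-Warning "Host '$($uri.Host)' is not one of the production MAR databus endpoints; check the URL in ePO."
}

# TCP reachability on 443 from this host; a blocked egress path or missing proxy rule fails here.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port 443
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Cannot open TCP 443 to $($uri.Host) from this host"
}

# TLS handshake and server certificate subject. A TLS-intercepting proxy shows its own
# issuer here rather than the vendor's, which is a common reason the cloud shows "Unreachable".
try {
    $client = [System.Net.Sockets.TcpClient]::new($uri.Host, 443)
    $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)
    "TLS OK ($($ssl.SslProtocol)); server cert subject: $($ssl.RemoteCertificate.Subject); issuer: $($ssl.RemoteCertificate.Issuer)"
    $ssl.Dispose(); $client.Dispose()
} catch {
    Write-Warning "TLS handshake to $($uri.Host) failed: $($_.Exception.Message)"
}
```

If the region printed here does not match the storage location you selected in the workspace Configuration page, fix the URL in ePO first; if the TLS step reports a certificate issued by your proxy rather than the vendor, exempt the databus host from interception before re-testing.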