Hello,
We recently implemented a TIE/DXL server into our McAfee infrastructure.
We've installed the latest ENS & ATP to some testcomputers and ran the RP-D-TestFile.exe to confirm that ATP & TIE are working properly.
We've noticed that the initial reputation of the RP-D-TestFile.exe is "UNKNOWN" and when executed the ATP (Real Protect Cloud) scanner gives it a "Known Malicious" reputation and acts accordingly. But the TIE reputation of the RP-D-TestFile.exe doesn't change and stays at "UNKNOWN". We would expect that on the TIE Server the Local Reputation would be changed to "Known Malicious" but this never happens, even after 10 executions and hours of waiting.
Is this normal behaviour or are we missing something?
Best Regards,
Ivan
#TIE #ATP #Real Protect Cloud
Hello iverbuyst,
I do believe what you are seeing is expected. When it comes to creating test files for use in a solution like this we have to be careful to make sure one module does not prevent the test file from running in another. To use your own example there... If TIE were to adopt the malicious rating of the RP-D-TestFile.exe, any future executions of that file would be blocked prior to them entering into RP analysis. That would make the test file rather useless beyond one test per environment. This is because TIE reputations are evaluated earlier in the workflow. Malicious TIE reps would be actioned and the file would be removed before it ever went to RealProtect for analysis.
If you would like to specifically test the workflow of latest local reputation making it back into TIE, I can offer a test.
Create a self-extracting archive from a text file with some random characters in it. This will ensure it is a new unknown hash. Execute the file and ensure it shows up on the TIE Reputations page. Change the reputation to malicious. You should not only see the file actioned on the endpoint but the local rep and composite rep should update.
Thanks
Brian
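The test Brian describes depends on the endpoint presenting TIE with a hash it has never seen. The following PowerShell script is an added example, not part of Brian's answer or of any McAfee tooling: it builds a fresh random payload, wraps it in a self-extracting archive, records the MD5/SHA-1/SHA-256 hashes so the entry can be found on the TIE Reputations page, and runs it once so the endpoint reports it. It assumes 7-Zip is installed at the path in `$SevenZip` (its `-sfx` switch produces the self-extracting executable); the file names and the work directory under `%TEMP%` are constructed for this example.

```powershell
# Added example (not from the original thread): create a never-before-seen test
# executable so it reaches TIE with an UNKNOWN reputation, then record its hashes
# so the same entry can be located on the TIE Reputations page in ePO.
# Assumption: 7-Zip is installed at $SevenZip; adjust the path if it differs.

$SevenZip = 'C:\Program Files\7-Zip\7z.exe'        # assumed install location
$WorkDir  = Join-Path $env:TEMP 'tie-rep-test'     # constructed scratch folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Random payload: 1 KiB of fresh random bytes (base64 so it is a plain text file)
#    guarantees a hash TIE has not seen, so the first lookup returns UNKNOWN.
$Payload = Join-Path $WorkDir 'payload.txt'
$Bytes   = New-Object byte[] 1024
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
[System.IO.File]::WriteAllText($Payload, [Convert]::ToBase64String($Bytes))

# 2. Wrap the payload in a self-extracting archive so the endpoint treats it as
#    an executable and submits it for a reputation lookup when it runs.
$Sfx = Join-Path $WorkDir 'tie-test.exe'
& $SevenZip a -sfx $Sfx $Payload | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# 3. Record the hashes TIE indexes on, so you can match the entry on the
#    TIE Reputations page before and after changing its reputation.
$Hashes = foreach ($Alg in 'MD5', 'SHA1', 'SHA256') {
    Get-FileHash -Path $Sfx -Algorithm $Alg | Select-Object Algorithm, Hash
}
$Hashes | Format-Table -AutoSize
$Hashes | Export-Csv -Path (Join-Path $WorkDir 'hashes.csv') -NoTypeInformation

# 4. Execute it once so the endpoint reports the file to TIE. The SFX switches
#    -y (assume yes) and -o (output directory) make the extraction unattended.
Start-Process -FilePath $Sfx -ArgumentList '-y', "-o$WorkDir\extracted" -Wait
```

After the first run, look up the recorded SHA-256 on the TIE Reputations page; it should be listed as UNKNOWN. Set the reputation to Known Malicious there, run the same `tie-test.exe` again, and you should see the endpoint action it and both the local and composite reputation columns update, which is the round trip Brian's test is meant to confirm. Re-running the script produces a new random payload and therefore a new hash, so each pass of the test starts from UNKNOWN again.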