cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cybercop
Level 10
Report Inappropriate Content
Message 1 of 8
‎08-06-2019 02:53 AM

Clients still appear to go direct for GTI Lookups

We have implemented TIE and DXL but even though all appears in order and all system are connected to the TIE server, I am still seeing large amounts of lookups going to 161.69.165.19 directly to the proxy server rather than TIE. Logs on the TIE appear to indicate that TIE is doing lookups and the systems that are reported as doing the direct lookups are reporting that they are connected. What am I missing?
0 Kudos
Reply
7 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 8
‎09-23-2019 09:17 PM

Re: Clients still appear to go direct for GTI Lookups

The client machine would directly make a connection to the GTI only if the ATP module is not installed or when the DXL client is unable to connect to the DXL broker.

If you open the ENS console, check the connection status within the Adaptive Threat protection and see if this is listed as 

TIE-ATP.JPG

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

 
0 Kudos
Reply
cybercop
Level 10
Report Inappropriate Content
Message 3 of 8
‎09-24-2019 02:42 AM

Re: Clients still appear to go direct for GTI Lookups

The client is reporting that its connecting fine to the DXL broker in ePO.

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 4 of 8
‎09-24-2019 08:06 PM

Re: Clients still appear to go direct for GTI Lookups

How the connectivity information in the ATP console ?

0 Kudos
Reply
cybercop
Level 10
Report Inappropriate Content
Message 5 of 8
‎09-25-2019 12:27 AM

Re: Clients still appear to go direct for GTI Lookups

Where do I look? The only thing I can see linked to lookup's is \ProgramData\McAfee\Endpoint Security\Logs\gti_error.log. I am seeing a number of errors in that log like below probably linked to SSL inspection.

httpconnection::SendRequest invalid server certificate.

ATP should be going to the TIE for its reputations...

 

0 Kudos
Reply
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 8
‎09-25-2019 12:49 AM

Re: Clients still appear to go direct for GTI Lookups

Hi @cybercop 

Can you please kindly help us with the specific destination address the endpoint is trying to reach?  The entire list of addresses we use is in this KBA.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
cybercop
Level 10
Report Inappropriate Content
Message 7 of 8
‎09-25-2019 01:10 AM

Re: Clients still appear to go direct for GTI Lookups

Thats the issue. The endpoint is supposed to be going to the TIE Server but it appears that a number don't. I'll log a call with McAfee to check it out. There's a couple of issues with ATP anyway. Thanks for trying.

0 Kudos
Reply
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 8
‎09-25-2019 01:13 AM

Re: Clients still appear to go direct for GTI Lookups

Hi @cybercop 

Thanks for your response. Logging a Service Request is an excellent idea! The reason behind my request to know the destination address is to understand the "type" of look up. Not all GTI look ups are related to determination of file reputation! Hence some of these cannot be sent to GTI.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC