Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Has this been tested with ePO 5.3? I'm seeing different variables {listOfAgentGUID} and {listOfTargetFileName} in lieu of the suggested {agentGUID} and {targetFileName} used in the Automated Response wizard.

Also, please confirm whether in the convicter.py file the username, password and VT API key values should be enclosed in double quotes "" and whether the server IP address and port should be enclosed in single quotes ''.

Across four different ePO 5.3 systems, I am seeing the response trigger in the ePO server event log and email alerts, but no Python log.txt file created or increase in the VT API usage counters.

Thank you in advance.

Reliable Contributor Troja
Message 12 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

I saw this behavior when the user used for the registered executable is not allowed to "run as a Batch Job".

- Python27.exe was executed

- Python27 crashed

- Therefore no LOG file

- In this case there is no error visible in the ePO GUI.

Check your Windows logs to see whether there is any trouble with python27.exe.

Cheers

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Any update on:

> Has this been tested with ePO 5.3? I'm seeing different variables {listOfAgentGUID} and {listOfTargetFileName} in lieu of the suggested {agentGUID} and {targetFileName} used in the Automated Response wizard.
>
> Also, please confirm whether in the convicter.py file the username, password and VT API key values should be enclosed in double quotes "" and whether the server IP address and port should be enclosed in single quotes ''.
>
> Across four different ePO 5.3 systems, I am seeing the response trigger in the ePO server event log and email alerts, but no Python log.txt file created or increase in the VT API usage counters.
>
> Thank you in advance.

jj4sec
Message 14 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Finally, something that works the first time.

Fantastic tool.

Only things missing:

* make this officially supported

* make the license in virustotal included in the TIE license

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

I also would like to see official support for the VT Convicter. But as for a VT license, I don't see that working because the VT API key is licensed based upon lookup rate. Every organization will have different lookup rates regardless of size or number of TIE licenses.

Reliable Contributor Troja
Message 16 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi ,

I think there will not be any support for the VT Convicter script. It is an example of how Python can be used to add 3rd party information to TIE. So feel free to change the script, add functionality or other sources.

We designed a service for customers to query our server. This server queries other "information repositories" in addition to VT. Also, the customer is able to weight any AV vendor. All this information is then used to calculate a reputation score. 🙂

VT: Yes, if you want to query more than 4 hashes per minute, you need another VT license. We also covered this with our VT service.

Cheers

georgec
Message 17 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

Any way I can query files with "unknown" reputation? The ones that don't trigger the TIE rules? Right now it seems you're limited only to files which generate threat events...

Thanks,

George

McAfee Employee blitz
Message 18 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

The "Automatic Response" is based on an event received from the client, so unfortunately, if there's no event, we cannot trigger a lookup to VT.

Regards,

JL Denis

Reliable Contributor Troja
Message 19 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

you can do the following:

- Set the TIE Module to Observation Mode.

- Block any file which is unknown.

Now for any unknown executed file a TIE/Suspect Event is generated and you can query VirusTotal.

But this should only be used on specific clients.

Cheers

Reliable Contributor Troja
Message 20 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi all,

does anyone know how to write file info like Company Name, Product Name and File Version to the TIE database?

Cheers
