Has this been tested with ePO 5.3? I'm seeing different variables {listOfAgentGUID} and {listOfTargetFileName} in lieu of the suggested {agentGUID} and {targetFileName} used in the Automated Response wizard.
Also please confirm in convicter.py file, if the username, password and VT API key values should be enclosed in double quotes "" and if the server IP address and port should be enclosed in single quotes ''.
Across four different ePO 5.3 systems, I am seeing the response trigger in the ePO server event log and email alerts, but no Python log.txt file created or increase in the VT API usage counters.
Thank you in advance.
Hi,
I saw this behavior if the user used for the registered executable is not allowed to "run as a Batch Job".
- Python27.exe was executed
- Python27 crashed
- Therefore no LOG file
- In this case there is no error in the EPO GUI visible.
Check your Windows logs for any trouble with python27.exe.
Cheers
Any update on
Sean Slattery Aug 25, 2015 10:22 PM (in response to JL Denis)
Finally something that works from the first time
Fantastic tool
Only thing missing:
* make this officially supported
* make the license in virustotal included in the TIE license
I also would like to see official support for the VT Convicter. But as for a VT license, I don't see that working because the VT API key is licensed based upon lookup rate. Every organization will have different lookup rates regardless of size or number of TIE licenses.
I think there will not be any support for the VT Convicter Script. It is an example of how Python can be used to add 3rd Party Information to TIE. So feel free to change the script, add functionality or other sources.
We designed a service for customers to query our server. This server queries other "information repositories" in addition to VT. Also the customer is able to weight any AV vendor. All this information is then used to calculate a reputation score. 🙂
VT: Yes, if you want to query more than 4 hashes per minute you need another VT license. We also covered this with our VT service.
Cheers
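As an added example, not the VT Convicter script itself nor any McAfee or VirusTotal code: a small Python 3 sketch of the two operational points raised in this thread, staying inside the 4-lookups-per-minute public API quota and making sure a failed run still leaves a trace in log.txt instead of dying silently. It assumes the VirusTotal v2 file/report JSON fields `response_code`, `positives` and `total`; the `fetch` callable, the logger name and the 25% detection threshold are placeholders chosen here.

```python
import json, logging, time
from collections import deque
PUBLIC_API_RATE = 4  # public VT API quota quoted in the thread: 4 lookups per minute
log = logging.getLogger("convicter_example")

def configure_logging(path="log.txt"):
    """Send every outcome, including crashes, to log.txt (root logger; our logger propagates)."""
    logging.basicConfig(filename=path, level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")

class RateLimiter:
    """Sliding-window limiter; clock/sleeper are injectable for offline tests."""
    def __init__(self, max_calls=PUBLIC_API_RATE, window=60,
                 clock=time.monotonic, sleeper=time.sleep):
        self.max_calls, self.window, self.clock, self.sleeper = max_calls, window, clock, sleeper
        self.calls = deque()  # timestamps of calls inside the current window

    def acquire(self):
        """Block until a call is permitted; return the seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            while self.calls and now - self.calls[0] >= self.window:
                self.calls.popleft()  # drop calls that have left the window
            if len(self.calls) < self.max_calls:
                self.calls.append(now)
                return waited
            delay = self.window - (now - self.calls[0])
            self.sleeper(delay)
            waited += delay

def classify(report, threshold=0.25):
    """Map a VT v2 file/report document (response_code 0 = unknown hash) to (verdict, ratio)."""
    if report.get("response_code") != 1:
        return "unknown", 0.0
    positives, total = report.get("positives", 0), report.get("total", 0)
    ratio = positives / total if total else 0.0
    verdict = "clean" if positives == 0 else ("malicious" if ratio >= threshold else "suspicious")
    return verdict, ratio

def safe_lookup(file_hash, fetch, limiter):
    """One lookup that never dies silently; fetch(file_hash) is the caller's network call."""
    try:
        limiter.acquire()
        verdict, ratio = classify(json.loads(fetch(file_hash)))
        log.info("%s -> %s (%.2f)", file_hash, verdict, ratio)
        return verdict
    except Exception:
        log.exception("lookup failed for %s", file_hash)  # a crash now leaves a trace
        return "error"
```

Call `configure_logging()` once at start-up and wrap the whole run in `safe_lookup`; then an interpreter that cannot run as a batch job, a bad API key or a malformed response all show up in log.txt rather than only in the Windows event log.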
Hi,
Any way I can query files with "unknown" reputation? The ones that don't trigger the TIE rules? Right now it seems you're limited only to files which generate threat events...
Thanks,
George
The "Automatic Response" is based on an event received from the client, so unfortunately, if there's no event, we cannot trigger a lookup to VT.
Regards,
JL Denis
Hi,
you can do the following.
- Set the TIE Module to Observation Mode.
- Block any file which is unknown.
Now, for any unknown executed file, a TIE/Suspect Event is generated and you can query VirusTotal.
But, this should only be used on specific clients.
Cheers
Hi all,
Does anyone know how to write file infos like Company Name, Product Name and File Version to the TIE database?
Cheers