blitz (McAfee Employee), Message 21 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

The API does not allow for that, you're only able to fill in the "Comment" field.

Regards,

JL Denis

Troja (Reliable Contributor), Message 22 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Any change with TIE 1.3?? 🙂

blitz (McAfee Employee), Message 23 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

The ePO web API, which lets you change the reputation and comment, hasn't changed, so it would not be possible.

Regards,

JL Denis

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

FYI, with the latest Adaptive Threat Protection Extension update, there are new Event Descriptions. Also, Detecting Product ID is deprecated, and one could use Detecting Product Name instead.

[attachment: ATP Values.PNG]

(If you are using ENS and TIE Module for VSE, the ENS Extension updates and overrides the TIE Module for VSE Extension with these new changes. They both use the same JTIC___1000 Extension in ePO.)

Troja (Reliable Contributor), Message 25 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi,

We installed this solution several times. We just figured out a problem with Tomcat if you have a huge amount of events in ePO and many TIE/suspect events. Often the Tomcat service needs more and more memory or completely breaks.

So we developed an OpenDXL solution to connect directly to the DXL fabric. We can now see any file request to TIE. Based on the query, we ask several information repositories for black- and whitelisting, also including VirusTotal. The improvement is that we see any DXL request and are not dependent on a threat event in ePO. We now see any DXL request from any McAfee endpoint (VSE/ENS/MOVE), ATD, SIEM, MWG and so on. This information is used to query several information repositories. The result of these requests is then processed and the TIE reputation is updated.

Cheers
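The workflow described in the post above (see a reputation request on the fabric, consult local lists and an external multi-engine source, then decide what to write back to TIE) comes down to a decision policy. The following is an added example written for this thread, not the poster's product and not the Convicter script from the first post: it implements only that policy and leaves the transport out. The `ReputationEngine`, `ScanVerdict` and `Decision` names, the thresholds, the whitelist/blacklist sets and the `SCAN_DB` lookup table are all assumptions constructed for the example; the numeric trust levels are the ones the TIE reputation API uses.

```python
"""Added example: reputation decision policy for a DXL/TIE convicting workflow.

Only the decision logic lives here. The surrounding pieces (an OpenDXL client
receiving TIE reputation requests, and the call that sets the TIE reputation)
are assumed and not shown.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# TIE trust levels (numeric values as used by the TIE reputation API)
NOT_SET = 0
KNOWN_MALICIOUS = 1
MOST_LIKELY_MALICIOUS = 15
MIGHT_BE_MALICIOUS = 30
UNKNOWN = 50
MIGHT_BE_TRUSTED = 70
KNOWN_TRUSTED = 99


@dataclass
class ScanVerdict:
    """Multi-engine result for one hash (stand-in for a VirusTotal-style lookup)."""
    positives: int
    total: int


@dataclass
class Decision:
    """What to push to TIE; apply=False means leave the reputation untouched."""
    apply: bool
    trust_level: int = NOT_SET
    comment: str = ""


class ReputationEngine:
    """Turns one reputation request into a TIE trust-level decision.

    Precedence: explicit enterprise verdict already in TIE > local whitelist >
    local blacklist > external multi-engine detection ratio. Decisions are
    cached per hash, so a file every endpoint asks about is looked up once
    rather than on each DXL request (a production cache would add a TTL).
    """

    def __init__(self, whitelist: Set[str], blacklist: Set[str],
                 scan_lookup: Callable[[str], Optional[ScanVerdict]],
                 high: float = 0.30, low: float = 0.10, min_engines: int = 20) -> None:
        self.whitelist = whitelist
        self.blacklist = blacklist
        self.scan_lookup = scan_lookup          # hypothetical external source
        self.high, self.low, self.min_engines = high, low, min_engines
        self._cache: Dict[str, Decision] = {}

    def decide(self, sha256: str, current_trust: int) -> Decision:
        sha256 = sha256.lower()
        # An explicit enterprise verdict wins and is never flipped automatically.
        # Checked before the cache so a later admin change is always respected.
        if current_trust in (KNOWN_MALICIOUS, KNOWN_TRUSTED):
            return Decision(False, current_trust, "enterprise reputation already set")
        if sha256 not in self._cache:
            self._cache[sha256] = self._evaluate(sha256)
        return self._cache[sha256]

    def _evaluate(self, sha256: str) -> Decision:
        if sha256 in self.whitelist:
            return Decision(True, KNOWN_TRUSTED, "local whitelist")
        if sha256 in self.blacklist:
            return Decision(True, KNOWN_MALICIOUS, "local blacklist")
        verdict = self.scan_lookup(sha256)
        # No record, or too few engines, is not evidence either way
        if verdict is None or verdict.total < self.min_engines:
            return Decision(False, NOT_SET, "insufficient external data")
        ratio = verdict.positives / verdict.total
        detail = f"{verdict.positives}/{verdict.total} engines"
        if ratio >= self.high:
            return Decision(True, MOST_LIKELY_MALICIOUS, detail)
        if ratio >= self.low:
            return Decision(True, MIGHT_BE_MALICIOUS, detail)
        if verdict.positives == 0:
            return Decision(True, MIGHT_BE_TRUSTED, detail)
        # A few detections below the low threshold: leave it for a human
        return Decision(False, NOT_SET, detail + ", below threshold")


def handle_request(engine: ReputationEngine, event: dict) -> Decision:
    """Process one reputation-request event (constructed shape, not the DXL payload)."""
    return engine.decide(event["sha256"], event.get("trust", UNKNOWN))


# Constructed sample data standing in for the local lists and the external source
WHITELIST = {"a" * 64}
BLACKLIST = {"b" * 64}
SCAN_DB = {
    "c" * 64: ScanVerdict(positives=40, total=60),
    "d" * 64: ScanVerdict(positives=0, total=55),
    "e" * 64: ScanVerdict(positives=8, total=60),
    "f" * 64: ScanVerdict(positives=2, total=60),
}


def build_demo_engine() -> ReputationEngine:
    return ReputationEngine(WHITELIST, BLACKLIST, SCAN_DB.get)


if __name__ == "__main__":
    eng = build_demo_engine()
    for h in ("a", "b", "c", "d", "e", "f", "0"):
        print(h * 4 + "...", handle_request(eng, {"sha256": h * 64}))
```

The two design points worth keeping when wiring this to a real fabric are the precedence check on the existing TIE value (an automatic process should never overwrite a verdict an analyst set by hand) and the per-hash cache, which is what keeps a popular file from turning every endpoint's lookup into another external query.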

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi Thor, that sounds fantastic! Can you share this with the community?

Troja (Reliable Contributor), Message 27 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Sorry,

but this is not possible. It is a complete system, also with a backbone system in our datacenter. After a client request, the backbone system queries several data sources, stores the information in a database and sends the result back to the FireS client at the customer. The customer himself can decide how the information is used and how the TIE reputation is updated.

We are selling this as a service to our customers and are working on a solution where other McAfee partners can use the solution for their customers.

This system is based on the McAfee OpenDXL story and it really makes sense. 🙂

Finally, if you are interested in the solution, just send me a message.

Cheers,

Thorsten

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi!

I am following the instructions in the first post.

It is necessary to adjust the script to work with McAfee Endpoint Security.

I stopped on the creation of an automatic response.

My list of products does not contain the one specified in the instructions.

[attachment: 2016-05-26_17-11-50.jpg]

I use the TIE v1.3.

The McAfee Endpoint Security integration module with TIE is installed.

[attachment: 2016-05-26_17-13-16.jpg]

What could be the problem?

blitz (McAfee Employee), Message 29 of 53

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi Sergey,

You need to add the following highlighted below.

You're showing the content of the "Master Repository"; you need to install the module on one of the endpoints.

If it does not show, it's because you have not had any events by that product.

Regards,

JL

Re: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

Hi JL,

I'd like to thank you for providing this convicter script. I receive the error "Missing or incorrect arguments" when I run the script either from the command line or test the registered executable within ePO. I entered the necessary information into the script for it to communicate with ePO and VT. The account has "run as a Batch Job" privileges and full control of the python27 folder. Any suggestions?

Thank you

BLeggett
