I have a McAfee VSE/TIE/ATD setup, which works well for Portable Executables using EXE files. EXEs seen by VSE with no reputation are sent ATD for analysis, which is expected.
What I noticed is that if a DLL is executed by RunDLL32.exe though, a new entry gets created in the TIE server, but it has a reputation of "Unknown". The file is also not submitted to ATD.
Does anyone else has the same problem? If TIE only selectively sends DLL to ATD for analysis, this causes concern as many malware (i.e. NotPetya) executes malicious code by dropping a DLL file and run it using RunDLL32.exe.
I would suggest checking your Threat Intelligence Exchange Server Management Policy in ePO. Under the Sandboxing tab, make sure Windows Dynamic Link Library and Windows Dynamic Link Library (16 bits) are under the Selected File Types.
Thank you for the reply.
I confirm that those files types have been selected, should have mentioned it is the first thing I checked, so it seems to be something else.
Also wanted to mention that after further digging into, I actually see a very small amount of DLLs sent to ATD by TIE. It seems that DLLs are sent to ATD by TIE, but not sure under what conditions.