I have a McAfee VSE/TIE/ATD setup, which works well for Portable Executables using EXE files. EXEs seen by VSE with no reputation are sent ATD for analysis, which is expected.
What I noticed is that if a DLL is executed by RunDLL32.exe though, a new entry gets created in the TIE server, but it has a reputation of "Unknown". The file is also not submitted to ATD.
Does anyone else has the same problem? If TIE only selectively sends DLL to ATD for analysis, this causes concern as many malware (i.e. NotPetya) executes malicious code by dropping a DLL file and run it using RunDLL32.exe.
I would suggest checking your Threat Intelligence Exchange Server Management Policy in ePO. Under the Sandboxing tab, make sure Windows Dynamic Link Library and Windows Dynamic Link Library (16 bits) are under the Selected File Types.