I am having minor problems with GTI reputation for FRAMEPKG.EXE with TIE server and Dynamic Application Containment.
When I check the TIE reputations in EPO for FRAMEPKG.EXE for the version 5.x agents, some of the versions have no reputation listed including 22.214.171.1249. Some versions are listed as "most likely trusted".
I am using Dynamic Application Containment for files that are "unknown" by TIE. So when FRAMEPKG.EXE has no reputation in TIE, it gets contained, and then gets shut down when it triggers DAC rules (as many installers do).
For the moment I have set the Enterprise reputation to "Known Trusted" for each framepkg.exe version in my environment, which resolves the problem and allows the agent to install without DAC stopping it. However, I would have thought that McAfee would ensure their components have a reputation in GTI to prevent deployment issues?
If you could inform me of the particular product you are referring to, I can move this discussion to a more appropriate area to get better assistance.
If you copy your framepkg.exe file from the EPO master repository, it is never listed in TIE as trusted. The file is signed by the EPO CA, which is unique. There is also the sitelist.xml file included in the framepkg.exe, which is always unique. Therefore TIE will never show this file as known trusted by default.
We added the McAfee certificates to the Exclusion list in the Dynamic Application Containment Policy. You may test this if it helps.
I saw the exclusions in a Default Policy when testing Cloud EPO. I have noticed no problem with TIE/DAC so far with these exclusions, even though I have not marked framepkg.exe as trusted.
Question 1: On which reputation threshold are you triggering DAC?
Question 2: Which DAC rules are active?
Hope this helps,
Thanks for the info, that's very useful. I will join the 10.5 Beta group and read the guides. I am triggering DAC on "unknown" and was following DAC rules based on the best practice guide https://kc.mcafee.com/corporate/index?page=content&id=KB87843, although I have since removed some of those rules.
One thing I'm not so sure on is where to find the McAfee EPO CA certificate for Framepkg.exe? I am using EPO 5.3.2 Build 156 On Premise and deploying the agents from EPO. TIE reputations shows no signatures?