Framepkg.exe reputation with TIE?

Hi all,

I am having minor problems with GTI reputation for FRAMEPKG.EXE with TIE server and Dynamic Application Containment.

When I check the TIE reputations in EPO for FRAMEPKG.EXE for the version 5.x agents, some of the versions have no reputation listed, including 5.0.4.449. Some versions are listed as "most likely trusted".

I am using Dynamic Application Containment for files that are "unknown" by TIE. So when FRAMEPKG.EXE has no reputation in TIE, it gets contained, and then gets shut down when it triggers DAC rules (as many installers do).

For the moment I have set the Enterprise reputation to "Known Trusted" for each framepkg.exe version in my environment, which resolves the problem and allows the agent to install without DAC stopping it. However, I would have thought that McAfee would ensure their components have a reputation in GTI to prevent deployment issues?

9 Replies
Reliable Contributor catdaddy
Message 2 of 10

Re: Framepkg.exe reputation with TIE?

Hi Darren

If you could inform me of the particular product you are referring to, I can move this discussion to a more appropriate area to get better assistance.

Thank you,

CD

Cliff
McAfee Volunteer

Re: Framepkg.exe reputation with TIE?

Hello, I am referring to Threat Intelligence Exchange Server version 2.0.1.178.

Best Regards

Darren

Reliable Contributor catdaddy
Message 4 of 10

Re: Framepkg.exe reputation with TIE?

Thank you,

I will move it to that specific area so you will receive faster assistance.

Could you kindly assist this user?

Cliff
McAfee Volunteer
Reliable Contributor catdaddy
Message 5 of 10

Re: Framepkg.exe reputation with TIE?

Moved from Community Support to Threat Intelligence Exchange (TIE) > Discussions

For better exposure and assistance.

Cliff
McAfee Volunteer
Reliable Contributor Troja
Message 6 of 10

Re: Framepkg.exe reputation with TIE?

Hello,

If you copy your framepkg.exe file from the EPO master repository, it is never listed in TIE as trusted. The file is signed by the EPO CA, which is unique. There is also the sitelist.xml file included in the framepkg.exe, which is always unique. Therefore TIE will never show this file as known trusted by default.

We added the McAfee certificates to the Exclusion list in the Dynamic Application Containment Policy. You may test this if it helps.

I saw the exclusions in a Default Policy when testing Cloud EPO. I noticed no problem with TIE/DAC so far with these exclusions, even though I have not marked framepkg.exe as trusted.

Question 1: On which reputation threshold are you triggering DAC?

Question 2: Which DAC rules are active?

I activated the rules based on the "ens_10-5_BETA_DAC_rule_configuration_guide_v1.docx" and it is available in the Group.

Hope this helps,

Cheers

Reliable Contributor catdaddy
Message 7 of 10

Re: Framepkg.exe reputation with TIE?

Thank you Thorsten

Cheers,

CD

Cliff
McAfee Volunteer

Re: Framepkg.exe reputation with TIE?

Thanks for the info, that's very useful. I will join the 10.5 Beta group and read the guides. I am triggering DAC on "unknown" and was following DAC rules based on best practice guide https://kc.mcafee.com/corporate/index?page=content&id=KB87843 although I have since removed some of those rules.

Reliable Contributor Troja
Message 9 of 10

Re: Framepkg.exe reputation with TIE?

Let us know if it was helpful, otherwise we can take a look to fix it 🙂

Re: Framepkg.exe reputation with TIE?

One thing I'm not so sure on is where to find the McAfee EPO CA certificate for Framepkg.exe? I am using EPO 5.3.2 Build 156 On Premise and deploying the agents from EPO. TIE reputations shows no signatures?
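
Added example, not part of any post in this thread and not McAfee code: a PowerShell function that reports the file hashes and the Authenticode signer of each framepkg.exe copy, so the values can be compared with what the TIE reputations page shows and it is clear whether a copy carries a signature at all. The function name `Get-InstallerIdentity` and the file paths are assumptions made for illustration.

```powershell
# Added example. Get-InstallerIdentity and the paths below are hypothetical.
function Get-InstallerIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $file = Get-Item -LiteralPath $p -ErrorAction Stop
            $full = $file.FullName

            # Authenticode check; SignerCertificate is $null for an unsigned file.
            $sig  = Get-AuthenticodeSignature -LiteralPath $full
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                Path             = $full
                FileVersion      = $file.VersionInfo.FileVersion
                MD5              = (Get-FileHash -LiteralPath $full -Algorithm MD5).Hash
                SHA1             = (Get-FileHash -LiteralPath $full -Algorithm SHA1).Hash
                SHA256           = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                SignatureStatus  = $sig.Status       # e.g. Valid, NotSigned, UnknownError
                SignerSubject    = if ($cert) { $cert.Subject }    else { $null }
                SignerIssuer     = if ($cert) { $cert.Issuer }     else { $null }
                SignerThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            }
        }
    }
}

# Hypothetical copies of the agent installer; replace with your own paths.
$copies = 'C:\Temp\FramePkg_siteA.exe', 'C:\Temp\FramePkg_siteB.exe'

$report = $copies |
    Where-Object { Test-Path -LiteralPath $_ } |
    Get-InstallerIdentity

# Per-file detail, then a summary of which copies share a signer (or have none).
$report | Format-List
$report | Group-Object SignerThumbprint |
    Select-Object Count, Name, @{ n = 'Files'; e = { $_.Group.Path -join '; ' } }
```

Copies whose hashes differ but whose signer thumbprint matches are candidates for a certificate-based rule rather than a per-hash one; copies reported as `NotSigned` can only be handled by hash.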
