New to TIE and having a couple of issues.
- Numerous files (around 1000 out of 6000) have their GTI reputation marked as Not Available some have been listed for a couple of days. If I manually refresh them through 'actions' their GTI is refreshed correctly I.e. Known Trusted. Does anyone know why they would not automatically refresh each day? As a temporary solution is there a way to manually refresh all files GTI reputations without going to each individual file through the action menu?
- When setting reputations I noticed that certificate reputations override file reputations. Is there a way to know from the file view when a files certificate has been mark as safe.
- I have managed to test blocking/cleaning 'Known malicious' & 'Most likely malicious' however, I'm not able to get the TIE server to respond to unknown files. Is there somewhere apart from 'Threat Intelligence Exchange module for VSE' policy were this needs to be set to allow for blocking unknown files?
As an ex-Moderator here I can tell tell you that if your question hasn't been answered, it's because nobody knows the answer.
The best thing to do, assuming you or your IT department have a grant number, is contact the Support Portal: Service Portal Home
since TIE 2.0 is available there are some changes and enhancements. Here some information about my point of information.
- unknown vs. not available: Not available means the file is completely unknown in GTI. Unknown means, the file is known in GTI but there is to less information available to classify the file as known good or bad or any other reputation level. Therefore the reputation level is set to unknown.
- TIE Reputations in EPO: The last refresh values are depending on DXL enabled devices. This means if an endpoint, MWG, ATD or NSP analyzes the file a corresponding "last reputation refresh" is updated. Also the GTI information is refreshed if a file was executed on an endpoint and TIE information was requested.
- TIE database: The TIE database is updated completely every 720 minutes (default value). You can change this value in the TIE.properties file using CLI (SSH). There is no "last refresh" value changed under TIE reputations in EPO during this update. A dashboard is available to see where the file reputation was changed.
Hope this helps,
also MWG, if connected to TIE, is able to publish scanned executalbes to TIE. This is cool, because there are two main scenarios why this is an important information.
- Files even they are malicious or not are published to TIE just for reporting.
- If there are some investigations, e.g. a Ransomware infection, MWG generates useful information for analysis (mwg acts as a sensor for TIE)
- GAM detections, which are not possible on the endpoint, are published in TIE and the endpoint just does the enforcement.
As you can see here, MWG has not blocked the file, but the reputation info was updated. Based on design MWG is not able to classify a file as trusted, because even mwg does not detect malicious behavior it is not 100% clear if the file is really clean.
You may add the row "Composite Reputation" under TIE Reputations in EPO to see which "sensor" did the latest reputation update.
I asked the original question and have now changed accounts. Thanks for assisting with this, all the info you provided was very helpful. I found that a lot of my problems were solved with the release of TIE 2.0, and its new functionality. Now I'm just trying to reduce the number of unknown Composite Reputation files shown within TIE. I've opened a new discussion , and would be interested to know if you have any suggestions.