
How does TIE work with GTI reputation

Hello,

I am checking how TIE works with GTI reputation and I've got some disconcerting results.

I have 3 files for testing:

- FILE 1: GTI Reputation = Most Likely Malicious

- FILE 2: GTI Reputation = Might be Malicious

- FILE 3: GTI Reputation = Not Set

- SCENARIO 1:

Endpoint Threat Intelligence Policy Set to: Block when reputation threshold reaches: Unknown.

- FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED

- FILE 2: GTI Reputation = Might be Malicious --> BLOCKED

- FILE 3: GTI Reputation = Not Set --> BLOCKED

- SCENARIO 2:

Endpoint Threat Intelligence Policy Set to: Block when reputation threshold reaches: Might be Malicious.

- FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED

- FILE 2: GTI Reputation = Might be Malicious --> ALLOWED

- FILE 3: GTI Reputation = Not Set --> ALLOWED

- SCENARIO 3:

Endpoint Threat Intelligence Policy Set to: Block when reputation threshold reaches: Most Likely Malicious.

- FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED

- FILE 2: GTI Reputation = Might be Malicious --> ALLOWED

- FILE 3: GTI Reputation = Not Set --> ALLOWED

The result is the same for Scenarios 2 and 3.

How can I block 'Might be Malicious' files but not 'Not Set' files?

Or can I block 'Most Likely Malicious' and 'Might be Malicious' but not 'Unknown' files?

Thanks in advance.

Regards,

3 Replies

Re: How does TIE work with GTI reputation

Any idea?

Why does TIE cache GTI reputation locally and not work properly?

Re: How does TIE work with GTI reputation

Check the Server Settings for TIE/ATP settings (ref: KB85694).

Re: How does TIE work with GTI reputation

You could also try and see what happens when you select a different set of TIE Rules. If you are using the Balanced rule (formerly: Typical Systems), you will get different results if you select Security (formerly: Low Change Systems). Careful though, especially when rolling this out.
