How does TIE work with GTI reputation?

Hello,

I am checking how TIE works with GTI reputation and I've got some disconcerting results.

I have 3 files for testing:

- FILE 1: GTI Reputation = Most Likely Malicious
- FILE 2: GTI Reputation = Might be Malicious
- FILE 3: GTI Reputation = Not Set

SCENARIO 1:

Endpoint Threat Intelligence Policy set to: Block when reputation threshold reaches: Unknown.

- FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED
- FILE 2: GTI Reputation = Might be Malicious --> BLOCKED
- FILE 3: GTI Reputation = Not Set --> BLOCKED

SCENARIO 2:

Endpoint Threat Intelligence Policy set to: Block when reputation threshold reaches: Might be Malicious.

- FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED
- FILE 2: GTI Reputation = Might be Malicious --> ALLOWED
- FILE 3: GTI Reputation = Not Set --> ALLOWED

SCENARIO 3:

Endpoint Threat Intelligence Policy set to: Block when reputation threshold reaches: Most Likely Malicious.

- FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED
- FILE 2: GTI Reputation = Might be Malicious --> ALLOWED
- FILE 3: GTI Reputation = Not Set --> ALLOWED

The result is the same for Scenarios 2 and 3.

How can I block 'Might be Malicious' files but not 'Not Set' files?

Or can I block 'Most Likely Malicious' and 'Might be Malicious' files but not 'Unknown' files?

Thanks in advance.

Regards,

3 Replies

Re: How does TIE work with GTI reputation?

Any idea?

Why does TIE cache the GTI reputation locally and not work properly?

Re: How does TIE work with GTI reputation?

Check the Server Settings for TIE/ATP settings (ref: KB85694).

Re: How does TIE work with GTI reputation?

You could also try and see what happens when you select a different set of TIE Rules. If you are using the Balanced rule (formerly: Typical Systems), you will get different results if you select Security (formerly: Low Change Systems). Careful though, especially when rolling this out.
