I noticed that the PowerShell script file reputation is not getting populated in our TIE reputations page.
I have created a test PowerShell script and executed it; however, the file reputation didn't update in the TIE reputation page.
I would like to understand how a file's reputation gets updated in TIE reputation. And files scanned by which scanner (ATP or OAS) update the reputation?
Thanks in advance.
Thank you for your post. This is a good question.
Since we are running a PS script on your PC and expecting it to show up on TIE, it would mean that we are expecting that ENS ATP should detect/scan the script, catch the reputation of the file and send it to TIE Server.
However, ATP does scanning on the PE file here, which is a constant, Powershell.exe, which is already registered in your TIE Server. The scripts are scanned via AMSI only with enhanced script scanning.
I sincerely hope this clarifies your query.
Thanks for the clarification.
If the ATP is only a process scanner and not the file scanner, I can see some .doc and .xlsx files in the TIE reputation page.
Could you please clarify which scanner scanned these files, and how the file's reputation updates the TIE page? Was it by OAS or Active Response?
Thank you for your response. That is an interesting point. OAS cannot cascade any information on files to TIE Server. However, the fact that you have Word files on the TIE server without you adding them would mean I am wrong with respect to what ATP can send to TIE. May I request you to kindly log a Service Request to confirm the source of these files added to TIE server? The Active Response team can confirm this for us.
I have reviewed the .doc file in the TIE reputation page and noticed that the machine where the file was identified doesn't have the MAR client installed. So this issue might not be from MAR, and hence I raised the SR with the TIE team.