bretzeli
Level 11

TIE 2.0/ATD-SANDBOX, Rating from ATD done and good but FILE in TIE stays at LEVEL 50 (Which means NOTRUN)


* Mcafee EPO 5.3L

* ENS 10.2

* Framework 5.0.4

* Latest TIE-Server Update made and reboot made

Running TIE infrastructure.

Sample of the way it goes:

1) A file is unknown AND thus sent to the ATD-3000 Sandbox

2) ATD-3000 rates the file "Most Likely or Might be Trusted"

3) Feedback given back to TIE and we see that it's rated from ATD

The "Composite Reputation" however WILL stay at "UNKNOWN" and thus File would not RUN

"Local Reputation average" stays 50 and thus will not run

Our wish (If the ATD rated a FILE as good and TIE has no other info, it should run the file):

* File UNKNOWN 50 will not run (Any new file)

* If so, the ATD-3000 will analyze it and give Feedback to TIE (Which works)

* TIE will then let the FILE run

Am I completely doing something wrong in concept? Has there been a new concept for version 2.0 which we missed?

Regards

Mike


Accepted Solutions
bretzeli
Level 11

Re: TIE 2.0/ATD-SANDBOX, Rating from ATD done and good but FILE in TIE stays at LEVEL 50 (Which means NOTRUN)


Hello,

It looks like the TIE CONTENT Update from 20.10.2016 does FIX some things in that direction:

McAfee Threat Intelligence Exchange Security Content Releases | McAfee

Does anybody see a "State" observed? I don't. With this product being so extremely difficult to understand, maybe get the "terms" right.

4 Replies
Troja
Level 14

Re: TIE 2.0/ATD-SANDBOX, Rating from ATD done and good but FILE in TIE stays at LEVEL 50 (Which means NOTRUN)


Hi,

This may be by design in DXL. There is a difference between an endpoint executing a file and you uploading the file to ATD manually. I think there is also a knowledge base article available which describes this behavior.

Also, if ATD or MWG detect "no malicious behavior", the file is NOT published as clean in TIE. This is also by design, because ATD/MWG cannot guarantee a file is clean even if there was no detection.

Cheers

bretzeli
Level 11

Re: TIE 2.0/ATD-SANDBOX, Rating from ATD done and good but FILE in TIE stays at LEVEL 50 (Which means NOTRUN)


Hello,

Yes you are correct but in this case:

a) If we UPLOAD the File via GUI or PYTHON (API) scripts to the ATD *AND* TIE has NOT run the file, then we get the [] EMPTY ENTRIES in TIE

b) In my post the mentioned files were run by the CLIENTS and then sent to the ATD. The ATD does rate them "Most Likely Trusted" but the before-mentioned still stays "UNKNOWN" for some EXE Files.

c) With all DLLs for point (b) this is by design, but the EXEs should change. We have some which change and some which do not.

Sample DLL:

Today, after I have approved manually as trusted those around 15 EXEs which were run on the client, sent to ATD and found "Most Likely Trusted" but DID STAY at level 50 back in TIE, they are gone.

But this may only be because we don't have any new files which fit into that scheme/behaviour.

Did not do any updates on any component since then,

Mike

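A diagnostic a practitioner could run against the per-provider reputation map TIE returns for a hash, to tell case (a) (no TIE record at all) from case (b) (ATD verdict present, Enterprise reputation still at 50). This is an added example, not code from this thread or from McAfee. It assumes the response shape and constants of the OpenDXL TIE Python client (dxltieclient): a dict keyed by provider ID, each value a dict with a "trustLevel"; provider IDs GTI=1, Enterprise=3, ATD=5, MWG=7; the trust-level values listed in the code. The two sample maps are constructed to mirror cases (a) and (b) above; a live query would use TieClient.get_file_reputation, which this example does not call.

```python
"""Classify what TIE holds for a file, provider by provider.

Added example, not from the thread or from McAfee. Assumes the response shape
and constants of the OpenDXL TIE Python client (dxltieclient): a dict keyed by
provider ID, each value a dict with a "trustLevel". Sample maps are constructed.
"""

# Provider IDs, as in dxltieclient.constants.FileProvider (assumed)
GTI, ENTERPRISE, ATD, MWG = 1, 3, 5, 7
PROVIDER_NAMES = {GTI: "GTI", ENTERPRISE: "Enterprise", ATD: "ATD", MWG: "MWG"}

# Trust levels, as in dxltieclient.constants.TrustLevel (assumed)
NOT_SET = 0
KNOWN_MALICIOUS = 1
MOST_LIKELY_MALICIOUS = 15
MIGHT_BE_MALICIOUS = 30
UNKNOWN = 50
MIGHT_BE_TRUSTED = 70
MOST_LIKELY_TRUSTED = 85
KNOWN_TRUSTED = 99

LEVEL_NAMES = {
    NOT_SET: "Not Set",
    KNOWN_MALICIOUS: "Known Malicious",
    MOST_LIKELY_MALICIOUS: "Most Likely Malicious",
    MIGHT_BE_MALICIOUS: "Might Be Malicious",
    UNKNOWN: "Unknown",
    MIGHT_BE_TRUSTED: "Might Be Trusted",
    MOST_LIKELY_TRUSTED: "Most Likely Trusted",
    KNOWN_TRUSTED: "Known Trusted",
}


def level_name(level):
    """Human-readable name for a trust level; unlisted values are shown raw."""
    return LEVEL_NAMES.get(level, "level %d" % level)


def provider_levels(reputations):
    """Reduce a TIE reputation map to {provider_id: trust_level}."""
    return {pid: rep.get("trustLevel", NOT_SET) for pid, rep in reputations.items()}


def diagnose(reputations):
    """Classify a per-provider reputation map.

    Returns one of:
      NO_RECORD             no provider has an entry for the hash (case (a):
                            the file was never queried by an endpoint)
      TRUSTED               Enterprise reputation is Might Be Trusted or better
      ATD_BAD               ATD rated the file Might Be Malicious or worse
      ATD_GOOD_ENT_UNKNOWN  ATD rated the file trusted but the Enterprise
                            reputation is still Unknown / Not Set (case (b))
      UNRESOLVED            anything else
    """
    levels = provider_levels(reputations)
    if not levels:
        return "NO_RECORD"
    ent = levels.get(ENTERPRISE, NOT_SET)
    atd = levels.get(ATD, NOT_SET)
    if ent >= MIGHT_BE_TRUSTED:
        return "TRUSTED"
    # NOT_SET (0) is numerically below the malicious levels, so exclude it.
    if atd != NOT_SET and atd <= MIGHT_BE_MALICIOUS:
        return "ATD_BAD"
    if atd >= MIGHT_BE_TRUSTED and ent in (NOT_SET, UNKNOWN):
        return "ATD_GOOD_ENT_UNKNOWN"
    return "UNRESOLVED"


def report(reputations):
    """One line per provider plus the verdict, for a ticket or a log."""
    lines = [
        "%-10s %3d (%s)" % (PROVIDER_NAMES.get(pid, "provider %d" % pid), lvl, level_name(lvl))
        for pid, lvl in sorted(provider_levels(reputations).items())
    ]
    lines.append("verdict: " + diagnose(reputations))
    return "\n".join(lines)


# Constructed samples (not real TIE output).
# Case (a): file uploaded straight to ATD, never queried by an endpoint.
SAMPLE_CASE_A = {}
# Case (b): endpoint ran the file, ATD came back Most Likely Trusted,
# but Enterprise and GTI still sit at 50.
SAMPLE_CASE_B = {
    GTI: {"providerId": GTI, "trustLevel": UNKNOWN, "createDate": 1476950400},
    ENTERPRISE: {"providerId": ENTERPRISE, "trustLevel": UNKNOWN, "createDate": 1476950400},
    ATD: {"providerId": ATD, "trustLevel": MOST_LIKELY_TRUSTED, "createDate": 1476950460},
}

if __name__ == "__main__":
    print(report(SAMPLE_CASE_A))
    print(report(SAMPLE_CASE_B))
```

A verdict of ATD_GOOD_ENT_UNKNOWN is the situation the thread describes: the ATD provider entry is present, so the sandbox feedback did arrive, and what keeps the file at 50 is the Enterprise reputation. The workaround used in the thread, approving the hash manually as trusted, sets exactly that Enterprise value (in dxltieclient that would be TieClient.set_file_reputation; an assumption, and not called here).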
Troja
Level 14

Re: TIE 2.0/ATD-SANDBOX, Rating from ATD done and good but FILE in TIE stays at LEVEL 50 (Which means NOTRUN)


Does this only happen if a file is known trusted by GTI??

Cheers
