Message 1 of 5

TIE Deployment Query

Hi All,

I have a query about the deployment of TIE. I deployed DXL client 2.2.0.205 to one of my workstations and it shows as connected, post which I deployed VSE 8.8 patch 7 and TIE module for VSE 1.0.1.140, refer to the screenshot. I did an EICAR test on my test machine, but in the threat event logs it shows the detecting product as VSE and not TIE. Is there anything that I am missing?

This is urgent; I need to test this before rolling out in the production environment.

Your response will be highly appreciated.

Thanks,

Ali

4 Replies

Re: TIE Deployment Query

That looks correct.  VSE has a detection for the EICAR file, so you wouldn't expect TIE to be the detecting product.

Try creating a custom exe, loading it into TIE, setting the enterprise reputation as Known Malicious, and then attempt to execute that custom exe on one of your client systems with TIE for VSE installed. 

When I was testing TIE, I had dozens of custom exes.  Some only ran once, some looped permanently (to see what would happen when I updated the reputation), etc. 

Message 3 of 5

Re: TIE Deployment Query

Hi.

Thanks, I got it working. I downloaded a romaing.exe file, saved it under user/appdata/roaming, executed the file, and boom, the detecting product was TIE. I can see the event in TIE module for VSE events, but under TIE reputation I can see romaing.exe but the reputation shows unknown. I have set the policy to enforcement. That's something which I need to understand.

Thanks,

Ali

Message 4 of 5

Re: TIE Deployment Query

Hi,

Let's talk about the fundamental functionality of TIE. Not every file is visible under TIE reputations. Why is this?

- Client executes a file.

- If the file is known in the engine/signature no query to TIE is made. Therefore no information.

- If the file is NOT known in the engine/signature the endpoint queries TIE. If also unknown by TIE, GTI is queried.

- After an unknown file is executed, the TIE server also "asks" for metadata. This is the detailed information about the file you can see under TIE Reputations.

Hope this helps,

Cheers
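
A simplified model of the lookup order described in the post above, together with the admin-set enterprise reputation suggested earlier in the thread. This is an added illustration, not McAfee code or a TIE API; the class and function names, the SHA-256 keying and the sample files are all assumptions made for the sketch.

```python
import hashlib
from dataclasses import dataclass, field

def digest(content: bytes) -> str:
    # Assumption of this sketch: files are keyed by their SHA-256 digest.
    return hashlib.sha256(content).hexdigest()

@dataclass
class TieModel:
    """Hypothetical stand-in for a TIE server: a reputation store, no scanner."""
    enterprise: dict = field(default_factory=dict)  # digest -> admin-set reputation
    metadata: dict = field(default_factory=dict)    # digest -> details of queried unknown files

    def visible(self, key: str) -> bool:
        return key in self.enterprise or key in self.metadata

def execute(name, content, signatures, tie, gti):
    """Follow the lookup order; return (sources consulted, reputation)."""
    key = digest(content)
    if key in signatures:
        # Known to the engine/signature: handled locally, TIE is never queried.
        return ["VSE"], "Detected by signature"
    consulted = ["VSE", "TIE"]
    reputation = tie.enterprise.get(key)
    if reputation is None:
        # Unknown to TIE too: GTI is queried, and TIE collects the file's metadata.
        consulted.append("GTI")
        reputation = gti.get(key, "Unknown")
        tie.metadata.setdefault(key, {"name": name})
    return consulted, reputation

# Constructed sample files (placeholders, not real binaries).
SIGNATURE_HIT = b"constructed file that the AV signatures already detect"
CUSTOM_EXE = b"constructed custom test exe"
NEVER_SEEN = b"constructed file nobody has seen before"

def run_demo():
    signatures = {digest(SIGNATURE_HIT)}
    tie = TieModel(enterprise={digest(CUSTOM_EXE): "Known Malicious"})
    gti = {}  # GTI has no verdict for any of the samples
    results = {}
    for name, content in [("eicar-like.com", SIGNATURE_HIT),
                          ("custom.exe", CUSTOM_EXE),
                          ("new.exe", NEVER_SEEN)]:
        consulted, reputation = execute(name, content, signatures, tie, gti)
        results[name] = (consulted, reputation, tie.visible(digest(content)))
    return results

if __name__ == "__main__":
    for name, row in run_demo().items():
        print(name, row)
```

Each result row is (sources consulted, reputation, visible under TIE reputations): the signature-detected file never reaches TIE, while the other two do.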

Message 5 of 5

Re: TIE Deployment Query

Hi syedali,

Just for info: TIE has no "Scanning Engine". TIE holds the information delivered by EPO (additional 3rd Party feeds), Endpoints, Gateway Products, Advanced Threat Defense, STIX Information (automated STIX will be added) and any 3rd Party Information delivered by SIA Partners.

The protocol used for Information Exchange is DXL (Data Exchange Layer).

Hope this helps,

Cheers
