I have a query in deployment of TIE. I deployed DXL client 184.108.40.206 to one of my workstations and it shows as connected, post which I deployed VSE 8.8 patch 7 and TIE module for VSE 1.0.1.140, refer to the screenshot. I did an EICAR test on my test machine but in the threat event logs it shows detecting product as VSE and not TIE. Is there anything that I am missing?
This is urgent; I need to test this before rolling out in the production environment.
Your response will be highly appreciated.
That looks correct. VSE has a detection for the EICAR file, so you wouldn't expect TIE to be the detecting product.
Try creating a custom exe, loading it into TIE, setting the enterprise reputation as Known Malicious, and then attempt to execute that custom exe on one of your client systems with TIE for VSE installed.
When I was testing TIE, I had dozens of custom exes. Some only ran once, some looped permanently (to see what would happen when I updated the reputation), etc.
Thanks, I got it working. I downloaded a romaing.exe file, saved it under user/appdata/roaming, executed the file and boom, the detection product was TIE. I can see the event in TIE module for VSE events, but under TIE Reputations I can see romaing.exe but the reputation shows Unknown. I have set the policy to enforcement. That's something which I need to understand.
Let's talk about the fundamental functionality of TIE. Not every file is visible under TIE Reputations. Why is this?
- Client executes a file.
- If the file is known in the engine/signature, no query to TIE is made. Therefore no information.
- If the file is NOT known in the engine/signature, the endpoint queries TIE. If also unknown by TIE, GTI is queried.
- After an unknown file is executed, the TIE server also "asks" for metadata. This is the detailed information about the file you can see under TIE Reputations.
Hope this helps,
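The lookup order described in that reply, as a constructed Python model (added example, not McAfee or TIE code): engine signatures are consulted first, then TIE's enterprise reputation, then GTI, and only files that actually reach TIE get an entry in the TIE Reputations view. Hashes, the in-memory `TieServer` class and the `execute` function are all assumptions made for illustration; how the enforcement policy treats Unknown files is not modelled.

```python
"""Toy model of the TIE lookup order (constructed example, not vendor code):
engine signatures first, then TIE enterprise reputation, then GTI.
Only files that reach TIE get an entry in the TIE Reputations view."""
from dataclasses import dataclass, field

UNKNOWN = "Unknown"
KNOWN_MALICIOUS = "Known Malicious"


@dataclass
class TieServer:
    enterprise: dict = field(default_factory=dict)  # admin-set reputations
    gti: dict = field(default_factory=dict)         # stand-in for the GTI cloud
    metadata: dict = field(default_factory=dict)    # what TIE Reputations lists

    def query(self, file_hash):
        """Enterprise reputation wins; otherwise fall back to GTI. Metadata is
        recorded for every file TIE was actually asked about."""
        rep = self.enterprise.get(file_hash) or self.gti.get(file_hash, UNKNOWN)
        self.metadata[file_hash] = rep
        return rep


def execute(file_hash, signatures, tie):
    """Return (detecting_product, tie_reputation) for one file execution.
    tie_reputation is None when TIE was never consulted."""
    if file_hash in signatures:
        return "VSE", None  # engine hit: no DXL query to TIE is made
    rep = tie.query(file_hash)
    product = "TIE" if rep == KNOWN_MALICIOUS else None
    return product, rep


# Constructed sample hashes; real values would be the files' SHA-1/MD5.
EICAR, CUSTOM, ROAMING = "hash-eicar", "hash-custom-exe", "hash-romaing-exe"
SIGNATURES = {EICAR}  # EICAR is known to the VSE engine


def demo():
    tie = TieServer(enterprise={CUSTOM: KNOWN_MALICIOUS})
    names = [("eicar.com", EICAR), ("custom.exe", CUSTOM), ("romaing.exe", ROAMING)]
    results = {name: execute(h, SIGNATURES, tie) for name, h in names}
    return results, dict(tie.metadata)


if __name__ == "__main__":
    res, view = demo()
    for name, (product, rep) in res.items():
        print(f"{name:12} detected by {product}, TIE reputation {rep}")
    print("TIE Reputations view:", view)
```

Running it reproduces both observations in the thread: EICAR is VSE's detection and never appears in TIE Reputations, while a file nobody has a reputation for is listed there as Unknown.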
Just for info: TIE has no "Scanning Engine". TIE holds the information delivered by ePO (additional 3rd party feeds), endpoints, gateway products, Advanced Threat Defense, STIX information (automated STIX will be added) and any 3rd party information delivered by SIA partners.
The protocol used for information exchange is DXL (Data Exchange Layer).
Hope this helps,