Same here, and we have seen this since the beginning, when we started the TIE project. We first thought it was coming from the ATD Sandbox and some files it gave wrong back, or the PROCESS was interrupted at some point (like when you once reboot the ATD). We also noticed that these files are on a lot of machines in the enterprise.
I have deployed ENS 10.5.1 and recently I have started deploying TIE in a test environment, and I am facing the same issues. In TIE reputations, Chrome.exe shows Unknown composite reputation and other reputations are either not available or not set. Is this normal for a popular application like chrome.exe?
Further, I have integrated it with VirusTotal, but for each file I need to manually retrieve the reputation on the VirusTotal tab. Isn't it automatic for all unknown reputation files?
I figured out that when I select the file manually on the TIE reputation dashboard and run refresh GTI Reputation manually from the action tab, the file status is refreshed with Known trusted. Now I have a doubt: why doesn't it get refreshed automatically? Are there any settings available for that?
McAfee has to move now with the TIE and ATD. There are several other problems we currently have, and others too. Like the Framework 2.0 Assemblies, which on every machine have a different MD5 checksum and are rated as "Unknown", and these DO not run on strict customer sites.
WannaCry weekend did put some pressure on this and we want it working. Those are customers who spent above 250'000.- on McAfee products.
How do we do that with the EMPTY files we talk about?
Each one of us OPENS a ticket and escalates?
At least we want to know:
a) Where they come from
b) How I can EXCLUDE/DELETE the files with a script or with the GUI
Just some information from my side. We are supporting many TIE installations. The screenshots here are looking really special. We do not see this behavior in our internal environment and also not at the customer. In many cases Company Name, Product Name, File Version are not available in TIE. This is working as designed. From my point of information, if a file is known trusted the TIE Server does not request the file details from the endpoint. But the filename should be available.
How about the TIE Environment, is there anything shown fine in the EPO Server Settings?
How about the ENS logs?
How about the TIE Server logs directly located on the appliance?
The other customers also with the ATD Sandbox giving back info to the TIE? Or just TIE and MGW?
We at first always thought those are mandatory GTI hashes they currently are investigating BUT only have the MD5 checksums, and
McAfee wants to make sure that the customers already have the HASHES in their TIE environments.
We do NOT submit any MD5 or files to GTI upwards. The customers want everything ONPREMISE and NO info published to GTI. Maybe that's the difference we have?
Here is one setting...
We have NO ENS Logs because we can't see WHERE it did run on some of those TIE files.
On others we just see a GUID or the GUID together with clients. Where we see the clients
I assume there is no error in the LOCAL ENS logs. It would be the ones with the GUID.
I am unsure if the GUID has anything to do with the McAfee Agent or KEY. But it should be the AGENT-GUID.
Maybe when the AGENT migrates from 5.X upwards the ATP/TIE module still works or moves files AROUND
and during that time this happens?
Here are the Versions we run there:
McAfee DXL Client 184.108.40.2065
Endpoint Security Platform 10.5.1.1190
DLP Endpoint 10.0.200.392
Endpoint Security Adaptive Threat Protection 10.5.1.1163
Endpoint Security Threat Prevention 10.5.1.1261
If we do where has it run:
It looks like this is solved for 10.2.X BUT still open to date 10.08.2017 for 10.5.X.
We have the same with 10.5.1 and the latest version of all involved products EXCEPT the DXL client. Some 3.0 release, but not the newest.