Dear community,
I am using the latest TIE version which I connect to several McAfee Web Gateway appliances.
On McAfee Web Gateway I configured a rule which checks if a file's TIE.Filereputation is between 1 and 30.
If so it is blocked - otherwise the scanning is continued or stopped (because of good reputation).
If the scanning is continued I check with Gateway antimalware if the file is a possible threat - if yes the event "TIE: Report file reputation" is triggered and the cycle ends.
The ruleset works fine.
But on the ePO server, I can see that the TIE Reputations page is growing massively.
I recreated the TIE server database on Saturday and the database contains now round about 40.000 files (1.500 active clients).
If I navigate to "Queries & Reports > Database Type: TieServerSchema > Files: Files > Single Group Summary Table: Label Type" there are over 2 million files.
(see screenshot attached).
This huge number of items makes the "Tie Reputations" page extremely slow.
I am sure that there is a wrong configuration here.
Looking at a file on the "TIE Reputations" page the "First Agent" is mostly (99% of the cases) one of our Web Gateway appliances.
How can I configure the TIE server to not store all Web Gateway files in its database?
I would like to have only the files stored that the antimalware module of Gateway reports.
Hello AlexanderW,
The issue you are experiencing is unfortunately not entirely uncommon. MWG has the ability to analyze many more file types (and in some cases not even files such as streaming video chunks, etc) for which TIE server will never have any actionable reputation data. The change that you need to make however is on the MWG side and not the side of TIE server. You may be able to get some clearer assistance from that product group as I am unfamiliar with MWG. With that said I can advise on what you need to accomplish, however without the specific how-to instructions.
Within the MWG rule sets that evaluate against TIE, you need to include an additional condition or filter that only leverages TIE if the file type is executable or DLL. This will ensure that TIE is only asked, when the file type is one that will likely have reputation data available within TIE and by proxy, within GTI.
Thanks
Brian
Hello @bbarnes,
Thanks for the answer.
Yes, that sounds kind of logical.
I will check our MWG to see if I can set a suitable filter.
I'll get back to you on this.
Edit:
What @bbarnes has written in his post is correct.
On the MWG the rule criteria "MediaType.EnsuredTypes at least one in list Executables" is missing, as described in this article:
https://docs.trellix.com/bundle/web-gateway-8.0.x-interface-reference-guide/page/GUID-861ED207-41ED-...