Troja (Reliable Contributor), Message 1 of 4

TIEM Content Rules and Threat Intelligence Exchange module for VSE EPO Server Setting

Hi all,

Can anyone explain the dependencies between the TIEM Content Rules inside the "Threat Intelligence Exchange module Content" and the Threat Intelligence Exchange module for VSE Rules in the EPO Server Settings?

The Threat Intelligence Exchange Rule Content Update 392 from 2015-11-26 shows e.g. the following rule:

Rule 62 - Identify an application which reads content files

Description: This rule identifies the main executable file of popular applications which reads content such as PDF documents, Microsoft Office documents, videos, etc. This rule does not assign a reputation but generates metadata about a process for use in subsequent rules.

Default State: Mandatory

This rule is not available under the EPO Server Settings (Threat Intelligence Exchange module for VSE).

How do both affect the TIEM functionality?

Any info?

Cheers

3 Replies

Re: TIEM Content Rules and Threat Intelligence Exchange module for VSE EPO Server Setting

The rule is in there, but the rule number you see in the release notes is an internal index, and doesn't match up to the Execution Order you'll see in the policy. This particular rule is gathering some metadata that is used by later rules.

[Attached screenshot: 12-17-2015 9-05-04 AM.png]

Scott

Troja (Reliable Contributor), Message 3 of 4

Re: TIEM Content Rules and Threat Intelligence Exchange module for VSE EPO Server Setting

Hi Scott,

Let me summarize in detail.

1) TIEM has access to the AV engine directly. Therefore the information from the engine is available for TIEM.

2) The TIEM content updates are used to define which metadata and information about executed executable code are collected.

3) Information from the TIE Server, e.g. Enterprise count or Reputation score, is used to gather additional information.

4) Based on the TIEM policy (System classification, e.g. Typical System) these rules are evaluated.

5) If specific rules are triggered, a TIESuspect event is generated and sent to EPO.

Anything else missing? 🙂

Cheers

Re: TIEM Content Rules and Threat Intelligence Exchange module for VSE EPO Server Setting

I think you are correct in spirit, but I would describe it differently. When TIEM is calculating local reputation for an executable, each rule is evaluated in order, from top to bottom (based on the system classification, as you mention above). Each rule may call out for additional details on the file (which may be local metadata such as the execution directory, or data from the TIE server such as reputation of the signing certificate, prevalence in the enterprise, age in the enterprise, etc.). Each rule *may* then attempt to make a local reputation determination. If a reputation is determined, then we're done. If not, then the next rule is executed. If all rules execute and we still haven't finalized a reputation, then we are stuck with "Unknown".

An important distinction is that bits of information are pulled by individual rules. For example, certificate reputation is fairly high in the rule priority (Rule 8... basically first after some housekeeping rules). When this rule executes, TIEM only requests the certificate reputation information from TIE Server. If we get a result here, then TIEM doesn't need to request other information like GTI or Enterprise reputation. The incremental nature of these rules is important for maintaining performance. If the majority of the executables are resolved with early rules, then we don't need to incur network or other resources necessary to resolve the lower priority rules.

Scott
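The ordered, incremental evaluation Scott describes (and the five-step summary in the previous reply) can be modelled as a small rule chain. The following is an added illustrative example, not McAfee's TIEM code: the rule names, the reputation labels, the fake file hashes and the `TIE_SERVER` lookup table are all constructed assumptions. What it shows is the behaviour discussed above: a housekeeping rule that only tags metadata (like Rule 62), a certificate-reputation rule that fetches exactly one attribute from the server, later rules that only run (and only generate further lookups) when earlier rules made no determination, and "Unknown" as the fall-through result.

```python
"""Illustrative model of ordered, incremental reputation rules.
Constructed example; not McAfee TIEM code. All names and values are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed stand-in for the TIE Server: fake hashes -> attributes a rule may request.
TIE_SERVER = {
    "hash-signed-good":     {"cert_reputation": "trusted", "enterprise_prevalence": 120},
    "hash-unsigned-rare":   {"cert_reputation": None,      "enterprise_prevalence": 1},
    "hash-unsigned-common": {"cert_reputation": None,      "enterprise_prevalence": 5000},
}


@dataclass
class FileContext:
    """Everything known so far about one executable being evaluated."""
    sha256: str
    path: str
    metadata: dict = field(default_factory=dict)        # tags set by housekeeping rules
    lookups: List[str] = field(default_factory=list)    # audit trail of server requests

    def fetch(self, attr: str):
        """Lazily request one attribute from the simulated TIE Server and record the call."""
        self.lookups.append(attr)
        return TIE_SERVER.get(self.sha256, {}).get(attr)


# A rule returns a reputation label, or None to pass the decision to the next rule.
Rule = Callable[[FileContext], Optional[str]]


def rule_identify_content_reader(ctx: FileContext) -> Optional[str]:
    """Housekeeping rule: only records metadata for later rules, never decides."""
    ctx.metadata["reads_content_files"] = ctx.path.lower().endswith(("winword.exe", "acrord32.exe"))
    return None


def rule_certificate_reputation(ctx: FileContext) -> Optional[str]:
    """Requests only the certificate reputation; decides if the signer is trusted."""
    if ctx.fetch("cert_reputation") == "trusted":
        return "Known Trusted"
    return None


def rule_enterprise_prevalence(ctx: FileContext) -> Optional[str]:
    """Runs only if earlier rules did not decide; costs a second server lookup."""
    prevalence = ctx.fetch("enterprise_prevalence")
    if prevalence is None:
        return None
    if prevalence >= 1000:
        return "Most Likely Trusted"
    if prevalence <= 2:
        return "Might Be Malicious"
    return None


# Execution order matters: housekeeping first, cheap decisive rules next, costlier rules last.
RULES: List[Rule] = [
    rule_identify_content_reader,
    rule_certificate_reputation,
    rule_enterprise_prevalence,
]


def evaluate(ctx: FileContext, rules: List[Rule] = RULES) -> str:
    """Evaluate rules top to bottom; the first determination wins, else 'Unknown'."""
    for rule in rules:
        verdict = rule(ctx)
        if verdict is not None:
            return verdict
    return "Unknown"


if __name__ == "__main__":
    for h in ("hash-signed-good", "hash-unsigned-rare", "hash-unsigned-common", "hash-never-seen"):
        ctx = FileContext(h, r"C:\Program Files\Office\winword.exe")
        print(h, "->", evaluate(ctx), "lookups:", ctx.lookups)
```

Running it shows the performance point from the reply: the signed file is resolved by the certificate rule after a single lookup, while the unsigned files need a second lookup before a decision is reached, and a hash the server knows nothing about falls all the way through to "Unknown".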
