I'm currently using TIE with DAC. Sometimes when I mark a file as Known Trusted within TIE, its local reputation is still only set to 50. So it gets scanned by DAC, which causes the file to be blocked. I currently have the policy set to only send unknown files to DAC (Reputation 50). Within the AdaptiveThreatProtection logs I see the comment "Action Taken on File "FILE NAME" with reputation 50 is: Block". How can I change its reputation to 99?
Perhaps you can fix this by setting the file's certificate reputation? Is GTI functioning properly from TIE? You can check this under Server Settings, TIE Topology page if I'm not mistaken.
That's odd. The composite reputation should be the one that is enforced on the clients. The local reputation is the reputation that is determined by the client based on the TIE rules (that include a TIE Server lookup). At least that is how I understand it.
As per the product guide:
On the TIE Reputations page on the File Search tab, you see files with metadata and that are searchable. The page can show the file type by default. The page shows these columns, for example:
• Composite Reputation — Potential effective reputation score based on local reputation (if available) or an estimate based on other reputation scores (if the hash value isn't available at the endpoints).
• Latest Local Reputation — Last effective reputation score informed by the endpoints of a hash.
• Latest Applied Rule — Last content rule applied at the endpoints for determining the effective score of the hash.
Your Latest Local Reputation is Unknown (=50), so the blocking is correct behavior based on that. In my opinion though, the Enterprise Reputation should be respected and result in a composite reputation of 99.
Is your endpoint's DXL connection working? How's the DXL Fabric?
In the System Tree, you can select the system you're testing on and in the Action -> DXL menu, select Lookup in DXL. If it is connected, your DXL connection is working. You can also see the last connection state in the System's properties.
I wasn't completely clear in my last reply (and I may be wrong, too). You do have a composite reputation of 99 for that particular file. However, since DAC is blocking the file as if it were Unknown, it's thinking its reputation is 50. So I was wondering if your DXL connection works on that particular endpoint. If that works, you could try testing the same file on another endpoint (and first check DXL is working on that one). Do you get any different results?