cdorman
Level 7
Message 1 of 14

Trusted File blocked as unknown

Hi,

I'm currently using TIE with DAC. Sometimes when I mark a file as Known Trusted within TIE, its local reputation is still only set to 50. So it gets scanned by DAC and causes the file to be blocked. I currently have the policy set to only send unknown files to DAC (Reputation 50). Within the AdaptiveThreatProtection logs I see the comment "Action Taken on File "FILE NAME" with reputation 50 is: Block". How can I change its reputation to 99?

Thanks

Colin

13 Replies
VriendP
Level 7
Message 2 of 14

Re: Trusted File blocked as unknown

Perhaps you can fix this by setting the file's certificate reputation? Is GTI functioning properly from TIE? You can check this under Server Settings, TIE Topology page if I'm not mistaken.

cdorman
Level 7
Message 3 of 14

Re: Trusted File blocked as unknown

The exes I'm changing reputations on don't have certificates, unfortunately. According to Server Settings everything is working fine:

VriendP
Level 7
Message 4 of 14

Re: Trusted File blocked as unknown

Looks good to me. What are the file's reputation details (the details when you click the file from the TIE Reputations page)?

cdorman
Level 7
Message 5 of 14

Re: Trusted File blocked as unknown

VriendP
Level 7
Message 6 of 14

Re: Trusted File blocked as unknown

That's odd. The composite reputation should be the one that is enforced on the clients. The local reputation is the reputation that is determined by the client based on the TIE rules (that include a TIE Server lookup). At least that is how I understand it.

As per the product guide:

On the TIE Reputations page on the File Search tab, you see files with metadata and that are searchable. The page can show the file type by default. The page shows these columns, for example:

• Composite Reputation — Potential effective reputation score based on local reputation (if available) or an estimate based on other reputation scores (if the hash value isn't available at the endpoints).

• Latest Local Reputation — Last effective reputation score informed by the endpoints of a hash.

• Latest Applied Rule — Last content rule applied at the endpoints for determining the effective score of the hash.

Your Latest Local Reputation is Unknown (=50), so the blocking is correct behavior based on that. In my opinion though, the Enterprise Reputation should be respected and result in a composite reputation of 99.

Is your endpoint's DXL connection working? How's the DXL Fabric?

woody188
Level 10
Message 7 of 14

Re: Trusted File blocked as unknown

DXL was the issue for me. Thanks!

cdorman
Level 7
Message 8 of 14

Re: Trusted File blocked as unknown

Did you update the client or the broker or both?

thanks

VriendP
Level 7
Message 9 of 14

Re: Trusted File blocked as unknown

In the System Tree, you can select the system you're testing on and in the Action -> DXL menu, select Lookup in DXL. If it is connected, your DXL connection is working. You can also see the last connection state in the System's properties.

I wasn't completely clear in my last reply (and I may be wrong, too). You do have a composite reputation of 99 for that particular file. However, since DAC is blocking the file as if it were Unknown, it's thinking its reputation is 50. So I was wondering if your DXL connection works on that particular endpoint. If that works, you could try testing the same file on another endpoint (and first check DXL is working on that one). Do you get any different results?

Re: Trusted File blocked as unknown

Hi VriendP,

DXL shows as connected on PC in question.

thanks
