Reliable Contributor jacek

Thousands of DXL requests

I have very large peaks of DXL requests in dxl.log and on the dashboard, which is not normal behavior in my network.

There are peaks of 100 requests per second, lasting continuously for 30-40 minutes.

How can I trace/debug which URLs/filenames are sent for analysis? In dxl.log there is only an encrypted hash, which I don't know how to use:

08:13:30.075: dxl_async_request callback for 76: ok


08:13:30.189: dxl_async_request(/mcafee/service/tie/file/reputation,77): DERR_OK


08:13:30.194: dxl_async_request callback for 77: ok


The "Enable tracing for DXL" and "Write full message body" options in the Troubleshooting tab are enabled.

MWG version:

Reliable Contributor Troja

Re: Thousands of DXL requests

Hi,

Which ruleset are you using? In your MWG policy you have to configure in detail when TIE should be queried. Also, you have to take care when TIE information should be updated.

You MUST check your ruleset; only executable files should be queried.

Enclosed are some hints; maybe they help you.

  • The whole ruleset:


Some more details:



Note: This ruleset is part of a more complex one, where ATD is also configured. Take care with the last rule, where clean files are reported to TIE.

Have you taken a look in TIE at which files are queried by MWG?

As you can see in the first screenshot, I write a log file for any TIE query, so I can check which file was queried. The log is used to improve the TIE ruleset.

Hope this helps,
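
As an added example (not part of the original thread and not McAfee code): a small Python script that counts `dxl_async_request` lines per second in the dxl.log format quoted in the question and merges busy seconds into time windows, which can then be compared against the per-query log file the reply describes. The sample log, function names and thresholds are constructed for illustration, and the log is assumed not to cross midnight.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the dxl.log format quoted in the question.
SAMPLE_LOG = """\
08:13:30.075: dxl_async_request callback for 76: ok
08:13:30.189: dxl_async_request(/mcafee/service/tie/file/reputation,77): DERR_OK
08:13:30.194: dxl_async_request callback for 77: ok
08:13:30.420: dxl_async_request(/mcafee/service/tie/file/reputation,78): DERR_OK
08:13:31.002: dxl_async_request(/mcafee/service/tie/file/reputation,79): DERR_OK
08:13:33.510: dxl_async_request(/mcafee/service/tie/file/reputation,80): DERR_OK
"""

# Matches outgoing requests only: time, DXL topic, request id, result code.
REQUEST = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\.\d{3}: dxl_async_request\(([^,]+),(\d+)\): (\w+)")

def requests_per_second(lines):
    """Count outgoing requests per (second, topic); callback lines are skipped."""
    counts = Counter()
    for line in lines:
        m = REQUEST.match(line.strip())
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts

def peaks(counts, threshold, max_gap=1):
    """Merge seconds at or above threshold into (start, end, total) windows."""
    per_second = Counter()
    for (second, _topic), n in counts.items():
        per_second[second] += n
    windows = []
    for second in sorted(s for s, n in per_second.items() if n >= threshold):
        t = datetime.strptime(second, "%H:%M:%S")
        if windows and t - windows[-1][1] <= timedelta(seconds=max_gap):
            windows[-1][1] = t          # extend the current window
            windows[-1][2] += per_second[second]
        else:
            windows.append([t, t, per_second[second]])
    return [(a.strftime("%H:%M:%S"), b.strftime("%H:%M:%S"), n)
            for a, b, n in windows]

if __name__ == "__main__":
    counts = requests_per_second(SAMPLE_LOG.splitlines())
    for start, end, total in peaks(counts, threshold=1):
        print(f"{start} - {end}: {total} DXL requests")
```

For a real log, read the file line by line into `requests_per_second` and raise `threshold` toward the rate reported in the question; a larger `max_gap` tolerates short dips inside one peak.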

