Yes, those are GTI addresses. See KB53735. See also KB55986 for DAT reputation GTI and health check communication, which is over 443 and encrypted.
Regarding gti:
For any suspicious files found that do not trigger existing signature DAT files, GTI sends a DNS request to a central database server. McAfee Labs hosts the server. This server is continually updated when new malware is found. When the GTI Cloud at McAfee Labs receives the request from the GTI File Reputation enabled endpoint, it determines whether this program is suspicious and responds appropriately.
I have privacy concerns - what information is sent to McAfee?
The data sent never includes any part of any file scanned, so there is no chance of any information leaks. Any lookup is performed only on suspicious files and consists of a 32-byte fingerprint generated and sent to the GTI Cloud. A response is given if the fingerprint is determined to be a malicious file.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Thanks for the articles, they were very helpful, though I have more questions.
I'm looking more towards the communication between my endpoint devices and the GTI.
1. My endpoint devices take updates from ePO. In which case do they communicate directly to GTI over the internet?
2. Regarding checking unknown file reputation from GTI, does this happen only in the case where I am using TIE, or does it happen in ENS also?
3. They are communicating over TLS 1.1. Is it safe, as TLS 1.1 is vulnerable?
DAT reputation GTI requests are made over port 443, which is SSL-encrypted communication. There is no identifiable information sent to be worried about. Your updates may come from your ePO server to your endpoints, but the reputation check will occur over the internet to validate there are no known issues with the DAT file.
ENS/TIE/VSE and other point products use GTI for heuristics scanning (also known as Artemis or the sensitivity level in the on-access scanning policies). These are simply DNS requests that send a hash of the file in question to our servers. That is the only info sent and contains no information that can be of any value to anyone else.
Glad to assist!
Hi, I also wanted to know why this communication is happening over TLS 1.1? We need to remove TLS 1.1 from our devices as it is vulnerable. Why is McAfee using a vulnerable protocol?
Correction on the above post: why is it happening over TLS 1.0? It is vulnerable.
This may answer your question. Upgrade to ENS 10.7.
https://kc.mcafee.com/agent/index?page=content&id=KB91763
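For anyone who wants to confirm from a packet capture which TLS version an endpoint's port-443 connection actually negotiated (for instance before and after a product upgrade), the following is an added example, not part of the original thread and not McAfee code. It assumes you have exported the raw bytes of the server's first handshake record; the function names and the sample records are constructed for illustration.

```python
import struct

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {0x0300, 0x0301, 0x0302}  # SSL 3.0 (RFC 7568), TLS 1.0/1.1 (RFC 8996)


def negotiated_version(record: bytes) -> int:
    """Return the version the server selected, given a raw ServerHello record."""
    if len(record) < 9 or record[0] != 0x16:           # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x02:                   # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]         # legacy_version field
    pos = 34 + 1 + body[34] + 3    # random, session_id, cipher suite, compression
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    if pos + 2 <= len(body):                           # extensions present
        end = min(len(body), pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == 0x002B and ext_len == 2:    # supported_versions (TLS 1.3)
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return version


def audit(record: bytes):
    """Return (version name, True if the version is deprecated)."""
    v = negotiated_version(record)
    return TLS_NAMES.get(v, hex(v)), v in DEPRECATED


def sample_server_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session id)."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", legacy, len(hs)) + hs


if __name__ == "__main__":
    tls13_ext = struct.pack("!HHH", 0x002B, 2, 0x0304)
    for rec in (sample_server_hello(0x0301), sample_server_hello(0x0303, tls13_ext)):
        print(audit(rec))
```

TLS 1.3 servers keep `legacy_version` at 0x0303 and signal the real version in the `supported_versions` extension, which is why the parser checks the extension rather than trusting the header field alone.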