13 Replies. Latest reply on Jul 28, 2017 12:27 PM by woody188

    Trusted File blocked as unknown




      I'm currently using TIE with DAC. Sometimes when I mark a file as Known Trusted within TIE, its local reputation is still only set to 50. So it gets scanned by DAC and causes the file to be blocked. I currently have the policy set to only send unknown files to DAC (Reputation 50). Within the AdaptiveThreatProtection logs I see the comment "Action Taken on File "FILE NAME" with reputation 50 is: Block". How can I change its reputation to 99?





        • 1. Re: Trusted File blocked as unknown

          Perhaps you can fix this by setting the file's certificate reputation? Is GTI functioning properly from TIE? You can check this under Server Settings, TIE Topology page if I'm not mistaken.

          • 2. Re: Trusted File blocked as unknown

            The exes I'm changing reputations on don't have certificates, unfortunately. According to Server Settings everything is working fine:


            • 3. Re: Trusted File blocked as unknown

              Looks good to me. What are the file's reputation details (the details when you click the file from the TIE Reputations page)?

              • 5. Re: Trusted File blocked as unknown

                That's odd. The composite reputation should be the one that is enforced on the clients. The local reputation is the reputation that is determined by the client based on the TIE rules (that include a TIE Server lookup). At least that is how I understand it.


                As per the product guide:

                On the TIE Reputations page on the File Search tab, you see files with metadata and that are searchable. The page can show the file type by default. The page shows these columns, for example:

                • Composite Reputation — Potential effective reputation score based on local reputation (if available) or an estimate based on other reputation scores (if the hash value isn't available at the endpoints).

                • Latest Local Reputation — Last effective reputation score informed by the endpoints of a hash.

                • Latest Applied Rule — Last content rule applied at the endpoints for determining the effective score of the hash.

                Your Latest Local Reputation is Unknown (=50), so the blocking is correct behavior based on that. In my opinion though, the Enterprise Reputation should be respected and result in a composite reputation of 99.


                Is your endpoint's DXL connection working? How's the DXL Fabric?

                • 6. Re: Trusted File blocked as unknown

                  DXL was the issue for me. Thanks!

                  • 7. Re: Trusted File blocked as unknown

                    Did you update the client or the broker or both?



                    • 8. Re: Trusted File blocked as unknown

                      In the System Tree, you can select the system you're testing on and in the Action -> DXL menu, select Lookup in DXL. If it is connected, your DXL connection is working. You can also see the last connection state in the System's properties.


                      I wasn't completely clear in my last reply (and I may be wrong, too). You do have a composite reputation of 99 for that particular file. However, since DAC is blocking the file as if it were Unknown, it's thinking its reputation is 50. So I was wondering if your DXL connection works on that particular endpoint. If that works, you could try testing the same file on another endpoint (and first check DXL is working on that one). Do you get any different results?

                      • 9. Re: Trusted File blocked as unknown


                        Have you checked the LOG file from ENS to see why the endpoint triggered DAC?
                        It would be interesting to know which DAC Rule triggered.

