13 Replies Latest reply on Jul 28, 2017 12:27 PM by woody188

    Trusted File blocked as unknown

    cdorman

      Hi,


      I'm currently using TIE with DAC. Sometimes when I mark a file as Known Trusted within TIE, its local reputation is still only set to 50. So it gets scanned by DAC and causes the file to be blocked. I currently have the policy set to only send unknown files to DAC (Reputation 50). Within the AdaptiveThreatProtection logs I see the comment "Action Taken on File "FILE NAME" with reputation 50 is: Block". How can I change its reputation to 99?


      Thanks


      Colin

        • 1. Re: Trusted File blocked as unknown
          VriendP

          Perhaps you can fix this by setting the file's certificate reputation? Is GTI functioning properly from TIE? You can check this under Server Settings, TIE Topology page if I'm not mistaken.

          • 2. Re: Trusted File blocked as unknown
            cdorman

            The exes I'm changing reputations on don't have certificates, unfortunately. According to Server Settings everything is working fine:


            • 3. Re: Trusted File blocked as unknown
              VriendP

              Looks good to me. What are the file's reputation details (the details when you click the file from the TIE Reputations page)?

              • 5. Re: Trusted File blocked as unknown
                VriendP

                That's odd. The composite reputation should be the one that is enforced on the clients. The local reputation is the reputation that is determined by the client based on the TIE rules (that include a TIE Server lookup). At least that is how I understand it.


                As per the product guide:

                On the TIE Reputations page on the File Search tab, you see files with metadata and that are searchable. The page can show the file type by default. The page shows these columns, for example:

                • Composite Reputation — Potential effective reputation score based on local reputation (if available) or an estimate based on other reputation scores (if the hash value isn't available at the endpoints).

                • Latest Local Reputation — Last effective reputation score informed by the endpoints of a hash.

                • Latest Applied Rule — Last content rule applied at the endpoints for determining the effective score of the hash.

                Your Latest Local Reputation is Unknown (=50), so the blocking is correct behavior based on that. In my opinion though, the Enterprise Reputation should be respected and result in a composite reputation of 99.


                Is your endpoint's DXL connection working? How's the DXL Fabric?

                • 6. Re: Trusted File blocked as unknown
                  woody188

                  DXL was the issue for me. Thanks!

                  • 7. Re: Trusted File blocked as unknown
                    cdorman

                    Did you update the client or the broker or both?


                    thanks

                    • 8. Re: Trusted File blocked as unknown
                      VriendP

                      In the System Tree, you can select the system you're testing on and in the Action -> DXL menu, select Lookup in DXL. If it is connected, your DXL connection is working. You can also see the last connection state in the System's properties.


                      I wasn't completely clear on my last reply (and I may be wrong, too). You do have a composite reputation of 99 for that particular file. However since DAC is blocking the file as if it were Unknown, it's thinking its reputation is 50. So I was wondering if your DXL connection works on that particular endpoint. If that works, you could try testing the same file on another endpoint (and first check DXL is working on that one). Do you get any different results?

                      • 9. Re: Trusted File blocked as unknown
                        Troja

                        Hello,

                        Have you checked the log file from ENS to see why the endpoint triggered DAC?
                        It would be interesting to know which DAC rule triggered.

                        Cheers
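A quick way to do the log cross-check Troja suggests, written as an added example that is not from this thread or from McAfee: it parses the AdaptiveThreatProtection log line format quoted in the original post (the surrounding fields of a real log line, the sample lines and the TIE override table below are all constructed assumptions) and reports files the endpoint enforced as Unknown (50) even though TIE holds a Known Trusted (99) override for them, which is the symptom that pointed at DXL in this thread.

```python
import re

# Core phrase of the ATP log line quoted in the original post. Any timestamp or
# other fields around it are unknown, so only this phrase is matched (assumption).
LOG_RE = re.compile(
    r'Action Taken on File "(?P<name>[^"]+)" with reputation (?P<rep>\d+) is: (?P<action>\w+)'
)

UNKNOWN = 50        # TIE "Unknown" score, the value DAC acts on in the thread
KNOWN_TRUSTED = 99  # TIE "Known Trusted" score


def parse_atp_line(line):
    """Return {"file", "reputation", "action"} for an ATP action line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "file": m.group("name"),
        "reputation": int(m.group("rep")),
        "action": m.group("action"),
    }


def find_mismatches(lines, enterprise_reputation):
    """Files the endpoint enforced at Unknown or lower although TIE holds a
    Known Trusted enterprise override. A non-empty result means the endpoint
    is not receiving the TIE reputation, so DXL connectivity is the first
    thing to verify (as the thread concluded)."""
    mismatches = []
    for line in lines:
        rec = parse_atp_line(line)
        if rec is None:
            continue
        expected = enterprise_reputation.get(rec["file"])
        if expected is not None and expected >= KNOWN_TRUSTED and rec["reputation"] <= UNKNOWN:
            mismatches.append(rec["file"])
    return mismatches


# Constructed sample log lines and a constructed TIE override table.
SAMPLE_LOG = [
    'Action Taken on File "tool.exe" with reputation 50 is: Block',
    'Action Taken on File "setup.exe" with reputation 99 is: Allow',
    'Action Taken on File "other.exe" with reputation 50 is: Block',
    'unrelated log line',
]
ENTERPRISE_REP = {"tool.exe": 99, "setup.exe": 99}

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_LOG, ENTERPRISE_REP))
```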
