Perhaps you can fix this by setting the file's certificate reputation? Is GTI functioning properly from TIE? You can check this under Server Settings, TIE Topology page if I'm not mistaken.
Looks good to me. What are the file's reputation details (the details when you click the file from the TIE Reputations page)?
That's odd. The composite reputation should be the one that is enforced on the clients. The local reputation is the reputation that is determined by the client based on the TIE rules (that include a TIE Server lookup). At least that is how I understand it.
As per the product guide:
On the TIE Reputations page on the File Search tab, you see files with metadata and that are searchable. The page can show the file type by default. The page shows these columns, for example:
• Composite Reputation — Potential effective reputation score based on local reputation (if available) or an estimate based on other reputation scores (if the hash value isn't available at the endpoints).
• Latest Local Reputation — Last effective reputation score informed by the endpoints of a hash.
• Latest Applied Rule — Last content rule applied at the endpoints for determining the effective score of the hash.
Your Latest Local Reputation is Unknown (=50), so the blocking is correct behavior based on that. In my opinion though, the Enterprise Reputation should be respected and result in a composite reputation of 99.
Is your endpoint's DXL connection working? How's the DXL Fabric?
DXL was the issue for me. Thanks!
Did you update the client or the broker or both?
In the System Tree, you can select the system you're testing on and in the Action -> DXL menu, select Lookup in DXL. If it is connected, your DXL connection is working. You can also see the last connection state in the System's properties.
I wasn't completely clear on my last reply (and I may be wrong, too). You do have a composite reputation of 99 for that particular file. However, since DAC is blocking the file as if it were Unknown, it's thinking its reputation is 50. So I was wondering if your DXL connection works on that particular endpoint. If that works, you could try testing the same file on another endpoint (and first check DXL is working on that one). Do you get any different results?
Have you checked the LOG file from ENS why the endpoint triggered DAC?
It would be interesting to know which DAC Rule triggered.