3 Replies Latest reply on Mar 22, 2017 2:49 AM by VriendP

    How TIE works with GTI reputation

    ansanchez

      Hello,

       

      I am checking how TIE works with GTI reputation and I've got some disconcerting results.

       

      I have 3 files for testing:

       

      - FILE 1: GTI Reputation = Most Likely Malicious

      - FILE 2: GTI Reputation = Might be Malicious

      - FILE 3: GTI Reputation = Not Set

       

       

      - SCENARIO 1:

       

      Endpoint Threat Intelligence Policy Set to: Block when reputation threshold reaches: Unknown.

       

      - FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED

      - FILE 2: GTI Reputation = Might be Malicious --> BLOCKED

      - FILE 3: GTI Reputation = Not Set --> BLOCKED

       

       

      - SCENARIO 2:

       

      Endpoint Threat Intelligence Policy Set to: Block when reputation threshold reaches: Might be Malicious.

       

      - FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED

      - FILE 2: GTI Reputation = Might be Malicious --> ALLOWED

      - FILE 3: GTI Reputation = Not Set --> ALLOWED

       

       

      - SCENARIO 3:

       

      Endpoint Threat Intelligence Policy Set to: Block when reputation threshold reaches: Most Likely Malicious.

       

      - FILE 1: GTI Reputation = Most Likely Malicious --> BLOCKED

      - FILE 2: GTI Reputation = Might be Malicious --> ALLOWED

      - FILE 3: GTI Reputation = Not Set --> ALLOWED

       

       

       

      The result is the same for Scenarios 2 and 3.

       

      How can I block 'Might be Malicious' files but not 'Not Set' files?

      Or how can I block 'Most Likely Malicious' and 'Might be Malicious' but not 'Unknown' files?

       

       

      Thanks in advance.

       

      Regards,