3 Replies Latest reply on Mar 15, 2016 7:13 AM by Troja

    McAfee TIE rules

    georgec

What's the update cycle on the TIE Content rules? Other vendors use 200+ rules to detect suspicious behavior...

        • 1. Re: McAfee TIE rules
          georgec

          Anyone?

          • 2. Re: McAfee TIE rules
            Scott Taschler

            Hi George,

            It's difficult to compare the rules that TIE uses to the rule sets used by other vendors, since TIE is not used in isolation.  TIE is designed to complement McAfee Endpoint Security or VirusScan, which include their own libraries of heuristics designed to identify and stop suspicious/malicious application behaviors. 

The effectiveness of TIE's rules is continuously monitored by McAfee Labs, and the rules may be tweaked or augmented at any time (similar to the heuristics included in the VirusScan engine and DATs). There is not a set update cycle.

            Scott

            • 3. Re: McAfee TIE rules
              Troja

              Hi georgec,

the TIE content rules are only one of the mechanisms to detect malicious behavior. Not every TIE Content rule detects behavior; many of them only collect metadata for later analysis.

a) Additionally, you have the Exchange module for VSE Engine Rules, which you can find in the server settings of ePO.

b) It also depends on whether your system is classified as a High Change System, Typical System or Low Change System (TIEM policy).

              Finally you have the TIE server with much more logic like the enterprise count, first seen, last seen and much more.

Therefore, I think, you cannot compare this 1:1.

Additionally, some more information on how the reputation is determined.

              How a reputation is determined

              File and certificate reputation is determined when a file attempts to run on a managed system.

              These steps occur in determining a file or certificate's reputation.

              1. A user or system attempts to run a file.
              2. VirusScan Enterprise inspects the file and can't determine its validity and reputation.
              3. The module for VirusScan Enterprise inspects the file and gathers file and local system properties of interest.
              4. The module checks the local reputation cache for the file Hash. If the file Hash is found, the module gets the enterprise prevalence and reputation data for the file from the cache.
              5. If the file Hash is not found in the local reputation cache, the module queries the TIE server. If the Hash is found, the module gets the enterprise prevalence data (and any available reputations) for that file Hash.
              6. If the file Hash is not found in the TIE cache or database, the server queries McAfee GTI for the file Hash reputation. If found, McAfee GTI sends the information back to the server. If Advanced Threat Defense is present and the file Hash was not found in McAfee GTI, or if the policy on the endpoint indicates that the file should be sent to Advanced Threat Defense, the server sends the file for scanning. See the additional steps under If Advanced Threat Defense is present.
              7. The server returns the file Hash's enterprise age, prevalence data, and reputation to the module based on the data that was found. If this is the first time the file is seen in the environment, the server also sends a first instance flag to the module.
              8. The module evaluates this metadata to determine the file's reputation:
                • File and system properties
                • Enterprise age and prevalence data
                • Reputation
              9. The module takes action based on the policy assigned to the system that is running the file.
              10. The module updates the server with the reputation information and whether the file is allowed or blocked. It also sends threat events to McAfee ePO via the McAfee Agent.
              11. The server publishes the reputation change event for the file Hash.

              If Advanced Threat Defense is present

              If Advanced Threat Defense is present, the following process occurs.

              1. If the system running the file has access to Advanced Threat Defense and this is the first time the file is seen in the environment, the Threat Intelligence Exchange server sends the file to Advanced Threat Defense for scanning.
              2. Advanced Threat Defense scans the file and sends file reputation results to the TIE server using the Data Exchange Layer. The server also updates the database and sends the updated reputation information to all TIE-enabled systems to immediately protect your environment.

              Hope this helps,

              Cheers
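The eleven-step lookup chain and the Advanced Threat Defense follow-up that Troja pasted above are easier to reason about as a small state machine. The model below is an added illustration written for this thread, not McAfee's code: it walks a file hash through the local cache, the TIE server database, a GTI lookup and an asynchronous ATD submission, tracks enterprise prevalence and first/last seen, applies a per-system-type block threshold, and publishes reputation change events. The reputation scale, the thresholds per system type, the hash values and the GTI answers are all constructed assumptions; they are not the product's real values.

```python
"""Simplified model of the tiered TIE reputation lookup described in the thread.

Constructed for illustration only; not McAfee's code. The reputation scale,
the per-system-type thresholds and every hash below are made-up assumptions.
"""
from dataclasses import dataclass, field

# Constructed reputation scale: higher means more trusted.
KNOWN_TRUSTED, LIKELY_TRUSTED, UNKNOWN, LIKELY_MALICIOUS, KNOWN_MALICIOUS = 99, 85, 50, 15, 1

# Constructed policy (stands in for the TIEM policy): a file is blocked when its
# reputation is below the threshold for the system's classification.
POLICY = {"high_change": LIKELY_MALICIOUS, "typical": UNKNOWN, "low_change": LIKELY_TRUSTED}


@dataclass
class Record:
    """Server-side knowledge about one file hash."""
    reputation: int
    first_seen: int                 # logical clock ticks, constructed
    last_seen: int
    systems: set = field(default_factory=set)   # endpoints that ran the file

    @property
    def prevalence(self):
        return len(self.systems)    # enterprise count


@dataclass
class Verdict:
    file_hash: str
    reputation: int
    source: str          # tier that answered: local_cache, tie_server, gti, atd_pending, none
    first_instance: bool # server saw this hash for the first time
    prevalence: int      # enterprise count before this run was recorded
    action: str          # allow or block


class TieModel:
    def __init__(self, gti, atd_present=False):
        self.gti = gti                 # hash -> reputation, constructed GTI answers
        self.atd_present = atd_present
        self.tie_db = {}               # server database: hash -> Record
        self.local_cache = {}          # endpoint module caches: (endpoint, hash) -> Record
        self.atd_queue = []            # hashes submitted to the sandbox, awaiting verdict
        self.events = []               # reputation change events published by the server
        self.clock = 0

    def run_file(self, endpoint, file_hash, system_type):
        self.clock += 1
        # Step 4: the endpoint module checks its local reputation cache first.
        rec = self.local_cache.get((endpoint, file_hash))
        if rec is not None:
            return self._decide(endpoint, file_hash, rec, "local_cache", False, system_type)
        # Step 5: cache miss, so the module queries the TIE server.
        first_instance = file_hash not in self.tie_db
        rec, source = self.tie_db.get(file_hash), "tie_server"
        if rec is None:
            # Step 6: the server has never seen the hash; ask GTI, then fall back to ATD.
            if file_hash in self.gti:
                reputation, source = self.gti[file_hash], "gti"
            else:
                reputation, source = UNKNOWN, "none"
                if self.atd_present:          # ATD step 1: first sighting, sandbox reachable
                    self.atd_queue.append(file_hash)
                    source = "atd_pending"
            rec = Record(reputation, first_seen=self.clock, last_seen=self.clock)
            self.tie_db[file_hash] = rec
        # Step 7: server returns age, prevalence and reputation (plus the first-instance flag).
        return self._decide(endpoint, file_hash, rec, source, first_instance, system_type)

    def _decide(self, endpoint, file_hash, rec, source, first_instance, system_type):
        prevalence = rec.prevalence
        # Steps 8-9: combine reputation with enterprise data and apply the system's policy.
        action = "block" if rec.reputation < POLICY[system_type] else "allow"
        # Step 10: the module reports back; the server updates prevalence and last seen,
        # and the module caches the record locally.
        rec.systems.add(endpoint)
        rec.last_seen = self.clock
        self.local_cache[(endpoint, file_hash)] = rec
        # Step 11: the server publishes the event so other systems learn about the file.
        self.events.append((file_hash, rec.reputation, action, endpoint))
        return Verdict(file_hash, rec.reputation, source, first_instance, prevalence, action)

    def atd_result(self, file_hash, reputation):
        """ATD step 2: the sandbox verdict arrives over DXL; the server updates the
        database and publishes the new reputation. Local caches hold the same Record
        object, so every TIE-enabled system sees the change on its next run."""
        self.atd_queue.remove(file_hash)
        rec = self.tie_db[file_hash]
        rec.reputation = reputation
        self.events.append((file_hash, reputation, "reputation_update", "atd"))


if __name__ == "__main__":
    model = TieModel(gti={"hash_signed_installer": KNOWN_TRUSTED}, atd_present=True)
    print(model.run_file("host-a", "hash_signed_installer", "typical"))
    print(model.run_file("host-b", "hash_never_seen", "low_change"))
    model.atd_result("hash_never_seen", LIKELY_MALICIOUS)
    print(model.run_file("host-b", "hash_never_seen", "typical"))
```

The point the model makes concrete is the one Troja raises: the rule content on the endpoint is only the first tier. Whether a file is blocked depends on which tier answered, on the enterprise prevalence and first-seen data the server holds, on the system's classification, and on a sandbox verdict that can arrive after the first execution and change the outcome for every other system.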