1 of 1 people found this helpful
As an ex-Moderator here I can tell you that if your question hasn't been answered, it's because nobody knows the answer.
The best thing to do, assuming you or your IT department have a grant number, is contact the Support Portal: Service Portal Home
2 of 2 people found this helpful
Since TIE 2.0 is available, there are some changes and enhancements. Here is some information from my point of view.
- unknown vs. not available: Not available means the file is completely unknown in GTI. Unknown means the file is known in GTI, but there is too little information available to classify the file as known good or bad or any other reputation level. Therefore the reputation level is set to unknown.
- TIE Reputations in EPO: The last refresh values depend on DXL-enabled devices. This means that if an endpoint, MWG, ATD or NSP analyzes the file, a corresponding "last reputation refresh" is updated. Also, the GTI information is refreshed if a file was executed on an endpoint and TIE information was requested.
- TIE database: The TIE database is updated completely every 720 minutes (default value). You can change this value in the TIE.properties file using CLI (SSH). There is no "last refresh" value changed under TIE reputations in EPO during this update. A dashboard is available to see where the file reputation was changed.
Hope this helps,
Thank you Peter;)
Also, MWG, if connected to TIE, is able to publish scanned executables to TIE. This is cool, because there are two main scenarios why this is important information.
- Files, whether they are malicious or not, are published to TIE just for reporting.
- If there are some investigations, e.g. a ransomware infection, MWG generates useful information for analysis (MWG acts as a sensor for TIE).
- GAM detections, which are not possible on the endpoint, are published in TIE and the endpoint just does the enforcement.
As you can see here, MWG has not blocked the file, but the reputation info was updated. By design, MWG is not able to classify a file as trusted, because even if MWG does not detect malicious behavior, it is not 100% clear whether the file is really clean.
You may add the row "Composite Reputation" under TIE Reputations in EPO to see which "sensor" did the latest reputation update.
I asked the original question and have now changed accounts. Thanks for assisting with this, all the info you provided was very helpful. I found that a lot of my problems were solved with the release of TIE 2.0, and its new functionality. Now I'm just trying to reduce the number of unknown Composite Reputation files shown within TIE. I've opened a new discussion Reduce unknown 'Composite Reputation' files, and would be interested to know if you have any suggestions.