2 Replies Latest reply on Nov 15, 2016 1:40 PM by abanaru

    GTI File Reputation - How it works?




      Curiosity hit me today, wanting to actually see how GTI File Reputation works. From all I know, this KB is the foundation: McAfee KnowledgeBase - FAQs for Global Threat Intelligence File Reputation.

      It's stated that "GTI File Reputation queries are sent in clear text, with additional authentication added as appropriate." so I went ahead and made a packet capture on a workstation running ENS 10.2 with GTI activated for Threat Prevention.



      I assume it is something that internally in ENS is mapped to known good.


      How... what actually is x-0.19-a3000011.20580.16a8.b84.2fc7.200.0.divlrlqgrt8wqej5r3h1fspprv.avts.mcafee.com? Because it doesn't look like a hash, and I've generated all known hashes for that specific file. Is this an HMAC?

      What is the protection put in place in case someone does DNS poisoning by adding a malware hash into their own DNS and altering the IN A response so that the malware shows as known good when in fact in GTI it is known malicious?
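A defender-side check related to the clear-text lookups and the poisoning question above, added here as example code (not from McAfee, ENS, or the original post): it parses a constructed resolver log, isolates the avts.mcafee.com lookups, splits the query label into its dotted fields without interpreting them, and flags GTI answers that arrived via an unexpected resolver or that differ for the same query name. The log line format, client and resolver addresses, and answer IPs are assumptions; only the query name is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample of a resolver/DNS-forwarder log (not real ENS or GTI traffic).
# The line format "<ts> client=<ip> resolver=<ip> qname=<name> answer=<ip>" is an assumption;
# GTI_NAME is the avts.mcafee.com name quoted in the post, the answer IPs are made up.
GTI_NAME = "x-0.19-a3000011.20580.16a8.b84.2fc7.200.0.divlrlqgrt8wqej5r3h1fspprv.avts.mcafee.com"
SAMPLE_LOG = f"""\
2016-11-15T13:00:01 client=10.0.0.21 resolver=10.0.0.53 qname={GTI_NAME} answer=192.0.2.10
2016-11-15T13:00:02 client=10.0.0.21 resolver=10.0.0.53 qname=www.example.com answer=192.0.2.20
2016-11-15T13:00:03 client=10.0.0.22 resolver=203.0.113.7 qname={GTI_NAME} answer=192.0.2.99
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
                     r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)$")
GTI_SUFFIX = ".avts.mcafee.com"

def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def gti_queries(records):
    """Keep only lookups under the GTI File Reputation zone seen in the capture."""
    return [r for r in records if r["qname"].lower().endswith(GTI_SUFFIX)]

def split_gti_label(qname):
    """Return the dot-separated fields in front of avts.mcafee.com, without interpreting them."""
    return qname[: -len(GTI_SUFFIX)].split(".")

def find_anomalies(records, trusted_resolvers):
    """Flag GTI lookups answered by an unexpected resolver, and the same query name
    receiving different A answers: the two situations the poisoning question is about."""
    anomalies = []
    answers = defaultdict(set)
    for r in gti_queries(records):
        if r["resolver"] not in trusted_resolvers:
            anomalies.append(("untrusted_resolver", r["resolver"], r["qname"]))
        answers[r["qname"]].add(r["answer"])
    for qname, seen in answers.items():
        if len(seen) > 1:
            anomalies.append(("inconsistent_answer", qname, tuple(sorted(seen))))
    return anomalies

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(split_gti_label(GTI_NAME))
    for a in find_anomalies(recs, {"10.0.0.53"}):
        print(a)
```

The check does not decode the label or say what any answer means; it only surfaces lookups whose resolution path or result is inconsistent, which is where a spoofed IN A answer would first show up in resolver logs.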