2 Replies Latest reply on Nov 15, 2016 1:40 PM by abanaru

    GTI File Reputation - How does it work?

    abanaru

      Hello,

       

      Curiosity hit me today and I wanted to actually see how GTI File Reputation works. From all I know, this KB is the foundation: McAfee KnowledgeBase - FAQs for Global Threat Intelligence File Reputation.

      It's stated that "GTI File Reputation queries are sent in clear text, with additional authentication added as appropriate." so I went ahead and made a packet capture on a workstation running ENS 10.2 with GTI activated for Threat Prevention.

       

      [Attached screenshot: DNS.PNG (packet capture of the GTI DNS query and response)]

      I assume 127.129.0.128 is something that ENS internally maps to "known good".

       

      How... what actually is x-0.19-a3000011.20580.16a8.b84.2fc7.200.0.divlrlqgrt8wqej5r3h1fspprv.avts.mcafee.com? Because it doesn't look like a hash, and I've generated all known hashes for that specific file. Is this an HMAC?

      What protection is in place in case someone does DNS poisoning by adding a malware hash to their own DNS and altering the IN A response, so that the malware shows as known good when in fact GTI knows it as malicious?

       

      Andrei
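As an added example, not McAfee's code and not the real GTI query format (the post does not decode that name): a minimal DNS-based file-reputation lookup in Python, showing why an IN A answer to a clear-text query can be forged by anyone who saw the query, which is the concern raised above. The zone avts.example.test, the SHA-256-derived label layout, the address 127.0.0.33 used as the "genuine" answer and the verdict table are all assumptions made for this example; the only value taken from the post is 127.129.0.128 as the assumed "known good" code.

```python
"""Added example (not McAfee code): a toy DNS reputation lookup client and
the forged answer an on-path attacker can craft against it."""
import struct
import hashlib

LOOKUP_ZONE = "avts.example.test"  # hypothetical zone, not the real one

REPUTATION_CODES = {
    # From the post: 127.129.0.128 is assumed to mean "known good".
    # Any other code is not decoded here.
    "127.129.0.128": "known good",
}


def build_qname(file_bytes):
    """Hypothetical name layout: hex SHA-256 split into two labels."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "{}.{}.{}".format(digest[:32], digest[32:], LOOKUP_ZONE)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(pkt, off):
    """Read a name at pkt[off], following 0xC0 compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid, qname):
    """Standard query, RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ip):
    """Response with one A record; the answer name points at the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_response(pkt):
    """Return (txid, question name, first A record or None)."""
    txid, _flags, _qd, an = struct.unpack("!HHHH", pkt[:8])
    off = 12
    qname, off = read_name(pkt, off)
    off += 4  # skip qtype, qclass
    if an == 0:
        return txid, qname, None
    _, off = read_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return txid, qname, None
    return txid, qname, ".".join(str(b) for b in pkt[off:off + 4])


def naive_lookup(query, response):
    """Accept any answer whose id and name match the query. The query went
    out in clear text, so an on-path attacker knows both values."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, _ = read_name(query, 12)
    r_txid, r_name, ip = parse_response(response)
    if (r_txid, r_name.lower()) != (q_txid, q_name.lower()):
        return None
    return ip


def verdict_for(ip):
    if ip is None:
        return "no answer"
    return REPUTATION_CODES.get(ip, "reputation code not decoded here")


if __name__ == "__main__":
    sample = b"MZ\x90\x00constructed sample, not a real file"
    qname = build_qname(sample)
    query = build_query(0x1234, qname)
    genuine = build_response(0x1234, qname, "127.0.0.33")      # hypothetical
    forged = build_response(0x1234, qname, "127.129.0.128")    # attacker
    print(qname)
    print("genuine answer ->", verdict_for(naive_lookup(query, genuine)))
    print("forged answer  ->", verdict_for(naive_lookup(query, forged)))
```

The client above checks only the transaction id and the question name, which is all plain DNS offers; both are visible to whoever can read the clear-text query, so the forged answer carrying 127.129.0.128 is accepted as readily as the genuine one. Whatever "additional authentication" is added on top has to live outside the A record itself, and the post does not say what form it takes.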