6 Replies Latest reply on Mar 13, 2017 5:14 AM by Troja

    How to update reputation on vast numbers of files?

    cowboy71

      So, got a customer with TIE in their environment and they have 200,000+ files in their database, the bulk of which do not have a reputation.

      They would like to set the reputation of all those that do not have an enterprise reputation.

      Is there an easy way to do this for such a large number of files? I wish there was a tick box to just "select all" and then set the reputation, but no.

      A thought I had was to export the information to an XML, convert the files with the TIE Hash Importer, then import the files back in.

      So I tried that on a test virtual system in the McAfee Security Center. Unfortunately, with that system, when I tried to export the 2,000 entries in that system to XML, it just locked up the system. I was able to export around 700 entries okay, but any more than that and it just hung. Not sure whether that was TIE generally, or just an issue with that system.

      Any thoughts would be GREATLY appreciated!

        • 1. Re: How to update reputation on vast numbers of files?
          tkinkead

          Well, this used to exist:

          https://community.mcafee.com/docs/DOC-6464

          This was a link to a document describing the TIE Scanner, which let you baseline all files on a gold image as good. It could be leveraged for this purpose, but it no longer seems to be available. You may want to contact support and see if they can get you a copy of the tool.

          • 2. Re: How to update reputation on vast numbers of files?
            cowboy71

            Ah yes, I remember that tool! Strange that the link no longer exists, but if I remember correctly it was a fairly unsupported tool.

            • 3. Re: How to update reputation on vast numbers of files?
              cowboy71

              Came across this GUI version of the Gold Image Tool. Not exactly what I need, but useful!

              Golden Image Tool with GUI

              • 4. Re: How to update reputation on vast numbers of files?
                fabhoo

                Hey cowboy,

                Maybe "GetClean" is what you are looking for?

                "McAfee® GetClean is an initiative to collect and upload clean files from software vendors and customers. You can deploy the McAfee GetClean (GetClean henceforth) tool to submit information on your clean file repositories. Samples and metadata can then be uploaded to McAfee. After processing these samples and metadata, the McAfee Global Threat Intelligence™ database is populated with information about the submitted files. The files then become a part of McAfee test systems where they are scanned before release of any new DAT update."

                I tried it myself and it's very easy to handle... but I didn't have to deal with 200,000+ files ^^

                • 5. Re: How to update reputation on vast numbers of files?
                  johnmoe

                  GetClean will test the files on a system to find ones that McAfee's signatures don't know about, and uploads info about them to McAfee. They then use that info to test new DAT versions to make sure they don't get false positives on any of them, before releasing the DAT file. It has nothing to do with TIE, however.

                  For my systems, I built a "gold image" (i.e., fresh and clean build, with a number of our common apps deployed to it), pushed ENS ATP to it, and then ran GetClean on it.  The next day, I checked the system in TIE for certs and files in use on that system, and just marked all as "Known Good".

                  I wouldn't just blanket assume that everything in my environment was "clean", but if you really want to do so, you should be able to check the box for the first item in the list, scroll to the bottom of the list, and shift + click the box for the last item in the list, and then use the Actions to mark all as known good.

                  • 6. Re: How to update reputation on vast numbers of files?
                    Troja

                    Hello,

                    First of all, it makes no sense to set any file which is unknown to an Enterprise Reputation, because at this moment you do not know the real status of that file. Therefore it is "Grey". So you can figure out what is "Grey" or "unknown" in your company.

                    I suggest only setting a file to a trusted level if you have a trusted information source.

                    Information source is a trusted clean system:

                    If you have a system like a "golden image" you can publish any PE in TIE using this tool: Golden Image Tool with GUI

                    You can set the Enterprise Reputation and also a comment.

                    Information source is virustotal.com

                    This is also possible. There is a POC available here in the community to automatically query VirusTotal: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically

                    We expanded this feature with other trusted sources like nist.gov.

                    Information source is any other system

                    Since OpenDXL is available, you can add threat information from any available source, e.g. Check Point. We also connected a combination of Splunk and a Palo Alto firewall. We connected FireEye with MWG, where MWG acts as an SSL offloader for FireEye.

                    Finally, there is one important question: what are my trusted reputation providers?

                    But I strongly recommend not setting any unknown file to a trusted Enterprise Reputation if you do not have any other trusted information source.

                    Hope this helps,

                    Cheers

                    1 of 1 people found this helpful
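As an added example that is not part of this thread (it is neither Troja's Golden Image Tool nor any McAfee or OpenDXL code), here is a Python sketch of the decision logic Troja describes: the hashes of files on a clean golden image serve as the trusted information source, only files that are still "unknown" in the export and appear in that set are selected for a Known Trusted reputation, and everything else stays grey. The CSV column names, the reputation label strings and the sample file contents are constructed assumptions, not TIE's real export schema. Updates are split into small batches because cowboy71 saw exports hang past a few hundred entries; the actual write into TIE (console action or a DXL client call) is deliberately left out.

```python
import csv
import hashlib
import io
from typing import Dict, List, Tuple

# Reputation labels used in this example (assumed names modelled on the
# thread's "Known Good" / "unknown" wording, not TIE's real enumeration).
KNOWN_TRUSTED = "known_trusted"
UNKNOWN = "unknown"

# Constructed stand-in for the files on a clean "golden image"
# (in real use you would hash the PE files on that system).
GOLDEN_IMAGE_FILES: Dict[str, bytes] = {
    "app.exe": b"MZ constructed application binary",
    "helper.dll": b"MZ constructed helper library",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest, one of the hashes the TIE console lists per file."""
    return hashlib.sha1(data).hexdigest()


def build_trusted_set(files: Dict[str, bytes]) -> set:
    """The trusted information source: hashes observed on the clean golden image."""
    return {sha1_hex(content) for content in files.values()}


def build_sample_export() -> str:
    """Constructed TIE-style export (column names are assumptions for this example)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["sha1", "filename", "enterprise_reputation"])
    # Seen on the golden image and still without an enterprise reputation.
    writer.writerow([sha1_hex(GOLDEN_IMAGE_FILES["app.exe"]), "app.exe", UNKNOWN])
    # Seen on the golden image, but an admin already set a reputation: left untouched.
    writer.writerow([sha1_hex(GOLDEN_IMAGE_FILES["helper.dll"]), "helper.dll", KNOWN_TRUSTED])
    # Never seen on any trusted source: stays "grey".
    writer.writerow([sha1_hex(b"MZ constructed unseen tool"), "tool.exe", UNKNOWN])
    return out.getvalue()


def parse_export(csv_text: str) -> List[Dict[str, str]]:
    """Read the export into one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def plan_reputation_updates(rows: List[Dict[str, str]],
                            trusted_sha1s: set) -> Tuple[List[str], List[str]]:
    """Split the export into hashes to mark trusted and hashes to leave unknown.

    A file is selected only if it (a) currently has no enterprise reputation and
    (b) appears in the trusted set; everything else keeps its current state.
    """
    to_trust: List[str] = []
    leave_unknown: List[str] = []
    for row in rows:
        sha1 = row["sha1"].strip().lower()
        if row["enterprise_reputation"] != UNKNOWN:
            continue  # never overwrite a reputation somebody already set
        if sha1 in trusted_sha1s:
            to_trust.append(sha1)
        else:
            leave_unknown.append(sha1)
    return to_trust, leave_unknown


def batches(items: List[str], size: int) -> List[List[str]]:
    """Chunk the update list so each submission stays small."""
    if size <= 0:
        raise ValueError("batch size must be positive")
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    trusted = build_trusted_set(GOLDEN_IMAGE_FILES)
    rows = parse_export(build_sample_export())
    to_trust, leave = plan_reputation_updates(rows, trusted)
    for batch in batches(to_trust, 500):
        print(f"mark {KNOWN_TRUSTED}: {batch}")
    print(f"left unknown (grey): {leave}")
```

The point of the split is Troja's: the trusted set is the only thing that promotes a file, and a file the golden image never contained is left grey rather than bulk-approved.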