Well, this used to exist:
This was a link to a document describing the TIE Scanner, which let you baseline all files on a gold image as good. It could be leveraged for this purpose, but it no longer seems to be available. You may want to contact support and see if they can get you a copy of the tool.
Ah yes I remember that tool! Strange that the link no longer exists, but if I remember it was a fairly unsupported tool.
Maybe "GetClean" is what you are looking for?
"McAfee® GetClean is an initiative to collect and upload clean files from software vendors and customers. You can deploy the McAfee GetClean (GetClean henceforth) tool to submit information on your clean file repositories. Samples and metadata can then be uploaded to McAfee. After processing these samples and metadata, the McAfee Global Threat Intelligence™ database is populated with information about the submitted files. The files then become a part of McAfee test systems where they are scanned before release of any new DAT update."
I tried it myself and it's very easy to handle... but I didn't have to deal with 200.000+ files ^^
GetClean will test the files on a system to find ones that McAfee's signatures don't know about, and upload info about them to McAfee. They then use that info to test new DAT versions to make sure they don't get false positives on any of them, before releasing the DAT file. It has nothing to do with TIE, however.
For my systems, I built a "gold image" (i.e., fresh and clean build, with a number of our common apps deployed to it), pushed ENS ATP to it, and then ran GetClean on it. The next day, I checked the system in TIE for certs and files in use on that system, and just marked all as "Known Good".
I wouldn't just blanket assume that everything in my environment was "clean", but if you really want to do so, you should be able to check the box for the first item in the list, scroll to the bottom of the list, and shift + click the box for the last item in the list, and then use the Actions to mark all as known good.
First of all, it makes no sense to set any file which is unknown to an Enterprise Reputation, because at this moment you do not know what the real status of a file is. Therefore it is "Grey". So you can figure out what is "Grey" or "unknown" in your company.
I suggest only setting a file to a trusted level if you have a trusted information source.
Information source is a trusted clean system:
If you have a system like a "golden image", you can publish any PE in TIE using this tool: Golden Image Tool with GUI
You can set the Enterprise Reputation and also a comment.
Information source is virustotal.com
This is also possible. There is a POC available here in the community to automatically query virustotal: Convicter – Utilize VirusTotal with TIE/DXL to convict files automatically
We expanded this feature with other trusted sources like nist.gov.
Information source is any other system
Since OpenDXL is available, you can add the threat information from any available information source, e.g. Check Point. We also connected a combination with Splunk and a Palo Alto firewall. We connected FireEye with MWG, where MWG acts as an SSL offloader for FireEye.
Finally, there is one important question: what are my trusted reputation providers?
But I strongly recommend not setting any unknown file to a trusted Enterprise Reputation if you do not have any other trusted information source.
Hope this helps,
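The gold-image approach discussed in this thread starts from a reviewable list of the executables on the clean system. The following script is an added example, not code from any poster and not McAfee's tool: it builds such a manifest so the entries can be checked before any reputation is set. The function names and sample files are constructed for illustration, and it records MD5, SHA-1 and SHA-256 because those are the hash types TIE file reputations are keyed on.

```python
import hashlib, os, struct, tempfile

# Constructed sample: minimal MZ header whose e_lfanew (offset 0x3C) points at "PE\0\0".
SAMPLE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"constructed"

def is_pe(path):
    """True only if the MZ header's e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def hash_file(path, chunk=1 << 20):
    """Stream the file once and return its MD5, SHA-1 and SHA-256 hex digests."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}

def build_manifest(root):
    """List every regular (non-symlink) PE file under root with its hashes."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and is_pe(path):
                rows.append({"path": os.path.relpath(path, root), **hash_file(path)})
    return sorted(rows, key=lambda r: r["path"])

def make_sample_tree():
    """Constructed stand-in for a gold image: one PE, one MZ-only fake, one text file."""
    root = tempfile.mkdtemp()
    samples = {"app.exe": SAMPLE_PE, "fake.exe": b"MZ" + b"\x00" * 62, "readme.txt": b"hello"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for row in build_manifest(make_sample_tree()):
        print(row)
```

Pointing `build_manifest` at the mounted gold image instead of the sample tree gives a list that can be compared against what TIE reports for that system.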