How to change reputation scores in Threat Intelligence Exchange
Technical Articles ID: KB82922
Last Modified: 8/21/2019

Environment

McAfee Threat Intelligence Exchange (TIE) Server - all supported versions

For details of TIE Server supported environments, see KB83368.

Summary

If you think that the reputation for a file or certificate needs to be changed, you can report it to McAfee Labs by following the steps in KB68030. You also have the following options to whitelist, blacklist, and reset the reputation for files and certificates with TIE in your environment:
 
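Issue | Solution
False detection for a file or certificate | Whitelist a false detection triggered by a TIE rule
Undetected malicious file or certificate | Blacklist a potentially malicious file or certificate with TIE reputations
Remove reputation overrides for a file or certificate | Reset the local TIE reputation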

Solution

Whitelist a false detection triggered by a TIE rule
If any of the TIE rules triggers a detection, you can change the reputation of the file or certificate. Changing the file or certificate reputation lets you protect the environment even before the detection is added to the daily definitions.

If you need to whitelist a file, follow these steps:
  1. In the ePolicy Orchestrator (ePO) console, click Menu, and under the Systems Section, select TIE Reputations.
  2. In the file search field, type the name of the relevant file.
  3. Select the relevant file, and then click Actions, File Known Trusted.
 
If you need to whitelist a certificate, follow these steps:
  1. In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
  2. In the certificate search field, type the name of the relevant certificate.
  3. Select the relevant certificate, and then click Actions, Cert Known Trusted.

Solution

Blacklist a potentially malicious file or certificate with TIE reputations

If you need to blacklist a file, follow these steps:
  1. In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
  2. In the file search field, type the name of the relevant file.
  3. Select the relevant file, and then click Actions, File Known Malicious.

    NOTES:
    • If the certificate associated with the file has a known trusted reputation, the override does not take effect. The certificate reputation must be set to Unknown.
    • Marking a certificate with a Malicious reputation does not cause the file to be treated as malicious within Endpoint Security. A unique file override of Malicious must also be issued against any file signed by the certificate that you want to have treated as malicious.
 
If you need to blacklist a certificate, follow these steps:
  1. In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
  2. In the certificate search field, type the name of the relevant certificate.
  3. Select the relevant certificate, and then click Actions, Cert Known Malicious.
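
The two NOTES above describe overrides that look correct in the console but do not behave as intended. The following is an added example, not McAfee code and not part of the original article, that audits a list of reputation records for both cases. The record layout, certificate IDs, and file names are constructed assumptions and not an ePO or TIE export format.

```python
# Added example: audit reputation records for the two override pitfalls in the
# NOTES. The record layout is an assumption (constructed), not a TIE format.
KNOWN_TRUSTED = "Known Trusted"
KNOWN_MALICIOUS = "Known Malicious"

# Constructed sample data: certificate reputations keyed by a placeholder ID.
CERTS = {
    "cert-A": KNOWN_TRUSTED,
    "cert-B": KNOWN_MALICIOUS,
    "cert-C": "Unknown",
}
# Constructed sample data: files, their signing certificate, any file override.
FILES = [
    {"name": "tool.exe", "cert": "cert-A", "override": KNOWN_MALICIOUS},
    {"name": "agent.exe", "cert": "cert-B", "override": None},
    {"name": "dropper.exe", "cert": "cert-B", "override": KNOWN_MALICIOUS},
    {"name": "setup.exe", "cert": "cert-C", "override": KNOWN_MALICIOUS},
    {"name": "unsigned.bin", "cert": None, "override": KNOWN_MALICIOUS},
]

def audit_overrides(files, certs):
    """Return (file name, finding) pairs for overrides that need review."""
    findings = []
    for f in files:
        # Unsigned files have no certificate reputation to conflict with.
        cert_rep = certs.get(f["cert"]) if f["cert"] else None
        if f["override"] == KNOWN_MALICIOUS and cert_rep == KNOWN_TRUSTED:
            # Note 1: a trusted certificate reputation blocks the file override.
            findings.append((f["name"], "malicious file override has no effect: "
                             "set the certificate reputation to Unknown"))
        elif cert_rep == KNOWN_MALICIOUS and f["override"] != KNOWN_MALICIOUS:
            # Note 2: a malicious certificate alone does not condemn the file.
            findings.append((f["name"], "certificate is malicious but the file "
                             "has no malicious override: review and add one"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_overrides(FILES, CERTS):
        print(f"{name}: {finding}")
```
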

Solution

Reset the local TIE reputation
If you manually changed any of the file or certificate reputation values, you can reset them to their current values.

If you need to reset the reputation for a file, follow these steps:
  1. In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
  2. Under File Overrides, select the relevant file, and then click Actions, Remove Override.
 
If you need to reset the reputation for a certificate, follow these steps:
  1. In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
  2. Under Certificate Overrides, select the relevant certificate, and then click Actions, Remove Override.
