How to change reputation scores in Threat Intelligence Exchange
Technical Articles ID: KB82922
Last Modified: 2/12/2021
Solution 1
Allow a false detection triggered by a TIE rule
If any of the TIE rules triggers a detection, you can change the reputation of the file or certificate by modifying the File or Certificate reputation of the file. Doing so prevents the environment even before the detection is added in the daily definitions.
To allow a file, follow these steps:
- In the ePolicy Orchestrator (ePO) console, click Menu, and under the Systems Section, select TIE Reputations.
- In the file search field, type the name of the relevant file.
- Select the relevant file, and then click Actions, File Known Trusted.
If you need to allow a certificate, follow these steps:
- In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
- In the certificate search field, type the name of the relevant certificate.
- Select the relevant certificate, and then click Actions, Cert Known Trusted.
Solution 2
Block a potentially malicious file or certificate with TIE reputations.
To block a file, follow these steps:
- In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
- In the file search field, type the name of the relevant file.
- Select the relevant file, and then click Actions, File Known Malicious.
NOTES:
- If the certificate associated with the file has a known trusted reputation, the override does not take effect. The certificate reputation must be set to Unknown.
- Tagging a certificate with a Malicious reputation does not cause the file to be treated as malicious within Endpoint Security. A unique file override of Malicious must also be issued against any file signed by the certificate that you want to have treated as malicious.
If you need to block a certificate, follow these steps:
- In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
- In the certificate search field, type the name of the relevant certificate.
- Select the relevant certificate, and then click Actions, Cert Known Malicious.
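The two notes above can be checked against a planned set of overrides before they are applied in the console. The following is an added example, not McAfee code and not a TIE or ePO API: the data layout, the function name, and the sample entries are constructed for illustration, and a signer with no listed reputation is assumed to be Unknown.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FileEntry:
    name: str
    file_rep: str            # reputation label as shown in this article
    signer: Optional[str]    # name of the signing certificate, None if unsigned

def audit_block_plan(files, cert_reps):
    """Return (file name, finding) pairs for overrides that will not behave as intended."""
    findings = []
    for f in files:
        # Assumption: a signer missing from cert_reps is treated as Unknown.
        cert_rep = cert_reps.get(f.signer, "Unknown") if f.signer else None
        # Note 1: a File Known Malicious override does not take effect while
        # the associated certificate is Known Trusted.
        if f.file_rep == "Known Malicious" and cert_rep == "Known Trusted":
            findings.append((f.name,
                f"override ineffective: set certificate '{f.signer}' to Unknown"))
        # Note 2: Cert Known Malicious alone does not make the file malicious
        # in Endpoint Security; each signed file needs its own override.
        if cert_rep == "Known Malicious" and f.file_rep != "Known Malicious":
            findings.append((f.name,
                f"signed by malicious certificate '{f.signer}' "
                "but has no File Known Malicious override"))
    return findings

# Constructed sample data (hypothetical file and certificate names).
SAMPLE_CERTS = {
    "Example Corp CA": "Known Trusted",
    "Bad Signer LLC": "Known Malicious",
}
SAMPLE_FILES = [
    FileEntry("dropper.exe", "Known Malicious", "Example Corp CA"),
    FileEntry("helper.dll", "Unknown", "Bad Signer LLC"),
    FileEntry("tool.exe", "Known Malicious", "Bad Signer LLC"),
    FileEntry("script.bin", "Known Malicious", None),
]

if __name__ == "__main__":
    for name, finding in audit_block_plan(SAMPLE_FILES, SAMPLE_CERTS):
        print(f"{name}: {finding}")
```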
Solution 3
Reset the local TIE reputation
If you manually changed any of the file or certificate reputation values, you can reset them to their current values.
If you need to reset the reputation for a file, follow these steps:
- In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
- Under File Overrides, select the relevant file, and then click Actions, Remove Override.
If you need to reset the reputation for a certificate, follow these steps:
- In the ePO console, click Menu, and under the Systems Section, select TIE Reputations.
- Under Certificate Overrides, select the relevant certificate, and then click Actions, Remove Override.