Application Control checks for reputation-based execution and final reputation
Technical Articles ID: KB85695
Last Modified: 12/8/2016


Environment

McAfee Application Control (MAC) 8.0.0, 7.0.x

Summary

This article describes Application Control reputation-based execution and final reputation. For information on relevant user interface enhancements in Application Control 7.0.x, see KB86182.
 
  • Reputation-based execution for files
    When you execute a file on an endpoint, Application Control performs multiple checks in a set order for the file and allows or bans execution for the file based on the result of the checks. Application Control starts with the check that has the highest precedence and moves down the list to determine whether to allow or block the file.
  • Final reputation for files
    Application Control considers values and parameters provided by the configured reputation sources and performs multiple checks in a set order starting with the check that has the highest precedence and moves down the list to determine the final reputation for files in the ePO console.
Reputation-based execution for files:
Here are the checks performed to determine whether to allow or block a file.
 
The checks are listed in precedence order (check, then description):

1. File unauthorized check: If the file is always unauthorized by name, the file is not allowed to execute. This is specifically set by a rule.
2. Banned SHA1: If the file is banned by SHA1, the file is not allowed to execute. This is set by a rule.
3. Threat Intelligence Exchange (TIE) reputation: If the TIE server is configured based on the reputation settings for your enterprise, these checks are performed. For more information on configuring reputation settings, see the "File and certificate reputation" section in PD26169 - Change Control and Application Control 7.0.0 Product Guide - ePolicy Orchestrator Managed Mode.
  1. Check whether the binary file is signed.
    • If yes, fetch the reputation for all certificates associated with the file.
    • If not, use the file reputation to allow or deny execution.
  2. Verify whether the reputation for any associated certificate is set to Unknown on the TIE server.
    • If yes, ignore the certificate reputation and use the file reputation to allow or deny file execution.
    • If not, compute the reputation based on the reputation of all certificates associated with the file, and use the resultant reputation to allow or deny file execution.
  NOTE: Trusted reputation takes precedence over malicious reputation while determining the resultant certificate reputation. For example, if a file is signed by two malicious and one trusted certificate, the resultant reputation based on certificates associated with the file is trusted.
  If the resultant reputation for certificates associated with the file or file reputation is:
    • Known Trusted, Most Likely Trusted, Might be Trusted - File is allowed to execute.
    • Might be Malicious, Most Likely Malicious, Known Malicious - File is not allowed to execute.
    • Unknown - Certificate reputation is ignored and file reputation is used to determine execution. If file reputation is Unknown, Application Control proceeds with the next check.
    • Not set - Application Control proceeds with the next check.
4. File authorized check: If the file is always authorized by file name, the file is allowed to execute. This is specifically set by a rule.
5. Allowed SHA1: If the file is allowed by SHA1, it is allowed to execute. This is set by a rule.
6. Allowed certificate: If the certificate associated with a binary file is allowed, the file is allowed to execute. This is set by a rule.
  NOTE: This check does not apply to script files.
7. McAfee GTI reputation: These checks are performed:
  1. Check whether the file is signed with one or more certificates.
    • If yes and the reputation for any associated certificate is not set on the TIE server, fetch the GTI reputation for certificates associated with the file from the TIE server or McAfee GTI file reputation service.
    • If not, fetch the file GTI reputation from the TIE server or McAfee GTI file reputation service to allow or deny execution.
    NOTE: If the certificate reputation on the TIE server is set to Unknown, the McAfee GTI certificate reputation is not checked. Similarly, if the file reputation on the TIE server is set to Unknown, the McAfee GTI file reputation is not checked for the file.
  2. Compute the reputation based on the reputation of all certificates associated with the file. Use the resultant reputation to allow or deny file execution. If certificate reputation is not available, fetch the file GTI reputation from the TIE server or McAfee GTI file reputation service to allow or deny execution.
  NOTE: Trusted reputation takes precedence over malicious reputation while determining the resultant certificate reputation. For example, if a file is signed by two malicious and one trusted certificate, the resultant reputation based on the certificates associated with the file is trusted.
  If the resultant reputation for certificates associated with the file or file reputation is:
    • Known Trusted, Most Likely Trusted, Might be Trusted - File is allowed to execute.
    • Might be Malicious, Most Likely Malicious, Known Malicious - File is not allowed to execute.
    • Unknown - Application Control proceeds with the next check.
    • Not set - Application Control proceeds with the next check.
8. Advanced Threat Defense (ATD) reputation: If ATD is configured in your setup, the TIE server integrates in real time with ATD to provide detailed assessment and data on malware classification. If ATD is configured and the reputation received is:
  • Might be Malicious, Most Likely Malicious, Known Malicious - File is not allowed to execute.
  • Unknown - Application Control proceeds with the next check.
  • Not set - Application Control proceeds with the next check.
9. Updater rule: If the file or its parent process is set as an updater, it is allowed to execute.
10. Update mode: If the endpoint is running in Update mode, the file is allowed to execute.
11. User permissions: If the user has the required permissions or is added as a trusted user, the user can execute the file.
12. Volume status: If the file is stored on a trusted volume, the file is allowed to execute. If the volume is defined as a trusted network path, the file is not allowed to execute.
13. Removable media: If the file is stored on removable media, the file is not allowed to run.
14. Whitelist: Application Control checks the whitelist:
  • If the file is present in the whitelist, the file is allowed to execute.
  • If the file is not present in the whitelist, Application Control checks the skiplist rules.
    • If a corresponding rule for the file is present in the skiplist, the file is allowed to execute.
    • If no rule is present for the file in the skiplist, the file is not allowed to execute.
 
NOTES:
  • For more information on the workflow for reputation-based execution for files, see the "Reputation-based workflow" section in PD26169 - Change Control and McAfee Application Control 7.0.0 Product Guide - ePolicy Orchestrator Managed Mode.
  • For information about rule creation, see the "Allow or ban a binary file" section in PD26169 - Change Control and McAfee Application Control 7.0.0 Product Guide - ePolicy Orchestrator Managed Mode.
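The precedence chain above is easiest to reason about as a first-match decision list: each check returns allow, block, or "proceed", and the first check that decides wins. The following Python model is an added example written for this article, not McAfee's code. It follows the check order, the reputation categories and the "trusted takes precedence over malicious" certificate rule exactly as stated above; the FileContext and Policy records, the flag names, the assumption that the whitelist is keyed by SHA1 and the skiplist by file name, the choice of which trusted (or malicious) level is reported when certificates are combined, and the sample inputs are all constructed for the example.

```python
"""Precedence-ordered allow/block model of the checks listed above. Added example, not
McAfee's code; FileContext, Policy and the sample inputs below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple
Rep = Enum("Rep", "KNOWN_TRUSTED MOST_LIKELY_TRUSTED MIGHT_BE_TRUSTED UNKNOWN "
                  "MIGHT_BE_MALICIOUS MOST_LIKELY_MALICIOUS KNOWN_MALICIOUS")
ORDER = list(Rep)                     # most trusted -> most malicious; "Not set" is None
TRUSTED, MALICIOUS = set(ORDER[:3]), set(ORDER[4:])

@dataclass
class FileContext:                    # facts about one execution attempt (constructed)
    name: str
    sha1: str
    certs: Tuple[str, ...] = ()       # signer certificate ids; empty means unsigned
    is_script: bool = False
    tie_file_rep: Optional[Rep] = None
    tie_cert_rep: Dict[str, Rep] = field(default_factory=dict)
    gti_file_rep: Optional[Rep] = None
    gti_cert_rep: Dict[str, Rep] = field(default_factory=dict)
    atd_rep: Optional[Rep] = None     # None when ATD is not configured
    # Endpoint facts: "updater" (file or parent process), "trusted_user",
    # "trusted_volume", "trusted_network_path", "removable"
    flags: frozenset = frozenset()

@dataclass
class Policy:                         # rules on the endpoint (constructed)
    banned_names: frozenset = frozenset()
    banned_sha1: frozenset = frozenset()
    allowed_names: frozenset = frozenset()
    allowed_sha1: frozenset = frozenset()
    allowed_certs: frozenset = frozenset()
    whitelist: frozenset = frozenset()   # assumed keyed by SHA1
    skiplist: frozenset = frozenset()    # assumed keyed by file name
    update_mode: bool = False

def verdict(rep: Optional[Rep]) -> Optional[str]:
    """Trusted -> allow, malicious -> block, Unknown or Not set -> proceed (None)."""
    return "allow" if rep in TRUSTED else "block" if rep in MALICIOUS else None

def combine_cert_reps(reps: List[Optional[Rep]]) -> Optional[Rep]:
    """Trusted beats malicious (article NOTE); picking the strongest level is assumed."""
    present = [r for r in reps if r is not None]
    for cls, pick in ((TRUSTED, min), (MALICIOUS, max)):
        hits = [r for r in present if r in cls]
        if hits:
            return pick(hits, key=ORDER.index)
    return Rep.UNKNOWN if Rep.UNKNOWN in present else None

def tie_check(f: FileContext) -> Optional[str]:   # check 3: TIE reputation
    cert_reps = [f.tie_cert_rep.get(c) for c in f.certs]
    if not f.certs or Rep.UNKNOWN in cert_reps:   # unsigned, or any cert Unknown
        return verdict(f.tie_file_rep)
    return verdict(combine_cert_reps(cert_reps))

def gti_check(f: FileContext) -> Optional[str]:   # check 7: McAfee GTI reputation
    unset = [c for c in f.certs if f.tie_cert_rep.get(c) is None]
    if unset:   # only certs with no TIE reputation go to GTI; Unknown ones are skipped
        decision = verdict(combine_cert_reps([f.gti_cert_rep.get(c) for c in unset]))
        if decision:
            return decision
    if f.tie_file_rep is Rep.UNKNOWN:   # file Unknown on TIE: GTI file rep not checked
        return None
    return verdict(f.gti_file_rep)

def evaluate(f: FileContext, p: Policy) -> Tuple[int, str, str]:
    """Run the checks in precedence order; return (precedence, check name, decision)."""
    checks = [
        ("File unauthorized check", lambda: "block" if f.name in p.banned_names else None),
        ("Banned SHA1", lambda: "block" if f.sha1 in p.banned_sha1 else None),
        ("TIE reputation", lambda: tie_check(f)),
        ("File authorized check", lambda: "allow" if f.name in p.allowed_names else None),
        ("Allowed SHA1", lambda: "allow" if f.sha1 in p.allowed_sha1 else None),
        ("Allowed certificate", lambda: "allow" if not f.is_script   # not for scripts
         and set(f.certs) & p.allowed_certs else None),
        ("McAfee GTI reputation", lambda: gti_check(f)),
        ("ATD reputation", lambda: "block" if f.atd_rep in MALICIOUS else None),
        ("Updater rule", lambda: "allow" if "updater" in f.flags else None),
        ("Update mode", lambda: "allow" if p.update_mode else None),
        ("User permissions", lambda: "allow" if "trusted_user" in f.flags else None),
        ("Volume status", lambda: "allow" if "trusted_volume" in f.flags
         else "block" if "trusted_network_path" in f.flags else None),
        ("Removable media", lambda: "block" if "removable" in f.flags else None),
        ("Whitelist", lambda: "allow" if f.sha1 in p.whitelist   # always decides
         or f.name in p.skiplist else "block"),
    ]
    for precedence, (name, check) in enumerate(checks, start=1):
        decision = check()
        if decision is not None:
            return precedence, name, decision

# Constructed samples: a multi-signed binary, a signed script, an unsigned file.
MULTI_SIGNED = FileContext("tool.exe", "a" * 40, certs=("c1", "c2", "c3"),
    tie_cert_rep={"c1": Rep.KNOWN_MALICIOUS, "c2": Rep.MOST_LIKELY_MALICIOUS,
                  "c3": Rep.KNOWN_TRUSTED}, tie_file_rep=Rep.UNKNOWN)
SIGNED_SCRIPT = FileContext("deploy.ps1", "b" * 40, certs=("c9",), is_script=True)
UNSIGNED = FileContext("setup.exe", "c" * 40, tie_file_rep=Rep.UNKNOWN,
    gti_file_rep=Rep.KNOWN_MALICIOUS, flags=frozenset({"removable"}))
POLICY = Policy(allowed_certs=frozenset({"c9"}), whitelist=frozenset({"b" * 40}))
```

Running evaluate on the three samples returns the precedence at which each decision was made: the multi-signed binary is allowed at check 3 because one trusted certificate outweighs two malicious ones; the script is not allowed by its certificate at check 6 (that check does not apply to scripts) and only runs because it is whitelisted at check 14; the unsigned file is Unknown on TIE, so its GTI file reputation is never consulted at check 7, and it is finally blocked at check 13 for being on removable media. The precedence number is the value worth logging when triaging why a file ran or was blocked, since a rule lower in the list never overrides a reputation decision made higher up.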
Final reputation for files:
Here is a diagram illustrating how the final reputation is determined for a file.
