Application Control checks for reputation-based execution and final reputation
Technical Article ID:
KB85695
Last Modified: 1/14/2020
Environment
McAfee Application and Change Control (MACC) 8.0.0, 7.0.x
Summary
This article describes MACC reputation-based execution and final reputation. For information about relevant user interface enhancements in MACC 7.0.x, see KB86182.
- Reputation-based execution for files
When you execute a file on an endpoint, MACC performs multiple checks on the file in a set order and allows or bans execution based on the results. MACC starts at the highest-precedence check and moves down the list until a check decides whether to allow or block the file.
- Final reputation for files
MACC considers the values and parameters provided by the configured reputation sources, performing multiple checks in a set order. MACC starts with the highest-precedence check and moves down the list to determine the final reputation shown for files in the ePO console.
Reputation-based execution for files:
Here are the checks performed, in precedence order, to determine whether to allow or block a file. The first check that reaches a decision wins; a check that reaches no decision hands over to the next one.

1. File unauthorized check
If the file is always unauthorized by name, the file is not allowed to execute. This check is specifically set by a rule.

2. Banned SHA-1
If the file is banned by SHA-1, the file is not allowed to execute. This check is set by a rule.

3. Threat Intelligence Exchange (TIE) reputation
If the TIE server is configured based on the reputation settings for your enterprise, these checks are performed. For more information about configuring reputation settings, see the "File and certificate reputation" section in PD26169 - Change Control and McAfee Application Control 7.0.0 Product Guide - ePolicy Orchestrator-Managed Mode.
- Determine whether the binary file is signed.
  - If yes, fetch the reputation for all certificates associated with the file.
  - If not, use the file reputation to allow or deny execution.
- Verify whether the reputation for any associated certificate is set to Unknown on the TIE server.
  - If yes, ignore the certificate reputation and use the file reputation to allow or deny file execution.
  - If not, compute the reputation based on the reputation of all certificates associated with the file. Use the resultant reputation to allow or deny file execution.
NOTE: Trusted reputation takes precedence over malicious reputation when determining the resultant certificate reputation. For example, if a file is signed by two malicious certificates and one trusted certificate, the resultant reputation based on the certificates associated with the file is trusted.
If the resultant reputation for the certificates associated with the file, or the file reputation, is:
- Known Trusted, Most Likely Trusted, Might be Trusted - File is allowed to execute.
- Might be Malicious, Most Likely Malicious, Known Malicious - File is not allowed to execute.
- Unknown - Certificate reputation is ignored and file reputation is used to determine execution. If the file reputation is also Unknown, MACC continues with the next check.
- Not set - MACC continues with the next check.

4. File authorized check
If the file is always authorized by file name, the file is allowed to execute. This check is specifically set by a rule.

5. Allowed SHA-1
If the file is allowed by SHA-1, it is allowed to execute. This check is set by a rule.

6. Allowed certificate
If the certificate associated with a binary file is allowed, the file is allowed to execute. This check is set by a rule.
NOTE: This check does not apply to script files.

7. McAfee GTI reputation
These checks are performed:
- Determine whether the file is signed with one or more certificates.
  - If yes and the reputation for any associated certificate isn't set on the TIE server, fetch the GTI reputation for the certificates associated with the file. The GTI reputation can be acquired from the TIE server or the McAfee GTI file reputation service.
  - If not, fetch the file's GTI reputation from the TIE server or the McAfee GTI file reputation service to allow or deny execution.
NOTE: If the certificate reputation on the TIE server is set to Unknown, the McAfee GTI certificate reputation is not checked. Similarly, if the file reputation on the TIE server is set to Unknown, the McAfee GTI file reputation is not checked for the file.
- Compute the reputation based on the reputation of all certificates associated with the file. Use the resultant reputation to allow or deny file execution. If certificate reputation is not available, fetch the file's GTI reputation from the TIE server or the McAfee GTI file reputation service to allow or deny execution.
NOTE: Trusted reputation takes precedence over malicious reputation when determining the resultant certificate reputation. For example, if a file is signed by two malicious certificates and one trusted certificate, the resultant reputation based on the certificates associated with the file is trusted.
If the resultant reputation for the certificates associated with the file, or the file reputation, is:
- Known Trusted, Most Likely Trusted, Might be Trusted - File is allowed to execute.
- Might be Malicious, Most Likely Malicious, Known Malicious - File is not allowed to execute.
- Unknown - MACC continues with the next check.
- Not set - MACC continues with the next check.

8. Advanced Threat Defense (ATD) reputation
If ATD is configured in your setup, the TIE server integrates in real time with ATD to provide a detailed assessment and data on malware classification. If ATD is configured and the reputation received is:
- Might be Malicious, Most Likely Malicious, Known Malicious - File is not allowed to execute.
- Unknown - MACC continues with the next check.
- Not set - MACC continues with the next check.

9. Updater rule
If the file or its parent process is set as an updater, it is allowed to execute.

10. Update mode
If the endpoint is running in Update mode, the file is allowed to execute.

11. User permissions
If the user has the needed permissions or is added as a trusted user, the user can execute the file.

12. Volume status
If the file is stored on a trusted volume, the file is allowed to execute. If the volume is defined as a trusted network path, the file is not allowed to execute.

13. Removable media
If the file is stored on removable media, the file is not allowed to run.

14. Whitelist
MACC checks the whitelist:
- If the file is present in the whitelist, the file is allowed to execute.
- If the file is not present in the whitelist, MACC checks the skiplist rules.
  - If a corresponding rule for the file is present in the skiplist, the file is allowed to execute.
  - If no rule is present for the file in the skiplist, the file is not allowed to execute.
NOTES:
- For more information about the workflow for reputation-based execution for files, see the "Reputation-based workflow" section in PD26169 - Change Control and McAfee Application Control 7.0.0 Product Guide - ePolicy Orchestrator-Managed Mode.
- For information about rule creation, see the "Allow or ban a binary file" section in PD26169 - Change Control and McAfee Application Control 7.0.0 Product Guide - ePolicy Orchestrator-Managed Mode.
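The following is an added model of the precedence chain above, written for this article and not McAfee's own code. It implements the check 3 certificate-combination rules (an Unknown certificate voids the certificate reputation; trusted beats malicious) and walks checks 1 to 5 and 14 over a constructed dictionary of file facts; the key names (`unauthorized_by_name`, `banned_sha1`, `cert_reps`, `skiplist_match`, and so on) are assumptions for the example, not MACC identifiers.

```python
# Added model of the MACC allow/block precedence chain (not McAfee code).
# Reputation strings follow the article; None stands for "Not set".
TRUSTED = {"Known Trusted", "Most Likely Trusted", "Might be Trusted"}
MALICIOUS = {"Might be Malicious", "Most Likely Malicious", "Known Malicious"}

def classify(rep):
    """Map one reputation value to trusted / malicious / unknown / None (Not set)."""
    if rep in TRUSTED:
        return "trusted"
    if rep in MALICIOUS:
        return "malicious"
    return "unknown" if rep == "Unknown" else None

def combined_cert_class(cert_reps):
    """Resultant certificate reputation: any Unknown certificate voids it,
    otherwise trusted takes precedence over malicious (check 3 NOTE)."""
    classes = [classify(r) for r in cert_reps]
    if "unknown" in classes:
        return "unknown"
    if "trusted" in classes:
        return "trusted"
    if "malicious" in classes:
        return "malicious"
    return None

def tie_verdict(signed, cert_reps, file_rep):
    """Check 3 (TIE). Returns 'allow', 'block', or None to continue."""
    cls = combined_cert_class(cert_reps) if signed else classify(file_rep)
    if signed and cls == "unknown":
        cls = classify(file_rep)  # certificate reputation ignored
    return {"trusted": "allow", "malicious": "block"}.get(cls)

def execution_decision(f):
    """Walk checks 1-5 and 14 over a dict of constructed file facts; checks 6-13
    (allowed cert, GTI, ATD, updater, update mode, user, volume, media) are omitted."""
    if f.get("unauthorized_by_name"):
        return ("block", "1 file unauthorized")
    if f.get("sha1") in f.get("banned_sha1", ()):
        return ("block", "2 banned SHA-1")
    v = tie_verdict(f.get("signed", False), f.get("cert_reps", []), f.get("file_rep"))
    if v:
        return (v, "3 TIE reputation")
    if f.get("authorized_by_name"):
        return ("allow", "4 file authorized")
    if f.get("sha1") in f.get("allowed_sha1", ()):
        return ("allow", "5 allowed SHA-1")
    if f.get("sha1") in f.get("whitelist", ()) or f.get("skiplist_match"):
        return ("allow", "14 whitelist or skiplist rule")
    return ("block", "14 not in whitelist, no skiplist rule")
```

Note that a file signed only by certificates whose TIE reputation is Not set falls through check 3 without consulting its file reputation, which is why the article sends such files on to the GTI check.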
Final reputation for files:
Attached to this article is a diagram showing how final reputation for files is determined.