Performance issues on Application Control endpoints when GTI and TIE communication fails

Technical Articles ID: KB86638
Last Modified: 3/9/2022

Environment

Application and Change Control (ACC) 8.x, 7.x, 6.x
Global Threat Intelligence (GTI)
Threat Intelligence Exchange (TIE)

Summary

Application Control can work with multiple sources to fetch reputation information for files and certificates. The reputation information helps you make informed decisions about binary files and certificates within your enterprise, and allows you to quickly define policies on the ePolicy Orchestrator (ePO) server.

On the endpoints, this integration allows reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution. The settings configured for your enterprise determine the reputation values that are allowed and banned. By default, Application Control is configured to work with the TIE server and GTI file reputation service to fetch reputation information.

Problem

Performance issues are observed on endpoints when GTI or TIE communication fails with the endpoints. If the endpoints report degraded performance, look for the following errors in the Solidcore.log file:

GTI

Error 12002 --> ERROR_INTERNET_TIMEOUT : The request has timed out
ERROR: gti_http.c : 544: WinHttpReceiveResponse failed, err: 12002
ERROR: gti_http.c : 713: GTI: Request to get reputation from GTI failed, err: 112002
ERROR: gti_reputation.cpp: 196: gti_fetch_cert_reputation failed, err: 112002
12007 --> ERROR_INTERNET_NAME_NOT_RESOLVED : The server name could not be resolved
ERROR: gti_http.c : 528: GTI: WinHttpSendRequest failed, err: 12007
ERROR: gti_http.c : 713: GTI: Request to get reputation from GTI failed, err: 112007

TIE

ERROR: tie_transport.cpp: 1245: TIE: Request to get reputation from TIE timed-out, response not received in 2 sec, err: 11.

NOTE: Error 11 corresponds to the Data Exchange Layer (DXL) error: DXL_WAIT_TIMEOUT.

If five consecutive requests fail while getting the reputation from TIE, the following log entry displays:

SYSTEM: tie_transport.cpp: 84: TIE: setting the TIE state change timer, set TIE responsive on timer expiry.

The following log entries are seen when the TIE state is changed to RESPONSIVE after the timer expiry:

SYSTEM: tie_transport.cpp: 107: TIE: Setting TIE state RESPONSIVE
SYSTEM: tie_transport.cpp: 118: Successfully set TIE to RESPONSIVE

Err: 112029 is an error regarding failure to submit a file to the TIE server using the Windows WinHttpSendRequest API. It appears in the solidcore.log file, similar to the example below. A DXL client issue is the usual cause for this error. Try to reinstall the DXL client.

ERROR: tie_atd.cpp : 423: TIE: failed to send http header for file <filename> Err: 112029

Cause

There are several possible causes that can result in performance issues on the endpoints when GTI and TIE communication fails.

Policy allowing communication with the GTI server isn't enabled on the endpoint.
The endpoint doesn’t have internet access and can't communicate with the GTI server.
See the related article for details KB79640 - Connecting to Global Threat Intelligence.
Firewall-related (ports blocked).
Network-related (packet loss, excessive traffic).

Solution

Disable reputation checking of binaries:

CAUTION: It’s highly recommended that you first investigate and troubleshoot the causes mentioned above. Then, perform the steps below to disable reputation checking of binaries. Consider disabling reputation checking of binaries only as a last resort.

NOTES:

Turn off reputation checking of binaries using the TIE server or GTI service if the errors described in this article are frequently logged in the solidcore.log.
By default, a policy to enable reputation-based execution is applied to all endpoints running the Solidcore client.
The settings in the policy indicate how endpoints communicate with the configured reputation sources.

To disable reputation checking of binaries, use the TIE server or GTI service for endpoints:

For managed systems:

Log on to the ePO console.
Select Menu, Policy, Policy Catalog.
Select the Solidcore 8.3.4: Application Control product.
Select the Application Control Options (Windows) category.
Click the assigned policy and edit it.
On the Reputation tab, under the Reputation section, review the reputation sources for TIE and GTI.
Specify the reputation source. You can use the TIE server, GTI service, or both. If you use both, the TIE server serves as the primary reputation source. The GTI service serves as an alternate source that is used only when the TIE server is unavailable.
Deselect both the options below:
Use Threat Intelligence Exchange (TIE) server
Use Global Threat Intelligence (GTI)
Save the policy.
Apply the policy to the relevant endpoints.

For Standalone systems, run the commands below locally at an administrator command prompt:

To list all ACC features and their status, type the command:

Run sadmin features list -d
To disable the TIE reputation feature, type the command:

sadmin features disable tie-reputation
To disable the GTI reputation feature, type the command:

sadmin features disable gti-reputation

Affected Products

Application and Change Control 8.3.x
Application and Change Control 8.2.x
Application and Change Control 8.1.x
Application and Change Control 8.0.x
Application and Change Control 7.0.x (EOL)
Application and Change Control 6.5.x
Application and Change Control 6.4.x
Application and Change Control 6.3.x
Application and Change Control 6.2.x
Application and Change Control 6.1 (EOL)
Known Issue/Product Defect
Troubleshooting

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro

Knowledge Center

Performance issues on Application Control endpoints when GTI and TIE communication fails

Environment

Summary

Problem

Cause

Solution

Affected Products

Languages:

Title

Title

Knowledge Center

Performance issues on Application Control endpoints when GTI and TIE communication fails

Environment

Summary

Problem

Cause

Solution

Affected Products

Languages:

Choose your region

Title

Title