Performance issues on Application Control endpoints when Global Threat Intelligence and Threat Intelligence Exchange communication fails
Technical Articles ID: KB86638
Last Modified: 5/13/2019

Environment

McAfee Application and Change Control (MACC) 8.x.x, 7.x.x, 6.x.x
McAfee Global Threat Intelligence (GTI)
McAfee Threat Intelligence Exchange (TIE) 

Summary

Application Control can work with multiple sources to fetch reputation information for files and certificates. The reputation information helps you make informed decisions about binary files and certificates within your enterprise, while allowing you to quickly define policies on the ePolicy Orchestrator (ePO) server.

On the endpoints, this integration allows reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution. The settings configured for your enterprise determine the reputation values that are allowed and banned. By default, Application Control is configured to work with the TIE server and GTI file reputation service to fetch reputation information.

Problem

Performance issues are observed on endpoints when communication between the endpoints and GTI or TIE fails. If endpoints report degraded performance, check Solidcore.log for the following errors:

GTI
Error 12002 --> ERROR_INTERNET_TIMEOUT : The request has timed out
ERROR: gti_http.c : 544: WinHttpReceiveResponse failed, err: 12002
ERROR: gti_http.c : 713: GTI: Request to get reputation from GTI failed, err: 112002
ERROR: gti_reputation.cpp: 196: gti_fetch_cert_reputation failed, err: 112002
Error 12007 --> ERROR_INTERNET_NAME_NOT_RESOLVED : The server name could not be resolved
ERROR: gti_http.c : 528: GTI: WinHttpSendRequest failed, err: 12007
ERROR: gti_http.c : 713: GTI: Request to get reputation from GTI failed, err: 112007


TIE
ERROR: tie_transport.cpp: 1245: TIE: Request to get reputation from TIE timed-out, response not received in 2 sec, err: 11.
The error 11 corresponds to the Data Exchange Layer (DXL) error: DXL_WAIT_TIMEOUT.


If five consecutive requests fail while getting the reputation from TIE, the following log entry displays:
 
SYSTEM: tie_transport.cpp: 84: TIE: setting the TIE state change timer, set TIE responsive on timer expiry.


The following log entries display when the TIE state is changed to RESPONSIVE after the timer expiry:
 
SYSTEM: tie_transport.cpp: 107: TIE: Setting TIE state RESPONSIVE
SYSTEM: tie_transport.cpp: 118: Successfully set TIE to RESPONSIVE


Err: 112029 indicates a failure to submit a file to the TIE server using the Windows WinHttpSendRequest API. It appears in Solidcore.log similar to the example below. The usual cause is a McAfee DXL client issue; try reinstalling the DXL client.

U.4011.6155: May 01 2019:12:43:32.153:   ERROR: tie_atd.cpp :  423: TIE: failed to send http header for file <FILENAME>  Err: 112029
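The entries above can be triaged mechanically. The following is an added example, not McAfee code: it scans a Solidcore.log excerpt for the GTI and TIE failure messages quoted in this article, maps the GTI error codes back to their WinHTTP names, and reports the longest run of consecutive TIE timeouts (five triggers the TIE state change timer). The sample log is constructed, and the reset of the run counter on the RESPONSIVE entry is an assumption.

```python
import re
from collections import Counter

# Error codes and names are taken from the article; 112002/112007 are the
# WinHTTP codes 12002/12007 as reported by the GTI request layer.
WINHTTP_ERRORS = {"12002": "ERROR_INTERNET_TIMEOUT",
                  "12007": "ERROR_INTERNET_NAME_NOT_RESOLVED"}
TIE_TIMEOUT_ERR = "11"       # DXL_WAIT_TIMEOUT
TIE_SUBMIT_ERR = "112029"    # WinHttpSendRequest failure while submitting a file to TIE
CONSECUTIVE_LIMIT = 5        # five consecutive TIE failures start the TIE state change timer

GTI_RE = re.compile(r"GTI: Request to get reputation from GTI failed, err: 1?(\d{5})")
TIE_TIMEOUT_RE = re.compile(r"TIE: Request to get reputation from TIE timed-out.*err: (\d+)")
TIE_SUBMIT_RE = re.compile(r"TIE: failed to send http header for file .*Err: (\d+)")

# Constructed sample excerpt (not captured from a real endpoint); the message
# formats follow the log lines quoted in the article.
SAMPLE_LOG = "\n".join([
    "ERROR: gti_http.c : 713: GTI: Request to get reputation from GTI failed, err: 112002",
    "ERROR: gti_http.c : 713: GTI: Request to get reputation from GTI failed, err: 112007",
    "ERROR: tie_atd.cpp :  423: TIE: failed to send http header for file <FILENAME>  Err: 112029",
] + ["ERROR: tie_transport.cpp: 1245: TIE: Request to get reputation from TIE timed-out, "
     "response not received in 2 sec, err: 11."] * 5 + [
    "SYSTEM: tie_transport.cpp: 84: TIE: setting the TIE state change timer, set TIE responsive on timer expiry.",
    "SYSTEM: tie_transport.cpp: 107: TIE: Setting TIE state RESPONSIVE",
])

def analyze(log_text):
    """Count failures by cause and find the longest run of consecutive TIE timeouts,
    so a DNS/firewall problem (GTI) can be told apart from a DXL/TIE outage."""
    counts, streak, max_streak = Counter(), 0, 0
    for line in log_text.splitlines():
        m = GTI_RE.search(line)
        if m:
            counts["GTI:" + WINHTTP_ERRORS.get(m.group(1), "WINHTTP_" + m.group(1))] += 1
            continue
        m = TIE_TIMEOUT_RE.search(line)
        if m and m.group(1) == TIE_TIMEOUT_ERR:
            counts["TIE:DXL_WAIT_TIMEOUT"] += 1
            streak += 1
            max_streak = max(max_streak, streak)
            continue
        m = TIE_SUBMIT_RE.search(line)
        if m and m.group(1) == TIE_SUBMIT_ERR:
            counts["TIE:FILE_SUBMIT_112029"] += 1
            continue
        if "Setting TIE state RESPONSIVE" in line:
            streak = 0  # assumption: a new failure run starts once TIE is RESPONSIVE again
    return {"counts": dict(counts), "max_tie_streak": max_streak,
            "tie_timer_expected": max_streak >= CONSECUTIVE_LIMIT}
```

Running `analyze(SAMPLE_LOG)` on the constructed excerpt reports one GTI timeout, one GTI name-resolution failure, one file-submission failure and a run of five TIE timeouts, which is the condition under which the state change timer entry is expected.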

Cause

There are several possible causes of performance issues on the endpoints when GTI and TIE communication fails:
  • The policy allowing communication with the GTI server has not been enabled on the endpoint.
  • The endpoint does not have Internet access and is unable to communicate with the GTI server.
  • Firewall-related issues (blocked ports).
  • Network-related issues (packet loss, excessive traffic).

Solution

CAUTION: McAfee highly recommends that you investigate and troubleshoot the causes mentioned above before you perform the following steps to disable reputation checking of binaries. Consider disabling reputation checking of binaries only as a last resort.

Turn off reputation checking of binaries using the TIE server or GTI service if the errors described in this article are frequently logged in the Solidcore.log. By default, a policy to enable reputation-based execution is applied to all endpoints running the Solidcore client. The settings in the policy indicate how endpoints communicate with the configured reputation sources.

To disable reputation checking of binaries using the TIE server or GTI service on endpoints:
  1. Log on to the ePO console.
  2. Select Menu, Policy, Policy Catalog.
  3. Select the Solidcore 7.0.0: Application Control product.
  4. Select the Application Control Options (Windows) category.
  5. Click the My Default policy and edit it.
  6. On the Reputation tab, click What's reputation-based execution for information about how reputation is used to determine file execution.
  7. Specify the reputation source. You can use the TIE server, GTI service, or both. If you use both, the TIE server serves as the primary reputation source. The GTI service serves as an alternate source that is used only when the TIE server is unavailable.
  8. Deselect the following checkboxes:
     • Use McAfee Threat Intelligence Exchange (TIE) server
     • Use McAfee Global Threat Intelligence (McAfee GTI)
  9. Save the policy.
  10. Apply the policy to the relevant endpoints.
