Loading...

Knowledge Center


Threat Intelligence Exchange Module for VirusScan Enterprise blocks files with a "Known Trusted" enterprise reputation as "Unknown"
Technical Articles ID:   KB87439
Last Modified:  2/14/2019
Rated:


Environment

McAfee Threat Intelligence Exchange Module (TIEm) for VirusScan Enterprise (VSE) 1.0.1, 1.0.0
McAfee VirusScan Enterprise (VSE) 8.x
Google Chrome
Adobe

Problem

TIEm for VSE blocks Known Trusted files, including files with a Known Trusted enterprise reputation. The rule reported is TIEM/Suspicious.rule0. The TIEMVE.log shows the MD5 hash calculation failed with an entry similar to:
 
[E] [0x1c94] CHashDataProvider: Failed to calc md5 for C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api 1359
 
The issue occurs when the environment is set to block items with an Unknown reputation. When the MD5 hash calculation fails, the reputation will be Unknown for the transaction even when a Portable Executable (PE) file has a Known Trusted enterprise reputation. Currently the only reported instances have been with Chrome and Adobe files. 

Cause

There is a failure to obtain the proper file path information needed to calculate the MD5 hash.

Solution

This issue is resolved in TIEm for VSE 1.0.2.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Workaround

To avoid issues caused by this MD5 hash calculation failure, exclude the affected files or directories in the VSE Default exclusions.

Rate this document

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.