TIE Server provides a set reputation remote command with the ePolicy Orchestrator (ePO) Web API. It is intended to automate reputation overrides for a given set of files and certificate hashes. Bulk execution is supported and can be audited from the ePO Audit Log. Overrides always have precedence. So, McAfee recommends that you reconcile overrides periodically against other reputations and remove reputations already covered to maintain adaptive capabilities.
The command syntax is
tie.setReputations [fileReps] [certReps]. Specify at least one
fileReps or
certReps; you can specify both in the same payload call. Use
JSON strings to represent files and certificates. Ensure that the hashes are
Base64 encoded, and use one of the following values to specify the reputation:
- 1 (Known Malicious)
- 15 (Most Likely Malicious)
- 30 (Might Be Malicious)
- 50 (Unknown)
- 70 (Might Be Trusted)
- 86 (Most Likely Trusted)
- 99 (Known Trusted)
The following is an example payload that sets the reputation of a single file to Known Trusted:
fileReps = [{"name":"test.exe",
"sha1":"udrarummyjtffybxaflkxzjhpao=",
"md5":"gixbyabniwsaanqznfufxe==",
"sha256":"icidutgqksorrzjvqsepfmkyiambtbufcckwarjmqth==",
"reputation":"99"}]
Attributes
sha1,
md5, and
reputation are mandatory. Attributes
name and
sha256 are optional. It is recommended that you provide as many hash types as possible for a given file. The reason is because integrated products might not honor some hashes.
The following is an example payload that sets the reputation of a single certificate to Known Trusted:
certReps = [{"sha1":"frATnSF1c5s8yw0REAZ4IL5qvSk=", "publicKeySha1":"udrarummyjtffybxaflkxzjhpao=",
"reputation":"99"}]]
Attributes
sha1 and
reputation are mandatory. Attribute
publicKeySha1 is optional.
