This document is intended to help the Security Administrator handle scenarios related to files reported by TIE as having Unknown composite reputations.

It is expected that all TIE environments mark some files as having no decision about their reputation score (Unknown). An Unknown is a file that the system is monitoring (not confirmed trusted nor confirmed malicious). Most of these files eventually change their reputation to a defined score (trusted or malicious), but there are always some files left monitored for a relatively prolonged time.

NOTE: A high number of unknown hashes is not necessarily an issue, and becomes a problem only when excessive resources are dedicated to monitoring. For example, the endpoint could experience high CPU usage. ENS might send too many files to ATD. Also, manually reviewing potential threats under these circumstances can become unmanageable, because the excessive number of unknowns causes difficulty in surfacing useful information.

Several factors must be considered when assessing the impact that one or more files have in the organization:

• Reputation: Trusted files are monitored less and use fewer system resources. 
• Prevalence: A single file executed by one or multiple endpoints. 
• Number of executions: Files being executed multiple times are monitored more while their reputation is undetermined.

Assess if certain files require special attention using the processes described in this document (for performance optimization or for threat assessment).

Hypothesis and workflows
Click to expand the section you want to view:

Signed unknowns: There could be benign signed files for which the certificates have not yet been classified

End-entity (leaf) certificates signing files found in the enterprise might not have a definite reputation. If the certificate is confirmed as trusted, all files signed by it are also automatically trusted. Generally, non-leaf certificates are not assigned a reputation, because the reputation is set on the end-entity certificates.

Organizations can use their own certificates, which might not be known to GTI but might still be relevant in the local context; certificates are assessed in order of their Impact.

Understanding certificate impact
TIE defines Impact for a certificate as the sum of the prevalence of all files signed by the certificate. Impact is a useful metric, because it represents the total number of file instances you would expect a change of reputation of the certificate to affect. For example, a certificate that signs two files with prevalence 3 and 5, respectively, has a total impact of 8.

Impact should not be confused with the prevalence of the certificate, which is the number of endpoints where the certificate itself has been found. In the example described, the certificate prevalence is between 5 and 8.

NOTE: Depending on the version of the TIE dashboard used, monitors might display the Maximum of file prevalence instead of the Sum of prevalence. Maximum of prevalence (file with the largest prevalence) is an approximation of the Impact of the certificate that might be used or, when Sum of prevalence is not available.

Proposed workflow

1. Assess the trend of signed unknown files:
   1. Open the TIE server Signed Unknown files dashboard.
   2. Review the Signed Unknown Files monitor.
      
      The Signed Unknown Files monitor displays the number of newly found, signed, unknown files in time. A spike in newly found files could indicate a change in conditions in your environment, such as installs or upgrades of software packages for which the certificate reputations are not yet determined.
       
2. Find certificates with large Impact on unknown files:
   1. Open the TIE server Signed Unknown files dashboard.
   2. Review the Signed Unknown Files per Certificate Subject monitor.
      
      The Signed Unknown Files per Certificate Subject monitor displays files with Unknown composite reputation, grouped by the signing certificate.
       
3. Use alternate monitors to find relevant certificates:
   
   When software packages use multiple certificates, using other methods to group relevant files might be easier.
   
   The Signed Unknown Files by Company and Signed Unknown Files by Product allow you to search using file attributes (Company and Product) to group files instead of the certificate hash. Drilling-down on either of these monitors displays files signed by possibly more than one certificate, but reporting the same Company or Product.
    
4. Assess the reputation of relevant certificates:
   1. Drill-down on the corresponding monitor. A list of files signed by one or more relevant certificates displays.
      Use the information available for the files to make an initial assessment on whether the items should or should not have been trusted. Check ATD reports or VirusTotal reports for the files, when possible.
   2. Navigate to the certificate signing for any of the files in the list and use the certificate details to assess if the file should be trusted.
   3. Use first contact and GTI last refresh to determine if the certificate is recent.
      
      NOTE: GTI classification could still be pending for this certificate.
       
   4. Check the overall impact of the certificate in Certificate details.
      
      Consider:
      • How does this compare to the impact of unknowns only?
      • Are there other files signed by the same certificate with known reputations?
      • Are there any files with malicious reputation?
         
5. Take action, based on the conclusions of your assessment.
   
   If appropriate, Trust the certificate. Set the enterprise reputation for this certificate to Known Trusted.
   
   NOTE: Trust applies to all files signed by this certificate, even new files discovered after the action is taken.
   
   Or, you can decide to trust one or more files instead. Set the enterprise reputation to the individual files instead of for the certificate.
   
   NOTE: The change applies to the specific files selected.

Back to Top
 

Unsigned unknowns: Spiking or trending could be possible

The remaining workflows in this article address Unsigned unknown files, expected to be more common in the field than signed Unknown files. These workflows are based in the TIE Server Unsigned Unknown Files dashboard.

Proposed workflow
Assess the trend of signed unknown files:

1. Open the TIE server Unsigned Unknown files dashboard.
2. Review the Unsigned Unknown Files monitor.
   
   This monitor displays the number of newly found unsigned unknown files in time. Spikes, or an upward trend in this chart, indicate a possible change in the enterprise that should be investigated.
   
   If you see a spike or unexpected trend, use the remaining workflows to investigate further.

Back to Top
 

Active Parents: Possibly benign applications could be generating many new, unclassified files

In TIE, a Parent is the file that originated the Child file on the system.

One possible cause of unknown files is a benign (yet unclassified) application generating many new executable files on the systems.

Proposed workflow

1. Find the most active Parents:
   1. Open the TIE Server Unsigned Unknown Files dashboard.
   2. Review the Most Active Parents of Unknown Files monitor.
      
      This panel shows the files that generated the most Child files with Unknown reputation in the enterprise.
       
   3. Check the Sum of the Enterprise Count column for an assessment of the overall impact of the Parent.
       
2. Review the Child files generated by active Parents:
   1. Drill down on the Active Parents monitor. A list of files with Unknown reputation and generated by the same Parent displays.
   2. Review the prevalence and count of local reputations. Do these files have multiple executions or are they only run once? Are there common patterns in the files generated?
       
3. Assess the Parent:
   1. From any of the Child files, navigate to the Parent (Actions, File Parents), and open the first result.
   2. Review distinctive features of this Parent.
      
      Consider:
      • Is the file an installer?
      • Is the file a compiler?
      • Are there other features that would make it reasonable for it to produce this many Child files?
         
   3. Assess the reputation of the Parent. Does it appear to be correctly classified?
   4. Check the virus total report for the file.
       
4. Take action, based on the conclusions of your assessment:
   • If you conclude that this Parent can only generate trusted files, classify the Parent as a Known Trusted Installer.
     
     NOTE: The reputations of all files previously generated are not affected. Only new files are affected, and are set to Most Likely Trusted reputation.
      
   • Setting the reputation of the Parent to Known or Most Likely Malicious contains the Parent.
     
     NOTE: Previously generated Child files are not affected.
      
   • You can override the reputation on the Child files themselves, but this decision is not carried over to other new files generated by this Parent.

Back to Top
 

Active endpoints: A sandbox, or test, endpoint might be generating many new Unknown files, cluttering the TIE database

A reduced number of endpoints could generate large numbers of Unknown files, when compared to other endpoints. Though only a few endpoints, the overall picture of Unknowns could be affected.

Proposed workflow

1. Find the most active endpoints:
   1. Open the TIE Server Unsigned Unknown Files dashboard.
   2. Review the Most Active Endpoints monitor. This panel displays the endpoints generating the most number of new files in the enterprise.
      
      NOTE: This count includes both Unknowns and other files with Known reputation.
       
   3. Check the Sum of File Count column for an assessment of the overall impact of the endpoint. 
   4. Compare the topmost rows with the rest of the results. Note if there is a significant gap.
       
2. Drill-down on the Active Endpoints monitor. A list of dates with the total count per day displays.
3. Review trends of files found on active endpoints. Note any spikes.
4. Copy the name of the endpoint, then search for this endpoint in the System Tree and open its System Details page.
   
   Consider:
   • Is there in the configuration at this endpoint compared to others?
   • Are there threat events not seen on other endpoints?
   • Are there different products or product versions on this endpoint?
      
5. Review files detected in active endpoints:
   1. While in System details, click Actions, TIE, Show Files used on the system. A list of all files found on this system displays.
   2. Apply a filter on Unknown composite reputation.
   3. Review the count and the list of files, noting a significant number of Unknowns (different from other endpoints).
   4. Review the list for any distinctive features not seen in other endpoints.
       
6. Take action, based on the conclusions of your assessment:
   • Resolve protection product problems by deploying the corresponding products through the McAfee Agent.
   • If the endpoint does not require as much protection as other endpoints, isolate the endpoint by creating a custom Adaptive Threat Prevention policy and disabling Adaptive Threat Protection.
   • Other advanced features such, as MAR hunting scripts, are useful to further investigate the endpoint.

Back to Top
 

Frequently monitored files: Some files with frequent executions could be excessively monitored

Endpoints might excessively monitor files with frequent executions. Files with Unknown reputation, executed frequently, receive the same level of monitoring until their reputation becomes known.

If a file is prevalent, and frequently executed, the endpoint might eventually trust it automatically. If the file is known to the administrator, he or she can speed this process by flagging or reporting the file as trusted, reducing resources spent monitoring this file.
 

NOTE: The following workflow does not significantly address large numbers of unknown hashes. Instead, focus is placed on the impact of individual hashes with pending reputation classification.

Proposed workflow

1. Find the most frequently monitored files:
   1. Open the TIE Server Unsigned Unknown Files dashboard.
   2. Review the Most Monitored Unknown Files monitor. The Most Monitored Unknown Files monitor displays the files with Unknown reputation, for which the highest number of executions were reported to the TIE server (for files discovered in the last 30 days).
      
      The Maximum of Local Reputation Count column displays the total number of reported executions.
       
2. Review the frequently monitored files:
   1. Drill-down on the Most Monitored Unknown Files monitor and select the Details page for each file.
   2. Observe the prevalence and count of local reputations, noting if this file shows excessive executions per endpoint.
      
      Consider:
   • Do you expect the file in question to be trusted?
   • Does this file present any suspicious indicators that make it a potential threat?
      
3. Take action, based on the conclusions of your assessment:
   • If you conclude that the file should be trusted in your organization, override it to Known Trusted.
   • If you conclude that the file should be trusted for all organizations, report it to McAfee using GetClean.
   • If you conclude that the file is a threat, override it to Most Likely Malicious or Known Malicious.

Back to Top