Composite reputation gives the user a single effective reputation score that takes every provider into account. The following fallback definitions determine this reputation:
- If the file has an enterprise reputation, the composite reputation is the enterprise score.
- If the file does not have an enterprise reputation but has an associated certificate enterprise reputation, the composite reputation is that certificate enterprise reputation.
- If the file has neither of the previous reputations, but its latest local reputation is the most recent reputation the file has received, the composite reputation is the latest local reputation.
- If none of the previous applies, but the file has an associated clean Global Threat Intelligence (GTI) certificate reputation, the composite reputation is that GTI certificate reputation.
When none of the previous conditions is fulfilled, the composite reputation shows a definitive reputation, if the file has one. A definitive reputation is Known Malicious, Most Likely Malicious, Most Likely Trusted, Known Trusted, or Known Trusted Installer. The sources are checked in the following order:
- Definitive GTI
- Definitive ATD
- Definitive CTD
- Definitive MWG
If none of these sources has a definitive reputation, the composite shows the existing non-definitive GTI reputation, namely Might Be Trusted or Might Be Malicious. Otherwise, the composite displays any existing reputation, in the following order of precedence:
- Latest Local reputation
- GTI certificate reputation
- GTI reputation
- ATD reputation
- CTD reputation
- MWG reputation
Examples
The following scenarios show how the Composite reputation value changes as the reputation of the file evolves:
Scenario 1: A new file arrives at TIE. GTI does not know the file, so there is no reputation for it.

| Order | Events | Composite Reputation |
|---|---|---|
| 1 | The file is executed on an endpoint, and its Local Reputation results in Unknown. | Unknown (Latest Local) |
| 2 | No executions are made after the local reputation was received. The file is sent to ATD. ATD reports the file as Most Likely Malicious. | Most Likely Malicious (ATD) |
| 3 | The file is executed on the endpoint, and the Local reputation is Most Likely Malicious. | Most Likely Malicious (Latest Local) |
| 4 | No executions are made after the local reputation was received. TIE Server communicates periodically with GTI to look for any new reputations. After a few hours, there is a GTI refresh and a Known Malicious certificate reputation arrives for this file. | Known Malicious (GTI certificate) |
Scenario 2: A new file arrives at TIE. GTI does not know the file, so there is no reputation for it. Other files signed by this certificate have the same reputation.

| Order | Events | Composite Reputation |
|---|---|---|
| 1 | The file is executed on an endpoint, and its Local Reputation results in Unknown. | Unknown (Latest Local) |
| 2 | No executions are made after the local reputation was received. The file is sent to ATD. ATD reports the file as Most Likely Malicious. | Most Likely Malicious (ATD) |
| 3 | The file is executed on the endpoint, and the Local reputation is Most Likely Malicious. | Most Likely Malicious (Latest Local) |
| 4 | No executions are made after the local reputation was received. TIE Server communicates periodically with GTI to look for any new reputations. After a few hours, there is a GTI refresh and a Known Malicious reputation arrives for this file. | Known Malicious (GTI) |
Scenario 3: A new file originates from the organization. We know that the file is trusted, but GTI does not know the file, so we do not yet have its reputation.

| Order | Events | Composite Reputation |
|---|---|---|
| 1 | The file is executed on an endpoint, and its Local Reputation results in Unknown. | Unknown (Latest Local) |
| 2 | No executions are made after the local reputation was received. The file is sent to CTD. CTD reports the file as Most Likely Trusted. | Most Likely Trusted (CTD) |
| 3 | Because it is a trusted file for the organization, and we do not know when the file will reach GTI, we override the file to Known Trusted. | Known Trusted (Enterprise) |
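As an added example (not TIE's own code), the following Python models the fallback order described above and replays the three scenarios so the precedence can be checked step by step. The provider keys, the sequence-number model of "most recent reputation", and the reading of "clean" as a trusted certificate reputation are assumptions; the Definitive GTI step also considers the GTI certificate reputation, which is what Scenario 1 step 4 requires.

```python
# Added example: composite-reputation fallback resolver (not TIE's own code).
DEFINITIVE = {"Known Malicious", "Most Likely Malicious", "Most Likely Trusted",
              "Known Trusted", "Known Trusted Installer"}
NON_DEFINITIVE_GTI = {"Might Be Trusted", "Might Be Malicious"}
# Assumption: a "clean" GTI certificate reputation is one of the trusted values.
CLEAN = {"Known Trusted", "Known Trusted Installer", "Most Likely Trusted"}

# Provider keys are assumed names: enterprise, cert_enterprise, local,
# gti_cert, gti, atd, ctd, mwg.
DEFINITIVE_ORDER = [("gti", "GTI"), ("gti_cert", "GTI certificate"),
                    ("atd", "ATD"), ("ctd", "CTD"), ("mwg", "MWG")]
ANY_ORDER = [("local", "Latest Local"), ("gti_cert", "GTI certificate"),
             ("gti", "GTI"), ("atd", "ATD"), ("ctd", "CTD"), ("mwg", "MWG")]


def composite(reps):
    """reps maps provider -> (value, seq); seq is the arrival order of the
    reputation. Returns (value, source label) or (None, None)."""
    def val(p):
        return reps[p][0] if p in reps else None
    if val("enterprise"):                       # rule 1: enterprise override
        return val("enterprise"), "Enterprise"
    if val("cert_enterprise"):                  # rule 2: certificate enterprise
        return val("cert_enterprise"), "Certificate Enterprise"
    newest = max(s for _, s in reps.values()) if reps else None
    if "local" in reps and reps["local"][1] == newest:   # rule 3: latest local wins
        return val("local"), "Latest Local"              # only if it is most recent
    if val("gti_cert") in CLEAN:                # rule 4: clean GTI certificate
        return val("gti_cert"), "GTI certificate"
    for p, label in DEFINITIVE_ORDER:           # rule 5: first definitive source
        if val(p) in DEFINITIVE:
            return val(p), label
    if val("gti") in NON_DEFINITIVE_GTI:        # rule 6: non-definitive GTI
        return val("gti"), "GTI"
    for p, label in ANY_ORDER:                  # rule 7: any reputation at all
        if val(p):
            return val(p), label
    return None, None


def replay(events):
    """events: list of (provider, value) in arrival order; returns the
    composite after each event, mirroring the Order column of the tables."""
    reps, out = {}, []
    for seq, (provider, value) in enumerate(events):
        reps[provider] = (value, seq)
        out.append(composite(reps))
    return out
```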