Unknown files are reported as NOT Available
Technical Articles ID: KB94664
Last Modified: 7/12/2021
Environment
McAfee Threat Intelligence Exchange (TIE) Server 3.x
Problem
You see unknown files on the TIE Reputation page, reported as NOT Available.
The following errors are recorded in the tieserver.log (/var/McAfee/tieserver/logs/) when debug is enabled:
DETAIL {2021-04-30 10:51:38,969} [DxlServiceRequest-default-thread-116] (JsonUtil.java:95) - traceId: {884f1360-f090-4d57-968c-7e6041b86983}
- response: /mcafee/service/tie/file/info : {"results":[{"gtiReputationLastRefresh":1619779492762,"enterpriseReputationLastRefresh":1619779492762,
"enterpriseCount":1,"prevalent":false,"productName":"EDR Trace","productVersion":"1.0.1.23","company":"McAfee","version":"1.0.1.23","names":
["DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe"],"md5":"5DfNKV2T3qLXP1pOm4Y3vg==",
"sha256":"0aGBPbO+oozjZLM6RSbVN1HUxbI+kfYIU1JrRU5jUWY=","certSha1":"",
"profilerFlags":"3001a5:0;3002a5:0;3003a5:0;300465:6a10;3005a5:20;3006a5:1d73dacd68a31c2;300765:1d21556d1e54500;300865:
fffffffffffffffc;300965:0;300a65:0;300b65:10;300c65:0;300da5:fffffffffffffffe;300e65:20604022a2e;300f65:40307292c;301065:6;301165:4f;301265:
4;301365:0;301465:3e00;301565:220;301665:870;3017a5:10020;3019a5:700000004;301a65:7597714d00420006;301b65:
323e828ec8348;301c65:7a4330bb302ba456;3ffea4:0;3fffa8:3b49000000320100;","firstContact":1619779492762,"lastUpdate":1619779499444,
"lastAccess":1619779492762,"fileNameCount":1,"filePathCount":1,"filePaths":["C:\\Users\\obfuscated\\Desktop\\MAR_threat_generator_maker_(1)\\threat-generator-maker\\output\\windows\\amd64\\DataGenerator\\DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe"],"size":27152,"signedBits":0,
"detectionCount":0,"localRepMin":0,"localRepMax":0,"localRepSum":0,"localRepCount":0,"promptRepMin":0,"promptRepMax":0,"promptRepSum":0,"promptRepCount":0,"parentRepMin":50,
"parentRepMax":50,"parentRepSum":50,"parentRepCount":1,"goodRepCount":0,"badRepCount":0,"childrenCount":0, "urlRep":{},"fileType":18,"priority":0,"fileFirstAgentGuid":"{1c7252ed-4c9c-4cd1-a2ba-117f4dd1a5f5}","fileParents":["zONcD1uXCxouGgiSpgWNbUxtkcM="],"gtiReputation":0,"enterpriseReputation":0,"sha1":"8FSJPNhqBLojSLy53yG1/ZGblPs="}]}
The following errors are recorded on the client system in the TicLib.log (C:\ProgramData\McAfee\Endpoint Security\Logs):
2021-04-30 10:45:01.708Z |Debug |TicLib | mfeatp | 4024| 7112| TIC |TIC(0) | Tie [7112] request /mcafee/service/tie/file/update_metadata payload <{"hashes":[{"type":"sha1","value":
"8FSJPNhqBLojSLy53yG1/ZGblPs="}, {"type":"md5","value":"5DfNKV2T3qLXP1pOm4Y3vg=="}, {"type":"sha256","value":"0aGBPbO+oozjZLM6RSbVN1HUxbI+kfYIU1JrRU5jUWY="}],
"localRep":50,"fileType":18,"name":"DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe","path":"C:\\Users\\obfuscated\\Desktop\\MAR_threat_generator_maker_(1)
\\threat-generator-maker\\output\\windows\\amd64\\DataGenerator\\DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe","localRepRuleId":0,"signedBits":0,
"parentLocalRep":50,"parentSha1":"zONcD1uXCxouGgiSpgWNbUxtkcM=","actorLocalRep":99,"actorSha1":"cuJ8aHitR1BdbZs3DFwODavUTm0=","companyName":"McAfee","productName":
"EDR Trace","productVersion":"1.0.1.23","version":"1.0.1.23","osVersion":42949672960,"contentVersion":419116240322166785,"serverTime":1619779492,"size":27152,"jtiAvProductId":
28622,"ruleEnforcing":1,"objectType":1,"submitMetaData":1,"profilerFlags":"1a5:0;2a5:0;3a5:0;465:6a10;5a5:20;6a5:1d73dacd68a31c2;765:
1d21556d1e54500;865:fffffffffffffffc;965:0;a65:0;b65:10;c65:0;da5:fffffffffffffffe;e65:20604022a2e;f65:40307292c;1065:6;1165:4f;1265:4;1365:0;1465:3e00;1565:220;
1665:870;17a5:10020;19a5:700000004;1a65:7597714d00420006;1b65:323e828ec8348;1c65:7a4330bb302ba456;ffea4:0;fffa8:3b49000000320100"}>
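An added example (not part of the original article and not McAfee code) for triaging the tieserver.log response shown above: it extracts the /mcafee/service/tie/file/info JSON from each debug line, lists files whose gtiReputation and enterpriseReputation are both 0, and converts the hash fields to hex for lookup in other tools. It assumes the md5, sha1 and sha256 values are Base64-encoded digests and that 0 in both reputation fields corresponds to the NOT Available display; SAMPLE_LOG and the function names are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample: the tieserver.log response line above, cut down to the
# fields this check reads and joined back onto a single line.
SAMPLE_LOG = (
    "DETAIL {2021-04-30 10:51:38,969} [DxlServiceRequest-default-thread-116] "
    "(JsonUtil.java:95) - traceId: {884f1360-f090-4d57-968c-7e6041b86983} "
    '- response: /mcafee/service/tie/file/info : {"results":[{'
    '"names":["DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe"],'
    '"md5":"5DfNKV2T3qLXP1pOm4Y3vg==",'
    '"sha256":"0aGBPbO+oozjZLM6RSbVN1HUxbI+kfYIU1JrRU5jUWY=",'
    '"sha1":"8FSJPNhqBLojSLy53yG1/ZGblPs=",'
    '"gtiReputation":0,"enterpriseReputation":0}]}\n'
)

MARKER = re.compile(r"response: /mcafee/service/tie/file/info : ")
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}

def b64_to_hex(value, algo):
    """Decode a Base64 hash from the log into the usual hex form."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != DIGEST_BYTES[algo]:
        raise ValueError(f"{algo}: unexpected digest length {len(raw)}")
    return raw.hex()

def unset_reputation_files(log_text):
    """Return names and hex hashes of files logged with both reputations at 0."""
    decoder = json.JSONDecoder()
    findings = []
    for line in log_text.splitlines():
        match = MARKER.search(line)
        if not match:
            continue
        try:
            body, _ = decoder.raw_decode(line, match.end())
        except json.JSONDecodeError:
            continue  # entry wrapped or truncated in the log; skip it
        for item in body.get("results", []):
            # Assumption: 0 in both fields is what the page shows as NOT Available
            if item.get("gtiReputation") == 0 and item.get("enterpriseReputation") == 0:
                record = {"names": item.get("names", [])}
                for algo in DIGEST_BYTES:
                    if item.get(algo):
                        record[algo] = b64_to_hex(item[algo], algo)
                findings.append(record)
    return findings
```

Call unset_reputation_files() on the contents of tieserver.log; entries that the log has wrapped across lines are skipped rather than partially parsed.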
Cause
The Metadata Aggregator for TIE Server is enabled.
NOTE: This option is disabled by default.
See the "Using Update Metadata Aggregation for Local intelligence" section of the Threat Intelligence Exchange Product Guide for more information.
Solution
Disable the option that relates to Metadata Aggregation:
- Log on to the ePO console.
- Navigate to Configuration, Server Settings.
- In the left pane, select DXL Topology, and then click Edit.
- Deselect the option Update Metadata Aggregation for Local Intelligence.
- Save your changes.