Unknown files are reported as NOT Available
Articoli tecnici ID:
KB94664
Ultima modifica: 7/12/2021
Ambiente
McAfee Threat Intelligence Exchange (TIE) Server 3.x
Problema
You see unknown files on the TIE Reputation page, reported as:
NOT Available
The following errors are recorded in the tieserver.log (/var/McAfee/tieserver/logs/) when debug is enabled:
DETAIL {2021-04-30 10:51:38,969} [DxlServiceRequest-default-thread-116] (JsonUtil.java:95) - traceId: {884f1360-f090-4d57-968c-7e6041b86983}
- response: /mcafee/service/tie/file/info : {"results":[{"gtiReputationLastRefresh":1619779492762,"enterpriseReputationLastRefresh":1619779492762,
"enterpriseCount":1,"prevalent":false,"productName":"EDR Trace","productVersion":"1.0.1.23","company":"McAfee","version":"1.0.1.23","names":
["DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe"],"md5":"5DfNKV2T3qLXP1pOm4Y3vg==",
"sha256":"0aGBPbO+oozjZLM6RSbVN1HUxbI+kfYIU1JrRU5jUWY=","certSha1":"",
"profilerFlags":"3001a5:0;3002a5:0;3003a5:0;300465:6a10;3005a5:20;3006a5:1d73dacd68a31c2;300765:1d21556d1e54500;300865:
fffffffffffffffc;300965:0;300a65:0;300b65:10;300c65:0;300da5:fffffffffffffffe;300e65:20604022a2e;300f65:40307292c;301065:6;301165:4f;301265:
4;301365:0;301465:3e00;301565:220;301665:870;3017a5:10020;3019a5:700000004;301a65:7597714d00420006;301b65:
323e828ec8348;301c65:7a4330bb302ba456;3ffea4:0;3fffa8:3b49000000320100;","firstContact":1619779492762,"lastUpdate":1619779499444,
"lastAccess":1619779492762,"fileNameCount":1,"filePathCount":1,"filePaths":["C:\\Users\\obfuscated\\Desktop\\MAR_threat_generator_maker_(1)\\threat-generator-maker\\output\\windows\\amd64\\DataGenerator\\DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe"],"size":27152,"signedBits":0,
"detectionCount":0,"localRepMin":0,"localRepMax":0,"localRepSum":0,"localRepCount":0,"promptRepMin":0,"promptRepMax":0,"promptRepSum":0,"promptRepCount":0,"parentRepMin":50,
"parentRepMax":50,"parentRepSum":50,"parentRepCount":1,"goodRepCount":0,"badRepCount":0,"childrenCount":0, "urlRep":{},"fileType":18,"priority":0,"fileFirstAgentGuid":"{1c7252ed-4c9c-4cd1-a2ba-117f4dd1a5f5}","fileParents":["zONcD1uXCxouGgiSpgWNbUxtkcM="],"gtiReputation":0,"enterpriseReputation":0,"sha1":"8FSJPNhqBLojSLy53yG1/ZGblPs="}]}
The following errors are recorded on the client system in the TicLib.log ( C:\ProgramData\McAfee\Endpoint Security\Logs):
2021-04-30 10:45:01.708Z |Debug |TicLib | mfeatp | 4024| 7112| TIC |TIC(0) | Tie [7112] request /mcafee/service/tie/file/update_metadata payload <{"hashes":[{"type":"sha1","value":
"8FSJPNhqBLojSLy53yG1/ZGblPs="}, {"type":"md5","value":"5DfNKV2T3qLXP1pOm4Y3vg=="}, {"type":"sha256","value":"0aGBPbO+oozjZLM6RSbVN1HUxbI+kfYIU1JrRU5jUWY="}],
"localRep":50,"fileType":18,"name":"DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe","path":"C:\\Users\\obfuscated\\Desktop\\MAR_threat_generator_maker_(1)
\\threat-generator-maker\\output\\windows\\amd64\\DataGenerator\\DataGenerator-3bc99d0f-5c39-48ca-b07a-721ad7d6c047.exe","localRepRuleId":0,"signedBits":0,
"parentLocalRep":50,"parentSha1":"zONcD1uXCxouGgiSpgWNbUxtkcM=","actorLocalRep":99,"actorSha1":"cuJ8aHitR1BdbZs3DFwODavUTm0=","companyName":"McAfee","productName":
"EDR Trace","productVersion":"1.0.1.23","version":"1.0.1.23","osVersion":42949672960,"contentVersion":419116240322166785,"serverTime":1619779492,"size":27152,"jtiAvProductId":
28622,"ruleEnforcing":1,"objectType":1,"submitMetaData":1,"profilerFlags":"1a5:0;2a5:0;3a5:0;465:6a10;5a5:20;6a5:1d73dacd68a31c2;765:
1d21556d1e54500;865:fffffffffffffffc;965:0;a65:0;b65:10;c65:0;da5:fffffffffffffffe;e65:20604022a2e;f65:40307292c;1065:6;1165:4f;1265:4;1365:0;1465:3e00;1565:220;
1665:870;17a5:10020;19a5:700000004;1a65:7597714d00420006;1b65:323e828ec8348;1c65:7a4330bb302ba456;ffea4:0;fffa8:3b49000000320100"}>
Causa
The Metadata Aggregator for TIE Server is enabled.
NOTE: This option is disabled by default.
See the "Using Update Metadata Aggregation for Local intelligence" section of the Threat Intelligence Exchange Product Guide for more information.
Soluzione
Disable the option that relates to Metadata Aggregation:
- Log on to the ePO console.
- Navigate to Configuration, Server Settings.
- In the left pane, select DXL Topology, and then click Edit.
- Deselect the option Update Metadata Aggregation for Local Intelligence.
- Save your changes.
|
