Options page

Configure settings for the Adaptive Threat Protection module.

Table 1: Option definitions
Section | Option | Definition
Adaptive Threat Protection | Enable Adaptive Threat Protection | Enables the Adaptive Threat Protection module.

(Enabled by default)

Adaptive Threat Protection | Allow the Threat Intelligence Exchange server to collect anonymous diagnostic and usage data | Allows the TIE server to send anonymous file information to McAfee.
Adaptive Threat Protection | Use McAfee GTI file reputation if the Threat Intelligence Exchange server is not reachable | Gets file reputation information from the Global Threat Intelligence proxy if the TIE server is unavailable.
Adaptive Threat Protection | Prevent users from changing settings (Threat Intelligence Exchange 1.0 clients only) | Prevents users on managed systems from changing Threat Intelligence Exchange 1.0 settings.
Rule Assignment | Productivity | Assigns the Productivity rule group.

Use this group for high-change systems with frequent installations and updates of trusted software.

This group uses the fewest rules. Users experience minimum prompts and blocks when new files are detected.

Rule Assignment | Balanced | Assigns the Balanced rule group.

Use this group for typical business systems with infrequent new software and changes.

This group uses more rules — and users experience more prompts and blocks — than the Productivity group.

Rule Assignment | Security | Assigns the Security rule group.

Use this group for low-change systems, such as IT-managed systems and servers with tight control.

Users experience more prompts and blocks than with the Balanced group.

Real Protect Scanning | Enable client-based scanning | Enables client-based Real Protect scanning, which uses machine learning on the client system to determine whether the file matches known malware. If the client system is connected to the Internet, Real Protect sends telemetry information to the cloud, but doesn't use the cloud for analysis.

If the client system is using TIE for reputations, it doesn't require Internet connectivity to mitigate false positives.

Tip: Best practice: Select this option unless Support advises you to deselect it to mitigate false positives.

The Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.

Real Protect Scanning | Enable cloud-based scanning | Enables cloud-based Real Protect scanning, which collects and sends the attributes of the file and its behavioral information to the machine-learning system in the cloud for analysis.

This option requires Internet connectivity to mitigate false positives using McAfee GTI reputation.

Tip: Best practice: Disable cloud-based Real Protect on systems that aren't connected to the Internet.

The Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.

Action Enforcement | Enable Observe mode | Generates Adaptive Threat Protection events — Would Block, Would Clean, or Would Contain — and sends them to the server, but doesn't enforce actions.

Enable Observe mode temporarily on a few systems only while tuning Adaptive Threat Protection.

CAUTION: Because enabling this mode causes Adaptive Threat Protection to generate events but not enforce actions, your systems might be vulnerable to threats.
Action Enforcement | Trigger Dynamic Application Containment when reputation threshold reaches | Contains applications when the reputation reaches the specified threshold:
  • Might Be Trusted
  • Unknown (Default for the Security rule group)
  • Might Be Malicious (Default for the Balanced rule group)
  • Most Likely Malicious (Default for the Productivity rule group)
  • Known Malicious

The Dynamic Application Containment reputation threshold must be higher than the block and clean thresholds. For example, if the block threshold is set to Known Malicious, the Dynamic Application Containment threshold must be set to Most Likely Malicious or higher.

When an application with the specified reputation threshold tries to run in your environment, Dynamic Application Containment allows it to run in a container and blocks or logs unsafe actions, based on containment rules.

If configured, Dynamic Application Containment updates the Event Log on the client and sends an event to McAfee ePO to notify when:

  • An application has been contained.
  • A contained application attempts to violate the containment rules.

Action Enforcement | Block when reputation threshold reaches | Blocks files when the file reputation reaches a specific threshold, and specifies the threshold:
  • Might Be Trusted
  • Unknown
  • Might Be Malicious (Default for the Security rule group)
  • Most Likely Malicious (Default for the Balanced rule group)
  • Known Malicious (Default for the Productivity rule group)

When a file with the specified reputation threshold tries to run in your environment, it's prevented from running but remains in place. If a file is safe and you want it to run, change its reputation to a level that allows it to run, like Might Be Trusted.

Action Enforcement | Clean when reputation threshold reaches | Cleans files when the file reputation reaches a specific threshold, and specifies the threshold:
  • Might Be Malicious
  • Most Likely Malicious
  • Known Malicious (Default for the Balanced and Security rule groups)

The default for the Productivity rule group is deselected.

Tip: Best practice: Use this option with Known Malicious file reputations because a file might be removed when cleaned.
Table 2: Advanced options
Section | Option | Description
Threat Detection User Messaging | Display threat notifications to the user | Displays threat notifications to the user.
Threat Detection User Messaging | Notify the user when reputation threshold reaches | Notifies the user when the file reputation reaches a specified threshold:
  • Most Likely Trusted
  • Might Be Trusted (Default for the Security rule group)
  • Unknown (Default for the Balanced rule group)
  • Might Be Malicious (Default for the Productivity rule group)
  • Most Likely Malicious
  • Known Malicious

The prompt level can't conflict with the clean or block settings. For example, if you block unknown files, you can't set this field to Might Be Trusted because it is a higher threshold than Unknown.

Threat Detection User Messaging | Default action | Specifies the action to take if the user doesn't respond to the prompt:
  • Allow
  • Block
Threat Detection User Messaging | Specify length (minutes) of timeout | Specifies the number of minutes to display the prompt before performing the default action.

The default is 5 minutes.

Threat Detection User Messaging | Message | Specifies the message that the user sees when a file that meets the prompting criteria tries to run.
Threat Detection User Messaging | Disable threat notifications if the Threat Intelligence Exchange server is not reachable | Disables prompts when the TIE server is unreachable so that users don't receive prompts about files whose reputations are unavailable.
Advanced Threat Defense | Send files not yet verified to McAfee Advanced Threat Defense for analysis | Sends executable files to McAfee Advanced Threat Defense for analysis.

When enabled, Adaptive Threat Protection sends files securely over HTTPS using port 443 to Advanced Threat Defense when:

  • The TIE server doesn't have Advanced Threat Defense information about the file.
  • The file is at or below the specified reputation level.
  • The file is at or below the specified file size limit.

If HTTPS fails, Adaptive Threat Protection sends files over HTTP.

Specify information for the Advanced Threat Defense server in the management policy for the TIE server.

Advanced Threat Defense | Submit files when reputation threshold reaches | Submits files to Advanced Threat Defense when the file reputation reaches a specified threshold:
  • Most Likely Trusted
  • Unknown
  • Most Likely Malicious

The default for all rule groups is Unknown.

Advanced Threat Defense | Limit size (MB) to | Limits the size of the files sent to Advanced Threat Defense to between 1 MB and 10 MB.

The default is 5 MB.
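
The threshold rule for Dynamic Application Containment, the offered clean thresholds, the Advanced Threat Defense size range, and the per-group defaults in the tables above can be checked mechanically before a policy is assigned. The following Python is an added example, not McAfee code or an ePO API; the dictionary keys (contain, block, clean, atd_limit_mb, observe_mode) and the ordinal ranks are assumptions made for illustration.

```python
# Added example: key names and ranks are hypothetical, not ePO policy fields.
# Reputation levels named on the page, ordered so that "higher" means more trusted.
LEVELS = ["Known Malicious", "Most Likely Malicious", "Might Be Malicious",
          "Unknown", "Might Be Trusted", "Most Likely Trusted"]
RANK = {name: i for i, name in enumerate(LEVELS)}
CLEAN_CHOICES = {"Might Be Malicious", "Most Likely Malicious", "Known Malicious"}

# Defaults per rule group, copied from the option tables (clean=None means deselected).
DEFAULTS = {
    "Productivity": {"contain": "Most Likely Malicious", "block": "Known Malicious",
                     "clean": None},
    "Balanced": {"contain": "Might Be Malicious", "block": "Most Likely Malicious",
                 "clean": "Known Malicious"},
    "Security": {"contain": "Unknown", "block": "Might Be Malicious",
                 "clean": "Known Malicious"},
}

def check_policy(policy):
    """Return findings for a proposed Options policy; an empty list means consistent."""
    findings = []
    contain, block, clean = policy.get("contain"), policy.get("block"), policy.get("clean")
    for key, value in (("contain", contain), ("block", block), ("clean", clean)):
        if value is not None and value not in RANK:
            findings.append(f"{key}: unknown reputation level {value!r}")
    if findings:
        return findings
    if clean is not None and clean not in CLEAN_CHOICES:
        findings.append(f"clean: {clean!r} is not an offered clean threshold")
    # The containment threshold must be higher than the block and clean thresholds.
    for key, value in (("block", block), ("clean", clean)):
        if contain is not None and value is not None and RANK[contain] <= RANK[value]:
            findings.append(f"contain ({contain}) must be higher than {key} ({value})")
    # The Advanced Threat Defense size limit is between 1 MB and 10 MB (default 5).
    size = policy.get("atd_limit_mb", 5)
    if not 1 <= size <= 10:
        findings.append(f"atd_limit_mb: {size} is outside 1-10 MB")
    # Observe mode generates Would Block/Clean/Contain events but enforces nothing.
    if policy.get("observe_mode", False):
        findings.append("observe_mode: enabled, actions are not enforced")
    return findings

if __name__ == "__main__":
    for group, policy in DEFAULTS.items():
        print(group, check_policy(policy) or "ok")
    print(check_policy({"contain": "Known Malicious", "block": "Known Malicious",
                        "clean": "Known Malicious", "atd_limit_mb": 25,
                        "observe_mode": True}))
```

All three rule-group defaults pass the check; the last call reports four findings, including the Observe mode reminder that is easy to miss after a tuning period ends.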