How Adaptive Threat Protection works

Adaptive Threat Protection uses rules to decide which action to take based on multiple data points, such as file reputation, local intelligence, and contextual information. You can manage the rules independently.

Adaptive Threat Protection functions differently, depending on whether it is communicating with TIE:

  • If TIE server is available, Adaptive Threat Protection uses the Data Exchange Layer framework to share file and threat information instantly across the whole enterprise. You can see the specific system where a threat was first detected, where it went from there, and stop it immediately.

    Adaptive Threat Protection with TIE server enables you to control file reputation at a local level, in your environment. You decide which files can run and which are blocked, and the Data Exchange Layer shares the information immediately throughout your environment.

  • If TIE server isn't available and the system is connected to the Internet, Adaptive Threat Protection uses McAfee GTI for reputation decisions.
  • If TIE server isn't available and the system isn't connected to the Internet, Adaptive Threat Protection determines the file reputation using information about the local system.

Scenarios for using Adaptive Threat Protection

  • Immediately block a file — Adaptive Threat Protection alerts the network administrator to an unknown file in the environment. Instead of sending the file information to McAfee for analysis, the administrator blocks the file immediately. The administrator can then use TIE server, if available, to learn how many systems ran the file, and Advanced Threat Defense to determine whether the file is a threat.
  • Allow a custom file to run — A company routinely uses a file whose default reputation is suspicious or malicious, for example a custom file created for the company. Because the company knows the file is safe, the administrator can change its reputation to trusted and allow it to run without warnings or prompts, instead of sending the file information to McAfee and waiting for an updated DAT file.
  • Allow a file to run in a container — When a company first uses a file whose reputation is not known, the administrator can specify to allow it to run in a container. In this case, the administrator configures the containment rules in the Dynamic Application Containment settings. Containment rules define which actions the contained application is prevented from performing.
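The following Python model is an added illustration, not McAfee or Trellix product code, of the two things the sections above describe: the reputation-source fallback order (TIE server over DXL, then McAfee GTI when online, then local system information when offline) and the three administrator scenarios (block an unknown file, trust a custom file, contain an unknown file). The score scale, rule thresholds, source names, `TieServer` and `Endpoint` classes, and the in-memory stand-ins for TIE server, GTI and the DXL fabric are all assumptions made for the example; the real product's rules and scores are not documented on this page.

```python
"""Hypothetical model of an Adaptive Threat Protection style decision flow.

Added illustration only, not McAfee/Trellix code. Everything here is an
assumption: the score scale (1..99, higher is more trusted), the rule
thresholds, the source names, and the in-memory stand-ins for TIE server,
McAfee GTI and the DXL fabric.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed reputation scale: 99 = known trusted, 50 = unknown, 1 = known malicious.
KNOWN_TRUSTED, UNKNOWN, KNOWN_MALICIOUS = 99, 50, 1

# Assumed rule thresholds: block at or below 30, contain when unknown, allow above.
BLOCK_AT_OR_BELOW = 30
CONTAIN_AT_OR_BELOW = 50


@dataclass
class TieServer:
    """Stand-in for TIE server: enterprise reputations and sightings shared over DXL."""
    reputations: dict = field(default_factory=dict)   # sha256 -> enterprise score
    first_seen: dict = field(default_factory=dict)    # sha256 -> host that saw it first
    seen_on: dict = field(default_factory=dict)       # sha256 -> [hosts that ran it]

    def report(self, sha256: str, host: str) -> None:
        # Models a DXL publish: every endpoint's sighting lands in one shared view,
        # so the admin can see where a file was first seen and where it went.
        self.first_seen.setdefault(sha256, host)
        self.seen_on.setdefault(sha256, []).append(host)

    def set_enterprise_reputation(self, sha256: str, score: int) -> None:
        # Admin decision made once; every endpoint sees it on its next lookup.
        self.reputations[sha256] = score


@dataclass
class Endpoint:
    host: str
    tie: Optional[TieServer]             # None when TIE server is unreachable
    internet: bool
    gti: dict = field(default_factory=dict)            # sha256 -> score (GTI stand-in)
    trusted_signers: set = field(default_factory=set)  # local knowledge for offline mode

    def reputation(self, sha256: str, signer: Optional[str] = None) -> tuple:
        """Return (source, score) following the page's fallback order."""
        if self.tie is not None:
            self.tie.report(sha256, self.host)
            return "tie", self.tie.reputations.get(sha256, UNKNOWN)
        if self.internet:
            return "gti", self.gti.get(sha256, UNKNOWN)
        # No TIE and offline: only information about the local system is available.
        score = KNOWN_TRUSTED if signer in self.trusted_signers else UNKNOWN
        return "local", score

    def decide(self, sha256: str, signer: Optional[str] = None) -> tuple:
        """Map the resolved reputation to an action with the assumed rules."""
        source, score = self.reputation(sha256, signer)
        if score <= BLOCK_AT_OR_BELOW:
            action = "block"
        elif score <= CONTAIN_AT_OR_BELOW:
            action = "contain"   # hand off to Dynamic Application Containment rules
        else:
            action = "allow"
        return source, score, action


def run_scenarios() -> dict:
    """Walk through the administrator scenarios and return each decision."""
    tie = TieServer()
    ws1 = Endpoint("ws1", tie, internet=True)
    ws2 = Endpoint("ws2", tie, internet=True)
    results = {}

    # Unknown file appears on ws1, then ws2: contained, and TIE shows the spread.
    unknown = "a" * 64   # constructed placeholder hash, not a real sample
    results["unknown_ws1"] = ws1.decide(unknown)
    results["unknown_ws2"] = ws2.decide(unknown)
    results["spread"] = (tie.first_seen[unknown], list(tie.seen_on[unknown]))

    # Scenario 1: admin blocks it immediately; ws2's next lookup is blocked.
    tie.set_enterprise_reputation(unknown, KNOWN_MALICIOUS)
    results["blocked"] = ws2.decide(unknown)

    # Scenario 2: in-house tool GTI would flag as suspicious; admin marks it trusted.
    custom = "b" * 64    # constructed placeholder hash
    ws1.gti[custom] = 15  # assumed suspicious GTI verdict
    tie.set_enterprise_reputation(custom, KNOWN_TRUSTED)
    results["custom_allowed"] = ws1.decide(custom)

    # Fallbacks: no TIE but online -> GTI; no TIE and offline -> local data only.
    roaming = Endpoint("laptop", None, internet=True, gti={custom: 15})
    results["gti_fallback"] = roaming.decide(custom)
    offline = Endpoint("kiosk", None, internet=False, trusted_signers={"Example Corp"})
    results["offline_signed"] = offline.decide(custom, signer="Example Corp")
    results["offline_unsigned"] = offline.decide(custom)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The point worth noticing is that the enterprise reputation set through TIE is the only change the administrator makes: the same hash that is contained on `ws1` and `ws2` is blocked on the next lookup everywhere, while the roaming laptop without TIE access falls back to the GTI verdict and blocks the custom tool the company actually trusts. That is the practical reason to keep TIE server reachable from every managed system.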