How a reputation is determined

File and certificate reputation is determined when a file attempts to run on a managed system.

These steps occur when a file's or certificate's reputation is determined.

  1. A user or system attempts to run a file.
  2. Endpoint Security checks the exclusions to determine whether to inspect the file.
  3. Endpoint Security inspects the file and can't determine its validity and reputation.
  4. The Adaptive Threat Protection module inspects the file and gathers file and local system properties of interest.
  5. The module checks the local reputation cache for the file hash. If the file hash is found, the module gets the enterprise prevalence and reputation data for the file from the cache.
    • If the file hash is not found in the local reputation cache, the module queries the TIE server. If the hash is found, the module gets the enterprise prevalence data (and any available reputations) for that file hash.
    • If the file hash is not found in the TIE server or database, the server queries McAfee GTI for the file hash reputation. McAfee GTI sends the information it has available, for example "unknown" or "malicious," and the server stores that information.

      The server sends the file for scanning if both of the following are true:

      • Advanced Threat Defense is available or activated as a reputation provider. The server first checks locally whether an Advanced Threat Defense reputation is already present; if not, it marks the file as a candidate for submission.
      • The policy on the endpoint is configured to send the file to Advanced Threat Defense.

      See the additional steps under If Advanced Threat Defense is present.

  6. The server returns the file hash's enterprise age, prevalence data, and reputation to the module based on the data that was found. If the file is new to the environment, the server also sends a first-instance flag to the Adaptive Threat Protection module. If McAfee Web Gateway is present and has sent a reputation score, the TIE server returns that reputation for the file.
  7. The module evaluates this metadata to determine the file's reputation:
    • File and system properties
    • Enterprise age and prevalence data
    • Reputation
  8. The module acts based on the policy assigned to the system that is running the file.
  9. The module updates the server with the reputation information and whether the file is blocked, allowed, or contained. It also sends threat events to McAfee ePO through the McAfee Agent.
  10. The server publishes the reputation change event for the file hash.

If Advanced Threat Defense is present

If Advanced Threat Defense is present, the following process occurs.

  1. If the system is configured to send files to Advanced Threat Defense and the file is new to the environment, the system sends the file to the TIE server. The TIE server then sends it to Advanced Threat Defense for scanning.
  2. Advanced Threat Defense scans the file and sends file reputation results to the TIE server using the Data Exchange Layer. The server also updates the database and sends the updated reputation information to all Adaptive Threat Protection-enabled systems to immediately protect your environment. Adaptive Threat Protection or any other McAfee product can initiate this process. In either case, Adaptive Threat Protection processes the reputation and saves it in the database.

For information about how Advanced Threat Defense is integrated with Adaptive Threat Protection, see the McAfee Advanced Threat Defense Product Guide.

If McAfee Web Gateway is present

If McAfee Web Gateway is present, the following occurs.

  • When downloading files, McAfee Web Gateway sends a report to the TIE server that saves the reputation score in the database. When the server receives a file reputation request from the module, it returns the reputation received from McAfee Web Gateway and other reputation providers, too.
    Attention: For information about how McAfee Web Gateway exchanges information using a TIE server, see the chapter on proxies in the McAfee Web Gateway Product Guide.

When is the cache flushed?

  • The whole Adaptive Threat Protection cache is flushed when the rules configuration changes:
    • The state of one or more rules has changed, for example from enabled to disabled.
    • The rule set assignment has changed, such as from Balanced to Security.
  • An individual file or certificate cache is flushed when:
    • The cache is over 30 days old.
    • The file has changed on the disk.
    • The TIE server publishes a reputation change event.

    The next time Adaptive Threat Protection receives a notification for the file, its reputation is recalculated.
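The following Python simulation is an added example and is not McAfee code; it models the lookup order described in the numbered steps above (local cache, then TIE server, then McAfee GTI, with the two-condition check for marking a file as an Advanced Threat Defense candidate) together with the cache-flush rules in this section (entries over 30 days old, file changed on disk, a published reputation change event, and a whole-cache flush when rules change). The class names, the `gti_oracle` callable, the record fields and the sample hash are all constructed for the example; the real products expose none of these interfaces.

```python
"""Constructed simulation of the reputation lookup cascade and cache-flush
rules described on this page. Not McAfee's own code or API."""
import hashlib
from dataclasses import dataclass

CACHE_MAX_AGE = 30 * 24 * 3600  # page: entries over 30 days old are flushed


@dataclass
class CacheEntry:
    reputation: str    # e.g. "unknown", "malicious", "trusted"
    prevalence: int    # enterprise prevalence count returned by the server
    stored_at: float   # epoch seconds when the entry was cached
    file_mtime: float  # file mtime at cache time; a change on disk flushes it


class TieServer:
    """Stand-in for the TIE server: hash -> record store, a GTI oracle
    (assumed callable: hash -> reputation string), and an ATD candidate list."""

    def __init__(self, gti_oracle, atd_enabled, policy_sends_to_atd):
        self.db = {}  # hash -> {"prevalence", "reputation", "atd_reputation"}
        self.gti_oracle = gti_oracle
        self.atd_enabled = atd_enabled
        self.policy_sends_to_atd = policy_sends_to_atd
        self.atd_candidates = []
        self.subscribers = []  # endpoints that receive reputation change events

    def query(self, file_hash):
        rec = self.db.get(file_hash)
        first_instance = rec is None  # new to the environment -> first-instance flag
        if rec is None:
            # Step 5, second bullet: not in TIE, so ask GTI and store its answer
            rec = {"prevalence": 0, "reputation": self.gti_oracle(file_hash),
                   "atd_reputation": None}
            self.db[file_hash] = rec
        rec["prevalence"] += 1
        # ATD submission candidate only if both page conditions hold and no
        # ATD reputation is already present locally
        if (self.atd_enabled and self.policy_sends_to_atd
                and rec["atd_reputation"] is None
                and file_hash not in self.atd_candidates):
            self.atd_candidates.append(file_hash)
        return {"prevalence": rec["prevalence"], "reputation": rec["reputation"],
                "first_instance": first_instance}

    def publish_reputation_change(self, file_hash, reputation, source="ATD"):
        """Step 10 / ATD step 2: store the new reputation and notify endpoints."""
        rec = self.db.setdefault(file_hash, {"prevalence": 0, "reputation": "unknown",
                                             "atd_reputation": None})
        rec["reputation"] = reputation
        if source == "ATD":
            rec["atd_reputation"] = reputation
        for endpoint in self.subscribers:
            endpoint.on_reputation_change(file_hash)


class AtpModule:
    """Stand-in for the endpoint-side Adaptive Threat Protection module."""

    def __init__(self, server):
        self.server = server
        self.cache = {}
        server.subscribers.append(self)

    def _cache_valid(self, entry, file_mtime, now):
        return (now - entry.stored_at) <= CACHE_MAX_AGE and entry.file_mtime == file_mtime

    def lookup(self, file_hash, file_mtime, now):
        entry = self.cache.get(file_hash)
        if entry is not None and self._cache_valid(entry, file_mtime, now):
            return {"source": "cache", "reputation": entry.reputation,
                    "prevalence": entry.prevalence, "first_instance": False}
        self.cache.pop(file_hash, None)  # stale or changed on disk: individual flush
        result = self.server.query(file_hash)
        self.cache[file_hash] = CacheEntry(result["reputation"], result["prevalence"],
                                           now, file_mtime)
        return {"source": "server", **result}

    def on_reputation_change(self, file_hash):
        self.cache.pop(file_hash, None)  # individual flush on reputation change event

    def rules_changed(self):
        self.cache.clear()  # whole-cache flush when the rules configuration changes


def demo():
    """Walk one constructed file through the cascade; returns each lookup result."""
    sample = hashlib.sha256(b"constructed sample executable").hexdigest()
    server = TieServer(gti_oracle=lambda h: "unknown", atd_enabled=True,
                       policy_sends_to_atd=True)
    atp = AtpModule(server)
    t0 = 1_700_000_000.0
    first = atp.lookup(sample, file_mtime=1.0, now=t0)         # server, first instance
    second = atp.lookup(sample, file_mtime=1.0, now=t0 + 60)   # cache hit
    server.publish_reputation_change(sample, "malicious")      # ATD verdict arrives
    third = atp.lookup(sample, file_mtime=1.0, now=t0 + 120)   # re-queried after flush
    stale = atp.lookup(sample, file_mtime=1.0, now=t0 + 120 + CACHE_MAX_AGE + 1)
    return first, second, third, stale, list(server.atd_candidates)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running the module prints the five results in order: the first lookup goes to the server with the first-instance flag set and queues the hash as an ATD candidate, the second is served from the cache, the published ATD verdict flushes the entry so the third lookup returns "malicious" from the server, and the final lookup re-queries because the cached entry is more than 30 days old.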