How a reputation is determined

When determining the reputation of a file or certificate, Adaptive Threat Protection uses pre-execution scanning and post-execution monitoring.

Pre-execution process scanning

  1. A portable executable (PE) file is loaded for execution in a process.
  2. Endpoint Security checks the exclusions to determine whether to inspect the file.
  3. Adaptive Threat Protection inspects the file and gathers file and local system properties.
  4. Adaptive Threat Protection checks the local reputation cache for the file hash.
    • If the file hash is in the local reputation cache, Adaptive Threat Protection gets the file's prevalence and reputation data from the cache and takes the associated action.
    • If the file hash isn't in the cache, Adaptive Threat Protection gets the file's prevalence and reputation data from the TIE server.

      For information, see the TIE server documentation.

    • If Advanced Threat Defense is present and enabled, see If sandboxing is enabled (Advanced Threat Defense) below.
  5. If Adaptive Threat Protection rules determine the final reputation, Adaptive Threat Protection updates the TIE server with the latest reputation information and takes the associated action.
  6. If Adaptive Threat Protection doesn't have the final reputation, the Real Protect client-based scanner scans the file.
    • If the Real Protect client-based scanner determines the final reputation, Adaptive Threat Protection updates the TIE server with the latest reputation information and takes the associated action.
    • If the Real Protect client-based scanner doesn't determine the final reputation, the file reputation is Unknown. Adaptive Threat Protection allows the process to launch and starts post-execution monitoring.
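
The following Python model is an added example, not Endpoint Security code: it walks a file through the pre-execution cascade above (exclusions, local reputation cache, TIE server, Adaptive Threat Protection rules, Real Protect client-based scanner) and returns the resulting action. The action table, the provider callables and the choice to populate the local cache with every final reputation are assumptions for illustration.

```python
import hashlib
from typing import Callable, Dict, List, Optional

UNKNOWN = "Unknown"  # no provider reached a final reputation
# Constructed action table (reputation -> configured action); the real
# mapping comes from the Adaptive Threat Protection policy.
ACTIONS = {"Trusted": "Allow", "Malicious": "Clean", "Suspicious": "Contain"}
# A reputation provider returns a reputation, or None when it cannot decide.
Provider = Callable[[str, bytes], Optional[str]]


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReputationPipeline:
    """Models the pre-execution cascade: exclusions, local cache, TIE server,
    Adaptive Threat Protection rules, Real Protect client-based scanner."""

    def __init__(self, exclusions, tie, rules: Provider, real_protect: Provider):
        self.exclusions = set(exclusions)
        self.cache: Dict[str, str] = {}       # local reputation cache, hash -> reputation
        self.tie: Dict[str, str] = dict(tie)  # stand-in for the TIE server database
        self.rules = rules
        self.real_protect = real_protect
        self.log: List[str] = []              # which stage decided, for inspection

    def pre_execution(self, path: str, data: bytes) -> str:
        if path in self.exclusions:           # step 2: excluded files are not inspected
            self.log.append("excluded")
            return "Allow"
        h = file_hash(data)                   # steps 3-4: gather properties, look up the hash
        rep = self.cache.get(h)
        if rep is None:                       # cache miss: ask the TIE server
            rep = self.tie.get(h, UNKNOWN)
            self.log.append("tie")
        else:
            self.log.append("cache")
        if rep == UNKNOWN:                    # steps 5-6: local providers in page order
            for name, provider in (("rules", self.rules), ("real_protect", self.real_protect)):
                verdict = provider(h, data)
                if verdict is not None:       # first final verdict also updates the TIE server
                    rep = verdict
                    self.tie[h] = rep
                    self.log.append(name)
                    break
        if rep == UNKNOWN:                    # still Unknown: launch, then monitor post-execution
            self.log.append("unknown")
            return "Allow+Monitor"
        self.cache[h] = rep                   # assumption: final reputations are cached locally
        return ACTIONS[rep]
```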

Post-execution process monitoring

  1. The process starts running.
    • If the file reputation is known, Adaptive Threat Protection takes the configured action (Contain, Block, or Clean).
    • If the reputation is Unknown, Adaptive Threat Protection allows the process to launch.
  2. If enabled, the Real Protect cloud-based scanner monitors the running process.

    If the process exhibits malicious behavior, the Real Protect cloud-based scanner takes remediation action. Otherwise, it continues monitoring the process.

  3. If Dynamic Application Containment is enabled, the process runs in a container.

    Containment rules determine the actions that the process can take. If the process triggers enough Block containment rules to be considered suspicious, Dynamic Application Containment lowers the reputation, which might result in the process being cleaned.

If sandboxing is enabled (Advanced Threat Defense)

If Advanced Threat Defense is present and enabled, the following process occurs.

  1. If the file is new to the environment and the system running the file has access to Advanced Threat Defense, the TIE server sends the file to Advanced Threat Defense for scanning. Then, the TIE server keeps polling for analysis reports until they are available.
    Note: You can enable one reputation provider or both from the Policy Catalog page in McAfee ePO.
  2. Advanced Threat Defense scans the file and sends file reputation results to the TIE server through the Data Exchange Layer. The TIE server processes the reputation and saves it in the database, then sends the updated reputation information to all Adaptive Threat Protection-enabled systems to protect your environment immediately. Adaptive Threat Protection or any other McAfee product can initiate this process.

If McAfee Web Gateway is present

If McAfee Web Gateway is present, the following occurs.

  • When downloading files, McAfee Web Gateway sends a report to the TIE server that saves the reputation score in the database.
  • When the server receives a file reputation request from the module, it returns the reputation received from McAfee Web Gateway and other reputation providers.

If Endpoint Security Web Control is present

  • When you download a file, Web Control sends a message to the TIE server with the URL of the download location, the URL reputation from McAfee GTI, and the hash value of the file.

    The information is available on the Associated URL tab on the hash information page.

  • When the TIE server receives a file reputation request, it returns this information as part of its response.