How Adaptive Threat Protection works

Adaptive Threat Protection uses the local reputation cache, the TIE server, and McAfee GTI for reputation information to determine how to handle files on the client system.

  1. The administrator configures Adaptive Threat Protection settings in McAfee ePO and enforces them on the client system.
  2. A user opens a file on the client system.

    Adaptive Threat Protection checks the local reputation cache for the file.

  3. If the file is not in the local reputation cache, Adaptive Threat Protection queries the TIE server, if available, for the reputation.
  4. If the TIE server is not available or the file is not in the TIE server database, Adaptive Threat Protection queries McAfee GTI for the reputation.

  5. Depending on the file's reputation and Adaptive Threat Protection settings:

    • The file is allowed to open.
    • The file is blocked.
    • The file is allowed to run in a container.
    • The user is prompted for the action to take.
  6. McAfee GTI returns the latest file reputation information to the TIE server.
  7. The TIE server updates the database and sends the updated reputation information to all Adaptive Threat Protection-enabled systems to immediately protect your environment.
  8. Adaptive Threat Protection logs the details, then generates and sends an event to McAfee ePO.

How it works

Adaptive Threat Protection functions differently, depending on whether it communicates with the TIE server and whether it is connected to the Internet.

If TIE server and Data Exchange Layer are present

If the TIE server is present, Adaptive Threat Protection uses the Data Exchange Layer framework to share file and threat information instantly across the whole enterprise. You can see the specific system where a threat was first detected and where it went from there, and stop it immediately.

Adaptive Threat Protection with the TIE server enables you to control file reputation at a local level, in your environment. You decide which files can run and which are blocked, and the Data Exchange Layer shares the information immediately throughout your environment.

Adaptive Threat Protection and the TIE server communicate file reputation information. The Data Exchange Layer framework immediately passes that information to managed endpoints. It also shares information with other McAfee products that access the Data Exchange Layer, such as McAfee® Enterprise Security Manager (McAfee ESM) and McAfee® Network Security Platform.

Adaptive Threat Protection with TIE server and Data Exchange Layer

If the TIE server and Data Exchange Layer are not present

Adaptive Threat Protection communicates with McAfee GTI for file reputation information.

Adaptive Threat Protection with McAfee GTI

If the TIE server isn't present and the system isn't connected to the Internet, Adaptive Threat Protection determines the file reputation using information about the local system.
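
The lookup order from the numbered steps and the three connectivity cases above can be modeled as a fallback chain. This is an added illustration, not McAfee code: the function names, reputation labels, hashes and policy table are hypothetical, and caching a fetched result and falling back to local information when McAfee GTI has no record are assumptions.

```python
from enum import Enum

class Source(Enum):
    CACHE = "local reputation cache"
    TIE = "TIE server"
    GTI = "McAfee GTI"
    LOCAL = "local system information"

class Unavailable(Exception):
    """A lookup raises this when its reputation source cannot be reached."""

def resolve(file_hash, cache, tie_lookup, gti_lookup, local_lookup):
    """Return (reputation, source) using the query order described above."""
    if file_hash in cache:                      # step 2: check the local cache
        return cache[file_hash], Source.CACHE
    for source, lookup in ((Source.TIE, tie_lookup), (Source.GTI, gti_lookup)):
        try:
            reputation = lookup(file_hash)      # steps 3-4: TIE first, then GTI
        except Unavailable:
            continue                            # unreachable: try the next source
        if reputation is not None:              # None means "no record here"
            cache[file_hash] = reputation       # assumption: result is cached
            return reputation, source
    # Neither source answered: use information about the local system.
    # Assumption: a reachable GTI with no record is treated the same way.
    return local_lookup(file_hash), Source.LOCAL

def decide(reputation, policy):
    """Step 5: the action depends on the reputation and the configured policy."""
    return policy[reputation]

# Constructed sample data: labels, hashes and policy are illustrative only.
POLICY = {"trusted": "allow", "malicious": "block",
          "suspicious": "contain", "unknown": "prompt"}
TIE_DB = {"hash-a": "malicious"}
GTI_DB = {"hash-a": "malicious", "hash-b": "trusted"}

def offline(_hash):
    raise Unavailable()

def local_heuristic(_hash):
    return "unknown"                            # stand-in for local evaluation

if __name__ == "__main__":
    # Same file, three environments: TIE+GTI, GTI only, fully offline.
    for tie, gti in ((TIE_DB.get, GTI_DB.get), (offline, GTI_DB.get), (offline, offline)):
        rep, src = resolve("hash-b", {}, tie, gti, local_heuristic)
        print(f"{src.value}: {rep} -> {decide(rep, POLICY)}")
```

When reviewing events in McAfee ePO, knowing which source supplied a verdict helps explain why the same file was handled differently on a connected and a disconnected system.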