How a reputation is determined

File reputation is the data that comes from different reputation providers in the on-premises environment.

This is how the reputation of a file or certificate is obtained.

  1. A user or system tries to run a file.
  2. Endpoint Security checks the exclusions to determine whether to inspect the file or not.
  3. Endpoint Security inspects the file and can't determine its validity and reputation.
  4. The Adaptive Threat Protection module inspects the file and gathers file and local system properties.
  5. The module checks the local reputation cache for the file hash.
    • If the file hash is found, the module gets the file's prevalence and reputation data from the cache.
    • If the file hash is not found in the local reputation cache, the module queries the TIE server. If the TIE server is not reachable, the module queries McAfee GTI directly for the file reputation. If the hash is found, the module gets the prevalence data (and any available reputations) for that file hash.
    • If the file hash is not found in the TIE server database, the server queries McAfee GTI for the file hash reputation. McAfee GTI sends the available information, for example "unknown" or "malicious," and the server stores that information.

  6. The module evaluates the following metadata, plus all other metadata sent, and applies the TIE Content rules to determine the file's local reputation.
    • File and system properties
    • Enterprise age and prevalence data
    • Reputation
  7. The TIE server returns the file hash's enterprise age, prevalence data, and other data points to the client based on the data found. If the file is new to the environment, the server sets the flag to submit metadata on the response. The reputation response can include information from providers other than McAfee GTI or Enterprise Overrides, for example, McAfee Web Gateway or Advanced Threat Defense.
  8. The client responds according to the settings on the system that is running the file and blocks or allows the file.
  9. The module updates the server with the reputation information and whether the file is blocked or allowed. It also sends threat events to McAfee ePO through the McAfee Agent.
  10. The TIE server publishes the reputation change event for the file hash.
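
The lookup order in step 5 and the block-or-allow decision in step 8, modelled as an added Python example that is not part of the McAfee documentation or product. The hash strings, the GTI_FEED table, the reputation labels and the block_unknown setting are constructed assumptions standing in for real TIE and GTI data.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed stand-in for the McAfee GTI cloud feed (assumption: real GTI
# returns richer data; here a hash maps to a simple reputation label).
GTI_FEED = {"sha256-known-good": "trusted", "sha256-known-bad": "malicious"}


@dataclass
class TieServer:
    """Step 5, third bullet: an unknown hash is resolved via GTI and stored."""
    reachable: bool = True
    database: Dict[str, str] = field(default_factory=dict)

    def lookup(self, file_hash: str) -> str:
        if file_hash not in self.database:
            # GTI answers e.g. "unknown" or "malicious"; the server stores it.
            self.database[file_hash] = GTI_FEED.get(file_hash, "unknown")
        return self.database[file_hash]


@dataclass
class AtpClient:
    """Step 5 lookup order: local cache, then TIE server, then GTI directly."""
    tie: TieServer
    block_unknown: bool = False      # stands in for the endpoint's policy setting
    cache: Dict[str, str] = field(default_factory=dict)

    def resolve(self, file_hash: str) -> Tuple[str, str]:
        """Return (reputation, source) and populate the local cache."""
        if file_hash in self.cache:                       # first bullet
            return self.cache[file_hash], "cache"
        if self.tie.reachable:                            # second bullet
            reputation, source = self.tie.lookup(file_hash), "tie"
        else:                                             # TIE down: ask GTI directly
            reputation, source = GTI_FEED.get(file_hash, "unknown"), "gti-direct"
        self.cache[file_hash] = reputation
        return reputation, source

    def enforce(self, file_hash: str) -> Tuple[str, str, str]:
        """Step 8: block or allow according to the client's settings."""
        reputation, source = self.resolve(file_hash)
        if reputation == "malicious" or (reputation == "unknown" and self.block_unknown):
            return reputation, source, "block"
        return reputation, source, "allow"


if __name__ == "__main__":
    client = AtpClient(TieServer())
    print(client.enforce("sha256-known-bad"))   # ('malicious', 'tie', 'block')
    print(client.enforce("sha256-known-bad"))   # ('malicious', 'cache', 'block')
```

Running it twice on the same hash shows the second answer coming from the local cache; an unreachable TIE server switches the source to GTI and leaves the server database untouched.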

If McAfee Web Gateway is present

If McAfee Web Gateway is present, the following occurs.

  • When a file is downloaded, McAfee Web Gateway sends a report to the TIE server, which stores the reputation score in its database.
  • When the server receives a file reputation request from the module, it returns the reputation received from McAfee Web Gateway and other reputation providers.