How Adaptive Threat Protection works

Adaptive Threat Protection (ATP) consults the local reputation cache, the TIE server, and McAfee GTI, in that order, for reputation information, and uses the result to decide how to handle files and processes on the client system. ATP rules target living-off-the-land and fileless attacks, and enhanced remediation rolls back the changes a process made if it turns out to be malicious.

  1. (Managed systems) The administrator configures ATP settings in McAfee ePO and enforces them on the client systems.
  2. A user executes a file on the client system. Adaptive Threat Protection checks the local reputation cache for the file.

  3. If the file is not in the local reputation cache, ATP queries the TIE server, if one is available, for the reputation.
  4. If the file is not in the TIE server database, the TIE server queries McAfee GTI for the reputation. If the TIE server is not available, ATP queries McAfee GTI directly.

  5. Depending on the file's reputation and ATP settings:

    • The file is allowed to run.
    • The file is cleaned.
    • The file is blocked.
    • The file is allowed to run in a container.
    • The user is prompted for the action to take.

    Reputation alone does not settle the case for trusted processes. For a process with a Known Trusted reputation, Adaptive Threat Protection rules determine the appropriate actions. ATP monitors the process, its children, and its ancestors for suspicious behavior that can indicate a fileless attack, and blocks the process if needed. If the process reputation is Unknown (50) or lower, enhanced remediation backs up the changes the process makes and rolls them back if the process exhibits malicious behavior.

  6. McAfee GTI returns the latest file reputation information to the TIE server.
  7. The TIE server updates its database and sends the updated reputation to all ATP-enabled systems, so the whole environment is protected immediately.
  8. ATP logs the details and then, if the system is managed, generates an event and sends it to McAfee ePO.
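The eight steps above are one lookup-and-act procedure, so here it is modelled end to end in Python. This is an added example written for this page, not McAfee code: the class names, the hypothetical SHA-256 hashes, the action thresholds in SETTINGS, and every reputation score other than Unknown (50) are assumptions chosen to make the flow concrete. It shows the cache, TIE, GTI, local-rules fallback order, the TIE server publishing a fresh GTI answer to every subscribed endpoint, and the offline case where only local rules can decide.

```python
"""Model of the lookup-and-act flow in steps 1-8. Illustrative code written
for this page; it is not McAfee's implementation."""
from dataclasses import dataclass, field
from typing import Optional

# TIE reputation scores. Only Unknown (50) is stated on the page; the other
# two values are assumptions used to make the example concrete.
KNOWN_TRUSTED = 99
UNKNOWN = 50
KNOWN_MALICIOUS = 1

# Constructed stand-in for McAfee GTI, keyed by hypothetical SHA-256 hashes.
GTI_CLOUD = {"a" * 64: KNOWN_TRUSTED, "b" * 64: KNOWN_MALICIOUS}


@dataclass
class TieServer:
    """Hypothetical TIE server: reputation DB, GTI upstream, DXL fan-out."""
    gti: Optional[dict]                  # None if the TIE server cannot reach GTI
    db: dict = field(default_factory=dict)
    subscribers: list = field(default_factory=list)  # ATP clients on the DXL fabric

    def lookup(self, sha256: str) -> Optional[int]:
        if sha256 in self.db:
            return self.db[sha256]
        if self.gti is None:
            return None
        score = self.gti.get(sha256, UNKNOWN)  # step 4: TIE asks GTI
        self.publish(sha256, score)            # steps 6-7
        return score

    def publish(self, sha256: str, score: int) -> None:
        """Store the score and push it to every ATP-enabled system at once."""
        self.db[sha256] = score
        for client in self.subscribers:
            client.cache[sha256] = score


@dataclass
class AtpClient:
    tie: Optional[TieServer] = None      # None when no TIE server is reachable
    gti: Optional[dict] = None           # None when the endpoint is offline
    cache: dict = field(default_factory=dict)
    local_rules: dict = field(default_factory=dict)  # hypothetical offline verdicts
    events: list = field(default_factory=list)       # step 8: what goes to ePO

    def reputation(self, sha256: str) -> tuple:
        """Return (score, source), following the order in steps 2-4."""
        if sha256 in self.cache:
            return self.cache[sha256], "cache"
        if self.tie is not None:
            score = self.tie.lookup(sha256)
            if score is not None:
                self.cache[sha256] = score
                return score, "tie"
        if self.gti is not None:                  # no TIE: ask GTI directly
            score = self.gti.get(sha256, UNKNOWN)
            self.cache[sha256] = score
            return score, "gti"
        # No TIE server and no Internet: only the local ATP rules can decide.
        return self.local_rules.get(sha256, UNKNOWN), "local-rules"

    def execute(self, sha256: str, settings: dict) -> str:
        """Step 5: choose one of the five outcomes and record the event."""
        score, source = self.reputation(sha256)
        action = decide(score, settings)
        self.events.append({"sha256": sha256, "score": score, "source": source,
                            "action": action,
                            # enhanced remediation backs up changes at Unknown or lower
                            "remediation_backup": score <= UNKNOWN})
        return action


def decide(score: int, settings: dict) -> str:
    """Thresholds are hypothetical: a file gets an action when its score is at
    or below that action's threshold, most severe action checked first."""
    for action in ("clean", "block", "contain", "prompt"):
        if score <= settings[action + "_at"]:
            return action
    return "allow"


# Constructed settings, not McAfee defaults.
SETTINGS = {"clean_at": 1, "block_at": 15, "contain_at": 30, "prompt_at": 50}


def demo() -> dict:
    """Two managed endpoints sharing a TIE server, plus one isolated endpoint."""
    tie = TieServer(gti=GTI_CLOUD)
    ep1, ep2 = AtpClient(tie=tie), AtpClient(tie=tie)
    tie.subscribers += [ep1, ep2]
    isolated = AtpClient(local_rules={"c" * 64: 30})

    first = ep1.execute("b" * 64, SETTINGS)   # ep1's miss makes TIE query GTI
    _, ep2_source = ep2.reputation("b" * 64)   # ep2 already has it via DXL
    offline = isolated.execute("c" * 64, SETTINGS)
    return {"first_action": first, "ep1_source": ep1.events[0]["source"],
            "ep2_source": ep2_source, "offline_action": offline}
```

The point worth noticing in demo() is that the second endpoint never queries anything: the first endpoint's cache miss is answered by GTI through the TIE server, and the publish step lands the score in every subscriber's cache before they see the file. The isolated endpoint, with neither TIE nor Internet, can only fall back to whatever its local rules say.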

How it works

The way Adaptive Threat Protection functions depends on whether it communicates with a TIE server and, if not, whether the system is connected to the Internet and can reach McAfee GTI directly.

If the TIE server and Data Exchange Layer are present (Managed systems)

If the TIE server is present, Adaptive Threat Protection uses the Data Exchange Layer framework to share file and threat information instantly across the whole enterprise. You can see the specific system where a threat was first detected and where it went from there, and stop it immediately.

Adaptive Threat Protection with the TIE server enables you to control file reputation at a local level, in your environment. You decide which files can run and which are blocked, and the Data Exchange Layer shares the information immediately throughout your environment.

Note: To prevent business operations from being negatively impacted, ATP might ignore some reputations set in the TIE server, such as a Microsoft certificate set to Known Malicious.

Adaptive Threat Protection and the TIE server communicate file reputation information and file metadata. The Data Exchange Layer framework immediately passes that information to managed endpoints. It also shares information with other McAfee products that access the Data Exchange Layer, such as McAfee® Enterprise Security Manager (McAfee ESM) and McAfee® Network Security Platform.

Adaptive Threat Protection with TIE server and Data Exchange Layer


If the TIE server and Data Exchange Layer are not present (Managed systems)

Adaptive Threat Protection queries McAfee GTI directly for file reputation information, and McAfee ePO manages the settings and receives the events.

Adaptive Threat Protection with McAfee ePO and McAfee GTI


If the TIE server isn't present and the system isn't connected to the Internet, Adaptive Threat Protection determines the file reputation using ATP rules on the local system.

If the TIE server and Data Exchange Layer are not present (Self-managed systems)

Adaptive Threat Protection queries McAfee GTI directly for file reputation information.

Adaptive Threat Protection with McAfee GTI


If the TIE server isn't present and the system isn't connected to the Internet, Adaptive Threat Protection determines the file reputation using ATP rules on the local system.