
FIELD GUIDE TO SETTING UP POCS V1.0
JENNIFER VALVERDE

INTEL SECURITY | 2821 Mission College Blvd Santa Clara, CA 95054



Contents

Introduction ... 2
Purpose ... 2
Deployment Requirements ... 3
Optional Components ... 4
Requirements/Pre-Requisites ... 5
Installation and Configuration Checklist ... 6
Installation and Configuration of McAfee Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) ... 7
  Installing the TIE/DXL server ... 7
  Configuring the TIE Solution ... 23
  Content Testing with benign samples ... 28
User Stories ... 29
  Immediate Visibility: Gain insight into executables & certificates run in your environment ... 29
  The TIE Client: A new kind of protection against emerging threats ... 37
  Control: Take immediate action ... 42
  Speed and Distribution: It's fast ... 49
  Incident Response: Patient Zero & Clean Up ... 52
Appendix ... 56
  McAfee Advanced Threat Defense for Automated Intelligence ... 57
  VirusTotal ... 62
  Baseline Gold Images with the TIE Scanner ... 65
  Troubleshooting ... 67

Introduction
McAfee Threat Intelligence Exchange provides adaptive prevention for emerging
threats. It quickly analyzes files and content in your environment and makes
informed security decisions based on a file's reputation and your specific criteria to
determine if there is a threat to your environment.
The challenge in today's network environment is the growing number of devices and
systems on a network, and their inability to communicate security information with
each other. Until now, they have acted as separate silos and could not be
intelligently managed as a whole.
Threat Intelligence Exchange changes that. Imagine knowing exactly which
machines have been compromised by a specific file, and then acting immediately to
prevent the threat from spreading throughout your environment, even to remote
networks and systems. You can see exactly on which system the threat was first
seen and where it went from there, and stop it immediately across your entire
environment.
Threat Intelligence Exchange provides the latest technology in detecting and
preventing threats:
- A security ecosystem that allows instant communication between endpoints,
  systems, and devices in your environment. They send information to the
  Threat Intelligence Exchange server where it is then available to endpoints
  throughout your environment.
- A new kind of endpoint protection that evaluates local, global and enterprise
  level intelligence to make smart execution time decisions to allow or block
  executables.
- Faster detection and protection against security threats and malware.
- The ability to immediately block or allow specific files and certificates based
  on their threat reputations.

For more information on Threat Intelligence Exchange visit our webpage at
http://www.mcafee.com/us/products/threat-intelligence-exchange.aspx

Purpose
This guide is intended to assist with the setup, configuration, and use of McAfee's
Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) version 1.0 for
testing, evaluation or Proof-of-Concept (POC). This guide will walk you through the
pre-requisites, installation, deployment, configuration and most common scenarios
used for testing and getting the most value from TIE and DXL in your environment.
The use cases were designed to demonstrate the most common issues TIE solves at
the near real-time speed DXL offers.

Deployment Requirements

McAfee Threat Intelligence Exchange is made up of four major mandatory
components, and a number of smaller optional pieces. The mandatory components
are:

ePO Server

ePO Server is the centralized management system where all configuration,
deployment, management and reporting occurs. This server may run on Windows
Server 2008 R2 or greater. Both physical and virtual servers are supported.

TIE Server

The Threat Intelligence Exchange server stores file and certificate reputation
information. It then communicates that information to other systems and
endpoints in your environment as needed. The benefit of context-aware
security is the ability to gather situational and environmental information at
the moment the system is running. The information is then used to
communicate and share file and certificate reputation information to make
real-time, accurate security decisions.

Data-exchange layer (DXL)

The data-exchange layer (DXL) allows bidirectional communication between
endpoints on a network. Threat information can be shared immediately with
all other services and devices on the network, reducing the spread of threats.
DXL, together with Threat Intelligence Exchange, shares reputation
information between multiple endpoints, regardless of their location. DXL
works in the background, communicating with services, databases,
endpoints, and applications. It receives and sends encrypted messages about
file metadata throughout your environment to track activity, risks, and
threats in real time. Sharing reputation information as soon as it becomes
available reduces the assumptions that applications and services make about
each other when exchanging information.
TIE/DXL Client (Endpoint)

Agent module that quickly analyzes files and content in your environment
and makes informed security decisions based on a file's reputation, local,
global and enterprise context and your specific policy to determine if there is
a threat to your environment. The TIE Client requires the McAfee Agent and
VSE to be installed.
For a more detailed description of each of the key components please refer to the
product guide.

Optional Components
There are additional components such as Advanced Threat Defense which add value
to the TIE solution that are optional, but may be required for successful completion
of an evaluation. As products are integrated into the DXL the possibilities greatly
increase. Supplemental documentation on optional components and additional
products can be found in the appendix of this POC Guide.

ATD

If a file's reputation is unknown or is not certain, you can submit it to
Advanced Threat Defense for further analysis. Advanced Threat Defense is
purchased separately and detects zero-day malware and combines anti-virus
signatures, reputation, and real-time emulation defenses. Files can be sent
from Threat Intelligence Exchange to Advanced Threat Defense automatically
based on their reputation level and file size. For additional information on
ATD please take a look at our product page
http://www.mcafee.com/us/products/advanced-threat-defense.aspx

VirusTotal API Key

VirusTotal is a free service that analyzes suspicious files and URLs and
facilitates the quick detection of viruses, worms, trojans, and all kinds of
malware. For additional information on VirusTotal see
https://www.virustotal.com/

Requirements/Pre-Requisites
In order to successfully deploy the McAfee TIE solution for evaluation, the following
is required:
McAfee software
- ePO 5.1.1 or later running on Windows Server 2008 R2 or later
- McAfee Agent 5.0 or later installed on endpoints
- VSE 8.8 with patch 4 hotfix 929019 installed on endpoints

Customer provided
- VMware / ESXi server for hosting the TIE/DXL server
- Network requirements
  - IP Address for: TIE/DXL Server
  - Ports:
    - ePO Ports (Default TCP 80, 443, 8081, 8443, 8444, 1433 UDP 8082, 1434).
      For more detailed information see KB66797
    - TIE Server/DXL Ports (Default 8883, 1883)
    - Postgres (TCP and UDP 5432)
- Private API Key from VirusTotal (See appendix for instructions on obtaining
  this)
- 2 or more Endpoints. You can install Threat Intelligence Exchange Client on
  the following operating systems:
  - Microsoft Windows 7 (32 and 64 bit)
  - Windows 8.0 (32 and 64 bit)
  - Windows 8.1 (32 and 64 bit)
  - Windows 8.1U1/U2 (32 and 64 bit)
  - Windows Server 2008 R2
  - Windows Server 2012/2012 R2

**It is more accurate and interesting in a POC to use a typical system in your
environment for testing. If a live production system is not available we
suggest using VMware physical to virtual conversion to make a copy of a
production system. For additional information regarding vCenter Converter
see http://www.vmware.com/products/converter/features

Installation and Configuration Checklist
The TIE Installation Guide can be found on the McAfee download site with a valid
grant number. The installation is fairly quick; however, the following steps should be
performed in order. This checklist is provided as a reference to give you a forward
look at what steps will be performed as well as a reference to how far along in the
install process you are.
Pre-requisites (need to be installed prior to following the installation steps of this
guide)
- Install ePO 5.1.1
- Install McAfee Agent 5.0 on 2 or more endpoints
  - Check in package MA-WIN 5.0.0 Build XXXX Package #x (ENU-LICENSED-Release-MAIN)
  - Install extension EPOAGENTMETA.zip
- Install and deploy the VSE client to your endpoints
  - Check the following files into the software repository:
    - VSE 8.8.0 Build xxxx Package #x (AAA-LICENSED-RELEASE-PATCH 4)
    - VSE 8.8.0 Build xxxx Package #x (AAA-LICENSED-RELEASE-HOTFIX 929019)
  - Install extension VSE 8.8.0 Build xxxx Package #x (AAA-LICENSED-RELEASE-PATCH 4)
  - Deploy VSE to the Client systems
  - Create a client task to apply VSE hotfix

POC Guide starts here:
- Install TIE/DXL extensions in ePO
  - DXLBrokerMgmt_1.0.0_Build_xxxx Package #x (ENU-LICENSED-RELEASE-MAIN).zip
  - DXLClient_1.0.0_Build_xxxx Package #x (ENU-LICENSED-RELEASE-MAIN).zip
  - DXLClientMgmt_1.0.0_Build_xxxx Package #x (ENU-LICENSED-RELEASE-MAIN).zip
  - TIEServerMgmt_1.0.0_Build_xxx Package #x (ENU-LICENSED-RELEASE-MAIN).zip
  - TIEmMeta.zip
- Check in DXL Client Package DXL 1.0.0 Build xxx Package #x (ENU-LICENSED-RELEASE-MAIN)
- Check in JTICAgent.zip
- Deploy the TIE/DXL Virtual Server on ESXi server using
  TIEServer_1.0.0.xxx.x86_64-MAIN.ova
- Complete TIE/DXL server installation
- Create a new Registered Server in ePO for the TIE postgres database
- Deploy DXL Client using ePO product deployment
- Deploy TIE Client using ePO product deployment
- Verify the installation
  - DXL Broker, DXL Client and TIE server visible in the system tree
  - DXL Client connection state = connected
  - TIE Server connection state = connected
  - A wildcard search for TIE file or cert reputation returns data (Note: you may
    have to execute a few samples on the endpoint to see data in the TIE
    reputations page)
- Configure TIE server extension in ePO
  - Add Virus Total API Key to Server Settings
  - In the Policy Catalog configure GTI, Telemetry, and ATD settings
- Configure DXL Broker in ePO server settings

Installation and Configuration of McAfee Threat Intelligence Exchange (TIE) and
Data Exchange Layer (DXL)
Most of the TIE/DXL installation and configuration can be completed by the
customer prior to arriving on site. If these items are done prior to arriving on site
this can help ensure a successful evaluation with data points to work from.
The installation and configuration assumes:
- ePO 5.1.1 is installed and configured
- McAfee Agent 5.0 and VSE 8.8 patch 4 with hotfix 929019 are installed and
  deployed on the endpoints
- ESXi server is accessible for OVA deployment

This section is comprised of 3 main steps:
- Installing the TIE/DXL server
- Deploying the TIE/DXL endpoint components
- Configuring the TIE solution
Installing the TIE/DXL server

VM Specifications for the TIE/DXL server:

The TIE/DXL server is deployed as a Virtual Server. Ensure the virtual machine has
the following hardware specifications. For the purposes of POC, we assume the TIE
server and DXL broker will be installed on the same server:
- VMWare ESXi 5.1.0 and above
- The OVA (VMWare image) is pre-configured with 16GB of RAM and 8 CPUs.
  The ESXi server must be able to handle this configuration.
- Sufficient SSD or hard disk for the database (116 GB when thick provisioned)

**The TIE/DXL server is a single McAfee provided OVA file that includes both
components.

Other considerations:
- Determine the IP address to be used during the POC. Both Manual and DHCP
  options are available.
- Determine the IP address and administrator username and password of the
  ePO server that TIE/DXL will be connecting to.

For a quick video demonstration of the TIE/DXL server deploy and installation go to:
https://mcafee.box.com/s/sie74ncenw9nqo92tbiy

These steps will walk you through downloading, installing and configuring the
McAfee Threat Intelligence Exchange and Data Exchange Layer Server:

Step | Instructions | Image or amplifying instructions

1. Upon receiving your grant number access the software download portal from
   the following link: http://www.mcafee.com/us/downloads/downloads.aspx

2. Enter your grant number under Download My Products and click Go.

3. Under Software downloads click on McAfee Threat Intelligence Exchange and
   download TIE_Server_1.0.0.xxx.x86_64-MAIN.ova.
   Note: The VMWare vSphere client will need access to this file.
   Download the following extensions and packages from the McAfee download
   site or check in from the Software Manager in ePO:
   - DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip
   - DXLClient_1.0.0_Build_xxxx Package #x.zip
   - DXLClientMgmt_1.0.0_Build_xxx Package #x.zip
   - help_dxl_100.zip
   - DXL 1.0.0 Build xxxx Package #x.zip
   - TIEServerMgmt_1.0.0_Build_xxx Package #x.zip
   - help_tie_100.zip
   - TIEmMeta.zip
   - Help_jtic_100.zip
   - JTICAgent.zip
   Note: These extensions and packages are also available in the ePO Software
   Manager.
4. In ePO, install the following extensions:
   - DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip
   - DXLClient_1.0.0_Build_xxxx Package #x.zip
   - DXLClientMgmt_1.0.0_Build_xxxx Package #x.zip
   - help_dxl_100.zip
   - TIEServerMgmt_1.0.0_Build_xxx Package #x.zip
   - help_tie_100.zip
   - TIEmMeta.zip
   - help_jtic_100.zip
   Select Menu | Software | Extensions and then click Install Extension.
   Repeat this process until all 5 extensions and 3 help files are checked in.
   When all extensions are properly installed you should see:
   - McAfee DXL
   - McAfee TIE Server
   - Threat Intelligence Exchange module for VSE
5. Check the DXL and TIE package into the Master Repository.
   Select Menu | Software | Master Repository and then click Check In Package.
   Browse to DXL 1.0.0 Build xxx Package #x.zip. Click Next and Save.
   Repeat these steps for the JTICAgent.zip.
   The Master Repository should appear as follows.

6. Once the product extension and packages are properly checked in to ePO, you
   are ready to install the TIE/DXL Server.
   Open the VMware vSphere Client. Select File | Deploy OVF Template.

7. Browse to the location of the TIEServer_1.0.0.xxx.x86_64-MAIN.ova file on
   your computer, and then click Next. Complete the steps in the wizard,
   accepting the default values.

8. The first time you power on the virtual machine and open the console you
   will see the End User License Agreement. Press Enter several times and Y to
   accept and begin the installation.

9. Create a root password for the Threat Intelligence Exchange virtual server.
   The password must be at least nine characters. Press Y to create.
9. The operational account will have limited permissions. Enter an Account
   Name, Real Name, and Password. Use the Tab key to move to the next field.
   When finished, press Y to continue.

10. Only one option appears on this page; enter N to continue.
    *Note: N is the only option to move forward. When only 1 option is present,
    Tab or Enter will not work.

11. Select DHCP or Manual IP address configuration. Enter D for DHCP or M for
    Manual. If you select Manual, enter the remaining information. When
    finished, enter Y to continue.
12. Enter the Hostname and Domain Name (if appropriate) of the computer where
    you are installing the Threat Intelligence Exchange server appliance. Enter
    Y to continue.

13. Enter up to three Time Servers to synchronize the time of the Threat
    Intelligence Exchange server. Use the default servers listed, or enter the
    address for up to three servers. Enter Y to continue.

14. Enter the IP Address or fully qualified domain name, port, and account
    information for your McAfee ePO server. Enter Y to continue.
    Note: The ePO server must be available. At this point the installation
    will begin to configure the McAfee Agent.

15. Enter the ePO Agent Wake-up Port. The default is 8081. Enter Y to continue.
16. Select the services to run on the Threat Intelligence Exchange server.
    Enter Y for both DXL Broker and TIE Server. Enter Y to continue.

17. A Master server replicates the Threat Intelligence Exchange database to all
    Slave servers, if you have them. Enter M for configuration. Enter Y to
    continue.
    Note: For the POC only install a Master.
    Server roles:
    - Master server replicates the TIE database to all Slave servers, if you
      have them.
    - Write-only Master server does not process reputation requests or any
      non-essential functionality beyond writing and maintaining the database.
      Because a write-only Master server does not process requests over the
      Data Exchange Layer, it increases system performance by replicating the
      database, leaving the Data Exchange Layer requests to the Slave servers.
    - Slave server processes Data Exchange Layer requests exactly like a Master
      server using a database that's replicated from the Master database. The
      Slave server must have access to the Master server.
    - Reporter is a Slave server that does not process reputation requests. It
      improves McAfee ePO reporting by replicating the database information
      without processing Data Exchange Layer requests.

18. The Read-Only Account enables McAfee ePO to communicate with the Threat
    Intelligence Exchange server postgres database. You will enter this
    information in the ePO Registered Servers in a later step to allow ePO to
    connect to and receive data from the TIE server database.
    Enter the Read-Only Account Name and the Password. Enter Y to continue.
    Note: the password may only use the following characters: a-z A-Z 0-9 ~@#$%^_+=-
19. Specify the DXL Broker Port that the Data Exchange Layer uses. Use the
    default port 8883, or enter a port number within the range shown. Enter Y
    to continue.

20. Do nothing on this page. TIE Server setup is complete.

21. To view TIE database information in McAfee ePO reports and dashboards,
    create a new registered server.
    In McAfee ePO, click Menu | Configuration | Registered Servers, then click
    New Server.
    In the Server type drop-down list, click Database Server. Enter a Name, for
    example, TIE Database, and then click Next.
22. Select the checkbox for Make this the default database for the selected
    database type.
    Database Vendor: select TieServerPostgres.
    Host name or IP address: enter the host name of the system where you
    installed the TIE server.
    **If you use the host name, make sure it's registered in DNS. Since the TIE
    Server is Linux, it doesn't automatically get registered into DNS upon
    creation.
    Database name: enter tie. **This is case sensitive.
    User name and password: enter the read-only postgres user name and
    password you specified on the PostgreSQL Read-Only Account Setup page
    during the TIE server installation.
    Click Test Connection to verify the connection information and user
    credentials.
23. To verify that the TIE/DXL server is installed and communicating properly,
    open the System Tree in ePO. The TIE Server is listed as a managed system.
    Note: You may have to change the Preset field to This Group and All
    Subgroups to see the TIE Server entry.

24. Click the TIE server name, then click the Products tab. Verify that the
    following products are listed:
    - Agent
    - McAfee DXL Broker
    - McAfee DXL Client
    - McAfee Threat Intelligence Exchange Server
    You may have to wait for 2 ASCIs for all components to install and check
    in properly. Doing an Agent Wake-Up Call with Force complete policy and
    task update checked can speed up this process.
    Note: It is important you do not push the McAfee Agent, DXL Client or TIE
    module to the TIE server. The products listed above will be installed as
    part of the install process.

25. Click the DXL Status tab to verify the TIE Server is connected.
26. Click Actions | DXL | Lookup in DXL. You should see the TIE server is
    Connected.
Installing and verifying the DXL client and McAfee Threat Intelligence
Exchange Module for VSE on your endpoint

Prerequisites for the TIE Client:
- McAfee Agent 5.0
- VirusScan 8.8 patch 4 with hotfix 929019

These steps will walk you through installing and verifying the DXL client and McAfee
Threat Intelligence Exchange module for VSE:

Step | Instructions | Image or amplifying instructions

1. Prior to deploying the DXL and TIE Client verify McAfee Agent 5.0 and VSE
   8.8.0.1263 are installed on your endpoint. Click into the endpoint in the
   System Tree and click the Products tab.
   Note: It is important that the VSE hotfix 929019 is installed. The version
   8.8.0.1263 indicates it is installed. If it is not yet applied to the
   endpoint you will see version 8.8.0.1247.

2. In McAfee ePO, click Menu | Software | Product Deployment, then click New
   Deployment.
3. Name the deployment DXL. For Type select Fixed. Choose the Data Exchange
   Layer Client 1.0.0 package.
   Note: This is the same package that was checked into the master repository
   in the beginning of the installation section.

4. Click Select Systems. The System Selection screen will pop up. Select only
   the endpoints you wish to deploy the DXL client to.
   Note: Do not deploy the DXL client to the TIE Server.
   When the endpoints are selected click OK.

5. To complete the Product Deployment form select Run Immediately.
6. At the top of the Product Deployment page click Save to begin deployment.

7. Once the product deployment page shows successful completion of DXL on your
   endpoint, verify McAfee DXL Client appears in the Products tab of your
   system.
   In McAfee ePO, click Menu | System Tree. Click the endpoint and click the
   Products tab.
   Note: You may have to wait for 2 ASCIs for all components to install and
   check in properly. Doing an Agent Wake-Up Call with Force complete policy
   and task update checked can speed up this process.

8. Repeat the same Product Deployment process for the TIE Module for VSE.
   In McAfee ePO, click Menu | Software | Product Deployment, then click New
   Deployment.
9. Name the deployment TIE. For Type select Fixed. Choose the Threat
   Intelligence Exchange module for VirusScan Enterprise 1.0.0 package.
   Note: This is the same package that was checked into the master repository
   in the beginning of the installation section.

10. Click Select Systems. The System Selection screen will pop up. Select only
    the endpoints you wish to deploy the TIE module to.
    Note: Do not deploy the TIE Module to the TIE Server.
    When the endpoints are selected click OK.

11. To complete the Product Deployment form select Run Immediately.
12. At the top of the Product Deployment page click Save to begin deployment.

13. Verify the Product deployment page shows successful completion of TIE on
    your endpoint.
    Note: You may have to wait for 2 ASCIs for all components to install and
    check in properly. Doing an Agent Wake-Up Call with Force complete policy
    and task update checked can speed up this process.

14. Click into the endpoint in the System Tree and click the Products tab to
    verify the Threat Intelligence Exchange module for VSE installation was
    successful.

15. Click the DXL Status tab to verify the client is Connected.

16. Click Actions | DXL | Lookup in DXL. You should see the endpoint is
    Connected.
Configuring the TIE Solution
Prerequisites
Before completing this section you must have completed the server and client installation
sections. The policies set in this section must be mirrored in order for the use cases in the
next section to perform as documented.

Considerations
For the POC we will be setting the client policy to block at Unknown. In order to
demonstrate the capabilities without compromising safety, the files used in the sample set
are benign. In production, it would be more common that blocking will be set to Might be
Malicious. See below for recommendations:

- Block at Unknown: Point of Sale devices, Production Servers where little to no
  changes occur
- Might be Malicious: Most endpoints would fall into this category (**depending on
  risk tolerance of your organization)
- Observe mode: Run in observe mode to establish a system baseline and to
  populate the TIE server with commonly used files. Once the system policy is
  changed to enforce, the files that were already evaluated in observe mode would not
  be considered new to your environment.
- TIE Scanning tool: The TIE Scan tool performs TIE analysis on user-specified files
  and folders, and populates a TIE server database with baseline data from a gold
  image. The TIE Scanning tool is not an official part of the product and comes with
  minimal/no support or documentation. Please refer to the Baseline Gold Images with
  the TIE Scanner section of the appendix for more information.

These steps will walk you through TIE server and client extension configuration as
needed for the user story section:

Step | Instructions | Image or amplifying instructions

1. Configure the TIE Server Extension under Menu | Configuration | Server
   Settings | Threat Intelligence Exchange Server. Click Edit.
2. Enter your VirusTotal Public/Private Key. Click Save.
   **For more information on how to obtain the VirusTotal Public/Private Key
   see appendix.

3. To access the TIE Server settings policy, select Menu | Policy | Policy
   Catalog and select McAfee TIE Server Management 1.0.0 in the Product
   dropdown. Click into My Default to edit.

4. On the General tab, you can enable and disable GTI Reputations and set
   Proxy and Product Improvement Program settings.
   For this POC guide to perform as documented GTI reputations must be
   Enabled.
   Note: The Product Improvement Program helps McAfee learn about threats and
   prioritize what is allowed or blocked.
5. On the Advanced Threat Defense (ATD) tab, you can configure ATD server
   settings. Files can be sent to ATD for further evaluation.
   This step is not required if ATD is not included in the POC.
   Check Enabled. Enter the User name and Password for the ATD Server.
   Note: The sample will be submitted from the TIE Server.
   The online help provides guidance on each option.
6. To access the TIE Client policy, select Menu | Policy | Policy Catalog and
   select Threat Intelligence Exchange Module for VSE 1.0.0 in the Product
   dropdown. Click My Default to configure.

7. Configure your Client policy. Leave Self Protection Enabled.
   Self Protection: If selected, prevents users on managed endpoints from
   changing Threat Intelligence Exchange module settings.
8. Set Operation Mode to Enforce.
   Operation Mode: Specifies whether the module applies the policy settings on
   this page.
   - Enforce: Enforce the policy per the settings on the page.
   - Observe: Collect data as if the policy were enforced and send it to the
     server, but don't actually enforce the policy. This option allows you to
     see what effect the policy would have without running it.
   - Disabled: Do not enforce the policy.

9. Check Enable or not depending on your preference. For the POC it does not
   matter which is chosen.
   Telemetry Settings: Specify whether file information is sent to McAfee.
   Selecting Enabled helps McAfee learn about threats and prioritize what is
   allowed or blocked.

10. Set Balance Security for Typical systems.
    Balance Security For: There are three levels that reflect the amount of
    risk, or security, allowed on the systems that use this policy.
    - High change systems: block and prompt the least
    - Typical systems: block and prompt more
    - Low change systems: block and prompt the most
    **To enable or disable specific rules for each security level review the
    server settings for the TIE module for VSE.

11. Set Clean at: Known Malicious. Set Block at: Unknown.
    Reputation Responses for Executables, DLLs, Drivers: Specify what happens
    when a file with a specific reputation level tries to run on a system that
    uses this policy.
    Clean at: Select a file reputation level at which the file is cleaned
    using VirusScan Enterprise and then allowed to run. This option is
    available only for High change systems and Typical systems security
    levels.
    **We recommend using Clean at only with known malicious file reputations
    because Clean at might delete the file.
    Block at: Select a file reputation level where files are blocked. When a
    file with this reputation tries to run in your environment, it's prevented
    from running but remains in place. If you discover that the file is safe
    and you want it to run, you can change its file reputation to a level that
    is allowed to run, such as Known Safe.
12. Leave End User Prompting disabled for the POC.
    Prompt at: Specify the file reputation level when users are prompted to
    allow or block the file. The prompt level must not conflict with the Clean
    at or Block at settings. For example, if you block unknown files, you
    can't set this field to Might Be Malicious because it has a higher
    security threat than Unknown.
    Default action: Specify what happens if the user doesn't respond to the
    prompt.
    Timeout: Specify how long the prompt displays before performing the
    Default action.
    Custom Prompt Text: Enter text the user sees when a file that meets the
    prompting criteria attempts to run. If you don't enter custom text, a
    default message is used.

13. Check Enable or not depending on your preference. For the POC it does not
    matter which is chosen.
    Use GTI: Get file reputation information from the Global Threat
    Intelligence cloud if the module can't access the server.
    Prompting Disabled: If the server is unavailable, disable prompting so
    that users don't receive prompts about files with reputations that are
    unavailable.

14. If ATD is being used and configured in the TIE Server extension, check
    submit files to ATD at Unknown. This step is not required if ATD is not
    included in the POC.
    The files are sent to Advanced Threat Defense when the following occurs:
    - The Threat Intelligence Exchange server does not have Advanced Threat
      Defense information about the file.
    - The file is at or below the reputation level you specify.
    - The file is at or below the file size limit you specify.
Content Testing with benign samples

Being able to demonstrate the power of Threat Intelligence Exchange without risking malware execution can be difficult. Below you will find tips, tools and a list of benign samples used to demonstrate the TIE solution.

Tips
Be cautious when extracting the test files. The test files are benign; however, their reputations are set to various levels in GTI, and VirusScan will happily delete them for you if you aren't careful. This could result in a polite but fairly stern email from your friendly Security team.
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

Tools
Hash tool - Determining the hash of a file allows the administrator to import a reputation before the file ever enters the environment. Hash tool: http://www.keir.net/hash.html
Hex Editor - A hex editor allows a file to be modified just enough to change its hash. When testing samples that are already known trusted, hex editing is a good way to create a new sample. Hex editor: http://download.cnet.com/HxD-Hex-Editor/3000-2352_4-10891068.html
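To show what the two tools above do, here is an added Python example; it is not the keir.net hash tool or HxD, and the file it writes is a constructed stand-in (an "MZ" signature plus the DOS-stub message), not the real Hackit.exe or any executable. It computes MD5 and SHA-1 in the 0x-prefixed upper-case form this guide uses for reputation import, then overwrites one character of the DOS-stub text the way a hex editor's overwrite mode would, and shows that both hashes change, which is why TIE then sees a new, unknown file. Function and file names are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a PE file: the "MZ" signature followed by the usual
# DOS-stub message. It is not an executable; it only gives the example bytes to hash.
SAMPLE_BYTES = (b"MZ" + b"\x90" * 14
                + b"This program cannot be run in DOS mode.\r\n$"
                + b"\x00" * 32)


def file_hashes(path, chunk_size=64 * 1024):
    """MD5 and SHA-1 of a file, formatted like the guide's import fields
    (0x prefix, upper-case hex). Hashes in chunks so large files are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"MD5": "0x" + md5.hexdigest().upper(),
            "SHA-1": "0x" + sha1.hexdigest().upper()}


def hex_edit_copy(src, dst, old, new):
    """Write dst as a copy of src with the first occurrence of `old` overwritten by `new`.

    A same-length replacement mirrors a hex editor's overwrite mode: no bytes move,
    so the file layout is untouched but every hash over the content changes.
    Returns the offset that was edited.
    """
    if len(old) != len(new):
        raise ValueError("overwrite must keep the same length")
    data = Path(src).read_bytes()
    offset = data.find(old)
    if offset < 0:
        raise ValueError("pattern not found in file")
    Path(dst).write_bytes(data[:offset] + new + data[offset + len(old):])
    return offset


def demo(workdir=None):
    """Hash the constructed sample, edit one byte of it, hash again; returns both."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="tie-hash-"))
    original = workdir / "sample-original.bin"  # constructed file, not Hackit.exe
    edited = workdir / "sample-edited.bin"
    original.write_bytes(SAMPLE_BYTES)
    hex_edit_copy(original, edited, b"DOS mode", b"DOS m0de")
    before, after = file_hashes(original), file_hashes(edited)
    for label, hashes in (("original", before), ("edited", after)):
        print(f"{label:9s} SHA-1 {hashes['SHA-1']}  MD5 {hashes['MD5']}")
    return before, after


if __name__ == "__main__":
    demo()
```

The SHA-1 and MD5 strings it prints are in exactly the form the Import Reputations dialog in the Control use case expects, so the same function can be pointed at a real file to prepare an import before that file is ever allowed into the environment.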

Samples
Instructions & Samples: http://mcaf.ee/yiuva

Artemis-High.exe: Hardcoded reputation of Might be Malicious.
Roaming.exe: Triggers a TIE rule when executed from the $AppData$\Roaming directory.
Artemis-Unknown-All.exe: Hardcoded reputation of Unknown.
Morph.exe: GTI Known Trusted, ATD Most Likely Malicious. Hash below for reputation import:
SHA-1 Hash: 0x13ECDDA4F45CD028221AF300EEBB207B60CB5C6C
MD5 Hash: 0xFB36DE68696BC60D9A51B537F97BDAD3
Hackit.exe: Visual executable used in demonstrating zero day attacks and the kill process. Included in the zip and can also be found at http://hack-it.en.softonic.com/
Wireshark.exe: Good tool for testing certificate reputation. Download from https://www.wireshark.org/download.html
User Stories

The user story section is designed to demonstrate the most common use cases for the TIE solution. This section does not include all TIE features and functionality. The following use cases were designed to be performed in the order documented:
Immediate Visibility - Gain insight into new executables and certificates running in your environment
The TIE Client - A new kind of protection against emerging threats
Control - Take immediate action
Speed and Distribution - It's fast
Incident Response - Patient Zero & Clean Up

Immediate Visibility - Gain insight into executables & certificates run in your environment

McAfee Threat Intelligence Exchange brings immediate visibility into the presence of advanced targeted attacks and emerging threats by automatically assembling events and valuable context as communicated from the new intelligence-based endpoint client, gateways, and other connected security components.

Pain point: Fragmented visibility - limited or no understanding of what files are running on endpoints
McAfee capability to solve the pain: TIE baselines and shows you what is actually running in the environment. TIE synthesizes attack insights into actionable intelligence, such as first contact, local prevalence, file trajectory, and infection artifacts that help guide investigations and timelines.

Pain point: Increasing complexity - too many siloed technologies
McAfee capability to solve the pain: TIE transforms disparate security components to create a single collaborative system that instantly shares contextual insights while delivering immediate adaptive threat protection.

Pre-requisites:

Download the set of test samples provided here: http://mcaf.ee/yiuva
For this use case we will be using Artemis-High.exe

Objective

The objective of this use case is to demonstrate the ability to identify new executables and certificates that are being run in your environment using McAfee Threat Intelligence Exchange. Successful completion of this use case demonstrates the added visibility and information that the TIE solution offers.

Step | Instructions | Image or amplifying instructions

1. Login to ePO

2. Click on Menu | Systems Section | TIE Reputations

3. In the File Search tab enter * in the search field and click Find Files.

*Note: hitting Enter will not search. You must use the mouse to click the Find Files button.

4. You will see a list of files that have been executed on your endpoints.

You may need to execute a few files before this page is populated.

Each column can be clicked to sort the information, including ATD reputation, comments, hashes etc.

Clicking to sort by GTI reputation will highlight some of the more interesting files being executed.

The TIE Reputations page is a collective source of threat intelligence from all security products connected to DXL, allowing the user visibility and the ability to make informed decisions.

5. File details can be added to the initial search results by clicking Actions | Choose Columns. Add columns as desired.

In the case where ATD is being used, add the ATD column for added reputation information.

6. On the endpoint run the Artemis-High.exe provided in the test samples.

The file execution will be blocked.

7. In the TIE Reputations page search for artemis. You will see the file was blocked based on its GTI reputation Might be Malicious.

Click Artemis-High.exe to research additional information about the executable.

8. The File Details tab provides additional information about the file properties.

9. The Additional Information tab includes data collected from the first system to execute the file. This includes:
File exists in Add or Remove Programs
Registered as a Service
Registered for Auto-run
10. The VirusTotal tab allows the user to cross-reference the file against VirusTotal. Click Retrieve VirusTotal Information.

Note: You must configure your VirusTotal API Key for this to work. See the VirusTotal section of the Appendix for details.

11. The same steps apply to Certificates. In the TIE Reputations page of ePO go to the Certificate Search tab, enter * in the search field and click Find Certificates.

*Note: hitting Enter will not search. You must use the mouse to click the Find Certificates button.

12. In this case Dropbox had been run. You will have several certificates to research. Microsoft is a very common one.

Click into a certificate to research additional information.

13. In order to help separate real enterprise threats from general background noise in the environment, the TIE Server Dashboard focuses in on new and notable information.

14. New files by GTI reputation: Shows new executable files by McAfee GTI reputation that attempted to run in your environment in the past week. This report is especially useful to quickly see the new files that were malicious or unknown in your environment.

Clicking into the Not Set portion of the graph narrows the view to the files that GTI does not have a reputation for. This makes it easy for an admin to determine where to investigate first.

15. New files in the past 30 days: Shows new executable files that attempted to run in your environment in the past 30 days.

Once TIE has been running in your environment for a few days you will start to only see spikes when there is a possible reason for concern.

Clicking into a data point will show new files by day.

16. Files with changed GTI reputations: Shows files whose reputations were changed in McAfee GTI in the past month.

On further research or new information received, McAfee may determine a reputation change is needed.

The administrator may want to investigate enterprise overrides further if the GTI reputation has changed.

17. Systems with new executable files: Shows the top 10 systems that had the most new executable files attempting to run. This report shows systems that are potentially at risk for new infections because they are accessing the most new executables.

A high new file count on an unexpected system, such as a POS device or production server, might alert the administrator to suspicious behavior.

18. Quick file search: Allows you to search for a specific file string or hash. Partial entries will search for all occurrences.

Any news alert or notification of compromise can be searched. This is a quick place to easily research a specific file or hash (also a good place to research results even from another security product).

Conclusion

By working through this use case you are now aware of the immediate visibility that the TIE solution offers. You can now answer critical security questions:
What is running in my environment?
Where is it running?
When did it run?
Has my environment seen specific malware? Or a recent zero day attack?
Which systems are at most risk from new executables?
Are there systems with unanticipated change?
The TIE Client - A new kind of protection against emerging threats

Now that you are fully aware of the files and associated certificates running in your environment and have been able to explore where possible compromises and threats are occurring, let's take a look at the benefits of the TIE Client.

Pain point: Ineffective protection
McAfee capability to solve the pain: TIE provides organizations with immediate visibility and protection from attacks. Threats are stopped.

The TIE Client makes accurate file execution decisions and leverages the combined intelligence from local endpoint context (file, process, and environmental attributes) and the currently available collective threat intelligence (for example, organizational prevalence, age, reputation, etc.). When you customize the McAfee Threat Intelligence Exchange VirusScan Enterprise Module based on your organization's level of risk tolerance at the endpoint, administrators get the flexibility to set execution conditions driven by their specific requirements. This can be as rigid as adhering to a zero-tolerance policy for unknown or grey files by setting rules that no file is allowed to execute unless it has a known and acceptable reputation.

Pre-requisites:

Sample files Roaming.exe and Hackit.exe

Objective
The objective of this use case is to demonstrate the power of the TIE Client for zero day threats. Successful completion of this use case should demonstrate the added intelligence that the TIE client offers.

Step | Instructions | Image or amplifying instructions

1. Based on our research we know that malware tends to hide itself in specific folders. In this use case we will explore the root of $appdata$\roaming as an indicator of risky behavior.

On the endpoint, in Explorer, navigate to C:\ and select Organize | Folder and Search Options.

On the View tab click Show hidden files, folders, and drives.

2. On your endpoint move the sample file Roaming.exe to C:\Users\<user>\AppData\Roaming

Execute Roaming.exe from this folder.

3. The TIE Client rules will block the file from being executed and expose the context as to which rule was triggered under Convicting Rule.

In this case: Identified suspicious files executing from the roaming folder.

Note: Running from the recycle bin is another good example of a risky behavior we use to help detect malware.

4. To view the added value of the TIE rules across your entire environment select the Dashboard TIE module for VSE enforced events.

Click into Block Events by Event Type.

5. The Rule Name exposes the added value of the TIE Client by explaining the specific rule that was triggered.

Click on Roaming.exe to view additional information on the block.

6. To view the TIE rules in more detail go to Menu | Configuration | Server Settings.

Click Threat Intelligence Exchange Module for VSE.

7. Click Edit to view the rule details.

To change the rule mode click the checkbox next to a rule and click Actions.

Additional bonus exercise: To demonstrate TIE's ability to catch all zero day attacks even further, you may want to manipulate a known file to see what happens.
Pre-requisites:

A hex editor such as HxD (can be downloaded from here http://hxd-hex-editor.soft32.com/)
Hackit.exe

8. Remote Desktop into the client system and run Hackit.exe.

Based on the GTI Known Trusted reputation the file will be allowed to run.

9. Right click the Hackit icon in the system tray and click Shutdown Hack-it.

10. Open Hackit.exe in your hex editor. Edit something minor, such as the text "This program cannot be run in DOS mode", to a different string.

You only need to change it enough to change the file hash.

Save As a new file name.

11. Execute the new file and view the block.

Researching the block in the ePO console you will see it is no longer allowed to run based on GTI reputation as it was in our previous step. File execution is blocked based on its unknown reputation.

Conclusion
The added enterprise, global and local context allow the TIE client to apply a set of rules that indicate risky behavior. As seen in this use case, a file that is unknown in your environment with no confirmed good reputation is automatically blocked, immunizing your enterprise from targeted attacks.

Control - Take immediate action

Now that you have complete visibility of your environment and endpoint protection that takes local, enterprise and global context into account when determining risky behavior, let's take action and apply our new Threat Intelligence to make smarter security decisions.

Pain point: Lack of control - cannot identify or take actions on the unknown
McAfee capability to solve the pain: TIE filters out the threat signal from the background noise of events in order to identify and control suspicious objects

McAfee Threat Intelligence Exchange makes it possible for administrators to easily tailor comprehensive threat intelligence from global intelligence data sources. These can be McAfee Global Threat Intelligence (McAfee GTI) or third-party feeds, combined with local threat intelligence sourced from real-time and historical event data delivered via endpoints, gateways, and other security components. Customers are empowered to assemble, override, augment, and tune the intelligence source information so that they can customize data for their environment and organization (for example, blacklists and whitelists of files and certificates, or certificates assigned to and used by the organization).
Pre-requisites:

For this use case we will be using Artemis-Unknown-AllSL.exe and Morph.exe
Wireshark installed on the endpoint (for certificate based blocking): https://www.wireshark.org/download.html

Objective
The objective of this use case is to demonstrate the informed control that we are giving to the administrator. Successful completion of this use case will demonstrate the added control that TIE & DXL offer against current and future threats.

Step | Instructions | Image or amplifying instructions

1. Click on Menu | Systems Section | TIE Reputations

2. In the File Search tab enter Artemis-Unknown in the search field and click Find Files.

You will not find any results since the file has not been run.

3. Log in to the Client system and attempt to run Artemis-Unknown-AllSL.exe.

You will not be able to execute this file as it is unknown and without a reputation.

4. For this demo, let's pretend that you have researched Artemis-Unknown-AllSL.exe further and decided it is not malicious. If you would like it to be allowed to run in your environment, you need to override its current reputation.

In the File Search tab enter Artemis-Unknown in the search field a second time and click Find Files.

Click the checkbox next to Artemis-Unknown-AllSL.exe and click Actions.

5. Mark Artemis-Unknown-AllSL.exe as File Known Trusted.

Note: Setting the reputation to Most Likely Trusted will also work.

This sets the Enterprise Reputation, which overrides the current block based on unknown.

6. You will be prompted to Add Comment.

Click OK

7. Log in to the Client system and attempt to run Artemis-Unknown-AllSL.exe.

You will now be able to execute this file.

Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent to Server Communication Interval (ASCI).

8. Let's now pretend that you have discovered several different Wireshark versions in your environment, some of which are being used to capture network traffic that you are concerned might be for malicious intent.

Download, install and run Wireshark on your endpoint as instructed on wireshark.org (https://www.wireshark.org/download.html).

9. To prevent all tools signed with this certificate from executing, you would like to block all executables that are signed by the Wireshark certificate.

To do this you need to set its reputation at the enterprise level.

In ePO go to TIE Reputations | Certificate Search tab, enter Wire in the search field and click Find Certificates.

Click the checkbox next to the Wireshark Certificate, click Actions and set the certificate to Most Likely Malicious.

10. You will be prompted to Add Comment.

Click OK

11. Any file signed with the Wireshark certificate will be blocked from executing immediately.

Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent to Server Communication Interval (ASCI).

12. You also have the ability to immunize your environment before a threat occurs. You can get this intelligence from third party threat feeds, the media, or other security products.

Click on Menu | Systems Section | TIE Reputations | File Overrides

Click Actions | Import Reputations

13. Enter
Filename: MORPH.EXE
SHA-1 Hash: 0x13ECDDA4F45CD028221AF300EEBB207B60CB5C6C
MD5 Hash: 0xFB36DE68696BC60D9A51B537F97BDAD3

Set to Most Likely Malicious

Click OK and OK on the confirmation screen.

Note: There is no specified limit on the file size that can be imported, but be aware that every definition will trigger a reputation change event.

**Reputations can also be imported via XML or the ePO API.

Hash tool: Determining the hash of a file allows the administrator to import a reputation before the file ever enters the environment. As referenced in the Content section, a free hash tool can be found at http://www.keir.net/hash.html

14. Log in to the Client system and attempt to run Morph.exe.

The file is blocked immediately because we set its reputation to Most Likely Malicious in the previous step. This reputation was immediately known by the endpoint because TIE and the DXL operate in real time.

15. Click Menu | Reporting | TIE Module for VSE Events for additional event details.

For example: Select Pivot Point: Pivot by Rule to view the number of blocks based on specific TIE Rules. These events were generated as part of the TIE Client use case.

Conclusion
The TIE solution gives the administrator immediate control over files and associated certificates executing in their environment as well as the ability to immunize the enterprise with imported threat intelligence.
Speed and Distribution - It's fast

You may have already noticed this added visibility and control is fast. Threat details collected from malware encountered at endpoints and network gateways can propagate through the data exchange layer in milliseconds, educating all security components to proactively immunize against newly detected threats.

Pain point: Slow response - dependent on vendor signatures and content updates
McAfee capability to solve the pain: Reputation changes are instantly published to all TIE-enabled network, gateway, and endpoint components without requiring traditional DAT file updates or interactive policy management.

Pre-requisites:

Use cases 1 & 3 have been completed
Hackit.exe is on the desktop of your client

Objective
The objective of this use case is to demonstrate the speed and distribution with which the Data Exchange Layer is updated. Successful completion of this use case should demonstrate the near real-time distribution that the Data Exchange Layer offers.

Step | Instructions | Image or amplifying instructions

1. Remote Desktop into the client system and run Hackit.exe. This populates the TIE Reputations page.

Right click the Hackit icon in the system tray and click Shutdown Hack-it.

Be ready to click on Hackit.exe as quickly as possible in a future step.

2. Click on Menu | Systems Section | TIE Reputations

3. In the File Search tab enter Hackit.exe in the search field and click Find Files.

*Note: hitting Enter will not search. You must use the mouse to click the Find Files button.

4. Click the checkbox next to Hackit.exe

5. Are you ready to be quick?

Click Actions and mark Hackit.exe as File Most Likely Malicious.

Move to step 6 quickly.

6. Remote Desktop into the client system and attempt to re-run Hackit.exe.

7. The execution attempt will be blocked.

Note that the reputation update was immediately distributed from ePO to the TIE client over the DXL. This kind of communication typically takes less than 1 second. You can repeat the test by changing the file reputation in ePO from File Most Likely Malicious to File Known Trusted.

Conclusion
No more waiting for agent wake-up calls, slow DAT releases or for the global threat feed to update! The speed and distribution of the Data Exchange Layer provides a communication fabric that allows immediate protection across your entire enterprise.

Incident Response - Patient Zero & Clean Up

Enterprise details collected from file execution allow administrators to track and gather additional information around where and when a file entered their enterprise.
Pre-requisites:

Use cases 1-4 have been completed
Hackit.exe is on the desktop of your client

Objective
The objective of this use case is to demonstrate the incident response capabilities and data held within the TIE server. Successful completion of this use case should demonstrate how to identify when a file first entered your environment as well as how widely the file is being executed. You will also be able to take action by triggering a VSE clean on a known malicious file.

Step | Instructions | Image or amplifying instructions
1. Remote Desktop into the client system and run Hackit.exe

2. Click on Menu | Systems Section | TIE Reputations

3. In the File Search tab enter Hackit.exe in the search field and click Find Files.

*Note: hitting Enter will not search. You must use the mouse to click the Find Files button.

4. Click the checkbox next to Hackit.exe

5. Click Actions | Where Has File Run

6. The number of systems this file was run on will appear as well as the First Reference Date.

Sort the First Reference Date column to identify patient zero.
7. The Management features of ePO allow the user to take appropriate action at the client when an incident arises.

Click into the endpoint to show system information.

The Actions button allows the user to modify the System Health settings, Tag the system, change the policy etc.

8. In step 1 Hackit.exe was executed. On the endpoint you will see the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray.

9. In the Configuring the TIE solution section of this guide we set Clean at Known Malicious for the TIE module for VSE policy.

In this case when a file's Enterprise reputation is set to Known Malicious, a reputation change DXL event goes out immediately. Based on this policy setting the TIE module for VSE triggers a VSE clean.

A VSE clean includes looking for running processes associated with the file and terminating them.

Set the Enterprise reputation to Known Malicious to terminate the file wherever it is running and prevent it from running in the future.

Note: This feature can be disabled by unchecking the Clean at feature in the TIE module for VSE policy.

10. Let's pretend for this demo that Hackit.exe has become a known immediate threat to our environment. Setting the file to Known Malicious will trigger a VSE clean.

In the TIE Reputations page check the box next to Hackit.exe and click Actions | File Known Malicious.

11. Return to the endpoint and observe that the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray have disappeared.

Conclusion
When a compromise does occur, the knowledge gathered by the TIE server empowers admins to respond swiftly and accurately. By setting a file to Known Malicious the administrator can trigger a VSE clean across the entire environment while simultaneously ensuring all future encounters are cleaned.
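Where Has File Run and the First Reference Date used above, and the dashboard reports from the Immediate Visibility use case (New files by GTI reputation, Systems with new executable files, Quick file search), are all different views over the same file execution records. The Python below is an added example, not TIE server code, that computes those views over a constructed event set so the logic behind "patient zero" and "top systems by new files" is visible; the system names, file names, timestamps and the SHA1-x hash placeholders are all made up for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed execution events: (system, file name, SHA-1, GTI reputation, time).
# Hashes are placeholders, not real file hashes; "Not Set" means GTI has no
# reputation for the file, as in the dashboard graph.
EVENTS = [
    ("WS-011", "Hackit.exe", "SHA1-A", "Known Trusted", datetime(2015, 2, 10, 9, 5)),
    ("WS-014", "Hackit.exe", "SHA1-A", "Known Trusted", datetime(2015, 2, 10, 9, 40)),
    ("POS-03", "Hackit.exe", "SHA1-A", "Known Trusted", datetime(2015, 2, 12, 14, 10)),
    ("WS-011", "Artemis-High.exe", "SHA1-B", "Might Be Malicious", datetime(2015, 3, 5, 11, 0)),
    ("WS-020", "Morph.exe", "SHA1-C", "Not Set", datetime(2015, 3, 6, 8, 30)),
    ("POS-03", "Morph.exe", "SHA1-C", "Not Set", datetime(2015, 3, 6, 8, 31)),
    ("POS-03", "tool-x.exe", "SHA1-D", "Not Set", datetime(2015, 3, 6, 9, 0)),
    ("POS-03", "tool-y.exe", "SHA1-E", "Unknown", datetime(2015, 3, 6, 9, 2)),
]
NOW = datetime(2015, 3, 7)  # "today" for the time-windowed reports


def first_reference(events):
    """Per hash: (system, time) of the earliest execution, i.e. first contact."""
    first = {}
    for system, _, sha1, _, ts in events:
        if sha1 not in first or ts < first[sha1][1]:
            first[sha1] = (system, ts)
    return first


def where_has_file_run(events, sha1):
    """Systems that ran the hash, each with its own First Reference Date,
    sorted ascending: the first entry is patient zero."""
    per_system = {}
    for system, _, h, _, ts in events:
        if h == sha1 and (system not in per_system or ts < per_system[system]):
            per_system[system] = ts
    return sorted(per_system.items(), key=lambda item: item[1])


def new_files_by_gti(events, now=NOW, days=7):
    """'New files by GTI reputation': hashes first seen in the window, by level."""
    since = now - timedelta(days=days)
    reputation = {sha1: rep for _, _, sha1, rep, _ in events}
    return Counter(reputation[sha1]
                   for sha1, (_, ts) in first_reference(events).items()
                   if ts >= since)


def systems_with_new_files(events, now=NOW, days=30, top=10):
    """'Systems with new executable files': per system, the number of distinct
    hashes that were new to the environment in the window, highest first."""
    since = now - timedelta(days=days)
    new_hashes = {h for h, (_, ts) in first_reference(events).items() if ts >= since}
    per_system = defaultdict(set)
    for system, _, h, _, _ in events:
        if h in new_hashes:
            per_system[system].add(h)
    ranked = sorted(((s, len(hs)) for s, hs in per_system.items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:top]


def quick_file_search(events, needle):
    """'Quick file search': partial, case-insensitive match on file name or hash."""
    needle = needle.lower()
    return sorted({name for _, name, sha1, _, _ in events
                   if needle in name.lower() or needle in sha1.lower()})


if __name__ == "__main__":
    print("patient zero for SHA1-A:", where_has_file_run(EVENTS, "SHA1-A")[0])
    print("new files by GTI reputation (7 days):", dict(new_files_by_gti(EVENTS)))
    print("systems with new files (30 days):", systems_with_new_files(EVENTS))
    print("search 'artemis':", quick_file_search(EVENTS, "artemis"))
```

With the constructed data the POS device tops the new-files report, which is the situation step 17 of the Immediate Visibility use case flags as worth a closer look, and the oldest First Reference Date for Hackit.exe points at WS-011 as patient zero.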
Appendix

McAfee Advanced Threat Defense for Automated Intelligence

If a file's reputation is unknown or is not certain, you can submit it to Advanced Threat Defense for further analysis. McAfee Advanced Threat Defense detects today's stealthy, zero-day malware with an innovative, layered approach. It combines low-touch antivirus signatures, reputation, and real-time emulation defenses with in-depth static code and dynamic malware analysis (sandboxing) to analyze the actual behavior of malware. Combined, this represents the strongest advanced anti-malware technology in the market, and effectively balances the need for both security and performance. Files can be sent from Threat Intelligence Exchange to Advanced Threat Defense automatically based on their reputation level and file size. For additional information on ATD please take a look at our product page http://www.mcafee.com/us/products/advanced-threat-defense.aspx
If Advanced Threat Defense is present, the following steps occur (based on policy):

Endpoints running McAfee Threat Intelligence Exchange can inspect files on execution. If that inspection is inconclusive, the file can be sent to McAfee Advanced Threat Defense for further analysis.
Note: The file is actually sent from the endpoint to the TIE server, and then the TIE server sends the file to ATD.
After analysis, McAfee Advanced Threat Defense will publish the file's reputation to the DXL. At that point, the endpoint (and all other products on the DXL) will be notified if it is malicious.

Pre-requisites:

ATD is configured in the TIE Server Management Policy.
Note: This configuration was implemented earlier in this document
Download the set of test samples provided here: http://mcaf.ee/yiuva
For this use case we will be using Artemis-Unknown-All.exe

Objective
The objective of this guide is to demonstrate automation capabilities when integrating with McAfee Advanced Threat Defense. ATD eliminates the need for administrators to review file executions in ePO. It further eliminates the need to make decisions about whether the file is good or bad by making the determination and then publishing the reputation to the DXL, all with zero administrator involvement. Successful completion of this use case should demonstrate that any ATD conviction will automatically immunize your entire environment.

Step | Instructions | Image or amplifying instructions

1. To access the TIE Server settings policy, select Menu | Policy | Policy Catalog and select McAfee TIE Server Management 1.0.0 in the Product dropdown. Click into My Default to edit.

2. This step was also performed in the Configuring the TIE solution section of this document.

The steps are repeated here in case McAfee ATD is added later in the product evaluation.

On the Advanced Threat Defense (ATD) tab configure ATD server settings. Files can be sent to ATD for further evaluation.

Check Enabled

Enter the User name and Password for the ATD Server.

Note: The sample will be submitted from the TIE Server.

The online help provides guidance on each option.

3. To access the TIE Client policy, select Menu | Policy | Policy Catalog and select Threat Intelligence Exchange Module for VSE 1.0.0 in the Product dropdown.

4. Check Submit files to ATD at Unknown

The files are sent to Advanced Threat Defense when the following occurs:
- The Threat Intelligence Exchange server does not have Advanced Threat Defense information about the file.
- The file is at or below the reputation level you specify.
- The file is at or below the file size limit you specify.
- The file has not already been submitted to ATD by another endpoint or security product in your environment.
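The four conditions above decide which executions actually reach ATD, and the last one is what keeps a file that runs on fifty endpoints from being sandboxed fifty times. The Python below is an added example, not TIE server code: a submission gate that applies those conditions to a set of constructed execution reports. The level names are the ones this guide uses; the numeric ordering, the file size limit value, the class and function names and the report format are assumptions for the example.

```python
# Reputation levels named in this guide, ordered from most to least threatening.
LEVELS = ["Known Malicious", "Most Likely Malicious", "Might Be Malicious",
          "Unknown", "Most Likely Trusted", "Known Trusted"]


def rank(level):
    """Position of a level in LEVELS; lower means more threatening."""
    return LEVELS.index(level)


class AtdSubmissionGate:
    """Decides whether one execution report should lead to an ATD submission.

    submit_at      - the "Submit files to ATD at" policy level (this guide: Unknown)
    max_size_bytes - the policy's file size limit (the value is assumed here)
    """

    def __init__(self, submit_at="Unknown", max_size_bytes=20 * 1024 * 1024):
        self.submit_at = submit_at
        self.max_size_bytes = max_size_bytes
        self.submitted = set()  # hashes already forwarded, from any endpoint

    def decide(self, sha1, size_bytes, reputation, atd_reputation=None):
        """Return (submit, reason) for a file seen executing on an endpoint."""
        if atd_reputation is not None:
            return False, "ATD already has a verdict for this file"
        if rank(reputation) > rank(self.submit_at):
            return False, f"reputation {reputation} is above the {self.submit_at} level"
        if size_bytes > self.max_size_bytes:
            return False, "file exceeds the size limit"
        if sha1 in self.submitted:
            return False, "already submitted by another endpoint"
        self.submitted.add(sha1)
        return True, "sent to the TIE server for ATD analysis"


def run_demo():
    """Constructed execution reports; hashes and sizes are placeholders, not real files.
    Returns [(system, file name, submitted?)] in report order."""
    gate = AtdSubmissionGate()
    reports = [
        # system, file, sha1, size in bytes, reputation, ATD reputation if known
        ("WS-011", "Artemis-Unknown-All.exe", "SHA1-UNKNOWN-SAMPLE", 40_000, "Unknown", None),
        ("WS-014", "Artemis-Unknown-All.exe", "SHA1-UNKNOWN-SAMPLE", 40_000, "Unknown", None),
        ("WS-011", "Hackit.exe", "SHA1-HACKIT", 120_000, "Known Trusted", None),
        ("WS-020", "big-installer.exe", "SHA1-BIG", 300 * 1024 * 1024, "Unknown", None),
        ("WS-020", "Morph.exe", "SHA1-MORPH", 50_000, "Known Trusted", "Most Likely Malicious"),
    ]
    results = []
    for system, name, sha1, size, reputation, atd_reputation in reports:
        submit, reason = gate.decide(sha1, size, reputation, atd_reputation)
        results.append((system, name, submit))
        print(f"{system} {name:26s} submit={submit!s:5s} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

Only the first report is forwarded: the second is the same hash from another endpoint, Hackit.exe is above the Unknown level, the installer exceeds the size limit, and Morph.exe already has an ATD verdict, which is exactly the set of exclusions the four bullets describe.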

5. In TIE Reputations click Actions | Choose Columns.

Add ATD Reputation and click Save.

6. On your endpoint execute Artemis-Unknown-All.exe.

This sample will be sent to ATD because it has an unknown reputation and we set the policy to send files to ATD if they have an unknown reputation.

Also note that the file's execution will be blocked on the endpoint because we set the policy to block on unknown. So in this case, the end user will be protected and the file will go to ATD for further analysis.

7. The sample file will be sent from the client to the TIE server. The TIE Server then submits the sample to ATD. In ATD you will see Artemis-Unknown-All.exe.

8. Wait for the file to be analyzed. The ATD Analysis Results will expose the sample results as well as the reason.

9. In ePO under TIE Reputations you will see the Known Malicious reputation determined by ATD.

Conclusion
McAfee Advanced Threat Defense connects your security ecosystem by sharing reputation information over the DXL. When an administrator does not want the hassle of researching each unknown or risky file, McAfee ATD can offload that responsibility. ATD also improves the efficiency of your security ecosystem. Sharing reputation information means that all future encounters of a file will already have a reputation and will not have to be analyzed again.

VirusTotal

VirusTotal (https://www.virustotal.com) is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. With a very large database of highly regarded information, McAfee TIE has integrated this 3rd party feed as the first of our integrations.
In order to take advantage of the VirusTotal integration you will need a private or public API key. Public keys are free. To obtain your public key take the following steps.

Step | Instructions | Image or amplifying instructions

1. You do not need to ask for a public API key; in order to get one you just have to register in the VirusTotal Community: https://www.virustotal.com/en/#signup

2. Fill in the required registration information.

Click Sign up.

3. You will receive a confirmation screen advising an e-mail was sent.

Click Close

4. The e-mail received will appear as follows.

Click the activation link

5. You will receive a confirmation screen

Click Sign in

6. Enter Username and password

Click Sign in.

7. Once you are successfully logged in click your username in the upper right corner.

Click My API key

8. Note your API Key to configure TIE to gain access.

This API Key is used in the TIE Server Configuration.

9. A public API key comes with the following properties.

You may learn more about its functionality in the public API documentation
3
Baseline Gold Images with the TIE Scanner

The TIE Scan tool performs TIE analysis on user-specified files and folders, and
populates a TIE server database. The Tie Scanning tool is not an official part of the
product and comes with minimal/no support or documentation.
Pre-requisites:

The endpoint must contain the McAfee Agent 5.0 and be connected to the TIE
Server over DXL.
TIEScanner.exe included in the package

Objective
The objective of this use case is to populate the TIE server with files already known
to the environment to establish a baseline.

Step / Instructions / Image or amplifying instructions

1. Place TIEScanner.exe on the gold image that you would like to use for your baseline.

2. A pop-up requests a location for the extracted files. Browse and click OK when done.
   Several files will be extracted to this location. For additional information review the
   ReadMeTieScan.txt.

3. Open a command prompt, navigate to the folder you extracted to in the last step and run:
   TIEScan <file|folder> [/recurse]

   ex1: tiescan c:\ /recurse               <- This will scan the C drive
   ex2: tiescan c:\windows\notepad.exe     <- This will scan notepad

4. Depending on the size of the directory the scan could take several hours. When complete
   the TIE Scanning tool will detach. At this point the scan is complete.
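The baseline procedure above is normally repeated over several folders of a gold image, and each run can take hours. The following PowerShell wrapper is an added example (not part of the TIE package or this guide): it runs TIEScan with /recurse over a list of folders one after another and records start time, duration and exit code per folder, so the operator can tell which parts of the image have been baselined. It assumes the extracted command is tiescan.exe in the folder chosen in step 2 and that the McAfee Agent service is named masvc; both are assumptions, and all paths are placeholders.

```powershell
# Added example, not from the TIE package or this guide.
# Assumptions: tiescan.exe lives where TIEScanner.exe extracted its files (step 2),
# and the McAfee Agent 5 service is named 'masvc'. Adjust both to your environment.

$ScanTool = 'C:\Tools\TIEScan\tiescan.exe'          # assumption: extraction location
$LogFile  = 'C:\Tools\TIEScan\baseline-log.csv'      # where the per-folder results go
$Targets  = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')  # gold-image folders

if (-not (Test-Path $ScanTool)) { throw "TIEScan not found at $ScanTool" }

# Pre-requisite from the guide: the McAfee Agent must be present and connected over DXL,
# otherwise the scan results never reach the TIE server. Cheap check before a long run.
$agent = Get-Service -Name 'masvc' -ErrorAction SilentlyContinue   # assumption: service name
if (-not $agent -or $agent.Status -ne 'Running') {
    Write-Warning 'McAfee Agent service not found or not running; reputations will not be populated.'
}

# Run serially: the guide notes a single folder can take several hours.
$results = foreach ($target in $Targets) {
    if (-not (Test-Path $target)) {
        Write-Warning "Skipping missing path $target"
        continue
    }
    $start = Get-Date
    # /recurse walks the whole folder tree, as in the guide's "tiescan c:\ /recurse" example.
    & $ScanTool $target /recurse
    $exit = $LASTEXITCODE     # recorded for reference; the tool's exit codes are undocumented

    [pscustomobject]@{
        Target   = $target
        Started  = $start.ToString('s')
        Minutes  = [math]::Round(((Get-Date) - $start).TotalMinutes, 1)
        ExitCode = $exit
    }
}

$results | Export-Csv -Path $LogFile -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it from an elevated prompt on the gold image; the CSV doubles as a record of which folders were baselined and when.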

Troubleshooting

Troubleshoot the installation


If you experience problems installing or accessing the Threat Intelligence Exchange module
for VirusScan Enterprise, the Threat Intelligence Exchange server, or the Data Exchange Layer
client, follow these steps:

1. In McAfee ePO, click Menu | System Tree, then select the checkbox for the Threat
   Intelligence Exchange server.

2. Click Wake Up Agents. On the Wake Up McAfee Agent page, select the checkbox Force complete
   policy and task update, then click OK.
   This sends the server properties from the Threat Intelligence Exchange appliance to
   McAfee ePO.

3. Verify that this task completed in the server task log.

4. In the System Tree, click the server name, then click the Products tab. Verify that the
   following products are listed:
   - McAfee DXL Broker
   - McAfee DXL Client
   - McAfee Threat Intelligence Exchange Server

5. Click Menu | Automation | Server Tasks and run the task: Apply TIESERVER tags to TIE Server.
   In the System Tree, verify that the TIESERVER tag has been applied to the system.

6. Click Menu | Automation | Server Tasks and run the task: Manage DXL Brokers.
   In the System Tree, verify that the DXLBROKER tag has been applied to the system.

7. After the tags have been successfully applied, click System Tree, select the Threat
   Intelligence Exchange server, then click Wake Up Agents.

8. On the Wake Up McAfee Agent page, select the checkbox Force complete policy and task
   update, then click OK.

9. Verify that this task completed in the server task log.

10. Click Menu | Configuration | Server Settings, then click DXL Client for ePO. Verify that
    the Connection State is Connected.

11. To verify that the DXL and TIE services are running, on the virtual machine open a
    Console window, log in and enter:
    service dxlbroker status
    then enter:
    service tieserver status
    You should see both services running.

12. In the System Tree, select the Threat Intelligence Exchange server and from the Actions
    menu, click DXL | Lookup in DXL. Verify that the Connection State is Connected.
Logfiles

Threat Intelligence Exchange server: /var/McAfee/tieserver/logs/tieserver.log
Threat Intelligence Exchange module for VirusScan Enterprise: %programdata%\McAfee\TIEM
Data Exchange Layer Client: %programdata%\McAfee\Data_eXchange_Layer
Data Exchange Layer Broker: /var/McAfee/dxlbroker/logs/dxlbroker.log

Reconfiguring using scripts

Scripts are available to reconfigure the Threat Intelligence Exchange server, Data
Exchange Layer brokers, and the McAfee Agent.

Accessing the scripts

The scripts are located in the /home/<username> directory. They must be executed
with sudo permissions, for example sudo /home/myname/change-hostname.
