McAfee QUICKCLEAN 1.0 User Manual Page 11

How Threat Intelligence Exchange works
Threat Intelligence Exchange is the first product to use the Data Exchange Layer framework to share
file and threat information instantly across the entire network environment.
In the past, you sent an unknown file or certificate to McAfee for analysis, then updated the file
information throughout the network days later. Threat Intelligence Exchange lets you control file
reputation at a local level, within your own environment. You decide which files can run and which are blocked.
The Data Exchange Layer shares the information immediately throughout your environment.
Scenarios for using Threat Intelligence Exchange
Immediately block a file — Threat Intelligence Exchange alerts the network administrator of an
unknown file in the environment. Instead of sending the file information to McAfee for analysis, the
administrator can block the file. With the file prevented from running, the administrator can use
Threat Intelligence Exchange to learn whether the file is a threat and how many systems ran the
file.
Allow a custom file to run — A company routinely uses a file whose default reputation is
malicious, for example a custom file created for the company. Because this file is allowed, instead
of sending the file information to McAfee and receiving an updated DAT file, the administrator can
change the file's reputation to trusted and allow it to run without warnings or prompting.
Import known reputations — A company has several files that are trusted and used regularly,
and other files that are not allowed. Because the reputations are already known and set, the
administrator can import that list of files and their reputations directly into the Threat Intelligence
Exchange database and those reputations are used immediately with no further action.
Find additional information about a file — Threat Intelligence Exchange notifies the network
administrator of an unknown file. The administrator looks at the available reputation details for the
file, then wants to learn more about it. The administrator can access VirusTotal from the Threat
Intelligence Exchange module for VirusScan Enterprise to see more detailed information about the
file.
How a reputation is determined
File and certificate reputation is determined when a file attempts to run on a managed system.
These steps occur when determining a file or certificate's reputation.
1. The end user or system attempts to run a file.
2. VirusScan Enterprise inspects the file and can't determine its validity and reputation.
3. The module for VirusScan Enterprise inspects the file and gathers file and local system properties
   of interest.
4. The module checks the local reputation cache for the file hash. If the file hash is found, the module
   gets the enterprise prevalence and reputation data for the file from the cache.
5. If the file hash is not found in the local reputation cache, the module then queries the Threat
   Intelligence Exchange server for the file hash. If the hash is found, the module gets the enterprise
   prevalence data (and any available reputations) for that file hash.
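The lookup order in steps 4 and 5, together with the "Import known reputations" scenario, modeled as an added example (not code from the product or this guide). The class and function names, the use of SHA-256, the record layout, and the caching of server answers are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical model only: none of these names are the product's API.

@dataclass
class Record:
    reputation: Optional[str]  # e.g. "trusted" or "malicious"; None if none is set
    prevalence: int            # enterprise prevalence value held for the hash

def file_hash(data: bytes) -> str:
    # Assumption: SHA-256. The page does not say which hash is used.
    return hashlib.sha256(data).hexdigest()

class Server:
    """Stands in for the server-side reputation database."""
    def __init__(self):
        self.db = {}

    def import_reputations(self, rows):
        # "Import known reputations": administrator-supplied (hash, reputation)
        # pairs are stored and usable immediately.
        for h, rep in rows:
            self.db.setdefault(h, Record(None, 0)).reputation = rep

    def query(self, h):
        return self.db.get(h)

class Module:
    """Stands in for the endpoint module with its local reputation cache."""
    def __init__(self, server):
        self.server = server
        self.cache = {}

    def lookup(self, data: bytes):
        """Return (source, record); source is 'cache', 'server' or 'unknown'."""
        h = file_hash(data)
        if h in self.cache:              # step 4: local reputation cache first
            return "cache", self.cache[h]
        rec = self.server.query(h)       # step 5: fall back to the server
        if rec is not None:
            self.cache[h] = rec          # assumption: server answers are cached
            return "server", rec
        return "unknown", None           # the steps on this page stop here
```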
McAfee Threat Intelligence Exchange 1.0.0 Product Guide