How to enable Global Threat Intelligence in our products
Technical Articles ID: KB70130
Last Modified: 2024-02-06 12:37:02 Etc/GMT
Environment
Global Threat Intelligence (GTI) Technology
GTI File Reputation
GTI Message Reputation
GTI Network Connection Reputation
GTI Web Categorization
GTI Web Reputation
Summary
What's GTI?
GTI is a cloud-based threat intelligence service that works with selected products. When GTI detects a potential threat, the following actions take place:
GTI-enabled products query the GTI cloud.
The cloud renders a response in the form of a reputation score or categorization information.
The product takes policy-based action in your environment.
Supported products
We've added GTI support to the following products:
NOTE: This list is updated when further support becomes available.
To enable GTI for your managed products:
See the following sections for information about enabling GTI File Reputation in your product:
ENS is integrated with GTI File Reputation. To enable GTI File Reputation, perform the steps below:
Log on to the ePolicy Orchestrator (ePO) console.
Click Menu, Policy, Policy Catalog.
Select Endpoint Security Threat Prevention from the Product drop-down list.
Select On-Access Scan / On-Demand Scan from the Category drop-down list.
Click the policy.
In the McAfee GTI section, select Enable McAfee GTI.
Select the Sensitivity level to determine whether a detected sample is malware.
Click Save.
Host IPS is integrated with GTI Network IP Connection Reputation. To enable this service, perform the steps below:
In ePO, go to the Policy Catalog.
Select Host Intrusion Prevention 8.0 or later: Firewall under Product.
Select Firewall Options under Categories.
Click Edit corresponding to the policy for which you want to enable GTI.
Select a value from the drop-down list for Incoming/Outgoing TrustedSource Block Threshold.
Trellix IPS is integrated with GTI File and Network Connection Reputation. To enable GTI File Reputation, perform the steps below:
In the Resource Tree, select IPS Settings and select the Malware Detection tab.
Set the GTI File Reputation specific options for the sensor, including DNS servers, Sensitivity Level, and Response Action.
From here, you can also manage options related to the use of custom fingerprints.
Click Save.
Select Enable options.
Set the Enable options per sensor and port or port pair.
For each port or port pair, choose a direction and detection type.
Click Save, and then select Configuration Update for the changes to take effect.
To enable GTI Network Connection reputation, perform the following steps:
In the Manager Resource Tree, select IPS Settings and select the Malware Detection tab.
In the Manager, navigate to My Company/Integration and then Global Threat Intelligence. You can then choose your participation levels, alert details, and technical information.
Network Threat Behavior Analysis is integrated with GTI Network Connection Reputation. To enable this service, perform the steps below:
In the Trellix IPS Manager, navigate to My Company/Integration, and then select Global Threat Intelligence.
You can now configure participation levels, alert details, and technical information as needed.
Security for Exchange is integrated with GTI Message Reputation.
To enable GTI Message Reputation, perform the steps below:
Click Start, Programs, McAfee, Security for Microsoft Exchange, Product Configuration.
Click Settings & Diagnostics.
Click Anti-Spam.
Under McAfee Global Threat Intelligence message reputation, select Enable message reputation.
Click Apply.
To configure GTI locally, perform the following steps:
Click Start, Programs, McAfee, Security for Microsoft Exchange, Product Configuration.
Click Policy Manager, and then select On-Access or On Demand.
Click Master policy.
Click Anti-Virus Scanner.
Under Activation, select Enable.
Under Options, select the anti-virus option you want to configure and click Edit.
Select the Scanner Options you require, and then select Enable Artemis Technology and the needed Sensitivity Level:
Disabled: GTI is turned off
Very Low: For desktops or servers with restricted user rights and a strong security footprint
Low: Minimum recommendation for laptops or desktops or servers with a strong security footprint
Medium: Minimum recommendation for laptops or desktops or servers
High: For deployment to systems or areas that are regularly infected
Very High: In Email and On-Demand Scans on non-operating system volumes
Click Save.
Click Apply.
Refresh the page. The policy setting changes display.
To configure GTI using ePO, perform the steps below:
Log on to the ePO server as an administrator.
Click Systems, System Tree, select the appropriate group, and then select the individual systems.
Click Assigned Policies.
Select the appropriate Product, Category, Policy, and then click Save.
Click Policy Manager, and then select On-Access or On Demand.
Click Master policy.
Click Anti-Virus Scanner.
Under Activation, select Enable.
Under Options, select the anti-virus option that you want to configure and click Edit.
Select the Scanner Options you require, and then select Enable Artemis Technology and the needed Sensitivity Level:
Disabled: GTI is turned off
Very Low: For desktops or servers with restricted user rights and a strong security footprint
Low: Minimum recommendation for laptops or desktops or servers with a strong security footprint
Medium: Minimum recommendation for laptops or desktops or servers
High: For deployment to systems or areas that are regularly infected
Very High: In Email and On-Demand Scans on non-operating system volumes
Click Save.
Select the client computer, and then send an Agent wake-up call.
NOTES:
GTI is supported with Security for Microsoft SharePoint as of version 2.5.
GTI does not replace signature files. DAT files are still needed for further actions such as cleaning and repair.
GTI protection is available only if your computer is connected to the internet. Without internet connectivity, computers are protected by the local DAT files, but GTI isn't active.
GTI uses a small amount of bandwidth and is suitable for use on low-speed connections.
To configure GTI locally, perform the steps below:
Log on to the Microsoft SharePoint server with an Administrator account.
Open the Security for Microsoft SharePoint Server.
Click Policy Manager, then select On-Access or On Demand.
Click Master Policy.
Click Anti-Virus Scanner.
Under Activation, select Enable.
Under Options, select the anti-virus option you want to configure and click Edit.
Select the Basic Options, and then select Enable Artemis Technology and the needed Sensitivity Level:
Disabled: GTI is turned off
Very Low: For desktops or servers with restricted user rights and a strong security footprint
Low: Minimum recommendation for laptops or desktops or servers with a strong security footprint
Medium: Minimum recommendation for laptops or desktops or servers
High: For deployment to systems or areas that are regularly infected
Very High: In Email and On-Demand Scans on non-operating system volumes
Click Save.
Click Apply.
Refresh the page. The policy setting changes display.
To configure GTI using ePO, perform the steps below:
Log on to the ePO server as an Administrator.
Click Systems, System Tree, select the appropriate group, and then select the individual systems.
Click Assigned Policies.
Select the appropriate Product, Category, and Policy, and then click Save.
Click Policy Manager, and then select On-Access or On Demand.
Click Master Policy.
Click Anti-Virus Scanner.
Under Activation, select Enable.
Under Options, select the antivirus option you want to configure and click Edit.
Select the Basic Options, and then select Enable Artemis Technology and the needed Sensitivity Level:
Disabled: GTI is turned off
Very Low: For desktops or servers with restricted user rights and a strong security footprint
Low: Minimum recommendation for laptops or desktops or servers with a strong security footprint
Medium: Minimum recommendation for laptops or desktops or servers
High: For deployment to systems or areas that are regularly infected
Very High: In Email and On-Demand Scans on non-operating system volumes
Click Save.
Select the client computer, and then send an Agent wake-up call.
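The Sensitivity Level guidance in the Exchange and SharePoint procedures above can be checked across a fleet with a short script. This is an added example, not part of the original article or of any product: the CSV columns (host, kind, hardened, restricted, scan, level) and the sample rows are constructed, and the rules are one reading of the table. It does not check whether an on-demand scan targets non-operating system volumes.

```python
# Added example: lint an inventory against the article's Sensitivity Level guidance.
# Column names are hypothetical; they are not an ePO export format.
import csv
import io

LEVELS = ["Disabled", "Very Low", "Low", "Medium", "High", "Very High"]

# Constructed sample data, not taken from any real environment.
SAMPLE = """host,kind,hardened,restricted,scan,level
ws-001,desktop,yes,yes,on-access,Very Low
lt-014,laptop,yes,no,on-access,Very Low
srv-db1,server,no,no,on-access,Low
srv-web2,server,no,no,on-access,Medium
mx-01,server,yes,no,email,Very High
ws-077,desktop,no,no,on-access,Very High
kiosk-3,desktop,yes,yes,on-demand,Disabled
"""

def minimum_level(kind, hardened, restricted):
    """Lowest level the guidance allows for this system (assumed reading)."""
    if hardened and restricted and kind in ("desktop", "server"):
        return "Very Low"   # restricted user rights and strong security footprint
    if hardened:
        return "Low"        # strong security footprint only
    return "Medium"         # general minimum recommendation

def audit(text):
    """Return (host, finding) pairs for rows that deviate from the guidance."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        level = row["level"].strip()
        if level not in LEVELS:
            findings.append((row["host"], f"unknown level {level!r}"))
            continue
        floor = minimum_level(row["kind"], row["hardened"] == "yes",
                              row["restricted"] == "yes")
        if level == "Disabled":
            findings.append((row["host"], "GTI is turned off"))
        elif LEVELS.index(level) < LEVELS.index(floor):
            findings.append((row["host"], f"{level} is below the minimum {floor}"))
        elif level == "Very High" and row["scan"] not in ("email", "on-demand"):
            findings.append((row["host"], "Very High is meant for email and on-demand scans"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```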
SiteAdvisor Enterprise is the first version to use GTI URL reputation. To enable this service, perform the steps below:
In ePO, select Menu, Policy, Policy Catalog.
Select Product - SiteAdvisor Enterprise 3.5 or later.
Click Enable or Disable from the policy menu.
VSE is integrated with GTI File Reputation. Lookup levels can be configured through ePO policy or locally through the VSE console. GTI-related settings can be found in the general section of On-Access Scanner (OAS) or Artemis (Heuristic network check for suspicious files).
IMPORTANT:
When checking in packages to ePO, there are three options: Current, Previous, and Evaluation. The default is for all clients to use Current.
To stage deployments, you can assign a group of computers to update from the Evaluation branch. You can then check in the SuperDAT as Evaluation.
To enable GTI in VSE 8.8 using ePO 5.x, perform the steps below:
On-Delivery Email Scan policy:
In ePO, click Menu, Policy, Policy Catalog.
Select VirusScan Enterprise 8.8.0, On Delivery Email Scan Policies.
Select to edit the policy in use, or create a policy.
Select Server or Workstation.
Select the Scan Items tab:
Next to Heuristics, enable Find unknown program threats and trojans.
Next to Artemis (heuristic network check for suspicious files), select the Sensitivity level.
Save the policy.
On-demand scan task:
In ePO, click Menu, Systems, System Tree.
Click the Assigned Client Tasks tab, and then use the Actions menu to create a New Client Task Assignment:
Under Product, select VirusScan Enterprise 8.8.0.
Under Task Type, select On-Demand Scan.
Under Task Name, select Create New Task.
Type a name and description, and then select the Performance tab.
On the Scan Items tab beside Heuristics, enable Find Unknown program threats.
Next to Artemis (heuristic network check for suspicious files), select the Sensitivity level.
Click Save.
To schedule the task to run, click Next.
To review and save the task, click Next, then Save the task.
On-Access Scan policy:
a. In ePO, click Menu, Policy, Policy Catalog.
b. Select VirusScan Enterprise 8.8.0, On Access General Policies.
c. Select to edit the policy in use, or create a policy.
d. Select Server or Workstation.
e. Select the General tab, then select the Sensitivity level beside Artemis (heuristic network check for suspicious files).
f. Save the policy.
g. Select On-Access Default Processes Policies.
h. Select to edit the policy in use, or create a policy.
i. Select to edit the policy for Server or Workstation.
j. Click the Scan Items tab and enable Find unknown unwanted programs and trojans beside Heuristics.
k. Save the policy.
l. Replicate steps g–k for On-Access High-Risk / Low-Risk Process Policies.
To configure GTI settings for VSE 8.8 locally, perform the steps below:
Right-click the VSE shield in the taskbar and select VirusScan Console.
Double-click the On-Delivery Email Scanner and select the Scan Items tab:
Enable Find unknown unwanted program threats and trojans and Find unknown macro threats under Heuristics.
Set the Sensitivity level under Artemis (heuristic network check for suspicious files).
Click OK.
Double-click the On-Access Scanner:
Select General Settings and set the Sensitivity level under Artemis (heuristic network check for suspicious files).
Select All Processes and enable Find unknown unwanted program threats and trojans and Find unknown macro threats under Heuristics.
Click OK.
Double-click Full Scan (on-demand scan):
Select Scan Items tab and enable Find unknown unwanted program threats and trojans and Find unknown macro threats under Heuristics.
Select the Performance tab and set the Sensitivity level under Artemis (heuristic network check for suspicious files).
Click Start.
Skyhigh Web Gateway is integrated with GTI File Reputation, web categorization, and web reputation.
To enable GTI File Reputation, perform the steps below:
In the policy screen, in the settings tab to the left, drill down on engines, antimalware, and gateway antimalware.
Under Advanced Settings, click Enable Artemis Queries.
To enable GTI Web Categorization and Reputation, perform the following steps:
Staying in the policy screen and settings tab on the left, drill down to TrustedSource, Default.
To the right, select "Do in the cloud rating if local rating yields no result" for web categorization and "Use default TrustedSource server for in the cloud rating" for web reputation.
Geolocation information is only available through cloud look-ups. To enable geolocation, select "Only use in the cloud rating services".