TIE Server provides a set reputation remote command through the ePolicy Orchestrator (ePO) Web API. It is intended to automate reputation overrides for a given set of file and certificate hashes. Bulk execution is supported and can be audited from the ePO Audit Log. Overrides always take precedence, so we recommend that you periodically reconcile overrides against other reputations and remove reputations that are already covered, to maintain adaptive capabilities.
The command syntax is tie.setReputations [fileReps] [certReps]. Specify at least one fileReps or certReps; you can specify both in the same payload call. Use JSON strings to represent files and certificates. Make sure that the hashes are Base64 encoded, and use one of the following values to specify the reputation:
- 1 (Known Malicious)
- 15 (Most Likely Malicious)
- 30 (Might Be Malicious)
- 50 (Unknown)
- 70 (Might Be Trusted)
- 86 (Most Likely Trusted)
- 99 (Known Trusted)
The following is an example payload that sets the reputation of a single file to Known Trusted:
fileReps = [{"name":"test.exe",
"sha1":"udrarummyjtffybxaflkxzjhpao=",
"md5":"gixbyabniwsaanqznfufxe==",
"sha256":"icidutgqksorrzjvqsepfmkyiambtbufcckwarjmqth==",
"reputation":"99"}]
One of the following hash types is mandatory: sha1, md5, sha256, or reputation. The attributes name and the additional hash types are optional. We recommend that you provide as many hash types as possible for a given file, because integrated products might not honor some hashes.
The following is an example payload that sets the reputation of a single certificate to Known Trusted:
certReps = [{"sha1":"frATnSF1c5s8yw0REAZ4IL5qvSk=",
"publicKeySha1":"udrarummyjtffybxaflkxzjhpao=",
"reputation":"99"}]
The attributes sha1 and reputation are mandatory. The attribute publicKeySha1 is optional.
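Most tools report hashes as hex strings, so they must be converted before they go into fileReps or certReps. The following added example (not part of the product documentation) builds and validates both payloads; it assumes the Base64 values encode the raw digest bytes, which matches the 28-character sha1 values shown above, and all function names in it are hypothetical.

```python
import base64
import hashlib
import json

REPUTATIONS = {1, 15, 30, 50, 70, 86, 99}  # values listed on this page
# Raw digest sizes in bytes, used to reject truncated or mistyped hashes.
DIGEST_LEN = {"md5": 16, "sha1": 20, "publicKeySha1": 20, "sha256": 32}

def hex_to_b64(field, hex_digest):
    """Base64-encode the raw digest bytes, not the hex text itself."""
    raw = bytes.fromhex(hex_digest.strip())
    if len(raw) != DIGEST_LEN[field]:
        raise ValueError(f"{field}: expected {DIGEST_LEN[field]} bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")

def encode_entry(hex_hashes, reputation):
    """Validate the reputation and encode every hash in one entry."""
    if reputation not in REPUTATIONS:
        raise ValueError(f"unsupported reputation value: {reputation!r}")
    entry = {field: hex_to_b64(field, value) for field, value in hex_hashes.items()}
    entry["reputation"] = str(reputation)  # the page's payloads quote the value
    return entry

def file_rep(reputation, name=None, **hex_hashes):
    """One fileReps entry; needs at least one of md5, sha1, sha256."""
    if not hex_hashes or set(hex_hashes) - {"md5", "sha1", "sha256"}:
        raise ValueError("give one or more of md5, sha1, sha256 and nothing else")
    entry = {"name": name} if name else {}
    entry.update(encode_entry(hex_hashes, reputation))
    return entry

def cert_rep(reputation, sha1, publicKeySha1=None):
    """One certReps entry; sha1 is mandatory, publicKeySha1 is optional."""
    hashes = {"sha1": sha1}
    if publicKeySha1:
        hashes["publicKeySha1"] = publicKeySha1
    return encode_entry(hashes, reputation)

def to_param(entries):
    """Serialize a list of entries as the JSON string for fileReps or certReps."""
    return json.dumps(entries, separators=(",", ":"))

if __name__ == "__main__":
    data = b"constructed sample file contents"  # constructed, not a real file
    reps = [file_rep(99, name="test.exe",
                     md5=hashlib.md5(data).hexdigest(),
                     sha1=hashlib.sha1(data).hexdigest(),
                     sha256=hashlib.sha256(data).hexdigest())]
    print("fileReps =", to_param(reps))
```

Rejecting a wrong-length digest before submission keeps a mistyped hash from becoming an override that matches nothing, or matches the wrong object.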