In some scenarios, the same Global Threat Intelligence (GTI) file reputation configuration applied across different products and modules might produce different behavior because of each product's core design. These behavioral differences are expected: each product's inherent feature design has different needs and allows different actions. This design provides layered security with consistent technology from GTI file reputation, and gives the security administrator the flexibility to determine a system's overall use and security goals.
Example:
You place file "x" on three systems: one with ACC installed, one with ENS Threat Prevention installed, and one with ENS ATP installed. All systems are configured with a "Most Likely Malicious" GTI file reputation threshold. The behavior differs as follows:
- File "x" receives a "block" action from ACC due to the GTI file reputation configured threshold.
- File "x" receives no action from the ENS on-access scan (OAS) and on-demand scan (ODS) scanners.
- File "x", when executed on the system with ENS ATP installed, receives a "Real Protect" threat detection from ATP.
Explanation:
Below is an explanation of why each product and module presents different behavior.
ACC:
ACC queries the GTI file reputation servers to identify straightforward "block" or "allow" actions determined by the configuration. Because no delete action is invoked, this behavior is considered nondestructive and can be achieved with classification alone.
For more information, see KB85695 - Application Control checks for reputation-based execution and final reputation.
ENS Threat Prevention:
When the OAS or ODS scanner encounters a file with an unknown file reputation, it queries the file reputation from the GTI file reputation servers. The classification, together with other parameters that the Advanced Research Center team provides, contributes to the final conviction of the file. These additional mechanisms include False Positive Mitigation, because the "delete" and "clean" actions of ENS Threat Prevention are considered destructive.
For more information, see the Endpoint Security 10.7.x Threat Prevention Product Guide.
ENS ATP:
The ENS ATP module, when presented with a GTI-queried file that meets the file reputation threshold, uses real-time observation of the file by its behavioral engines to determine a file conviction. These engines include Real Protect and Joint Threat Intelligence, along with the ability to submit the file to Intelligent Sandbox (formerly Advanced Threat Defense) for full sandboxing and a later Threat Intelligence Exchange reputation conviction.
For more information, see "How Adaptive Threat Protection works" and "How a reputation is determined" in the Endpoint Security 10.7.x Product Guide - Windows.
ENS Firewall:
The ENS Firewall "Block all untrusted executables" feature performs executable blocking based on an "unsigned" or "unknown" file reputation. See KB90096 - Explanation of the "Executable verification Rule".