This article describes how the MOVE AV Multi-Platform workflow works with the TIE option enabled in the MOVE policy.
The Enable TIE option is located under the MOVE Multi-Platform policy:
- Log on to the ePO console
- Open the MOVE AntiVirus 4.9.2 Policy.
- Go to Policy Category, Shared Cloud Solutions, My Default.
This option enables or disables the TIE feature built into the MOVE client, and not the MOVE SVM and OSS servers.

MOVE client sends a file for scanning:
- MOVE checks to see if the TIE option is enabled.
- If TIE is enabled, MOVE looks for the reputations using the SVM and the TIE Server.
- If TIE isn’t enabled, MOVE sends the file to SVM for scanning.
MOVE client scanning:
- When the file scan is performed on the MOVE client, it first checks with the local cache. The local cache is always running in memory, which is cleared when the system is restarted.
- If the local cache doesn't have the reputation of the file, the client sends the information to the MOVE SVM/OSS server.
- The MOVE SVM checks its local cache, and then sends the file to TIE for the reputation score.
- The MOVE client communicates to the SVM with regular TCP logic. It doesn't use the MOVE client DXL connection to the SVM. The MOVE client uses the regular file scanning and file reputation request, whereas the MOVE SVM or OSS reaches TIE through a DXL connection.
Log Analysis:
Examples from the logs showing this scenario:
NOTE: The content below is visible only when debug logging is enabled on both the MOVE client and server.
MVAgent.log from the MOVE client
INFO: scan_sign.c : 260: Signature status 0 for C:\test\EtwConsumer.exe: 0
DETAIL: scan.c : 5066: Untrusted for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3459: Value of tie_enabled: [1] with tie_action: [2], value of pe_file: [1] for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3526: Going for a tie reputation lookup for file \Device\HarddiskVolume4\test\EtwConsumer.exe with file cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af
DETAIL: scan.c : 3540: Size of cert metadata buffer: 0 for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3110: srv_conn FFFFC6077DA9B120: MD5 checksum: (37c03254296c127085341db8b18302d2) for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3115: srv_conn FFFFC6077DA9B120: SHA1 checksum: (c53fbe6e353abee45a43f86f4bbb822bd7c3c8af) for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3120: srv_conn FFFFC6077DA9B120: SHA256 checksum: (08ae9eba2dead85453d9a75d85169e59108c9540268b7387dbce7bf769e8a2b9) for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
MVSERVER.log from MOVE SVM or OSS server:
The SVM takes the request from the MOVE client and checks the local SVM cache. If it doesn't find a reputation, it contacts the TIE component through the DXL channel.
DETAIL: avs_tie.cpp : 3993: Request type: [FILE_REPUTATION] payload: {"hashes":[{"value":"xT++bjU6vuRaQ/hvS7uCK9fDyK8=","type":"sha1"},{"value":"N8AyVClsEnCFNB24sYMC0g==","type":"md5"},{"value":"CK6eui3q2FRT2addhRaeWRCMlUAmi3OH285792noork=","type":"sha256"}]} for cksum: [c53fbe6e353abee45a43f86f4bbb822bd7c3c8af].
DETAIL: svc_socket.c: 1684: [TIE FLOW] 10.x.x.x: Time taken for Tie response for file rep for cksum request : ( c53fbe6e353abee45a43f86f4bbb822bd7c3c8af ) is : 0.685304(s)
DETAIL: avs_tie.cpp : 1942: Received reputation response payload: {"props":{"submitMetaData":1,"serverTime":1635487650},"reputations":[{"providerId":3,"trustLevel":0,"createDate":1635487650,"attributes":{"2101652":"0","2123156":"0","2098277":"0","2102165":"1635487650","2114965":"0","2111893":"2","2139285":"216172786408751223"}},{"providerId":1,"trustLevel":0,"createDate":1635487650,"attributes":{"2120340":"0"}}]} for cksum: [c53fbe6e353abee45a43f86f4bbb822bd7c3c8af] lookup.
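The two avs_tie.cpp payloads carry the hashes base64-encoded, while the cksum field and MVAgent.log show them in hex. The following added example (not part of the original article or the product) decodes the request hashes, checks the SHA-1 against the logged cksum, and extracts each provider's trustLevel from the response; the name correlate and the regular expressions are assumptions derived only from the two log lines shown above.

```python
import base64
import json
import re

# Two MVSERVER.log lines copied from the article above (debug logging enabled).
SAMPLE_LOG = r'''
DETAIL: avs_tie.cpp : 3993: Request type: [FILE_REPUTATION] payload: {"hashes":[{"value":"xT++bjU6vuRaQ/hvS7uCK9fDyK8=","type":"sha1"},{"value":"N8AyVClsEnCFNB24sYMC0g==","type":"md5"},{"value":"CK6eui3q2FRT2addhRaeWRCMlUAmi3OH285792noork=","type":"sha256"}]} for cksum: [c53fbe6e353abee45a43f86f4bbb822bd7c3c8af].
DETAIL: avs_tie.cpp : 1942: Received reputation response payload: {"props":{"submitMetaData":1,"serverTime":1635487650},"reputations":[{"providerId":3,"trustLevel":0,"createDate":1635487650,"attributes":{"2101652":"0","2123156":"0","2098277":"0","2102165":"1635487650","2114965":"0","2111893":"2","2139285":"216172786408751223"}},{"providerId":1,"trustLevel":0,"createDate":1635487650,"attributes":{"2120340":"0"}}]} for cksum: [c53fbe6e353abee45a43f86f4bbb822bd7c3c8af] lookup.
'''

# Assumed line shapes, taken from the two samples above.
REQ_RE = re.compile(
    r'Request type: \[FILE_REPUTATION\] payload: (\{.*\}) for cksum: \[([0-9a-f]{40})\]')
RESP_RE = re.compile(
    r'Received reputation response payload: (\{.*\}) for cksum: \[([0-9a-f]{40})\]')


def correlate(log_text):
    """Group TIE request/response lines by cksum.

    Returns {cksum: {"hashes": {type: hex}, "sha1_matches": bool,
                     "trust": {providerId: trustLevel}}}.
    """
    out = {}
    for line in log_text.splitlines():
        if (m := REQ_RE.search(line)):
            payload, cksum = json.loads(m.group(1)), m.group(2)
            rec = out.setdefault(cksum, {"hashes": {}, "sha1_matches": False, "trust": {}})
            # TIE payloads hold base64 of the raw digest; convert to hex for comparison.
            rec["hashes"] = {h["type"]: base64.b64decode(h["value"]).hex()
                             for h in payload["hashes"]}
            # The cksum the SVM logs should be the SHA-1 it sent to TIE.
            rec["sha1_matches"] = rec["hashes"].get("sha1") == cksum
        elif (m := RESP_RE.search(line)):
            payload, cksum = json.loads(m.group(1)), m.group(2)
            rec = out.setdefault(cksum, {"hashes": {}, "sha1_matches": False, "trust": {}})
            rec["trust"] = {r["providerId"]: r["trustLevel"]
                            for r in payload.get("reputations", [])}
    return out


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

The decoded values can be compared directly with the MD5, SHA1 and SHA256 lines in MVAgent.log to confirm that the client and SVM entries refer to the same file.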
The information received on the MOVE server is sent to the MOVE client:
INFO: svc_socket.c: 2575: Processed req: TIE REPUTATION LOOKUP ID, from 10.x.x.x, with cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af, tie reputation resp: [0] err code: 2. total req time: 0.702081 sec, thread wait time: 0.000005 (s).
DETAIL: svc_socket.c: 4171: 10.x.x.x: Received checksum request for c53fbe6e353abee45a43f86f4bbb822bd7c3c8af
DETAIL: svc_socket.c: 1159: 10.x.x.x: Sent response for cksum request ( c53fbe6e353abee45a43f86f4bbb822bd7c3c8af ) resp ( 2 )
INFO: svc_socket.c: 2592: Processed req: CKSUM, from 10.57.103.176 for cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af. cksum resp: NO_ENTRY, File scan resp: UNKNOWN, err code: 0. total req time: 0.002955 sec, thread wait time: 0.000005 (s).
The SVM adds the new file information to its local cache. The next scan of the same checksum can then be answered from the cache, rather than by sending a request from the SVM to TIE:
DETAIL: svc_socket.c: 802: [TIE FLOW] tie_avg_response_time isn’t above the threshold of 3(s)
DETAIL: svc_socket.c: 1285: [TIE FLOW] 10.x.x.x: [CERT CACHE HIT]Sent response for cert rep for cksum request ( 2673ea6cc23beffda49ac715b121544098a1284c ) rep_score ( 85 )
You see the following in the logs when the MOVE client has the TIE option enabled, and the file is scanned on the client system through the above process. None of the TIE components have the reputations for this file, so the file is sent from the MOVE client to the SVM for scanning:
DETAIL: scan.c : 4159: sent file: \Device\HarddiskVolume4\test\EtwConsumer.exe, total sent : 23552 bytes
INFO: scan_sign.c : 766: Verifying publisher trust for C:\test\EtwConsumer.exe