MOVE AV Multi-Platform workflow when the TIE policy option is enabled
Last Modified: 2022-01-13 14:03:13 Etc/GMT
Technical Articles ID:
KB95154
Environment
Management for Optimized Virtual Environments (MOVE)
MOVE AV Multi-Platform
Security Virtual Machine (SVM)
Threat Intelligence Exchange (TIE)
Summary
This article describes how the MOVE AV Multi-Platform scanning workflow operates when the TIE option is enabled in the MOVE policy. The Enable TIE option is located under the MOVE Multi-Platform policy:
MOVE client sends a file for scanning:
MOVE client scanning:
Log Analysis
Examples from the logs showing this scenario:
NOTE: The content below is visible only when debug logging is enabled on both the MOVE client and the server.
MVAgent.log from the MOVE client:
DETAIL: scan.c : 5066: Untrusted for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3459: Value of tie_enabled: [1] with tie_action: [2], value of pe_file: [1] for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3526: Going for a tie reputation lookup for file \Device\HarddiskVolume4\test\EtwConsumer.exe with file cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af
DETAIL: scan.c : 3540: Size of cert metadata buffer: 0 for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3110: srv_conn FFFFC6077DA9B120: MD5 checksum: (37c03254296c127085341db8b18302d2) for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3115: srv_conn FFFFC6077DA9B120: SHA1 checksum: (c53fbe6e353abee45a43f86f4bbb822bd7c3c8af) for file: \Device\HarddiskVolume4\test\EtwConsumer.exe
DETAIL: scan.c : 3120: srv_conn FFFFC6077DA9B120: SHA256 checksum: (08ae9eba2dead85453d9a75d85169e59108c9540268b7387dbce7bf769e8a2b9) for file: \Device\HarddiskVolume4\test\EtwConsumer.exe

MVSERVER.log from the MOVE SVM or OSS server:
The SVM takes the request from the MOVE client and checks its local cache. If it doesn't find a reputation there, it contacts the TIE component through the DXL channel:
DETAIL: svc_socket.c: 1684: [TIE FLOW] 10.x.x.x: Time taken for Tie response for file rep for cksum request : ( c53fbe6e353abee45a43f86f4bbb822bd7c3c8af ) is : 0.685304(s)
DETAIL: avs_tie.cpp : 1942: Received reputation response payload: {"props":{"submitMetaData":1,"serverTime":1635487650},"reputations":[{"providerId":3,"trustLevel":0,"createDate":1635487650,"attributes":{"2101652":"0","2123156":"0","2098277":"0","2102165":"1635487650","2114965":"0","2111893":"2","2139285":"216172786408751223"}},{"providerId":1,"trustLevel":0,"createDate":1635487650,"attributes":{"2120340":"0"}}]} for cksum: [c53fbe6e353abee45a43f86f4bbb822bd7c3c8af] lookup.

The information received on the MOVE server is sent to the MOVE client:
DETAIL: svc_socket.c: 4171: 10.x.x.x: Received checksum request for c53fbe6e353abee45a43f86f4bbb822bd7c3c8af
DETAIL: svc_socket.c: 1159: 10.x.x.x: Sent response for cksum request ( c53fbe6e353abee45a43f86f4bbb822bd7c3c8af ) resp ( 2 )
INFO: svc_socket.c: 2592: Processed req: CKSUM, from 10.57.103.176 for cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af. cksum resp: NO_ENTRY, File scan resp: UNKNOWN, err code: 0. total req time: 0.002955 sec, thread wait time: 0.000005 (s).

The SVM adds the new file information to its local cache. On the next scan, a request for the same checksum is answered from the cache rather than by sending a request from the SVM to TIE:
DETAIL: svc_socket.c: 1285: [TIE FLOW] 10.x.x.x: [CERT CACHE HIT]Sent response for cert rep for cksum request ( 2673ea6cc23beffda49ac715b121544098a1284c ) rep_score ( 85 )

You see the following in the logs when the MOVE client has the TIE option enabled and the file is scanned on the client system through the above process. None of the TIE components have a reputation for this file, so the file is sent from the MOVE client to the SVM for scanning:
DETAIL: scan.c : 4159: sent file: \Device\HarddiskVolume4\test\EtwConsumer.exe, total sent : 23552 bytes
INFO: scan_sign.c : 766: Verifying publisher trust for C:\test\EtwConsumer.exe
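As an added example (not from the article or from the MOVE product), the following Python script parses the debug-log lines quoted above, groups them by the file's SHA-1 checksum, and reads the SVM's decision out of them: the TIE response time, each provider's trustLevel in the DXL reputation payload, the cksum response, and whether a local cache hit answered the request. The sample input reproduces the article's own log excerpts; the regexes and the NO_ENTRY/UNKNOWN rule for "the client must upload the file for scanning" are this example's reading of those lines, not a documented MOVE interface.

```python
import json
import re
from collections import defaultdict

# Sample input: the MVAgent.log / MVSERVER.log entries quoted in the article, one event per line.
SAMPLE_LOG = r"""
DETAIL: scan.c : 3526: Going for a tie reputation lookup for file \Device\HarddiskVolume4\test\EtwConsumer.exe with file cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af
DETAIL: svc_socket.c: 1684: [TIE FLOW] 10.x.x.x: Time taken for Tie response for file rep for cksum request : ( c53fbe6e353abee45a43f86f4bbb822bd7c3c8af ) is : 0.685304(s)
DETAIL: avs_tie.cpp : 1942: Received reputation response payload: {"props":{"submitMetaData":1,"serverTime":1635487650},"reputations":[{"providerId":3,"trustLevel":0,"createDate":1635487650,"attributes":{"2101652":"0","2123156":"0","2098277":"0","2102165":"1635487650","2114965":"0","2111893":"2","2139285":"216172786408751223"}},{"providerId":1,"trustLevel":0,"createDate":1635487650,"attributes":{"2120340":"0"}}]} for cksum: [c53fbe6e353abee45a43f86f4bbb822bd7c3c8af] lookup.
INFO: svc_socket.c: 2592: Processed req: CKSUM, from 10.57.103.176 for cksum: c53fbe6e353abee45a43f86f4bbb822bd7c3c8af. cksum resp: NO_ENTRY, File scan resp: UNKNOWN, err code: 0. total req time: 0.002955 sec, thread wait time: 0.000005 (s).
DETAIL: svc_socket.c: 1285: [TIE FLOW] 10.x.x.x: [CERT CACHE HIT]Sent response for cert rep for cksum request ( 2673ea6cc23beffda49ac715b121544098a1284c ) rep_score ( 85 )
"""

SHA1 = r"(?P<cksum>[0-9a-f]{40})"  # the SHA-1 is the key that ties client, SVM and TIE events together
# One pattern per log event the article walks through (regexes are this example's own, not a MOVE interface).
PATTERNS = {
    "lookup": re.compile(r"tie reputation lookup for file (?P<file>.+?) with file cksum: " + SHA1),
    "tie_time": re.compile(r"Tie response for file rep for cksum request : \( " + SHA1 + r" \) is : (?P<secs>[0-9.]+)\(s\)"),
    "payload": re.compile(r"Received reputation response payload: (?P<json>\{.*\}) for cksum: \[" + SHA1 + r"\]"),
    "processed": re.compile(r"Processed req: CKSUM, from (?P<ip>\S+) for cksum: " + SHA1 + r"\. cksum resp: (?P<resp>\w+), File scan resp: (?P<scan>\w+)"),
    "cache_hit": re.compile(r"\[CERT CACHE HIT\].*cksum request \( " + SHA1 + r" \) rep_score \( (?P<score>\d+) \)"),
}

def summarize_tie_flow(log_text):
    """Group debug-log events by SHA-1 and extract the fields that explain the SVM's decision."""
    flow = defaultdict(dict)
    for line in log_text.splitlines():
        for event, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            entry = flow[m.group("cksum")]
            if event == "lookup":
                entry["file"] = m.group("file")
            elif event == "tie_time":
                entry["tie_response_seconds"] = float(m.group("secs"))
            elif event == "payload":  # DXL reputation payload: one trustLevel per provider (0 = Not Set in TIE)
                reps = json.loads(m.group("json"))["reputations"]
                entry["trust_levels"] = {r["providerId"]: r["trustLevel"] for r in reps}
            elif event == "processed":
                entry["cksum_resp"], entry["scan_resp"] = m.group("resp"), m.group("scan")
            elif event == "cache_hit":  # answered from the SVM's local cache, no DXL round trip to TIE
                entry["cache_hit"], entry["rep_score"] = True, int(m.group("score"))
    return dict(flow)

def needs_full_scan(entry):
    """True when neither the SVM cache nor TIE knew the file, so the client has to upload it for scanning."""
    return entry.get("cksum_resp") == "NO_ENTRY" and entry.get("scan_resp") == "UNKNOWN"
```

Run it against a real MVAgent.log and MVSERVER.log concatenated together to see, per file, whether the SVM answered from cache, from TIE, or had to request the file itself.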