Adaptive Threat Protection cache reset at every policy enforcement
Last Modified: 2022-07-25 04:40:12 Etc/GMT
Technical Articles ID:
KB95290
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
Problem
When you modify five or more ENS ATP rules, the ATP cache is reset on every policy enforcement. This issue causes higher network traffic to the Global Threat Intelligence (GTI) cloud or Threat Intelligence Exchange (TIE) Server for file reputation requests. On the TIE Server, this issue can also cause a high CPU load.
Steps to verify whether you have this issue:
2022-02-09 09:35:30.326Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1087) | Configuring AAC policy
2022-02-09 09:35:30.342Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1123) | Adaptive Threat Protection is Enabled
2022-02-09 09:35:31.842Z |Activity|Orchestrator |mfeatp | 10228| 9628|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
2022-02-09 09:36:00.580Z |Activity|Orchestrator |mfeatp | 10228| 3500|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
Cause
No specific ATP rule causes this issue. It is caused by the number of ATP rules whose status has been changed from default. If you change five or more ATP rules from default to observe, enable, or disabled, the ATP cache reset occurs on each policy enforcement. The issue doesn't occur if you set five ATP rules to a mix of observe, enable, or disabled.
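The log pattern shown under Problem can be checked for across a longer log with a short script. This is an added example, not vendor code: it assumes that the "Configuring AAC policy" message marks a policy enforcement, and the 60-second window and function names are illustrative choices.

```python
from datetime import datetime, timedelta

CLEAR_MSG = "Detected JTI configuration change, clearing JCM cache"
# Assumption: this message is treated here as the marker of a policy enforcement.
POLICY_MSG = "Configuring AAC policy"

def parse_line(line):
    """Return (timestamp, message) for a pipe-delimited log line, else None."""
    parts = [p.strip() for p in line.split("|", 8)]
    if len(parts) != 9:
        return None  # truncated or unrelated line
    try:
        return datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S.%fZ"), parts[8]
    except ValueError:
        return None

def cache_reset_report(lines, window_seconds=60):
    """Count enforcements and how many were followed by a cache clear."""
    events = [e for e in map(parse_line, lines) if e]
    enforcements = [ts for ts, msg in events if msg == POLICY_MSG]
    clears = [ts for ts, msg in events if msg == CLEAR_MSG]
    window = timedelta(seconds=window_seconds)
    followed = sum(
        any(start <= c <= start + window for c in clears) for start in enforcements
    )
    return {
        "enforcements": len(enforcements),
        "cache_clears": len(clears),
        "enforcements_followed_by_clear": followed,
        # Flag only when the clear repeats on every enforcement seen (2 or more).
        "matches_symptom": len(enforcements) >= 2 and followed == len(enforcements),
    }

# Constructed sample: same line layout as the article's log, timestamps invented.
SAMPLE = """\
2022-02-09 09:35:30.326Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1087) | Configuring AAC policy
2022-02-09 09:35:30.342Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1123) | Adaptive Threat Protection is Enabled
2022-02-09 09:35:31.842Z |Activity|Orchestrator |mfeatp | 10228| 9628|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
2022-02-09 10:35:30.101Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1087) | Configuring AAC policy
2022-02-09 10:35:31.560Z |Activity|Orchestrator |mfeatp | 10228| 9628|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
truncated line without the expected fields
2022-02-09 11:35:30.220Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1087) | Configuring AAC policy
2022-02-09 11:35:31.907Z |Activity|Orchestrator |mfeatp | 10228| 9628|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
""".splitlines()

if __name__ == "__main__":
    print(cache_reset_report(SAMPLE))
```

A report where every enforcement is followed by a cache clear is consistent with the issue described here; a single clear after a real policy change is not.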
Solution
This issue is resolved in the ENS 10.7.0 June 2022 Update. Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.
NOTE: You need a valid Grant Number for access. See KB56057 - How to download product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.
Workaround 1
Reduce the number of ATP rules modified from default to a maximum of four modified rules with the same state:
Workaround 2
Change the ATP Rule Assignment from Balanced to Productivity: