Unable to fetch the reputation from GTI if there are null or empty MD5s in the database
Last Modified: 2024-01-11 05:28:58 Etc/GMT
Technical Articles ID:
KB96061
Environment
Application and Change Control (ACC) 8.x
Problem
ACC sends MD5s to GTI to obtain their reputation. If the set contains MD5s with null or empty values, the set isn't saved for further processing. It remains unprocessed, and the reputation update then fails for the other, valid binaries as well.
Cause
Currently, this issue is seen with clients running older operating systems such as Windows 2000 and Solidcore client version 5.x (End of Life). The XML inventory files generated by these versions contain only a checksum and no MD5, so the MD5 is stored as an empty string in the database, which causes the reputation update to fail for all other binaries.
Solution
To clean up the data with empty MD5s from the database, follow the steps below:
a. Get the AgentGuids for which you have empty MD5s.
b. Follow the KB article KB81994 - How to purge the Application Control Inventory for a specific system. Select all necessary
c. To delete the data from the remaining tables, execute the script (
NOTE: Execute the script only after you complete the purge task from step b above. After cleanup, the reputation starts getting updated; this might take a few hours depending on the number of binaries present in the environment.
Or
b. If the reputation of all binaries whose GTI_TTL_EXPIRY_UTC has expired:
NOTE: To avoid recurrence of the issue after cleanup, we recommend that you stop the communication between the client (sending null MD5) and ePolicy Orchestrator.
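As an added illustration (not Trellix code, and not the cleanup script the KB refers to), the following Python models the failure described under Problem and Cause and performs step a of the solution: it validates each inventory row's MD5, lists the AgentGuids that contributed null, empty, or malformed values, and separates the well-formed MD5s that can still be sent for a reputation lookup instead of letting one bad row block the whole set. The row layout, file names, and AgentGuid values are constructed for the example; no ePO database table or column names are assumed.

```python
import re
from collections import Counter

# A well-formed MD5 is exactly 32 hexadecimal characters.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample inventory rows: (agent_guid, file_name, md5).
# The "" and None values mimic rows that a Windows 2000 / Solidcore 5.x
# client produces when its XML carries a checksum but no MD5.
SAMPLE_ROWS = [
    ("AGENT-0001", "notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    ("AGENT-0001", "calc.exe",    "9E107D9D372BB6826BD81D3542A419D6"),
    ("AGENT-0002", "legacy.exe",  ""),            # empty string stored in the DB
    ("AGENT-0002", "old.dll",     None),          # NULL in the DB
    ("AGENT-0003", "svc.exe",     "0cc175b9c0f1b6a831c399e269772661"),
    ("AGENT-0003", "broken.exe",  "not-a-hash"),  # malformed value
]


def is_valid_md5(value):
    """True only for a non-empty string of 32 hex characters."""
    return isinstance(value, str) and MD5_RE.match(value) is not None


def legacy_batch_blocked(rows):
    """Model the behaviour the KB describes: if any MD5 in the set is null
    or empty, the whole set stays unprocessed and nothing gets looked up."""
    return any(not is_valid_md5(md5) for _, _, md5 in rows)


def split_inventory(rows):
    """Partition inventory rows before the reputation lookup.

    Returns (valid_md5s, bad_agents):
      valid_md5s - sorted, lower-cased MD5s that are safe to send to GTI
      bad_agents - {agent_guid: number of null/empty/malformed MD5 rows},
                   i.e. the AgentGuids the KB tells you to collect in step a
    """
    valid = set()
    bad_agents = Counter()
    for agent_guid, _file_name, md5 in rows:
        if is_valid_md5(md5):
            valid.add(md5.lower())  # normalise case so duplicates collapse
        else:
            bad_agents[agent_guid] += 1
    return sorted(valid), dict(bad_agents)


if __name__ == "__main__":
    print("legacy behaviour blocks the batch:", legacy_batch_blocked(SAMPLE_ROWS))
    valid_md5s, bad_agents = split_inventory(SAMPLE_ROWS)
    print("MD5s to send for reputation lookup:", valid_md5s)
    print("AgentGuids with null/empty MD5s (cleanup candidates):", bad_agents)
```

Running the block prints that the legacy all-or-nothing check would block the sample set, then the three usable MD5s and the two AgentGuids (with row counts) that need the cleanup from the steps above. In a real environment the rows would come from the ePO database query used in step a; the point of the partition is that the valid binaries keep getting their reputation updated while the offending clients are being purged and isolated.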