TIE reputation check for email attachments
MSME now provides additional threat detection capability by leveraging the TIE reputation check for attachments arriving through email at the gateway, hub, and mailbox levels.
What is TIE?
Threat Intelligence Exchange increases protection and detection capabilities in real time by performing a comprehensive and advanced file reputation check, and prevents the threat from spreading. The TIE server quickly analyzes the attachments at the gateway, hub, and mailbox levels. For information about Threat Intelligence Exchange, see the Threat Intelligence Exchange 2.0 Product Guide.
TIE checks two reputation values:
• Certificate reputation
• File reputation
TIE validates the file's certificate reputation score first. If only the certificate reputation is known malicious, the file reputation score is considered.
How MSME works with TIE
TIE reputation categories and their scores:
• Known trusted - 99
• Most likely trusted - 85
• Might be trusted - 70
• Unknown - 50
• Might be malicious - 30
• Most likely malicious - 15
• Known malicious - 1
When you configure an action for a specific category, the same action is applied to all categories that have a lower TIE reputation score than the specified category. By default, Take action at and below is set to Might Be Malicious.
For example, when you set Take action at and below to Unknown (score 50) and the action to Replace with Alert, all attachments with a TIE reputation score of 50 or less are replaced with an alert message. You can also select secondary actions for the alert.
Reputation scores are cached locally, and MSME uses the updated local cache for subsequent reputation checks.
When TIE is disabled, attachments are scanned according to the policy settings. When TIE is enabled but the TIE server is unreachable and the local cache has no entry for the file, the TIE reputation check is skipped and the email is scanned according to the policy settings.
For more information about how the reputation score is mapped, see the TIE Product Guide.
Supported file types include:
• exe
• Microsoft Office documents
For a list of supported file types, see KB89578.
When the email contains a compressed attachment, the compressed file is extracted and only the supported file types inside it are sent for the TIE reputation check. For a list of supported compressed file types, see KB89577.
For other file types, and after the TIE reputation check, MSME scans the attachments according to the policy settings. When you release a quarantined item under TIE detections, the file is scanned only for viruses before it is allowed through. The Dashboard page shows the number of files detected by TIE and the number of files sent for the ATD check.
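The following is an added example, not MSME or TIE code, that models how the pieces described above fit together for one attachment: the Take action at and below threshold with the category scores listed on this page, the local reputation cache and its behaviour when the TIE server is unreachable, and the extraction of compressed attachments so that only supported member files are submitted. The category names and scores are taken from the page; the extension lists, the placeholder hashes, the sample attachments, and all class and function names (Attachment, TiePolicy, TieLookup, decide, run_demo) are constructed assumptions, as is the choice to treat a file the server has never seen as Unknown.

```python
# Added example (not MSME or TIE code): a model of how the 'Take action at and
# below' threshold, the local reputation cache and the supported-type filter
# combine into a per-attachment decision. Category scores are the ones listed
# on the page; extension lists, hashes, names and the server stand-in are
# constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

# TIE reputation categories and their scores, as listed on the page.
TIE_CATEGORIES = {
    "Known trusted": 99,
    "Most likely trusted": 85,
    "Might be trusted": 70,
    "Unknown": 50,
    "Might be malicious": 30,
    "Most likely malicious": 15,
    "Known malicious": 1,
}

# File types sent for a TIE check. The page names exe and Office documents and
# defers the full list to KB89578; these extensions are an assumption.
TIE_SUPPORTED_EXTENSIONS = {"exe", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
# Archive types MSME extracts before the check (full list in KB89577; assumption).
COMPRESSED_EXTENSIONS = {"zip", "7z"}


@dataclass
class Attachment:
    name: str
    sha256: str = ""                                 # constructed placeholder hash
    members: list = field(default_factory=list)      # extracted files of an archive


@dataclass
class TiePolicy:
    enabled: bool = True
    take_action_at_and_below: str = "Might be malicious"   # page default
    action: str = "Replace with Alert"


class TieLookup:
    """Stand-in for the TIE server plus MSME's local reputation cache."""

    def __init__(self, server: Optional[dict], cache: Optional[dict] = None):
        self.server = server            # None models an unreachable TIE server
        self.cache = dict(cache or {})  # hash -> score; cleared on service restart

    def score(self, sha256: str) -> Optional[int]:
        if sha256 in self.cache:
            return self.cache[sha256]
        if self.server is None:
            return None                 # unreachable and not cached: check skipped
        # Assumption: a reachable server reports files it has not seen as Unknown.
        score = self.server.get(sha256, TIE_CATEGORIES["Unknown"])
        self.cache[sha256] = score      # later lookups are served from the cache
        return score


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def files_for_tie_check(att: Attachment) -> list:
    """Archives are extracted and only supported member types are submitted."""
    candidates = att.members if extension(att.name) in COMPRESSED_EXTENSIONS else [att]
    return [f for f in candidates if extension(f.name) in TIE_SUPPORTED_EXTENSIONS]


def decide(att: Attachment, policy: TiePolicy, lookup: TieLookup) -> list:
    """Return (file name, outcome) pairs for one attachment."""
    if not policy.enabled:
        return [(att.name, "policy scan")]
    threshold = TIE_CATEGORIES[policy.take_action_at_and_below]
    results = []
    for f in files_for_tie_check(att):
        score = lookup.score(f.sha256)
        if score is None:
            results.append((f.name, "policy scan (TIE unreachable, not cached)"))
        elif score <= threshold:        # category at or below the configured one
            results.append((f.name, policy.action))
        else:                           # TIE did not trigger; normal policy scan follows
            results.append((f.name, "policy scan"))
    return results or [(att.name, "policy scan (no TIE-supported file type)")]


# Constructed sample data: server-side scores keyed by placeholder hashes.
SERVER_SCORES = {"h-invoice": 30, "h-report": 85, "h-macro": 15}
SAMPLE = [
    Attachment("invoice.exe", "h-invoice"),
    Attachment("report.docx", "h-report"),
    Attachment("notes.txt", "h-notes"),
    Attachment("bundle.zip", "h-bundle",
               members=[Attachment("macro.xls", "h-macro"), Attachment("readme.txt", "h-readme")]),
]


def run_demo() -> dict:
    """The page's example: threshold Unknown (50), action Replace with Alert."""
    policy = TiePolicy(take_action_at_and_below="Unknown")
    online = TieLookup(SERVER_SCORES)
    first_pass = {a.name: decide(a, policy, online) for a in SAMPLE}
    # Server goes down but the cache is still warm: cached files keep their verdicts.
    offline = TieLookup(None, cache=online.cache)
    second_pass = {a.name: decide(a, policy, offline) for a in SAMPLE}
    # After a service restart the cache is empty, so the check is skipped entirely.
    cold = TieLookup(None)
    third_pass = {a.name: decide(a, policy, cold) for a in SAMPLE}
    return {"online": first_pass, "offline_cached": second_pass, "offline_cold": third_pass}


if __name__ == "__main__":
    for phase, verdicts in run_demo().items():
        print(phase, verdicts)
```

The three passes in run_demo show the cache behaviour the page describes: a warm cache keeps producing the same verdicts while the server is down, whereas a cold cache after a service restart makes every lookup fall through to a plain policy scan, which is also why the deployment notes warn about request spikes after restarts.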
Using Advanced Threat Defense reputation
You can also enable Advanced Threat Defense detection for selected reputation categories of files and based on the size of the attachment.
When a file is checked for TIE reputation, TIE returns the reputation score and might recommend the file for analysis. MSME sends the file to Advanced Threat Defense based on the category and file size configured in the settings. If a revised reputation score is returned for the file, the local cache is updated with that score, and the revised score is used from the next lookup onward. The default setting for Take action at and below is Might Be Malicious, and the default File Size is 8 MB.
Recommended settings for TIE server deployment for MSME
• Deploy a TIE server in secondary configuration to process all TIE reputation requests from MSME in the same data center as your Exchange server. This enables the TIE server to process the maximum number of email attachments per second on dedicated infrastructure.
• The reputation traffic is reduced when the MSME servers cache the reputations locally. But, since MSME clears the local cache after a service restart, spikes might be experienced.
• Estimate the requests coming from MSME using the dashboard counters in MSME. For information about how to measure requests per second coming to a TIE server, view the Throughput under Performance Status in the TIE Server Topology Management page under Server Settings in McAfee ePO. You can also view the TIE Server New Files in the TIE Server Data Cleanup page.