Different result ATD 5.2 with W7 or W10 LTS image and different ADOBE Reader Version on PDF
Hi all,
ATD 5.2, all latest.
VMs:
1) An existing old image W7 ENT with Adobe Reader 9 or 10 (Analyse: CLEAN | Static)
2) Newer image W10 LTS 1809 with Adobe Reader 10.X (Analyse: INFORMATIONAL)
* Both VMs have the same options in the profiles!
All done with the tool and optimized, activated etc. Running.
We get a DIFFERENT analysis result for the SAME PDF if we scan it on the two VMs.
Worst problem: NO feedback to TIE/ePO (all set up correctly there) for the analysis on the W10 LTS with the newer Adobe.
Example PDF from the Swiss government: (nothing fancy, no JS, no links, no images)
TIE > ATD reputation UNKNOWN after analysis:
I hope we are not again at the story where McAfee tells the customer, "Well, it's unknown because we are not 100% sure." Then please make it YELLOW/Orange and not Green, but NOT unknown.
What concept is behind this logic?
Hi SWISS,
I can see that Windows 10 queried TIE for the file reputation; ATD/Sandbox did not analyse the file, but it was the result of TIE being queried.
In TIE we see that the file has Unknown reputation, which reflects the Informational reputation in ATD.
Please check this article for the reputation mapping between TIE and ATD:
https://kcm.trellix.com/corporate/index?page=content&id=KB84600
Note: ATD scores of 0/1/2 are the same as Informational/Very Low/Low, respectively, which reflect the Unknown reputation in TIE.
If you have any questions about the Unknown reputation in TIE, I would suggest opening a support case with TIE support.
Hope this helps,
It does what it does for EXE/DLL/DOC/XLS but NOT for PDF. For some it does, depending on HOW they enter the company (which way).
For the process "If file is already in TIE"...
I overlooked that it checked TIE before all others. I thought if I change the order in which I FIRST scan the sample, [1) W7 2) W10] VM or [1) W10 2) W7], then it would change...
However...
For the full Trellix customer with McAfee Security for Exchange with TIE, Web Gateway with TIE, and DLP active (so no USB), all incoming new files would come in these two ways:
1) WAN incoming HTTP/HTTPS/SMTP(S)
2) MGW (download) with TIE submit or McAfee Security for Exchange with TIE submit
3) File is KNOWN in TIE
4) File is SENT to ATD for analysis
5) ATD has the analyse option with all options "ON" and "Continue to run all Engines even after file is found malicious"
6) Then the FILE is always already in TIE and ATD just makes an INFORMATIONAL?
Then we don't have to send the PDF file to the ATD.
Clearly, if the file were malicious, the info would be communicated to all endpoints with DXL.
But we also want the INFO in TIE for all files (GOOD/BAD).
Maybe what we want is the option:
Existing: "Continue to run all Engines even after file is found malicious"
NEW: "Continue to run all Engines even after file is found INFORMATIONAL"?
Hi SWISS,
Just to clear up this misunderstanding: if "Continue to run all Engines even after file is found malicious" is enabled, then the file will be scanned by all engines even if the file is Informational. So, it's not just malicious files; it's for all verdicts.
If you want to suggest more ideas for ATD, you need to submit a product enhancement request for the functionality to be added to ATD in the future.
Please follow this article to submit a PER:
https://kcm.trellix.com/corporate/index?page=content&id=KB60021
Please mark this as resolved if you don't have any more questions.
Regards,