V-213330

Discussion

If a Threat Intelligence Exchange (TIE) server is being used in the organization, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the Trellix ePO console. If the GTI is being used, reputation for files and certificates is fetched from the Trellix GTI. For both methods, the administrator can review the reputation values and make informed decisions for inventory items in the enterprise.

Check Content

Note: This requirement is Not Applicable on a classified SIPRNet or otherwise closed network.

This requirement is only applicable to Windows platforms. For MAC and Linux platforms, this is Not Applicable.

From the ePO server console System Tree, select the "Systems" tab.

Select "This Group and All Subgroups".
Select the asset(s) that need the organization-specific policy.
Select "Actions".
Select "Agent".
Select "Modify Policies on a Single System".

From the product pull-down list, select Solidcore 8.x: Application Control.

From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed.

Select the "Reputation" tab.

Verify the "Use Trellix Global Threat Intelligence (Trellix GTI)" option is selected.

Note: The "Trellix GTI" option must be selected, as a failover, even if an internal Trellix TIE server is configured.

If the "Trellix GTI" option is not selected, this is a finding.