Product guide
• The executable file name on the disk (full path) and hash of the process that generated the
  connection
  This is an optional field and is sent only when file reputation is available.
• The user information associated with the process
  • SID, user type (system users, local users, and domain users), and domain
• Executable file reputation
  • MD5 hash value
  • Confidence level
  • Heuristic bitmap
  • Evidence string
  • File name (same as the executable file name)
  • Product name
  • File description
  • File version
  • Signer name
  • Signed time
  • Global Threat Intelligence score
Executable file reputation
McAfee EIA calculates the executable file reputation and stores it in a cache keyed by the file's
MD5 hash. The reputation is sent each time the information is available in the cache.
McAfee EIA receives a notification when an application or process initiates traffic. It uses the
MD5 hash of the process executable to check whether the reputation is already available in the
cache. If it is, McAfee EIA sends the reputation information along with the network and user
information in the metadata. If the reputation is not available, it creates a background task, which
is picked up by one of the worker threads (four in the recommended configuration). When the task
completes, that thread updates the reputation cache.
McAfee EIA sends only the mandatory metadata fields every time an application opens a network
connection. Optional parameters such as heuristics are sent when they are available in the
reputation cache.
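The cache-miss flow described above, as an added illustration that is not McAfee's code: the executable's MD5 is the cache key, a miss queues one background task for a pool of four worker threads, and optional reputation fields are attached to the metadata only on a hit. The `lookup` callable standing in for the reputation source is an assumption.

```python
import hashlib
import queue
import threading

# Constructed model of the flow described above, not McAfee's code: the
# MD5 of the executable keys the cache, a miss queues one background task,
# and optional reputation fields are only attached on a cache hit.
OPTIONAL_FIELDS = ("confidence", "heuristic_bitmap", "evidence", "gti_score")


class ReputationCache:
    def __init__(self, lookup, workers=4):  # four workers is the recommended setting
        self._lookup = lookup       # hypothetical reputation source (assumption)
        self._cache = {}            # md5 -> reputation dict
        self._pending = set()       # md5 values already queued, avoids duplicate tasks
        self._lock = threading.Lock()
        self._tasks = queue.Queue()
        for _ in range(workers):
            threading.Thread(target=self._worker, daemon=True).start()

    def _worker(self):
        while True:
            md5 = self._tasks.get()
            rep = self._lookup(md5)
            with self._lock:        # the completing thread updates the cache
                self._cache[md5] = rep
                self._pending.discard(md5)
            self._tasks.task_done()

    def get_or_schedule(self, md5):
        """Return the cached reputation, or queue a background lookup on a miss."""
        with self._lock:
            rep = self._cache.get(md5)
            if rep is None and md5 not in self._pending:
                self._pending.add(md5)
                self._tasks.put(md5)
        return rep

    def wait(self):
        self._tasks.join()          # block until queued lookups have finished


def build_metadata(exe_path, exe_bytes, user_sid, cache):
    """Assemble per-connection metadata: mandatory fields always, optional on a hit."""
    md5 = hashlib.md5(exe_bytes).hexdigest()
    meta = {"exe_path": exe_path, "md5": md5, "user_sid": user_sid}
    rep = cache.get_or_schedule(md5)
    if rep is not None:
        meta.update({k: rep[k] for k in OPTIONAL_FIELDS if k in rep})
    return meta
```

The first connection from a process therefore carries only the mandatory fields; once a worker has populated the cache, later connections from the same executable carry the reputation fields as well.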
Information about some of the loaded modules (DLLs) is also sent, if the module's confidence level is
above the configured reputation threshold.
You can configure the speed at which McAfee EIA calculates MD5 hashes, the number of worker
threads used, and the confidence level that identifies malicious files (the reputation threshold). For
more information, see Configure advanced settings.
Communication with a network device
As mentioned earlier, the Endpoint Intelligence Agent can communicate with two supported network
devices, Firewall Enterprise and NTBA. At any given time, McAfee EIA can send metadata to only one
network device for a particular source/destination network, based on configuration.
For information on configuring the network devices, see the following sections: Configure Endpoint
Intelligence Agent on NTBA and Configure Endpoint Intelligence Agent on Firewall Enterprise.
The connection between Endpoint Intelligence Agent and the network device is a DTLS connection.
Endpoint Intelligence Agent uses heartbeat messages to detect the status of the connection. To save
bandwidth, the heartbeat is sent as part of the metadata rather than as a separate message. If
Endpoint Intelligence Agent receives no response after sending three heartbeat messages, it declares
the peer dead.
Introduction
How Endpoint Intelligence Agent works
Endpoint Intelligence Agent 2.1.0 Product Guide