I have some TIE ERROR lines in Orion.log after TIE.set_reupation

  • Hello everyone,


    I have created a script to change automatically a bunch of hashes to whatever reputation I want. Looks like reputations are properly set in TIE Server and also the reputation is working fine. What I mean by that is that I have tested a HASH changed to KNOWN MALCIOUS over DXL and Antivirus automatically deleted that file. Also I have tested another options, like get_file_reputations and I didn't find any error.


    So when I was checking orion.log I saw this ERROR per hash:


    ERROR [core-CommandInvoker-thread-33] command.RemediationHistoryChangeReputationCommand - Cannot execute command

    com.mcafee.tie.server.ext.exception.TieDxlCommunicationException: Error during request handling. Error code: 0

    at com.mcafee.tie.server.ext.service.impl.TieServerDxlCommunicatorImpl.sendTieRequest(TieServerDxlCommunicatorImpl.java:83)

    at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.doTieRequest(TieServerBaseCommunicatorImpl.java:156)

    at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.doTieRequest(TieServerBaseCommunicatorImpl.java:129)

    at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.getFileInfo(TieServerBaseCommunicatorImpl.java:273)

    at com.mcafee.tie.server.ext.service.management.TieManagementServiceImpl.getFileInfo(TieManagementServiceImpl.java:72)

    at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfoBySha1s(ReputationServiceImpl.java:158)

    at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfosBy(ReputationServiceImpl.java:235)

    at com.intel.edr.command.RemediationHistoryChangeReputationCommand.runTask(RemediationHistoryChangeReputationCommand.java:90)

    at com.intel.edr.command.RemediationHistoryChangeReputationCommand.invoke(RemediationHistoryChangeReputationCommand.java:76)

    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1274)

    at com.mcafee.orion.core.cmd.CommandInvoker$AsyncCommandRunner.call(CommandInvoker.java:1150)

    at java.util.concurrent.FutureTask.run(FutureTask.java:266)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

    at java.lang.Thread.run(Thread.java:748)



    It looks like I have those errors only when the script is changing the reputation and I don't know why since reputations are properly set after the script.

    I have tested a bunch of different configurations with the brokers, but the error is still there.

    I can provide the code if there is any need to do so.


    Can someone explain me why orion.log is genereting those ERRORS?



    Thank you for your time

  • Hi-


    It appears that this is occurring due to an EDR-related listender. Do you have MAR or EDR installed?


    We will work on digging through those extensions and determine what the exact workflow is that is triggering the error message.


    Thanks a lot,

    Chris

  • Hi Eduard-


    No, there is no need to install EDR. I was just curious what product was getting triggered in ePO (MAR or EDR).


    What version of TIE and MAR are you using (extension versions and deployed server versions)?


    Thanks,

    Chris

  • Hi Eduard-


    Once you give us the versions, we will try to reproduce your issue. However, based on the current information, this is most likely a product compatibility issue or defect between TIE and MAR. It might make the most sense to open a support ticket with McAfee to get it resolved quickly.


    Once you provide the version information, we will perform a few tests via the OpenDXL Python client to ensure it is not the component causing the issue.


    Thanks a lot,

    Chris

  • Hello Chris,


    The versions that I am using:


    MAR 2.3 - Hotfix 4

    TIE Server & Platform 2.3.1.125

    DXL Broker 5.0.1.223


    Meanwhile I will test the same script in another configuration with MAR 2.4 and MVISION EDR.



    Regards,

    Eduard

  • Hello Chris,


    I have tested the same script into another smaller infrastructure and with MAR 2.4 and MVISION EDR I don't find any ERROR logs in Orion.

    It is interesting, I never though that this may cause the problem. Update the other one could be a solution, but Its not as easy as it sounds.


    Thanks a lot,

    Eduard

  • Hello Chris,


    No no, I didn't update anything, I just have two ePO environments:


    1 - This is the main one and it is running MAR 2.3 with Hotfix 4. (In this one I found the ERROR lines in Orion)

    2 - This ePO is more oriented to development, and it is running MAR 2.4 and MVISION EDR. Also here is where I tested my script at the beginning and I didn't find any errors in Orion.


    I don't have MVISION EDR installed in the first one. So it makes me thinking that It may be because of MAR 2.3 H4 and updating it, may be a solution but its not that easy.


    I know my English may be confusing, so tell me if there is more need for clarification.



    Thanks a lot,

    Eduard

  • Hi Eduard,


    We tried to reproduce the issue with the versions you mentioned but we could not. It might make the most sense to open a support ticket with McAfee to get it resolved quickly.


    Thanks,

    Viji