Posts by iMasck

    Hello everyone,


    I would like to ask what I can do with OpenDXL. What I mean by that is whether I can send some data to the server where my ePO environment is installed, and write that data to an SQL Database. Or is it just that OpenDXL has only pre-built functionalities?


    Thanks in advance.

    Hello Chris,


    No no, I didn't update anything, I just have two ePO environments:


    1 - This is the main one and it is running MAR 2.3 with Hotfix 4. (In this one I found the ERROR lines in Orion)

    2 - This ePO is more oriented to development, and it is running MAR 2.4 and MVISION EDR. Also here is where I tested my script at the beginning and I didn't find any errors in Orion.


    I don't have MVISION EDR installed in the first one. So it makes me think that it may be because of MAR 2.3 H4, and updating it may be a solution, but it's not that easy.


    I know my English may be confusing, so tell me if there is more need for clarification.



    Thanks a lot,

    Eduard

    Hello everyone,


    I have created a script to automatically change a bunch of hashes to whatever reputation I want. Looks like reputations are properly set in TIE Server and also the reputation is working fine. What I mean by that is that I have tested a HASH changed to KNOWN MALICIOUS over DXL and Antivirus automatically deleted that file. Also I have tested other options, like get_file_reputations, and I didn't find any error.


    So when I was checking orion.log I saw this ERROR per hash:


    ERROR [core-CommandInvoker-thread-33] command.RemediationHistoryChangeReputationCommand - Cannot execute command

    com.mcafee.tie.server.ext.exception.TieDxlCommunicationException: Error during request handling. Error code: 0

    at com.mcafee.tie.server.ext.service.impl.TieServerDxlCommunicatorImpl.sendTieRequest(TieServerDxlCommunicatorImpl.java:83)

    at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.doTieRequest(TieServerBaseCommunicatorImpl.java:156)

    at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.doTieRequest(TieServerBaseCommunicatorImpl.java:129)

    at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.getFileInfo(TieServerBaseCommunicatorImpl.java:273)

    at com.mcafee.tie.server.ext.service.management.TieManagementServiceImpl.getFileInfo(TieManagementServiceImpl.java:72)

    at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfoBySha1s(ReputationServiceImpl.java:158)

    at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfosBy(ReputationServiceImpl.java:235)

    at com.intel.edr.command.RemediationHistoryChangeReputationCommand.runTask(RemediationHistoryChangeReputationCommand.java:90)

    at com.intel.edr.command.RemediationHistoryChangeReputationCommand.invoke(RemediationHistoryChangeReputationCommand.java:76)

    at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1274)

    at com.mcafee.orion.core.cmd.CommandInvoker$AsyncCommandRunner.call(CommandInvoker.java:1150)

    at java.util.concurrent.FutureTask.run(FutureTask.java:266)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

    at java.lang.Thread.run(Thread.java:748)



    It looks like I have those errors only when the script is changing the reputation and I don't know why since reputations are properly set after the script.

    I have tested a bunch of different configurations with the brokers, but the error is still there.

    I can provide the code if there is any need to do so.


    Can someone explain to me why orion.log is generating those ERRORS?



    Thank you for your time