Advanced Threat Defense 3.4.8 Product Guide
Contents
1. Creating analyzer VM: Create a VMDK file for Windows 8 (continued)
Step 10: In the Memory for the Virtual Machine window, set 2048 MB as the memory. (The wizard notes that the memory size must be a multiple of 4 MB; 2048 MB is the recommended memory and 1024 MB is the guest OS recommended minimum.)
Step 11: In the Network Type window, leave the default selection. (The wizard offers bridged networking with the guest's own IP address on the external network, NAT using the host's IP address, a host-only private virtual network, or no network connection.)
Step 12: In the Select I/O Controller Types window, leave the default selection.
2. Creating analyzer VM: Create a VMDK file for Windows 2008 Server
Step 17: In the Ready to Create Virtual Machine window, select Power on this virtual machine after creation and click Finish. This step might take around 30 minutes to complete. The wizard summary shows: Name virtualMachineImage; Version Workstation 9.0; Operating System Windows Server 2008 x64; Hard Disk pre-allocated; Memory 3072 MB; Network Adapter NAT; Other Devices CD/DVD, USB Controller, Printer, Sound Card.
Step 18: If the Removable Devices pop-up window is displayed, select Do not show this hint again and click OK. Windows begins to install, which might take around 15 minutes.
3. Option / Definition (Add users, continued)
Company: Optionally enter the organization to which the user belongs.
Phone: Optionally enter the user's phone number.
Address: Optionally enter the user's address for communication.
State: Optionally enter the corresponding State for the address you entered.
Country: Optionally enter the corresponding Country for the address you entered.
Default: Select the analyzer profile that must be used for files submitted by the user. Users who manually submit files can override this setting by selecting a different analyzer profile at the time of file submission.
User Type: Select the user type from the drop-down list. For example, select NSP if you want to submit samples using a Network Security Platform Sensor.
Roles:
- Admin User: Select to assign super-user rights in the McAfee Advanced Threat Defense web application. Users with this role can access all menus and create other users.
- Web Access: This role enables a user to submit files using the McAfee Advanced Threat Defense web application and view the results. Users with this role can access all features but can only view their own user profile. Also, when they manually submit files, they can assign only the analyzer profiles that they created.
- FTP Access: Select to assign access to the FTP server hosted on the McAfee Advanced Threat Defense Appliance to submit files for analysis. You must log in to the FTP server as the atdadmin user before upl
4. Creating analyzer VM: Create a VMDK file for Windows 8
Step 44: To analyze PDF files:
1. Install Adobe Reader 9.0 in the VM (download Adobe Reader on the native host and copy it to the VM).
2. Open Adobe Reader and click Accept to agree to the Warranty Disclaimer and Software License Agreement.
3. a. In Adobe Reader, select Edit > Preferences > General and deselect Check for updates.
   b. In Adobe Reader, select Help > Check for updates > Preferences and deselect Adobe Updates.
5. Creating analyzer VM: Create a VMDK file for Windows 7
Step 27: Enable FTP on the virtualMachineImage VM. In the VM, select Start > Control Panel > System and Security > Administrative Tools, double-click Internet Information Services (IIS) Manager, expand the tree under the hostname, and complete the following:
1. Select Sites, right-click Default Web Site and select Remove. Confirm by clicking Yes when asked whether you are sure you want to remove the selected site.
2. Right-click Sites and select Add FTP Site. Then complete the following:
   a. For FTP site name, enter root.
   b. For Physical path, enter C:\
   c. Click Next.
3. For Binding and SSL Settings, select No SSL. For all other fields, leave the default values and click Next.
6. Creating analyzer VM: Create a VMDK file for Windows 7
Step 42: To analyze PDF files, download Adobe Reader to the native host and copy it to the VM. This procedure uses Adobe Reader 9.0 as an example.
1. Install Adobe Reader 9.0 in the VM.
2. Open Adobe Reader and click Accept to agree to the Warranty Disclaimer and Software License Agreement.
3. a. In Adobe Reader, select Edit > Preferences > General and deselect Check for updates.
   b. In Adobe Reader, select Help > Check for updates > Preferences and deselect Adobe Updates.
7. Analyzing malware: Working with the Advanced Threat Defense Dashboard
2. Specify the criteria for the data to be displayed in the monitors.
   a. Specify the time period for the information to be displayed in the monitors. For example, you can select to view the information for the past one hour. By default, data for the past 14 days is shown. This field does not affect the System Health and System Information monitors.
   b. To refresh the monitors now, click the refresh icon.
   Click the settings icon to edit the dashboard settings.
Table 8-11 Dashboard settings
Option / Definition
Monitors: Select the monitors that you want to see on the Dashboard.
Automatic Refresh: Set the frequency at which the Dashboard should automatically refresh itself. If you want to refresh the dashboard only manually, select Disabled. When required to refresh the Dashboard, click the refresh icon. This enables you to view a snapshot of the Dashboard at a specific point in time.
Layout: Specify the number of columns into which you want to organize the Dashboard.
OK: Click to save and apply the Dashboard settings.
Cancel: Click to retain the last saved settings.
Click the save icon to save the dashboard settings.
3. Optionally, set the display settings for each monitor. To collapse a monitor, click the collapse icon. To hide a monitor, click the hide icon. To change the display format of a monitor, click the display format icon.
Malware analysis monitors: The following are
8. Configuring Advanced Threat Defense for malware analysis
1. Select Policy > Analyzer Profile. If you have web access, you can view only the analyzer profiles that you created. If you have admin access, you can view all the analyzer profiles currently in the database.
2. Select the required record and click Edit. The Analyzer Profile page is displayed.
3. Make the changes to the required fields and click Save. The changes affect the corresponding users even if they are currently logged on.
Delete analyzer profiles
Before you begin: Make sure the users to whom you have assigned this analyzer profile are not currently logged on to McAfee Advanced Threat Defense.
Task
1. Select Policy > Analyzer Profile. If you have web access, you can view only the analyzer profiles that you created. If you have admin access, you can view all the analyzer profiles currently in the database.
2. Select the required record and click Delete.
3. Click Yes to confirm deletion.
Integration with McAfee ePO for OS profiling
Integrating Advanced Threat Defense and McAfee ePO enables Advanced Threat Defense to correctly identify the target host environment and use the corresponding analyzer VM for dynamic analysis. To determine the analyzer VM for a file submitted by Network Security Platform or McAfee Web Gateway, Advanced Threat Defens
9. Creating analyzer VM: Create a VMDK file for Windows 8
2. Select Tools > Internet Options and, for Home page, select Use Blank or Use new tab, depending on the version of Internet Explorer.
3. Go to the Advanced tab of Internet Options and locate the Security section.
4. Select Allow active content to run in files on My Computer.
5. Click OK.
Step 51: To dynamically analyze Flash (SWF) files, install the required version of Adobe Flash:
1. Go to https://community.mcafee.com/docs/DOC-6859
2. Refer to "Adobe flash player installation guidance.docx".
Step 52: Shut down virtualMachineImage by selecting Start > Shut down.
Step 53: Go to the location that you provided in step 8 to find
10. CLI commands for McAfee Advanced Threat Defense ... 343
Issuing CLI commands ... 343
How to issue a command through SSH ... 343
Logging on to the McAfee Advanced Threat Defense Appliance using an SSH client ... 343
Auto-complete ... 344
Mandatory commands ... 344
Managing the disks of the McAfee Advanced Threat Defense Appliance
List of CLI commands ... 346
backup reports ... 346
backup reports date ... 347
blacklist ... 347
clearstats all ... 348
clearstats ... 348
clearstats lb ... 348
clearstats tepublisher ... 349
cluster withdraw ... 349
createDefaultVms ... 349
11. Configuring Advanced Threat Defense for malware analysis: Integration with McAfee ePO for OS profiling
Task
1. Select Manage > Configuration > ePO Login / DXL Setting. The ePO Login / DXL Setting page is displayed. It contains the ePO User Credentials section (Enable ePO Login, Enable OS Profiling, Login ID, Password, IP Address, Port Number, Submit, Test ePO Login), the DXL Setting section (Enable DXL communication, DXL Status, Apply, Test Connection) and the Publish Threat Events to ePO section (Enable Threat Event Publisher, Publisher Status, Apply).
2. Select Enable ePO Login.
3. If you require the OS profiling service from McAfee ePO, select Enable OS Profiling.
4. Enter the details in the appropriate fields.
Option / Definition
Login ID: Enter the McAfee ePO logon name that Advanced Threat Defense uses to access the McAfee ePO server. McAfee recommends that you create a dedicated McAfee ePO user account with only the view permissions required for the integration, rather than reusing an administrative account.
Password: Enter the password corresponding to the Login ID that you entered.
IP Address: Enter the IPv4 address of the McAfee ePO server. Contact your McAfee ePO administrator for the IP address.
Port Number: Specify the HTTPS listening port on the McAfee ePO server used for the Advanced Threat Defense to McAfee ePO communication. Contac
12. Clustering McAfee Advanced Threat Defense Appliances: How the Advanced Threat Defense cluster works
- If the Backup is not serving as the Active Primary, the administrator deletes the previously configured Backup and adds a new node with the backup role.
- If the Backup is serving as the Active Primary, the administrator destroys the cluster and reconfigures the Advanced Threat Defense nodes with the new roles.
Process flow for Network Security Platform
Consider a scenario where a Sensor is inline between the endpoints on your network and the Web. This Sensor is integrated with an Advanced Threat Defense cluster consisting of 3 Advanced Threat Defense Appliances.
Figure 9-3 Network Security Platform integrated with an Advanced Threat Defense cluster (components shown: Web, Manager, Sensor, and the cluster nodes)
Number / Description
1. The endpoints attempt to download files from the Web. The inline monitoring ports detect this activity.
2. For a given file, the Sensor withholds the last packet from being forwarded to the endpoint and simultaneously streams the file packets to the primary Advanced Threat Defense for analysis. For this purpose, the Sensor and the primary Advanced Threat Defense use their management ports.
3. After the entire file is with the primary Advanced Threat Defense, it distributes this file to one of the appliances in the cluster. For all communication, the members in the cluster use their mana
13. Creating analyzer VM: Create a VMDK file for Windows 7
Step 5: In the Guest Operating System Installation window, select either Installer disc or Installer disc image file (iso), browse and select the ISO image, and then click Next. (The wizard detects Windows 7 x64 and states that this operating system will use Easy Install.)
Step 6: Enter the information in the Easy Install Information window and then click Next.
- Windows product key: Enter the license key of the Windows operating system for which you are creating the VMDK file.
- Full name: You must enter administrator as the Full name.
- Password: You must enter cr@cker42 as the password. This is the password that Advanced Threat Defense uses to log on to the VM.
- Confirm: Enter cr@cker42 again to confirm.
- Log on automatically (requires a password): Deselect this box.
14. Creating analyzer VM: Create a VMDK file for Windows 2008 Server
b. In the Add FTP Site wizard, enter the following under Binding and SSL Settings:
   a. IP Address: Select All Unassigned from the drop-down.
   b. Port: Enter the port number (the wizard shows 21).
   c. Select Start FTP site automatically.
   d. Click Next.
c. In the Add FTP Site wizard, select the required fields under Authentication, Authorization and Permissions, and click Finish.
Step 28: Select Start > Run, enter netplwiz and press OK.
Step 29: In the User Accounts window, deselect "Users must enter a user name and password to use this computer" and click Apply.
Step 30: In the Automatically Log On pop-up window, complete the following and then press OK in the message boxes
15. (show intfport output, continued)
- Total CRC errors sent
- Total other errors sent
- IP address of the port
- MAC address of the port
- Whether the port is used to provide Internet access to analyzer VMs
- If configured to provide Internet access to analyzer VMs, the corresponding gateway for this traffic
show logconfig
Use this command to list the current debug mode employed for debugging.
Syntax: show logconfig
This command has no parameters.
Sample output: Logging is ON mode send to syslog
show pdflinks
Use this command to view whether or not a validation operation is performed by GTI on links embedded inside PDFs during dynamic analysis.
Syntax: show pdflinks
This command has no parameters.
Sample output: GTI validation of PDF URLs is OFF
set IPAddressSwap
When you submit samples for analysis through NSP, the source and destination IP information is swapped for the submitted samples. To reverse this aberration caused by NSP, McAfee Advanced Threat Defense provides the set IPAddressSwap command. This command nullifies the swap effect of NSP and displays the correct source and destination IP information for samples submitted through NSP. However, for samples submitted from NGFW to McAfee Advanced Threat Defense, the source and destination IP information is displayed correctly. Hence, based on preference, the user can use the following command to enable or disable IPAddressSwap.
Syntax: set IPAddressSwap <enable> <di
16. A security solution that relies on a single method or process might not be adequate to provide complete and reliable protection from malware attacks. You might need a multi-layered solution that involves various techniques and products. The solution can include pattern matching, global reputation, program emulation, static analysis, and dynamic analysis. All these layers must be seamlessly integrated and provide you with a single point of control for easy configuration and management. For example, pattern matching might not detect zero-day attacks. Similarly, static analysis takes less time than dynamic analysis; however, malware can evade static analysis by code obfuscation. Malware can escape dynamic analysis too, by delaying execution or taking an alternate execution path if it detects that it is being run in a sandbox environment. This is why reliable protection from malware requires a multi-level approach. There are other industry-leading McAfee anti-malware products for the web, network, and endpoints. However, McAfee recognizes that a robust anti-malware solution requires a multi-layered approach, the result of which is Advanced Threat Defense. The Advanced Threat Defense solution primarily consists of the Advanced Threat Defense Appliance and the pre-installed software. The Advanced Threat Defense Appliance is available in two models: the standard model is the ATD-3000 and the high-end model is the ATD-6000. Advanced Threat Defense
17. Creating analyzer VM: Create a VMDK file for Windows 2003 Server
(Windows Firewall dialog, General tab: On (recommended), which blocks all outside sources from connecting to this computer except those selected on the Exceptions tab; Don't allow exceptions; Off (not recommended), which the dialog warns may make this computer more vulnerable to viruses and intruders.)
Step 32: Click Start and right-click My Computer. Then select Manage > Services and Applications > Services. Then double-click Telnet.
Table 5-3 Creat
18. Analyzing malware: View the analysis results
Figure 8-14 Layout of the subroutine relationships
The graph depicts an overview of the complexity of the sample as seen by the cross-reference of function calls. Zooming in shows more detail on the function names and their addresses.
Figure 8-15 Zoom in on the layout
Two colors are used to indicate the executed path. The red dashed lines show the non-executed path and the blue solid lines show the executed path. According to the preceding control graph, the subroutine Sub_004017A0 at virtual address 0x004017A0 was executed, and is shown with a blue solid line pointing to the Sub_004017A0 box. However, the subroutine GetVersion was potentially not called, as there is a red dashed line pointing to it. The Sub_004017A0 subroutine makes 11 calls, as there are 11 lines coming out of this box. Seven of these 11 calls were executed during dynamic analysis. One of them is calling Sub_00401780, as there is a blue solid line pointing
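The figure is read by eye above (11 outgoing lines, 7 of them solid). The same reading can be done from data when the cross-reference is exported. The following is an added example, not code from the product guide or from McAfee: it models each call as an edge tagged executed (blue solid) or not (red dashed) and computes the per-subroutine counts the text describes. The edge list is constructed for illustration; only Sub_004017A0, Sub_00401780 and GetVersion are taken from the guide's description, the remaining callee names are placeholders.

```python
"""Executed vs. non-executed call edges in a subroutine cross-reference graph."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallEdge:
    caller: str
    callee: str
    executed: bool  # True: blue solid line; False: red dashed line


def build_graph(edges):
    """Return {caller: {callee: executed}} keyed by caller."""
    graph = defaultdict(dict)
    for e in edges:
        # A call seen executed anywhere wins over a non-executed duplicate edge.
        graph[e.caller][e.callee] = graph[e.caller].get(e.callee, False) or e.executed
    return graph


def call_summary(graph, subroutine):
    """(outgoing calls, executed calls, sorted executed callees) for one subroutine."""
    callees = graph.get(subroutine, {})
    executed = sorted(c for c, ran in callees.items() if ran)
    return len(callees), len(executed), executed


def never_executed_callees(graph):
    """Callees that are referenced but reached by no executed edge (GetVersion in the figure)."""
    reached, any_executed = set(), set()
    for callees in graph.values():
        for callee, ran in callees.items():
            reached.add(callee)
            if ran:
                any_executed.add(callee)
    return sorted(reached - any_executed)


# Constructed sample matching the guide's figure: Sub_004017A0 makes 11 calls,
# 7 of which were executed during dynamic analysis, one of them Sub_00401780.
# Callee names other than Sub_00401780 and GetVersion are placeholders.
SAMPLE_EDGES = [
    CallEdge("start", "Sub_004017A0", True),
    CallEdge("Sub_004017A0", "Sub_00401780", True),
    *[CallEdge("Sub_004017A0", f"Sub_0040{0x1800 + 0x20 * i:04X}", True) for i in range(6)],
    CallEdge("Sub_004017A0", "GetVersion", False),
    *[CallEdge("Sub_004017A0", f"Sub_0040{0x1A00 + 0x20 * i:04X}", False) for i in range(3)],
]

if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    total, ran, executed = call_summary(g, "Sub_004017A0")
    print(f"Sub_004017A0: {ran}/{total} outgoing calls executed: {executed}")
    print("referenced but never executed:", never_executed_callees(g))
```

A callee in the never-executed list is a candidate for a path the sample took only under conditions the sandbox did not meet, which is the same question the colored edges answer visually.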
19. Creating analyzer VM: Managing VM profiles
Figure 5-9 Shut down the VM
6. Click Disconnect once activation is complete.
7. Click Validate. Image validation is in progress. (Figure 5-10 Validating the image file shows: Image winXPsp3.img; Name winXPsp3; Description Windows XP SP3; Default Profile; Maximum licenses 3; and the Check status, Save, Delete and Cancel controls.)
The validation log shows messages such as "Java exist OK" and "flash not exist OK".
After importing the VMDK file to the Advanced Threat Defense Appliance, the Windows VM needs to be reactivated, because the MAC ID changes once the software is imported to different hardware. Refer to KB83738 to resolve the issue.
Once validated, Advanced Threat Defense ensures that the VM is adapted to the Advanced Threat Defense Appliance hardware. It also checks whether the VM is working correctly, configures the required networking details, checks the applications installed, and so on. If the VM is found to work correctly, the validation is successful. Click Check Status to view the image validation log. You can proceed to create the VM profile only if the validation is successful. If the validation fails, review the validation log for the reason. Then create a new VMDK with the correct settings and redo the process of creating the analyzer VM.
20. (Java Control Panel, Update tab: the Java Update mechanism ensures you have the most recent version of the Java platform; the options control how updates are obtained and applied, including Notify Me.)
Step 61: In the Java Update Warning dialog (which states that you have chosen to stop automatically checking for updates and will miss future security updates), select Do Not Check, and then click OK in the Java Control Panel.
Step 62: In the Windows Run dialog, enter msconfig.
Creating analyzer VM: Create a VMDK file for Windows 2003 Server
Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 63: In the System Configuration Utility, go to the Startup tab. Deselect reader_sl and jusched, and then click OK. reader_sl is displayed
21. Label / Description
1. USB ports
2. USB ports
3. Management port. This is the eth-0 interface. The set appliance and set mgmtport commands apply to this interface. For example, when you use the set appliance ip command, the corresponding IP address is assigned to this interface.
Additional I/O module ports (connectors): These are the eth-1, eth-2 and eth-3 interfaces respectively. These interfaces are disabled by default.
- To enable or disable an interface, use the set intfport command. For example, set intfport 1 enable enables eth-1.
- To assign the IP details to an interface, use set intfport <1|2|3> ip <IPv4 address> <subnet mask>. For example: set intfport 1 ip 10.10.10.10 255.255.255.0
- You cannot assign the default gateway to this port. However, you can configure a route on this interface to route traffic to the desired gateway. To configure a route, use route add network <IPv4 subnet> netmask <netmask> gateway <IPv4 address> intfport 1. For example: route add network 10.10.10.0 netmask 255.255.255.0 gateway 10.10.10.1 intfport 1. This command routes all traffic destined for the 10.10.10.0/24 network to 10.10.10.1 through eth-1.
Video connector
NIC 1 (currently not used)
NIC 2 (currently not used)
RJ45 serial A port
I/O module ports (connectors): not used
Add-in adapter slots from riser card
RMM4 NIC port
Power supply module 2
Pow
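Because eth-1, eth-2 and eth-3 cannot carry a default gateway, every route added on them must name a gateway the appliance can actually reach on that interface's subnet; the guide does not spell this out but ordinary IP routing requires it. The following is an added example, not code from the product guide or from McAfee: it checks an interface address and a candidate route against that rule and renders the guide's command sequence only when the route is sane. The on-link requirement is standard IP behaviour assumed by this example, not a check the appliance CLI is documented to perform.

```python
"""Sanity-check an I/O-port IP assignment and static route before typing them into the CLI."""
import ipaddress


def interface_network(ip, mask):
    """On-link network for an interface, e.g. 10.10.10.10 / 255.255.255.0 -> 10.10.10.0/24."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def check_route(intf_ip, intf_mask, network, netmask, gateway):
    """Return (ok, reason) for a route that would be bound to the given interface."""
    link = interface_network(intf_ip, intf_mask)
    gw = ipaddress.ip_address(gateway)
    dest = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    if gw not in link:
        # No default gateway exists on eth-1/2/3, so an off-link gateway is unreachable.
        return False, f"gateway {gw} is not on the interface subnet {link}"
    if gw == ipaddress.ip_address(intf_ip):
        return False, "gateway equals the interface's own address"
    if dest == link:
        # The guide's own example: the destination is the connected subnet itself.
        return True, f"{dest} is directly connected; the route only restates the link"
    return True, f"{dest} via {gw} on {link}"


def cli_lines(port, intf_ip, intf_mask, network, netmask, gateway):
    """Render the guide's enable / ip / route commands for a port, or raise on a bad route."""
    ok, reason = check_route(intf_ip, intf_mask, network, netmask, gateway)
    if not ok:
        raise ValueError(reason)
    return [
        f"set intfport {port} enable",
        f"set intfport {port} ip {intf_ip} {intf_mask}",
        f"route add network {network} netmask {netmask} gateway {gateway} intfport {port}",
    ]


if __name__ == "__main__":
    # The guide's example values, followed by a remote network reached through the same gateway.
    for line in cli_lines(1, "10.10.10.10", "255.255.255.0", "10.10.10.0", "255.255.255.0", "10.10.10.1"):
        print(line)
    print(check_route("10.10.10.10", "255.255.255.0", "192.168.5.0", "255.255.255.0", "10.10.20.1"))
```

Run it before a change window: a rejected gateway means the route would be accepted by the CLI syntax but never carry traffic.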
22. (Ready to Create Virtual Machine summary: Name virtualMachineImage; Customize Hardware; Power on this virtual machine after creation.)
Step 18: If the Removable Devices pop-up window is displayed, select Do not show this hint again and click OK. Windows begins to install, which might take around 15 minutes.
Creating analyzer VM: Create a VMDK file for Windows 7
Step 19: If the Set Network Location window is displayed, select Public network and click Close. (The dialog also offers Home network and Work network, and a checkbox to treat all future networks as public.)
Step 20: Stop the VMware Tools installation. VMware Tools are not compatible with Advanced Threat Defense. If you did not stop the VMware Tools installation, yo
23. Analyzing malware: Analyze URLs
Task
1. Select Analysis > Manual Upload.
2. In the Manual Upload page, specify the details according to your requirement.
Figure 8-6 Submit a URL for malware analysis (fields shown: Upload method URL; URL; Analyzer Profile; Submit; Advanced)
Table 8-3 Option definitions
Option / Definition
Upload method: Select an upload method from the drop-down list.
- URL: The URL is analyzed directly on the VM analyzer.
- URL Download: The file referred to by the URL is downloaded to the Advanced Threat Defense appliance, and the downloaded file is sent to the VM analyzer for analysis.
URL: Only HTTP, HTTPS and FTP are supported, so specify the protocol identifier in the URL. Preferably enter the entire URL. When Advanced Threat Defense dynamically analyzes the URL, the browser might add any missing items. For example, if you enter http://google.com, the browser in the analyzer VM might correct it to http://www.google.com.
Analyzer Profile: Select the required analyzer profile for the sample. Only those analyzer profiles that have sandbox and malware Internet access are listed.
Advanced: Click to specify user-interactive mode for analyzing the URL. The Advanced option is available only when you manually submit the file using the Advanced Threat Defense web application. Upon execution, some malware
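The URL field above is the point where an incomplete submission is silently rewritten by the analyzer VM's browser, so the sample that runs may not be the one the submitter meant. The following is an added example, not code from the product guide or from McAfee: a pre-submission check that enforces the guide's stated rules (a protocol identifier is required; only HTTP, HTTPS and FTP are supported), normalizes only the parts of the URL that are case-insensitive, and warns on things the guide does not mention but a submitter should know, namely embedded credentials (which end up in the submission record) and single-label hosts (the case the browser is most likely to rewrite). Those two warnings are this example's own choice.

```python
"""Validate and normalize a URL before submitting it to Manual Upload."""
from urllib.parse import urlsplit, urlunsplit

SUPPORTED_SCHEMES = ("http", "https", "ftp")  # the protocols the guide lists as supported


def validate_submission_url(url):
    """Return (normalized_url, warnings) or raise ValueError with the reason it was rejected."""
    parts = urlsplit(url.strip())
    if not parts.scheme:
        raise ValueError("protocol identifier missing: prefix http://, https:// or ftp://")
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        raise ValueError(f"unsupported protocol {scheme!r}; only HTTP, HTTPS and FTP are supported")
    if not parts.hostname:
        raise ValueError("URL has no host")

    warnings = []
    if parts.username is not None:
        # Not a rule from the guide: credentials in the URL are stored with the submission.
        warnings.append("URL embeds credentials; they will appear in the submission record")
    if "." not in parts.hostname and parts.hostname != "localhost":
        warnings.append("host is a single label; the analyzer VM's browser may rewrite it")

    # Scheme and host are case-insensitive; path, query and user info are not, so keep them intact.
    host = parts.hostname  # urlsplit already lower-cases the host
    if ":" in host:        # bare IPv6 literal, restore the brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    if parts.username is not None:
        cred = parts.username if parts.password is None else f"{parts.username}:{parts.password}"
        netloc = f"{cred}@{netloc}"
    normalized = urlunsplit((scheme, netloc, parts.path or "/", parts.query, parts.fragment))
    return normalized, warnings


if __name__ == "__main__":
    # Constructed inputs: the guide's own example, plus rejections the guide's rules imply.
    for candidate in ("http://google.com", "google.com", "javascript:alert(1)"):
        try:
            print(candidate, "->", validate_submission_url(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Note that the normalized form still leaves http://google.com as entered; the function reports the browser-rewrite risk as a warning rather than guessing a www prefix, because the whole point is to submit exactly the target the analyst chose.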
24. Understanding the Advanced Threat Defense cluster
Clustering Advanced Threat Defense Appliances is a feature that is available from release 3.2.0. To create a cluster of Advanced Threat Defense Appliances, you need two or more functional Advanced Threat Defense Appliances. Among these Appliances, identify the Primary Advanced Threat Defense Appliance; all the other Advanced Threat Defense Appliances act as secondaries. With release 3.4.2, a node that is in the same L2 network as the Primary Advanced Threat Defense Appliance can be directly added as a Backup node, which takes over as the Primary node if the original Primary node is down. You use the web application of the Primary node to integrate these Advanced Threat Defense Appliances to form the cluster. Each Advanced Threat Defense Appliance in a cluster is referred to as a node. The Primary node, or the primary Advanced Threat Defense Appliance, acts as the external interface for the cluster. That is, from the standpoint of configuration and file submission, the Primary node is virtually associated with the IP address of the cluster. The integrated products and users access the Primary node to submit files for analysis and retrieve the results and reports. The Primary node is also the template and control center for the cluster. It is responsible for load balancing the files among all nodes and for retrieving the reports of analyzed files. If a Backup node is present in the cluster, then these integr
25. User Name: The user name that McAfee Advanced Threat Defense must use to access the FTP server.
Password: The password for accessing the FTP server.
- Test: Verify that McAfee Advanced Threat Defense is able to communicate with the specified FTP server using the specified protocol (FTP or SFTP).
Save: Creates the user record with the information you provided. If you configure an FTP server for result output, make sure that the test connection is successful before you click Save.
Cancel: Closes the User Management page without saving the changes.
Edit Users
If you are assigned the admin user role, you can edit the user profiles. If you intend to modify the mandatory fields, then as a best practice make sure the corresponding user is not logged on. If you are assigned only the web access or RESTful access roles, only your own user profile is available for editing.
Task
1. Select Manage | User Management. The current list of users is displayed.
2. Select the required user record and click Edit. The User Management page is displayed.
3. Make the changes to the required fields and click Save. For information on the fields, see Add users on page 39.
Delete Users
If you are assigned the admin user role, you can delete user records. Make sure that the corresponding user is not logged on.
Note: You cannot delete any predefined user records, which are the admin user record, the user record for Network Security Platform
26. Step 3: In the New Virtual Machine Wizard window, select Custom (advanced) and click Next.
Create a VMDK file for Windows 7 (continued)
Step 4: In the Choose the Virtual Machine Hardware Compatibility window, select Workstation 9.0 from the Hardware compatibility drop-down list. For the other fields, leave the default values and click Next.
27. Creating analyzer VM: Create a VMDK file for Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 19: Enter the following details in the Windows Setup window:
- Name: Enter root.
- Organization: Leave this blank and click Next.
Step 20: Enter a valid product key and click Next.
Step 21: Select Per Server licensing mode and enter the valid number of concurrent connections as per your license.
Step 22: Enter t
28. Step 57: Download the following:
1. Download Microsoft Visual C++ 2005 Redistributable Package (x86) from http://www.microsoft.com/en-us/download/details.aspx?id=3387 and install it.
2. Download Microsoft Visual C++ 2008 Redistributable Package (x86) from http://www.microsoft.com/en-us/download/details.aspx?id=5582 and install it.
3. Download Microsoft Visual C++ 2010 Redistributable Package (x86) from http://www.microsoft.com/en-us/download/details.aspx?id=5555 and install it.
4. Download Microsoft .NET Framework 2.0 Service Pack 2 (x86 version) from http://www.microsoft.com/en-us/download/details.aspx?id=1639 and install it.
Step 58: To analyze JAR files:
1. Go to https://community.mcafee.com/docs/DOC-6858, then download and install Java Runtime Environment.
2. Refer to Java installation guidance.docx.
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 59: Open Java in the Control Panel.
Step 60: In the Update tab, deselect Check for Updates Automatically.
29. (Run dialog screenshot: Open: msconfig)
Table 5.2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 65: In the System Configuration Utility, go to the Startup tab. Deselect reader_s and jusched, and then click OK.
Step 66: In the System Configuration dialog, click Restart.
Step 67: In the System Configuration Utility dialog, select Don't show this message or launch the System Configuration Utility when Windows starts, and click OK.
30. 5. Click OK.
Step 52: To dynamically analyze Flash files (SWF), install the required version of Adobe Flash:
1. Go to https://community.mcafee.com/docs/DOC-6859.
2. Refer to Adobe flash player installation guidance.docx.
Step 53: Shut down the VM.
Step 54: Go to the location that you provided in step 8 to find the VMDK file named virtualMachineImage-flat.vmdk.
Import a VMDK file into Advanced Threat Defense
Before you begin
- You have the VMDK file at hand.
- The operating system has all the applications that you require, such as Microsoft Office applications, Adobe PDF Reader, and so on.
- The VMDK file does not contain any spaces in its file name. If it contains any spaces, the subsequent VMDK-to-image file conversion will fail.
To create an analyzer VM, you must first import the corresponding VMDK file into Advanced Threat Defense. By default, you can use only SFTP to import the VMDK file. To use FTP, you must enable it using the set ftp CLI command. See s
31. Restarting lighttpd service
route add | delete network
These CLI commands are available for adding and deleting a static route to McAfee Advanced Threat Defense.
To add a route:
route add network <network ip> netmask <netmask> gateway <gateway ip> intfport <port number 1>|<port number 2>|<port number 3>
Example: route add network 1.1.1.0 netmask 255.255.255.0 gateway 1.1.1.1 intfport 1
To delete a route:
route delete network <network ip> netmask <netmask> gateway <gateway ip> intfport <port number 1>|<port number 2>|<port number 3>
Example: route delete network 1.1.1.0 netmask 255.255.255.0 gateway 1.1.1.1 intfport 1
samplefilter
This command is specific to Network Security Platform Sensors. Use this command to prevent Sensors from sending unsupported file types to McAfee Advanced Threat Defense for analysis.
Syntax: samplefilter <status>|<enable>|<disable>
Parameter / Description:
status: Displays whether the sample filtering feature is currently enabled or disabled. By default, it is enabled.
enable: Sets sample filtering on. When it is enabled, McAfee Advanced Threat Defense considers only the supported file types from Network Security Platform for analysis. Refer to Analyzing malware on page 5 for the list of
32. Sample output: set pdflinks enable
Enable pdflinks operation: pdflinks <enable>|<disable>
set filesizes
Enables the McAfee Advanced Threat Defense user to change the minimum and maximum file size as per their requirement.
Syntax: set filesizes <type number> <minimum size> <maximum size> <restart engine>
Parameter / Description:
type number: Type of file submitted for analysis.
minimum size: Minimum file size.
maximum size: Maximum file size.
restart engine: Uses a value of 1 or 0. 1 restarts the AMAS service (this is required for NSP and NGFW integration). 0 keeps the AMAS service running (use this when submission is through the GUI or REST API).
The table below describes the different file types and their respective type number, minimum file size, and maximum file size.
Type number | File description | Minimum size | Maximum size
1 | Windows portable executable (PE): exe, dll, or sys file | 1024 | 10000000
2 | PDF document file with pdf extension | 2048 | 25000000
3 | Java class data file with class extension | 1024 | 5000000
4 | Microsoft Office older files with doc, ppt, or xls extension | 5120 | 10000000
5 | Microsoft rich text format file with rtf extension | 1024 | 10000000
6 | Zip file, APK file, or newer Microsoft Office file with docx, pptx, or xlsx extension | 200 | 20000000
 | JPEG image file | 5120 | 1000000
 | PNG image file | 5120 | 1000000
 | GIF image bitm
33. Scan Complete
Host verification: PASS
2014 06 12 07 55 12 533 INFO Validating the VM host is done successfully
2014 06 12 07 55 12 534 INFO The image has been validated successfully
Figure 5.11 Image validation log
Customers can delete the img files directly from the Advanced Threat Defense interface. This will delete any unnecessary image files stored in the back end. Only admin role users can delete the image files; non-admin users cannot delete the file. An image can be deleted only if it is not in use (no VMs were created from it). Use the following steps to delete unwanted images: Policy | VM Profile | New, select the img file from the drop-down, Delete. If the selected image is in use, then the following message appears: The image file is in use and cannot be removed.
Managing VM profiles
8. Create the VM profile for the VM that you created by entering the appropriate information in the respective fields.
Table 5.4 Option definitions
Name: The name of the image file is automatically displayed as the name for the VM profile. You cannot modify it.
Description: Optionally, provide a detailed description of the VM profile.
Default Profile: The first time, you must select it to make the VM profile the default one. Subsequently, you can select or ignore it. For a file, if the target host
34. Table 10.1 CLI commands for managing the disks
Command / Description:
copyto backup: Copies the software version on the active disk to the backup disk. For example, if you find the current active software version to be stable, you can back it up to the backup disk. This command works only if the Appliance had been booted from the active disk.
copyto active: Copies the software version from the backup disk to the active disk. However, you must restart the McAfee Advanced Threat Defense Appliance for it to load this new image from the active disk. Note: This command works only if the Appliance had been booted from the backup disk.
reboot backup: Reboots the Appliance with the software version on the backup disk.
reboot active: Reboots the Appliance with the software version on the active disk.
List of CLI commands
This section lists the McAfee Advanced Threat Defense CLI commands in alphabetical order.
amas
Use this command to restart, start, or stop the amas services.
Syntax: amas <word>
Parameter / Description:
<WORD>: The amas service you want to stop.
Example: amas start | stop | restart
atdcounter
Displays the engine-specific counters, e.g. files sent and processed by GTI, MAV, GAM, Amas, and so on.
Syntax: atdcounter
This command has no parameters.
backup reports
Use this command to create a backup of the McAfee Advanced Threat Defense reports on an external FTP/SFTP server
35. This monitor shows the version numbers of the software components related to Advanced Threat Defense.
System Information: MATD Version 3.0.1.130821.04; McAfee AV DAT Version 7177; McAfee AV Engine Version 5600; McAfee GAM DAT Version 2122; McAfee GAM Engine Version 7001.1202.1796
Figure 8.26 System Information monitor
Clustering McAfee Advanced Threat Defense Appliances
When you have a very heavy load of files to be analyzed for malicious content, you can cluster two or more McAfee Advanced Threat Defense Appliances so that the analysis load is efficiently balanced between the McAfee Advanced Threat Defense Appliances (nodes) in the cluster. Consider multiple inline Sensors submitting hundreds of files per second to one McAfee Advanced Threat Defense Appliance. In blocking mode, a Sensor waits for up to 6 seconds for McAfee Advanced Threat Defense to analyze a file. After this time period, the Sensor forwards the file to the target endpoint. A faster response from McAfee Advanced Threat Defense could be accomplished by clustering McAfee Advanced Threat Defense Appliances for load balancing.
Contents
- Understanding Advanced Threat Defense cluster
- Pre-requisites and considerations
- Network connections for an Advanced Threat Defense cluster
- How the Advanced Threat Defense cluster works
- Configuring an Advanced Threat Defense cluster: high-level steps
36. You can specify these criteria based on time or number. For example, you can select to view the status for files submitted in the last 5 minutes or for the last 100 samples. To refresh the Analysis Status page now, click the refresh icon.
3. Filter the displayed records to locate the required ones.
Table 8.4 Filtering options
Option / Definition:
Search: Specify the parameter that you want to use to filter the records. Click Search and select one or more of the following parameters:
- Set the criteria to display records on the Analysis Status page.
- File Name: Select if you want to filter based on the starting characters of the file name. For example, if you select this option and enter cal as the search string, then the status for file names that start with cal is listed.
- MD5: Select if you want to filter based on the starting characters of the MD5 hash value.
- VM Profile: Select if you want to filter based on the available VM profiles.
- File Type: The type of file format that is submitted for analysis.
- Analyzer Profile: The analyzer profile that was referred to for the analysis. If the file was analyzed only by a static method, that is displayed.
- User: The log-on name of the user who submitted the file for analysis.
- Source IP: The IP of the host that sent the analyzed file. This is relevant only for files au
37. displaying the records sorted as per the chosen block.
Top 10 File Types by Volume
This monitor shows the count of the top 10 file types based on their volume. In the tabular format, it shows the percentage for each type. In the chart, it also shows the count of malicious, not malicious, and not rated files.
Figure 8.17 Top 10 File Types by Volume monitor (chart of file types: PDF, HTML Document, Image File, MS Office Suite, Other, Plain Text, RAR Archive, Win32 Exe, Win64 Exe, XML Document; legend: Malicious, Not Malicious, Not Rated)
- The malicious, not malicious, and not rated file counts are indicated using different colors.
- To hide the malicious or not malicious files, click the corresponding severity level in the legend.
- Move the mouse over a particular block in the chart to view the number of files that make up that block.
This monitor has drill-down capabilities. Once you click a particular block, Advanced Threat Defense takes you to the Analysis Results page, displaying the records sorted as per the chosen block.
Profile Usage
This monitor shows the number of times each analyzer profile has been used for analyzing files.
Analyzer Profile | No. of Files
File type not supported | 5
StaticAnalysis | 10
android | 1
winvsplx64 | 1
winXPsp3 | 70
Figure 8.18 Analyzer Profile Usage monitor
38. download it as a file to your client computer. The contents of the report are the same in both methods.
- To view the Disassembly Results report in the Advanced Threat Defense web application, select Analysis | Analysis Results. In the Analysis Results page, click the icon and select Disassembly Results. To use this option, you must have enabled the Disassembly Results option in the corresponding analyzer profile.
- To download the report as a file, click the icon in the Analysis Results page and select Complete Results. Download the <sample_name>.zip file. This zip file contains a file named <file name>_detail.asm in the AnalysisLog folder. The Zip Report contains this asm file regardless of whether you have enabled the Disassembly Results option in the corresponding analyzer profile.
The Disassembly Results report provides the assembler instructions along with any static standard library call names (like printf) and Windows system DLL API call names embedded in the listing. If global variables such as string text are referenced in the code, these string texts are also listed.
Table 8.10 A section of a sample Disassembly Results report
Column 1 | Column 2 | Column 3
00401010 | e8 1f2c0000 | call 00403c34 ; Call URLDownloadToFileA
The virtual address of the instruction is shown in column 1, the binary instruction in column 2, and the assembly instruction with comments in column 3. In the preceding example, the call 00403c34 instructi
39. full for full duplex.
Example: set intfport 1 speed 100 duplex full
set IPAddressSwap
When you submit samples for analysis through NSP, the source and destination IP information is swapped for the submitted samples. To reverse this aberration caused by NSP, McAfee Advanced Threat Defense enables the set IPAddressSwap command. This command nullifies the swap effect of NSP and displays the correct source and destination IP information for samples submitted through NSP. However, for samples submitted from NGFW to McAfee Advanced Threat Defense, the source and destination IP information is displayed correctly. Hence, based on preference, the user can use the following command to enable or disable IPAddressSwap.
Syntax: set IPAddressSwap <enable>|<disable>
By default, set IPAddressSwap is enabled.
Example: set IPAddressSwap enable
See also: show IPAddressSwap
set malware intfport
Configure the required port to route Internet traffic from an analyzer VM. Before you run this command, make sure that the required port is enabled and configured with an IP address.
Syntax: set malware intfport <1>|<2>|<3> gateway A.B.C.D
Example: set malware intfport 1 10.10.10.252
Run show intfport 1 and verify the Malware Interface Port and Malware Gateway entries. M
40. select Click here to accept the Microsoft Software License Terms and click Continue.
Create a VMDK file for Windows 2008 Server (continued)
Step 42: To analyze PDF files, download Adobe Reader to the native host and copy it to the VM. This procedure uses Adobe Reader 9.0 as an example.
1. Install Adobe Reader 9.0 in the VM.
2. Open Adobe Reader and click Accept.
41. Figure 8.8 Status of files submitted for analysis
If you do not have admin permissions, only those files that you submitted are listed. A user with admin permissions can view the samples submitted by all users.
Note: Click Export CSV to export the status of completed files locally in CSV format.
2. Specify the criteria for viewing and refreshing the records in the Analysis Results page.
a. Set the criteria to display records in the Analysis Results page. By default, the results for the files completed in the last 24 hours are shown. You can specify these criteria based on time or number. For example, you can select to view the files for which the analysis was completed in the last 5 minutes or for the last 100 completed files.
b. Set the frequency at which the Analysis Results page must refresh itself. The default refresh interval is 1 minute.
c. To refresh the Analysis Results page now, click the refresh icon.
View the analysis results
Table 8.6 Column definitions Co
42. 1. Under <Microsoft Office Application> | File | Options | Trust Center | Trusted Locations, select the desired Path under User Locations, click Subfolders of this location are also trusted, and click OK.
(Trust Center screenshot: Trusted Locations, listing the Word 2010 default User Templates, Application Templates, and StartUp locations under User Locations; the Microsoft Office Trusted Location dialog shows Path, Description, Date and Time Created, and the Subfolders of this location are also trusted check box.)
43. Figure 4.2 Select the required column names
3. To sort the user records list based on a particular column name, click the column heading. You can sort the records in ascending or descending order. Alternatively, move the mouse over the right corner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending.
4. To view the complete details of a specific user, select the record and click Edit.
Add users
If you have the admin user role, you can create the following types of users:
- Users with the admin role in the McAfee Advanced Threat Defense web application
- Non-admin users in the McAfee Advanced Threat Defense web application
- Users with access to the FTP server hosted on the McAfee Advanced Threat Defense Appliance
- Users with access to the RESTful APIs of the McAfee Advanced Threat Defense web application
Task
1. Select Manage | User Management | New. The User Management page is displayed.
(User Management screenshot: User Credentials with Password Rules: minimum 8 characters long, at least 1 uppercase character, at least 1 number, at least 1 special character, cannot be the same as the username; User Type: STAND_ALONE.)
44. 3. Locate .pdf and double-click it. Choose Adobe Reader 9.0 as the default PDF reader.
Step 46: To analyze JAR files, download and install Java Runtime Environment:
1. Go to https://community.mcafee.com/docs/DOC-6858.
2. Refer to Java installation guidance.docx.
Create a VMDK file for Windows 8 (continued)
Step 47: Open Java in Control Panel.
Step 48: In the Update tab, deselect Check for Updates Automatically.
Step 49: In the Java Update Warning dialog, select Do Not Check, and then click OK in the Java Control Panel.
45. 5. Click OK.
Step 67: To dynamically analyze Flash files (SWF), download the required version of Adobe Flash:
1. Go to https://community.mcafee.com/docs/DOC-6859.
2. Refer to Adobe flash player installation guidance.docx.
Step 68: Shut down virtualMachineImage by selecting Start | Shut down | Shut down | OK.
Step 69: Go to the location that you provided in step 7 to find the VMDK file named virtualMachineImage-flat.vmdk.
Create a VMDK file for Windows 7
Before you begin
- Download VMware Workstation 9.0 or above from http://www.vmware.com/products/workstation/workstation-evaluation and install it.
- Make sure that you have the ISO image of Windows 7 SP1 (32- or 64-bit) for which you need to create the VMDK file. Windows Enterprise edition and Windows Professional are supported.
- Make sure you have the license key for the operating system.
Use this procedure to create VMDK files from an ISO image of Windows 7 SP1 (32- or 64-bit).
Step 1: Start VMware Workstation. This procedure uses VMware Workstation 10 as an example.
Step 2: In the VMware Workstation page, select File | New Virtual Machine.
46. Contents (continued)
Upgrade ATD software from 3.4.8 to higher 50
Upgrade the Android analyzer VM 52
View the Upgrade log 55
Troubleshooting
Export Advanced Threat Defense logs
Recreate the analyzer VMs 57
Delete the analysis results
Back up and restore the Advanced Threat Defense
Schedule a database backup
Restore a database backup: Specific backup file
Restore a database backup: Previous backup file 64
Creating analyzer VM 67
Create a VMDK file for Windows XP 74
Create a VMDK file for Windows 2003 Server 101
Create a VMDK file for Windows 7 131
Create a VMDK file for Windows 2008 Server 156
Create a VMDK file for Windows 8
Import a VMDK file into Advanced Threat Defense
Convert the VMDK file to an image file 219
Managing VM profiles 222
View VM profiles 223
Create VM profiles 224
Edit VM prom
47. deleteblacklist 349
deletesamplereport 349
diskcleanup 350
docfilterstatus
factorydefaults 351
filetypefilter
ftptest <USER NAME> 352
gti restart
heuristic analysis
install msu 354
ipstats 354
lowseveritystatus
nslookup
ping
quit
reboot
remove
removeSampleInwaiting
48. Application Startup Search MT Show splash sereen Security j i aah sl A Security Enhanced Use only certified plug ins Currently in Certified Mode Yes Spelling Tracker Trust Manager Units Upd ater I Enable Protected Mode at startup D Create Protected Mode log file Select Default POF Handler F Don t show messages while viewing a document View log EE Contents gt Create a VMDK file for Windows XP gt Create a VMDK file for Windows 2003 Server gt Create a VMDK file for Windows 7 gt Create a VMDK file for Windows 2008 Server gt Create a VMDK file for Windows 8 gt Import a VMDK file into Advanced Threat Defense gt Convert the VMDK file to an image file McAfee Advanced Threat Defense 3 4 8 Product Guide 73 Creating analyzer VM Create a VMDK file for Windows XP Managing VM profiles gt View the System log Create a VMDK file for Windows XP 74 Before you begin e Download VMware Workstation 9 0 or above from http www vmware com products workstation workstation evaluation and install it e Make sure you have the ISO image of Windows XP SP2 or SP3 operating system for which you need to create the VMDK file Only Windows Professional is supported e Make sure you have the license key for the operating system Table 5 2 Create a VMDK file from Windows XP SP2 or SP3 ISO image Step Details Step 1 Start the VMware Workstation This procedu
49. Clustering McAfee Advanced Threat Defense Appliances: Configuring an Advanced Threat Defense cluster (high-level steps)
3 To view the status of the files analyzed by the primary node, click Analysis Status.
4 To view the status of files analyzed by a specific secondary node, click the corresponding ATD ID. For details of the options in the Analysis Status page, see Configure the Analysis Status page on page 293.
Monitor analysis results for an Advanced Threat Defense cluster
The Analysis Results page of the primary node displays the analysis results for files analyzed by each node. In a secondary node, only those files analyzed by that secondary node are displayed. Similar to a standalone Advanced Threat Defense, you can view the results of samples that you submitted. If you have admin rights, you can view the results for samples submitted by any user.
Task
1 Log on as the admin user in one of the nodes of the Advanced Threat Defense cluster.
2 Select Analysis | Analysis Results. The Analysis Results node expands to display the secondary nodes of the cluster. Analysis Results corresponds to the primary node; the secondary nodes are listed under Analysis Results with their ATD ID and their management port IP address. (Screenshot: the Analysis menu showing Analysis Status, Analysis Results, ATD Id 2, ATD Id 3, and Manual Upload.)
3 To view the results of the files analyzed by the primary node, click Analysis Results.
4 To view the results of files analyzed by a speci
50. Defense is more than the threshold set, the samples submitted by McAfee Email Gateway are rejected. Follow the steps below to configure the maximum wait time for analyzing samples received from McAfee Email Gateway:
1 Go to Manage | ATD Configuration | Common Settings.
2 In the Performance Tuning area, set the threshold wait time.
McAfee Advanced Threat Defense 3.4.8 Product Guide. Configuring Advanced Threat Defense for malware analysis 6: Enable Common Criteria setting
Enable Common Criteria setting
Follow the steps below to enable Common Criteria (CC) mode in Advanced Threat Defense.
Task
1 Go to Manage | Configuration | Common Criteria and select Enable Logging. Enter the appropriate information in the respective fields.
2 In the Off-box system log area, enter the appropriate information in the respective fields.
Option name: Definition
IP Address: IP address of the syslog server.
Port: Listening port number for the syslog server. The default port is 6514.
Protocol: Select TCP (TLS Encryption) from the drop-down list.
Certificate File: Upload a valid certificate in PEM/CRT format.
Note: The certificate uploaded for Syslog Setting is validated against key length, signature algorithm, and expiry date. In case of a problem with the certificate, Advanced Threat Defense displays an error message.
3 In the Logging Features area, make sure Audit Log is checked. By default, Audit Log is enabled.
4 Click Submit.
5 Make sure FIPS mode is en
51. (Screenshot: New Virtual Machine Wizard, Installer disc image file selected. The wizard reports: "Could not detect which operating system is in this disc image. You will need to specify which operating system will be installed." and "The virtual machine will be created with a blank hard disk.")
McAfee Advanced Threat Defense 3.4.8 Product Guide 103, 104. Creating analyzer VM: Create a VMDK file for Windows 2003 Server
Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 6: In the Select a Guest Operating System window, select the corresponding version. (Screenshot: Guest operating system Microsoft Windows, Version Windows Server 2003 Standard Edition.)
Step 7: Enter the information in the Name the Virtual Machine window and then click Next.
• Virtual machine name: You must enter virtualMachineImage as the name.
• Location: Browse and select the folder where you want to create the VMDK file. (Screenshot: Name the Virtual Machine page; "The default location can be changed at Edit > Preferences".)
McA
52. Microsoft Office applications, you must install the
McAfee Advanced Threat Defense 3.4.8 Product Guide. Creating analyzer VM: Create a VMDK file for Windows 7
Step 41: In the Compatibility Pack for the 2007 Office system dialog, select "Click here to accept the Microsoft Software License Terms" and click Continue. (Screenshot: Microsoft Software License Terms dialog for the Microsoft Office Compatibility Pack; "You must accept the Microsoft Software License Terms in order to continue".)
McAfee Advanced Threat Defense 3.4.8 Product Guide 151, 152. Creating analyzer VM: Create a VMDK file for Windows 7
53. PEM/CRT format using the Browse button for the Audit function. In non-CC mode, any valid certificate along with its key can be uploaded, because no check on key length or signature algorithm is performed. In CC mode, however, the key length must be 2048 bits or above, and the signature algorithm must be at least SHA256 with RSA Encryption. The default listening port for the Audit function is 6514, and the protocol used for it is TCP (TLS Encryption). The web server supports the TLS 1.0, TLS 1.1, and TLS 1.2 protocols.
3 Click Test Connection. When the "Test connection successful" message appears, click OK. If you select UDP as the Protocol from the drop-down list, the Test Connection button is disabled: UDP uses a connectionless transmission model, so the connection status cannot be verified.
4 In the Statistic to Log area, make these selections and entries as required:
• Select Analysis Results, then select a level from the Severity Level drop-down list.
• Select CPU Utilization and specify the threshold level in the respective Threshold drop-down.
• Select Memory Utilization and specify the threshold level in the respective Threshold drop-down.
• Select HDD Utilization and specify the threshold level in the respective Threshold drop-down.
• Select Interface Status to receive information regarding interface link status.
• If you want to store the logon/logoff information with a time stamp, select User Login/Logout.
• Select Audit Log to view logs for administrative actions performed on Advanced Threat Defen
54. (Screenshot: Setting Password page with Password Minimum Characters set to 8 and a Submit button; Reset System User's Password with a Reset Password button.)
Configure Telemetry
The Telemetry feature allows Advanced Threat Defense to collect data about malware and subsequently send the respective reports to the McAfee GTI server. The feature also allows Advanced Threat Defense to collect data about the Advanced Threat Defense Appliance. Broadly, the data captured by Advanced Threat Defense can be classified into the following two categories:
• Telemetry data for McAfee GTI (McAfee Labs): McAfee Labs requires analysis results from Advanced Threat Defense as telemetry to update its databases in order to categorize the samples (malware) that were analyzed by Advanced Threat Defense. The telemetry data contains various information related to the samples analyzed. The data collected for McAfee Labs is as follows:
  SHA-1 of sample
  SHA-256 of sample
  MD5 hash value of sample
  Advanced Threat Defense detection score
  Digital signature data from sample
  Parent metadata corresponding to dropped files
  Advanced Threat Defense product information
  Advanced Threat Defense analyzing option scores
  URL visited by file
  IPv4 address visited by file
  Product version that the sample belongs to
  Publisher name of the sample
  Product name that the sample belongs to
  File version of the sample
  OS name and OS version on which the file was found
• Telemetry data for the Adva
55. (Screenshot: Submit and Download MIB Files buttons.)
4 Click Submit. The "SNMP setting has been saved successfully" message is displayed. All the associated MIB files of the respective entities or objects can be downloaded locally by clicking Download MIB Files.
Integration with McAfee Next Generation Firewall
McAfee Next Generation Firewall integrates security features with high availability and manageability. It integrates application control, Intrusion Prevention System (IPS), and evasion prevention into a single affordable solution. The following steps should be performed by the McAfee Next Generation Firewall customer to integrate McAfee Next Generation Firewall with McAfee Advanced Threat Defense:
1 Create a user called ngfw on Advanced Threat Defense after logging into Advanced Threat Defense as admin. This user has the same privileges as the nsp user.
2 Restart amas from the CLI.
3 Use the ngfw user on SCM to make REST API calls. There is no change to the existing SOFA protocol for file submission. Because a user called ngfw exists, all file submissions via the SOFA channel are assumed to come from McAfee NGFW appliances.
Configure proxy servers for Internet connectivity
Advanced Threat Defense connects to different proxy servers for Internet connectivity. Based on the source of the traffic, Advanced Threat Defense determines the proxy server through which the Internet access requests from that traffic have to be routed.
254 McAfee Advanced
56. • The Advanced Threat Defense software in the active or backup disk.
• The log files and diagnostic files.
• The information pertaining to the network in which the Advanced Threat Defense Appliance is present, that is, the appliance IP, subnet mask, gateway, appliance name (if any), and so on.
Schedule a database backup
You can schedule automatic backups at a daily, weekly, or monthly frequency. The time taken for the backup process to complete is usually a few minutes; however, it varies based on the size of the data involved. McAfee recommends that you choose a time when the analysis load on Advanced Threat Defense is likely to be low.
Before you begin
• You must be the admin user in the Advanced Threat Defense web application.
• You must have a configured FTP server for storing the backups, and you must know the directory in which you want to store the backups.
• You must have the IPv4 address of the FTP server, the user name, and the password for Advanced Threat Defense to access that FTP server. A password can contain only the following special characters: Q. Also, the user name must have write access to the directory that you plan to use.
• Communication over SFTP or FTP must be possible between Advanced Threat Defense and the FTP server.
Because the backup feature is configurable for the admin user only, the FTP server settings in the Backup Scheduler Setting page and the FTP Result Output settings on the User Managemen
57. The description of the characteristics of the analyzer profile.
OS Name: Corresponds to the name of the VM profile specified in the analyzer profile. Shows Automatically Select OS if you have selected the Automatically Select OS option in the analyzer profile.
2 Hide the unneeded columns:
a Move the mouse over the right corner of a column heading and click the drop-down arrow.
b Select Columns.
c Select only the required column names from the list. You can click a column heading and drag it to the required position.
McAfee Advanced Threat Defense 3.4.8 Product Guide 239. 6 Configuring Advanced Threat Defense for malware analysis: Managing analyzer profiles
3 To sort the records based on a particular column, click the column heading. You can sort the records in ascending or descending order. Alternatively, move the mouse over the right corner of a column heading, click the drop-down arrow, and then select Sort Ascending or Sort Descending.
4 To view the complete details of a specific analyzer profile, select the record and click View.
Create analyzer profiles
Before you begin
• If you intend to select the dynamic analysis option in the analyzer profile, make sure that you have created the required VM profile. VM profiles are also required if you want to use the Automatically Select OS option.
• If you want to enable Internet access for samples, you need admin user privileges.
240 McAfee Advance
58. Threat Defense Appliance name can be an alphanumeric character string of up to 25 characters. The string must begin with a letter and can include hyphens, underscores, and periods, but not spaces.
To set the management port IP address and subnet mask of the Advanced Threat Defense Appliance, type:
set appliance ip <A.B.C.D> <E.F.G.H>
Specify a 32-bit address written as four eight-bit numbers separated by periods, as in <A.B.C.D>, where A, B, C, or D is an eight-bit number between 0 and 255. <E.F.G.H> represents the subnet mask.
Example: set appliance ip 10.34.2.8 255.255.255.0
The Advanced Threat Defense Appliance must not be assigned the following three class C network IP addresses:
• 192.168.50.0/24
• 192.168.55.0/24
• [illegible in the source]
Note: After you set the IP address the first time, or when you modify the IP address, you must restart the Advanced Threat Defense Appliance.
Set the address of the default gateway:
set appliance gateway <A.B.C.D>
Use the same convention as for the set appliance ip command.
Example: set appliance gateway 12.34.2.1
McAfee Advanced Threat Defense 3.4.8 Product Guide. Setting up the Advanced Threat Defense Appliance 2: Setting up Advanced Threat Defense
8 Set the port speed and duplex settings for the management port using one of the following commands:
• set mgmtport auto: Sets the management port to auto mode for speed and duplex.
• set mgmtport speed 10|100 dup
59. VMDK file for Windows 8
Step 34: In the Automatically sign in pop-up window, complete the following and then press OK in the message boxes:
• Username: Enter Administrator
• Password: Enter cr cker42
• Confirm Password: Enter cr cker42
(Screenshot: User Accounts dialog. "You can set up your computer so that users do not have to type a user name and password to sign in. To do this, specify a user that will be automatically signed in below." with User name, Password, and Confirm Password fields.)
Step 35: Download Sigcheck onto your computer (the native host) from http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx. The VM that you created has the Windows Firewall switched off, and there is no anti-virus installed on it. Therefore, it is recommended that you download the programs and components onto the native host first and then copy them to the VM in VMware Workstation.
Step 36: Extract sigcheck.zip to the C:\WINDOWS\system32 location. (Screenshot: Select a Destination and Extract Files; "Files will be extracted to this folder: C:\Windows\System32"; "Show extracted files when complete".)
Step 37: In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe. (Screenshot: Windows Explorer showing sigcheck.exe in System32.)
60. (Screenshot: New Virtual Machine Wizard, Specify Disk Capacity. "Allocating the full capacity can enhance performance but requires all of the physical disk space to be available right now. If you do not allocate all the space now, the virtual disk starts small and grows as you add data to it." Split virtual disk into multiple files: "Splitting the disk makes it easier to move the virtual machine to another computer.")
188 McAfee Advanced Threat Defense 3.4.8 Product Guide. Creating analyzer VM 5: Create a VMDK file for Windows 8
Step 16: In the Specify Disk File window, make sure virtualMachineImage.vmdk is displayed by default and click Next. If you specified a different name for the Virtual Machine name, that name is displayed here. (Screenshot: Specify Disk File. "Where would you like to store the disk file?" One disk file will be created using the file name provided here: virtualMachineImage.vmdk.)
McAfee Advanced Threat Defense 3.4.8 Product Guide 189. 5 Creating analyzer VM: Create a VMDK file for Windows 8
Step 17: Complete the following in the Ready to Create Virtual Machine window:
• Power on this virtual machine after creation: Select this option.
• Click Finish. This step might take around 30 minutes to complete.
(Screenshot: Ready to Create Virtual Machine. "Click Finish to create the virtual machine and start installi
61. (Screenshot: New Virtual Machine Wizard, Name the Virtual Machine. Virtual machine name: virtualMachineImage; Location; "The default location can be changed at Edit > Preferences".)
McAfee Advanced Threat Defense 3.4.8 Product Guide 77, 78. Creating analyzer VM: Create a VMDK file for Windows XP
Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 9: In the Processor Configuration window, leave the default values and click Next. (Screenshot: Processor Configuration with Number of processors, Number of cores per processor, and Total processor cores.)
Step 10: In the Memory for the Virtual Machine window, set 1024 MB as the memory. (Screenshot: Memory for the Virtual Machine. "Specify the amount of memory allocated to this virtual machine. The memory size must be a multiple of 4 MB." Memory for this virtual machine: 1024 MB.)
McAfee Advanced Threat Defense 3.4.8 Product Guide. Creating analyzer VM: Create a VMDK file for Windows XP
Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 11
62. analysis. A progress page informs your users that the requested file is being analyzed for malware. Based on the malware severity level reported by McAfee Advanced Threat Defense, McAfee Web Gateway determines whether the file is allowed or blocked. If it is blocked, the reasons are displayed for your users. You can view the details of the malware that was detected in the log file.
Figure 1-4 Integration with McAfee Web Gateway (diagram: your network requests a web object; McAfee Web Gateway forwards the request, receives the object in response, passes the object on to Advanced Threat Defense for scanning, receives the scanning result, and allows or blocks access to the object.)
This design ensures that only those files that require in-depth analysis are sent to McAfee Advanced Threat Defense. This balances your users' experience in terms of download speed and security. For information on how to integrate McAfee Advanced Threat Defense and McAfee Web Gateway, see the McAfee Web Gateway Product Guide, version 7.4.
Integration with McAfee ePolicy Orchestrator (McAfee ePO)
This integration enables McAfee Advanced Threat Defense to retrieve information regarding the target host. Knowing the operating system on the target host enables it to select a similar virtual environment for dynamic analysis.
Integration with McAfee Next Generation Firewall (McAfee NGFW)
McAfee Next Generation Firewall integrates security features with high availab
63. and the user record for McAfee Web Gateway.
Task
1 Select Manage | User Management. The current list of users is displayed.
McAfee Advanced Threat Defense 3.4.8 Product Guide. 3 Managing Advanced Threat Defense: Monitoring the Advanced Threat Defense performance
2 Select the required user record and click Delete.
3 Click Yes to confirm deletion.
Monitoring the Advanced Threat Defense performance
You can use the following options to monitor the performance of Advanced Threat Defense:
• Use the monitors on the Advanced Threat Defense dashboard to continuously monitor the performance. See Advanced Threat Defense performance monitors on page 317.
• Use the status command in the Advanced Threat Defense Appliance CLI. See CLI commands for McAfee Advanced Threat Defense on page 6.
Upgrade Advanced Threat Defense and Android VM
This section provides information on how to upgrade the Advanced Threat Defense version as well as the Android version for the default Android analyzer VM. We strongly recommend that you upgrade your Advanced Threat Defense software to 3.4.2.32 or a later version. The following are the upgrade paths to upgrade Advanced Threat Defense software to 3.4.8:
• If the current version is below 3.4.2.32 and you want to upgrade to 3.4.8, first upgrade Advanced Threat Defense to 3.4.2.32 or above and then upgrade to 3.4.8.
• If the current version is 3.4.2.32, you can directly upgrade to 3.4.8. See Upgrade ATD so
64. any other node in the cluster. Advanced Threat Defense determines the wait time for a submitted sample before it gets picked for analysis. The wait time is calculated based on the current sample analysis rate of the nodes. For samples submitted through MEG, a threshold wait time of 780 seconds is allotted. Advanced Threat Defense rejects all incoming samples from MEG until the wait time drops below this threshold value.
How the Advanced Threat Defense cluster works
Recall that when you cluster Advanced Threat Defense Appliances, the primary node acts as the template and control center for the entire cluster. After you define the cluster, you use the primary node to manage the configuration for the cluster.
Note: The backup node behaves as a secondary node for all configuration processes.
For the sake of explanation, the entire Advanced Threat Defense configuration can be classified as follows:
• Synchronized configuration: Certain configurations can only be done using the primary node. When you save these configurations, the primary node sends a snapshot of its current configuration as a file to all secondary nodes. The secondaries save these settings in their database. This synchronization process does not affect the file analysis capabilities of an Advanced Threat Defense Appliance. The primary node has the latest version of the configuration file. If the version of the configuration file does not match between the primary and a s
65. as opposed to a less burdened node. The primary node transfers files to be analyzed by the secondary node through the eth-0 interface and uses the same interface to retrieve results. When cluster configuration changes are made using the primary node, they are synchronized across the secondary nodes and the backup node through the eth-0 interface. In this example, eth-1 is used to provide network access to malware running on the analyzer VMs. This isolates the network traffic generated by malware from the production network to which the eth-0 interfaces are connected.
A local database is maintained at the primary node that lists the MD5 hash value, along with the corresponding node ID, of the samples blacklisted by Advanced Threat Defense. The node ID is the primary identifier of the node that processes a particular sample. Whenever a sample is submitted to Advanced Threat Defense, the primary node looks for an existing entry for this sample in this database. If the MD5 hash value of a sample matches an existing one in the database, this previously blacklisted sample is sent to the node identified by the sample's node ID.
McAfee Advanced Threat Defense 3.4.8 Product Guide. Clustering McAfee Advanced Threat Defense Appliances 9: How the Advanced Threat Defense cluster works
This approach ensures that every previously submitted blacklisted sample reaches the node that analyzed it earlier, hence avoiding re-analysis of the blacklisted samples by
66. breaks away from the cluster after upgrade.
Syslog events for Load Balancing
Syslog events are generated for state transitions of the Primary/Backup nodes. These events are generated at 5-minute intervals once the state has changed. Below is a sample output for the syslog event generated when the state of a Primary/Backup node changes from Active to Health Bad and vice versa:
Dec 13 02:20:01 MATDMTC1U-014 ATD2ESM[771]: LB Alert: ATD IP: 10.213.248.14, Timestamp: 2014-12-13 10:17:39, Old State: ACTIVE, New State: HEALTH_BAD
Dec 13 10:00:02 MATDMIC1U-014 ATD2ESM[23873]: LB Alert: ATD IP: [illegible in the source], Timestamp: 2014-12-13 17:30:37, Old State: HEALTH_BAD, New State: ACTIVE
Similarly, syslog events are generated for the following scenarios:
• When the Load Balancing services status of the Primary/Backup node changes (Down/Up).
• When the Load Balancing node state changes from Active to Down and vice versa.
• When there is a configuration mismatch between the Backup node and the Primary node.
• When there is a software version mismatch between the Backup node and the Primary node.
How to destroy an Advanced Threat Defense cluster
The section below deals with the procedures to destroy a cluster in the following scenarios:
• Primary is active: To destroy the cluster when the primary node is active, the administrator logs on to the Load Balancing page of Advanced Threat Defense and removes (withdraws) all other nodes (Backup, Secondary) one by one. Once all the node
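The parser below is an added example, not part of the guide or its software: it extracts these LB Alert events from syslog text, collapses the 5-minute repeats of one transition, replays the transitions to find nodes currently in HEALTH_BAD or DOWN, and flags gaps in the event stream. The sample lines, hostnames and addresses are constructed, and the colon/comma layout of the message fields is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order (ATD IP, Timestamp, Old State, New State) follows the guide's sample;
# the colon and comma separators are an assumption made for this example.
LB_ALERT_RE = re.compile(
    r"LB Alert: ATD IP: (?P<ip>[0-9.]+), "
    r"Timestamp: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"Old State: (?P<old>[A-Z_]+), New State: (?P<new>[A-Z_]+)"
)

# States in which a node can no longer take part in load balancing.
DEGRADED_STATES = {"HEALTH_BAD", "DOWN"}

# Constructed sample input (hostnames, PIDs and addresses are made up): the first
# event is repeated once, as the guide says happens every 5 minutes after a change.
SAMPLE_SYSLOG = """\
Dec 13 02:20:01 atd-primary ATD2ESM[771]: LB Alert: ATD IP: 10.213.248.14, Timestamp: 2014-12-13 10:17:39, Old State: ACTIVE, New State: HEALTH_BAD
Dec 13 02:25:01 atd-primary ATD2ESM[771]: LB Alert: ATD IP: 10.213.248.14, Timestamp: 2014-12-13 10:17:39, Old State: ACTIVE, New State: HEALTH_BAD
Dec 13 10:00:02 atd-primary ATD2ESM[23873]: LB Alert: ATD IP: 10.213.248.14, Timestamp: 2014-12-13 17:30:37, Old State: HEALTH_BAD, New State: ACTIVE
Dec 13 11:00:02 atd-backup ATD2ESM[4242]: LB Alert: ATD IP: 10.213.248.15, Timestamp: 2014-12-13 18:30:00, Old State: ACTIVE, New State: DOWN
Dec 13 11:05:02 atd-backup sshd[99]: Accepted password for admin from 10.0.0.5
"""


@dataclass(frozen=True)
class LbAlert:
    ip: str   # management address of the node whose state changed
    ts: str   # time of the state change, not the time the repeat was emitted
    old: str
    new: str


def parse_lb_alert(line: str) -> Optional[LbAlert]:
    """Return the LB Alert carried by one syslog line, or None for unrelated events."""
    m = LB_ALERT_RE.search(line)
    if m is None:
        return None
    return LbAlert(m["ip"], m["ts"], m["old"], m["new"])


def parse_syslog(text: str) -> List[LbAlert]:
    """Extract every LB Alert from a block of syslog text, skipping other lines."""
    alerts = []
    for line in text.splitlines():
        alert = parse_lb_alert(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def dedupe(alerts: List[LbAlert]) -> List[LbAlert]:
    """Collapse the periodic repeats of one state change into a single record.

    Repeats carry the same Timestamp and states, so identical tuples are one
    transition (an assumption based on the guide's description of the repeats).
    """
    seen = set()
    unique = []
    for alert in alerts:
        if alert not in seen:
            seen.add(alert)
            unique.append(alert)
    return unique


def current_states(alerts: List[LbAlert]) -> Dict[str, str]:
    """Replay the transitions in Timestamp order and return the latest state per node."""
    state: Dict[str, str] = {}
    for alert in sorted(alerts, key=lambda a: a.ts):
        state[alert.ip] = alert.new
    return state


def degraded_nodes(alerts: List[LbAlert]) -> Dict[str, str]:
    """Nodes whose most recent state is HEALTH_BAD or DOWN: the ones to investigate."""
    return {ip: s for ip, s in current_states(alerts).items() if s in DEGRADED_STATES}


def transition_gaps(alerts: List[LbAlert]) -> List[Tuple[str, str, str]]:
    """Find events whose Old State disagrees with the last state seen for that node.

    Run on deduplicated alerts. A mismatch means an event never reached the SIEM
    receiver; returns (ip, last known state, Old State reported) tuples.
    """
    gaps = []
    last: Dict[str, str] = {}
    for alert in sorted(alerts, key=lambda a: a.ts):
        if alert.ip in last and last[alert.ip] != alert.old:
            gaps.append((alert.ip, last[alert.ip], alert.old))
        last[alert.ip] = alert.new
    return gaps


if __name__ == "__main__":
    events = dedupe(parse_syslog(SAMPLE_SYSLOG))
    print("nodes needing attention:", degraded_nodes(events))
    print("gaps in the event stream:", transition_gaps(events))
```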
67. checks whether analysis results are already available for a file based on its MD5 hash value. If yes, it provides the available result to Network Security Manager instead of re-analyzing the file. The same result is displayed in Advanced Threat Defense as well. The re-analysis function applies to all file types supported by Sensors, whereas the heuristic filter applies only to PDF files submitted by Sensors.
The set heuristic analysis command displays the "configuration setting re-analysis OFF" message. This message is applicable only if Advanced Threat Defense is integrated with Network Security Platform devices. If you integrate Advanced Threat Defense with non-NSP devices, you can safely ignore this message.
Use the set command to enable or disable heuristic analysis for files submitted by a Sensor.
Syntax: set heuristic analysis <enable>
Syntax: set heuristic analysis <disable>
http_redirect
The http_redirect command can be used to enable or disable the redirection of HTTP requests to HTTPS in the browser. Secure access to the Advanced Threat Defense Appliance is ignored when http_redirect is disabled.
Syntax: set http_redirect
McAfee Advanced Threat Defense 3.4.8 Product Guide 353, 354. 10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands
The HTTP to HTTPS redirection can be either enabled or disabled using this command. Any sample submitted during the command execution is rejected as igh
68. complete function applies to this command. You must type the command in full to execute it. This command has no parameters.
• You are warned that the operation will clear the McAfee Advanced Threat Defense Appliance, and you must confirm the action. The warning occurs because the McAfee Advanced Threat Defense Appliance returns to its clean pre-configured state, thus losing all current configuration settings in both the active and backup disks. Once you confirm, this command immediately clears all your configuration settings, including samples, results, logs, and analyzer VM images, in both the active and backup disks.
• The current software version in the backup disk is applied to the active disk.
Syntax: factorydefaults
filetypefilter
Use this command if you want Advanced Threat Defense to consider the file based on the extension the file carries, and not only by the file header, before sending it for dynamic analysis.
McAfee Advanced Threat Defense 3.4.8 Product Guide 351. 10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands
Syntax: filetypefilter <enable> <disable> <status>
Parameter: Description
status: Displays whether the filetypefilter feature is currently enabled or disabled. By default, it is disabled.
enable: Sets the sample filtering on. When it is enabled, Advanced Threat Defense considers the following supported file types for analysis: 7z, ace, apk, arj, bat, cab, cgi, chm, cla
69. computer. Do not use a network connection. (Screenshot: Network Type page with Help, Back, and Next buttons.)
Step 12: In the Select I/O Controller Types page, leave the default selection. (Screenshot: Select I/O Controller Types. "Which SCSI controller type would you like to use?" I/O controller types, SCSI Controller: BusLogic (Not available for 64-bit guests).)
McAfee Advanced Threat Defense 3.4.8 Product Guide 161. 5 Creating analyzer VM: Create a VMDK file for Windows 2008 Server
Step 13: In the Select a Disk Type page, select IDE and click Next, as SCSI disks are not compatible with Advanced Threat Defense. (Screenshot: Select a Disk Type. "What kind of disk do you want to create?" Virtual disk type: IDE, SCSI, SATA (Not supported on Workstation 9.0).)
Step 14: In the Select a Disk window, select Create a new virtual disk and click Next. (Screenshot: Select a Disk. "Which disk do you want to use?" Create a new virtual disk: "A virtual disk is composed of one or more files on the host file system, which will appear as a single hard disk to the guest operating system. Virtual disks can easily be copied or moved on the same host or between hosts." Use an existing virtual disk: "Choose this option to reuse a previously configured disk." Use a physical disk (for advanced users): "Choose this option to give the virtual machine direct access t
71. • CPU Utilization
• User Login/Logout
• Memory Utilization
• Audit Log
• HDD Utilization
• HTTPS Session Log
Once the user-defined threshold limit is exceeded for CPU Utilization, Memory Utilization, or HDD Utilization, syslog events are generated and sent to the SIEM receiver. The minimum supported threshold level is 30 percent and the maximum is 90 percent. By default, the threshold percentage displayed under the Syslog Setting page is 75. Whenever the interface link goes down or comes up, syslog events are generated and sent to the SIEM receiver. Analysis results and logon/logoff events are also sent to the SIEM receiver. After syslog events are generated and sent to the SIEM receiver, the information is parsed and sent to ESM. The summary is then displayed on the ESM user interface. The SIEM receiver and ESM can be on separate appliances or can be together in a virtual environment.
Task
1 Select Manage | Configuration | Syslog Setting.
McAfee Advanced Threat Defense 3.4.8 Product Guide 257, 258. Configuring Advanced Threat Defense for malware analysis: Configure Syslog Setting
2 In the Off-box system log area, make these selections and entries:
• Select Enable.
• IP Address: IP address of the syslog server.
• Port: Listening port number for the syslog server. The default is 514.
• Protocol: Select a protocol from the drop-down list. The default protocol used for the Audit function is TCP (TLS Encryption).
• Certificate File: Upload a valid certificate in
72. 4 Close the Windows Defender message box. (Message: "Windows Defender has been turned off and isn't monitoring your computer. If you're using another app to check for malicious or unwanted software, use Action Center to check that app's status.")
194 McAfee Advanced Threat Defense 3.4.8 Product Guide. Creating analyzer VM 5: Create a VMDK file for Windows 8
Step 24: Disable the first sign-in animation.
1 Press the Windows key and R simultaneously, which is the shortcut to open the Run dialog box.
2 In the Run dialog box, enter gpedit.msc and press Enter. The Local Group Policy Editor opens. (Screenshot: Local Group Policy Editor.)
3 Select Computer Configuration | Administrative Templates | System | Logon, and then open Show first sign-in animation. (Screenshot: Local Group Policy Editor with the Logon node selected and the Show first sign-in animation policy listed.)
73. (Display Shutdown Event Tracker policy, continued)
3 Select Disabled and click OK.
4 Close the Group Policy Object Editor window.
Step 30: Complete the following steps only for Windows Server 2003 SP1. For Windows Server 2003 SP2 you must not execute this step.
1 Go to http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=899260&kbln=en-us and install the hotfix corresponding to your version of Windows Server 2003.
2 Restart the computer.
3 In the Windows command prompt, enter tlntsvr /service and press Enter.
Creating analyzer VM: Create a VMDK file for Windows 2003 Server, Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 31: In the virtualMachineImage, select Start | Control Panel | Windows Firewall and turn the firewall Off.
74. environment is not available, or if the required analyzer VM is not available, Advanced Threat Defense uses this VM to dynamically analyze the file.
Maximum Licenses: Enter the number of concurrent user licenses that you possess. You must factor in the operating system as well as the applications in the image file. Consider an image file that is a Windows 7 machine with Microsoft Office installed. If you have 3 concurrent licenses for Windows 7 and 2 for Microsoft Office, you must enter 2 as the maximum licenses, because every concurrent VM consumes one license of each component. This is one of the factors that determine the number of concurrent analyzer VMs that Advanced Threat Defense creates from the image file. The maximum number of analyzer VMs supported on an ATD-3000 is 30 and on an ATD-6000 it is 60. That is, the cumulative value of Maximum Licenses across all VM profiles must not exceed 30 for an ATD-3000 and 60 for an ATD-6000, including the default Android analyzer VM. So you can have up to 29 licenses for Windows analyzer VMs on an ATD-3000 and 59 on an ATD-6000.
Save: Creates the VM profile record with the information you provided. When you click Save, the VM creation starts in the background as a daemon, and the VM profile is listed on the VM Profile page. Even if the newly created VM profile is listed on the VM Profile page, it might take 10-15 minutes before the analyzer VM and VM profile are ready for use.
Cancel: Closes the VM Profile page withou
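The Maximum Licenses rule above is easy to get wrong when several VM profiles share one appliance, so here is an added example (not code from the product guide or from McAfee) that computes the effective value for each profile and checks the cumulative cap, including the slot taken by the default Android VM. The profile names and license counts are constructed; the per-model caps are the ones the guide states.

```python
# Added example (not from the McAfee product guide): computes the effective
# "Maximum Licenses" value for a VM profile and checks the cumulative cap.
# Profile names and license counts are constructed for illustration.
from dataclasses import dataclass

# Per-model cap on concurrent analyzer VMs, as stated in the guide.
MODEL_VM_CAP = {"ATD-3000": 30, "ATD-6000": 60}
# The default Android analyzer VM always consumes one of those slots.
DEFAULT_ANDROID_VMS = 1


@dataclass
class VMProfile:
    name: str
    # Concurrent licenses held for each component of the image: the OS plus
    # every licensed application installed in it, e.g. {"Windows 7": 3, "Office": 2}.
    licenses: dict

    def max_licenses(self) -> int:
        """Effective Maximum Licenses: every concurrent VM needs one license of
        *each* component, so the scarcest component is the limit."""
        if not self.licenses:
            raise ValueError(f"{self.name}: no licensed components listed")
        return min(self.licenses.values())


def check_cluster_capacity(model: str, profiles: list) -> dict:
    """Sum the Windows profiles, add the Android VM, and compare with the cap."""
    cap = MODEL_VM_CAP[model]
    windows_vms = sum(p.max_licenses() for p in profiles)
    total = windows_vms + DEFAULT_ANDROID_VMS
    return {
        "model": model,
        "cap": cap,
        "windows_vms": windows_vms,
        "total_vms": total,
        "ok": total <= cap,
        "headroom": cap - total,   # negative means the Save will over-commit the appliance
    }


# Constructed sample data: the guide's own Windows 7 + Office case, plus a
# second profile that pushes an ATD-3000 one VM over its limit.
office_profile = VMProfile("win7-office", {"Windows 7": 3, "Microsoft Office": 2})
bare_profile = VMProfile("win7-bare", {"Windows 7": 28})

if __name__ == "__main__":
    print(office_profile.max_licenses())                                   # 2
    print(check_cluster_capacity("ATD-3000", [office_profile, bare_profile]))
    print(check_cluster_capacity("ATD-6000", [office_profile, bare_profile]))
```

Run the check before clicking Save on a new VM profile: a negative headroom means the appliance will try to create more analyzer VMs than the model supports.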
75. Creating analyzer VM: Create a VMDK file for Windows 8 (continued)
Step 50: Disable jusched and reader_sl.
1 Press the Windows key and R simultaneously (the shortcut that opens the Run dialog box). In the Run dialog, enter msconfig and click OK. (The dialog notes that the task is created with administrative privileges.)
2 In the System Configuration utility, go to the Startup tab.
3 Click Open Task Manager.
4 If Java(TM) Update Scheduler (jusched) is listed, select it and click Disable.
5 If Adobe Acrobat SpeedLauncher (reader_sl) is listed, select it and click Disable.
6 In the System Configuration dialog, select Don't show this message again and click Restart. (The dialog reads: "You may need to restart your computer to apply these changes.")
76. (Run dialog: "Type the name of a program, folder, document or Internet resource and Windows will open it for you." Open: msconfig. "This task will be created with administrative privileges.")
Creating analyzer VM: Create a VMDK file for Windows 2008 Server (continued)
Step 48: In the System Configuration utility, go to the Startup tab.
Step 49: In the System Configuration dialog, select Don't show this message again and click Restart. ("You may need to restart your computer to apply these changes.")
Step 50: Open the default browser and set it up for malware analysis. This procedure uses Internet Explorer as an example.
1 Make sure the pop-up blocker is turned on. In Internet Explorer, select Tools | Pop-up Blocker | Turn on Pop-up Blocker.
77. Figure 4-9 Specific backup file (fields: User Name, Password, Full Path File Name; options: Specific backup file, Previous backup file; Restore button)
2 Select Specific backup file and enter the appropriate information in the respective fields.
Table 4-1 Restore a specific backup file
- Remote IP: The IPv4 address of the FTP server.
- Protocol: Select whether Advanced Threat Defense uses FTP or SFTP to transfer the backup file. Prefer SFTP: plain FTP sends the credentials and the database backup in cleartext.
- User Name: The user name that Advanced Threat Defense must use to access the FTP server. Make sure that this user name has write access to the specified folder.
- Password: The corresponding password.
- Full Path File Name: The complete location and file name of the previously created backup file. Restoration fails if the backup file is not available at the specified location on the backup server.
3 Click Restore.
Managing Advanced Threat Defense: Back up and restore the Advanced Threat Defense database
Restore a database backup: Previous backup file
Before you begin: Make sure that you configured the FTP IP address, directory path and user credentials on the Backup Scheduler Setting page, and that the test connection works for that configuration. You can restore a backup only from the same FTP server that you used for taking the backup. Make sure that t
78. from Sub_004017A0 to Sub_00401780. Calls to Sub_00401410 (printf), Sub_00401882 and Sub_00401320 were not executed and are shown with a red dashed line pointing at them. The Sub_00401780 subroutine makes only one unique call, as only one line comes out of its box; that call was executed during dynamic analysis.
User API Log
The User API Logs are contained in several files.
- The log file contains the Windows user-level DLL API calls made directly by the analyzed file during dynamic analysis. To view this file in the Advanced Threat Defense web application, select Analysis | Analysis Results, then click the results icon and select User API Log. Alternatively, click the icon, select Complete Results, and download the <sample_name>.zip file. This zip file contains the same information in the <sample name>.log file in the AnalysisLog folder. The log file includes:
  - A record of the complete system DLL API calling sequence.
  - An address that indicates the approximate calling address from which each DLL API call was made.
  - Optional input and output parameters and the return code for key system DLL API calls.
- The following other files contain the dynamic execution logs. All of them are in the <sample name>.zip file:
  - <sample name>_ntv.txt: contains the Windows Zw version of the native system services API calling sequence during dynamic analysis. The API name typically starts with Zw a
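The value of the User API Log is the calling sequence with its parameters and return codes, not any single API name. The guide does not print the log's exact line format, so the following is an added example (not McAfee's code, and not the real file format): it parses a constructed, simplified "address API(args) = return" layout and correlates calls by handle and address, which is how an analyst would turn the sequence into a finding. Both sample log lines and the two rules (remote-thread injection, Run-key persistence) are constructed for illustration.

```python
# Added example, not part of the product guide or McAfee's tooling. The line
# format, the sample log and the detection rules are constructed; the real
# <sample name>.log layout must be checked against an actual download.
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\w+)\((.*)\)\s*=\s*(\S+)\s*$")
# An argument is either a double-quoted string (commas allowed inside) or a bare token.
ARG_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^,\s]+')


@dataclass
class ApiCall:
    addr: str   # approximate calling address inside the sample
    api: str    # DLL export name
    args: list  # raw argument tokens; strings keep their quotes
    ret: str    # return value as logged


def parse_api_log(text: str) -> list:
    """Parse the constructed format; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, api, raw_args, ret = m.groups()
            calls.append(ApiCall(addr, api, ARG_RE.findall(raw_args), ret))
    return calls


def find_remote_injection(calls: list) -> list:
    """Correlate VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread on the
    same process handle and the same remote buffer. A bare co-occurrence of the
    three names is a far weaker signal than this handle/address match."""
    allocated, written, hits = {}, set(), []
    for c in calls:
        if c.api == "VirtualAllocEx" and c.ret.lower() not in ("0x0", "0"):
            allocated[(c.args[0], c.ret)] = c.addr           # (hProcess, remote buffer)
        elif c.api == "WriteProcessMemory" and len(c.args) >= 2:
            key = (c.args[0], c.args[1])
            if key in allocated:
                written.add(key)
        elif c.api == "CreateRemoteThread" and len(c.args) >= 4:
            key = (c.args[0], c.args[3])                    # (hProcess, lpStartAddress)
            if key in written:
                hits.append({"process_handle": key[0], "buffer": key[1],
                             "alloc_at": allocated[key], "thread_at": c.addr})
    return hits


def find_run_key_persistence(calls: list) -> list:
    """Flag RegSetValueEx* writes that follow a RegOpenKeyEx*/RegCreateKeyEx* on a
    ...\\CurrentVersion\\Run key and whose data names an executable."""
    run_key_opened, hits = False, []
    for c in calls:
        joined = " ".join(c.args).lower()
        if c.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")):
            run_key_opened = run_key_opened or "currentversion\\run" in joined
        elif c.api.startswith("RegSetValueEx") and run_key_opened and ".exe" in joined:
            data = next(a for a in c.args if ".exe" in a.lower())
            hits.append({"value": c.args[1].strip('"'), "data": data.strip('"'), "at": c.addr})
    return hits


# Constructed sample log (not a real ATD log): an injection into PID 1234 and a
# Run-key entry, followed by an unrelated call.
SAMPLE_LOG = r"""
0x00401a3c OpenProcess(0x1F0FFF, 0x0, 1234) = 0x9C
0x00401a58 VirtualAllocEx(0x9C, 0x0, 0x1000, 0x3000, 0x40) = 0x2A0000
0x00401a7f WriteProcessMemory(0x9C, 0x2A0000, 0x12FE40, 0x1000, 0x0) = 0x1
0x00401a9a CreateRemoteThread(0x9C, 0x0, 0x0, 0x2A0000, 0x0, 0x0, 0x0) = 0xA0
0x00401b02 RegCreateKeyExW(0x80000001, "Software\Microsoft\Windows\CurrentVersion\Run", 0x0, 0x0, 0x0, 0xF003F, 0x0, 0x12FF10, 0x0) = 0x0
0x00401b10 RegSetValueExW(0x5C, "Updater", 0x0, 0x1, "C:\Users\u\AppData\Roaming\svc.exe", 0x40) = 0x0
0x00401b40 printf("done") = 0x4
"""

if __name__ == "__main__":
    calls = parse_api_log(SAMPLE_LOG)
    print(find_remote_injection(calls))
    print(find_run_key_persistence(calls))
```

The handle/address correlation is the point: an `alloc_at`/`thread_at` pair gives you the two caller addresses to look up in the disassembly listing, where the guide's logic-path graph shows which subroutine made each call.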
79. in yEd Graph Editor.
3 Click OK.
Analyzing malware: View the analysis results
When you open the <file name>_logicpath.gml file in yEd Graph Editor, initially you might see many rectangular boxes overlapping each other, or a single rectangular box, as in Figure 8-12 Open <file name>_logicpath.gml file (the example shows boxes labelled Sub_00406082, Sub_00406112 and so on).
In yEd Graph Editor, select Layout | Hierarchical. Figure 8-13 Incremental Hierarchic Layout dialog.
In the Incremental Hierarchic Layout dialog, click OK without changing any of the default settings. The resulting layout shows the relationships among all subroutines detected during static disassembly.
80. is now complete. Select Enable Fallback so that, if the configured LDAP server is not reachable, authentication is routed to the Advanced Threat Defense local database. For cliadmin users, Enable Fallback is always enabled. LDAP authentication is used for SFTP communication with Advanced Threat Defense; the fallback feature is not supported for SFTP communication.
Configure SNMP setting
The SNMP service lets users obtain integral values for the following quantifiable attributes of the Advanced Threat Defense components, so that Advanced Threat Defense resources can be managed efficiently:
- CPU Utilization
- Memory Utilization
- HDD System Space Utilization
- HDD Data Space Utilization
- Interface Counter
- System Temperature
- Number of samples in waiting queue
- Number of samples under analysis
You issue the snmpget command from a command prompt, or use any MIB browser, to retrieve the numeric value of these attributes. You can also configure the SNMP service to send SNMP traps for the following attributes. SNMP traps are alert messages that notify users that the integral value of an attribute has reached or exceeded the user-defined limit for that attribute. Traps are sent every 60 seconds if the integral va
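The Syslog Setting section earlier on this page (one syslog event when a utilization value exceeds a 30-90% threshold that defaults to 75%, plus link up/down events) and the SNMP trap behaviour described here (a trap when a value reaches or exceeds its limit, repeated every 60 seconds while it stays there) are two alerting paths over the same readings. The following added example (not the appliance's code) models both so the difference in semantics is explicit: syslog is edge-triggered on strict "exceeds", traps are level-triggered on "reached or exceeded" with a 60-second repeat. The syslog priority value, attribute names and readings are assumptions.

```python
# Added example, not from the product guide or McAfee: models the threshold
# logic for syslog events and SNMP traps. Limits and the 60 s interval come
# from the guide; message format, PRI value and sample readings are assumed.
MIN_THRESHOLD, MAX_THRESHOLD, DEFAULT_THRESHOLD = 30, 90, 75   # percent
TRAP_INTERVAL_S = 60
SYSLOG_ATTRIBUTES = ("cpu", "memory", "hdd")      # the three utilization events
SYSLOG_PRI = 132   # facility local0 (16*8) + severity warning (4): an assumption


def validate_threshold(percent):
    """Accept only what the Syslog Setting page accepts; None selects the default."""
    if percent is None:
        return DEFAULT_THRESHOLD
    if not isinstance(percent, int) or not MIN_THRESHOLD <= percent <= MAX_THRESHOLD:
        raise ValueError(f"threshold must be an integer in {MIN_THRESHOLD}..{MAX_THRESHOLD}, got {percent!r}")
    return percent


class ThresholdMonitor:
    def __init__(self, syslog_threshold=None, snmp_limits=None, hostname="atd"):
        self.syslog_threshold = validate_threshold(syslog_threshold)
        self.snmp_limits = dict(snmp_limits or {})   # e.g. {"cpu": 80, "queue_waiting": 500}
        self.hostname = hostname
        self._armed = {a: True for a in SYSLOG_ATTRIBUTES}  # edge-triggered syslog events
        self._link_state = {}                                # iface -> last known state
        self._last_trap = {}                                 # attribute -> ts of last trap

    def syslog_events(self, reading: dict, ts: int) -> list:
        """One event per threshold crossing (strictly above the threshold). The
        attribute is re-armed once the value drops back to or under the threshold,
        so a value sitting at 85% does not flood the SIEM receiver every sample."""
        out = []
        for attr in SYSLOG_ATTRIBUTES:
            value = reading.get(attr)
            if value is None:
                continue
            if value > self.syslog_threshold and self._armed[attr]:
                out.append(f"<{SYSLOG_PRI}>{self.hostname} atd[{ts}]: {attr} utilization "
                           f"{value}% exceeds threshold {self.syslog_threshold}%")
                self._armed[attr] = False
            elif value <= self.syslog_threshold:
                self._armed[attr] = True
        return out

    def link_events(self, iface: str, up: bool, ts: int) -> list:
        """Syslog event on every link state change; the first observation only
        records the state."""
        prev = self._link_state.get(iface)
        self._link_state[iface] = up
        if prev is None or prev == up:
            return []
        return [f"<{SYSLOG_PRI}>{self.hostname} atd[{ts}]: interface {iface} link {'up' if up else 'down'}"]

    def snmp_traps(self, reading: dict, ts: int) -> list:
        """A trap when a value reaches or exceeds its limit, repeated no more often
        than every TRAP_INTERVAL_S seconds for as long as it stays there."""
        traps = []
        for attr, limit in self.snmp_limits.items():
            value = reading.get(attr)
            if value is None or value < limit:
                self._last_trap.pop(attr, None)    # below limit: reset the repeat timer
                continue
            last = self._last_trap.get(attr)
            if last is None or ts - last >= TRAP_INTERVAL_S:
                traps.append({"attribute": attr, "value": value, "limit": limit, "ts": ts})
                self._last_trap[attr] = ts
        return traps


if __name__ == "__main__":
    m = ThresholdMonitor(snmp_limits={"cpu": 80})
    for ts, r in enumerate([{"cpu": 85, "memory": 40}, {"cpu": 86}, {"cpu": 50}, {"cpu": 76}]):
        print(m.syslog_events(r, ts * 30), m.snmp_traps(r, ts * 30))
```

The monitor is the model a SIEM rule should assume: a single syslog event per excursion, but a trap stream that repeats every minute, so correlation rules must de-duplicate traps rather than count them.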
81. Creating analyzer VM: Create a VMDK file for Windows 2003 Server, Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 29: Complete the following steps.
1 Select Start | Run and enter gpedit.msc.
2 In the Group Policy Object Editor window, select Computer Configuration | Administrative Templates | System and double-click Display Shutdown Event Tracker.
82. mentioned in the VM Profile field. Once Windows 64-bit is set as the default VM, PE32 files go into the Windows 64-bit VM and not into the Windows 32-bit VM.
- Archive Password: Enter the password that Advanced Threat Defense uses to unzip a password-protected malware sample.
- Confirm Password: Re-enter the password for confirmation.
- Minimum Run Time (sec): Specify the minimum duration for which Advanced Threat Defense should dynamically analyze the sample. The default value is 5 seconds and the maximum allowed is 600 seconds. If the file stops executing before this period, dynamic analysis is stopped.
- Maximum Run Time (sec): Specify the maximum duration for which Advanced Threat Defense should dynamically analyze the sample. The default value is 180 seconds and the maximum allowed is 600 seconds. If the file has not stopped executing when this period expires, dynamic analysis is stopped.
- Analysis Summary: Select to include the Analysis Summary report in the analysis results. See View the Threat Analysis report on page 298.
- Packet captures: Select to capture the network packets if the file attempts to communicate during dynamic analysis. The pcap file is provided in the complete results zip file.
- Dropped Files: Select to generate the Files Created in Sandbox report. See Dropped files report on page 304.
- Disassembly Results: Select if you want Advanced Threat Defense to generate the disasse
83. (Telnet service properties dialog: "Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients." Startup type, Service status, Start parameters.)
Step 26: Enable FTP on the VM. In the virtualMachineImage, select Start | Control Panel | Add or Remove Programs | Add/Remove Windows Components. (Windows Components Wizard: "To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed." The list includes Internet Explorer, Internet Information Services (IIS), Management and Monitoring Tools and Message Queuing.)
Creating analyzer VM: Create a VMDK file for Windows XP, Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 27: In the Windows Components Wizard, double-click Internet Information Services (IIS).
84. of a valid command and then press Tab. For example, typing pas and pressing Tab results in the CLI auto-completing the entry to the command passwd. If the partially entered text matches multiple commands, the CLI displays all matching commands.
CLI syntax
You issue commands at the command prompt in this form: <command> <value>
- Values that you must enter are enclosed in angle brackets < >.
- Optional keywords or values are enclosed in square brackets [ ].
- Alternatives are separated by a vertical line |.
- Variables are indicated by italics.
Do not type the < or > symbols.
Mandatory commands
Certain commands must be executed on the McAfee Advanced Threat Defense Appliance before it is fully operational. The remaining commands in this chapter are optional and assume default values for their parameters unless they are executed with other specific parameter values. The required commands are:
- set appliance name
- set appliance ip
CLI commands for McAfee Advanced Threat Defense: Log on to the CLI
- set appliance gateway is also required if any of the following are true:
  - the McAfee Advanced Threat Defense Appliance is on a different network than the McAfee products you plan to integrate;
  - you plan to access McAfee Advanced Threat Defense from a different network, either using an SSH client o
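The Tab behaviour described above (unique prefix completes, ambiguous prefix lists the candidates) is shown in this added example, which is not the appliance's own CLI code. Only command names that appear on this page are used; `bisect` is used because prefix matches are contiguous in a sorted list, so lookup stays cheap even for a long command table.

```python
# Added example, not McAfee's CLI implementation. COMMANDS is a constructed
# subset of command names mentioned in this guide.
import bisect

COMMANDS = sorted([
    "passwd", "set appliance name", "set appliance ip", "set appliance gateway",
    "show heuristic analysis", "restart network", "resetuiadminpasswd",
    "resetusertimeout", "revertwebcertificate", "cluster withdraw", "amas restart",
])


def complete(partial: str, commands=COMMANDS):
    """Return (completed_text, candidates):
    - exactly one command starts with `partial`: the full command, one candidate;
    - several do: the longest common prefix of them, and all candidates to display;
    - none do: the input unchanged and an empty candidate list."""
    lo = bisect.bisect_left(commands, partial)
    matches = []
    for name in commands[lo:]:          # all strings with this prefix are adjacent
        if not name.startswith(partial):
            break
        matches.append(name)
    if not matches:
        return partial, []
    if len(matches) == 1:
        return matches[0], matches
    lcp = matches[0]
    for name in matches[1:]:            # shrink lcp until it is a prefix of every match
        i = 0
        while i < min(len(lcp), len(name)) and lcp[i] == name[i]:
            i += 1
        lcp = lcp[:i]
    return lcp, matches


if __name__ == "__main__":
    for typed in ("pas", "res", "reset", "set appliance ", "zz"):
        print(repr(typed), "->", complete(typed))
```

Note that `complete("res")` returns the prefix unchanged together with three candidates, which is the "displays all available matching commands" case in the text, while a second Tab after typing `reset` narrows to `resetu`.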
85. of files for which the data needs to be captured. Storing this information in McAfee ePO facilitates debugging and support activities. Users must install the ATDThreatEvent extension on McAfee ePO for Advanced Threat Defense to publish threat events. Integration with McAfee ePO to publish threat events is supported with McAfee ePO 5.1.1 or later.
Configuring Advanced Threat Defense for malware analysis: Configure McAfee ePO integration to publish threat events
The following data is sent to McAfee ePO from Advanced Threat Defense:
- ATD software version
- IOC (Indicators of Compromise) file
- Job ID
- MD5 value
- Task ID
- Time stamp
- ATD IP address
- Size
- Source IP address
- Severity
Task
1 Select Manage | ePO Login / DXL Setting. The page has three areas: ePO User Credentials (Enable ePO Login, Enable OS Profiling, Login ID, Password, IP Address, Port Number 8445, Submit, Test ePO Login); DXL Setting (Enable DXL communication, DXL Status, Apply, Test Connection); and Publish Threat Events to ePO (Enable Threat Event Publisher, Publisher Status, Apply).
2 Enter the details in the ePO User Credentials and DXL Setting areas.
Integration with Data Exchange Layer
3 In the Publish Threat Events to ePO area, sele
86. of the analysis, it provides a detailed report as required by the user. Advanced Threat Defense performs dynamic analysis after static analysis is done. By default, if static analysis identifies the malware, Advanced Threat Defense does not perform dynamic analysis. However, you can configure Advanced Threat Defense to perform dynamic analysis regardless of the results of static analysis, and you can also configure dynamic analysis only, without static analysis. Dynamic analysis also includes the disassembly listing feature of Advanced Threat Defense, which can generate the disassembly code of PE files for you to analyze the sample further.
Analyzer VM: This is the virtual machine on the Advanced Threat Defense Appliance that is used for dynamic analysis. To create the analyzer VMs, you create a VMDK file with the required operating system and applications and then import this file into the Advanced Threat Defense Appliance using SFTP. Only the following operating systems are supported for analyzer VMs:
- Microsoft Windows XP 32-bit Service Pack 2
- Microsoft Windows XP 32-bit Service Pack 3
- Microsoft Windows Server 2003 32-bit Service Pack 1
- Microsoft Windows Server 2003 32-bit Service Pack 2
- Microsoft Windows Server 2008 R2 Service Pack 1
- Microsoft Windows 7 32-bit Service Pack 1
- Microsoft Windows 7 64-bit Service Pack 1
- Microsoft Windows 8.0 Pro 32-bit
- Microsoft Windows 8.0 Pro 64-bit
- Android 2.3 b
87. or script that uses the Advanced Threat Defense REST APIs. From the 3.4.2 release, the Cluster IP is the point of contact for these integrated products if the user chooses to configure a backup node.
8 Create the McAfee Advanced Threat Defense cluster (see page 331).
9 Submit files and URLs to the Advanced Threat Defense cluster.
10 View the analysis results for an Advanced Threat Defense cluster.
11 Manage configurations for the cluster.
Create the McAfee Advanced Threat Defense cluster
Before you begin:
- You have reviewed Configuring an Advanced Threat Defense cluster: high-level steps on page 330.
- You have admin user rights for the primary node's web application.
- The primary and secondary nodes are not part of any other cluster.
- The software version (active version) of all nodes that you plan to use is an exact match.
Task
1 Identify an Advanced Threat Defense Appliance as the primary node and log on to its web application with a user name that has admin rights.
Clustering McAfee Advanced Threat Defense Appliances: Configuring an Advanced Threat Defense cluster, high-level steps
2 Select Manage | Load Balancing. The Load Balancing (Cluster Setting) page is displayed.
3 In the Node IP address field, enter the management port IP address of the primary node, select Primary from the drop-down list, and click Add Node.
4 Confirm that you want to create the cluster. Advanced
88. provided in step 8 to find the VMDK file named virtualMachineImage-flat.vmdk.
Create a VMDK file for Windows 2003 Server
Before you begin:
- Download VMware Workstation 9.0 or above from http://www.vmware.com/products/workstation/workstation-evaluation and install it.
- Make sure that you have the ISO image of Windows 2003 Server SP1 or SP2 for which you need to create the VMDK file. Only Windows 2003 Server Enterprise edition is supported.
- Make sure you have the license key for the operating system.
Creating analyzer VM: Create a VMDK file for Windows 2003 Server, Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image
Step 1: Start VMware Workstation. This procedure uses VMware Workstation 10 as an example.
Step 2: In VMware Workstation, select File | New Virtual Machine (Ctrl+N).
Step 3: In the New Virtual Machine Wizard window, select Custom (advanced) and click Next. (The wizard asks "What type of configuration do you want?" with Typical (recommended) and Custom (advanced) as the choices.)
89. proxy server. DNS queries from the analyzer VMs go to this DNS server.
- Alternate DNS Server: Enter the IPv4 address of the secondary DNS proxy server. If an analyzer VM is unable to reach the primary DNS server, its DNS queries go to the secondary DNS server.
- Test: Click to verify that Advanced Threat Defense can reach either the preferred or the alternate DNS server.
- Submit: Click to save the configuration in the database. Make sure that the test connection is successful before you click Submit.
After any DNS configuration change, use the CLI command amas restart to restart the amas services.
Configure date and time settings
Before you begin:
- You need admin user privileges to view or set the date and time settings.
- If you plan to use domain names for Network Time Protocol (NTP) servers, make sure you have configured the DNS servers correctly in Advanced Threat Defense.
You set the date and time on the Advanced Threat Defense Appliance in the Date and Time Settings page. Advanced Threat Defense uses the date and time that you configure for all functional and display purposes: the timestamps in the web application user interface, reports, log files and CLI all follow the date and time you specify. For example, the timestamps in the Analysis Status and Analysis Results pages are as per the configured date and time. You c
90. published analysis results from Advanced Threat Defense.
Tasks
- Export Advanced Threat Defense logs on page 56
- Recreate the analyzer VMs on page 57
- Delete the analysis results on page 58
Export Advanced Threat Defense logs
If you face issues using Advanced Threat Defense, you can export the log files and provide them to McAfee support for analysis and troubleshooting. You can export system logs, diagnostic logs and additional miscellaneous logs. The system logs help to troubleshoot issues related to features, operations, events and so on; the diagnostic logs are needed to troubleshoot critical issues such as system crashes. You cannot read the contents of the system or diagnostic log files; they are intended for McAfee support.
Task
1 In the Troubleshooting page, click Log files to download the system logs and Diagnostic File to download the diagnostic logs.
2 To download the network packet capture file, click Network Capture. The network capture stops automatically once the file size reaches 10 megabytes.
Managing Advanced Threat Defense: Troubleshooting
3 To download the additional miscellaneous information and logs, click Support Bundle, enter the ticket number and click OK. (The Troubleshooting page also offers HTTP Proxy Setting, System Log, Create VMs, Date and Time Setting and Reset Report Analysis.)
91. require user input. This is typically done to check whether the malware is being analyzed in a sandbox: in the absence of user input the malware might take an alternative execution path or even suspend further execution. If you select this option, you can access the actual analyzer VM on which the malware is executed and provide the required input. This is similar to executing files in user-interactive mode; see Upload URLs for analysis in user-interactive mode on page 285.
- Submit: Click to upload the URL to Advanced Threat Defense for analysis. A message box is displayed after the URL is uploaded successfully, showing:
  - File Name: the URL that you submitted
  - File Size: the size of the sample
  - MD5: the MD5 hash value as computed by Advanced Threat Defense
  - Mime Type
3 Click Submit.
Analyzing malware: Configure the Analysis Status page
Configure the Analysis Status page
Task
1 Select Analysis | Analysis Status. The Analysis Status page lists the status of the submitted files (the tabs are Analysis Status, Analysis Results, Samples and Manual Upload; each row shows the submitted time and a status such as Completed or Analyzing).
92. requirement:
- Enable the heuristic filter for PDF files.
- Disable the re-analyze option for all supported file types.
Use the show command to find the current status. By default, heuristic analysis is disabled.
Syntax: show heuristic analysis
When heuristic analysis is disabled, the settings are as follows.
Setting: Heuristic filtering is OFF
Description: This is a feature of Advanced Threat Defense. When turned on, Advanced Threat Defense performs a heuristic analysis of PDF, MS Office 2007 Word and MS Office 2007 Excel files submitted by a channel such as a Network Security Sensor, Web Gateway or Email Gateway. That is, it examines the structure of the files for malicious content such as embedded JavaScript, embedded exe files or redirections. Only if there are heuristic abnormalities in the file is it considered for malware analysis as per the corresponding analyzer profile. If there are no abnormalities, the file is treated as clean, that is, a severity rating of zero (informational) is assigned. In networks with a very high flow of PDF files, the heuristic filter can reduce the load on Advanced Threat Defense by filtering off files that have no suspicious content.
Setting: re-analysis configuration setting ON
Description: By default, Advanced Threat Defense analyses all supported files submitted by a Sensor even if the files have already been analyzed. When re-analysis is set to OFF, Advanced Threat Defense
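The heuristic filter is a structural pre-check: it inspects the file's object syntax for constructs that carry code or redirect the reader, and only structurally suspicious files go on to full analysis. McAfee's actual rules are not published in the guide, so the following is an added example of a filter in that spirit, not the product's engine. It decodes `#xx` name escapes and inflates FlateDecode streams before matching, because both are routine ways to hide `/JavaScript` or `/Launch` from a naive grep. The two sample PDFs are constructed inline; the indicator list is the author's own choice.

```python
# Added example, not McAfee's heuristic engine: a structural pre-filter for PDFs
# that flags script, embedded-payload and redirection constructs. Indicators and
# the sample documents are constructed for illustration.
import re
import zlib

# /JS and /JavaScript: script execution. /EmbeddedFile and /Launch: embedded or
# launched payloads. /OpenAction and /AA: actions that fire without a click.
# /URI: redirection to an external location.
INDICATORS = [
    (rb"/JavaScript\b", "embedded JavaScript"),
    (rb"/JS\b", "JavaScript stream"),
    (rb"/EmbeddedFile\b", "embedded file"),
    (rb"/Launch\b", "launch action"),
    (rb"/OpenAction\b", "open action"),
    (rb"/AA\b", "additional (automatic) action"),
    (rb"/URI\b", "URI redirection"),
]
# Locate stream bodies via the declared /Length so binary data is sliced exactly.
STREAM_RE = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n")
# Names may be written with #xx hex escapes, e.g. /J#61vaScript; undo them first.
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _unescape_names(data: bytes) -> bytes:
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every FlateDecode stream so indicators
    inside compressed objects are visible too; undecodable streams are skipped."""
    extra = []
    for m in STREAM_RE.finditer(data):
        body = data[m.end():m.end() + int(m.group(1))]
        try:
            extra.append(zlib.decompress(body))
        except zlib.error:
            pass
    return data + b"\n" + b"\n".join(extra)


def heuristic_scan(pdf: bytes) -> dict:
    """Return 'clean' (severity 0, informational) when no indicator is present,
    otherwise 'suspicious' with the reasons, mirroring the guide's rule."""
    if not pdf.startswith(b"%PDF-"):
        return {"verdict": "not-pdf", "severity": None, "reasons": []}
    text = _unescape_names(_inflate_streams(pdf))
    reasons = [why for pat, why in INDICATORS if re.search(pat, text)]
    return {"verdict": "suspicious" if reasons else "clean",
            "severity": 0 if not reasons else None, "reasons": reasons}


# Constructed samples: a bare one-page PDF, and one whose catalog carries an
# OpenAction pointing at a compressed JavaScript action with a hex-escaped /JS.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
_js = zlib.compress(b"<< /S /JavaScript /J#53 (app.launchURL('http://example.invalid')) >>")
EVIL_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /Filter /FlateDecode /Length " + str(len(_js)).encode()
            + b" >>\nstream\n" + _js + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(heuristic_scan(CLEAN_PDF))
    print(heuristic_scan(EVIL_PDF))
```

The filter errs on the side of sending files onward: a `/URI` in an ordinary hyperlink is enough to route a document to full analysis, which is the right bias for a pre-filter whose "clean" verdict ends the analysis with severity zero.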
93. resetuiadminpasswd
Use this command to reset the password of the admin user of the McAfee Advanced Threat Defense web application. When you execute this command, the password is reset to the default value, which is admin. Change it again immediately after logging on, since the default is published. Currently logged-on sessions are not affected; the change affects only new logon attempts.
Syntax: resetuiadminpasswd
Press Y to confirm or N to cancel.
resetusertimeout
Enables a user to log on to the McAfee Advanced Threat Defense web application without waiting for the logon timer to expire.
Syntax: resetusertimeout <WORD>
CLI commands for McAfee Advanced Threat Defense: List of CLI commands
Parameter <WORD>: The McAfee Advanced Threat Defense web application user name for which you want to remove the logon timer. If the action is successful, the message "Reset done" is displayed.
Example: resetusertimeout admin
restart network
Use this command to restart the network on the McAfee Advanced Threat Defense Appliance. Restart amas after using this command.
Syntax: restart network
This command has no parameters.
revertwebcertificate
Use this command to revert an uploaded web certificate to the default certificate.
Syntax: revertwebcertificate
This command has no parameters. The command displays: "revertwebcertificate: Successfully reverted back web certificate to default".
94. (Select a Disk window: choose an existing virtual disk to reuse a previously configured disk, or a physical disk, for advanced users, to give the virtual machine direct access to a local hard disk. Back, Next, Cancel.)
Creating analyzer VM: Create a VMDK file for Windows 2003 Server, Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 14: Specify the details in the Specify Disk Capacity window and then click Next.
- Maximum disk size (GB): For Windows 2003 Server the maximum disk size can be 30 GB; however, enter 5 GB for optimal performance.
- Select Allocate all disk space now. (The wizard notes that allocating the full capacity can enhance performance but requires all of the physical disk space to be available now; otherwise the virtual disk starts small and grows as you add data.)
- Select Store virtual disk as a single file.
Step 15: In the Specify Disk File window, make sure virtualMachineImage.vmdk is displayed by default and click Next. If you specified a different name for the virtual machine, that name is displayed here.
95. submit files and to integrate with other products such as Network Security Platform and Web Gateway. The Primary node (the primary Advanced Threat Defense Appliance) acts as the external interface for the cluster: from the standpoint of configuration and file submission, the Primary node is virtually associated with the IP address of the cluster. If you integrate Network Security Platform, Web Gateway and Email Gateway with the secondary nodes, these nodes function like standalone Advanced Threat Defense Appliances. If a Backup node is present in the cluster, the integrated products must be configured with the cluster IP address. Integrating an Advanced Threat Defense cluster with Email Gateway is supported from release 3.4.2.
- If the Primary node is down, the Backup node takes over. The Backup node must be in the same L2 network as the Primary node.
- Users can view the Analysis Status and Analysis Results of all nodes in the cluster from the Active node, that is, the Primary node or the Backup node.
- You can wipe all cluster-related configuration from a node and make it a standalone appliance. The cluster withdraw CLI command destroys the cluster; it may be run on any node (Primary, Backup or Secondary). Use it where the normal means of removing a node (Remove Node, Withdraw From Cluster) does not remove that node from the cluster. See also cluster withdraw on page 349.
Network connections for an Advanced Threat Defens
96. system for which you are creating the VMDK file.
- Full name: You must enter administrator as the full name.
- Password: You must enter cr@cker42 as the password. This is the password that Advanced Threat Defense uses to log on to the VM. Because this credential is fixed and documented, the analyzer VM must stay isolated to the appliance's analysis network and must never be reachable from production hosts.
- Confirm: Enter cr@cker42 again to confirm.
- Log on automatically (requires a password): Deselect this box.
(Easy Install Information window: "This is used to install Windows XP Professional." Windows product key; Personalize Windows: Full name, Password, Confirm; Log on automatically (requires a password).)
Creating analyzer VM: Create a VMDK file for Windows XP, Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 7: If the VMware Workstation message "You have entered a Full Name that may conflict with a built-in account in the guest operating system. If it does conflict, you may be asked for a new Full Name by the installer. Would you like to continue?" is displayed, select Do not show this message again, click Yes, and then click Next.
Step 8: Enter the information in the Name the Virtual Machine window.
- Virtual Machine name: You must enter virtualMachineImage as the name.
- Location: Browse and select the folder where you want to create the VMDK file.
the Threat Analysis report, which provides the severity scores for various characteristics of a typical malware.

Table 8-9 Behavior classification section
Label | Description
Persistence, Installation, Boot Survival | Some malware has the capability to remain on the infected host; this is referred to as persistence. Installation/boot survival refers to the capability of the malware to persist even after a restart.
Hiding, Camouflage, Stealthiness, Detection and Removal Protection | The capability of the malware to evade detection and removal.
Security Solution / Mechanism Bypass, Termination and Removal, Anti-Debugging, VM Detection | The capability of the malware to bypass or mislead detection methods and engines. Some malware has anti-disassembly code, which can confuse or delay malware analysis. Some malware attempts to determine whether it is being executed in a sandbox; if so, it might take a different execution path. This score indicates the presence of such code in the malware.
Spreading | The capability of the malware to spread across the network.
Exploiting, Shellcode | The presence of shellcode that can exploit a running program.
Networking | The network-related behavior of the malware during dynamic analysis. For example, the malware might have triggered DNS queries or created sockets. If there is a severity score provided for this characteristic, correlate with
the VMDK file, named virtualMachineImage-flat.vmdk.

Create a VMDK file for Windows 8
Before you begin
• Download VMware Workstation 9.0 or above from http://www.vmware.com/products/workstation/workstation-evaluation and install it. McAfee recommends version 9 or 10.
• Make sure that you have the ISO image of Windows 8 (32-bit or 64-bit) for which you need to create the VMDK file. Only Windows 8 Pro is supported. This procedure uses the Windows 8 Pro English version as an example.
• Make sure you have the details to activate the operating system based on the type of license you possess. You must activate the operating system before you import the VMDK file into Advanced Threat Defense.
Use this procedure to create VMDK files from an ISO image of Windows 8 Pro 32-bit or 64-bit.

Step 1: Start VMware Workstation. This procedure uses VMware Workstation 10 as an example.
Step 2: In the VMware Workstation page, select File > New Virtual Machine.
[File menu: New Virtual Machine (Ctrl+N), New Window, Open (Ctrl+O), Close Tab (Ctrl+W), Connect to Server (Ctrl+L), Virtualize a Physical Machine, Export to OVF, Map Virtual Disks, Exit]
Custom (Advanced) and click Next.
Step 4: In the Choose th
the check box is shaded, only part of the component will be installed. To see what is included in a component, click Details.
[Subcomponents of Internet Information Services (IIS): Common Files 1.0 MB; Documentation 3.5 MB; File Transfer Protocol (FTP) Service; FrontPage 2000 Server Extensions 4.3 MB; Internet Information Services Snap-In 1.3 MB; SMTP Service 1.1 MB; World Wide Web Service 2.3 MB. Total disk space required 51.8 MB]
Step 38: In the Windows Components Wizard, click Finish to finish installing FTP.
[Windows Components Wizard: Completing the Windows Components Wizard]

Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 39: Select Start > Control Panel > Switch to Classic View > Administrative Tools and double-click Internet Information Services.
[Administrative Tools folder: Component Services, Computer Management, Internet Information Services]
the feature is turned on.
[Windows Features dialog: .NET Framework 3.5 (includes .NET 2.0 and 3.0), with Windows Communication Foundation HTTP Activation and Non-HTTP Activation beneath it; .NET Framework 4.5 Advanced Services]
5 Press OK.
6 If the message "Windows needs files from Windows Update to finish installing some features" is displayed, select Download files from Windows Update (not Don't connect to Windows Update). This operation might take around 5 minutes to complete. A confirmation message, "Windows completed the requested changes", is displayed when the operation completes.

Step 26: Edit the power options.
1 Open the Control Panel and, from the View by drop-down, select Small icons.
2 Click Power Options.
3 Click Choose when to turn off the display.
the same file re-entering your network is reduced. Even the first time a zero-day malware is downloaded, you can contain it by quarantining the affected hosts until they are cleaned and remediated.

Packing can change the composition of the code or enable malware to evade reverse engineering, so proper unpacking is critical to obtain the actual malware code for analysis. Advanced Threat Defense is capable of unpacking the code so that the original code is recovered for static analysis.

Setting up the Advanced Threat Defense Appliance
Review this chapter for information regarding the Advanced Threat Defense Appliance and how to set it up.
Contents: About Advanced Threat Defense Appliance; Functions of an Advanced Threat Defense Appliance; Before you install the Advanced Threat Defense Appliance; Hardware specifications and environmental requirements; Setting up Advanced Threat Defense

About Advanced Threat Defense Appliance
Depending on the model, the Advanced Threat Defense Appliance is a 1U or 2U rack-dense chassis with an Intel Xeon E5-2600 product family processor. The McAfee Advanced Threat Defense Appliance runs on a pre-installed hardened Linux kernel 3.6.0 and comes preloaded with the
to the guest operating system.
[Select a Disk dialog: Create a new virtual disk (virtual disks can easily be copied or moved on the same host or between hosts); Use an existing virtual disk (reuse a previously configured disk); Use a physical disk (give the virtual machine direct access to a local hard disk)]
Step 15: Specify the details in the Specify Disk Capacity window and then click Next.
• Maximum disk size (GB): For Windows 7, the maximum disk size can be 30 GB. However, for optimal performance you must enter 14 GB for Windows 7 64-bit and 12 GB for Windows 7 32-bit.
• Select Allocate all disk space now.
• Select Store virtual disk as a single file.
[Specify Disk Capacity dialog: Maximum disk size 14 GB (recommended size for Windows 7 x64: 60 GB); Allocate all disk space now selected; Store virtual disk as a single file selected]

Create a VMDK file for Windows 7 (continued)
Step 16: In the Specify Disk File window, make sure virtualMachineImage
versions of McAfee Gateway Anti-Malware Engine
• Whitelist and blacklist entries
• Custom YARA rules
• Database backup and restore configurations
• Any configuration done using the CLI
Log on to each node in the cluster to change these configurations. Make sure that these configurations are the same on all nodes of the cluster.

CLI commands for McAfee Advanced Threat Defense
The McAfee Advanced Threat Defense Appliance supports command-line interface (CLI) commands for tasks such as network configuration, restarting the Appliance, and resetting the Appliance to factory defaults.
Contents: Issue of CLI commands; CLI syntax; Log on to the CLI; Meaning of; Managing the disks of the McAfee Advanced Threat Defense Appliance; List of CLI commands

Issue of CLI commands
You can issue CLI commands locally from the McAfee Advanced Threat Defense Appliance console or remotely through SSH.

How to issue a command through the console
For information on how to set up the console for a McAfee Advanced Threat Defense Appliance, see Configure network information for Advanced Threat Defense Appliance on page 31. When the documentation indicates that you must perform an operation on the Appliance, it signifies that you must perform the operation from the command line of a console host connected to the McAfee Advanced Threat Defense Appliance. For examp
.vmdk is displayed by default, and click Next. If you specified a different name for Virtual machine name, that name is displayed here.
[Specify Disk File dialog: one 14 GB disk file will be created using the file name virtualMachineImage.vmdk]

Create a VMDK file for Windows 7 (continued)
Step 17: Complete the following in the Ready to Create Virtual Machine window:
• Power on this virtual machine after creation: Select this option.
• Click Finish. This step might take around 30 minutes to complete.
[Ready to Create Virtual Machine summary: Name virtualMachineImage; Version Workstation 9.0; Operating System Windows 7 x64; Hard Disk 14 GB, Pre-allocated; Memory 3072 MB; Network Adapter NAT; Other Devices CD/DVD, USB Controller, Printer, Sound Card; Power on this virtual machine after creation selected]
with Advanced Threat Defense. Then, when these products detect a file download, they automatically submit the file to Advanced Threat Defense before allowing the download to complete. So, for these products, default user profiles are available in Advanced Threat Defense. For each user you define the default analyzer profile, which in turn can contain the VM profile. If you use the Advanced Threat Defense web application to upload files for analysis, you can override this default profile at the time of file submission. For other users, Advanced Threat Defense uses the default profiles.

High-level steps for configuring malware analysis
This section provides the high-level steps on how to configure Advanced Threat Defense for malware analysis and reporting.
Figure 6-1 Summarized steps for configuring malware analysis
1 Set up the Advanced Threat Defense Appliance and ensure that it is up and running.
• Based on your deployment option, make sure the Advanced Threat Defense Appliance has the required network connections. For example, if you integrate it with Network Security Platform, make sure the Sensor, the Manager, and the Advanced Threat Defense Appliance are able to communicate with each other.
• Make sure the required static analysis modules, such as the McAfee Gateway Anti-Malware
[Specify Disk Capacity dialog: Allocate all disk space now selected (allocating the full capacity can enhance performance but requires all of the physical disk space to be available now; otherwise the virtual disk starts small and grows as you add data); Store virtual disk as a single file selected. Specify Disk File dialog: one 5 GB disk file will be created using the file name virtualMachineImage.vmdk]

Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 17: Complete the following in the Ready to Create Virtual Machine window:
• Power on this virtual machine after creation: Select this option.
• Click Finish. This step might take around 30 minutes to complete.
[Ready to Create Virtual Machine summary: Name virtualMachineImage; Location C
; Operating System Windows XP Professional; Hard Disk 5 GB, Pre-allocated; Memory 1024 MB; Network Adapter NAT; Other Devices CD/DVD, USB Controller, Printer, Sound Card; Power on this virtual machine after creation selected]
Step 18: If the Removable Devices pop-up window is displayed, select Do not show this hint again and click OK. Windows begins to install, which might take around 15 minutes.

Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 19: Click OK if the following error message is displayed: "Setup cannot continue until you enter your name. Administrator and Guest are not allowable names to use."
[Windows XP Professional Setup: Personalize Your Software page, asking for your full name and the name of your company or organization]
Step 20: Enter the following details in the Windows XP Professional Setup page:
• Name: Enter root
• Organization: Leave t
[Local Group Policy Editor: Computer Configuration > Administrative Templates > System > Logon; Show first sign-in animation policy (Not Configured / Enabled / Disabled; supported on at least Windows Server 2012, Windows 8)]
4 Select Disabled and then click OK.

Create a VMDK file for Windows 8 (continued)
Step 25: Press the Windows key and X simultaneously, then select Control Panel > Programs > Programs and Features > Turn Windows features on or off, and complete the following:
1 Select Internet Information Services > FTP Server and select FTP Extensibility.
2 Select Internet Information Services > Web Management Tools and select IIS Managem
2007 Office system version of Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding compatibility pack installed. Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats, then install it on the virtual machine.
[Microsoft Software License Terms dialog for the Microsoft Office Compatibility Pack: you must accept the license terms in order to install; click to accept]

Create a VMDK file for Windows 8 (continued)
Download Adobe Reader and copy it to the VM. This procedure uses Adobe Reader 9.0 as an example.
Upgrade ATD software from 3.4.8 to higher
Before you begin
• Make sure that the current version of Advanced Threat Defense is 3.4.8.
• Make sure that the system-3.4.8.x.msu Advanced Threat Defense software that you want to use is extracted and that you can access it from your client computer.
• You have the credentials to log on as the admin user in the Advanced Threat Defense web application.
• You have the credentials to log on to the Advanced Threat Defense CLI using SSH.
• You have the credentials to SFTP to the Advanced Threat Defense Appliance.
• For the admin user record, select Allow Multiple Logins in the User Management page.
• LDAP configuration must be disabled before upgrading the ATD device beyond version 3.4.8.96.
• For the atdadmin user, the gidNumber value must be 1024 in the LDAP server.

Task
1 Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user.
2 Using SFTP, upload the system-<version number>.msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary.
3 After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage > Software Management.
4 Under System Software, select the system-<version number>.msu file. Make sure that Reset Database is deselected in the case of upgrades, and click Install.
Contents (continued)
show version
show waittime 373
shutdown 373
terminal
update avdat 374
watchdog
set malware-intfport mgmt
whitelist
Index 377

Preface
This guide provides the information you need to work with your McAfee product.
Contents: About this guide; Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators: People who implement and enforce the company's security program.
• Users: People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical con
4.94.39030 on 3.0.4.94.39031.
• The time taken for the backup/restore process to complete is usually a few minutes. However, it varies based on the size of the data involved.

Back up and restore the Advanced Threat Defense database
Task
1 Select Manage > Backup and Restore > Restore. The Restore Management page is displayed.
[Figure 4-10 List of available backup files. Backup Time 2014-08-11 19:24:01, Filename matd_3.2.1.29.40655_2014_08_11_07_24, Backup Server IP Address 10.71.119.123; Backup Time 2014-08-11 12:37:01, Filename matd_3.2.1.28.40648_2014_08_11_12_37, Backup Server IP Address 10.71.119.123]

Table 4-2 Restore previous backup files
Option name | Definition
File Name | The name which Advanced Threat Defense assigned to the backup file. Do not attempt to change the file name on the FTP server.
Backup Server IP Address | The IP address of the FTP server on which the backup files are stored.
Backup Time | Time stamp of when the backup was taken.
Restore | Select the required backup file and click Restore to restore the data from that backup file. When you have more than one backup file, select the backup file that you want to restore using the radio buttons.

2 To view the logs related to the restore, select Manage > Logs > Syslog.
[Syslog excerpt: 2014-06-06 15:12:45 starting db restore; 2014-06-06 15:13:00 Databas
(>40 lbs to <80 lbs)
• Non-palletized free fall height: 18 inches
• Palletized (single product) free fall height: NA
Vibration: Unpackaged 5 Hz to 500 Hz, 2.20 g RMS random; Packaged 5 Hz to 500 Hz, 1.09 g RMS random
ESD: 12 kV, except I/O port 8 kV; Air Discharge 12.0 kV, Contact Discharge 8.0 kV, per Intel Environmental test specification
System cooling requirement in BTU/Hr: 460 Watt max, 1570 BTU/hour; 750 Watt max, 2560 BTU/hour
Memory: 192 GB (ATD-3000); 256 GB (ATD-6000)
(Unless noted, values apply to both ATD-3000 and ATD-6000.)

Port numbers
Table 2-1 Port numbers
Client | Server | Default port | Configurable | Description
Any desktop | Advanced Threat Defense web application | TCP 443 (HTTPS) | No | Access Advanced Threat Defense
Any FTP client | Advanced Threat Defense | TCP 22 (SFTP) | No | Access the FTP server on Advanced Threat Defense
Sensor | Advanced Threat Defense | TCP 8505 | No | Communication channel between a Sensor and Advanced Threat Defense
Manager | Advanced Threat Defense | TCP 443 (HTTPS) | No | Communication between the Manager and Advanced Threat Defense through the RESTful APIs
Advanced Threat Defense | McAfee ePO | TCP 8443 | Yes | Host information queries
Advanced Threat Defense | tunnel.message.trustedsource.org | TCP 443 (HTTPS) | No | File Reputation queries
Advanced Threat Defense | list.smartfilter.com | TCP 80 (HTTP) | No | URL updates
Any SSH client | Advanced Threat Defense | TCP 2222 | No | CLI access
Step 49: Click Agree for the Sigcheck License Agreement. After you click Agree, no confirmation message is displayed.
[SigCheck License Agreement dialog: Sysinternals Software License Terms; you can also use the -accepteula command-line switch to accept the EULA]
Step 50: Run the MergeIDE batch file on the VM.
1 Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip on to the native computer and then copy it to the VM.
2 Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
3 If prompted, select Run in the warning message.
4 Close Windows Explorer.

Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 51: Disable Windows updates.
1 Select Start > Control Panel > System > Automatic Updates.
2 In the System Properties window, select Turn off Automatic Updates.
[System Properties dialog: General, Computer Name, Hardware, Advanced, Automatic Updates tabs]
5 °C to 35 °C
Altitude: Support operation up to 3050 meters (10,000 feet)
Safety Certification: UL 1950, CSA C22.2 No. 950, EN 60950, IEC 950, EN 60825, 21CFR1040; CB license and report covering all national (country) deviations
EMI Certification: FCC Part 15 Class A, CFR 47 (USA); ICES-003 Class A (Canada); EN55022 Class A (Europe); CISPR22 Class A (International)
Acoustic noise: Sound power 7.0 BA in operating conditions at typical office ambient temperature (23 ± 2 degrees C)
Shock (operating): Half sine, 2 g peak, 11 milliseconds
Shock (unpackaged): Trapezoidal, 25 g; velocity change is 136 inches/second (>40 lbs to <80 lbs, based on packaged weight)
(Values above apply to both ATD-3000 and ATD-6000.)

Setting up Advanced Threat Defense
Specifics | ATD-3000 | ATD-6000 (continued)
Shock (packaged): Non-palletized free fall height 24 inches, product weight
Create a VMDK file for Windows 2008 Server (continued)
Step 19: If the Initial Configuration Tasks window is displayed, select Do not show this window at logon and click Close.
[Initial Configuration Tasks window: Provide Computer Information, Update This Server, Customize This Server]
Step 20: Stop the VMware Tools installation. The VMware Tools are not compatible with Advanced Threat Defense. If you did not stop the VMware Tools installation, you can continue with the VMDK file creation process, but make sure it is uninstalled when the VMDK file is ready.
[VMware Tools Setup dialog]
Step 21: If the Server Manager window is displayed, select Do not show me this console at logon and close the window.
[Server Manager window]
Advanced Threat Defense software.
The Advanced Threat Defense Appliance is available in the following models:
• ATD-3000: This standard model is a 1U chassis.
• ATD-6000: This high-end model is a 2U chassis.

Functions of an Advanced Threat Defense Appliance
The Advanced Threat Defense Appliances are purpose-built, scalable, and flexible high-performance servers designed to analyze suspicious files for malware. The following are the primary functions of the Advanced Threat Defense Appliance:
• Host the Advanced Threat Defense software that analyzes files for malware.
• Host the Advanced Threat Defense web application.
• Host the virtual machines used for dynamic analysis of suspicious files.
For the performance values related to ATD-3000 and ATD-6000, contact McAfee support.

Before you install the Advanced Threat Defense Appliance
This section describes the tasks that you must complete before you begin to install an Advanced Threat Defense Appliance.
• Read all the provided documentation before installation.
• Make sure that you have selected a suitable location for installing the Advanced Threat Defense Appliance.
• Check that you have all the necessary equipment and components outlined in this document.
• Familiarize yourself with the McAfee Advanced Threat Defense Applian
Advanced Threat Defense enables you to use your own YARA rules to identify and classify malware. You can therefore import your own descriptions of malware into Advanced Threat Defense. Custom Behavioral Rules also enable you to customize the detection capabilities of Advanced Threat Defense to suit your needs. For example, you can use Custom Behavioral Rules if you would like certain registry operations to be reported at a particular severity level rather than the default severity level assigned by Advanced Threat Defense. You can also write Custom Behavioral Rules to catch zero-day or near zero-day malware. You can write your own Custom Behavioral Rules or use YARA rules from a third party.

Note: In this section the word sample refers to both files and URLs that have been submitted to Advanced Threat Defense for malware analysis.

You can store your Custom Behavioral Rules in a text file. You can name this file such that it enables you to track modifications to your Custom Behavioral Rules set. You import this text file into Advanced Threat Defense through the web application user interface.

Assuming you have enabled all analyze options with custom YARA rules, Advanced Threat Defense processes the sample files and URLs in the following order of priority:
1 Local whitelist
2 Local blacklist
3 McAfee GTI
4 McAfee Gateway Anti-Malware Engine
5 McAfee Anti-Malware Engine
6 Custom YARA Scanner
7 Dynamic Analysis
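The following is an added example, not a rule from the product guide or from McAfee: a custom YARA rule of the kind the Custom YARA Scanner stage above can apply, written to flag the anti-debugging and VM-detection behavior that the Threat Analysis report's Behavior classification section scores. The rule name, the artifact strings, the size limit and the "two artifacts plus one import" threshold are the editor's own assumptions, not values the guide prescribes.

```yara
import "pe"

// Added example rule, not part of the Advanced Threat Defense product guide.
// Strings, size limit and match threshold are illustrative assumptions.
rule ATD_Example_Sandbox_Aware_PE
{
    meta:
        description = "PE file that references VM/sandbox artifacts and imports debugger-detection APIs"
        author      = "editor example"
        severity    = "medium"

    strings:
        // Process, driver and DLL names commonly probed by VM-aware samples
        $vm1 = "vmtoolsd.exe"    ascii wide nocase
        $vm2 = "VBoxService.exe" ascii wide nocase
        $vm3 = "vmware"          ascii wide nocase
        $vm4 = "SbieDll.dll"     ascii wide nocase
        $vm5 = "VBoxMouse.sys"   ascii wide nocase

    condition:
        // MZ header at offset 0 and the PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 10MB and
        // at least two distinct VM/sandbox artifacts ...
        2 of ($vm*) and
        // ... plus at least one debugger-detection import
        (
            pe.imports("kernel32.dll", "IsDebuggerPresent") or
            pe.imports("kernel32.dll", "CheckRemoteDebuggerPresent") or
            pe.imports("ntdll.dll", "NtQueryInformationProcess")
        )
}
```

Test the rule locally with the yara command-line tool (for example, yara -s rules.yar sample.exe, where -s prints the matching strings) before importing the text file through the web application. Two consequences of the priority order above are worth keeping in mind when you tune such a rule: a sample that hits the local whitelist, or that McAfee GTI or the anti-malware engines have already convicted, never reaches the Custom YARA Scanner, so a YARA rule cannot override an earlier verdict; and a rule such as this one examines file bytes only, so it does not apply to URL samples.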
Create a VMDK file for Windows 2008 Server (continued)
Step 22: Complete the following:
1 In the Windows Run window, enter gpedit.msc and press Enter.
2 In the Local Group Policy Editor window, select Computer Configuration > Administrative Templates > System, and then double-click Display Shutdown Event Tracker.
[Local Group Policy Editor: System policy list, including Display Shutdown Event Tracker]
3 In the Display Shutdown Event Tracker Properties dialog, select Disabled and click OK.
Step 23: In the VM, turn off the Windows Firewall.
1 Select Start > Control Panel > Windows Firewall > Turn Windows Firewall On or Off.
2 Select
Create a VMDK file for Windows 2008 Server
Step 5: In the Guest Operating System Installation window, select either Installer disc or Installer disc image file (iso), browse and select the ISO image, and then click Next.
[Guest Operating System Installation dialog: Installer disc (DVD RW Drive); Installer disc image file (iso); "Windows Server 2008 x64 detected. This operating system will use Easy Install."; I will install the operating system later]
Step 6: Enter the information in the Easy Install Information window and then click Next.
• Windows product key: Enter the license key of the Windows operating system for which you are creating the VMDK file.
• Version of Windows to install: Select the Standard version.
• Full name: You must enter administrator as the Full name.
• Password: You must enter cr@cker42 as the password. This is the password that Advanced Threat Defense uses to log on to the VM.
• Confirm: Enter cr@cker42 again to confirm.
• Log on automatically (requires a password): Deselect this box.
[Easy Install Information dialog]
121. Creating analyzer VM: Create a VMDK file for Windows 2003 Server (Table 5-3, Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image, continued).
Step 37: In the Virtual Machine Settings window (Hardware tab), select CD/DVD (IDE).
Step 38: In the Use ISO image file field, browse to the ISO file that you used and press OK. Close Windows Explorer if it opens.
Step 39: In the virtualMachineImage VM, select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
Step 40: In the Internet Information Services (IIS) Manager window, expand below Inte
122. ... file which has undergone dynamic analysis. If Advanced Threat Defense detects the file to be low severity, it does not display the dynamic analysis score in the report under Sandbox in the Down Selector's Analysis section. Advanced Threat Defense also does not consider the dynamic analysis score when computing the final score. However, the details of the dynamic analysis, such as files opened and files created, are included in the report. The lowseveritystatus hide command affects only the score displayed in the report and does not affect how the results are displayed in the Analysis Results page.
nslookup: Displays the nslookup query result for a given domain name. You can use this to verify whether McAfee Advanced Threat Defense is able to perform nslookup queries correctly.
Syntax: nslookup <WORD>
Parameter <WORD>: The domain name that you want to query.
Example: nslookup mcafee.com
passwd: Changes the password of the CLI user cliadmin. A password must be between 8 and 25 characters in length and can consist of any alphanumeric character or symbol. You are asked to enter the current password before changing to a new password.
Syntax: passwd
ping: Pings a network host or domain name. You can specify an IPv4 address to ping a network host, or a domain name if you wish to ping by name.
123. Creating analyzer VM: Create a VMDK file for Windows 2008 Server.
Step 7: If the VMware Workstation message displays, click Yes. The message reads: "You have entered a Full Name that may conflict with a built-in account in the guest operating system. If it does conflict, you may be asked for a new Full Name by the installer. Would you like to continue?"
Step 8: Enter the information in the Name the Virtual Machine window and then click Next.
• Virtual Machine name: You must enter virtualMachineImage as the name.
• Location: Browse and select the folder where you want to create the VMDK file. (The default location can be changed at Edit > Preferences.)
124. 3. a. In Adobe Reader, select Edit > Preferences > General and deselect Check for updates. b. In Adobe Reader, select Help > Check for updates > Preferences and deselect Adobe Updates.
Step 43: To analyze JAR files, download and install the Java Runtime Environment.
1. Go to https://community.mcafee.com/docs/DOC-6858.
2. Refer to the Java install
125. ESM[22415]: CPU Alert: CPU Usage 46.0 CPU Threshold 30.0
Sample Memory Utilization log event as displayed in ESM:
Dec 8 13:45:04 ATD-3000 ATD2ESM[2922]: Memory Alert: Memory Usage 46.4 Memory Threshold 30.0
Sample HDD Utilization log events as displayed in ESM:
Dec 8 12:50:02 ATD-3000 ATD2ESM[22415]: Disk Alert: Data Disk Usage 42.7 Disk Usage Threshold 30.0
Dec 8 12:50:02 ATD-3000 ATD2ESM[22415]: Disk Alert: System Disk Usage 02.3 Disk Usage Threshold 30.0
Sample Interface Status log events as displayed in ESM. The interface can be eth0, eth1, eth2 or eth3 depending on the configuration, and the Interface Status shows whether the interface is up or down:
Dec 8 17:20:03 ATD-3000 ATD2ESM[16594]: Link Alert: eth0 Link Down
Dec 8 11:20:03 ATD-3000 ATD2ESM[17009]: Link Alert: eth0 Link Up
Sample User Login/Logout log event as displayed in ESM:
Aug 20 00:33:42 ATD-3000 MATD_LOG[6902]: Action: Successful user login | User: meg | UserID: 9 | Timestamp: 2014-08-20 | Client: 10.213.248.120
Sample Audit Log event as displayed in ESM:
2015-03-26T01:55:02.783269+05:30 MATD2U0XX[243] ATD2ESM[16638]: Type: Audit | MsgId:
126. ... Engine are up to date.
Create the analyzer VMs and the VM profiles. See Creating analyzer VM on page 4.
Create the analyzer profiles that you need. See Managing analyzer profiles on page 239. If you want Advanced Threat Defense to upload the results to an FTP server, configure it and have the details with you before you create the profiles for the corresponding users.
Create the required user profiles. See Add users on page 39.
Log on to the Advanced Threat Defense web application using the credentials of a user you created and upload a sample file for analysis. This is to check whether you have configured Advanced Threat Defense as required. See Upload files for analysis using Advanced Threat Defense web application on page 284.
In the Analysis Status page, monitor the status of the analysis. See Configure the Analysis Status page on page 293.
After the analysis is complete, view the report in the Analysis Results page. See View the analysis results on page 295.
How Advanced Threat Defense analyzes malware
This section explains a typical workflow when Advanced Threat Defense analyzes files for malware. Consider that you have uploaded a file manually using the Advanced Threat Defense web application.
1. Assuming the file format is supported, Advanced Threat Defense unpacks the file and calculates its MD5 hash value. Advanced Threat Defense applies the analyzer profile that you specified during file upload. Based on the configuration in the
127. Creating analyzer VM: Create a VMDK file for Windows 8.
Step 45: Set Adobe Reader 9 as the default application to open PDF files.
1. In the Control Panel icons view, select Default Programs.
2. Select Associate a file type or protocol with a program.
128. In the Network Type window, leave the default selection. (The wizard offers: Use bridged networking; Use network address translation (NAT); Use host-only networking; Do not use a network connection.)
Step 12: In the Select I/O Controller Types window, leave the default selection (LSI Logic).
Creating analyzer VM: Create a VMDK file for Windows XP (Table 5-2, Create a VMDK file from Windows XP SP2 or SP3 ISO image, continued).
Step 13: In the Select a Disk Type page, select IDE and click Next. SCSI disks are not compatible with Advanced Threat Defense. (SATA is not supported on Workstation 9.0.)
Step 14: In the Select a Disk window, s
129. 2. In the Malware Site Proxy area, enter the appropriate information in the respective fields.
Option name: Definition
Enable Proxy: Select to connect Advanced Threat Defense to a proxy server for Internet connectivity.
User Name: Enter the user name that Advanced Threat Defense uses for the proxied Internet connection.
Password: Enter the corresponding password.
Proxy IP Address: Enter the IPv4 address of the proxy server.
Port Number: Enter the port number on which the proxy server is listening for incoming connections.
Copy above settings: Select to replicate the proxy settings made in the GTI HTTP Proxy Settings section.
Test: Click to verify whether Advanced Threat Defense is able to reach the configured HTTP proxy server over the specified port.
Submit: Click to save the proxy settings in the database. Make sure that the test connection is successful before you click Submit.
Configure Syslog Setting
The syslog mechanism transfers the analysis result events over the syslog channel to a Security Information and Event Management (SIEM) system such as McAfee Enterprise Security Manager (McAfee ESM). This is done for all the files analyzed by Advanced Threat Defense. You can configure an external syslog server to which the following information is sent:
• Analysis Results
• Interface Status
130. ... DOWNLOADED THE SOFTWARE PACKAGE. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents
Preface 9
About this guide 9
Audience 9
Conventions 9
Find product documentation 10
1 Malware detection and McAfee Advanced Threat Defense 11
The malware threat scenario 11
The Advanced Threat Defense solution 12
McAfee Advanced Threat Defense deployment options 14
Advanced Threat Defense advantages 17
2 Setting up the Advanced Threat Defense Appliance 19
About Advanced Threat Defense Appliance 19
Functions of an Advanced Threat Defense Appliance 19
Before you install the Advanced Threat Defense Appliance 20
Warnings and cautions 21
Usage restrictions 21
Unpack the shipment
Check your shipment 22
Hardware specifications and environmental requirements 25
Port numbers 26
Setting up Advanced Threa
131. ... Off, and then click OK.
Creating analyzer VM: Create a VMDK file for Windows 2008 Server.
Step 24: Enable the Telnet Server feature.
1. In the virtualMachineImage VM, select Start > Administrative Tools > Server Manager.
2. In the Server Manager window, right-click Features and select Add Features.
3. In the Add Features Wizard, select Telnet Server (not Telnet Client, which is listed separately).
4. Click Next and then Install.
5. Click Close after the installation succeeds.
Note that Telnet is an unencrypted protocol and this VM runs with the Windows Firewall switched off and no antivirus installed, so the analyzer VM should only ever be reachable from the Advanced Threat Defense Appliance.
Step 25: Select Start > Administrative Tools > Services. Then double-click Telnet.
132. ... SCSI controller type would you like to use? (I/O controller types: BusLogic, not available for 64-bit guests; LSI Logic.)
Step 13: In the Select a Disk Type page, select IDE and click Next. SCSI disks are not compatible with Advanced Threat Defense. (SATA is not supported on Workstation 9.0.)
Creating analyzer VM: Create a VMDK file for Windows 8.
Step 14: In the Select a Disk window, select Create a new virtual disk and click Next. (A virtual disk is composed of one or more files on the host file system, which appear as a single hard disk to the guest operating system; virtual disks can easily be copied or moved on the same host or between hosts. The other options, Use an existing virtual disk and Use a physical disk, are not used here.)
Step 15: Specify the details in the Specify Disk Capacity window and then click Next.
• Maximum disk size (GB): For Windows 8 (64-bit and 32-bit), the disk size can be 30 GB; however, you must enter 24 GB for optimal performance.
• Select Allocate all disk space now.
• Select Store virtual disk as a single file.
133. ... ISO image and then click Next.
Creating analyzer VM: Create a VMDK file for Windows 8.
Step 6: Enter the information in the Easy Install Information window and then click Next.
• Windows product key: Enter the license key of the Windows operating system for which you are creating the VMDK file. For a volume license, you can leave it empty. Click Yes if the following message is displayed subsequently: "You did not enter a Windows product key. Windows will install without one but must be manually activated later. Would you like to continue?"
• Full name: Enter administrator as the Full name.
• Password: Enter cr@cker42 as the password. Advanced Threat Defense uses this password to log on to the VM.
• Confirm: Enter cr@cker42 again to confirm.
• Log on automatically (requires a password): Deselect this box.
134. Creating analyzer VM: Create a VMDK file for Windows 2003 Server (Table 5-3, Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image, continued).
Step 55: In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software License Terms and click OK. You must accept the Microsoft Software License Terms.
135. ... The name of the file that you submitted for analysis.
Analyzing malware: View the analysis results. Table 8-5 Column definitions (continued)
Column: Definition
VM Profile: The VM profile used for dynamic analysis. If the file was analyzed only by a static method, that is displayed.
MD5: The MD5 hash value of the file as calculated by Advanced Threat Defense.
Analyzer Profile: The analyzer profile that was referred to for the analysis. If the file was analyzed only by a static method, that is displayed.
User: The log-on name of the user who submitted the file for analysis.
Source IP: The IP of the host that sent the analyzed file. This is relevant only for files automatically submitted by other McAfee products such as Network Security Platform.
Destination IP: The IP of the targeted host. Similar to the source IP, this is not relevant for manually submitted files.
4. Hide the columns that you do not require.
a. Move the mouse over the right corner of a column heading and click the drop-down arrow.
b. Select Columns.
c. Select only the required column names from the list.
You can click a column heading and drag it to the required position.
5. To sort the records based on a particular column, click the column heading. You can sort the records in ascending or descending order. Alternatively, move the mouse over the right c
136. Configuring Advanced Threat Defense for malware analysis: Configure proxy servers for Internet connectivity.
These proxy servers can be configured on Advanced Threat Defense to handle Internet access requests:
• GTI HTTP Proxy: This setting is relevant for those analyzer profiles that have GTI Reputation enabled in their Analyzing Options. Advanced Threat Defense sends a query to a McAfee GTI server to fetch the McAfee GTI score for the suspicious file being analyzed. If the customer network sits behind a proxy, specify the proxy server details here so that the McAfee GTI queries can be sent out.
• Malware Site Proxy: This setting applies when samples being analyzed in analyzer VMs request Internet access. The proxy server specified under Malware Site Proxy handles the request. Because the traffic from an analyzer VM might be malicious, you might want to segregate this traffic from your production network.
Tasks
• Specify Proxy Settings for Global Threat Intelligence traffic on page 255
• Specify Malware Site Proxy Settings for Malware traffic on page 256
Specify Proxy Settings for Global Threat Intelligence traffic
Task
1. Select Manage > Configuration > Proxy Settings. On the Proxy Settings page, the GTI HTTP Proxy section is displayed, with the fields Enable Proxy, User Name, Password, Proxy IP Address and Port Number and the Submit and Test buttons. Figure 6-5 Pro
137. ... Threat Defense sets itself as the primary node for the cluster.
5. In the Node IP address field, enter the management port IP address of a secondary node, select Secondary, and click Add Node.
6. Click Yes to add the secondary node. When you click Yes in the confirmation message box, the primary node saves its configuration in a file and sends this to the secondary node. This file contains those configurations that this document refers to as synchronized configuration. See How the Advanced Threat Defense cluster works on page 323 for information on synchronized configuration. The secondary uses this configuration file to overwrite the corresponding configuration in its database, so make sure that you have taken a backup of the secondary's configuration before you proceed. When you remove the secondary from the cluster, it retains the primary node's configuration.
7. Following a similar procedure, add the other secondary nodes.
8. In the Cluster IP address field, enter the cluster IP address and click Save.
Select Backup from the drop-down and enter the management port IP address of the Backup node in the Node IP address field. Click Add Node. The Backup node is now added.
The details of all nodes in the cluster are displayed in a table. Similar to other tables in the Advanced Threat Defense web application user interface, you can sort the columns as well as hide or display the required columns.
138. Type: PE32 executable (console) x86-64
md5: 6AF5F4E3601156A59F050AAB4FAB5153
sha-1: T1BBBA1H7B39H1E193C6740B61F2A32E30ADDOLA
size: 56832
Timestamp: 2014-12-15
parent archive: Not Available
Engine: Sandbox
MalwareName: Malware Dynamic
Severity: 5
Verdict: Severity 5
Description: Sample is malicious
stats:
ID 0 Category: Persistence, Installation Boot Survival, Severity 5
ID 1 Category: Hiding, Camouflage, Stealthiness, Detection and Removal Protection, Severity 0
ID 2 Category: Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection, Severity 5
ID 3 Category: Spreading, Severity 0
ID 4 Category: Exploiting, Shellcode, Severity 0
ID 5 Category: Networking, Severity 3
ID 6 Category: Data Spying, Sniffing, Keylogging, Ebanking Fraud, Severity 4
Behavior:
Created content under Windows system directory
Deleted AV auto-run registry key
Created a socket bound to a specific service provider and listened on an open port
Installed low-level keyboard hook procedure
Deleted a key from auto-run registry entry
Altered auto-run registry entry that is executed at next Windows boot
Sample CPU Utilization log event as displayed in ESM:
Dec 8 12:50:02 ATD-3000 ATD2
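The sandbox analysis-result event above and the CPU, memory, disk and link alert samples shown earlier (the fragment beginning with the CPU Alert sample) share the same syslog envelope, which is what a SIEM rule has to parse before it can act on them. The following Python script is an added example, not code from the product guide or from McAfee: it parses constructed versions of those events and keeps only the ones that need attention, that is, a resource usage above its configured threshold, a link that went down, or a sandbox severity at or above a chosen minimum. The sample lines, the " | " field separator and key names in the analysis event, the percent signs, and the min_severity default of 3 are all assumptions reconstructed from the guide's garbled samples; check them against a live syslog feed from your appliance before deploying a rule.

```python
"""Parse McAfee ATD syslog events of the kinds the guide samples (resource
alerts, link alerts, sandbox analysis results) and decide which need attention.

Added example, not from the product guide. The exact field separators and
key names below are assumptions reconstructed from the guide's garbled samples.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines modelled on the guide's ESM examples (format assumed).
SAMPLE_ALERTS = """\
Dec  8 12:50:02 ATD-3000 ATD2ESM[22415]: CPU Alert: CPU Usage 46.0% CPU Threshold 30.0%
Dec  8 13:45:04 ATD-3000 ATD2ESM[2922]: Memory Alert: Memory Usage 46.4% Memory Threshold 30.0%
Dec  8 12:50:02 ATD-3000 ATD2ESM[22415]: Disk Alert: Data Disk Usage 42.7% Disk Usage Threshold 30.0%
Dec  8 12:50:02 ATD-3000 ATD2ESM[22415]: Disk Alert: System Disk Usage 12.3% Disk Usage Threshold 30.0%
Dec  8 17:20:03 ATD-3000 ATD2ESM[16594]: Link Alert: eth0 Link Down
Dec  8 17:20:03 ATD-3000 ATD2ESM[17009]: Link Alert: eth1 Link Up
"""

# Constructed analysis-result event; the " | " separator and key names are assumptions.
SAMPLE_RESULT = (
    "Dec 15 11:29:12 ATD-3000 ATD2ESM[22415]: Type: PE32 executable (console) x86-64 | "
    "md5: 6AF5F4E3601156A59F050AAB4FAB5153 | size: 56832 | Engine: Sandbox | "
    "MalwareName: Malware Dynamic | Severity: 5 | Verdict: Sample is malicious | "
    "ID 0 Category: Persistence, Installation Boot Survival Severity: 5 | "
    "ID 1 Category: Hiding, Camouflage, Stealthiness Severity: 0 | "
    "ID 2 Category: Security Solution bypass, Anti Debugging, VM Detection Severity: 5 | "
    "ID 5 Category: Networking Severity: 3 | "
    "ID 6 Category: Data Spying, Sniffing, Keylogging, Ebanking Fraud Severity: 4"
)

# BSD-style syslog header: "Mon DD hh:mm:ss host app[pid]: message"
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RESOURCE_RE = re.compile(
    r"^(?P<res>CPU|Memory|Disk) Alert: (?P<detail>.+?) Usage (?P<usage>\d+(?:\.\d+)?)%"
    r".*?Threshold (?P<thr>\d+(?:\.\d+)?)%"
)
LINK_RE = re.compile(r"^Link Alert: (?P<iface>eth\d) Link (?P<state>Up|Down)$")
CAT_RE = re.compile(r"^ID (?P<id>\d+) Category: (?P<cat>.+?) Severity: (?P<sev>-?\d+)$")


@dataclass
class Event:
    kind: str        # "resource", "link" or "analysis"
    ts: str
    host: str
    fields: dict = field(default_factory=dict)

    def is_actionable(self, min_severity: int = 3) -> bool:
        """Threshold breached, link down, or sandbox severity at/above min_severity."""
        if self.kind == "resource":
            return self.fields["usage"] > self.fields["threshold"]
        if self.kind == "link":
            return self.fields["state"] == "Down"
        return self.fields["severity"] >= min_severity


def parse_event(line: str) -> Optional[Event]:
    """Return a structured Event for one syslog line, or None if unrecognised."""
    m = SYSLOG_HDR.match(line.strip())
    if not m:
        return None
    ts, host, msg = m["ts"], m["host"], m["msg"]
    if rm := RESOURCE_RE.match(msg):
        return Event("resource", ts, host, {
            "resource": rm["res"], "detail": rm["detail"],
            "usage": float(rm["usage"]), "threshold": float(rm["thr"])})
    if lm := LINK_RE.match(msg):
        return Event("link", ts, host, {"iface": lm["iface"], "state": lm["state"]})
    if " | " in msg and "Engine:" in msg:
        kv, categories = {}, {}
        for part in msg.split(" | "):
            if cm := CAT_RE.match(part):
                categories[cm["cat"]] = int(cm["sev"])
            elif ": " in part:
                k, v = part.split(": ", 1)
                kv[k] = v
        return Event("analysis", ts, host, {
            "md5": kv.get("md5", "").lower(),
            "severity": int(kv.get("Severity", "0")),
            "verdict": kv.get("Verdict", ""),
            "categories": categories,
            # Behaviour classes the sandbox actually observed (severity > 0).
            "triggered": sorted(c for c, s in categories.items() if s > 0)})
    return None


def triage(text: str, min_severity: int = 3) -> list:
    """Parse every line and keep only the events that warrant attention."""
    events = (parse_event(line) for line in text.splitlines())
    return [e for e in events if e is not None and e.is_actionable(min_severity)]


if __name__ == "__main__":
    for ev in triage(SAMPLE_ALERTS + SAMPLE_RESULT):
        print(ev.kind, ev.ts, ev.fields)
```

Run as a script it prints the four breached alerts and the severity-5 analysis event and drops the below-threshold disk line and the link-up line. The per-category severities are kept separately from the overall score because the guide's lowseveritystatus hide command shows that the displayed score and the underlying dynamic-analysis details can diverge; a rule keyed on "triggered" categories still fires when the score is suppressed.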
139. Using the Advanced Threat Defense web application, you can:
• Monitor the state and performance of the Advanced Threat Defense Appliance
• Manage Advanced Threat Defense users and their permissions
• Configure Advanced Threat Defense for malware analysis
• Manually upload files to be analyzed
• Monitor the progress of the analysis and subsequently view the results
Contents
McAfee Advanced Threat Defense client requirements
Access the Advanced Threat Defense Appliance web application
McAfee Advanced Threat Defense client requirements
The following are the system requirements for client systems connecting to the Advanced Threat Defense web application:
• Client operating system: Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows 7, and Microsoft Windows 8.0
• Browsers: Internet Explorer 10 and later, Google Chrome 40.0.2214.115 to 46.0.2490.71, and Mozilla Firefox 36.0.4 to 41.0.2
Browser settings for HTML5 support
User interactive mode (XMode) is used for activation of VM images and manual submission of files. This mode works with any browser that supports HTML5 Canvas. You do not need to install Java to use the XMode feature. Google Chrome version 44.0.2403 and higher and Mozilla Firefox version 40.0.3 and higher are supported. Microsoft Internet Explorer is not supported.
Accessing Advanced Threat Defens
140. ... DXL broker. Clients such as a Security Information and Event Management (SIEM) system that subscribe to this topic can fetch analysis reports from the McAfee DXL broker to build a robust security reputation database. Subscribing clients can refer to this database and treat files entering their network according to the analysis report of the files.
Configuring Advanced Threat Defense for malware analysis: Integration with Data Exchange Layer
1. Advanced Threat Defense gets the sample files from different channels, such as Network Security Platform, Web Gateway, and so on, for analysis.
2. The analysis summary is then sent to the McAfee DXL broker for further on-demand distribution to subscribing clients.
The following diagram explains Advanced Threat Defense and McAfee DXL integration. Figure 6-4 Advanced Threat Defense Data Exchange Layer Integration (samples flow in from the submitting products; the Analysis Report for PE files is published to the DXL broker).
If you want your Advanced Threat Defense to have exclusive rights to publish on the Advanced Threat Defense topic, you must install the ATDDXLTagging extension on McAfee ePO. This restricts publishing on the Advanced Threat Defense topic by any other sender.
McAfee DXL integration with McAfee ePO is supported with McAfee ePO 5.1.1 or later.
141. Step 46: Download Sigcheck on to your computer (the native host) from http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx. The VM that you created has the Windows Firewall switched off and no antivirus installed on it. Therefore, it is recommended that you download the programs and components on to the native host first and then copy them to the VM in VMware Workstation.
Step 47: Extract sigcheck.zip to the C:\WINDOWS\system32 location.
Step 48: In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe.
Step 49: If prompted, click Run in the warning message.
Creating analyzer VM: Create a VMDK file for Windows XP (Table 5-2, Create a VMDK file from Windows XP SP2 or SP3 ISO image, continued).
Step 50: Click Agree for the Sigcheck License Agreement. Af
142. ... abled. See set fips on page 363 for instructions on how to enable FIPS mode. While in CC mode, FIPS mode must be enabled.
6. Make sure http redirect is enabled. See the http_redirect command on page 353 for instructions on how to enable it. While in CC mode, http redirect mode must be enabled.
7. Go to Manage > Configuration > Common Criteria, select Enable Common Criteria Mode, and click Submit.
The audit function starts as Advanced Threat Defense boots up and stops with Advanced Threat Defense shutdown. The function restarts in the following two scenarios:
• Change in Syslog certificate
• Manual change in Date and Time information
In Common Criteria (CC) mode, SSH access stops working and all open SSH sessions are destroyed. Console access through the console port or VGA port is available irrespective of CC or non-CC mode. SSH access is allowed in non-CC mode and can be managed remotely.
On enabling CC mode, the load balancing feature is disabled; hence load balancing related configurations cannot be seen in the Advanced Threat Defense user interface.
A CC-enabled Advanced Threat Defense can only be integrated with a CC-enabled NSP build.
Update content on Advanced Threat Defense
You use the Advanced Threat Defense web application to upl
143. ... administrative actions (for example configuration change, session establishment, session termination, and so on) are performed. These log entries are displayed in a tabular form. You can use this information for troubleshooting purposes.
• After you click Submit in the Syslog Setting page, select Manage > Logs > Audit Log to view the log entries. A maximum of 1000 events are displayed in the Advanced Threat Defense user interface, with the latest events at the top. More events are available in the configured syslog server. You cannot print or export the log entries.
Configure DNS setting
When being executed, some files might send DNS queries to resolve names. Mostly, such queries are an attempt by malware to determine whether it is being run in a sandbox environment. If the DNS query fails, the file might take an alternate path. When Advanced Threat Defense dynamically analyzes such a file, you might want to provide a proxy DNS service in order to bring out the actual behavior of the file.
Task
1. Select Manage > Configuration > DNS Setting. The DNS Setting page is displayed.
2. Enter the appropriate information in the respective fields.
Option name: Definition
Domain: Enter the Active Directory domain name, for example McAfee.com.
Preferred DNS Server: Enter the IPv4 address of the primary DNS
144. ... ailures
• Count of the number of static analysis responses sent
• Count of the number of dynamic analysis responses sent
• Count of scan requests received
• MD5 of the last file that was streamed by the Sensor
show route
This command shows the routes that you configured using the route add command, as well as the system IP routing table.
Syntax: show route
The details from a sample output of the command are in the following table.
CLI commands for McAfee Advanced Threat Defense: List of CLI commands
Table 10-2 System IP routing table
Destination   Gateway       Genmask        Flags  Metric  Ref  Use  Iface
10.10.10.0    0.0.0.0       255.255.255.0  U      0       0    0    mgmt
11.11.11.0    0.0.0.0       255.255.255.0  U      0       0    0    mgmt
12.12.0.0     0.0.0.0       255.255.0.0    U      0       0    0    mgmt
13.0.0.0      0.0.0.0       255.0.0.0      U      0       0    0    mgmt
0.0.0.0       10.10.10.253  0.0.0.0        UG     0       0    0    mgmt
show stixreportstatus
This command shows the current status of STIX reporting. It has no parameters.
Syntax: show stixreportstatus
Sample output: STIX reporting is OFF
show tcpdump
Use this command to display the current status of the packet capture functionality. The maximum file size for the capture is 10 MB. This command has no parameters.
Syntax: show tcpdump
Sample output: TCPdump is not running
show ui timeout
Displays the McAfee Advanced Threat Defense web application client timeout in seconds.
Syntax: sho
145. ...al server. To do so, you must configure the Advanced Threat Defense Appliance with the required network information.

Task
1. Plug a console cable (RJ45 to DB9 serial) to the console port (RJ45 serial A port) at the back panel of the Advanced Threat Defense Appliance.
Figure 2-15 Connect the console port (laptop or terminal connected to the console port)
2. Connect the other end of the cable directly to the COM port of the computer, or to the port of the terminal server you are using to configure the Advanced Threat Defense Appliance.
3. Run HyperTerminal from a Microsoft Windows based computer with the following settings:
Name | Setting
Baud rate | 115200
Number of Bits | 8
Parity | None
Stop Bits | 1
Control Flow | None
4. At the logon prompt, log on to the Advanced Threat Defense Appliance using the default user name cliadmin and password atdadmin.
You can type help or ? to access instructions on using the built-in command syntax. For a list of all commands, type list.
5. At the command prompt, type set appliance name <Name> to set the name of the Advanced Threat Defense Appliance.
You need to type the values between the < > characters, excluding the < > characters themselves.
Example: set appliance name matd-appliance-1
The Advanced...
146. ...all open it for you. Open: rundll32 netplwiz.dll,UsersRunDll
Step 43: In the User Accounts window, deselect Users must enter a user name and password to use this computer and click Apply.
(Screenshot: User Accounts dialog, Users tab, showing the Administrator account in the Administrators group.)

Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 44: In the Automatically Log On pop-up window, complete the following and then press OK in the message boxes:
- Username: Enter Administrator
- Password: Enter cr cker42
- Confirm Password: Enter cr cker42
(Screenshot: Automatically Log On dialog with User name, Password, and Confirm Password fields.)
Step 45: Download Sigcheck on to your computer (the native host) from ht...
147. ...alware analysis monitors 313
VM Creation Status monitor 316
Advanced Threat Defense performance monitors 317
9 Clustering McAfee Advanced Threat Defense Appliances 319
Understanding Advanced Threat Defense cluster 319
Pre-requisites and considerations 320
Network connections for an Advanced Threat Defense cluster
How the Advanced Threat Defense cluster works 323
How to destroy Advanced Threat Defense cluster 326
Process flow for Network Security Platform 328
Process flow for McAfee Web Gateway 329
Configuring an Advanced Threat Defense cluster high-level steps 330
Create the McAfee Advanced Threat Defense cluster 331
Monitor the status of an Advanced Threat Defense cluster 335
Submitting samples to an Advanced Threat Defense cluster 340
Monitor analysis status for an Advanced Threat Defense cluster 340
Monitor analysis results for an Advanced Threat Defense cluster 341
Modifying configurations for an Advanced Threat Defense cluster 341
148. ...alysis. Custom YARA Rule: Description that you entered as metadata in the rule.
Figure 7-5 Custom Behavioral Rules name and description in the reports
c. Enter a severity value for the behavior described by the YARA rule. The severity value must be an integer from 1 to 5, with 5 indicating the most malicious behavior. Severity values are irrelevant for helper rules.
5. From the Analysis | Analysis Results page, open the user API log report of the sample which you plan to use as a reference to create the Custom Behavioral Rules.
Figure 7-6 User API log as a reference for custom YARA rules (Analysis Results page listing the Analysis Summary HTML, Analysis Summary PDF, Dropped Files, Disassembly Results, Logic Path Graph, User API Log and Complete Results reports)
6. Enter the strings and conditions according to YARA syntax.
(Screenshot: a user API log excerpt showing CreateDirectoryA, RemoveDirectoryA, GetProcAddress and RegCreateKeyA calls, followed by a custom rule whose meta section carries Classification and Description fields.)
149. ...alysis Report. If the malware severity is 3 or above, then it contains OpenIOC and STIX formats as well. You can identify these files by the malware file name. The malware file name is appended to _summary.html, _summary.json, _summary.txt, _summary.xml, _summary.ioc, and _summary.stix.xml.

The various sections of the HTML format of the Analysis Summary report are outlined here.
Figure 8-9 Threat Analysis Report

Table 8-7 Threat Analysis report sections
Item | Description
1 Summary | This section displays the details of the sample file. This includes the name, hash values (SHA-1 Hash identifier), file size in bytes, and so on.
2 Engine Analysis section | This section provides the results from the analyzing methods used for the file. This section also displays the overall severity level for the file.
3 Behavior classification | This section provides the severity scores for various characteristics of a typical malware.

Table 8-7 Threat Analysis report sections (continued)
Item | Description
4 Dynamic Analysis section | This section displays the percentage of the file code that was executed. For example, the file might have taken an alternative path during execution, due to which some p...
150. ...ame root. Content Directory: Physical path.
6. For Bindings and SSL Settings, select No SSL. For all other fields, leave the default values and click Next.
(Screenshot: Binding and SSL Settings page of the Add FTP Site wizard.)
7. For Authentication and Authorization Information, complete the following:
a. Select Basic.
b. For Allow access to, select All Users.
c. For Permissions, select both Read and Write, and then click Finish.
d. Close the Internet Information Services (IIS) Manager.
(Screenshot: Authentication and Authorization Information page with Basic authentication, Allow access to All users, and Read and Write permissions selected.)
Step 30: Turn off automatic updating for Windows.
1. Press the Windows key and X simultaneously and then select Control Panel | Windows Update | Change.
2. Select Never check for updates (not recommended) and click OK.
(Screenshot: Windows Update settings page.)
151. ...ameter | Description
<A.B.C.D E.F.G.H> | indicates an IPv4 address followed by a netmask. The netmask strips the host ID from the IP address, leaving only the network ID. Each netmask consists of binary ones (decimal 255) to mask the network ID and binary zeroes (decimal 0) to retain the host ID of the IP address. For example, the default netmask setting for a Class C address is 255.255.255.0.
Example: set appliance ip 192.34.2.8 255.255.0.0

set appliance name
Sets the name of the McAfee Advanced Threat Defense Appliance. This name is used to identify the McAfee Advanced Threat Defense Appliance if you integrate it with Network Security Platform.
Syntax: set appliance name <WORD>
Parameter | Description
<WORD> | indicates a case-sensitive character string up to 25 characters. The string can include hyphens, underscores, and periods, and must begin with a letter.
Example: set appliance name SanJose-MATD1

set stixreportstatus
Use this command to enable or disable the STIX report generation. This command has no parameters.
Syntax: set stixreportstatus <enable> | <disable>
By default, stixreportstatus is disabled.
Example: set stixreportstatus <enable>
See also show stixreportstatus on page 372.

set tcpdump
Use this command to set the packet capture functionality.
Syntax: set tcpdump
set tcpdump <start> <port options separated by underscore>...
152. ...an either manually specify the date and time or configure Network Time Protocol (NTP) servers as the time source for Advanced Threat Defense. If you specify NTP servers, you can configure up to 3 Network Time Protocol (NTP) servers. In this case, Advanced Threat Defense acts as an NTP client and synchronizes with the highest-priority NTP server that is available.
- By default, synchronization with NTP servers is enabled in Advanced Threat Defense. Also, pool.ntp.org is configured as the default NTP server. The default time zone is Pacific Standard Time (UTC-8).
- When you upgrade from a previous version without selecting the Reset Database option, the date and time settings from the previously installed version are preserved. If you upgrade with the Reset Database option selected, the default date and time settings as described above are set.
- At any point in time, there must be at least one valid NTP server specified in the Date and Time Settings page of Advanced Threat Defense. You can add, edit, or delete the list of NTP servers specified in Advanced Threat Defense.
- Based on the access available to Advanced Threat Defense, you can specify public NTP servers or the ones locally on your network.
- You can specify the domain name or the IPv4 address of NTP servers. If you specify the domain names, t...
153. ...anagement port IP address of the node.
Model | The Advanced Threat Defense appliance model type. It could be either ATD-3000 or ATD-6000.
Role | Indicates if a node is a primary, a secondary, or a backup node. It also indicates which node is currently behaving as the Active node.

Table 9-1 Option definitions (continued)
Option | Definition
Config Version | When you save any of the synchronized configuration, the primary node sends its configuration file to the secondary nodes and also versions this configuration file for reference. For each node, the version number of its latest configuration file is displayed. If the version number of a secondary node does not match with that of the primary, it indicates a possible difference in how the secondary node is configured. So, the status color for that secondary node turns to amber. The reason is also mentioned in the State column. Also, the primary node automatically pushes its configuration file to that node. This ensures that all nodes are configured similarly concerning the synchronized configuration.
S/W Version | Indicates the Advanced Threat Defense software version of the nodes. The complete software version must exactly match for all nodes. If not, the status turns to amber for the corr...
154. ...analyzer profile, it determines the modules to use for static analysis and checks the file against those modules.
4. If the file is found to be malicious during static analysis, Advanced Threat Defense stops further analysis and generates the required reports. This, however, depends on how you have configured the corresponding analyzer profile.
5. If the static analysis does not report any malware, or if you had configured Advanced Threat Defense to perform dynamic analysis regardless of the results from static analysis, Advanced Threat Defense initiates dynamic analysis for the file.
6. It executes the file in the corresponding analyzer VMs and records every behavior. The analyzer VM is determined based on the VM profile in the analyzer profile.
7. If the file is fully executed, or if the maximum execution period expires, Advanced Threat Defense prepares the required reports.
8. After dynamic analysis is complete, it sets the analyzer VMs to their baseline version so that they can be used for the next file in the queue.

Internet access to sample files
When being dynamically analyzed, a sample might access a resource on the Internet. For example, the sample might attempt to download additional malicious code or attempt to upload information that it collected from the host machine. In thi...
155. ...ap file | 5120 | 1000000
10 | Microsoft DOS executable file with .com extension | 1024 | 5000000
11 | Flash file with .swf extension | 1024 | 5000000
12 | 7-zip compressed archive file with .7z extension | 200 | 10000000
13 | RAR compressed archive file with .rar extension | 200 | 10000000
14 | Microsoft cabinet compressed archive file with .cab and .msi extension | 200 | 10000000
15 | Miscellaneous text or script files (for example .js, .bat, .vbs, .xml, .py, .url, .htm, etc.) | 100 | 1000000

For example, if you want to change the minimum file size of a JPEG image file to 300 bytes, then the command set filesizes 7 300 1000000 0 changes the minimum file size of the JPEG image file to 300 bytes.
In case the file size specified by you is beyond the minimum or maximum value listed in the above table, the following error message is displayed: The <max>/<min> file size value <numeric value specified> is invalid

set fips
Enable or disable FIPS mode. This command has no parameters. Restart the McAfee Advanced Threat Defense Appliance when you enable or disable FIPS mode.
Syntax: set fips <enable> | <disable>

set ftp
When you upload files for analysis using an FTP client, or when you import a VMDK file into McAfee Advanced Threat Defense to create an analyzer VM, you use SFTP, since FTP is not supported by default. However, if you...
156. (Screenshot: Windows Security Center, Manage security settings for Firewall, Automatic Updates and Internet Options.)
Step 24: In the virtualMachineImage VM, click Start and right-click My Computer. Then select Manage | Services and Applications | Services. Then double-click Telnet.
(Screenshot: Computer Management console showing the Services list.)

Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step | Details
Step 25: In the Telnet Properties (Local Computer) window, you must select Automatic from the Startup type drop-down list. Then select Apply | Start | OK.
(Screenshot: Telnet Properties (Local Computer) dialog, General tab.)
157. ...apter provides the steps for creating an analyzer VM and the VM profile.
Any security software or low-level utility tool on an analyzer VM might interfere with the dynamic analysis of the sample file. The sample file execution might itself be terminated during dynamic analysis. As a result, the reports might not capture the full behavior of the sample file. If you need to find out the complete behavior of a sample file, do not patch the operating system of the analyzer VM or install any security software on it. If you need to find out the effect of the sample file specific to your network, use your Common Operating Environment (COE) image with the regular security software to create the analyzer VMs.
The high-level steps for creating an analyzer VM and the VM profile are as follows:
1. Create an ISO image of the corresponding operating system. You must also have the license key for that operating system. For example, to create a Windows 7 analyzer VM, you must have an ISO image of Windows 7 and the license key. Only the following operating systems are supported to create the analyzer VMs:
- Microsoft Windows XP 32-bit Service Pack 2
- Microsoft Windows XP 32-bit Service Pack 3
- Microsoft Windows Server 2003 32-bit Service Pack 1
- Microsoft Windows Server 2003 32-bit Service Pack 2
- Microsoft Windows Server 2008 R2 Service Pack 1
- Microsoft Windows 7 32-bit Service Pack 1
- Microsoft Windows 7 64-bit Service Pack 1
- Microsoft Windo...
158. Figure 8-10 Analysis Environment section (shows the analyzer VM description, Microsoft Office version, PDF Reader version, sample submission time, time taken, original name and the Baitexe status, for example "Baitexe activated but not infected")
- The time when the sample was submitted, as per the Advanced Threat Defense Appliance's clock.
- The time taken to analyze the file and generate the reports.
- On the right-hand side, a table provides the properties of the file. This includes information such as:
  - Signed or unsigned, for the digital signature of the file
  - Publisher's name, if available
  - Version details
  - Original name of the file, so that you can search other sources such as the web
  - Baitexe process infected or not. At the end of each analysis, Advanced Threat Defense creates an additional bait process called Baitexe. This Baitexe program continuously calls only two APIs, beep and sleep. If this Baitexe process is infected by the previously executed sample, the behavior of Baitexe is different. In this case, the message "Baitexe activated and infected" is displayed. If the Baitexe process is not infected at all, the message "Baitexe activated but not infected" is displayed.

Behavior classification section
This is a section in...
159. ...art of the code was not executed at all. This section also provides a brief executive behavior summary with the corresponding severity levels:
- (icon) indicates a very low severity behavior
- (icon) indicates a low severity behavior
- (icon) indicates a medium severity behavior
- (icon) indicates a high severity behavior
- (icon) indicates a very high severity behavior
5 Processes analyzed in this sample | This section lists all the files that were executed when dynamically analyzing the sample file. It also provides the reason how each file got to be executed, along with their severity score. The Reason column indicates which other file or process created or opened this file. If there is only one file in the sample, the reason displayed is "loaded by MATD Analyzer". If the sample file is a zip file containing multiple files, or if a file opens other files, the reason for the first file is "created by <file name> & loaded by MATD Analyzer". For the subsequent files, the Reason column indicates all the files/processes that created it and all the files/processes that opened it. The Severity column indicates the severity level based on dynamic analysis for each file:
- (icon) indicates a severity score of 0 and a threat level of informational. This is the severity for white-listed files.
- (icon) indicates a severity score of 1 and a threat level of very low.
- (icon) indicates a severity score of 2 and a threat level of low.
- (icon) indicates a severi...
160. ...ary nodes. The secondary nodes save these settings in their database and use these settings later. This configuration file is assigned a version number. This version number is the Config Version listed in the Load Balancing Cluster Setting page. The primary node sends the configuration file over a secure communication channel to the secondary nodes. You can check the State column in the Load Balancing Cluster Setting page to verify if the configuration file was successfully applied on a secondary node. Alternatively, you can click Sync All Nodes in the Load Balancing Cluster Setting page for the primary node to send the configuration file to all available nodes. If a secondary node is down, it is indicated in the State column.
When the primary node synchronizes configuration for the cluster, it sends the complete synchronized data to all available nodes in the cluster. That is, you cannot selectively synchronize secondary nodes. Neither can you select the configurations that you want sent to the secondary nodes. However, the configuration synchronization process does not affect the load balancing or file analysis processes of an Advanced Threat Defense Appliance.

Unsynchronized configuration
The following are the settings that fall under this category:
- McAfee Advanced Threat Defense software version
- Creating analyzer VM on page 4
- Managing VM profiles on page 222
- DAT and engine versions of McAfee Anti-Malware Engine
- DAT and engine...
161. ...ase. If there is no matching record, the primary node checks the secondary nodes where the file is being analyzed or is in the queue. Then the primary node sends the task details back to Web Gateway without analyzing the corresponding file again.

Configuring an Advanced Threat Defense cluster high-level steps
Follow these high-level steps to configure an Advanced Threat Defense cluster:
1. Identify the Advanced Threat Defense Appliances that you want to use to create the cluster. You can add additional secondary nodes to a working Advanced Threat Defense cluster. Make sure that the Advanced Threat Defense Appliances meet the requirements as discussed in Pre-requisites and considerations on page 320.
2. Identify an unassigned IP address which is in the same L2 network as the Primary node and Backup node. This IP address is assigned to the cluster.
3. Out of the Advanced Threat Defense Appliances, identify the one that you plan to use as the primary node. All other Advanced Threat Defense Appliances are secondary nodes. Once you define the cluster, you cannot change the primary node without redefining the cluster itself. Similarly, once a Backup node is added, it cannot be changed unless it is removed from the cluster.
Factor in the following when you decide on the prima...
162. ...atchdog <off> | Disables the watchdog. Use it if the Appliance reboots continuously due to repeated system failure.
<status> | Displays the status of the watchdog process.

set malware intfport mgmt
By default, Internet access to analyzer VMs is through the McAfee Advanced Threat Defense's management port (eth-0). Use this command if you had configured a different port for routing Internet traffic and want to revert to the management port.
Syntax: set malware intfport mgmt
Run show intfport mgmt and verify the Malware Interface Port and Malware Gateway entries. McAfee Advanced Threat Defense uses the management port to provide Internet access to analyzer VMs. See Internet access to sample files on page 236.

whitelist
Use the following commands to manage the whitelist of McAfee Advanced Threat Defense.
Syntax:
- To add an MD5 to the whitelist, use whitelist add <md5>. Example: whitelist add 254A40A56A6E68636E1465AF7C42B71F
- To delete an MD5 from the whitelist, use whitelist delete <md5>. Example: whitelist delete 254A40A56A6E28836E1465AF7C42B71F
- To check if an MD5 is present in the whitelist, use whitelist query <md5>. Example: whitelist query 254A40A56A6E28636E1465AF7C42B71F
- To check the status (if checking the whitelist status is currently enabled), use...
163. ...ated drawbacks. Android is currently one of the top targets for malware developers. With this integration, the Android-based handheld devices on your network are also protected. You can dynamically analyze the files downloaded by your Android devices, such as smartphones and tablets.
Files are concurrently analyzed by various engines. So it is possible for known malware to be blocked in almost real time.
When Advanced Threat Defense dynamically analyzes a file, it selects the analyzer virtual machine that uses the same operating system and other applications as that of the target host. This is achieved through its integration with McAfee ePO or through the passive device profiling feature of Network Security Platform. This enables you to identify the exact impact on a targeted host so that you can take the required remedial measures. This also means that Advanced Threat Defense executes the file only in the required virtual machine, reserving its resources for other files.
Consider that a host downloaded a zero-day malware, but a Sensor that detected this file download submitted it to Advanced Threat Defense. After a dynamic analysis, Advanced Threat Defense determines the file to be malicious. Based on how you have configured the Advanced Malware policy, it is possible for the Manager to add this malware to the blacklist of all the Sensors in your organization's network. This file also might be on the blacklist of Advanced Threat Defense. Thus the chances of...
164. ...ated products need to be configured with the cluster IP address.

Pre-requisites and considerations
As mentioned earlier, clustering Advanced Threat Defense Appliances serves to load balance the files and provides high availability of secondary nodes. If the Primary node is down for some reason, the Backup node takes over the responsibilities of the Primary node and becomes active, taking the cluster IP address from the Primary node. After revival, the Primary node waits as backup till the time the Backup node goes down. At any point of time, the Backup node also receives and analyzes the samples like any other node.
Pre-requisites and considerations:
- There can be a maximum of 10 nodes in a cluster, including the primary node.
- You must use the eth-0 interfaces (management ports) of the Advanced Threat Defense Appliances for cluster communication. Also, for best performance, the eth-0 interfaces of all nodes must be in the same layer 2 of the OSI reference model. To locate the eth-0 interfaces in your Appliance, see Check your shipment on page 22.
- The nodes must be homogeneous regarding the following:
  - Advanced Threat Defense software version: The software versions of all nodes must exactly match.
  - Analyzer VMs: All nodes must have the same analyzer VMs. Before you configure the cluster, make sure the VM profiles are exactly the...
165. (Screenshot: Automatic Updates tab of System Properties, with the options Automatic (recommended), Download updates for me but let me choose when to install them, Notify me but don't automatically download or install them, and Turn off Automatic Updates.)
3. Click Apply and then OK.
Step 52: To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2003 on the virtual machine if
(Screenshot: Microsoft Office XP Setup, application selection page listing Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Outlook, Microsoft Access and Microsoft FrontPage.)
166. ...ation guidance.docx
Step 44: Open Java in Control Panel.
(Screenshot: Control Panel home showing Programs, System and Security, Network and Internet, Hardware and Sound, User Accounts, Appearance and Personalization, Clock, Language, and Region, Ease of Access, and the Java (32-bit) item.)
Step 45: In the Update tab, deselect Check for Updates Automatically.
(Screenshot: Java Control Panel, Update tab.)
Step 46: In the Java Update Warning dialog, select Do Not Check and then click OK in the Java Control Panel.
(Screenshot: Java Update Warning dialog with the Check Monthly and Do Not Check buttons.)
Step 47: In the Windows Run dialog, enter msconfig...
167. ...b of the Internet Options and locate Security.
4. Select Allow active content to run in files on My Computer.

Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step | Details
(Screenshot: Internet Options, Advanced tab, Security settings list including Allow active content from CDs to run on My Computer, Allow active content to run in files on My Computer, Use SSL 2.0, Use SSL 3.0, and Use TLS 1.0.)
5. Click OK.
Step 69: To dynamically analyze Flash files (SWF), install the required version of Adobe Flash:
1. Go to https://community.mcafee.com/docs/DOC-6859
2. Refer to Adobe flash player installation guidance.docx
Step 70: Shut down virtualMachineImage by selecting Start | Shut down.
Step 71: Go to the location that you...
168. ...bles from the Advanced Threat Defense Appliance to the rack.

Task
1. At the front of the rack, position the right or the left mounting rail on the corresponding side so that its mounting bracket aligns with the required rack holes. Ensure that you follow the safety warnings. When identifying where you want the Advanced Threat Defense Appliance to go in the rack, remember that you should always load the rack from the bottom up. If you are installing multiple Advanced Threat Defense Appliances, start with the lowest available position first.
Figure 2-8 Slide rail installation
2. At the back of the rack, pull the back mounting bracket, extending the mounting rail so that it aligns with the required rack holes. Ensure that the mounting rails are at the same level on each side of the rack.
Figure 2-9 Install rail to rack
3. Clip the rail to the rack and secure it.
4. Repeat these steps to secure the second mounting rail to the rack.
5. Slide both the rails to their full extent.
Figure 2-10 Full extend slide
6. With help from another person, lift the Advanced Threat Defense Appliance and install the chassis to the rail simultaneously on b...
169. host-only networking: Connect the guest operating system to a private virtual network on the host. Do not use a network connection. [Screenshot: Network Type dialog.] 5 Creating analyzer VM: Create a VMDK file for Windows 7. Step / Details. Step 12: In the Select I/O Controller Types window, leave the default selection. [Screenshot: New Virtual Machine Wizard, Select I/O Controller Types; SCSI Controller: BusLogic (not available for 64-bit guests), LSI Logic (recommended), LSI Logic SAS.] Step 13: In the Select a Disk Type page, select IDE and click Next. SCSI disks are not compatible with McAfee Advanced Threat Defense. [Screenshot: New Virtual Machine Wizard, Select a Disk Type; IDE, SCSI, SATA (not supported on Workstation 9.0).] Step 14: In the Select a Disk window, select Create a new virtual disk and click Next. [Screenshot: New Virtual Machine Wizard, Select a Disk; Create a new virtual disk: a virtual disk is composed of one or more files on the host file system, which will appear as a single hard disk.]
170. bove, including custom YARA rules. [Screenshot: analysis summary showing Down Selector(s), Analysis Engine (GTI File Reputation, Gateway Anti-Malware, Anti-Malware, Custom Yara, Sandbox), Final Threat Name and Severity; this sample is malicious, final severity level 4.] Figure 7-2 Final score influenced by custom YARA rule score. Considerations: • Advanced Threat Defense supports custom YARA rules only from Advanced Threat Defense release 3.2.0. • Advanced Threat Defense 3.2.0 supports YARA version 1.0 only. So, all YARA features documented in the YARA User's Manual for version 1.0 are supported. • Advanced Threat Defense 3.4.8 supports YARA version 3.0. 7 Update content on Advanced Threat Defense: Defining Custom Behavioral Rules. • In an Advanced Threat Defense cluster setup, each node maintains its set of Custom Behavioral Rules separately. That is, the custom YARA rules that you define in the primary node are not sent to the secondary nodes automatically. • There is no limit on the number of rules that you can include in your Custom Behavioral Rules file. Neither is there a limit on the size of this file. However, the number of rules and their complexity might affect the performance of Advanced Threat Defense. Create the Custom Behavioral Rules file. Before you begin: • You are familiar with all features of Custom Behavioral Rules that Advanced Threat Defense currently supports. • You have identifi
171. c Analysis / Dynamic Analysis (column headings). 32-bit Portable Executables (PE files): static exe, dll, scr, ocx, sys, com, cpl; dynamic exe, dll, scr, ocx, sys, com, cpl. 64-bit PE files. Microsoft Office Suite documents: static doc, docx, xls, xlsx, ppt, pptx, rtf; dynamic doc, docx, xls, xlsx, ppt, pptx, rtf. Adobe: static PDF files, Adobe Flash files (SWF); dynamic PDF files, Adobe Flash files (SWF). Compressed files: static cab, 7z, zip, rar, msi; dynamic zip, cab, 7z, msi. Android application package: static apk; dynamic apk. Java: static Java Archives (JAR, CLASS), JavaScript, Java bin files; dynamic Java Archives (JAR, CLASS), JavaScript, Java bin files. Image files: static jpeg, png, gif; dynamic not supported. Other file types: static cmd, bat, vbs, xml, url, htm; dynamic cmd, bat, vbs, xml, url, htm. Upload files for analysis using Advanced Threat Defense web application. Before you begin: Make sure that the required analyzer profile is available. When you use the Advanced Threat Defense web application to submit a file for analysis, you must select an analyzer profile. This analyzer profile overrides the default analyzer profile associated with your user account. Task: 1. Select Analysis | Manual Upload. 2. On the Manual Upload page, specify the details as per your requirement. 8 Analyzing malware: Analyze files. Table 8-2 Option definitions. Option: File. Definition: Either drag and drop the malware file from Windows Explorer or c
172. cAfee Advanced Threat Defense uses the configured port to provide Internet access to analyzer VMs. See Internet access to sample files on page 236. set mgmtport auto: Configures the network port to auto-negotiate the connection between the McAfee Advanced Threat Defense Appliance and the immediate network device. This command has no parameters. Syntax: set mgmtport auto. Default value: By default, the network port is set to auto (auto-negotiate). set mgmtport speed and duplex: Configures the network port to match the speed of the network device connecting to the McAfee Advanced Threat Defense Appliance and to run in full or half duplex mode. Syntax: set mgmtport <speed <10|100> duplex <full|half>>. Parameters: <10|100> sets the speed on the Ethernet network port. The speed value can be either 10 or 100 Mbps. To set the speed to 1000 Mbps, use the set mgmtport auto command. <half|full> sets the duplex setting on the Ethernet network port. Set the value half for half duplex and full for full duplex. Default value: By default, the network port is set to auto (auto-negotiate). 10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands. set pdflinks: Use this command to enable or disable the validation operation performed by GTI on links embedded inside PDFs during dynamic analysis. Syntax: set
173. ce network access card ports and connectors as described in this document. Make sure you have the following information available when you configure the Advanced Threat Defense Appliance: • IPv4 address that you want to assign to the Appliance • Network mask • Default gateway address. 2 Setting up the Advanced Threat Defense Appliance: Before you install the Advanced Threat Defense Appliance. Warnings and cautions: Read and follow these safety warnings when you install the Advanced Threat Defense Appliance. Failure to observe these safety warnings could result in serious physical injury. Advanced Threat Defense Appliance power on/off: the push-button on/off power switch on the front panel of the Advanced Threat Defense Appliance does not turn off the AC power. To remove AC power from the Advanced Threat Defense Appliance, you must unplug the AC power cord from either the power supply or the wall outlet for both the power supplies. The power supplies in your system might produce high voltages and energy hazards, which can cause bodily harm. Only trained service technicians are authorized to remove the covers and access any of the components inside the system. Hazardous conditions, devices and cables: Hazardous electrical conditions might be present on power, telephone and communication cables. Turn off the Advanced Threat Defense Appliance and disconnect telecommunications system
174. ced Threat Defense is not part of a cluster. Syntax: lbstats. For the details, see Monitor the status of an Advanced Threat Defense cluster on page 335. list: Lists all the CLI commands available to users. Syntax: list. This command has no parameters. 10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands. lowseveritystatus: Advanced Threat Defense treats severity 1 and 2 samples as low severity, and severity 3, 4 and 5 as malicious. By default, if you configure dynamic analysis, the dynamic analysis score is displayed in the Summary report for all samples. This score also affects the final score for that sample. If necessary, you can use the lowseveritystatus command to alter this behavior. For example, for low severity samples that are dynamically analyzed, Advanced Threat Defense does not display the dynamic analysis score in the summary report, nor consider this score for computing the final score. The lowseveritystatus command applies only to non-PE samples such as Microsoft Word documents and PDF files. Syntax: lowseveritystatus <show | hide>. Example: lowseveritystatus hide. Parameters: show: This is the default behavior. If a sample is dynamically analyzed, Advanced Threat Defense displays the dynamic analysis score in the report. It also considers this score to compute the final score. hide: Assume that the sample is a non-P
175. changes itself to standalone state, and Active Primary removes the entry of the node from the cluster. In case of the target node being down at the time of removal, the entry of the target node is removed from the cluster by Active Primary, but once that node comes up, the administrator needs to log in to the removed node and do a manual cluster withdraw in the Load Balancing page of Advanced Threat Defense; the role of the removed node is then changed to standalone. • Withdraw from Cluster at Secondary/Backup Node: This option is active for all the secondary/backup nodes, to withdraw that particular node from Load Balancing. After withdrawal, the entry of the removed node is not deleted from the primary node. The administrator needs to log in to the primary node and remove that node manually. Please note this node comes to the Down (Heartbeat not received) state in the primary only after the Heart Beat (HB) timeout, and remains as it is until removed, as it has been withdrawn from the secondary. • CLI command cluster withdraw: This command is used to destroy the cluster using the CLI command prompt. It is permitted to run at all nodes (Primary, Backup, Secondary). It wipes out all cluster-related configurations from that node and makes it a standalone box. This command can be used in scenarios where the normal means of removing a node (Remove Node, Withdraw From Cluster) does not remove that node from the cluster. See also cluster withdraw on page 349. Methods for configuring a node to serve as backup
176. ck. To back up immediately, you can use the show command on the Advanced Threat Defense CLI to know the current time on Advanced Threat Defense. Then, with Daily as the backup frequency, you can specify a time accordingly to back up immediately. • Weekly: Select to back up once a week. • Day of the week: Select the day when you want to back up. • Time: Specify the time of the backup on the selected day. • Monthly: Select to back up once a month. • Day of Month: Select the date when you want to back up. For example, if you select 5, Advanced Threat Defense backs up the database on the fifth of every month. You can only specify a date up to 28. This avoids invalid dates such as February 30. • Time: Specify the time of the backup on the selected date. Last Backup: Time stamp of the last successful backup. Remote IP: The IPv4 address of the FTP server. Protocol: Select if you want Advanced Threat Defense to use FTP or SFTP to transfer the backup file to the FTP server. Path: The directory where Advanced Threat Defense must save the file on the FTP server. For example, to save the file at the root directory, enter the root directory path. User Name: The user name that Advanced Threat Defense must use to access the FTP server. Make sure that this user name has write access to the specified folder. Password: The corresponding password. A password can contain only the following special characters: &. Test: Click to make sure that A
177. click Edit. The VM Profile page is displayed. 3. Make the changes to the required fields and click Save. 5 Creating analyzer VM: View the System log. Delete VM profiles. Before you begin: • To delete a VM profile, either you must have created it or you must have the admin user role. • Make sure the VM profile you want to delete is not specified in the analyzer profiles. Task: 1. Select Policy | VM Profile. The currently available VM profiles are displayed. 2. Select the required record and click Delete. 3. Click Yes to confirm deletion. View the System log: When you create a VM profile using the VM Profile page, Advanced Threat Defense creates an analyzer VM from the image file you selected in the VM profile record. Simultaneously, it prints the related logs, which you can view in the Advanced Threat Defense web application. Through these log entries, you can view what is happening as the analyzer VM is being created. You can use this information for troubleshooting purposes. • After you click Save in the VM Profile page, select Manage | Logs | System to view the VM creation log entries. Configuring Advanced Threat Defense for malware analysis: After you install the Advanced Threat Defense Appliance on you
178. condary for analysis status and results using the unique task ID. 9 Clustering McAfee Advanced Threat Defense Appliances: How the Advanced Threat Defense cluster works. How to upgrade the Advanced Threat Defense software for the nodes in a cluster: Following is the recommended procedure to upgrade the Advanced Threat Defense software for the nodes in a cluster. 1. In a typical load balancing scenario, first upgrade the software of the Backup node. The node remains a part of the cluster; however, due to the version mismatch, incoming samples are not submitted to this node. The samples are distributed only between the Primary and secondary nodes. The status column of the Backup node in the Load balancing page displays the following message: Node is on different software version. 2. Upgrade the secondary nodes. After you upgrade more than 50 percent of the secondary nodes, upgrade the Primary node. 3. Since the Primary node remains down during the upgrade, the Backup node takes over the Active role and distributes the incoming samples between the Backup node (Active) and the upgraded secondary nodes. Even after the upgrade of the Primary node, the Backup node continues to assume the Active role. 4. Upgrade the remaining secondary nodes. Do not select Reset Database when you upgrade any of the nodes. If this option is selected for the primary node, the cluster goes down after the upgrade. If the Reset Database option is selected for a secondary node, it
179. configured for a user under the FTP results output setting interface ports. Syntax: backup reports. This command has no parameters. 10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands. backup reports date: This command creates a backup of the McAfee Advanced Threat Defense reports for a particular date range on an external FTP/SFTP server configured for a user under the FTP results output setting. Syntax: backup reports date <yyyy-mm-dd>. Parameter: yyyy-mm-dd yyyy-mm-dd: The date range for which you want to create a backup for reports. Example: 2014-07-10 2014-07-12. Blacklist: Use the following commands to manage the blacklist of McAfee Advanced Threat Defense. Syntax: • To add an MD5 to the blacklist, use blacklist add <md5> <score> <file_name> <malware_name> <Eng ID> <OS ID>. Parameters: <md5>: The MD5 hash value of a malware that you want to add to the blacklist. <score>: The malware severity score. A valid value is from 3 to 5. <file_name>: The file name for the MD5. <malware_name>: The malware name for the MD5. <Eng ID>: The numerical ID for the engine that detected the malware. Following is the numerical coding: Sandbox 0, GTI 1, GAM 2, Anti-Malware 4. <OS ID>: The numerical ID of the operating syste
180. ct Enable Threat Event Publisher. • From the Severity Level drop-down list, select a severity level based on your requirement. 4. Click Apply. When the Publish Threat Events Setting updated successfully message appears, click OK. After you click the Apply tab, Advanced Threat Defense checks whether the connection between Advanced Threat Defense and the McAfee ePO broker channel is established. The Publisher Status indicator tells whether Advanced Threat Defense is publishing reports to McAfee ePO or not. See also Configure McAfee ePO integration on page 244. Integration with Data Exchange Layer: McAfee Data Exchange Layer (McAfee DXL) includes client software and one or more brokers that allow bidirectional communication between endpoints on a network. The McAfee DXL client is installed on each managed endpoint so that threat information can be shared immediately with all other services and devices, reducing the spread of threats. Integrating Advanced Threat Defense with McAfee DXL enables Advanced Threat Defense to send the analysis report of the samples analyzed at Advanced Threat Defense to the McAfee DXL broker. Analysis reports of samples that meet the following are sent to McAfee DXL: • Portable executable (PE) files with a severity score greater than or equal to 2 • Non-PE files with a severity score greater than or equal to 3. These analysis reports are published to a topic located at /mcafee/event/atd/file/report on the McAfee D
181. ct Guide. 5 Creating analyzer VM: Managing VM profiles. If you had not provided the Image Name, then the image file is assigned the default name based on the operating system. If you had provided an Image Name, the name that you provided is appended to the default name. Image Conversion Log: 2014-06-11 08:19:50 657 INFO File conversion from raw vmdk to img in progress. 2014-06-11 08:20:42 507 INFO img file created successfully win2k3sp2_WithPDF.img. 2014-06-11 08:20:42 670 INFO Moving of image file done successfully. Figure 5-5 Image conversion log entries. Managing VM profiles: After you convert the imported VMDK file to an image file, you create a VM profile for that image file. You cannot associate this VM profile with any other image file. Similarly, once associated, you cannot change the VM profile for an image file. VM profiles contain the operating system and applications in an image file. This enables you to identify the images that you uploaded to Advanced Threat Defense and then use the appropriate image for dynamically analyzing a file. You can also specify the number of licenses that you possess for the operating system and the applications. Advanced Threat Defense factors this in when creating concurrent analyzer VMs from the corresponding image file. You use the Advanced Threat Defense web applicatio
182. d Applications to programs might be unavailable. [Screenshot: Services dialog, Internet Information Services; if this service is disabled, any services that explicitly depend on it will fail to start.] 5 Creating analyzer VM: Create a VMDK file for Windows 8. Step / Details. Step 28: In the Telnet Properties (Local Computer) dialog, select Automatic from the Startup type list. Then select Apply, Start, OK. [Screenshot: Telnet Properties (Local Computer). Description: Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients. Path to executable; Startup type: Automatic; Service status: Stopped; Start, Stop, Pause, Resume. You can specify the start parameters that apply when you start the service from here.] Step 29: Enable FTP on Windows 8. 1. Press the Windows key and X simultaneously and then select Control Panel | System and Security | Administrative Tools. Ho
183. d Threat Defense 3.4.8 Product Guide. 6 Configuring Advanced Threat Defense for malware analysis: Managing analyzer profiles. Task: 1. Select Policy | Analyzer Profile | New. 2. Enter the appropriate information in the respective fields. Option name / Definition. Name: Enter the name for the analyzer profile. It should allow you to easily identify the characteristics of that analyzer profile. Description: Optionally, provide a detailed description of the analyzer profile. VM Profile: Select the VM profile Advanced Threat Defense must use for dynamically analyzing a file. Automatically Select OS: If you want Advanced Threat Defense to automatically select the VM profile for Windows 32-bit and Windows 64-bit, select Enable and then select the VM profiles from the Windows 32-bit VM Profile and Windows 64-bit VM Profile lists. Consider that for VM Profile you have selected Android. You have enabled Automatically Select OS. For Windows 32-bit VM Profile you have selected Windows XP SP3, and for Windows 64-bit VM Profile you have selected Windows 7 SP1 64-bit. Now, when an apk file is detected, the Android analyzer VM is used for dynamically analyzing the file. Similarly, for a PE32 file, Windows XP SP3 is used. For a PE64 file, the Windows 7 SP1 64-bit analyzer VM is used. If Advanced Threat Defense is unable to determine the operating system for this analyzer profile, or if the determined analyzer VM is not available, it uses the VM
184. d as win2k3sp1_with_PDF. If you attempt to create multiple analyzer VMs of the same operating system, then every time the image file is named using the default name for the operating system. Therefore, the same image file is overwritten every time instead of creating a new analyzer VM of the same operating system. This is why it is mandatory to provide Image Name when creating multiple analyzer VMs of the same operating system. 4. Select the corresponding operating system from the Operating System drop-down. 5 Creating analyzer VM: Convert the VMDK file to an image file. 5. Click Convert. The time taken for this conversion depends on the size of the VMDK file. For a 15 GB file, an ATD-3000 might take around five minutes. [Screenshot: Image Management; VMDK Image: virtualMachineImage-flat_test.vmdk; Image Name: WithPDF; Operating System: Windows 2003 SP1; Convert; Image Conversion Logs: Select Log.] Figure 5-2 VMDK to image file conversion. After the conversion is complete, a message is displayed. [Screenshot: Info: Image conversion is done. OK.] Figure 5-3 Confirmation message. 6. To view the logs related to image conversion, select the image name from the Select Log list and click View. [Screenshot: Image Conversion Logs; Select Log: win2k3sp2_WithPDF; View.] Figure 5-4 Select the image file to view the logs.
185. ding on the number of analyzer VMs. 11. Verify that the data and configurations from your earlier version are preserved. The software version you upgraded to is now stored in the active disk of the Advanced Threat Defense Appliance. Whitelist status is disabled after you upgrade to Advanced Threat Defense 3.4.8.x. Upgrade the Android analyzer VM. Before you begin: • Make sure that the current version of Advanced Threat Defense is 3.4.8. • Make sure that the Android 4.3 .msu file is extracted and that you can access it from your client computer. • You have the credentials to log on as the admin user in the Advanced Threat Defense web application. • You have the credentials to log on to the Advanced Threat Defense CLI using SSH. • You have the credentials to SFTP to the Advanced Threat Defense Appliance. • For the admin user record, select Allow Multiple Logins in the User Management page. Using the Advanced Threat Defense web application, you can upgrade the Android analyzer VM to version 4.3. Task: 1. Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user. 2. Using SFTP, upload the Android 4.3 .msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary. 3. After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage | Software Management.
186. ding or descending order. Alternatively, move the mouse over the right corner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending. By default, very high severity files are shown at the top of the list. To save the Analysis Results page settings, click the save icon. View the Threat Analysis report: The Threat Analysis report is an executive brief detailing key behaviors of the sample file. This report is available in HTML, text, PDF, XML, JSON, Open Indicators of Compromise (OpenIOC) and Structured Threat Information eXpression (STIX) formats. The HTML, text and PDF formats are mainly for you to review the analysis report. You can access the HTML and PDF formats from the Advanced Threat Defense web application. The HTML and text formats are also available in the reports zip file for the sample, which you can download to your client computer. The XML and JSON formats provide well-known malware behavior tags for high-level programming scripts to extract key information. Network Security Platform and McAfee Web Gateway use the JSON formats to display the report details in their user interfaces. If the severity level of the sample is 3 and above, then the Threat Analysis report is available in OpenIOC (.ioc) and STIX (.stix.xml) formats. OpenIOC and STIX formats are universally recognized formats for sharing threat information. These formats enable you to effectively share the Analysis Summary reports with other sec
187. distribution by Active Primary. Figure 9-2 Advanced Threat Defense Appliances in a cluster. How are the individual files in a zip file analyzed by an Advanced Threat Defense cluster? When you submit a file or URL, Advanced Threat Defense assigns it a unique job ID and a task ID. These IDs are incremental integers. When you submit a zip file, the component files are extracted and analyzed separately. The job ID for all component files of a zip file is the same as that of the zip file's job ID. However, the task ID varies for each component file. When you submit a zip file to an Advanced Threat Defense cluster, the primary node identifies the node to which it should distribute the next file and sends the entire zip file to that node. The node that received the zip file extracts the component files and analyses them. This applies to zip files within a zip file as well. • If a Sensor submits the zip file, Advanced Threat Defense generates a cumulative report for the entire zip file. That is, one report for one zip file is sent to the Manager when it queries for the report. In case of Web Gateway, zip files are not supported. • If you submit a zip file to the primary node using its web application, for example, individual reports are generated for the component files in the zip file. Then the primary node extracts the component files in the zip and distributes them all to the same node for analysis. The primary polls the corresponding se
188. dvanced Threat Defense database. Managing McAfee Advanced Threat Defense users: You can create user accounts for McAfee Advanced Threat Defense with different permissions and configuration settings. These permissions and settings depend on the user's role with respect to malware analysis using McAfee Advanced Threat Defense. Using the McAfee Advanced Threat Defense web application, you can create user accounts for: • Users who use the McAfee Advanced Threat Defense web application for submitting files for analysis and for viewing the results of the analysis • Users who upload the files to the FTP server hosted on the McAfee Advanced Threat Defense Appliance • Users who directly use the RESTful APIs for uploading files. For more information, see the McAfee Advanced Threat Defense RESTful APIs Reference Guide. In the user record, you also specify the default analyzer profile. If you are using the McAfee Advanced Threat Defense web application to upload, you can override this selection when you actually upload a file. For each user, you can also configure the FTP server details to which you want McAfee Advanced Threat Defense to upload the results of the analysis. There are five default user records: • Default Admin: This is the default super user account. You can use this account to initially configure the McAfee Advanced Threat Defense web application. The logon name is admin and the default password is admin. User is forced to cha
189. dvanced Threat Defense is able to access the specified FTP server using the selected protocol and user credentials. You can schedule a backup successfully only if the test connection succeeds. Submit: Click to schedule the backup. 4 Managing Advanced Threat Defense: Back up and restore the Advanced Threat Defense database. 3. To view the logs related to backup, select Manage | Logs | Syslog to view details such as the start and end time stamps. System Log: 2014-06-06 09:10:02 Backup starts. 2014-06-06 09:10:04 Backup done. Figure 4-8 Logs related to backup. The backup is stored in a password-protected zip file in the specified directory on the FTP server. Do not try to unzip or tamper with this file. If the file gets corrupted, you might not be able to restore the database backup using that file. Restore a database backup (Specific backup file). Before you begin: • Make sure that you configured the FTP IP address, directory path and user credentials on the Backup Scheduler Setting page and that the test connection is working for the specified configuration. You can restore a backup only from the same FTP server that you used for taking the backup. • Make sure that the corresponding backup file that you plan to restore is available on the FTP server at the specified directory. • As a precaution, make sure that there is no other user logged on to Advanced Threat Def
190. e Update content on Advanced Threat Defense (7): Enable or disable Custom Behavioral Rules. Enable or disable Custom Behavioral Rules. Before you begin: You have imported the Custom Behavioral rules text file into Advanced Threat Defense. After you import the Custom Behavioral Rules, you can disable them when not required. For example, you might want to disable them for reasons such as troubleshooting. Task: 1. Select Manage | Custom Behavioral Rules. 2. Deselect or select the Enable Custom Behavioral Rules checkbox. If you want to enable the Custom Behavioral rules that are currently present in the Advanced Threat Defense database, select Enable Custom Behavioral Rules and click Submit. That is, you need not import the Custom Behavioral rules text file again. Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus: Advanced Threat Defense allows you to import a maximum of two versions of DAT for Gateway Anti-Malware Engine and Anti-Virus at any given time. The DAT version uploaded later becomes Current by default, rendering the previous one as Backup. The DAT file designated as Current is used for malware detection. Task: 1. Select Manage | Image & Software | Content Update. 2. Click Download Update Package in the upper right corner of your screen, or alternatively download the update package from the following link: https://contentsecurity.mcafee.com/update. Follow the subsequent instructions to download the lat
191. e Submitted Time: The time stamp when the file was submitted for analysis. Severity: The severity of the submitted file. File Name: The name of the file that you submitted for analysis. User: The log-on name of the user who submitted the file for analysis. Analyzer Profile: The analyzer profile that was referred to for the analysis. 8 Analyzing malware: View the analysis results. Table 8-6 Column definitions (continued). Column / Definition. VM Profile: The VM profile used for the dynamic analysis. If only static analysis was used, that is displayed. Hash: The MD5 hash value of the file as calculated by Advanced Threat Defense. File Size: The size of the analyzed file in KB. Source IP: The IP of the host that sent the analyzed file. This is relevant only for files automatically submitted by other McAfee products such as Network Security Platform. Destination IP: The IP of the targeted host. Similar to the source IP, this is not relevant for manually submitted files. 3. Choose to hide the columns that you do not require: a. Move the mouse over the right corner of a column heading and click the drop-down arrow. b. Select Columns. c. Select only the required column names from the list. You can click a column heading and drag it to the required position. 4. To sort the records based on a particular column name, click the column heading. You can sort the records in the ascen
192. e Virtual Machine Hardware Compatibility window, select Workstation 9.0 from the Hardware compatibility drop-down list. For other fields, leave the default values and click Next.
Step 3: In the New Virtual Machine Wizard window, select a
(Screenshot: Welcome to the New Virtual Machine Wizard, "What type of configuration do you want?" Typical (recommended): Create a Workstation 10.0 virtual machine in a few easy steps. Custom (advanced): Create a virtual machine with advanced options such as a SCSI controller type, virtual disk type, and compatibility with older VMware products.)
(Screenshot: Choose the Virtual Machine Hardware Compatibility, "Which hardware features are needed for this virtual machine?" Hardware compatibility: Workstation 9.0. Compatible products: ESX 5.1, Fusion 5.0, Fusion 6.0, Workstation 10.0, Workstation 9.0. Limitations: 64 GB memory, 10 network adapters, 2 TB disk size, no SATA devices.)
Creating analyzer VM: Create a VMDK file for Windows 8.
Step 5: In the Guest Operating System Installation window, select Installer disc image file (iso), browse and select the I
193. e the default values and click Next.
(Screenshot: Processor Configuration, "Specify the number of processors for this virtual machine": Number of processors 1, Number of cores per processor 1, Total processor cores 1.)
Creating analyzer VM: Create a VMDK file for Windows 7.
(Screenshot: Memory for the Virtual Machine, "How much memory would you like to use for this virtual machine?" The memory size must be a multiple of 4 MB; the dialog shows the maximum recommended memory, the recommended memory, and the guest OS recommended minimum.)
Step 10: In the Memory for the Virtual Machine window, set 3072 MB as the memory.
Step 11: In the Network Type window, leave the default selection.
(Screenshot: Network Type, "What type of network do you want to add?" Use bridged networking: give the guest operating system direct access to an external Ethernet network; the guest must have its own IP address on the external network. Use network address translation (NAT): give the guest operating system access to the host computer's dial-up or external Ethernet network connection using the host's IP address. Use
194. Update content on Advanced Threat Defense (chapter 7): Defining Custom Behavioral Rules.
8. Custom Behavioral Rules: these are user-managed YARA rules.
9. Internal YARA rules: these are internal YARA rules which are defined by McAfee and updated only during Advanced Threat Defense software upgrades, if necessary. You cannot view or download these rules.
Note: McAfee Advanced Threat Defense checks a sample against YARA rules only if the sample is dynamically analyzed.
Figure 7-1 A sample Custom Behavioral Rule. (Screenshot of a YARA rule: the meta section carries a Classification, a Description reading "Changed access protection of pages to RWRWE and injected into ...", and Severity 4; the strings section names process-manipulation APIs such as GetProcessHeap, NtQuerySystemInformation, OpenProcess, NtAllocateVirtualMemory and WriteVirtualMemory, plus a case-insensitive pattern of Windows process names (svchost, csrss, lsass, spoolsv, services, winlogon, explorer, iexplore, winsvc ... .exe); the condition requires all of them and, using string offsets, that the open follows the query (commented "sequence of query, open and ...") and that a service name follows the open (commented "service name for NtOpenProcess").)
After you import your Custom Behavioral Rules into Advanced Threat Defense, the malware detection and classification are based on these rules as well. The final severity result of sample analysis is determined as the maximum value from the analysis methods mentioned a
195. e Check OK.
Figure 4-11 Logs related to data restore. (Screenshot of the appliance log from 2014-06-07 01:44 to 02:20: Backup starts; Restore starts; Got backup file matd_3.0.5.63148578_2014_06_07_01_44.zip, as read from the screenshot; Stopping AMAS; Restore DB and config files; Restore done; Starting AMAS; Amas Database Check OK; AMAS started.)
The processes related to sample analysis are stopped before the restore process and restarted after the restore process.
Managing Advanced Threat Defense: Back up and restore the Advanced Threat Defense database.
Creating analyzer VM: For dynamic analysis, Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its behavior for malicious activities. This VM is referred to as an analyzer VM. This ch
196. e Detection Package you want to import. 4. Click Upload to import the file.
If you delete the Current file, the Backup file automatically assumes the role of the Current. Click Revert to reinstate the Backup file as the Current file.
Analyzing malware: After you have configured Advanced Threat Defense, you can upload files and URLs for analysis. You can monitor the status of malware analysis using the Advanced Threat Defense web application and then view the results.
Contents: Analyze files; Analyze URLs; Configure the Analysis Status page; View the analysis results; Working with the Advanced Threat Defense Dashboard.
Analyze files: Advanced Threat Defense analyzes the various files submitted to it via different channels. The analysis includes static analysis and dynamic analysis, based on the configuration in the analyzer profile. The following are the methods you can follow to submit files:
• Manually upload the file using the Advanced Threat Defense web application.
• Post the file on the FTP server hosted on the Advanced Threat Defense Appliance.
• Use the RESTful APIs of the Advanced Threat Defense web application to upload the file. See the McAfee Advanced Threat Defense APIs Reference Guide.
• Integrate Advanced Threat Defense with Network Security Platform and McAfee Web Gateway. Then these applications automatically submit samples to Ad
197. e IP address.
Figure 9-5 Advanced Threat Defense cluster creation. (Screenshot of the LB Cluster page: Node IP address field, role drop-down showing Backup, Add Node button, Cluster IP address field, Save button; the LB Cluster Nodes table has the columns ATD ID, IP Address, Node Role, Config Version, S/W Version and State, and lists three ATD-3000 nodes, Primary (Active), Backup and Secondary, all with config version 1540606796 and state Up and Ready.)
Except for ATD ID, IP Address, Role and Withdraw From Cluster, none of the options are available in the Load Balancing Cluster Setting page for the secondary nodes.
Clustering McAfee Advanced Threat Defense Appliances (chapter 9): Configuring an Advanced Threat Defense cluster, high-level steps.
Table 9-1 Option definitions. Node IP address: Enter the management port IP address of the Advanced Threat Defense Appliance that you want to add to the cluster. Drop-down: Select Primary, Backup, or Secondary as per the requirement. Add Node: Click to add the primary, secondary, and backup node to the cluster. The primary node or secondary node IP address is the IP address that you use to access the Advanced Threat Defense web application. Cluster IP address: Enter the cluster IP address to be used by the Active node (Primary node or Backup node). Save: Click to save the cluster IP before adding the Backup node. State icon: Indicates the status of a node. Indicates that the node is up and ready. I
198. e VMDK file into the Advanced Threat Defense Appliance. 4. Convert the VMDK file into an image (.img) file. 5. Create the VM and the VM profile.
If you already have a VMDK file, it must be a single file that contains all the files required to create the VM. The following table specifies the maximum number of VMs that can be created based on different Windows flavors.
Table 5-1 Number of VMs per OS (Creating analyzer VM)
OS (Windows platform) | Hard disk space | ATD-3000: number of VMs | ATD-6000: number of VMs
WinXP SP2 | 5 GB | 29 | 59
WinXP SP3 | 5 GB | 29 | 59
Windows 2003 SP1 | 5 GB | 29 | 59
Windows 2003 SP2 | 5 GB | 29 | 59
Windows 2008 64bit SP1 | 14 GB | 29 | 59
Windows 7 32bit | 14 GB | 29 | 59
Windows 7 64bit | 14 GB | 29 | 59
Windows 8 32bit | 24 GB | 29 | 59
Windows 8 64bit | 24 GB | 29 | 59
The Android VM is default with all Advanced Threat Defense Appliance installations. Also, the Windows platforms listed in the table above show the hard disk space occupied in the base default form; if you wish to install updates and patches, then you must choose your OS keeping the hard disk space constraint in mind.
Creating analyzer VM: Below is the Microsoft Office setting that needs to be enabled after installing Microsoft Office versions 2003, 2007, 2010, or 2013. The below steps enable Auto Macros functionality in Microsoft Office
199. e a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued).
Step 33: In the Telnet Properties (Local Computer) window, you must select Automatic from the Startup type drop-down list. Then select Apply, Start, OK. (Screenshot: Telnet Properties (Local Computer), General tab: Service name TlntSvr, Display name Telnet, Description "Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients", Startup type, Service status Stopped, with Start, Stop, Pause and Resume buttons.)
Step 34: Enable FTP on the VM. 1. In the virtualMachineImage, select Start | Control Panel | Add or Remove Programs | Add/Remove Windows Components. (Screenshot: Windows Components Wizard, with the components list and the Details button.) 2. Double-click Application Server. 3. Double-click Internet Information Services (IIS). McAfee Advanced Thr
200. e analysis results.
Dropped files report: You can download a zip file containing all the files that the sample created or touched during dynamic analysis. You can download these files using one of the following methods:
• In the Analysis Results page (Analysis | Analysis Results), click the download icon and select Dropped Files. Download the dropfiles.zip file, which contains the files that the sample created in the sandbox. To use this option, you must have enabled the Dropped Files option in the corresponding analyzer profile.
• After you click the download icon, select Complete Results. Download the <sample_name>.zip file. This zip file contains the same dropfiles.zip inside the AnalysisLog folder. The Complete Results contains the dropfiles.zip regardless of whether you have enabled the Dropped Files option in the corresponding analyzer profile.
Disassembly Results: The Disassembly Results report provides the disassembly output listing for Portable Executable (PE) files. This report is generated based on the sample file after the unpacking process has completed. It provides detailed information about the malware file, such as the PE header information. The Disassembly Results report includes the following information:
• Date and time of the creation of the sample file
• File, PE, and Optional Header information
• Different section headers information
• The Intel disassembly listing
You can view the Disassembly Results report in the Advanced Threat Defense web application or
201. e cluster. Figure 9-1 An example Advanced Threat Defense cluster deployment.
Clustering McAfee Advanced Threat Defense Appliances: Network connections for an Advanced Threat Defense cluster. (Figure: Manager, NSM/MWG, and Internet access for samples; Advanced Threat Defense Primary with eth-0 10.10.10.10/24 and eth-1 20.20.20.20/24, connected through routers and L2 switches to Advanced Threat Defense Secondary 1, Secondary 2 and Backup, whose eth-0 and eth-1 interfaces carry addresses such as 10.10.10.15/24 and 20.20.20.25/24.)
In the example illustrated above, the eth-0 interfaces of all nodes are connected to the same switch (L2 network). The eth-0 interface of the primary acts as the management interface of the cluster, whereas the eth-0 of the secondary and backup nodes is used to exchange information with the primary. The Backup node acts as a secondary node until the Primary node goes down for some reason and the Backup node assumes the active primary node role. The primary node load balances the files received on the eth-0 interface among the secondary nodes based on the number of files submitted to a node. A highly burdened node receives a smaller number of samples for processing.
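The dispatch behavior described above (least-burdened node gets the next sample, the backup analyzing samples like a secondary until it is promoted) as a small added model. This is illustrative code written for this page, not McAfee's implementation; the node names, queue counts, and the `Cluster`/`Node` classes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration, not McAfee's code: the active primary hands each sample to the
# worker currently holding the fewest submitted-but-unfinished files; the backup node
# analyzes samples like a secondary while the primary is up and becomes the active
# primary when the primary goes down. All names and counts are constructed.


@dataclass
class Node:
    name: str
    role: str            # "primary", "secondary" or "backup"
    in_flight: int = 0   # files submitted to this node and not yet finished


@dataclass
class Cluster:
    nodes: List[Node]
    history: List[str] = field(default_factory=list)  # node chosen for each sample

    def active_primary(self) -> Optional[Node]:
        for n in self.nodes:
            if n.role == "primary":
                return n
        return None

    def workers(self) -> List[Node]:
        """Nodes that analyze samples: the secondaries plus the backup acting as one."""
        return [n for n in self.nodes if n.role in ("secondary", "backup")]

    def submit(self, sample_id: str) -> str:
        """Dispatch one sample to the least-burdened worker; return that node's name."""
        if self.active_primary() is None:
            raise RuntimeError("no active primary: cluster cannot accept samples")
        workers = self.workers()
        if not workers:
            raise RuntimeError("no analysis nodes available")
        target = min(workers, key=lambda n: n.in_flight)  # fewest outstanding files
        target.in_flight += 1
        self.history.append(target.name)
        return target.name

    def finish(self, node_name: str) -> None:
        """Record that a node completed one sample, freeing capacity for new ones."""
        for n in self.nodes:
            if n.name == node_name and n.in_flight > 0:
                n.in_flight -= 1
                return
        raise ValueError(f"nothing in flight on {node_name}")

    def primary_down(self) -> str:
        """Failover: drop the primary and promote the backup to active primary."""
        self.nodes = [n for n in self.nodes if n.role != "primary"]
        for n in self.nodes:
            if n.role == "backup":
                n.role = "primary"
                return n.name
        raise RuntimeError("no backup node to promote")


def demo() -> List[str]:
    """Constructed scenario: two secondaries and a backup with uneven load."""
    cluster = Cluster([
        Node("ATD-primary", "primary"),
        Node("ATD-sec1", "secondary", in_flight=3),
        Node("ATD-sec2", "secondary", in_flight=1),
        Node("ATD-backup", "backup", in_flight=2),
    ])
    for i in range(4):
        cluster.submit(f"sample-{i}")
    return cluster.history   # least-loaded node first; ties go to the earlier node


if __name__ == "__main__":
    print(demo())
```

In `demo()` the first sample goes to the node with one file in flight, the next two fill the remaining slack, and only then does the most burdened node receive work, which is the load-dependent distribution the text describes. The tie-break (earlier node in the list) is a choice of this model, not something the guide specifies.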
202. e communication between ATD and NSP.
• If encryption is enabled on ATD and NSP, the data sent from NSP to ATD is encrypted and uses an AES128-SHA cipher.
• Log in to the Sensor's CLI and enter debug mode.
• Execute set amchannelencryption on.
• Log in to the ATD CLI and execute set nsp ssl channel encryption enable.
• If encryption is disabled on ATD and NSP, the data sent from NSP to ATD is not encrypted and uses a NULL-SHA cipher.
• Log in to the Sensor's CLI and enter debug mode.
• Execute set amchannelencryption off.
• Log in to the ATD CLI and execute set nsp ssl channel encryption disable.
set appliance gateway: Specifies the IPv4 address of the gateway for the McAfee Advanced Threat Defense Appliance. Syntax: set appliance gateway <A.B.C.D>. Parameter <A.B.C.D>: a 32-bit address written as four eight-bit numbers separated by periods; A, B, C, or D represents an eight-bit number between 0 and 255. Example: set appliance gateway 192.34.2.8.
CLI commands for McAfee Advanced Threat Defense (chapter 10): List of CLI commands.
set appliance ip: Specifies the McAfee Advanced Threat Defense Appliance IPv4 address and subnet mask. Changing the IP address requires a restart for the changes to take effect. See the reboot command for instructions on how to reboot the McAfee Advanced Threat Defense Appliance. Syntax: set appliance ip <A.B.C.D> <E.F.G.H>. Par
203. Contents (continued)
resetuiadminpasswd ... 357
resetusertimeout ... 357
restart network ... 358
revertwebcertificate ... 358
route add/delete network ... 358
samplefilter ... (page number illegible)
set appliance dns <A.B.C.D> <E.F.G.H> WORD ... (page number illegible)
set gti dns check ... 359
(entry illegible) ... 359
set intfport auto ... 360
set intfport ip ... 360
set intfport speed duplex ... 360
set IPAddressSwap ... 360
set malware intfport ... 361
set mgmtport auto ... 361
set mgmtport speed and duplex ... 361
set pdflinks ... 362
set filesizes ... 362
(entry illegible) ... 363
(entry illegible) ... 363
set headerlog ... 363
(entry illegible) ... 363
set heuristic_analysis ... 364
set nsp ssl channel encryption ... 364
set appliance gateway ... 364
set appliance ip ... 365
set appliance name ...
204. ... 365
set stixreportstatus ... 366
(entry illegible) ... 366
set uilog ... 366
set ui timeout ... 366
set whitelist ... 366
show ... 366
show dat version ... 367
show gti status ... 367
show epo stats ... 367
show filequeue ... 368
show filesizes ... (page number illegible)
show ftp ... (page number illegible)
(entry illegible) ... 368
show headerlog ... 368
show history ... 368
show heuristic_analysis ... 369
show intfport ... 369
show logconfig ... 370
show pdflinks ... 370
set IPAddressSwap ... 370
(entry illegible) ... 370
show nsp scandetails ... 371
show route ... 371
show stixreportstatus ... 372
(entry illegible) ... (page number illegible)
show ui timeout ...
205. e file you want to submit for analysis, or drag and drop the file into the specified box.
Figure 8-4 Submit the file. (Screenshot: Manual Upload dialog with File, Browse, Analyzer Profile, Advanced and Submit.)
3. In the Analyzer Profile field, select the required analyzer profile from the drop-down list.
4. Click Advanced and select Skip files if previously analyzed.
Figure 8-5 Skip files if previously analyzed. (Screenshot: Advanced Control dialog with User Interactive Mode (XMode), Skip files if previously analyzed, OK and Cancel.)
5. Click OK, then click Submit. The sample is uploaded to McAfee Advanced Threat Defense and a success message with the details specifying that the submitted file was previously analyzed is displayed.
Analyzing malware (chapter 8): Analyze URLs.
6. Click OK in the Uploaded File Successfully dialog box.
Sample analysis is not skipped in the following scenarios:
• if the Analyzer Profile is modified after the last analysis
• if the submitted sample was analyzed more than three days ago
• if the samples are submitted via the URL Download method
If a previously analyzed zip file is submitted again, a single sample from the zip with the highest severity is displayed.
Upload files for analysis using SFTP. Before you begin:
• Your user name has FTP Access privilege. This is required to access the FTP server hosted on Advanced Threat Defense.
• You have cr
206. e output:
System Health Status good
Sample files received count 300
Sample files submitted count 300
GTI Scanner files submitted count 50
GAM Scanner files submitted count 100
MAV Scanner files submitted count 200
Sandbox files submitted count 25
Sandbox files finished count 25
Sample files finished count 300
Sample files error count 0
CLI commands for McAfee Advanced Threat Defense (chapter 10): List of CLI commands.
terminal: Set the number of lines for display on the screen of McAfee Advanced Threat Defense. Syntax: terminal <length> | no. Parameter <length>: Sets the number of lines for display on the screen; the value ranges from 0 to 512. no: Negates the previous command or sets the default value.
update_avdat: By default, McAfee Advanced Threat Defense updates the DAT files for McAfee Gateway Anti-Malware Engine and McAfee Anti-Malware Engine every 90 minutes. To update these files immediately, use the update_avdat command. This command has no parameters. Syntax: update_avdat.
vmlist: Displays a list of all the VMs configured on McAfee Advanced Threat Defense. Syntax: vmlist.
watchdog: The watchdog process reboots the McAfee Advanced Threat Defense Appliance whenever an unrecoverable failure is detected. Syntax: watchdog <on | off | status>. Parameter <on>: Enables the w
207. e prohibits the use of the Advanced Threat Defense Appliance for anything other than operating the Advanced Threat Defense solution.
• McAfee prohibits the modification or installation of any hardware or software on the Advanced Threat Defense Appliance that is not part of the normal operation of Advanced Threat Defense.
Unpack the shipment: 1. Open the crate. 2. Remove the first accessory box.
Setting up the Advanced Threat Defense Appliance (chapter 2): Before you install the Advanced Threat Defense Appliance.
3. Verify you have received all parts as listed in Check your shipment on page 22. 4. Remove the Advanced Threat Defense Appliance. 5. Place the Advanced Threat Defense Appliance as close to the installation site as possible. 6. Position the box with the text upright. 7. Open the top flaps of the box. 8. Remove the accessory box within the Advanced Threat Defense Appliance box. 9. Remove the slide rail kit. 10. Pull out the packing material surrounding the Advanced Threat Defense Appliance. 11. Remove the Advanced Threat Defense Appliance from the anti-static bag. 12. Save the box and packing materials for later use in case you need to move or ship the Advanced Threat Defense Appliance.
Check your shipment: The following accessories are shipped in the Advanced Threat Defense Appliance crate: Advanced Threat Defense Appliance; accessories itemized on the Content Sheet; set of tool-less slide rails; Fro
208. e uses the following sources of information, in the same order of priority:
1. Advanced Threat Defense queries McAfee ePO for the operating system of a host based on its IP address. If information from this source or the corresponding analyzer VM is not available, it goes to the next source.
2. If Device Profiling is enabled, the Sensor provides the operating system and application details when forwarding a file for analysis. If information from this source or the corresponding analyzer VM is not available, it goes to the next source.
3. From the analyzer profile in the corresponding user record, Advanced Threat Defense determines the VM profile. If information from this source or the corresponding analyzer VM is not available, it goes to the next source.
4. You can select a VM profile in your setup as the default.
When Advanced Threat Defense receives host information for a particular IP address from McAfee ePO, it caches this detail. The cached IP address to host information data has a time-to-live (TTL) value of 48 hours. For the first 24 hours, Advanced Threat Defense uses just the host information in the cache. For the second 24 hours, Advanced Threat Defense uses the host information from the cache but also queries McAfee ePO and updates its cache. This updated information is valid for the next 48 hours. If the cached information is more than 48 hours old, it treats it as if there is no cached information for the corresponding IP addr
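The two-phase cache lifetime described above (cache only for the first 24 hours, cache plus re-query for the second 24 hours, expiry after 48 hours, refresh restarting the clock) as an added worked model. This is illustrative code written for this page, not McAfee's implementation; `EpoHostCache`, the `query_epo` callable, and the IP to operating system table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added illustration, not McAfee's code: a model of the ePO host-information cache as the
# guide describes it. An entry lives 48 hours; for its first 24 hours only the cache is
# consulted, for the second 24 hours the cached value is used but ePO is queried again and
# the entry refreshed (starting a new 48-hour life), and anything older than 48 hours is
# treated as absent. query_epo is a hypothetical lookup callable, IP -> host info or None.

HOUR = 3600
CACHE_ONLY = 24 * HOUR    # age below which no ePO query is made
TTL = 48 * HOUR           # age at which the entry is discarded


@dataclass
class CacheEntry:
    host_info: str     # for example the operating system name reported by ePO
    stored_at: float   # epoch seconds when the entry was written or refreshed


class EpoHostCache:
    def __init__(self, query_epo: Callable[[str], Optional[str]]) -> None:
        self._query_epo = query_epo
        self._entries: Dict[str, CacheEntry] = {}
        self.epo_queries = 0   # counts lookups sent to ePO, so behaviour is observable

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self._entries.get(ip)
        if entry is not None:
            age = now - entry.stored_at
            if age < CACHE_ONLY:
                return entry.host_info               # first 24 h: cache only
            if age < TTL:
                self._refresh(ip, now)               # second 24 h: cache, plus re-query
                return entry.host_info
            del self._entries[ip]                    # older than 48 h: nothing cached
        return self._refresh(ip, now)

    def _refresh(self, ip: str, now: float) -> Optional[str]:
        self.epo_queries += 1
        info = self._query_epo(ip)
        if info is not None:
            self._entries[ip] = CacheEntry(info, now)   # valid for the next 48 h
        return info

    def cached(self, ip: str) -> Optional[str]:
        """Return the cached value without any lookup, for inspection."""
        entry = self._entries.get(ip)
        return entry.host_info if entry else None


def constructed_epo_directory(ip: str) -> Optional[str]:
    """Stand-in for ePO: a constructed IP -> operating system table."""
    return {"10.1.1.20": "Windows 7 64bit", "10.1.1.21": "Windows 8 32bit"}.get(ip)


if __name__ == "__main__":
    cache = EpoHostCache(constructed_epo_directory)
    for t in (0, 10 * HOUR, 30 * HOUR, 50 * HOUR, 100 * HOUR):
        print(t // HOUR, "h:", cache.lookup("10.1.1.20", t), "queries so far:", cache.epo_queries)
```

The query counter is what makes the behaviour checkable: a lookup at 10 hours costs no ePO traffic, one at 30 hours is answered from cache but triggers a refresh, and because that refresh restarts the 48-hour life, a lookup at 50 hours is again cache-only. When the re-query in the second window returns nothing, this model keeps serving the old entry until it expires; the guide does not say what the appliance does in that case.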
209. e web application. Access the Advanced Threat Defense Appliance web application.
You need to modify Firefox settings to use the HTML5 feature: 1. From the Firefox Home page, click Options | Advanced | Certificates | View Certificates. 2. From the Certificate Manager window, click Servers. 3. Click Add Exception, type https://<Host ATD IP address>:6080, and click Get Certificate. 4. Click Confirm Security Exception and then OK. 5. Click Activation or XMode.
Access the Advanced Threat Defense Appliance web application. Task: 1. From a client computer, open a session using one of the supported browsers. 2. Use the following to access the Advanced Threat Defense web application:
• URL: https://<Advanced Threat Defense Appliance host name or IP address>
• Default user name: admin
• Password: admin
3. Click Log In. 4. A new window appears prompting the admin user to change the administrator default password. Change the default password.
Managing Advanced Threat Defense: You use the Advanced Threat Defense web application to manage configurations such as user accounts and to monitor the Advanced Threat Defense Appliance's system health.
Contents: Managing McAfee Advanced Threat Defense users; Monitoring the Advanced Threat Defense performance; Upgrade Advanced Threat Defense and Android VM; Troubleshooting; Back up and restore the A
210. each node. If you are creating a new VM profile, make sure you create this VM profile in all the nodes before you select this new VM profile in any of the analyzer profiles. If you need to modify an existing VM profile, make sure you immediately do the same modification in each node. Finally, recreate the cluster.
• VM profiles
• DAT and engine versions of McAfee Anti-Malware Engine
• DAT and engine versions of McAfee Gateway Anti-Malware Engine
• Whitelist and blacklist entries
• Time zone
• In an Advanced Threat Defense cluster setup, each node maintains its own set of custom YARA rules. That is, the custom YARA rules that you define in the primary node are not sent to the secondary nodes automatically.
Note: Configuration changes made through the CLI are not exchanged. Make the same changes in each node individually.
Clustering McAfee Advanced Threat Defense Appliances (chapter 9): How the Advanced Threat Defense cluster works.
When treated as part of a cluster, the secondary nodes are transparent to users and integrated products.
• It is possible for you to use a secondary Advanced Threat Defense directly for file submission and report retrieval. However, you are not allowed to modify any of the synchronized configurations.
• Both files and URLs submitted for analysis are distributed to achieve load balancing.
(Figure: Active Primary receiving Samples and distributing them to Secondaries; Backup Primary; Load
211. Creating analyzer VM: Create a VMDK file for Windows 2003 Server.
Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued).
Step 35: In the Internet Information Services (IIS) pop-up window, complete the following: 1. Select Common Files. 2. Select File Transfer Protocol (FTP) Service. 3. Select Internet Information Services Manager, click OK, and then click Next in the Windows Components Wizard. (Screenshot: Internet Information Services (IIS) subcomponents list, including Background Intelligent Transfer Service (BITS) Server Extensions, Common Files, File Transfer Protocol (FTP) Service, FrontPage 2002 Server Extensions, Internet Printing, NNTP Service, and Internet Information Services Manager, with the total disk space required and the space available on disk.)
Creating analyzer VM: Create a VMDK file for Windows 2003 Server. Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued).
Step 36: In VMware Workstation, right-click on the VM, which in this example is virtualMachineImage. Then select Settings
212. eat Defense do have the capability to perform custom whitelisting as well. This includes McAfee Web Gateway and McAfee Network Security Platform.
Local Blacklist: This is the list of MD5 hash values of known malware stored in the Advanced Threat Defense database. When Advanced Threat Defense detects malware through its heuristic McAfee Gateway Anti-Malware engine or through dynamic analysis, it updates the local blacklist with the file's MD5 hash value. A file is added to this list automatically only when its malware severity, as determined by Advanced Threat Defense, is medium, high, or very high. There are commands to manage the entries in the blacklist.
McAfee GTI: This is a global threat correlation engine and intelligence base of global messaging and communication behavior, which enables the protection of customers against both known and emerging electronic threats across all threat areas. The communication behavior includes the reputation, volume, and network traffic patterns. Advanced Threat Defense uses both the IP Reputation and File Reputation features of GTI.
Note: DNS must be configured for GTI to run.
Note: For File Reputation queries to succeed, make sure Advanced Threat Defense is able to communicate with tunnel.message.trustedsource.org over HTTPS (TCP 443). Advanced Threat Defense retrieves the URL updates from list.smartfilter.com over HTTP (TCP 80).
Configuring Advanc
213. eated the required analyzer profile that you want to use.
• You have installed an FTP client on your machine.
Using SFTP, you can upload the supported file types to the FTP server on Advanced Threat Defense.
Note: By default, FTP is not a supported protocol for uploading samples. To use FTP to upload files, you must enable it using the set ftp CLI command. See set ftp on page 363.
Task: 1. Open your FTP client and connect to Advanced Threat Defense using the following information:
• Host: Enter the IP address of Advanced Threat Defense.
• User name: Enter your Advanced Threat Defense user name.
• Password: Enter your Advanced Threat Defense password.
• Port: Enter 22, which is the standard port for SFTP. For FTP, enter 21.
2. Upload the files from the local site to the remote site, which is on Advanced Threat Defense. 3. In the Advanced Threat Defense web application, select Analysis | Analysis Status to monitor the status of the uploaded files.
URLs: Similar to how you submit a file for analysis, you can submit a URL to Advanced Threat Defense for analysis. In this release, Advanced Threat Defense analyzes the URL in an analyzer VM determined by the user profile and reports the file analysis results. Advanced Threat Defense uses only the local blacklist and dynamic analysis for the downloaded file. In addition, the McAfee GTI reputation of the URL is reported. The behavior of the browser when opening the URL is also analyzed for
214. econdary node, the primary node pushes the configuration file automatically to that secondary. The following configurations are synchronized automatically between all nodes:
• Analyzer profiles
• User management
• McAfee ePO / DXL integration details
• Proxy settings
• DNS settings
• System time, based on the settings in the Date and Time Settings page. If you manually modify the time, the same is set on all nodes. If you configure NTP servers, the same NTP servers are used for all nodes. However, the time zone is not synchronized.
The web application pages for the configurations listed above are disabled in both secondary and Backup nodes.
Clustering McAfee Advanced Threat Defense Appliances (chapter 9): How the Advanced Threat Defense cluster works.
• Unsynchronized configuration: The following are not synchronized automatically. Use the individual nodes to configure these:
• Advanced Threat Defense software version
• Analyzer VMs. Before you configure the cluster, make sure the VM profiles are exactly the same in all the nodes of the cluster. All the settings in the VM profiles, including the VM profile name, must be the same across the nodes. When you create a new VM profile or modify an existing one after cluster creation, recall that VM profile related changes are not propagated to all the nodes automatically. First dismantle the cluster. Then manually make the exact change in
215. ed): Create a Workstation 10.0 virtual machine in a few easy steps. Custom (advanced): Create a virtual machine with advanced options such as a SCSI controller type, virtual disk type, and compatibility with older VMware products. (Screenshot residue of the New Virtual Machine Wizard welcome dialog.)
Creating analyzer VM: Create a VMDK file for Windows 2003 Server. Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued).
Step 4: In the Choose the Virtual Machine Hardware Compatibility window, select Workstation 9.0 from the Hardware compatibility drop-down list. For other fields, leave the default values and click Next. (Screenshot: Choose the Virtual Machine Hardware Compatibility, "Which hardware features are needed for this virtual machine?" Hardware compatibility: Workstation 9.0, Compatible with ESX Server; the dialog lists the compatible products (ESX 5.1) and limitations, including 10 network adapters, 2 TB disk size, and no SATA devices.)
Step 5: In the Guest Operating System Installation window, select either Installer disc or Installer disc image file (iso), browse and select the ISO image, and then click Next. (Screenshot: Guest Operating System Installation, "A virtual machine is like a physical computer; it needs an operating system. How will you install the guest operating system?" Install from
216. ed Analyzing (Figure 8-7 Status of files submitted for analysis: the Analysis Status page lists submitted files with columns File Name, MD5, User, VM Profile, and Analyzer Profile, and offers the filters Last 24 hours, Refresh every 1 minute, Case Sensitive, and Search By.) If you do not have administrative permissions, only those files that you submitted are listed. A user with administrative permissions can view the samples provided by any user. 2 From the drop-down lists, select the criteria for viewing and refreshing the status of files being analyzed: set the criteria to display records on the Analysis Status page (by default, results from the last 24 hours are displayed); set the frequency at which the Analysis Status page is refreshed (the default refresh interval is 1 minute).
217. ed Threat Defense for malware analysis: Terminologies. Gateway Anti-Malware: McAfee Gateway Anti-Malware Engine analyzes the behavior of web sites, web site code, and downloaded Web 2.0 content in real time to preemptively detect and block malicious web attacks. It protects businesses from modern blended attacks, including viruses, worms, adware, spyware, riskware, and other crimeware threats, without relying on virus signatures. McAfee Gateway Anti-Malware Engine is embedded within Advanced Threat Defense to provide real-time malware detection. Anti-Malware: McAfee Anti-Malware Engine is embedded within Advanced Threat Defense. The DAT is updated automatically based on the network connectivity of Advanced Threat Defense. Static analysis also involves analysis through reverse engineering of the malicious code. This includes analyzing all the instructions and properties to identify the intended behaviors, which might not surface immediately. This also provides detailed malware classification information, widens the security cover, and can identify associated malware that leverages code re-use. By default, Advanced Threat Defense downloads the updates for McAfee Gateway Anti-Malware Engine and McAfee Anti-Malware Engine every 90 minutes. Manual update of the DAT is not allowed. Dynamic analysis: In this case, Advanced Threat Defense executes the file in a secure VM and monitors its behavior to check how malicious the file is. At the end
218. ed and that you can access it from your client computer. You have the credentials to log on as the admin user in the Advanced Threat Defense web application. You have the credentials to log on to the Advanced Threat Defense CLI using SSH. You have the credentials to SFTP to the Advanced Threat Defense Appliance. For the admin user record, select Allow Multiple Logins in the User Management page. Task: 1 Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user. 2 Using SFTP, upload the system-<version number>.msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary. 3 After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage | Software Management. 4 Under System Software, select the system-<version number>.msu file. 5 Make sure that Reset Database is deselected in case of upgrades, and click Install. Managing Advanced Threat Defense: Upgrade Advanced Threat Defense and Android VM. 6 A confirmation message is displayed; click OK. (Figure: Status: System Software file was validated successfully. Installation will start shortly. OK.) The system software is installed and the status is displayed in the browser. (Figure: Login ID, Password; Status: Installati
219. ed samples at a configured time. disable: When executed, disables the daily task to remove original samples from newly completed sample files at the configured time. Syntax: remove samples all <now>|<enable>|<disable>. Example 1: ATD-6000> remove samples all now; output: Removing all sample files now; 10 sample files removed. Example 2: ATD-6000> remove samples all enable 11:37:14; output: Removing all sample files now; 14 sample files removed; Setting up daily task to remove newly completed sample files at 11:37:14. Example 3: ATD-6000> remove samples all disable; output: Disabling daily task. removenetworkaddress: This command removes the IP address, subnet mask, and gateway address from the Advanced Threat Defense Appliance. The changes are reflected after the box is rebooted. This is a hidden command useful for Support personnel. Syntax: removenetworkaddress. This command has no parameters. Example: ATD-6000> removenetworkaddress; output: Remove the appliance network addresses. Please enter Y to confirm. removeSampleInWaiting: Use this command to remove all the samples waiting to be analyzed by McAfee Advanced Threat Defense. Syntax: removeSampleInWaiting. This command has no parameters. The following information is displayed when you use this command: Starting the sample queue cleaning. The cleaning is done.
220. ed the user API log of the sample that you want to use as a reference for creating your Custom Behavioral Rules. Advanced Threat Defense applies the Custom Behavioral Rules on the User API log of an analyzed sample. To create Custom Behavioral Rules to catch a specific behavior, you can use the user API log of a sample that caused the same behavior. You can use YARA rules to catch runtime DLLs, file operations, registry operations, process operations, and other operations reported in the analysis summary report for a sample. For example, to catch a specific runtime DLL, see a sample's user API log and write a YARA rule for that DLL. Task: 1 Create a text file and open it in a text editor such as Windows Notepad. 2 Enter the comments in the text file to track the APIs or data that are the sources for your Custom Behavioral Rules. (Figure 7-3 Comments for the custom YARA rules file: custom.yara open in Notepad, with comment lines recording API calls from the user API log such as CreateDirectoryA, RemoveDirectoryA, GetProcAddress, and RegCreateKeyA together with their arguments and return values.) 3 Write the first rule and provide it a name. 4 Enter the metadata for the rule. Update content on Advanced Threat Defense: Defining Custom Behavioral Rules. Metadata is mandatory for standard rules and optional for helper rules. Regarding custom YARA rules, metadata can contain classif
221. efense 3.4.8 Product Guide, Configuring Advanced Threat Defense for malware analysis: Managing analyzer profiles. When a file is manually or automatically submitted to Advanced Threat Defense for analysis, it uses the corresponding analyzer profile to determine how the file needs to be analyzed and what needs to be reported in the analysis results. You specify the VM profile in the analyzer profile. You also define how the file is to be analyzed for malware and the reports to be published. Thus, an analyzer profile contains all the critical user configuration on how to analyze a file. You use the Advanced Threat Defense web application to manage analyzer profiles. (Figure 6-3 Contents of an analyzer profile: VM profile; run-time parameters; archive password; minimum and maximum run time; reports, logs, and artifacts; analysis options.) View analyzer profiles: Based on your user role, you can view the existing analyzer profiles in the Advanced Threat Defense web application. Task: 1 Select Policy | Analyzer Profile. If you have web access, you can view only the analyzer profiles that you created. If you have admin access, you can view all the analyzer profiles currently in the database. Column name and definition: Select: select to edit or delete the corresponding analyzer profile. Name: the name that you have assigned to the analyzer profile. Description:
222. elect Create a new virtual disk and click Next. (Figure: New Virtual Machine Wizard, Select a Disk: Which disk do you want to use? Create a new virtual disk: a virtual disk is composed of one or more files on the host file system, which will appear as a single hard disk to the guest operating system; virtual disks can easily be copied or moved on the same host or between hosts. The next option lets you reuse a previously configured disk. Use a physical disk (for advanced users): gives the virtual machine direct access to a local hard disk.) Creating analyzer VM: Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 15: Specify the details in the Specify Disk Capacity window and then click Next. Maximum disk size (GB): for Windows XP the maximum disk size can be 30 GB; however, you must enter 5 GB for optimal performance. Select Allocate all disk space now. Select Store virtual disk as a single file. (Figure: New Virtual Machine Wizard, Specify Disk Capacity: How large do you want this disk to be? Maximum disk size (GB): 5; recommended size for Windows XP Professional: 4.) Step 16: In the Specify Disk File window, make sure virtualMachineImage.vmdk is displayed by default, and click Next. If you specified a different name for Virtual Machine name, that name is displayed here.
223. ement and Monitoring Tools; Message Queuing. (Figure: Windows Components Wizard, component list with per-component size, description, total disk space required, and space available on disk.) Step 36: In the Windows Components wizard, double-click Internet Information Services (IIS). (Figure: Windows Components Wizard, Internet Information Services (IIS): to add or remove a component, click the check box; a shaded box means that only part of the component will be installed. Subcomponents listed include File Transfer Protocol (FTP) Service, FrontPage 2000 Server Extensions, Internet Information Services Snap-In, SMTP Service, and World Wide Web Service.) Creating analyzer VM: Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 37: In the Internet Information Services (IIS) pop-up window, complete the following: 1 Select File Transfer Protocol (FTP) Service. 2 Select Common Files. 3 Select Internet Information Services Snap-In, click OK, and then click Next. (Figure: Windows Components Wizard, Internet Information Services (IIS).)
224. enable>|<disable>. Example: ATD-6000> set gti dns check enable; output: DNS access check is now enabled. ATD-6000> set gti dns check disable; output: DNS access check is now disabled. set intfport: Use this command to enable or disable McAfee Advanced Threat Defense interface ports. Syntax: set intfport <1>|<2>|<3> <enable>|<disable>. Example: set intfport 1 enable. set intfport auto: Sets an interface port to auto-negotiate the connection with the immediate network device. Syntax: set intfport <1>|<2>|<3> auto. Example: set intfport 1 auto. set intfport ip: Sets an IP address on an interface port. Syntax: set intfport <1>|<2>|<3> ip A B C Ber Gen. Example: Sec In roort L 1010 1010 25562599 2006 0. set intfport speed duplex: Set the speed and duplex setting on the specified interface port. Syntax: set intfport <1>|<2>|<3> speed <10|100> duplex <half|full>. Parameters: <1>|<2>|<3>: Enter the interface port ID for which you want to set the speed and duplex. <10|100>: Sets the speed on the interface port; the speed value can be either 10 or 100. <half|full>: Sets the duplex setting on the interface port; set the value half for half duplex and
225. ense 3.4.8 Product Guide, Analyzing malware: Working with the Advanced Threat Defense Dashboard. Top 5 Recent Malware by File Name: In this monitor, you can view the names of five malicious files detected in your network, with the most severe ones listed on top. This information might enable further research, such as finding more information about these files on the web. The listed malware files are sorted based on their severity level in descending order. The first column displays the file names; the second column displays the severity level. (Figure 8-19 Top 5 Recent Malware by File Name monitor: columns File Name and Severity.) Top 10 Malware by Threat Name: In this monitor, you can view the names of the ten most severe malware files in your network by threat name. (Figure 8-20 Top 10 Malware by Threat Name: a block chart of threat names.) This monitor has drill-down capabilities. Once you click a particular block, Advanced Threat Defense takes you to the Analysis Results page, displaying the records sorted as per the chosen block.
226. ense 3.4.8 Product Guide, Managing Advanced Threat Defense: Upgrade Advanced Threat Defense and Android VM. 6 A confirmation message is displayed; click OK. (Figure: Status: System Software file was validated successfully. Installation will start shortly. OK.) The system software is installed and the status is displayed in the browser. (Figure: Login ID, Password; Status: Installation is in progress. Please wait.) It takes a minimum of 20 minutes for the system software installation to complete. 7 After the software is installed, the Advanced Threat Defense Appliance restarts. A relevant message is displayed. The Appliance restarts on its own; the message that is displayed is only for your information. (Figure: Status: The system is going down for reboot now. OK.) If you are not able to view these messages, clear the browser cache. 8 Wait for the Advanced Threat Defense Appliance to start. Log on to the CLI and verify the software version. 9 Verify the version in the Advanced Threat Defense web application. 10 Log on to the web application and, in the System Log page, verify that the vmcreator task is invoked. When you upgrade to Advanced Threat Defense 3.4.8.x, all analyzer VMs are automatically re-created. This process might take some time to complete, depen
227. ense during the restoration window. Factor in the Advanced Threat Defense web application, REST APIs, and CLI. Make sure that Advanced Threat Defense is not analyzing any sample files or URLs at the time of restoration. Also make sure no integrated product, user, or script is submitting samples during the restoration window. Make sure that you do not restore a backup during the backup window. Make sure that there is no Advanced Threat Defense software upgrade happening during the restoration window. Using Specific backup file, you can restore a backup file that is present on the FTP server to any Advanced Threat Defense appliance. This is useful when the Advanced Threat Defense appliance gets corrupted. You cannot restore a backup from an earlier or later version of Advanced Threat Defense software. All numbers in the version must exactly match. For example, you cannot restore a backup from 3.0.4.94.39030 on 3.0.4.94.39031. Managing Advanced Threat Defense: Back up and restore the Advanced Threat Defense database. Task: 1 Select Manage | Restore & Backup | Restore. (Figure: Restore Management: To restore Advanced Threat Defense's configuration, please select a backup file using either the Specific backup file settings or select from a list of previously backed up files hosted on your remote FTP server. Fields: Specific backup file, Remote IP, Protocol
228. ense is designed for detecting file-based malware. Earlier, users received malware as attachments in their emails. With the upsurge in Internet applications, users only need to click a link to download files. Today there are many other options to post such files: blogs, social networking sites, web sites, chat messages, web mails, message boards, and so on. The key challenges in tackling this issue are to detect malware in the shortest possible time and also to contain it from spreading to other computers. There are four major aspects to an anti-malware strategy. Detection of file downloads: when a user attempts to download a file from an external resource, your security product must be able to detect it. Analysis of the file for malware: you must be able to verify if the file contains any known malware. Block future downloads of the same file: subsequently, if the file is found to be malicious, your anti-malware protection must prevent future downloads of the same file or its variants. Identify and remediate affected hosts: your security system must be able to identify the host which executed the malware and also detect the hosts to which it has spread. Then it must provide an option to quarantine the affected hosts until they are clean again. The Advanced Threat Defense solution
229. ent Console and IIS Management Service. (Figure: Turn Windows features on or off: under Internet Information Services, FTP Server with FTP Extensibility and FTP Service; under Web Management Tools, IIS Management Compatibility, IIS Management Console, IIS Management Scripts and Tools, and IIS Management Service.) 3 Select Telnet Server. (Figure: Turn Windows features on or off: the list shows Telnet Client, Telnet Server, and TFTP Client among other features.) 4 Select .NET Framework 3.5 (includes .NET 2.0 and 3.0), and then select the Windows Communication Foundation HTTP Activation and Windows Communication Foundation Non-HTTP Activation options. Creating analyzer VM: Create a VMDK file for Windows 8. (Figure: Turn Windows features on or off: To turn a feature on, select its check box. To turn a feature off, clear its check box. A filled box means that only part of
230. er Accounts window, deselect Users must enter a user name and password to use this computer. (Figure: User Accounts, Users tab: Use the list below to grant or deny users access to your computer and to change passwords and other settings. Users for this computer: Administrator, group Administrators. Password for Administrator: To change your password, press Ctrl-Alt-Del and select Change Password.) Username: enter Administrator. Password: enter cr cker42. Confirm Password: enter cr cker42. (Figure: User Accounts, Automatically Log On: You can set up your computer so that users do not have to type a user name and password to log on. To do this, specify a user that will be automatically logged on below. User name: Administrator; Password; Confirm Password.) Step 31: Download Sigcheck on to your computer (the native host) from http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx. The VM that you created has the Windows Firewall switched off, and there is no anti-virus installed on it. Therefore, it is recommended that you download the programs and components on to the native host first and then copy them to the VM in VMware Workstation. Step 32: Extract sigcheck.zip to the C:\WINDOWS\system32 location. Creating analyzer VM: Create a VMDK fi
231. er name for Advanced Threat Defense to use to access the LDAP server. The user name must be specified in the DN format; for example, CN=root,OU=atd,DC=myhost,DC=com. Password: Enter the password. Authentication Method: Select the authentication method to be used to communicate with the LDAP server. IP Address: Specify the IP address of the LDAP server. Port Number: This field is populated automatically based on the selected authentication method. The default port number is 389 for Simple authentication and 636 for SSL authentication. Users can manually configure a different port number. Base DN: Specify the name of the domain in the LDAP server database where the search is to be performed. The name must be in DN format; for example, OU=atd,DC=myhost,DC=com. LDAP Scope: Specify the search scope in the LDAP server. It has the following three options: Subtree: the complete subtree of the Base DN is searched; Onelevel: one level below the Base DN is searched; Base: the base of the Base DN is searched. Login Attribute: Specify the attribute of the field to be searched in the LDAP server database. For example, in the case of OpenLDAP the login attribute can be uid, and in the case of Microsoft Active Directory it can be sAMAccountName. 4 Click the Test Connection tab. When the LDAP Test connection successful message appears, click OK. 5 Click the Submit tab. The LDAP configuration saved successfully message appears. The LDAP server configuration
232. er profile that has both sandbox and Internet access enabled. Following is the process flow when you submit a URL for analysis to Advanced Threat Defense: 1 Advanced Threat Defense uses a proprietary procedure to calculate the MD5 hash value of the URL. Then it checks this MD5 against its local blacklist. (The local whitelist is not applicable for URLs.) 2 It is assumed that the file that the URL refers to is of a supported file type. Then Advanced Threat Defense dynamically analyzes the file using the corresponding analyzer VM. It is assumed that the MD5 of the URL is not present in the blacklist, or that the Run All Selected option is selected in the corresponding analyzer profile. (The GTI File Reputation, Anti-Malware, and Gateway Anti-Malware analyze options are not relevant for URLs.) 3 Dynamic analysis and reporting for URLs is similar to that of files. It records all activities in the analyzer VM, including registry operations, process operations, file operations, runtime DLLs, and network operations. If the webpage downloads any dropper files, Advanced Threat Defense dynamically analyzes these files as well and includes the results in the same report under the embedded/dropped content section. 4 If a dropped file connects to other URLs, all these URLs are checked with TrustedSource for URL reputation and categorization. (Only the HTTP, HTTPS, and FTP protocols are supported for URL analysis.) Upload URLs for analysis using the Advanced Threat Defense web appl
233. er supply module; 1 Add-in adapter slots from riser card. Setting up the Advanced Threat Defense Appliance: Hardware specifications and environmental requests. Dimensions: ATD-3000: 734.66 L x 438 W x 43.2 H in millimeters (29 L x 17.25 W x 1.70 H in inches); ATD-6000: 712 L x 438 W x 87.3 H in millimeters (28 L x 17.24 W x 3.43 H in inches). Form Factor: ATD-3000: 1U rack mountable, fits 19-inch rack; ATD-6000: 2U rack mountable, fits 19-inch rack. Weight: ATD-3000: 15 Kg (33 lbs); ATD-6000: 22.7 Kg (50 lbs). Storage: ATD-3000: disk space HDD 2 x 4 TB, SSD 2 x 400 GB; ATD-6000: disk space HDD 4 x 4 TB, SSD 2 x 800 GB. Maximum Power Consumption: ATD-3000: 2 x 750 W; ATD-6000: 2 x 1600 W. Redundant Power Supply: ATD-3000: AC redundant, hot swappable; ATD-6000: AC redundant, hot swappable. AC voltage: ATD-3000: 100-240 V at 50-60 Hz, 5.8 Amps; ATD-6000: 100-240 V, 50-60 Hz, 8.5 Amps. Operating Temperature: ATD-3000: 10 C to 35 C (50 F to 95 F), with the maximum rate of change not to exceed 10 C per hour; ATD-6000: 10 C to 35 C (50 F to 95 F), with the maximum rate of change not to exceed 10 C per hour. Non-operating temperature: ATD-3000: -40 C to 70 C (-40 F to 158 F); ATD-6000: -40 C to 70 C (-40 F to 158 F). Relative humidity: ATD-3000: operational 10% to 90%; non-operational 90% at 35 C; ATD-6000: operational 10% to 90%, non-condensing; non-operational 50% to 90% with a maximum wet bulb of 28 C at temperatures from 2
234. er you click on Agree, no confirmation message is displayed. (Figure: Windows Explorer listing the extracted Sigcheck files.) Step 34: Click Agree for the Sigcheck License Agreement. (Figure: Sigcheck License Agreement: Sysinternals Software License Terms. These license terms are an agreement between Sysinternals, a wholly owned subsidiary of Microsoft Corporation, and you. Please read them. They apply to the software you are downloading from Systinternals.com, which includes the media on which you received it, if any.) Step 35: Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip on to the native computer, and then copy it to the VM. (Figure: Windows Explorer listing the MergeIDE files.) Step 36: Extract MergeIDE.zip and run the MergeIDE batch file in the VM. If prompted, select Run in the warning message. Close Windows Explorer. Creating analyzer VM: Create a VMDK file for Windows 7. Disable Windows updates: 1 Select Start | Control Panel | Windows Update | Change settings. 2 In the Change setting
235. erforms static analysis of the file. The objective is to check if it is a known malware in the shortest possible time and also to preserve the Advanced Threat Defense resources for dynamic analysis. For static analysis, Advanced Threat Defense uses the following resources. The static analysis sequence is: 1 Local Whitelist > 2 Local Blacklist > 3 McAfee GTI, McAfee Gateway Anti-Malware Engine, McAfee Anti-Malware Engine (these three resources are processed in tandem). Local Whitelist: This is the list of MD5 hash values of trusted files which need not be analyzed. This whitelist is based on the McAfee Application Control database that is used by other solutions in the McAfee suite. This has over 230,000,000 entries. The whitelist feature is enabled by default. To disable it, use the setwhitelist command. There are commands to manage the entries in the whitelist. The static McAfee Application Control database cannot be modified. However, you can add or delete entries based on file hash. You can also query the whitelist for a certain file hash to see if it has been added to the database. The default whitelist entries are not periodically updated. However, they might be updated when you upgrade the Advanced Threat Defense software. The McAfee products that submit files to Advanced Thr
236. ersion, active version, backup version, system health status, system uptime, sample files submitted count on that day, GTI scanner files submitted count on that day, GAM scanner files submitted count on that day, MAV scanner files submitted count on that day, YARA scanner files submitted count on that day, sandbox files submitted count on that day, sandbox files processed count on that day, sample files error count on that day, ePO config ON/OFF status, DXL config ON/OFF status, SNMP ON/OFF status, proxy config ON/OFF status, number of physical interfaces used actively, VM profile information from the database, analyzer profile information from the database, information on whether the deployment mode is StandAlone (SA) or LoadBalanced (LB), number of files submitted, user type, and number of malicious samples (severity > 3). (Figure: I accept the terms and conditions; Submit.) Upload Web Server certificate and CA certificate: Advanced Threat Defense allows customers to upload their own certificate for web server authentication. Follow the steps below to upload a certificate to Advanced Threat Defense: 1 Go to Manage | Configuration | Web Certificate. 2 In the Web Certificate section, upload a valid certificate along with the key in PEM format. The key length must be 2048 characters and above, and the signature algorithm must be of minimum SHA256 standard with RSA encryption. If the uploaded certificate does not contain a key, a Certificate is invalid me
237. es (SWF), install the required version of Adobe Flash: 1 Go to https://community.mcafee.com/docs/DOC-6859. 2 Refer to Adobe flash player installation guidance.docx. Creating analyzer VM: Create a VMDK file for Windows 2008 Server. Step 52: Shut down virtualMachineImage by selecting Start | Shut down. Step 53: Go to the location that you provided in step 8 to find the VMDK file, named virtualMachineImage-flat.vmdk. Create a VMDK file for Windows 2008 Server. Before you begin: Download VMware Workstation 9.0 or above from http://www.vmware.com/products/workstation/workstation-evaluation and install it. Make sure that you have the ISO image of Windows 2008 R2 SP1 for which you need to create the VMDK file. Only Windows 2008 64-bit SP1 Standard is supported. Make sure you have the license key for the operating system. Use this procedure to create VMDK files from ISO images of Windows 2008 R2 SP1. Step 1: Start VMware Workstation. This procedure uses VMware Workstation 10 as an example. Step 2: In the VMware Workstation page, select File | New Virtual Machine. (Figure: VMware Workstation menu bar File, Edit, View, VM, Tabs, Help; File menu: New Virtual Machine Ctrl+N, New Window, Open Ctrl+O, Close Tab Ctrl+W, Connect to Server, Virtualize a Physical Machine, Export to OVF, Map Virtual Disk.)
238. esponding nodes. State: Indicates the status of the node and any critical information related to that node. Some possible states are: Up and Ready; Heartbeat not received; Node is on different config version. Remove Node: Select a node and click to remove the node from the cluster. The configuration from the primary node is retained even when you remove a secondary node from the cluster. You cannot remove a primary node, or a Backup node that is in active state, before you remove all secondary nodes. This option is not available for a secondary node. Clustering McAfee Advanced Threat Defense Appliances: Configuring an Advanced Threat Defense cluster (high-level steps). Table 9-1 Option definitions (continued). Sync All Nodes: Click Sync All to trigger the configuration synchronization for all secondary nodes in the cluster. When you add a secondary node, or when you save any of the synchronized configuration in the primary node, the primary automatically triggers a synchronization to all secondary nodes in green and amber state. Details of the configuration sync are displayed for each node based on the success or failure of the synchronization. (Figure: Sync All Status: one row per node showing SUCCESS or ERROR, for example "Primary couldn't send config load request to secondary, verify sd logs for details".) Figure 9-7 Conf
239. ess. That is, it attempts to find the information from other sources and also sends a query to McAfee ePO. Configuring Advanced Threat Defense for malware analysis: Integration with McAfee ePO for OS profiling. The following explains how Advanced Threat Defense collaborates with McAfee ePO: 1 Network Security Platform or McAfee Web Gateway sends a file to Advanced Threat Defense for analysis. When Network Security Platform sends a file, the IP address of the target host is also sent. Advanced Threat Defense checks its cache to see if there is a valid operating system mapped to that IP address. If it is the first time that a file for that IP address is being analyzed, there is no information in the cache. So it determines the analyzer VM from the device profiling information (in the case of Network Security Platform) or the user record (in the case of McAfee Web Gateway). Simultaneously, it sends a query to McAfee ePO for host information based on the IP address. McAfee ePO forwards the host information to Advanced Threat Defense, which is cached for further use. Configure McAfee ePO integration: Integration with McAfee ePO enables McAfee ePO to gather information such as the operating system, browsers installed, and so on, on the target host. Advanced Threat Defense uses this information to select the best analyzer VM for dynamic analysis.
240. est versions of DAT available for Gateway Anti-Malware Engine and Anti-Virus.
3. Click Browse and locate the DAT files for Gateway Anti-Malware Engine and Anti-Virus that you want to import.
4. Click Upload to import the file.

If you delete the Current file, the Backup file automatically assumes the role of Current. Click Revert to reinstate the Backup file as the Current file.

If you want your DAT versions to be updated automatically, select Allow Automatic DAT Update and click Apply. Your DAT file is updated with the latest version available.

Note: Any manual update done with Allow Automatic DAT Update enabled is automatically overridden in the subsequent automatic DAT update cycle. Therefore, it is recommended to deselect Allow Automatic DAT Update before making any manual update.

Update Detection Package

Advanced Threat Defense allows you to import a maximum of two versions of the Detection Package at any given time. The version uploaded later becomes Current by default, rendering the previous one Backup. The Detection Package designated as Current is applied for malware detection.

7 Update content on Advanced Threat Defense: Update Detection Package

Task
1. Select Manage | Image & Software | Content Update.
2. Click the link provided to users for the system .msu download. Contact support for any assistance on downloading the detection package.
3. Click Browse and locate th
241. esult: Success, User: admin, Category: Admin, Client: 10.70.168.72, Action: Common Criteria Modification, Description: Common Criteria mode is saved successfully.
A following audit entry records a CLI login: Category: Admin, Action: CLI Login, Description: Login Success (tty1).

Tasks
- View Syslog log on page 261
- View Audit Log on page 261

View Syslog log

As per the selections made in the Syslog Setting page, McAfee Advanced Threat Defense starts logging the syslog events taking place within Advanced Threat Defense. Simultaneously, it prints the related logs, which you can view in the Advanced Threat Defense web application. You can use this information for troubleshooting purposes.

- After you click Submit in the Syslog Setting page, select Manage | Logs | Syslog to view the log entries. A maximum of 1000 events are displayed in the Advanced Threat Defense user interface, with the latest events at the bottom. More events are available on the configured syslog server. You cannot print or export the log entries.

View Audit Log

When you configure the audit function by selecting Audit Log in the Syslog Setting page, McAfee Advanced Threat Defense starts logging the administrative actions performed within Advanced Threat Defense. Through these log entries you can view what is happening as the
242. et ftp on page 363.

Generally, FTP transfer is faster than SFTP but less secure than SFTP. If your Advanced Threat Defense Appliance is placed in an unsecured network, such as an external network, McAfee recommends that you use SFTP.

Task
1. Open an FTP client. For example, you can use WinSCP or FileZilla.
2. Connect to the FTP server on Advanced Threat Defense using the following credentials:
   - Host: IP address of Advanced Threat Defense
   - Username: atdadmin
   - Password: atdadmin
   - Port: the corresponding port number, based on the protocol you want to use
3. Upload the VMDK file from the local machine to Advanced Threat Defense.

Convert the VMDK file to an image file

Before you begin
- You have uploaded the VMDK file to Advanced Threat Defense.
- You have admin user permissions in Advanced Threat Defense.

5 Creating analyzer VM: Convert the VMDK file to an image file

Task
1. In the Advanced Threat Defense web application, select Manage | Image & Software | Image.
2. In the Image Management page, select the VMDK file that you imported from the VMDK Image drop-down.
3. Provide a name for the image file.

Note: The name that you provide must be between 1 and 20 characters in length and must not contain any spaces. If the image name contains a space, the conversion to an image file fails.

For malware analysis, you might require multiple analyzer VMs that run on t
243. etails

Step 9: In the Processor Configuration window, leave the default values and click Next.

Step 10: In the Memory for the Virtual Machine window, set 3072 MB as the memory.

Creating analyzer VM: Create a VMDK file for Windows 2008 Server

Step 11: In the Network Type window, leave the default selection.
244. ete: Select if you want to remove an NTP server from the list.

Status: Indicates whether a particular NTP server is reachable. Green indicates that the server is reachable; red indicates that the server is not reachable.

Date Time: To manually specify the date and time for Advanced Threat Defense, deselect Enable Network Time Protocol and click Submit under Network Time Protocol. Specify the date and time in the corresponding fields and then click Submit under Date and Time Settings.

6 Configuring Advanced Threat Defense for malware analysis: Add an Advanced Threat Defense login banner

Time zone name: Select the required time zone from the list and click Submit under Time zone Setting. The default time zone is Pacific Time.

Submit: Implements the changes that you made in the corresponding sections of the Date and time settings page and also saves them in the database. After you click Submit for Network Time Protocol, a success message is displayed. If you click OK for this message, Advanced Threat Defense checks whether it can reach the specified NTP servers and updates the Status accordingly for each NTP server. You must click Submit separately for each affected section
245. etting
- Integration with McAfee Next Generation Firewall
- Configure proxy servers for Internet connectivity 254
- Specify Proxy Settings for Global Threat Intelligence traffic
- Specify Malware Site Proxy Settings for Malware traffic 256
- Configure Syslog Setting
- View Syslog log 261
- View Audit Log 261
- Configure DNS Setting 261
- Configure date and time settings 262
- Add an Advanced Threat Defense login banner 265
- Set minimum number of characters for password 266
- Configure Telemetry
- Upload Web Server certificate and CA certificate
- Configure maximum threshold wait time 270
- Enable Common Criteria setting

7 Update content on Advanced Threat Defense 273
- Uploading and Managing content
- Defining Custom Behavioral Rules
- Create the Custom Behavioral Rules file
- Define Custom Yara Scanner
- Create C
246. f events sent to ePO.
Syntax: clearstats tepublisher
This command has no parameters. The following information is displayed when you run this command:
All TEP stats are reset to zero
Sample Files Received Count 0
Sample Files Published Count 3 0

cluster withdraw
Use this command to destroy the cluster from the CLI command prompt. It is permitted to run on all nodes (Primary, Backup, Secondary). It wipes out all cluster-related configuration from that node and makes it a standalone box. This command can be used in scenarios where the normal means of removing a node (Remove Node, Withdraw From Cluster) do not remove that node from the cluster.
Syntax: cluster withdraw
This command has no parameters.

createDefaultVms
Use this command to create the default analyzer VMs.
Syntax: createDefaultVms
This command has no parameters.

db_repair
Repairs the ATD database in case the database gets corrupted.
Syntax: db_repair
This command has no parameters.

deleteblacklist
Use this command to remove all entries from the McAfee Advanced Threat Defense blacklist.
Syntax: deleteblacklist
This command has no parameters.

deletesamplereport
Deletes all the analysis reports for a file.

10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands

Syntax: deletesamplereport <md5>
Parameter: <md5> The MD5 value of the file for which you want to delete a
247. f it is a secondary, it also means that the primary node is receiving the secondary's heartbeat signal.

Amber: Indicates that the node is up but needs your attention. For example, the configuration might not be in sync with that of the primary.

Red: Indicates that the primary node is receiving the secondary node's heartbeat signal.

The primary node distributes files only to those nodes that are in the green status. If the status of a secondary turns amber or red midway through a file transfer, the primary node allocates the file to the next node in the queue.

ATD ID: This is a system-generated integer value that identifies the nodes in a cluster. The primary node generates this unique value and assigns it to the nodes in the cluster. This ID is displayed in the left-hand tree structure of the Analysis Status and Analysis Results pages on the primary node, which enables you to identify the node that analyzed a specific sample. The uniqueness of the ATD ID is based on the IP address of a node as stored in the primary node's database. Consider that you have 3 nodes in the cluster. You remove the secondary node with ATD ID 2 from the cluster and add it back again. Then this secondary node is assigned the same ATD ID of 2 if all these conditions are met:
- You have not changed the IP address of the node's eth-0 interface (management port).
- The primary node's database still has a record for the secondary's IP address.

IP Address: The m
248. Creating analyzer VM: Create a VMDK file for Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)

Step 8: In the Processor Configuration window, leave the default values and click Next.

Step 9: In the Memory for the Virtual Machine window, set 1024 MB as the memory.

Step 10: In the Network Type window, leave the default selection.
249. 7 Update content on Advanced Threat Defense: Modify Custom Behavioral Rules and Custom Yara Scanner file

4. In the pop-up that appears, select the type of YARA file to be imported: Custom Behavioral Rules or Custom Yara Scanner Rules.
5. Click Upload to import the file.
- If the Custom Behavioral Rules file is imported successfully, the "Custom YARA Scanner Rules uploaded successfully" message is displayed.
- If there are syntax errors in the Custom Behavioral Rules file, the "Uploaded file contains invalid Custom Behavioral Rules. Please check system log for more details" message is displayed.
- If there are syntax errors in the Custom Behavioral Rules file, the "Failed to Execute YaraEngineUtility" message is displayed.

You can review the system log for the details of the error. Select Manage | System Log to open the system log, where the errors are detailed.
250. 10 CLI commands for McAfee Advanced Threat Defense: List of CLI commands

Example: set tcpdump start -i eth0 -c 10
Syntax: set tcpdump <stop>
Parameters:
- start: Starts the packet capture operation on the specified tcpdump.
- stop: Stops the packet capture operation.

set uilog
Use this command to set the amount of UI access information to be logged. The level varies from 1 to 7.
Syntax: set uilog <seconds>
Parameter: <numeric> Sets the amount of UI access information to be logged.
Example:
ATD-6000> set uilog 5
new log level is 5

set ui timeout
Specifies the number of minutes of inactivity that can pass before the McAfee Advanced Threat Defense web application connection times out.
Syntax: set ui timeout <60-86400>
Parameter: <60-86400> You can set a timeout period from 60 to 86400 seconds.
Example: set ui timeout 600
Default value: 15 minutes

set whitelist
Use this command to configure checking of the whitelist by McAfee Advanced Threat Defense.
Syntax: set whitelist <enable>|<disable>
Example: set whitelist enable

show
Shows all the current configuration settings on the McAfee Advanced Threat Defense Appliance. This command has no parameters.
Syntax: show
251. fic secondary node, click the corresponding ATD ID. For the details of the options in the Analysis Results page, see View the analysis results on page 295.

Modifying configurations for an Advanced Threat Defense cluster

Regarding an Advanced Threat Defense cluster, configurations can be classified into two types:
- Settings that you configure only from the primary node. For the sake of explanation, these settings are referred to as synchronized configuration in this document.
- Settings that you configure individually in each node of an Advanced Threat Defense cluster. These settings are referred to as unsynchronized configuration.

Synchronized configuration

The following settings fall under this category:
- Managing analyzer profiles on page 239
- Managing McAfee Advanced Threat Defense users on page 37
- Integration with McAfee ePO for OS profiling on page 243
- Configure proxy servers for Internet connectivity on page 254
- Configure DNS setting on page 261
- Configure date and time settings on page 262

9 Clustering McAfee Advanced Threat Defense Appliances: Configuring an Advanced Threat Defense cluster, high-level steps

Log on to the primary node with admin rights to configure the settings listed above. When you click Save in the corresponding pages, the primary node bundles the entire synchronized configuration in a file and sends it to all available second
252. for Windows 2008 Server

Step 39: Lower the security to run macros for the Office applications.
- Open Microsoft Word 2003 and select Tools | Macro | Security, then select Low and click OK.
- Similarly, lower the macro security for Microsoft Excel and PowerPoint.

Step 40: You need the compatibility pack to open Microsoft Office files that were created in a newer version of Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding compatibility pack installed. Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats. Then install it on the virtual machine.

Creating analyzer VM: Create a VMDK file for Windows 2008 Server

Step 41: In the Compatibility Pack for the 2007 Office system dialog
253. ftware from 3.4.2.32 to 3.4.8 on page 44.
- If the current version is 3.4.4.63, you can directly upgrade to 3.4.8. See Upgrade ATD software from 3.4.4.63 to 3.4.8 on page 46.
- If the current version is 3.4.6, you can directly upgrade to 3.4.8. See Upgrade ATD software from 3.4.6 to 3.4.8 on page 48.

Notes:
- Once you upgrade, you cannot downgrade by loading the backup image using the reboot backup command.
- Once you upgrade to 3.4.8, you cannot downgrade by using system .msu files.
- Once you upgrade to 3.4.8, OpenSSL 1.0.1 is upgraded to OpenSSL 1.0.1m.
- Once you upgrade to 3.4.8, use the copyto backup command to ensure that the Active disk and Backup disk remain on the same software version of Advanced Threat Defense.
- Boot from Backup disk is not supported if the Backup disk and Active disk reside at different software versions of Advanced Threat Defense.

The Android version in the default Android analyzer VM is 4.3.

4 Managing Advanced Threat Defense: Upgrade Advanced Threat Defense and Android VM

Upgrade ATD software from 3.4.2.32 to 3.4.8

Before you begin
- Make sure that the current version of Advanced Threat Defense is 3.4.2.32.
- Make sure that the 3.4.8 system .msu file (the Advanced Threat Defense software that you want to use) is extracted and that you can access it from your client computer.
- You have the credentials to log on as the admin user in the Advanced Threa
254. g activities during dynamic analysis. You must thoroughly examine this file to understand the complete API calling sequence as well as the input and output parameters. This is the same as the User API Log report.
- vtest32ntv.txt: This file captures the Windows native services API calling activities during dynamic analysis.
- vtest32.txt: This file shows the PE header information of the submitted sample.
- vtest32_detail.asm: This is the same as the Disassembly Results report. This file contains the reverse-engineering disassembly listing of the sample after it has been unpacked or decrypted.
- vtest32_logicpath.gml: This file is the graphical representation of the cross-reference of function calls discovered during dynamic analysis. This is the same as the Logic Path Graph report.
- log.zip: This file contains all the run-time log files for all processes affected by the sample during the dynamic analysis. If the sample generates any console output text, the output text is captured in the ConsoleOutput.log file zipped up in log.zip. Use any regular unzip utility to see the content of all files inside this log.zip file.
- dump.zip: This file contains the memory dump (dump.bin) of the binary code of the sample during dynamic analysis. This file is password protected. The password is virus.
- dropfiles.zip: This is the same as the Dropped Files report in the Analysis Results page. The dropfiles.zip file contains all files c
255. gement ports.

9 Clustering McAfee Advanced Threat Defense Appliances: How the Advanced Threat Defense cluster works

4. The corresponding secondary Advanced Threat Defense responds with a job ID to the primary and begins to analyze the file based on the user profile. If the file is detected by static analysis, the secondary Advanced Threat Defense sends the malware result (severity) to the primary Advanced Threat Defense.
5. Depending on how the file is analyzed:
- If the file is detected by static analysis, the primary Advanced Threat Defense sends the malware result that it received from the secondary Advanced Threat Defense to the Sensor's management port.
- If the file is dynamically analyzed, the Sensor raises an informational alert in the Real-time Threat Analyzer. This informational alert is set to auto-acknowledge by default, which you can disable if necessary.
6. The Sensor forwards the job ID to the Manager. The Manager queries the primary Advanced Threat Defense Appliance's management port for the analysis reports. The primary Advanced Threat Defense pulls the reports from the corresponding Advanced Threat Defense Appliance based on the job ID, then forwards the reports to the Manager for display. Also, if the file is found to be malicious based on dynamic analysis, the alert in the Real-time Threat Analyzer is updated accordingly.
7. Backup Advanced Threat Defense assumes Primary Adva
256. grade log displays details such as the current software version, the previous software version and system details. Following is a sample upgrade log:

Tue Jul 14 02:23:12 PDT 2015 Following version of software are installed
amas build version 3.4.8.85.50409
android build version 4.3
av gti release 3.4.2.32.43041
avengines release 3.4.2.32.43041
linux xen release 3.4.8.82.50312
system config release 3.4.2.32.43041
buildscript version setup.sh 50362

Troubleshooting

The Troubleshooting page enables you to complete some tasks related to troubleshooting the Advanced Threat Defense web application. These include exporting logs from Advanced Threat Defense, downloading files pertaining to network packet capture, and clearing all the stored analysis results from the Advanced Threat Defense database.

4 Managing Advanced Threat Defense: Troubleshooting

Task
1. To access the Troubleshooting page, select Manage | Troubleshooting.

Figure 4.5 Troubleshooting page

2. Click Remove all Report Analysis Results to reset all the
257. he DXL channel is enabled and McAfee GTI Reputation is configured in the Analyzer Profile, Advanced Threat Defense does a file reputation lookup (McAfee GTI, TIE Enterprise Reputation) for the submitted samples through the DXL channel. If the TIE Enterprise Reputation is configured by the administrator on McAfee ePO, the Threat Analysis Report shows the TIE Enterprise Reputation severity score. If it is not set, the McAfee GTI file reputation fetched from the TIE server is displayed in the Threat Analysis Report.

Configure LDAP

The LDAP (Lightweight Directory Access Protocol) feature enables Advanced Threat Defense to use a dedicated LDAP server for user authentication. A separate server for user authentication provides a secure and centralized authentication system, with robust credential authentication and management for the various types of Advanced Threat Defense users. Configuring a dedicated LDAP server also avoids data replication at multiple hosts and thus increases data consistency.

LDAP authentication is applicable only to users with the Administrator role enabled in Advanced Threat Defense. For non-administrative users such as nsp, mwg, atdadmin and tie, authentication using an LDAP server is not supported; these users are authenticated against the Advanced Threat Defense database.

The following user account data must be created on the LDAP server. Accounts created on the LDAP server mus
258. he analysis summary, complete results and disassembly results are not backed up. If you delete the reports from the database from the Troubleshooting page and then restore a backup, the detailed result is listed in the Analysis Results page from the backup, but the reports are not available.
- Local blacklist. The local whitelist is not backed up.
- VM profiles. The image or VMDK files of the analyzer VMs are not backed up. Before you restore a backup, make sure the image files specified in the backed-up VM profiles are present in McAfee Advanced Threat Defense.
- Analyzer profiles
- User records
- McAfee ePO integration details

4 Managing Advanced Threat Defense: Back up and restore the Advanced Threat Defense database

- Proxy settings
- DNS settings
- Syslog settings
- SNMP settings
- Date and time settings, including the NTP server details
- Load balancing cluster settings, as displayed in the Load Balancing Cluster Setting page. Note: This does not include the configuration and analysis results from the other nodes in the cluster.
- Custom YARA rules and configuration
- Backup scheduler settings
- Backed-up file details, as displayed in the Restore Management page

The following data does not get backed up:
- Any sample file or URL that is being analyzed at the time of backup. Note: The Analysis Status page only shows the file currently being analyzed.
- The VMDK or image files of analyzer VMs
259. Step 28: In the Internet Information Services (IIS) pop-up window, complete the following:
1. Select File Transfer Protocol (FTP) Service.
2. Select Common Files.
3. Select Internet Information Services Snap-In, click OK, and then click Next.

Step 29: In the Insert Disk pop-up, click Cancel.
260. he corresponding backup file that you plan to restore is available on the FTP server at the specified directory.
- As a precaution, make sure that no other user is logged on to Advanced Threat Defense during the restoration window. Factor in the Advanced Threat Defense web application, REST APIs and CLI.
- Make sure that Advanced Threat Defense is not analyzing any sample files or URLs at the time of restoration. Also make sure that no integrated product, user or script is submitting samples during the restoration window.
- Make sure that you do not restore a backup during the backup window.
- Make sure that there is no Advanced Threat Defense software upgrade happening during the restoration window.
- There might be changes regarding the FTP server used for the backup. For example, the IP address of the FTP backup server might change, or you might want to migrate the FTP server to a new physical or virtual server. If the IP address changes, make sure you update the configuration accordingly on the Backup Scheduler Setting page. You can then restore from the required backup file. However, if the server itself is changed, you cannot restore the backups stored on the old server; you can only restore from the files backed up on the new server.
- You cannot restore a backup from an earlier or later version of Advanced Threat Defense software. All numbers in the version must exactly match. For example, you cannot restore a backup from 3.0
261. he following details in the Computer Name and Administrator Password window:
- Computer name: leave the default value
- Administrator password: cr cker42
- Confirm password: cr cker42

5 Creating analyzer VM: Create a VMDK file for Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)

Step 23: Click Next in the Date and Time Settings window.

Step 24: In the Network Settings window, leave the default values and click Next.

Step 25: Leave the default values in the Workgroup or Computer Domain window and click Next.
262. he same operating system but with different applications. For example, you might require a Windows 7 SP1 analyzer VM with Internet Explorer 10 and another Windows 7 SP1 analyzer VM with Internet Explorer 11.

If you plan to create multiple analyzer VMs of the same operating system, it is mandatory that you provide an Image Name. If you plan to create only one analyzer VM for a specific operating system, providing the Image Name is optional. If you do not provide a name, a default name is assigned to the image file, which you use to view the logs, create the VM profile, and so on. The default names for the image files are as follows:
- winXPsp2 corresponds to Microsoft Windows XP 32-bit Service Pack 2
- winXPsp3 corresponds to Microsoft Windows XP 32-bit Service Pack 3
- win7sp1 corresponds to Microsoft Windows 7 32-bit Service Pack 1
- win7x64sp1 corresponds to Microsoft Windows 7 64-bit Service Pack 1
- win2k3sp1 corresponds to Microsoft Windows Server 2003 32-bit Service Pack 1
- win2k3sp2 corresponds to Microsoft Windows Server 2003 32-bit Service Pack 2
- win2k8sp1 corresponds to Microsoft Windows Server 2008 R2 Service Pack 1
- win8p0x32 corresponds to Microsoft Windows 8 32-bit
- win8p0x64 corresponds to Microsoft Windows 8 64-bit

The name that you provide is appended to the default name. Suppose you provide with_PDF as the Image Name and the operating system is Windows Server 2003 32-bit Service Pack 1. Then the image file is name
263. hen you must have configured DNS settings in Advanced Threat Defense. If you specify public NTP servers, then using the domain names instead of IP addresses is recommended, because the domain of a public NTP server might resolve to different IP addresses based on various factors. Whether you enable NTP server synchronization or manually set the date and time, you must select the required time zone in the Date and Time Settings page. If you configure an NTP server, Advanced Threat Defense considers only the date and time from the NTP server; for the time zone, it relies on what is specified in the Date and Time Settings page. The date and time on an Advanced Threat Defense client has no impact on the timestamps that are displayed. Consider that the current time on the Advanced Threat Defense Appliance is 10 am PST (UTC-8). Regardless of the time zone from which you access this Advanced Threat Defense Appliance, all the timestamps are displayed in PST only; that is, the timestamps are not converted based on a client's date and time. When the current date and time settings are changed, the timestamps for all the older records are also changed accordingly. Consider that the current time zone is PST (UTC-8) and you change it to Japan Standard Time (UTC+9). Then the timestamps for the older records are all converted as per Japan Standard Time (JST). For example, if the timestamp displayed for a record in the Analysis Status page was 0100 hours (1 am PST) bef
264. here to accept the Microsoft Software License Terms. Creating analyzer VM 5: Create a VMDK file for Windows 2003 Server. Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued). Step 56: To analyze PDF files: 1. Install Adobe Reader 9.0 in the VM (download Adobe Reader to the native host and copy it to the VM). 2. Open Adobe Reader and click Accept. This procedure uses Adobe Reader 9.0 as an example. [Screenshot: Adobe Reader License Agreement dialog with the Accept button.] 3. a. In Adobe Reader, select Edit | Preferences | General and deselect Check for updates. b. In Adobe Reader, select Help | Check for updates | Preferences and deselect Adobe Updates. [Screenshot: Adobe Reader Preferences and Adobe Updater dialogs.]
265. his blank and click Next. This operation might take around 15 minutes. [Screenshot: Windows XP Professional Setup, Personalize Your Software window.] Step 21: Only if prompted, log on to virtualMachineImage with the following credentials: User: administrator. Password: cr cker42. Creating analyzer VM: Create a VMDK file for Windows XP. Table 5.2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 22: Stop the VMware Tools installation. The VMware Tools are not compatible with Advanced Threat Defense. If you did not stop the VMware Tools installation, you can continue with the VMDK file creation process, but make sure it is uninstalled when the VMDK file is ready. [Screenshot: VMware Tools installation prompt.] Step 23: In virtualMachineImage, select Start | Control Panel | Security Center | Windows Firewall | OFF. [Screenshot: Windows Security Center with Windows Firewall turned off.]
266. hortcut to open the Run dialog box. 2. In the Run dialog box, enter regedit and press Enter. [Screenshot: Run dialog with regedit entered; the task will be created with administrative privileges.] The Registry Editor opens. 3. Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and then double-click Shell. 4. Change Value data to explorer.exe explorer.exe instead of the default value of explorer.exe and click OK. [Screenshot: Registry Editor, Winlogon key, Edit String dialog for Shell.] Creating analyzer VM 5: Create a VMDK file for Windows 8. Step 22: In the VM, turn off the Windows Firewall. 1. Press the Windows key and X simultaneously and then select Control Panel | System and Security | Windows Firewall | Turn Windows Firewall on or off. 2. Select Turn off Windows Firewall (not recom
267. ication. Before you begin: Make sure that the required analyzer profile is available with the sandbox and malware Internet access options selected. Analyzing malware 8: Analyze URLs. You can upload URLs using two different options, based on the requirements, using the Advanced Threat Defense web application. These options are available for manually uploading URLs: URL: The selected URL is sent to the analyzer VM, and the file pointed to by the URL is downloaded to the analyzer VM for analysis. For example, when a user submits the URL http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe, the URL is sent to the analyzer VM, then the putty.exe file is downloaded to the analyzer VM. URL Download: The selected URL is downloaded to the Advanced Threat Defense. The file which the URL is pointing to is downloaded locally in the Advanced Threat Defense, and the downloaded file is then sent to the static analyzers and the analyzer VM for analysis. For example, when a user submits the URL http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe, the putty.exe file is downloaded to the Advanced Threat Defense, then sent to the analyzer VM. When you use the Advanced Threat Defense web application to submit a URL for analysis, select an analyzer profile. This analyzer profile overrides the default analyzer profile associated with your user account. Manual upload using URL option
268. ication, description, and severity. Use a "metadata field name = string value" format to define all three of these metadata fields. These fields are case insensitive. [Screenshot: a custom YARA rule open in Notepad; its meta section contains Classification = 32, Description = "CUSTOM yara test create remove directory", and Severity = 4.] Figure 7.4 Metadata for a custom YARA rule. a. Optionally, enter the classification value for Custom Behavioral Rules. Classification is the malware classification category to which a behavioral rule belongs. Use the following information to calculate the classification value: Persistence, Installation, Boot Survival: 1. Hiding, Camouflage, Stealthiness, Detection and Removal Protection: 2. Security Solution / Mechanism bypass, termination and removal, Anti-Debugging, VM Detection: 4. Spreading: 8. Exploiting, Shellcode: 16. Networking: 32. Data spying, Sniffing, Keylogging, Ebanking Fraud: 64. For example, if a YARA rule describes a malware that attempted to do spreading (value 8), installation/boot survival (value 1), and networking (value 32), then the total classification result is 8 + 1 + 32 = 41. b. Enter the description for the rule, which is displayed in the analysis reports. Dynamic An
269. iew the following monitors on the Advanced Threat Defense Dashboard: VM Creation Status: Shows the status for analyzer VMs that are being created. File Counters: Indicates the number of samples in progress. The samples displayed in the Running count are either being processed by the various engines (heuristic analysis) or by sandbox processing. Note: The number of samples displayed in the Running count includes all of the pre-processors and may indicate a value larger than the configured number of sandboxes. Top 5 URLs Analyzed by GTI: Lists the five most severe URLs being analyzed by GTI. Top 5 URLs: Lists the five most severe URLs being analyzed. VM Profile Usage: Lists the number of files analyzed by VMs along with the number of licenses for these analyzer VMs. Files Analyzed by Engine: Provides the severity and number of files analyzed by GAM, GTI, and Sandbox. Top 10 File Types by volume: Provides a view of the ten file types with the most files being analyzed. Top 5 Recent Malware by Filename: Lists the five most severe malware files in your network by file name. Top 10 Malware by Threat Name: Lists the ten most severe malware files in your network by threat name. System Health: Provides the system health details of the Advanced Threat Defense Appliance. System Information: Provides the version numbers for the software components of the Advanced Threat Defense Appliance. Task: 1. Click Dashboard to view the monitors.
270. iguration sync error. Withdraw from Cluster: This button is relevant only for secondary nodes. Click to withdraw a secondary node from the cluster and to use the secondary node as a standalone Advanced Threat Defense Appliance. Recall that if the primary and Backup nodes are down simultaneously, the load balancing cluster is down. In that case, click Withdraw from Cluster on the secondary nodes to withdraw them from the cluster and to use the secondary nodes as standalone appliances. Monitor the status of an Advanced Threat Defense cluster. Before you begin: You have successfully created a load balancing cluster as explained in Create the McAfee Advanced Threat Defense cluster on page 331. Clustering McAfee Advanced Threat Defense Appliances 9: Configuring an Advanced Threat Defense cluster, high-level steps. You can monitor the status of an Advanced Threat Defense cluster in the Load Balancing Cluster Setting page or by using the lbstats command. After configuring the cluster IP address, you can log in using the cluster IP address to access the Advanced Threat Defense interface. Task: 1. Log on to the CLI of the primary or a secondary node. 2. Run the lbstats command. Separate sections a
271. ility and manageability. It integrates application control, Intrusion Prevention System (IPS), and evasion prevention into a single, affordable solution. The following steps should be performed by a McAfee Next Generation Firewall customer to integrate McAfee Next Generation Firewall with McAfee Advanced Threat Defense: 1. Create a user called ngfw on Advanced Threat Defense after logging into Advanced Threat Defense as admin. This user has the same privileges as the nsp user. 2. Restart amas from the CLI. 3. Use the ngfw user on SCM to make REST API calls. There is no change to the existing SOFA protocol for file submission. Since a user called ngfw exists, all file submissions via the SOFA channel are assumed to be from McAfee NGFW appliances. Advanced Threat Defense is not able to support McAfee Network Security Platform and McAfee Next Generation Firewall in the same environment. Malware detection and McAfee Advanced Threat Defense 1: The Advanced Threat Defense solution. How the deployment options address the 4 major aspects of the anti-malware process cycle: Detection of file download: As soon as a user accesses a file, the inline Network Security Platform Sensor or McAfee Web Gateway detects this and sends a copy of the file to McAfee Advanced Threat Defense for analysis. Analysis of the file for malware: Even before the user fully downloads the file, McAfee Adva
272. indows 2003 Server SP1 or SP2 ISO image (continued). Step 17: In VMware Workstation, power on the virtual machine that you just created and install Windows Server 2003 following the usual procedure. This step might take around 30 minutes to complete. You can use the NTFS file system to format the partition during installation. Do not install VMware Tools. If you did not stop the VMware Tools installation, you can continue with the VMDK file creation process, but make sure it is uninstalled when the VMDK file is ready. [Screenshot: VMware Workstation library showing virtualMachineImage.] Step 18: In the Regional and Language Options window, you can customize the settings. [Screenshot: Windows Setup, Regional and Language Options window.]
273. ing for the Java Control Panel updates and will miss future security updates. [Screenshot: Java Update warning dialog recommending that Java periodically check for newer versions.] Step 47: In the Windows Run dialog, enter msconfig. [Screenshot: Run dialog with msconfig entered; the task will be created with administrative privileges.] Creating analyzer VM: Create a VMDK file for Windows 7. Step 48: In the System Configuration utility, go to the Startup tab. [Screenshot: System Configuration, Startup tab.] Deselect reader_s and jusched and then click OK. Step 49: In the System Configuration dialog, click Restart to restart your computer and apply these changes. [Screenshot: System Configuration restart prompt; before restarting, save any open files and close all programs.] Step 50: Open the default browser and set it up for malware analysis. This procedure uses Internet Explorer as an examp
274. integrates its native capabilities with other McAfee products to provide you a multilayered defense mechanism against malware. Its preliminary detection mechanism consists of a local blacklist to quickly detect known malware. It integrates with McAfee Global Threat Intelligence (McAfee GTI) for cloud lookups to detect malware that has already been identified by organizations throughout the globe. It has the McAfee Gateway Anti-Malware Engine embedded within it for emulation capability. It has the McAfee Anti-Malware Engine embedded within it for signature-based detection. It dynamically analyzes the file by executing it in a virtual sandbox environment. Based on how the file behaves, Advanced Threat Defense determines its malicious nature. [Figure 1.1 Components for malware analysis: McAfee Advanced Threat Defense static analysis components, including the Whitelist and the McAfee Anti-Malware Engine.] Malware detection and McAfee Advanced Threat Defense 1: The Advanced Threat Defense solution. McAfee Advanced Threat Defense deployment options: You can deploy McAfee Advanced Threat Defense in the following ways: Standalone deployment: This is a simple way of deploying McAfee Advanced Threat Defense. In this case, it is not i
275. Intel Security. Product Guide, Revision: McAfee Advanced Threat Defense 3.4.8. COPYRIGHT: Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1-888-847-8766, www.intelsecurity.com. TRADEMARK ATTRIBUTIONS: Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, and VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION: License Agreement. NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU D
276. irtual machine hardware compatibility. [Screenshot: New Virtual Machine Wizard, Hardware compatibility set to Workstation 9.0, listing compatible products (ESX Server, Fusion 5.0, Fusion 6.0, Workstation 10.0, Workstation 9.0) and their limitations.] Creating analyzer VM: Create a VMDK file for Windows XP. Table 5.2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 5: In the Guest Operating System Installation window, select either Installer disc or Installer disc image file (iso), browse and select the ISO image, and then click Next. [Screenshot: New Virtual Machine Wizard, Guest Operating System Installation window; Windows XP Professional detected, this operating system will use Easy Install.] Step 6: Enter the information in the Easy Install Information window and then click Next. Windows product key: Enter the license key of the Windows operating
277. ith admin role, you can view the existing list of McAfee Advanced Threat Defense users. If you do not have admin role, you can view your user record. Task: 1. Select Manage | User Management. The current list of users is displayed based on your role. [Figure 4.1 View the list of users: screenshot of the User Management page listing the users admin, nsp, atdadmin, and mwg with their Default Analyzer Profile.] Column name / Definition: Select: Select to edit or delete the user record. Name: Full name of the user as entered in the user details. Login ID: The user name for accessing McAfee Advanced Threat Defense. Default Analyzer Profile: The Analyzer Profile that McAfee Advanced Threat Defense uses when the user submits a sample for analysis. However, the user can override this at the time of sample submission. Managing Advanced Threat Defense 4: Managing McAfee Advanced Threat Defense users. 2. Hide the columns you do not want to see: a. Move the mouse over the right corner of a column heading and click the drop-down arrow. b. Select Columns. c. Select only the required column names from the list. [Screenshot: column heading drop-down menu with Sort Ascending, Sort Descending, and Columns.]
278. [Screenshot: Windows Explorer, Recent places, showing sigverif.] Creating analyzer VM 5: Create a VMDK file for Windows 8. Step 38: Click Agree for the Sigcheck License Agreement (C:\Windows\System32\sigcheck.exe). After you click Agree, no confirmation message is displayed. [Screenshot: Sysinternals Software License Terms dialog; you can also use the -accepteula command-line switch to accept the EULA.] Step 39: Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip on to the native computer and then copy it to the VM. Step 40: Extract MergeIDE.zip and run the MergeIDE batch file in the VM. [Screenshot: Compressed Folder Tools showing the extracted MergeIDE files.] If prompted, select Run in the warning message. Close Windows Explorer. Creating analyzer VM: Create a VMDK file for Windows 8. Step 41: T
279. l disk as a single file. Split virtual disk into multiple files: Splitting the disk makes it easier to move the virtual machine to another computer but may reduce performance with very large disks. [Screenshot: New Virtual Machine Wizard, disk options.] [Screenshot: New Virtual Machine Wizard, Specify Disk File; one 5 GB disk file will be created using the file name provided here, virtualMachineImage.vmdk.] Creating analyzer VM 5: Create a VMDK file for Windows 2003 Server. Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued). Step 16: Review the virtual machine creation settings and click Finish. This creates the virtual machine, and then you must install the operating system. [Screenshot: New Virtual Machine Wizard, Ready to Create Virtual Machine; click Finish to create the virtual machine, then you can install Windows Server 2003 Standard Edition; the virtual machine will be created with the settings listed.] Table 5.3 Create a VMDK file from W
280. l does not turn the AC power on or off. To remove AC power from the Advanced Threat Defense Appliance, you must unplug both AC power cords from either the power supply or the wall outlet. Handling the front bezel: You can remove the front bezel if required and then re-install it. However, before you install the bezel, you must install the rack handles. Task: 1. Follow these steps to remove the front bezel: a. Unlock the bezel if it is locked. b. Remove the left end of the front bezel from the rack handle. c. Rotate the front bezel anticlockwise to release the latches on the right end from the rack handle. Figure 2.13 Removing front bezel. Setting up the Advanced Threat Defense Appliance 2: Setting up Advanced Threat Defense. 2. Follow these steps to install the front bezel: a. Lock the right end of the front bezel to the rack handle. b. Rotate the front bezel clockwise until the left end clicks into place. c. Lock the bezel if needed. Figure 2.14 Installing front bezel. Connect the network cable. Task: 1. Plug a Category 5e or 6 Ethernet cable into the management port, which is located in the back panel. 2. Plug the other end of the cable into the corresponding network device. Configure network information for the Advanced Threat Defense Appliance: After you complete the initial installation and configuration, you can manage the Advanced Threat Defense Appliance from a remote computer or termin
281. le. 1. Make sure the pop-up blocker is turned on. In Internet Explorer, select Tools | Pop-up Blocker | Turn on Pop-up Blocker. [Screenshot: Internet Explorer Tools menu with the Pop-up Blocker submenu.] 2. Select Tools | Internet Options and, for Home page, select Use Blank or Use new tab, based on the version of Internet Explorer. [Screenshot: Internet Options, General tab, Home page set to about:blank.] 3. Go to the Advanced tab of the Internet Options and locate Security. 4. Select Allow active content to run in files on My Computer. [Screenshot: Internet Options, Advanced tab, Security settings, including Allow active content from CDs to run on My Computer, Allow active content to run in files on My Computer, and Allow software to run or install even if the signature is invalid.] 5. Click OK. Step 51: To dynamically analyze Flash fil
282. le when you first configure the network details for a McAfee Advanced Threat Defense Appliance, you must do so from the console. When you are successfully connected to the McAfee Advanced Threat Defense Appliance, you will see the login prompt. Issuing a command through SSH: You can administer a McAfee Advanced Threat Defense Appliance remotely from a command prompt over SSH. CLI commands for McAfee Advanced Threat Defense 10: CLI syntax. Logging on to the McAfee Advanced Threat Defense Appliance using an SSH client. Task: 1. Open an SSH client session. 2. Enter the IPv4 address of the McAfee Advanced Threat Defense Appliance and enter 2222 as the SSH port number. 3. At the logon prompt, enter the default user name cliadmin and password atdadmin. The number of logon attempts to the McAfee Advanced Threat Defense Appliance from a client on a single connection is set to 3, after which the connection is closed. The number of logon attempts to the McAfee Advanced Threat Defense Appliance can differ based on the SSH client that you are using. You can get three logon attempts with certain clients (for example, PuTTY release 0.54 and PuTTY release 0.56), or you can get four logon attempts with other clients (for example, PuTTY release 0.58 and Linux ssh clients). Auto-complete: The CLI provides an auto-complete feature. To auto-complete a command, press Tab after typing a few characters.
283. le for Windows 2008 Server. Step 33: In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe. [Screenshot: Windows Explorer, C:\WINDOWS\system32, showing sigcheck.exe.] Step 34: Click Agree for the Sigcheck License Agreement. After you click Agree, no confirmation message is displayed. [Screenshot: Sysinternals Software License Terms dialog; you can also use the -accepteula command-line switch to accept the EULA.] Step 35: Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip on to the native computer and then copy it to the VM. [Screenshot: Windows Explorer showing the extracted MergeIDE files.] Step 36: Extract MergeIDE.zip and run the MergeIDE batch file in the VM. If prompted, select Run in the warning message. Close Windows Explorer. Creating analyzer VM 5: Create a VMDK file for Wi
284. les just like how you submit files to a standalone Advanced Threat Defense Appliance. See Upload files for analysis using Advanced Threat Defense web application on page 284 for step-by-step information. You can also use the REST APIs of the primary node to submit files and URLs. See the Advanced Threat Defense APIs Reference Guide for information. You can also submit files using FTP or SFTP to the primary node. See Upload files for analysis using SFTP on page 289. If a cluster IP address is configured, you need to log in and submit files using the cluster IP address. Monitor analysis status for an Advanced Threat Defense cluster: The Analysis Status page of the primary node displays the analysis status for files analyzed by each node. On a secondary node, only those files analyzed by that secondary node are displayed. Similar to a standalone Advanced Threat Defense, you can view the status of samples that you submitted. If you have admin rights, you can view the status for samples submitted by any user. Task: 1. Log on to the web application of the primary node. 2. Select Analysis | Analysis Status. The Analysis Status node expands to display the secondary nodes of the cluster. Analysis Status corresponds to the primary node. The secondary nodes are listed under Analysis Status with their ATD ID and their management port IP address. [Screenshot: Analysis navigation tree showing Analysis Status, ATD Id 2, ATD Id 3, Analysis Results, and Manual Upload.]
285. les 228. Delete VM profiles 229. View the System log 229. Configuring Advanced Threat Defense for malware analysis 231. Terminologies. High-level steps for configuring malware analysis. How Advanced Threat Defense analyzes malware 235. Internet access to sample files 236. Managing analyzer profiles 239. View analyzer profiles 239. Create analyzer profiles 240. Edit analyzer profiles 242. Delete analyzer profiles. Integration with McAfee ePO. Configure McAfee ePO integration 244. Configure McAfee ePO integration to publish threat events 246. Configure McAfee ePO integration to publish threat event 246. Integration with Data Exchange Layer 248. Configure Data Exchange Layer integration 250. Integration with Threat Intelligence Exchange 251. Configure LDAP. Configure SNMP s
286. lex full half: Sets the speed to 10 or 100 Mbps at full or half duplex. 9. To verify the configuration, type show. This displays the current configuration details. 10. To check the network connectivity, ping other network hosts. At the prompt, type ping <IP address>. The success message host <ip address> is alive appears. If the host is not reachable, failed to talk to <ip address> appears. 11. Change the Advanced Threat Defense Appliance password by using the passwd command. A password must be between 8 and 25 characters, is case sensitive, and can consist of any alphanumeric character or symbol. McAfee strongly recommends that you choose a password with a combination of characters that is easy for you to remember but difficult for someone else to guess. 12. Reboot the ATD appliance. At any point in time, if you change the IP address of ATD, you must reboot the appliance to reflect the changes. Setting up the Advanced Threat Defense Appliance 2: Setting up Advanced Threat Defense. Accessing the Advanced Threat Defense web application: The Advanced Threat Defense web application is hosted on the Advanced Threat Defense Appliance. If you are an Advanced Threat Defense user with web access, you can access the Advanced Threat Defense web application from a remote machine using a supported browser.
287. …lick Browse and select the file. If you want to submit multiple files, upload them in a zip file.
• If you are uploading a password-protected zip file, make sure you have provided the password in the analyzer profile that you want to use for the analysis.
• If dynamic analysis is required, the files in the zip file are executed on different instances of the analyzer VM. If enough analyzer VMs are not available, some of the files remain in the pipeline until analyzer VMs become available. Because the files in the zip file are analyzed separately, a separate report is created for each file.
• Unicode is supported for the file name of samples; a file name can contain non-English characters and special characters. File names are displayed as the MD5 hash value of the file if the following characters are used: < >
• The file name can be up to 200 bytes in length.
Analyzer Profile  Select the required analyzer profile for the sample.
Advanced Submit  Click to specify additional parameters for analyzing the sample. The Advanced options are available only when you manually submit the file using the Advanced Threat Defense web application.
User Interactive Mode  Upon execution, some malware requires user input. This is typically done to check whether the malware is being analyzed in a sandbox: in the absence of user input, the malware might take an alternative execution path or suspend further execution. If you select thi
288. …lick OK, then click Submit. The sample is uploaded to Advanced Threat Defense and a success message with the details is displayed.
6 Click OK in the Uploaded File Successfully dialog box.
7 Click OK to go to the Analysis Status page.
Figure 8-3 X Mode in the Analysis Status page
8 On the Analysis Status page, click X Mode for the corresponding record.
9 After the file execution completes, the VM automatically shuts down. Once the analysis is complete, you cannot use Connect to view the VNC session; if you click Connect, a Failed to connect server error message is displayed. Clicking Disconnect only closes the VNC session on the client and displays a VNC disconnected message; clicking Connect again reconnects to the VNC session.
Upload samples for analysis in skip analysis mode
You can configure Advanced Threat Defense to skip analysis of a submitted sample if the same sample has been analyzed previously.
Analyzing malware: Analyze files
Task
1 Select Analysis | Manual Upload.
2 In the Manual upload field, click Browse and select th
289. …lick TelnetClients. (Windows notes that changes to a user's group membership are not effective until the next time the user logs on.)
3 Click Add and enter Administrator.
4 Click Check Names and then OK.
Creating analyzer VM: Create a VMDK file for Windows 8
Step 32  Press the Windows key and R simultaneously (the shortcut that opens the Run dialog box). Enter netplwiz and click OK. The task is created with administrative privileges.
Step 33  In the User Accounts window, deselect Users must enter a user name and password to use this computer and click Apply.
290. …ll Windows information: Windows product key; Version of Windows to install: Windows 8 Pro; Full name: administrator; Password and Confirm.
Step 7  If the VMware Workstation message displays, click Yes. The message reads: You have entered a Full Name that may conflict with a built-in account in the guest operating system. If it does conflict, you may be asked for a new Full Name by the installer. Would you like to continue?
Creating analyzer VM: Create a VMDK file for Windows 8
Step 8  Enter the following information in the Name the Virtual Machine window and then click Next:
• Virtual machine name: you must enter virtualMachineImage as the name.
• Location: browse and select the folder where you want to create the VMDK file. The default location can be changed at Edit | Preferences.
Step 9  In the Processor Configuration window, leave the default values (one processor, one core per processor) and click Next.
291. …ll the reports in McAfee Advanced Threat Defense.
Example: deletesamplereport c0850299723819570b793f6e81ce0495
diskcleanup
Use this command to delete some of the older analysis reports if the disk space of McAfee Advanced Threat Defense is low.
Syntax: diskcleanup
This command has no parameters.
dxlstatus
Use this command to see the status of DXL.
Syntax: dxlstatus
This command has no parameters. The following information is displayed:
<DXL STATUS>
STATUS              DISABLED
DXL Channel Status  DOWN
Sample Files Received Count
Sample Files Published Count
Sample Files Queued Count
docfilterstatus
The docfilterstatus command improves the performance of the Advanced Threat Defense Appliance by bypassing dynamic analysis of MS Office 2007 PowerPoint files (.pptx) that have no suspicious embedded content or malicious hyperlinks. Only suspicious .pptx files are analyzed in the sandbox; clean .pptx files are spared from entering the sandbox. The command was introduced to avoid unnecessary sandbox loading by MS Office 2007 Word and Excel files when they contain no suspicious content, and it lets you enable or disable the heuristic filter for MS Office 2007 Word and Excel files. By default, docfilterstatus is enabled.
Syntax:
set docfilterstatus <enable>
set docfilterstatus <disable>
Parameter  Description
enable  Sets the sample filtering
292. Figure 5-1 Binding and SSL settings (Binding: IP Address All Unassigned, Port, Enable Virtual Host Names, Start FTP site automatically; SSL: No SSL, Allow SSL, Require SSL, SSL Certificate)
4 For Authentication and Authorization Information, complete the following:
  a Select Basic.
  b For Allow access to, select All Users.
  c For Permissions, select both Read and Write, and then click Finish.
  d Close the Internet Information Services (IIS) Manager.
Creating analyzer VM: Create a VMDK file for Windows 7
Step 28  Select Start | Run, enter netplwiz and press OK. The task is created with administrative privileges.
Step 29  In the User Accounts window, deselect Users must enter a user name and password to use this computer and click Apply.
Step 30  In the Automatically Log On pop-up window, complete the following and then press OK in the message boxes:
293. …lue exceeds the configured threshold value for CPU Utilization and Memory Utilization.
• CPU Utilization
• Memory Utilization
The minimum threshold level supported is 30% and the maximum is 90%. By default, the threshold percentage displayed on the SNMP Setting page is 75%. Note that the CPU Utilization field on the SNMP Setting page is different from CPU Load shown under System Health on the Dashboard tab.
Task
1 Select Manage | Configuration | SNMP Setting. The page also offers Download MIB Files.
2 In the SNMP Monitoring area, select Allow SNMP Monitoring. You can modify the SNMP Community String; by default it is set to atdpublic. Change the default before exposing the appliance to SNMP polling, because anyone who knows the community string can read the monitored values.
3 In the SNMP Traps area, make these selections and entries:
• Select Send SNMP Traps.
• Enter the IP address of your local machine in the Destination IP field.
• Enter an SNMP trap port. By default this is set to 162.
• Under Trap Threshold, select the threshold percentage for the required attributes (CPU Utilization, Memory Utilization).
294. …lumn  Definition
Reports  Click to display the types of reports available for the sample: Analysis Summary (HTML), Analysis Summary (PDF), Dropped Files, Logic Path Graph, User API Log, Complete Results, Original Sample, together with the Submitted Time (for example 2014-10-25 01:42:02 MDT). Click any of the enabled reports to view the corresponding details. A specific report is enabled only if it is relevant to the analyzed file and also selected in the corresponding analyzer profile.
• Analysis Summary (HTML): the comprehensive report that is available for all file types. This report is also displayed when you double-click a record.
• Analysis Summary (PDF): select this to view the report in PDF.
• Dropped Files: select this to view the files that the analyzed sample created during dynamic analysis.
• Disassembly Results: select this to view the assembly-language code reverse engineered from the file. This report is relevant only for sample types such as .exe and .dll.
• Logic Path Graph: select this to view a graphical representation of which subroutines were executed during dynamic analysis and which were not.
• Dynamic Execution Logs: select this to view the Windows user-level DLL API calls made directly by the sample during dynamic analysis.
• Complete Results: click to download a zip file containing all the report types to your local machine.
• Original Sample: click to download the originally submitted sampl
295. …lware analysis  Upload Web Server certificate and CA certificate
1 Select Manage | Configuration | Telemetry.
2 Select I accept the terms and conditions at the bottom of the page.
3 Click Submit.
Telemetry Setting: Terms and Conditions
IMPORTANT NOTICE, PLEASE READ CAREFULLY. BY CLICKING ON THE CHECKBOX "I accept the terms and conditions" AT THE BOTTOM OF THIS PAGE YOU AGREE TO LET McAfee CAPTURE THE FOLLOWING TELEMETRY-RELATED DATA:
1 Labs require analysis results from Advanced Threat Defense (ATD) as telemetry to update their databases in order to categorize the samples (malware) that were analyzed by ATD. This telemetry data contains information related to the samples analyzed by the ATD. The data collected for the labs is: MD5 of sample, SHA-1 of sample, SHA-256 of sample, ATD detection score, digital signature data from the sample, parent metadata corresponding to dropped files, ATD product information, ATD analyzing options, scores, URLs visited by the file, IPv4 addresses visited by the file, product version that the sample belongs to, publisher name of the sample, product name that the sample belongs to, file version of the sample, and OS version that the file was found on.
2 Telemetry data related to the performance of ATD is also collected. This helps us improve the product and understand how customers use the ATD box. The data collected for ATD is: system type, serial number, software v
296. …lware_name>  The new malware name for the MD5.
<Eng ID>  The new engine ID that you want to change to.
<OS ID>  The new value for the operating system that was used to dynamically analyze the malware.
Example: blacklist update 254A40A56A6E28636E1465AF7C42B71F 4 ExampleFileName ExampleMalwareName 2 4
clearstats all
Use this command to reset all the McAfee Advanced Threat Defense statistics to zero.
Syntax: clearstats all
This command has no parameters. The following information is displayed:
<DXL STATUS>
STATUS              DISABLED
DXL Channel Status  DOWN
Sample Files Received Count   0
Sample Files Published Count  0
Sample Files Queued Count     0
clearstats dxl
Use this command to reset the DXL file counters to zero.
Syntax: clearstats dxl
This command has no parameters. The following information is displayed:
All DXL stats are reset to zero
Sample Files Received Count   0
Sample Files Published Count  0
clearstats lb
Use this command to reset all the McAfee Advanced Threat Defense load-balancing statistics to zero.
Syntax: clearstats lb
This command has no parameters.
CLI commands for McAfee Advanced Threat Defense: List of CLI commands
The following information is displayed: LB stats are reset to zero
clearstats tepublisher
Use this command to clear the count o
297. …lysis | Analysis Results, click Reports and select Logic Path Graph. Then download the <file name>_logicpath.gml file. To use this option, you must have enabled the Logic Path Graph option in the corresponding analyzer profile. Alternatively, after you click Reports, select Complete Results and download the <sample_name>.zip file. This zip file contains the same <file name>_logicpath.gml file in the AnalysisLog folder. The zip report contains the <file name>_logicpath.gml file regardless of whether you have enabled the Logic Path Graph option in the corresponding analyzer profile.
Analyzing malware: View the analysis results
This section uses the yWorks yEd Graph Editor to explain how to use the Logic Path Graph GML file. In the yEd Graph Editor, you must first set the Routing Style. You need to do this only once; the setting is saved for further use.
1 In the yEd Graph Editor, select Layout | Hierarchical.
2 In the Incremental Hierarchic Layout dialog, select the Edges tab and select Polyline from the Routing Style drop-down list.
Figure 8-11 Configuring Routing Style (Edges tab: Routing Style Polyline; Backloop Routing; Backloop Routing For Selfloops; Automatic Edge Grouping; Minimum First Segment Length; Minimum Last Segment Length; Minimum Length 20.0; Minimum Edge Distance 15.0; Minimum Slope 0.0; Port Constraint Optimization; Straighten Edges)
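The GML file is plain text, so the executed/not-executed information in the Logic Path Graph can be consumed without a graph editor. The following is an added example, not code from the guide, from ATD or from yEd: a small Python reader that parses GML, lists which subroutines ran, and lists the edges leading out of an executed node into one that never ran (the branches the sample did not take). The sample graph is constructed here, and the node attributes `label` and `executed` are assumptions; the attribute names ATD writes into `<file name>_logicpath.gml` are not given on this page.

```python
"""Parse a Logic Path Graph (GML) and report which subroutines ran.

Added example, not ATD or yEd code. Assumptions: each node carries a
'label' (subroutine name) and an integer 'executed' flag (1 = ran during
dynamic analysis, 0 = did not); each edge has 'source' and 'target' ids.
The real <file name>_logicpath.gml attribute names may differ."""
import re

# GML tokens: double-quoted strings, brackets, or bare words/numbers
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\[|\]|[^\s\[\]]+')


def parse_gml(text):
    """Minimal GML parser. Repeated 'node'/'edge' keys become lists."""
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def value():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "[":
            obj = {}
            while tokens[pos] != "]":
                key = tokens[pos]
                pos += 1
                val = value()
                if key in ("node", "edge"):
                    obj.setdefault(key, []).append(val)
                else:
                    obj[key] = val
            pos += 1  # consume the closing bracket
            return obj
        if tok.startswith('"'):
            return tok[1:-1]
        try:
            return int(tok)
        except ValueError:
            return tok

    doc = {}
    while pos < len(tokens):
        key = tokens[pos]
        pos += 1
        doc[key] = value()
    return doc


def coverage(gml_text):
    """Return executed / not-executed subroutines and the targets of edges
    that leave an executed node but were never executed themselves."""
    graph = parse_gml(gml_text)["graph"]
    nodes = {n["id"]: n for n in graph.get("node", [])}
    executed = {i for i, n in nodes.items() if n.get("executed", 0) == 1}
    not_taken = set()
    for e in graph.get("edge", []):
        if e["source"] in executed and e["target"] not in executed:
            not_taken.add(e["target"])

    def label(i):
        return nodes[i]["label"]

    return {
        "executed": sorted(label(i) for i in executed),
        "not_executed": sorted(label(i) for i in nodes if i not in executed),
        "branches_not_taken": sorted(label(i) for i in not_taken),
    }


# Constructed sample graph (not real ATD output)
SAMPLE_GML = """graph [
  directed 1
  node [ id 0 label "start" executed 1 ]
  node [ id 1 label "sub_401000" executed 1 ]
  node [ id 2 label "sub_401200" executed 0 ]
  node [ id 3 label "sub_401400" executed 1 ]
  node [ id 4 label "sub_401600" executed 0 ]
  edge [ source 0 target 1 ]
  edge [ source 1 target 2 ]
  edge [ source 1 target 3 ]
  edge [ source 2 target 4 ]
]
"""

if __name__ == "__main__":
    for kind, names in coverage(SAMPLE_GML).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The branches-not-taken list is the interesting output for a sandbox analyst: a subroutine reachable from executed code that never ran is where a sample may have checked for user input, a sandbox artifact or a missing Internet connection and taken the other path.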
298. …lyzes malware
3 Based on whether Internet connectivity is enabled, Advanced Threat Defense determines the mode in which network services are provided to the analyzer VM:
• Simulator mode: used if Internet connectivity is not enabled in the analyzer profile. Advanced Threat Defense represents itself as the target resource. For example, if the sample attempts to download a file through FTP, Advanced Threat Defense simulates this connection for the analyzer VM.
• Real Internet mode: used if Internet connectivity is enabled in the analyzer profile. This mode requires the management port (eth-0) or eth-1, eth-2 or eth-3 to have access to the Internet. By default, Advanced Threat Defense provides the real Internet connection through the management port, which is publicly routed or directed towards your enterprise firewall according to your network configuration. Because traffic from an analyzer VM could be malicious, you might want to segregate it from your production network; in that case, use eth-1, eth-2 or eth-3 of Advanced Threat Defense to provide Internet access to the analyzer VM.
4 Regardless of the mode used, Advanced Threat Defense logs all network activity. However, the types of reports generated might vary based on the mode.
• Network activities are summarized and presented in the Analysis Summary report. You can find the DNS queries and socket activities under netwo
299. …m that was used to dynamically analyze the malware.
Example: blacklist add 254A40A56A6E28636E1465AF7C42B71F 3 ExampleFileName ExampleMalwareName 4 2
• To delete an MD5 from the blacklist, use blacklist delete <md5>
  <md5>  The MD5 hash value of the malware that you want to delete from the blacklist.
  Example: blacklist delete 254A40A56A6E28636E1465AF7C42B71F
• To check whether an MD5 is present in the blacklist, use blacklist query <md5>
  <md5>  The MD5 hash value of the malware whose presence in the blacklist you want to check.
  Example: blacklist query 254A40A56A6E28636E1465AF7C42B71F
  If the MD5 is present, details such as the engine ID, malware severity score and so on are displayed.
CLI commands for McAfee Advanced Threat Defense: List of CLI commands
• To update the details for an entry in the blacklist, use blacklist update <md5> <score> <file name> <malware name> <Eng ID> <OS ID>
  <md5>  The MD5 hash value of the malware that you want to update. This value must already exist in the blacklist for you to update the record.
  <score>  The new malware severity score. A valid value is from 3 to 5.
  <file_name>  The new file name for the MD5.
  <ma
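The blacklist subcommands above (add, delete, query, update, with the update parameters continued in the entry that follows the clearstats commands) form a small MD5-keyed store with two rules worth encoding: the severity score is limited to 3 to 5, and update is only valid for an MD5 that is already listed. The following is an added example, not ATD's own code (the appliance CLI is proprietary): a Python reimplementation of those semantics, a parser for the same command-line syntax, and a lookup that hashes a sample the way the Local Black List static check does. The field names, the `parse_cli` helper and the constructed sample bytes are this example's own.

```python
"""Local MD5 blacklist with the add/delete/query/update semantics of the
ATD 'blacklist' CLI command, plus a lookup that hashes a sample.

Added example: the ATD CLI itself is proprietary, so this reimplements the
rules stated in the guide (MD5-keyed, score 3..5, update only for an
existing entry). Field names and parse_cli() are this example's choices."""
import hashlib
import re
from dataclasses import asdict, dataclass

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(data):
    """Lower-case hex MD5 of a byte string (the key the blacklist uses)."""
    return hashlib.md5(data).hexdigest()


@dataclass
class BlacklistEntry:
    md5: str
    score: int          # malware severity score, 3..5
    file_name: str
    malware_name: str
    engine_id: int      # <Eng ID>
    os_id: int          # <OS ID>: analyzer OS used for dynamic analysis


class Blacklist:
    def __init__(self):
        self._entries = {}

    @staticmethod
    def _key(md5):
        if not _MD5_RE.match(md5):
            raise ValueError(f"not a 32-hex-digit MD5: {md5!r}")
        return md5.lower()

    @staticmethod
    def _score(score):
        if not 3 <= int(score) <= 5:
            raise ValueError("malware severity score must be between 3 and 5")
        return int(score)

    def add(self, md5, score, file_name, malware_name, engine_id, os_id):
        key = self._key(md5)
        if key in self._entries:
            raise KeyError(f"{key} is already blacklisted; use update")
        entry = BlacklistEntry(key, self._score(score), file_name,
                               malware_name, int(engine_id), int(os_id))
        self._entries[key] = entry
        return entry

    def delete(self, md5):
        """True if an entry was removed, False if the MD5 was not listed."""
        return self._entries.pop(self._key(md5), None) is not None

    def query(self, md5):
        return self._entries.get(self._key(md5))

    def update(self, md5, score, file_name, malware_name, engine_id, os_id):
        key = self._key(md5)
        if key not in self._entries:
            raise KeyError(f"{key} is not blacklisted; use add")
        entry = BlacklistEntry(key, self._score(score), file_name,
                               malware_name, int(engine_id), int(os_id))
        self._entries[key] = entry
        return entry

    def check_sample(self, data):
        """Static check as the Local Black List engine does it: hash, then look up."""
        return self.query(md5_hex(data))


def parse_cli(bl, line):
    """Dispatch one 'blacklist <add|delete|query|update> ...' command line."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "blacklist":
        raise ValueError("expected: blacklist <add|delete|query|update> <md5> ...")
    verb, md5, args = parts[1], parts[2], parts[3:]
    if verb == "query":
        entry = bl.query(md5)
        return asdict(entry) if entry else None
    if verb == "delete":
        return bl.delete(md5)
    if verb in ("add", "update"):
        if len(args) != 5:
            raise ValueError("expected: <md5> <score> <file name> <malware name> <Eng ID> <OS ID>")
        return asdict(getattr(bl, verb)(md5, *args))
    raise ValueError(f"unknown blacklist subcommand {verb!r}")


if __name__ == "__main__":
    bl = Blacklist()
    print(parse_cli(bl, "blacklist add 254A40A56A6E28636E1465AF7C42B71F 3 ExampleFileName ExampleMalwareName 4 2"))
    print(parse_cli(bl, "blacklist query 254A40A56A6E28636E1465AF7C42B71F"))
```

Note that the store is keyed on MD5 only because that is what the appliance command accepts; the telemetry list later on this page shows ATD also records SHA-1 and SHA-256, and a hash an attacker can collide (MD5) is a weak sole identifier for a sample.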
300. …malicious activity.
Analyzing malware: Analyze URLs
Use either of these methods to submit URLs:
• Manually upload the URL using the Advanced Threat Defense web application.
• Use the RESTful APIs of the Advanced Threat Defense web application to upload URLs. See the Advanced Threat Defense RESTful APIs Reference Guide.
Malicious websites typically contain multiple types of malware. When a victim visits the website, the malware that suits the vulnerabilities present in the endpoint is downloaded. You can create multiple analyzer VMs, each with the operating systems, browsers, applications and browser plug-ins that are relevant to your network. If the browsers and operating systems are unpatched, you may be able to observe the actual behavior of the websites. The advantage of using Advanced Threat Defense is that you get a detailed report on previously unknown malicious domains, websites and IP addresses, as well as on the current behavior of known ones. You also get a detailed analysis report for benign sites that were recently compromised.
Advanced Threat Defense does not analyze URLs contained within files submitted for analysis. For example, when a Network Security Sensor submits a Microsoft Word file, Advanced Threat Defense analyzes the file for malware but does not analyze any URLs in the file.
How Advanced Threat Defense analyzes URLs
To analyze URLs, select an analyz
301. …malware after the file has been downloaded, it informs Network Security Platform, and you can use the Sensor to quarantine the host until it is cleaned and remediated. You can configure the Manager to update all the Sensors about this malicious file, so that if the file is downloaded again anywhere in your network, your Sensors might be able to block it. For information on how to integrate Network Security Platform and McAfee Advanced Threat Defense, refer to the latest Network Security Platform Integration Guide.
Figure 1-3 Integration with Network Security Platform and McAfee ePO (the Sensor forwards the endpoint's requested file download while sending a copy of the file to Advanced Threat Defense for analysis; McAfee GTI is queried over the Internet; the analysis result determines whether the download is safe)
Malware detection and McAfee Advanced Threat Defense: The Advanced Threat Defense solution
Integration with McAfee Web Gateway
You can configure McAfee Advanced Threat Defense as an additional engine for anti-malware protection. When a network user downloads a file, the native McAfee Gateway Anti-Malware Engine on McAfee Web Gateway scans the file and determines a malware score. Based on this score and the file type, McAfee Web Gateway sends a copy of the file to McAfee Advanced Threat Defense for deeper inspection and dynamic
302. …mance of your PC and allow standard users to install updates on this PC. [Windows Update settings: Turn on automatic updates / Let me choose my settings; Most recent check for updates: Never; Updates were installed: Never; You receive updates: For Windows only]
Creating analyzer VM: Create a VMDK file for Windows 8
Step 31  Complete the following:
1 Open the Control Panel and from the View by drop-down select Small Icons.
2 Select Administrative Tools | Computer Management and complete the steps in the next column.
1 Select Computer Management (Local) | System Tools | Local Users and Groups | Groups.
2 Double-c
303. …mbly code of PE files. See Disassembly Results on page 304.
Logic Path Graph  Select to generate the Logic Path Graph report. See Logic Path Graph on page 305.
User API Log  This report provides the Windows user-level DLL API calls made directly by the malware sample during dynamic analysis. See User API Log on page 310.
Configuring Advanced Threat Defense for malware analysis: Managing analyzer profiles
Option name  Definition
Local Black List  Select if you want Advanced Threat Defense to check the file's MD5 hash value against the list of blacklisted MD5 hash values in its local database.
Anti-Malware  Select if you want Advanced Threat Defense to scan the file using the McAfee Anti-Malware Engine.
GTI File Reputation  Select if you want Advanced Threat Defense to check the file's MD5 hash value with McAfee GTI. Make sure Advanced Threat Defense is able to communicate with McAfee GTI, which is in the cloud.
Gateway Anti-Malware  Select if you want Advanced Threat Defense to check the file using the McAfee Gateway Anti-Malware Engine.
Sandbox  Select if you want the file to be dynamically analyzed. A file is not dynamically analyzed if any of the static methods reports it as malware or as a white-listed file. If you want to dynamically analyze the file regardless of the result from static analysis, select Run All Selected as well. Make sure y
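The Sandbox option carries the one scheduling rule in this table: the selected static engines run first, and dynamic analysis is skipped as soon as one of them returns a conclusive verdict (malware or white-listed) unless Run All Selected is ticked. The following is an added example, not ATD's own scheduler, that encodes that rule in Python so the effect of a profile can be checked before samples are submitted. Engine names follow the option names above; the `Verdict` values, the `UNAVAILABLE` state for an engine such as GTI that cannot be reached, and the shape of the returned dictionary are assumptions.

```python
"""Which engines run, and whether a sample enters the sandbox, for one
analyzer profile. Added example, not ATD's own scheduler: it encodes the
rule the guide states (static engines first; dynamic analysis is skipped
once a static engine reports malware or a white-listed file, unless
'Run All Selected' is set). Engine names follow the profile options; the
Verdict values and the result dictionary shape are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"              # engine ran and found nothing conclusive
    WHITELISTED = "whitelisted"  # engine knows the file is good
    MALWARE = "malware"          # engine knows the file is bad
    UNAVAILABLE = "unavailable"  # engine could not answer (e.g. GTI unreachable)


# Static options from the analyzer profile, in the order they are listed
STATIC_ENGINES = ("Local Black List", "Anti-Malware",
                  "GTI File Reputation", "Gateway Anti-Malware")
CONCLUSIVE = (Verdict.MALWARE, Verdict.WHITELISTED)


@dataclass
class AnalyzerProfile:
    name: str
    selected: set = field(default_factory=set)  # ticked options, incl. "Sandbox"
    run_all_selected: bool = False


def plan_analysis(profile, static_results):
    """static_results maps engine name -> Verdict for engines that have run.
    Returns {"engines": [...], "sandbox": bool, "reason": str}."""
    engines = [e for e in STATIC_ENGINES if e in profile.selected]
    conclusive = [(e, static_results[e]) for e in engines
                  if static_results.get(e) in CONCLUSIVE]
    if "Sandbox" not in profile.selected:
        return {"engines": engines, "sandbox": False,
                "reason": "Sandbox not selected in profile"}
    if conclusive and not profile.run_all_selected:
        engine, verdict = conclusive[0]
        return {"engines": engines, "sandbox": False,
                "reason": f"{engine} reported {verdict.value}; dynamic analysis skipped"}
    if conclusive:
        return {"engines": engines, "sandbox": True,
                "reason": "Run All Selected: dynamic analysis despite static verdict"}
    # No conclusive verdict: the sample goes to the sandbox. Flag engines that
    # could not answer, since an unreachable GTI silently weakens the static stage.
    unavailable = [e for e in engines if static_results.get(e) == Verdict.UNAVAILABLE]
    reason = "no conclusive static verdict"
    if unavailable:
        reason += "; note " + ", ".join(unavailable) + " could not be reached"
    return {"engines": engines, "sandbox": True, "reason": reason}


if __name__ == "__main__":
    profile = AnalyzerProfile("default", {"Local Black List", "GTI File Reputation", "Sandbox"})
    print(plan_analysis(profile, {"Local Black List": Verdict.MALWARE}))
    print(plan_analysis(profile, {"GTI File Reputation": Verdict.UNAVAILABLE}))
```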
304. …me [Administrative Tools window: Computer Management, Defragment and Optimize Drives, Disk Cleanup, Internet Information Services (IIS) Manager, iSCSI Initiator, …]
2 Double-click Internet Information Services (IIS) Manager and expand the tree under the hostname.
3 If the message Do you want to get started with Microsoft Web Platform to stay connected with the latest Web Platform components? appears, select Do not show this message and click Cancel.
4 Select Sites, right-click Default Web Site and select Remove. Confirm by clicking Yes.
Creating analyzer VM: Create a VMDK file for Windows 8
5 Right-click Sites and select Add FTP Site. Then complete the following:
  a For FTP site name, enter root.
  b For Physical path, enter C:\.
  c Click Next.
Site Information: FTP site n
305. …mended) for both Home or work (private) network location settings and Public network location settings, and then click OK. [Customize Settings dialog: Turn on Windows Firewall / Turn off Windows Firewall (not recommended) for each type of network]
Creating analyzer VM: Create a VMDK file for Windows 8
Step 23  Disable Windows Defender:
1 Open the Control Panel and from the View by drop-down select Small Icons.
2 Click Windows Defender.
3 In Windows Defender, select Settings | Administrator and deselect Turn on Windows Defender. Then click Save changes.
306. Creating analyzer VM: Create a VMDK file for Windows 2008 Server
Step 26  In the Telnet Properties (Local Computer) dialog, select Automatic from the Startup type list. Then select Apply | Start | OK.
Step 27  Enable FTP on the virtual machine:
1 In virtualMachineImage, select Start | Administrative Tools | Internet Information Services (IIS) Manager.
2 In the Internet Information Services (IIS) Manager window, select Sites | Add FTP Site.
3 In the Add FTP Site wizard, enter the FTP site name and Physical path, and then click Next.
307. …move
Figure 4-6 Support bundle creation
Advanced Threat Defense collects the required information and a message is displayed at the bottom of the browser. After some time, the option to save the <ticket number>.tgz file is provided.
4 Provide the following files to McAfee support:
• System logs: atdlogs.bin
• Diagnostic logs: atdcore.bin
• Additional miscellaneous logs: <ticket number>.tgz
Recreate the analyzer VMs
During dynamic analysis, samples might corrupt some of the analyzer VMs, so those analyzer VM instances might not be available for further analysis. Under such circumstances, you can delete all the existing analyzer VMs and recreate them.
All the existing analyzer VMs, including the default Android VM and the healthy analyzer VMs, are deleted and re-created, so no file analysis is possible until all the analyzer VMs have been created again. The time taken for the re-creation varies with the number of analyzer VM instances and their size.
If you re-activate the Windows license on the VMDK over a VNC connection, you need to propagate that change to the existing analyzer VM instances. In that case you can also delete the target VM profile and create a new VM profile.
Managing Advanced Threat Defense: Back up and restore the Advanced Threat Defense database
Task
1 In the Troubleshooting page, click Create VMs a
308. …must enter a user name and password to use this computer. [User Accounts dialog: Users for this computer: Administrator (Administrators group); Password for Administrator: to change your password, press Ctrl+Alt+Del and select Change a Password]
• User name: enter Administrator
• Password: enter cr@cker42
• Confirm Password: enter cr@cker42
[Automatically Log On dialog: You can set up your computer so that users do not have to type a user name and password to log on. To do this, specify a user that will be automatically logged on below.]
Step 31  Download Sigcheck onto your computer (the native host) from http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx. The VM that you created has the Windows Firewall switched off and no anti-virus installed on it, so download programs and components onto the native host first and then copy them to the VM in VMware Workstation.
Step 32  Extract sigcheck.zip to the C:\WINDOWS\system32 location.
Creating analyzer VM: Create a VMDK file for Windows 7
Step 33  In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe.
309. …n name, click the column heading. You can sort the records in ascending or descending order. Alternatively, move the mouse over the right corner of a column heading and click the drop-down arrow, then select Sort Ascending or Sort Descending.
4 To view the complete details of a specific VM profile, select the record and click View.
Create VM profiles
After you have converted the VMDK file to the image format, you can initiate the VM creation and also create the corresponding VM profile. Each image file that you converted must be associated with only one VM profile; that is, you need one unused image file for each VM profile that you want to create. However, you can convert the same VMDK file to image files multiple times, which lets you create multiple image files from one VMDK file.
Task
1 Select Policy | VM Profile | New. The VM Profile page is displayed.
Figure 5-7 Select the image file (Image drop-down listing winXPsp3.img and android.img; Validate and Activate buttons; Name, Description, Default Profile and Maximum Licenses fields; Delete and Cancel)
2 From the Image drop-down, select the one for which you want to create the VM profile.
3 Click Activate to create the VM from the selected image file.
• When you click Activate, the Activation window opens in a new tab or window, depending on the browser settings. This is not related to Windows activation with Microsoft; you must complete Windows activation before you import the VMDK file in
310. …n of changes defined by a network administrator.
Creating analyzer VM: Create a VMDK file for Windows 2003 Server
Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 26  Log on to the virtual machine with the following credentials:
• User: administrator
• Password: cr@cker42
Step 27  If the Windows Server Post-Setup Security Updates page is displayed, click Finish. [The page lists Step 1: Update this server with Windows Update, and Step 2: Configure Automatic Updates.]
Step 28  If the Manage Your Server window is displayed, select Don't display this page at logon and close
311. n to manage VM profiles
A VM profile holds: the image (img file name); the name of the operating system; a user description for the VM profile (pre-installed applications and so on); whether this is the default VM profile; and the number of licenses for the operating system.
Figure 5.6 Configurations in a VM profile
View VM profiles
You can view the existing VM profiles in the Advanced Threat Defense web application.
Task
1 Select Policy | VM Profile. The currently available VM profiles are listed.
Column name: Definition
Select: Select to edit or delete the corresponding VM profile.
Name: Name that you have assigned to the VM profile.
Licenses: The number of end-user licenses that you possess for the corresponding operating system and applications. This is one of the factors that determine the number of concurrent analyzer VMs on Advanced Threat Defense.
Default: Whether this is a default VM profile.
Size: The size of the image file in megabytes.
Hash: The MD5 hash value of the image file. Compare it with the MD5 you computed on the image before uploading it to confirm the transfer was intact; MD5 is adequate for that integrity spot check but is not collision resistant, so it is not a defence against a deliberately substituted image.
2 Hide the unneeded columns:
a Move the mouse over the right corner of a column heading and click the drop-down arrow.
b Select Columns.
c Select only the required column names from the list.
d You can click a column heading and drag it to the required position.
3 To sort the records based on a particular colum
312. n waiting: 0; files in Sandbox: 0; Estimated average processing time for all samples: 58.00 seconds
show filesizes
Displays all the file types supported by McAfee Advanced Threat Defense with details such as the type number, the minimum and maximum file size in bytes, and a short description. This command has no parameters.
Syntax: show filesizes
The show filesizes command displays the following information (sizes in bytes):
Type  File description  Minimum size  Maximum size
1  Windows portable executable (PE) file: exe, dll and sys files  1024  10000000
2  PDF document file with pdf extension  2048  25000000
3  Java class data file with class extension  1024  5000000
4  Older Microsoft Office files with doc, ppt or xls extension  5120  10000000
5  Microsoft rich text format file with rtf extension  1024  10000000
6  Zip file, APK file or newer Microsoft Office file with docx, pptx or xlsx extension  200  20000000
7  JPEG image file  5120  1000000
8  PNG image file  5120  1000000
9  GIF image bitmap file  5120  1000000
10  Microsoft DOS executable file with com extension  1024  5000000
11  Flash file with swf extension  1024  5000000
12  7-Zip compressed archive file with 7z extension  200  10000000
13  RAR compressed archive file with rar extension  200  10000000
14  Microsoft cabinet compressed archive file with cab and msi extension  200  10000000
15  Miscellaneous text or script files, for example js, bat, vbs, xml, py, u
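As an added example (not code from the product guide), here is a pre-submission check that applies the same size windows the show filesizes output reports, so that a sample outside the supported window is caught before it is sent to the appliance. The type detection by magic bytes and extension, the function names and the constructed sample contents are this example's own assumptions; the appliance's own classifier is not described on the page.

```python
# Added example, not part of the McAfee product guide: a pre-submission size check
# that applies the limits reported by the `show filesizes` command, so that samples
# outside the supported window are rejected before they are sent to the appliance.
# Type detection by magic bytes and extension is this example's own assumption.
import os
from typing import Optional, Tuple

# Type number -> (description, minimum bytes, maximum bytes), as listed by show filesizes.
LIMITS = {
    1: ("Windows PE file (exe, dll, sys)", 1024, 10_000_000),
    2: ("PDF document", 2048, 25_000_000),
    3: ("Java class file", 1024, 5_000_000),
    4: ("Older Microsoft Office file (doc, ppt, xls)", 5120, 10_000_000),
    5: ("Rich text format file (rtf)", 1024, 10_000_000),
    6: ("Zip, APK or newer Office file (docx, pptx, xlsx)", 200, 20_000_000),
    7: ("JPEG image", 5120, 1_000_000),
    8: ("PNG image", 5120, 1_000_000),
    9: ("GIF image", 5120, 1_000_000),
    10: ("MS-DOS executable (com)", 1024, 5_000_000),
    11: ("Flash file (swf)", 1024, 5_000_000),
    12: ("7-Zip archive", 200, 10_000_000),
    13: ("RAR archive", 200, 10_000_000),
    14: ("Microsoft cabinet or installer (cab, msi)", 200, 10_000_000),
    15: ("Text or script file (js, bat, vbs, xml, py, ...)", 100, 1_000_000),
}

# Leading-byte signatures used by this example (assumption; the appliance's
# own classifier is not documented on the page).
MAGIC = [
    (b"MZ", 1), (b"%PDF", 2), (b"\xca\xfe\xba\xbe", 3),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 4), (b"{\\rtf", 5), (b"PK\x03\x04", 6),
    (b"\xff\xd8\xff", 7), (b"\x89PNG\r\n\x1a\n", 8), (b"GIF8", 9),
    (b"FWS", 11), (b"CWS", 11), (b"ZWS", 11),
    (b"7z\xbc\xaf\x27\x1c", 12), (b"Rar!\x1a\x07", 13), (b"MSCF", 14),
]
TEXT_EXTENSIONS = {".js", ".bat", ".vbs", ".xml", ".py", ".ps1", ".txt"}

def classify(name: str, head: bytes) -> Optional[int]:
    """Map a sample to a show filesizes type number, or None if unrecognised."""
    ext = os.path.splitext(name)[1].lower()
    if ext == ".msi" and head.startswith(b"\xd0\xcf\x11\xe0"):
        return 14          # MSI shares the OLE compound-file header with legacy Office
    for signature, type_no in MAGIC:
        if head.startswith(signature):
            return type_no
    if ext == ".com":      # DOS .com files have no header: fall back to the extension
        return 10
    if ext in TEXT_EXTENSIONS:
        return 15
    return None

def check_sample(name: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one sample against the supported size window."""
    type_no = classify(name, data[:16])
    if type_no is None:
        return False, f"{name}: unsupported or unrecognised file type"
    description, lo, hi = LIMITS[type_no]
    size = len(data)
    if size < lo:
        return False, f"{name}: {description} is {size} bytes, below the minimum of {lo}"
    if size > hi:
        return False, f"{name}: {description} is {size} bytes, above the maximum of {hi}"
    return True, f"{name}: {description}, {size} bytes, accepted as type {type_no}"

if __name__ == "__main__":
    # Constructed inputs, not real samples: a padded fake PE header and a truncated PDF.
    for name, data in [("dropper.exe", b"MZ" + b"\x00" * 1534),
                       ("tiny.pdf", b"%PDF-1.4\n" + b" " * 100)]:
        print(check_sample(name, data)[1])
```

Running the check in a submission script avoids paying the round trip for samples the appliance would refuse anyway, and the reason string tells the operator whether the file was too small (common for test stubs) or too large for its class.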
313. n your yara rule file at line 10: syntax error (Figure 7.8 Details of the error)
If you delete Current, the Backup file automatically assumes the role of Current. Click Revert to reinstate the Backup file as the Current file.
In a load-balancing scenario, the Custom YARA Scanner files must be uploaded manually to the primary node, the secondary nodes and the backup node using the instructions above. The Custom YARA Scanner analysis option is then enabled in the Analyzer Profile section of the primary node.
Modify Custom Behavioral Rules and Custom YARA Scanner file
Before you begin: You have imported the custom YARA text file into Advanced Threat Defense.
After you import the Custom Behavioral Rules and Custom YARA Scanner file, you might want to add more rules or modify existing ones, for example to change the severity value of a rule.
Task
1 Select Manage | Image & Software | Content Update.
2 In the Uploaded Content area, click the YARA Rules tab.
3 Click the link under File Name to download the file from the Advanced Threat Defense database onto your client.
4 Open the downloaded file in a text editor and make the required changes. When complete, save the file. You can rename this file as required.
5 Import the modified file into Advanced Threat Defense.
314. nced Threat Defense
Over the years, malware has evolved into a sophisticated tool for malicious activities such as stealing valuable information, accessing your computer resources without your knowledge, and disrupting business operations. At the same time, technological advancement provides limitless options for delivering malicious files to unsuspecting users. Hundreds of thousands of new malware variants every day make malware detection even more complex, and traditional anti-malware techniques are no longer sufficient to protect your network.
McAfee's response to this challenge is the Advanced Threat Defense solution, an on-premises Appliance that facilitates detection and prevention of malware. Advanced Threat Defense provides protection from known, near-zero-day and zero-day malware without compromising the quality of service to your network users. Advanced Threat Defense has the added advantage of being an integrated solution: in addition to its own multi-level threat detection capabilities, its ability to integrate with other McAfee security products protects your network against malware and other Advanced Persistent Threats (APTs).
Contents
> The malware threat scenario
> The Advanced Threat Defense solution
The malware threat scenario
Any software capable of being involved in hostile activities with respect to a computer, application or network can be termed malware. Advanced Threat Def
315. nced Threat Defense can detect known malware using sources that are local to it or in the cloud.
Block future downloads of the same file: Every time McAfee Advanced Threat Defense detects a medium, high or very high severity malware, it updates its local blacklist.
Identify and remediate affected hosts: Integration with Network Security Platform enables you to quarantine the host until it is cleaned up and remediated.
Advanced Threat Defense advantages
Here are some of the advantages that Advanced Threat Defense provides:
It is an on-premises solution that has access to cloud-based GTI. In addition, you can integrate it with other McAfee security products.
Advanced Threat Defense does not sniff or tap into your network traffic; it analyzes the files submitted to it for malware. This means that you can place the Advanced Threat Defense Appliance anywhere in your network as long as it is reachable by all the integrated McAfee products. Reachability cuts both ways: the management port accepts sample submissions and integration logons, so limit which hosts can reach it. It is also possible for one Advanced Threat Defense Appliance to serve all such integrated products, provided the number of files submitted is within the supported level. This design can make it a cost-effective and scalable anti-malware solution.
Advanced Threat Defense is not an inline device. It can receive files from IPS Sensors for malware analysis, so it is possible to deploy Advanced Threat Defense in such a way that you obtain the advantages of an inline anti-malware solution but without the associ
316. nced Threat Defense Appliance to be used by Advanced Threat Defense.
6 Configuring Advanced Threat Defense for malware analysis
Configure Telemetry
Telemetry data related to the Advanced Threat Defense Appliance is collected. This helps McAfee to improve Advanced Threat Defense and to understand how the Advanced Threat Defense Appliance is used. The system data collected for Advanced Threat Defense is as follows:
- Serial number
- Software version
- Active version
- Advanced Threat Defense Appliance backup version
- System health status
- System uptime
- Count of sample files submitted
- Count of McAfee GTI scanner files submitted
- Count of GAM scanner files submitted
- Count of AV scanner files submitted
- Count of YARA scanner files submitted
- Count of Sandbox files submitted
- Count of Sandbox files processed
- Count of sample file errors
- McAfee ePO configuration status (ON/OFF)
- DXL configuration status (ON/OFF)
- SNMP status (ON/OFF)
- Proxy configuration status (ON/OFF)
- Number of physical interfaces configured
- VM profile information
- Analyzer profile information
- Whether the deployment mode is StandAlone (SA) or LoadBalanced (LB)
- Number of files submitted, user type, and number of malicious samples (Severity > 3)
Task
1 Configuring Advanced Threat Defense for ma
317. nced Threat Defense role if the primary Advanced Threat Defense goes down for some reason.
Process flow for McAfee Web Gateway
Consider a scenario where Web Gateway is inline between the endpoints on your network and the web. This Web Gateway Appliance is integrated with an Advanced Threat Defense cluster consisting of three Advanced Threat Defense Appliances.
Figure 9.4 Web Gateway integrated with an Advanced Threat Defense cluster (diagram: Web Gateway and the primary, backup and secondary Advanced Threat Defense Appliances)
Number: Description
1 The endpoints attempt to download web objects.
2 Web Gateway forwards these requests.
3 When a file is downloaded, the native McAfee Gateway Anti-Malware Engine on Web Gateway scans the file and determines the malware score.
4 Based on the file type and the malware score, Web Gateway determines whether the file needs to be sent to Advanced Threat Defense for analysis and, if needed, forwards the file to the primary Advanced Threat Defense's management port.
5 The primary Advanced Threat Defense distributes such files among the members based on the number of files already submitted to each node: a heavily burdened node receives fewer samples for processing than a less burdened node. All commu
318. nd confirm that you want to delete all existing analyzer VM instances and recreate them.
2 Select Manage | Logs | System to view the logs related to VM re-creation. You can also select Dashboard and view the VM Creation Status monitor to follow the progress of VM re-creation. The Create VMs button in the Troubleshooting page becomes available again only after all the analyzer VM instances have been re-created.
Delete the analysis results
Task
1 In the Troubleshooting page, click Remove all Report/Analysis Results. Once you click Remove all Report/Analysis Results, all blacklist entries, whether added manually or automatically, are flushed. Because the local blacklist is what blocks future downloads of files already found to be malicious, that blocking is lost for those files as well.
2 Click Submit.
Back up and restore the Advanced Threat Defense database
As a precaution, you can periodically back up the Advanced Threat Defense database and then restore a backup of your choice when required. For example, to discard all changes made during a troubleshooting exercise, restore the backup that was taken before you started troubleshooting. You can schedule automatic backups to a designated FTP server on a daily, weekly or monthly basis. When you restore a backup, Advanced Threat Defense fetches the selected backup file from the FTP server and overwrites its database with the contents of the backup file. The FTP server therefore sits inside the appliance's trust boundary: anyone who can alter a backup there controls what a restore writes into the database, so restrict write access to it accordingly.
What gets backed up
The following data gets backed up:
- Results as displayed in the Analysis Results page
- Analysis reports such as t
319. ndows 2008 Server
Disable Windows updates:
1 Select Start | Control Panel | Windows Update | Change settings.
2 In the Change settings page, complete the following:
a Select Never check for updates (not recommended).
b Deselect the check box under Recommended updates.
3 Click OK.
Updates are disabled so that the analyzer image stays a fixed, reproducible target; the resulting VM is deliberately unpatched and must only ever run inside the appliance's isolated analysis environment.
Step 38 To analyze Microsoft Word, Excel and PowerPoint files, install Microsoft Office 2003 on the virtual machine. (Screenshot: the Office setup page for selecting the applications to install: Word, Excel, Access, PowerPoint, with the option to choose detailed installation options for each application.)
Creating analyzer VM: Create a VMDK file
320. ned rule is not present in the file analyzed, then Unverified is displayed in the analysis report for the file.
Import Custom Behavioral Rules and Custom YARA Scanner Rules
Before you begin: You have defined your Custom Behavioral Rules and Custom YARA Scanner Rules in a text file.
After you create your YARA rules in a text file, you import this file into Advanced Threat Defense using the Advanced Threat Defense web application. Advanced Threat Defense allows you to import a maximum of two versions of YARA rules at any given time. The version uploaded later becomes Current by default, rendering the previous one Backup. Rules defined in the DAT file designated as Current are applied for malware detection.
(Screenshot: the Content Update page, with Auto Update (Allow Automatic DAT Update, Apply), Manual Content Update (Upload File, Browse, Upload) and the Uploaded Content tabs GAM/AV DATs, YARA Rules, Detection Pkg and Packages. The YARA Rules tab lists File Name, Uploaded Date, Status and Action for three uploaded files: two Custom Behavioral Rules versions, the older with a Delete action and the newer with Delete and Revert, and one Custom YARA Scanner file, with upload dates in June 2015.)
Task
1 Select Manage | Image & Software | Content Update.
2 In the Uploaded Content area, click the YARA Rules tab.
3 Click Browse and locate the Custom Behavioral Rules or Custom YARA Scanner Rules file you want to import.
321. nfig Version: The version of the configuration file currently on the node.
System Status: Whether the node is up and running.
Table 9.2 Details of the lbstats command (continued)
Output entry: Description
System Health: Whether the node is in a good or an uninitialized state.
Sample Files Distributed Count: The total number of samples distributed among the nodes, including the primary node. This count includes both files and URLs. This data is displayed only when you run lbstats on the active node (primary node or backup node).
Submitting samples to an Advanced Threat Defense cluster
You use the primary node to submit samples to an Advanced Threat Defense cluster. The process is similar to how you use an individual Advanced Threat Defense Appliance.
- Make sure the integrated products interface with the primary node. When you configure the integration, use the passwords as configured in the primary node. For example, for Web Gateway, use the mwg user name and its password as configured in the primary node. If a backup node is configured, the cluster IP address should be the point of contact for these integrated products.
- To submit files and URLs manually, log on to the primary node with admin rights and submit the fi
322. nfigures the components. This may take several minutes. (Screenshot: the Insert Disk dialog asking you to insert the Windows XP Professional Service Pack 3 CD into the CD-ROM drive and click OK, or click OK to copy files from an alternate location such as a floppy disk or a network server.)
Creating analyzer VM: Create a VMDK file for Windows XP
Table 5.2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 30 In the Windows XP Setup pop-up, select OK. (Screenshot: "Please wait while Setup configures the components. This may take several minutes depending on the components selected.")
Step 31 In VMware Workstation, right-click the VM, which in this example is virtualMachineImage, and then select Settings. (Screenshot: the VM context menu: Close Tab, Mark as Favorite, Rename, Remove, Power, Removable Devices, Pause, Send Ctrl+Alt+Del, Grab Input, Snapshot, Capture Screen, Manage, Reinstall VMware Tools, Settings.)
Step 32 In the Virtual Machine Settings window, select CD/DVD
323. ng Windows 8 x64 and then VMware Tools. (Ready to Create Virtual Machine window: the virtual machine will be created with the following settings: the location chosen earlier, Version Workstation 9.0, Operating System Windows 8 x64, Hard Disk 24 GB pre-allocated, Network Adapter NAT, Other Devices CD/DVD, USB Controller, Printer, Sound Card; Power on this virtual machine after creation; click Finish to create the virtual machine and start installing Windows 8.)
Creating analyzer VM: Create a VMDK file for Windows 8
Step 18 If the Removable Devices pop-up window is displayed, select Do not show this hint again and click OK. Windows begins to install, which might take around 15 minutes.
Step 19 Log on to virtualMachineImage using the following credentials: user Administrator, password cr cker42.
Step 20 The VM displays in the Metro UI mode by default. Click the Desktop tile to switch to Desktop mode.
Step 21 Set up Windows 8 to display in the Desktop mode instead of the default Metro UI mode when it starts:
1 Press the Windows key and R simultaneously, which is the s
324. ng analyzer VM
(Screenshot: Adobe Reader Preferences, Trust Manager category. PDF File Attachments: Allow opening of non-PDF file attachments with external applications; Restore the default list of allowed and disallowed file attachment types. Internet Access from PDF Files outside the web browser: unless explicitly permitted, PDF files cannot send information to the Internet (Change Settings). Automatic Adobe Approved Trusted Certificates Updates: load trusted root certificates from an Adobe server (no personal information is sent), Ask before updating, Update Now. Automatic European Union Approved Trusted Certificates Updates: the same options.)
3 Under Adobe Reader Preferences | General, select Enable Protected Mode at startup and click OK. (Screenshot: the General category, with Adobe Reader Warnings (Do not show edit warnings) and Messages from Adobe (Show me messages when I launch Reader).)
325. nge the default password after logon.
- Network Security Platform: The logon name is nsp and the default password is admin. This account is used by Network Security Platform to integrate with McAfee Advanced Threat Defense.
- ATD upload admin: This is the default user account for accessing the FTP server on McAfee Advanced Threat Defense. The user name is atdadmin and the password is atdadmin.
- McAfee Web Gateway: This account is for the integration between McAfee Web Gateway and McAfee Advanced Threat Defense.
- McAfee Email Gateway: This account is for the integration between McAfee Email Gateway and McAfee Advanced Threat Defense.
- To access the CLI of McAfee Advanced Threat Defense, you must use cliadmin as the logon name and atdadmin as the default password. The user is forced to change the default password after logon. You cannot access this user record, and you cannot create any other user to access the CLI. You access the CLI through SSH over port 2222. See Log on to the CLI on page 345.
- If you are not an admin user, you can view your user record and modify it. To modify your role assignments, contact the admin user.
Because these default credentials are published in this guide, change every one of them, including the integration accounts, before the Appliance is reachable from the production network, and update the integrated products with the new passwords.
Multiple logins for admin users are allowed only when McAfee Advanced Threat Defense is in non-CC mode; they are not allowed in CC mode.
Viewing user profiles
If you are a user w
326. nger Diagnoses Connection Problems.
2 Select Tools | Internet Options and, for Home page, select Use Blank or Use new tab, depending on the version of Internet Explorer. (Screenshot: Internet Options, General tab, with the Home page address about:blank and the Use Default and Use Blank buttons.)
3 Go to the Advanced tab of the Internet Options and locate Security.
4 Select Allow active content to run in files on My Computer. This setting deliberately lets script in local HTML and JavaScript samples execute so that their behaviour can be observed; it is appropriate only inside the analyzer VM.
Creating analyzer VM: Create a VMDK file for Windows 7
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
(Screenshot: Internet Options, Advanced tab, Security settings, including Allow active content from CDs to run on My Computer, Allow active content to run in files on My Computer, Allow software to run or install even if the signature is invalid, Check for publisher's certificate revocation, Check for server certificate revocation (requires restart), Check for signatures on downloaded programs, Do not save encrypted pages to disk, Empty Temporary Internet Files folder when browser is closed, Enable Integrated Windows Authentication (requires restart), Enable Profile Assistant, Use SSL 2.0, Use SSL
327. nication between the members in a cluster is over their management ports. Assume that the file is sent to one of the secondary Advanced Threat Defense Appliances for analysis. The secondary Advanced Threat Defense returns the job ID and task ID to the primary node and begins to analyze the file. The primary node in turn returns the job ID and task ID to Web Gateway.
6 For the analysis reports, Web Gateway queries the primary node with the task ID. Using the task ID, the primary node identifies the Advanced Threat Defense that analyzed the file and pulls the reports from it.
7 In response to the query from Web Gateway, the primary Advanced Threat Defense forwards the reports.
8 Based on the report from Advanced Threat Defense, Web Gateway allows or blocks the file accordingly.
9 The backup Advanced Threat Defense assumes the primary role if the primary Advanced Threat Defense goes down for some reason.
Notes
When Web Gateway queries for an MD5 hash value with a time period but without the job or task ID, the primary node checks the MD5 hash in its database. If there is no matching record, the primary node checks the secondary nodes where the file was analyzed and sends the report back to Web Gateway without analyzing the corresponding file again.
When Web Gateway queries for an MD5 hash value for a running task without the job or task ID, the primary node checks the MD5 hash with status waiting or analyzing in its datab
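The dispatch and report-retrieval flow above, simulated as an added example (not McAfee's code): the integrated product talks only to the primary; the primary sends each sample to the member with the fewest submissions, remembers which member owns each task ID, serves report queries and MD5 lookups from that record without re-analysis, and hands the primary role to the backup on failover. Node names, the job/task ID format, the toy verdict and the least-burdened selection rule are assumptions of this example; the page states only that distribution is based on the number of files submitted to each node.

```python
# Added example, not part of the McAfee product guide: a simulation of the
# sample-dispatch and report-retrieval flow between an integrated product
# (here, Web Gateway) and an Advanced Threat Defense cluster. Node names, the
# job/task ID format, the toy verdict and the least-burdened selection rule are
# assumptions of this example.
import hashlib
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Node:
    name: str
    submitted: int = 0                                         # samples handed to this node
    results: Dict[str, dict] = field(default_factory=dict)     # task_id -> report
    by_md5: Dict[str, str] = field(default_factory=dict)       # md5 -> task_id

    def analyze(self, task_id: str, data: bytes) -> None:
        """Stand-in for the member's analysis: record a verdict for the task."""
        md5 = hashlib.md5(data).hexdigest()
        self.results[task_id] = {"md5": md5, "status": "completed",
                                 "severity": 4 if data.startswith(b"MZ") else 0,
                                 "analyzed_by": self.name}
        self.by_md5[md5] = task_id
        self.submitted += 1

class Cluster:
    """The primary node's view: integrated products talk only to the primary."""

    def __init__(self, primary: Node, backup: Node, secondaries: List[Node]):
        self.primary, self.backup = primary, backup
        self.members = [primary, backup] + list(secondaries)
        self.task_owner: Dict[str, Node] = {}
        self._counter = itertools.count(1)

    def submit(self, data: bytes) -> Tuple[str, str]:
        """Step 5: send the sample to the least burdened member and return job/task IDs."""
        target = min(self.members, key=lambda n: n.submitted)
        n = next(self._counter)
        job_id, task_id = f"job-{n}", f"task-{n}"
        target.analyze(task_id, data)
        self.task_owner[task_id] = target
        return job_id, task_id

    def report(self, task_id: str) -> Optional[dict]:
        """Steps 6 and 7: locate the analyzing member by task ID and return its report."""
        owner = self.task_owner.get(task_id)
        return owner.results.get(task_id) if owner else None

    def lookup_md5(self, md5: str) -> Optional[dict]:
        """MD5 query without job/task ID: the primary's own records first, then the
        other members; an earlier verdict is returned without re-analysis."""
        order = [self.primary] + [m for m in self.members if m is not self.primary]
        for node in order:
            task_id = node.by_md5.get(md5)
            if task_id is not None:
                return node.results[task_id]
        return None

    def failover(self) -> Node:
        """Step 9: the backup assumes the primary role."""
        self.primary, self.backup = self.backup, self.primary
        return self.primary

if __name__ == "__main__":
    cluster = Cluster(Node("atd-primary"), Node("atd-backup"), [Node("atd-secondary")])
    # Constructed input, not a real sample.
    job_id, task_id = cluster.submit(b"MZ" + b"\x90" * 64)
    print(job_id, task_id, cluster.report(task_id))
    print(cluster.lookup_md5(cluster.report(task_id)["md5"])["analyzed_by"])
```

Two properties of the real flow are visible in the simulation: a task ID is only meaningful to the primary that issued it, which is why integrated products must keep addressing the primary (or the cluster IP when a backup exists), and an MD5 lookup returns a cached verdict for any file with that hash, so the verdict is only as fresh as the original analysis.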
328. 8 Analyzing malware: Working with the Advanced Threat Defense Dashboard
Files Analyzed by Engine
In this monitor, you can view the severity and number of files analyzed by GAM, GTI and Sandbox. (Figure 8.21 Files Analyzed by Engine: a bar per engine, divided into Not Malicious, Clean and severity segments on a 0 to 100 scale.)
This monitor has drill-down capabilities. When you click a particular block, Advanced Threat Defense takes you to the Analysis Results page, displaying the records sorted according to the chosen block.
Top 5 URLs Analyzed by GTI
In this monitor, you can view the five most severe URLs being analyzed by GTI. This information might enable further research, such as finding more information about these entries on the web.
- The listed entries are sorted by severity level in descending order.
- The first column displays the names; the second column displays the severity level.
(Figure 8.22 Top 5 URLs Analyzed by GTI: columns URL and Total, showing three entries with a total of 1 each.)
Top 5 URLs
In this monitor, you can view the names of the five malicious files detected in your network, with the most severe ones listed on top. This information might enable further research, such as finding mo
329. nt bezel with key
McAfee Advanced Threat Defense Appliance front and back panels
Figure 2.3 ATD 3000 and ATD 6000 front panel
2 Setting up the Advanced Threat Defense Appliance: Before you install the Advanced Threat Defense Appliance
Label: Description
1 System ID button with integrated indicator light
2 NMI button (recessed; tool required for use)
3 NIC 1 activity indicator light
4 ATD 3000: NIC 3 activity indicator light; ATD 6000: not used
5 System cold reset button
6 System status indicator light
7 Power button with integrated indicator light
8 Hard drive activity indicator light
9 ATD 3000: NIC 4 activity indicator light; ATD 6000: not used
10 NIC 2 activity indicator light
An optional lockable bezel is included with the McAfee Advanced Threat Defense Appliance, which you can install to cover the front panel.
Figure 2.4 ATD 3000 Appliance back panel
Label: Description
1 Power supply module 1
2 Power supply module 2
3 Management port (NIC 1). This is the eth0 interface. The set appliance and set mgmtport commands apply to this interface. For example, when you use the set appliance ip command, the corresponding IP address is assigned to this interface.
4 NIC 2. This is the eth1 interface. This interface is disabled by default. To enable or di
330. ntegrated with other externally installed McAfee products. When deployed as a standalone Appliance, you can manually submit suspicious files using the McAfee Advanced Threat Defense web application; alternatively, you can submit the samples using an FTP client. This deployment option is used, for example, during the testing and evaluation phase to fine-tune the configuration and to analyze suspicious files in an isolated network segment. Research engineers might also use the standalone deployment option for detailed analysis of malware.
Figure 1.2 A standalone deployment scenario (Internal Network)
1 Malware detection and McAfee Advanced Threat Defense: The Advanced Threat Defense solution
Integration with Network Security Platform
This deployment involves integrating McAfee Advanced Threat Defense with the Network Security Platform Sensor and Manager. Based on how you have configured the corresponding Advanced Malware policy, an inline Sensor detects a file download and sends a copy of the file to McAfee Advanced Threat Defense for analysis. If McAfee Advanced Threat Defense detects malware within a few seconds, the Sensor can block the download. The Manager displays the results of the analysis from McAfee Advanced Threat Defense. If McAfee Advanced Threat Defense requires more time for analysis, the Sensor allows the file to be downloaded; the integration is therefore fail-open for slow verdicts, and the local blacklist only covers later downloads of a file already found malicious. If McAfee Advanced Threat Defense detects a
331. o a local hard
Creating analyzer VM: Create a VMDK file for Windows 2008 Server
Step 15 Specify the details in the Specify Disk Capacity window and then click Next:
- Maximum disk size (GB): For Windows 2008 Server the maximum disk size can be 30 GB; however, you must enter 14 GB for optimal performance.
- Select Allocate all disk space now.
- Select Store virtual disk as a single file.
(Screenshot: the Specify Disk Capacity window: Maximum disk size; Allocate all disk space now, which can enhance performance but requires all of the physical disk space to be available now, otherwise the virtual disk starts small and grows as you add data; Store virtual disk as a single file; Split virtual disk into multiple files, which makes it easier to move the virtual machine to another computer.)
Step 16 In the Specify Disk File window, make sure virtualMachineImage.vmdk is displayed by default and click Next. If you specified a different name for the virtual machine, that name is displayed here. (Screenshot: the Specify Disk File window: one 14 GB disk file will be created using the file name provided here.)
332. o analyze Microsoft Word, Excel and PowerPoint files, install Microsoft Office 2003 on the virtual machine. (Screenshot: the Office setup page for choosing which applications to install: Word, Excel, Access, PowerPoint, with the option to choose detailed installation options for each application.)
Step 42 Lower the security setting for running macros in the Office applications:
- Open Microsoft Word 2003, select Tools | Macro | Security, select Low and click OK. (Screenshot: the Security dialog. High: only signed macros from trusted sources are allowed to run; unsigned macros are automatically disabled. Medium: you can choose whether or not to run potentially unsafe macros. Low (not recommended): you are not protected from potentially unsafe macros; use this setting only if you have virus scanning software installed or you are sure all documents you open are safe.)
- Similarly, lower the macro security for Microsoft Excel and PowerPoint.
This setting exists so that macro-carrying documents run when detonated in the analyzer VM; the image is deliberately unsafe and must never be used outside the Appliance's isolated analysis environment.
Creating analyzer VM: Create a VMDK file for Windows 8
Step 43 You need the compatibility pack to open Microsoft Office files that were created in a newer version. In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software License Terms and click Continue.
333. o the preferred DNS server, the DNS Status is Critical and is indicated in red. If Advanced Threat Defense is not connected to any preferred DNS server, the DNS Status is Not Configured and is indicated in red.
Uptime: The number of hours the Appliance has been running continuously.
CPU Load: The actual system load. For example, a CPU load of 100 indicates that the CPU is fully loaded; 125 indicates that the CPU is fully loaded and 25 percent of the load is still waiting to be processed.
Memory Utilization: The percentage of the Appliance's memory currently in use.
Data Disk Space: The Appliance's disk capacity, in terabytes, for sample data storage such as the samples themselves and their report files.
Data Disk Available: The disk space currently available, in terabytes, for sample data storage.
Figure 8.25 System Health monitor (screenshot values: System Health, DNS Status, Uptime 17:06, CPU Load 4.25, Memory Utilization 3.76, Data Disk Space 3.02 T, Data Disk Available 2.00 T, System Disk Space 62.87 G, System Disk Available 51.52 G)
- System Disk Space: The Appliance's disk capacity for storing the Advanced Threat Defense system software data.
- System Disk Available: The disk space currently available for storing the Advanced Threat Defense system software data.
System Information
334. oad contents to the Advanced Threat Defense Appliance. This section introduces the related contents and provides the procedures to upload them to the Advanced Threat Defense Appliance.
Contents
Uploading and managing content
Defining Custom Behavioral Rules
Define Custom YARA Scanner
Import Custom Behavioral Rules and Custom YARA Scanner Rules
Modify Custom Behavioral Rules and Custom YARA Scanner file
Enable or disable Custom Behavioral Rules
Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus
Update Detection Package
Uploading and managing content
Use these high-level steps to configure Advanced Threat Defense for uploading and managing content.
1 Select Manage | Image & Software | Content Update.
2 If you want your uploaded DAT versions to be updated automatically, select Allow Automatic DAT Update and click Apply. Your DAT file is then updated with the latest available version every 90 minutes.
In the Uploaded Content area, contents already uploaded are displayed under the relevant content tab heading. Click the required content on the GAM/AV DATs, YARA Rules and Detection Pkg tabs to perform the following actions:
- View the following information about the uploaded content:
  - Feature: the name of the uploaded content
  - Engine: the name of the engine the content is applied to
  - DAT version: the version of the uploaded DAT
  - Engine Version: the version of
335. oading VMDK file to the McAfee Advanced Threat Defense Appliance.
Log User Activities: Select if you want to log the changes made by the user in the McAfee Advanced Threat Defense web application.
Restful Access: Select to grant access to the RESTful APIs of the McAfee Advanced Threat Defense web application, which are used to submit files for analysis. The Restful Access role must be selected for the integrated McAfee products that use the RESTful APIs; if you remove this selection, the integration might stop working.
Sample Download Access: This role enables a user to download the originally submitted samples.
Managing McAfee Advanced Threat Defense users
FTP Result Output: Specify the details of the FTP server to which McAfee Advanced Threat Defense must deliver the results of malware analysis. When you configure the FTP server details, McAfee Advanced Threat Defense sends the results to the specified FTP server as well as storing them on its data disk. When the data disk is 75 percent full, the older analysis results are deleted; to preserve the results for the longer term, configure FTP Result Output.
Remote IP: The IPv4 address of the FTP server.
Protocol: Specify whether FTP or SFTP must be used. McAfee recommends using SFTP, which protects the analysis results and the credentials used to deliver them in transit; plain FTP sends both in cleartext.
Path: The complete path to the folder where the results must be saved.
336. oduct Guide
Upgrade Advanced Threat Defense and Android VM
4. Under System Software, select the Android 4.3 .msu file.
(Screenshot: Software Management, System Software section with the File field, Browse, Reset Database and Install. The System Software file must be uploaded to the appliance using SFTP first.)
Figure 4.4 Select the Android file
5. Make sure that Reset Database is deselected, as it is not relevant for the Android upgrade, and click Install. The Android installation process begins with file validation.
6. A confirmation message is displayed ("System Software file was validated successfully. Installation will start shortly."). Click OK.
The Advanced Threat Defense web application logs you out automatically and the status of the installation is displayed in the browser ("Installation is in progress. Please wait.").
It takes a minimum of 20 minutes for the system software installation to complete.
If you are not able to view these messages, clear the browser cache.
When yo
337. oftware is installed, the Advanced Threat Defense Appliance restarts. A relevant message is displayed ("The system is going down for reboot now"). The Appliance restarts on its own; the message is for your information only.
If you are not able to view these messages, clear the browser cache.
8. Wait for the Advanced Threat Defense Appliance to start. Log on to the CLI and verify the software version.
9. Verify the version in the Advanced Threat Defense web application.
Upgrade Advanced Threat Defense and Android VM
10. Log on to the web application and, in the System Log page, verify that the vmcreator task is invoked. When you upgrade to Advanced Threat Defense 3.4.8, all analyzer VMs are automatically re-created. This process might take some time to complete, depending on the number of analyzer VMs.
11. Verify that the data and configurations from your earlier version are preserved. The software version you upgraded to is now stored in the active disk of the Advanced Threat Defense Appliance.
Whitelist status is disabled after you upgrade to Advanced Threat Defense 3.4.8; check it and re-enable it after the upgrade if your analysis workflow relies on whitelisting.
Upgrade ATD software from 3.4.4.63 to 3.4.8
Before you begin
Make sure that the current version of Advanced Threat Defense is 3.4.4.63.
Make sure that the 3.4.8 system software .msu file that you want to use is extract
338. on. This is used to install Windows 7.
(Screenshot: Easy Install Information: Windows product key; Version of Windows to install: Windows 7 Professional; Personalize Windows: Full name "administrator", Password (optional), Confirm; Log on automatically (requires a password).)
Step 7. If the VMware Workstation message is displayed, click Yes. The message reads: "You have entered a Full Name that may conflict with a built-in account in the guest operating system. If it does conflict, you may be asked for a new Full Name by the installer. Would you like to continue?" (with a "Do not show this message again" checkbox).
Create a VMDK file for Windows 7
Step 8. Enter the information in the Name the Virtual Machine window and then click Next.
Virtual machine name: You must enter virtualMachineImage as the name.
Location: Browse and select the folder where you want to create the VMDK file.
(Screenshot: New Virtual Machine Wizard, Name the Virtual Machine: Virtual machine name virtualMachineImage; Location. The default location can be changed at Edit > Preferences.)
Step 9. In the Processor Configuration window, leav
339. on at memory location 00401010 is making a function call to memory location 0x403c34, which is determined to be a system DLL API call, identified as URLDownloadToFileA. The comment shown in this listing provides the library function name.
View the analysis results
Logic Path Graph
This report is a graphical representation of the cross-reference of function calls discovered during dynamic analysis. It enables you to view the subroutines in the analyzed file that were executed during the dynamic analysis as well as the ones that were potentially not executed. These non-executed functions could be a potential time bomb waiting to trigger under the right conditions.
The Logic Path Graph report is available as a Graph Modeling Language (GML) file. This is an ASCII plain-text format that contains a graphical representation of the logic execution path of the sample. You cannot view this file directly in the Advanced Threat Defense web application; download it to your client computer and open it in a graphical layout editor that supports the GML format, such as the yWorks yEd Graph Editor, to display the cross-reference of all functions.
You can download the Logic Path Graph file using one of the following methods: In the Analysis Results page, Ana
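The guide says what the Logic Path Graph contains but leaves the reading of it to a GUI editor. The following Python is an added example, not McAfee code and not part of this guide: it parses a GML file of the shape described above and builds the call cross-reference, so that the subroutines that were never executed can be listed together with their callers. It assumes only the generic GML layout (graph, node, edge, id, label, source, target). The `executed` node attribute is an assumption about how the export marks executed subroutines; it is not documented here, and nodes without it are reported as unknown. The sample graph is constructed for the example.

```python
"""Cross-reference a Logic Path Graph (GML) export.

Added example; not McAfee code. It relies only on the generic GML layout
(graph/node/edge with id, label, source, target). The `executed` node
attribute is an ASSUMPTION about how the export marks executed subroutines;
nodes without it are reported as unknown rather than guessed.
"""
import re
from collections import defaultdict

# One token per match: quoted string, number, bare key, or bracket.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(-?\d+(?:\.\d+)?)|([A-Za-z_]\w*)|(\[)|(\])')


def _tokenize(text):
    for m in _TOKEN.finditer(text):
        string, number, key, open_b, close_b = m.groups()
        if string is not None:
            yield "str", string
        elif number is not None:
            yield "num", float(number) if "." in number else int(number)
        elif key is not None:
            yield "key", key
        elif open_b:
            yield "lb", None
        else:
            yield "rb", None


def _parse_list(tokens):
    """Parse key/value pairs up to the closing bracket.

    GML repeats keys (many `node [...]`, many `edge [...]`), so every key
    maps to a list of values.
    """
    out = defaultdict(list)
    for kind, value in tokens:
        if kind == "rb":
            break
        if kind != "key":
            raise ValueError("expected a key, got %r" % (value,))
        next_kind, next_value = next(tokens)
        out[value].append(_parse_list(tokens) if next_kind == "lb" else next_value)
    return dict(out)


def parse_gml(text):
    """Return the top-level `graph [...]` block as nested dicts and lists."""
    return _parse_list(_tokenize(text))["graph"][0]


def build_xref(graph):
    """Callers and callees per function label, plus the executed flag if present."""
    nodes = {n["id"][0]: n for n in graph.get("node", [])}
    name_of = {nid: n.get("label", [str(nid)])[0] for nid, n in nodes.items()}
    callees, callers = defaultdict(set), defaultdict(set)
    for e in graph.get("edge", []):
        src, dst = name_of[e["source"][0]], name_of[e["target"][0]]
        callees[src].add(dst)
        callers[dst].add(src)
    executed = {}
    for nid, n in nodes.items():
        flag = n.get("executed")  # assumed attribute; None when absent
        executed[name_of[nid]] = None if flag is None else bool(flag[0])
    return {"names": sorted(name_of.values()), "callees": dict(callees),
            "callers": dict(callers), "executed": executed}


def not_executed(xref):
    """Subroutines present in the graph but not executed during analysis:
    the candidates the guide calls potential time bombs."""
    return sorted(f for f, flag in xref["executed"].items() if flag is False)


def unreachable_from(xref, entry):
    """Functions with no call path from `entry` in the recorded graph."""
    seen, stack = set(), [entry]
    while stack:
        f = stack.pop()
        if f in seen:
            continue
        seen.add(f)
        stack.extend(xref["callees"].get(f, ()))
    return sorted(set(xref["names"]) - seen)


# Constructed sample in the GML shape described above; not a real export.
SAMPLE_GML = """
graph [
  directed 1
  node [ id 0 label "start" executed 1 ]
  node [ id 1 label "sub_401010" executed 1 ]
  node [ id 2 label "URLDownloadToFileA" executed 1 ]
  node [ id 3 label "sub_402200_payload" executed 0 ]
  node [ id 4 label "sub_402400_check_date" executed 1 ]
  edge [ source 0 target 1 ]
  edge [ source 1 target 2 ]
  edge [ source 1 target 4 ]
  edge [ source 4 target 3 ]
]
"""

if __name__ == "__main__":
    xref = build_xref(parse_gml(SAMPLE_GML))
    for f in not_executed(xref):
        print("not executed:", f, "called by", sorted(xref["callers"].get(f, ())))
```

Listing a non-executed function together with the subroutine that guards it (here a date check) is the triage question the report is meant to answer: which code path did the sandbox not reach, and what condition would have to hold for it to run.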
340. on is in progress. Please wait.
It takes a minimum of 20 minutes for the system software installation to complete.
7. After the software is installed, the Advanced Threat Defense Appliance restarts. A relevant message is displayed ("The system is going down for reboot now"). The Appliance restarts on its own; the message is for your information only.
If you are not able to view these messages, clear the browser cache.
8. Wait for the Advanced Threat Defense Appliance to start. Log on to the CLI and verify the software version.
9. Verify the version in the Advanced Threat Defense web application.
Upgrade Advanced Threat Defense and Android VM
10. Log on to the web application and, in the System Log page, verify that the vmcreator task is invoked. When you upgrade to Advanced Threat Defense 3.4.8, all analyzer VMs are automatically re-created. This process might take some time to complete, depending on the number of analyzer VMs.
11. Verify that the data and configurations from your earlier version are preserved. The software version you upgraded to is now stored in the active disk of the Advanced Threat Defense Appliance.
Whitelist status is disabled after you upgrade to Advanced Threat Defense 3.4.8.
Upgrade ATD software from 3.4.6 to 3.4.8
Before you begin
Make sure that the current version of Advanced Th
341. on options for each application. (Screenshot of the Office installation options, showing the space required and the space available on the drive.)
Create a VMDK file for Windows 7
Step 39. Lower the security level for running macros in the Office applications. Open Microsoft Word 2003, select Tools | Macro | Security, select Low and click OK.
(Screenshot: Security dialog, Security Level tab. High: only signed macros from trusted sources are allowed to run; unsigned macros are automatically disabled. Medium: you can choose whether or not to run potentially unsafe macros. Low (not recommended): you are not protected from potentially unsafe macros; use this setting only if you have virus scanning software installed or you are sure all documents you open are safe.)
Similarly, lower the macro security for Microsoft Excel and PowerPoint.
This setting is deliberate: the analyzer VM must let malicious document macros run so that their behavior can be observed in the sandbox. Never apply it to a production workstation.
Step 40. You need the compatibility pack to open Microsoft Office files that were created in a newer version of Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding compatibility pack installed. Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the Microsoft Office Compatibility Pack for Word, Excel and PowerPoint File Formats, then install it on the virtual machine. To open files created by a later version of
342. on using the host's IP address. Use host-only networking: connect the guest operating system to a private virtual network on the host. Do not use a network connection. (Network Type screenshot, continued.)
Step 11. In the Select I/O Controller Types window, leave the default selection.
(Screenshot: New Virtual Machine Wizard, Select I/O Controller Types. SCSI controller: BusLogic (not for 64-bit guests); LSI Logic (recommended); LSI Logic SAS.)
Create a VMDK file for Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 12. In the Select a Disk Type page, select IDE and click Next. SCSI disks are not compatible with Advanced Threat Defense.
(Screenshot: New Virtual Machine Wizard, Select a Disk Type: IDE; SCSI; SATA (not supported on Workstation 9.0).)
Step 13. In the Select a Disk window, select Create a new virtual disk and click Next.
(Screenshot: New Virtual Machine Wizard, Select a Disk: Create a new virtual disk. A virtual disk is composed of one or more files on the host file system, which appear as a single hard disk to the guest operating system. Virtual disks can easily be copied or moved on the
343. only if you have installed Adobe Reader.
Step 64. In the System Configuration dialog, click Restart. (The dialog reads: "You must restart your computer for some of the changes made by System Configuration to take effect.")
Step 65. In the System Configuration Utility dialog, select "Don't show this message or launch the System Configuration Utility when Windows starts" and click OK. (The dialog explains that you have used the System Configuration Utility to change the way Windows starts, which causes this message to be displayed and the utility to run every time Windows starts, and that choosing the Normal Startup mode on the General tab starts Windows normally and undoes the changes.)
Create a VMDK file for Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 66. Open the default browser and set it up for malware analysis. This procedure uses Internet Explorer as an example.
1. Make sure the pop-up blocker is turned on. In Internet Explorer, select Tools | Pop-up Blocker | Turn on Pop-up Blocker.
(Screenshot: Internet Explorer Tools menu with the Pop-up Blocker submenu (Turn Off Pop-up Blocker, Pop-up Blocker Settings), Manage Add-ons and Windows Update.)
344. ore you changed the time zone. After you change the time zone to JST, the timestamp for the same record is 1800 hours JST.
The date and time settings of all the analyzer VMs are immediately synchronized to the date and time on the Advanced Threat Defense Appliance.
Task
1. Select Manage | Configuration | Date and Time Settings. The Date and Time Settings page is displayed.
Configure date and time settings
2. Enter the appropriate information in the respective fields and click Submit in each affected section separately.
Enable Network: Select if you want Advanced Threat Defense to act as an NTP client. By default this is selected. To set the time for Advanced Threat Defense manually, deselect this option.
Priority: The order of priority assigned to the NTP servers. At the scheduled interval, Advanced Threat Defense attempts to synchronize with the first NTP server; if it is not available, it attempts the second, and then the third.
NTP Server Name: Specify the domain names or IPv4 addresses of the NTP servers, in order of priority, that Advanced Threat Defense should synchronize with. If you enter domain names, make sure you have configured the DNS settings properly. At any point in time there must be at least one reachable NTP server configured; accurate time matters here because analysis timestamps and the analyzer VM clocks all derive from it.
Del
345. orner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending. By default, the records are sorted in descending order based on the Submitted Time column.
To save the Analysis Status page settings, click the save icon.
View the analysis results
After you submit a file for analysis, you can view the results in the Analysis Results page. Older reports are deleted when the data disk of Advanced Threat Defense is 75 percent full. You can view the data disk space currently available in the System Health monitor of the Dashboard. If you configure the options under FTP Result Output in the User Management page, Advanced Threat Defense saves the results locally as well as sending them to the configured FTP server for your long-term use.
Task
1. Select Analysis | Analysis Results. The Analysis Results page lists the status of the completed files.
(Screenshot: Analysis Results page with the controls Last 24 hours, Refresh every 1 minute, Show All Results, Case Sensitive, Search By, Search and Export CSV, and the columns VM Profile, Hash, File Size, Source IP and Destination IP; the example rows show the StaticAnalysis and WinXPSP3 profiles.)
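The System Health monitor described in the Dashboard section and the 75 percent purge rule stated here are read by a person from the web application. The following Python is an added example, not McAfee code and not part of this guide: it takes the monitor's displayed values and turns them into the alerts a practitioner wants before results are silently purged or an overloaded appliance starts queueing work. The purge threshold and the meaning of a CPU Load above 100 come from the guide; the 10-point early-warning margin, the input dictionary shape and the "busy" snapshot are assumptions constructed for the example (the "healthy" values are those shown in Figure 8.25).

```python
"""Alert on the System Health values the dashboard shows.

Added example; not McAfee code. Two numbers come from the guide: analysis
results are purged once the data disk is 75 percent full, and a CPU Load
above 100 means that much of the load is still waiting. The input is a dict
of monitor labels to the displayed strings (a constructed shape; this
section documents no machine-readable feed for these values).
"""
import re

PURGE_THRESHOLD = 0.75   # guide: older results deleted at 75 percent full
WARN_MARGIN = 0.10       # assumed: warn 10 points before the purge point

_UNITS = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}


def parse_size(text, default_unit="T"):
    """Convert a displayed size to bytes.

    The data-disk fields are shown in terabytes with no unit ("3.027"),
    the system-disk fields with a suffix ("62.87G").
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGT])?B?\s*", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return float(m.group(1)) * _UNITS[m.group(2) or default_unit]


def disk_used_fraction(total_text, available_text, default_unit="T"):
    total = parse_size(total_text, default_unit)
    available = parse_size(available_text, default_unit)
    if total <= 0 or available > total:
        raise ValueError("inconsistent disk figures")
    return 1.0 - available / total


def check_health(snapshot):
    """Return the computed usage fractions and a list of alert strings."""
    alerts = []
    if snapshot.get("DNS Status") != "Healthy":
        alerts.append("DNS %s: name resolution during analysis is unreliable"
                      % snapshot.get("DNS Status", "missing"))
    load = float(snapshot["CPU Load"])
    if load > 100:
        alerts.append("CPU overloaded: %.0f%% of the load is still waiting" % (load - 100))
    data_used = disk_used_fraction(snapshot["Data Disk Space"],
                                   snapshot["Data Disk Available"], "T")
    if data_used >= PURGE_THRESHOLD:
        alerts.append("data disk %.0f%% full: older analysis results are being purged;"
                      " configure FTP Result Output to keep them" % (data_used * 100))
    elif data_used >= PURGE_THRESHOLD - WARN_MARGIN:
        alerts.append("data disk %.0f%% full: approaching the 75%% purge threshold"
                      % (data_used * 100))
    system_used = disk_used_fraction(snapshot["System Disk Space"],
                                     snapshot["System Disk Available"], "G")
    return {"data_disk_used": round(data_used, 3),
            "system_disk_used": round(system_used, 3),
            "alerts": alerts}


# Values read from Figure 8.25 in the guide, and a constructed busy appliance
# to exercise the alert branches.
HEALTHY_SNAPSHOT = {
    "DNS Status": "Healthy", "CPU Load": "4.25", "Memory Utilization": "3.76",
    "Data Disk Space": "3.027", "Data Disk Available": "2.007",
    "System Disk Space": "62.87G", "System Disk Available": "51.52G",
}
BUSY_SNAPSHOT = {**HEALTHY_SNAPSHOT, "CPU Load": "125",
                 "Data Disk Available": "0.9", "DNS Status": "Critical"}

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY_SNAPSHOT), ("busy", BUSY_SNAPSHOT)):
        print(name, check_health(snap))
```

The early-warning branch is the useful one: by the time the monitor shows the disk at 75 percent, the oldest reports are already gone, so the warning has to fire while there is still time to enable FTP Result Output.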
346. ot recommended; potentially dangerous code can run).
(Trust Center screenshot, continued: ActiveX Settings, Protected View, Trust access to the VBA project object model, Message Bar, File Block Settings, Privacy Options.)
Creating analyzer VM
Below are the Adobe Reader settings that must be selected after installing Adobe Reader version 8, 9 or 10.
1. Under Adobe Reader Preferences | Updater, select Do not download or install updates automatically and click OK.
(Screenshot: Preferences, Updater category: Check for updates. "Adobe recommends that you automatically install updates." Options: Automatically install updates; Automatically download updates but let me choose when to install them; Notify me, but let me choose when to download and install updates; Do not download or install updates automatically.)
2. Under Adobe Reader Preferences | Trust Manager, select Ask before updating in the Automatic Adobe Approved Trusted Certificates Updates section and click OK.
Disabling automatic updates keeps the analyzer image identical from one analysis to the next and stops the reader from generating its own network traffic during a run.
347. oth the sides.
Figure 2.11 Install the Appliance to rail
Drop in the rear spool first, followed by the middle and then the front.
Lifting the Advanced Threat Defense Appliance and attaching it to the rack is a two-person job.
7. Attach the lockable bezel to protect the front panel, if required.
8. Lift the release tab and push the Appliance into the rack.
Figure 2.12 Lift release tab and push Appliance into rack
9. To remove the Advanced Threat Defense Appliance from the rack, lift the release tab next to the front spool on the chassis and lift it out of the rails. This must be done simultaneously on both sides and requires two people.
Setting up Advanced Threat Defense
Turn on the McAfee Advanced Threat Defense Appliance
The Advanced Threat Defense Appliance has redundant power supplies pre-installed.
The Advanced Threat Defense Appliance ships with two power cords specific to your country or region.
Task
1. Plug one end of the first AC power cord into the first power supply module in the back panel and the other end into an appropriate power source.
2. Plug one end of the second AC power cord into the second power supply module in the back panel and the other end into an appropriate power source.
Advanced Threat Defense powers up without pressing the on/off button on the front panel. The on/off button on the front pane
348. ou have selected the VM profile and the Runtime Parameters.
Skip files if previously analyzed: Select if you want Advanced Threat Defense to skip analysis of a file that has already been analyzed.
Custom Yara Scanner: Select if you want Advanced Threat Defense to check the file using the Custom Yara Scanner rules.
Continue to run all engines even after file is found malicious: Select if you want Advanced Threat Defense to analyze the file using all the selected analyzer options regardless of the result from any individual method.
Enable Malware Internet Access: Select to provide Internet access to samples when they attempt to reach a resource on the Internet. To enable this option, the Sandbox option under Analyzer Options must be enabled. You must also have admin role privileges to select or deselect Enable Malware Internet Access.
Because the sample being analyzed could be malware, selecting Enable Malware Internet Access carries the risk of malicious traffic propagating out of your network (for example command-and-control callbacks, second-stage downloads or scanning of other hosts). A disclaimer message is displayed when you select this option, and you must click OK to proceed. An administrator can also configure proxy settings for malware traffic if there is a proxy server in the network.
Save: Creates the analyzer profile record with the information you provided.
Cancel: Closes the Analyzer Profile page without saving the changes.
Edit analyzer profiles
Task
349. port. For example: set intfport 1 10.10.10.10 255.255.255.0
3. For the Ethernet port, set the gateway through which you want to route the Internet access. For example: set malware intfport 1 gateway 10.10.10.252
4. Run the show intfport <port number> command for the port to check that it is configured for malware Internet access. For example: show intfport 1. Verify the Malware Interface Port and Malware Gateway entries.
(Screenshot of the show intfport output; not legible in this copy.)
To revert to the management port (eth-0) for malware Internet access, run set malware intfport mgmt in the CLI. Advanced Threat Defense then uses its management port IP address and the corresponding default gateway to provide Internet access to samples. A dedicated port is preferable because it lets you place sample egress on a separately filtered and monitored network segment instead of the management path.
Suppose you configured eth-1 for malware Internet access but now want to use eth-2. Follow the above procedure for eth-2; eth-2 is then set as the port for Internet access for malware.
Suppose you configured eth-1 for Internet access but now want to keep eth-1 with a different IP address or gateway. Repeat the procedure with the new IP address or gateway.
The route add network command is for general Advanced Threat Defense traffic, whereas set malware intfport is for Internet traffic from an analyzer VM. The route add network and set malware intfport commands therefore do not affect each other.
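The procedure above gives the command forms but no way to catch a mistyped gateway or an egress subnet that collides with the management network before the change goes live. The following Python is an added example, not McAfee code and not part of this guide: it validates the inputs and emits the exact command sequence shown above. The commands reproduce the guide's syntax; the checks themselves (gateway inside the port's subnet and not the port's own address, no overlap with the management network) are assumptions about a sensible deployment, not documented appliance behaviour, and the management-network and misconfigured values are constructed.

```python
"""Pre-flight check for the malware Internet access port configuration.

Added example; not McAfee code. It reproduces the command forms in the
procedure above (set intfport, set malware intfport ... gateway,
show intfport) and validates the inputs before they are typed into the CLI.
The guide states only the commands; the rules checked here are assumptions
about a sensible deployment, not documented appliance behaviour.
"""
import ipaddress


def plan_malware_egress(port, ip, netmask, gateway, mgmt_network=None):
    """Return the CLI lines for a dedicated sample-egress port plus any problems found."""
    iface = ipaddress.IPv4Interface("%s/%s" % (ip, netmask))
    gw = ipaddress.IPv4Address(gateway)
    net = iface.network
    problems = []
    if gw not in net:
        problems.append("gateway %s is not in %s; sample traffic would have no route"
                        % (gw, net))
    elif gw in (net.network_address, net.broadcast_address, iface.ip):
        problems.append("gateway %s cannot be the port's own, network or broadcast address"
                        % gw)
    if mgmt_network is not None:
        # Assumed policy: sample egress must not share the management segment.
        mgmt = ipaddress.IPv4Network(mgmt_network, strict=False)
        if net.overlaps(mgmt):
            problems.append("egress subnet %s overlaps management network %s" % (net, mgmt))
    commands = [
        "set intfport %d %s %s" % (port, ip, netmask),
        "set malware intfport %d gateway %s" % (port, gateway),
        "show intfport %d" % port,   # then verify Malware Interface Port and Malware Gateway
    ]
    return {"ok": not problems, "problems": problems, "commands": commands}


if __name__ == "__main__":
    # The guide's own example values, then two constructed misconfigurations.
    for args in ((1, "10.10.10.10", "255.255.255.0", "10.10.10.252", "192.0.2.0/24"),
                 (1, "10.10.10.10", "255.255.255.0", "10.10.20.1", None),
                 (2, "10.10.10.10", "255.255.255.0", "10.10.10.252", "10.10.10.0/24")):
        plan = plan_malware_egress(*args)
        print("OK" if plan["ok"] else "PROBLEMS", plan["problems"] or plan["commands"])
```

Only the first plan prints the command list; the other two stop before emitting anything, which is the point of checking on the workstation rather than discovering the mistake from a sample that never reaches its callback host.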
350. prefer to use FTP for these tasks, you can enable FTP.
In Common Criteria (CC) mode, FTP is not supported.
Syntax: set ftp <enable> | <disable>
By default, FTP is disabled.
Example: set ftp enable
See also: show ftp on page 369
set headerlog
Use this command to enable or disable the logging of information about the HTTP header. The lighttpd web server is restarted when this command is executed.
Syntax: set headerlog <enable> | <disable>
By default, header logging is disabled.
Example: set headerlog enable
See also: show headerlog on page 369
set logconfig
Use this command to set the debugging mode to be applied for logs.
Syntax: set logconfig <enable> | <disable>
The command displays, for each module, whether logconfig support is enabled or disabled. The modules are: IPS, AvDat, CLI, EPO, Monitor, Amaslib, GTI, GAM, MAV, Scanners, LB, DXL, INI, SNMP and CONFIG.
set heuristic_analysis
See heuristic_analysis on page 353.
set nsp ssl channel encryption
Use this command to configure an encrypted channel for NSP-ATD communication.
Syntax: set nsp ssl channel encryption <enable> | <disable>
Example: ATD-6000> set nsp ssl channel encryption enable
Encrypted data transfer from NSP
Use these steps for secur
351. pt button to agree to the License Agreement. (Screenshot: Adobe Systems Incorporated warranty disclaimer and software license agreement.)
Check for updates: In Adobe Reader, select Help | Check for updates | Preferences and deselect Adobe Updates. (Screenshot of the Adobe Updater preferences; not legible in this copy.)
Step 59. Download the following onto the native host and then install them on the VM:
Microsoft Visual C++ 2005 Redistributable Package (x86), from http://www.microsoft.com/en-us/download/details.aspx?id=3387
Microsoft Visual C++ 2008 Redistributable Package (x86), from http://www.microsoft.com/en-us/download/details.aspx?id=5582
Microsoft Visual C++ 2010 Redistributable Package (x86), from http://www.microsoft.com/en-us/download/details.aspx?id=5555
Each of these is an Authenticode-signed Microsoft installer; verify the signature on the host before copying it into the VM, because the image you build here is reused for every analysis.
Microsoft .NET Framework 2.0 Service Pack 2 (x86) ver
352. r McAfee Advanced Threat Defense
List of CLI commands
Syntax: ping <A.B.C.D> | <WORD>
<A.B.C.D>: The 32-bit IPv4 host address, written as four eight-bit numbers separated by periods. Each number A, B, C or D is between 0 and 255.
<WORD>: The domain name you want to ping.
quit
Exits the CLI. This command has no parameters.
Syntax: quit
reboot
Reboots the McAfee Advanced Threat Defense Appliance with the image in the current disk. You must confirm that you want to reboot.
Syntax: reboot
reboot active: Reboots the Appliance with the software version on the active disk.
reboot backup: Reboots the Appliance with the software version on the backup disk.
reboot vmcreator: Re-creates the analyzer VMs configured in the McAfee Advanced Threat Defense web application while rebooting the Appliance.
remove
This command removes all original samples from ATD for which analysis is complete. The remove command has these parameters:
now: When executed, immediately removes the original samples for all the completed samples present on ATD. Once removed, a sample can no longer be downloaded even if Sample Download Access is enabled.
enable: When executed, immediately removes the original samples for all the completed samples present on ATD and also lets you set a daily task to automatically remove original samples from newly complet
353. r Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued)
Step 53. Lower the security level for running macros in the Office applications. Open Microsoft Word 2003, select Tools | Macro | Security, select Low and click OK.
(Screenshot: Security dialog, Security Level tab. High: only signed macros from trusted sources are allowed to run; unsigned macros are automatically disabled. Medium: you can choose whether or not to run potentially unsafe macros. Low (not recommended): you are not protected from potentially unsafe macros; use this setting only if you have virus scanning software installed or you are sure all documents you open are safe.)
Similarly, lower the macro security for Microsoft Excel and PowerPoint.
Step 54. You need the compatibility pack to open Microsoft Office files that were created in a newer version of Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding compatibility pack installed. Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the Microsoft Office Compatibility Pack for Word, Excel and PowerPoint File Formats. Then install it on the virtual machine.
Create a VMDK file for Windows 2003 Server
Table 5.3 Create a VMDK file from Windows 2003
354. r a browser for accessing the McAfee Advanced Threat Defense Web Application.
Log on to the CLI
Before you can enter CLI commands, you must first log on to the McAfee Advanced Threat Defense Appliance with a valid user name (default: cliadmin) and password (default: atdadmin). To log off, type exit.
McAfee strongly recommends that you change this password using the passwd command during your first interaction with the McAfee Advanced Threat Defense Appliance. The default credentials are published in this guide, so an appliance left with them is open to anyone who can reach its CLI.
Meaning of ?
? displays the possible command strings that you can enter. If you use ? in conjunction with another command, it shows the next word you can type. For example, executing ? with the set command displays a list of all options available with the set command.
Managing the disks of the McAfee Advanced Threat Defense Appliance
The McAfee Advanced Threat Defense Appliance has two disks, referred to as disk A and disk B. Disk A is the active disk and disk B is the backup disk. Even if disk A is not the booted disk, it is still referred to as the active disk; similarly, even if disk B is the booted disk, it is still referred to as the backup disk. By default, both disks contain the pre-installed software version. Use the show command to view the software version stored in the active and backup disks.
List of CLI commands
355. r button does; Preferred plans: Balanced, High performance; Create a power plan; Choose when to turn off the display; Change when the computer sleeps. (Power Options screenshot, continued.)
4. Select Never for Turn off the display and for Put the computer to sleep, and then click Save changes.
(Screenshot: Power Options > Edit Plan Settings for the High performance plan: Turn off the display: Never; Put the computer to sleep: Never.)
Create a VMDK file for Windows 8
Step 27. Press the Windows key and X simultaneously and then select Computer Management | Services and Applications | Services. Then double-click Telnet.
(Screenshot: the Windows+X menu (Programs and Features, Power Options, Event Viewer, System, Device Manager, Disk Management, Command Prompt, Command Prompt (Admin)) and the Computer Management console with the Telnet service selected. Its description reads: "Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access
356. r network, you can configure it to analyze malware. For this you use the Advanced Threat Defense web application. You must have at least the web access role to configure malware analysis.
This section introduces you to the related terminology and provides the procedures to set up Advanced Threat Defense for malware analysis.
Contents
Terminologies
High-level steps for configuring malware analysis
How Advanced Threat Defense analyzes malware
Managing analyzer profiles
Integration with McAfee ePO for OS profiling
Configure McAfee ePO integration to publish threat events
Integration with Data Exchange Layer
Integration with Threat Intelligence Exchange
Configure LDAP
Configure SNMP setting
Integration with McAfee Next Generation Firewall
Configure proxy servers for Internet connectivity
Configure Syslog setting
Configure DNS setting
Configure date and time settings
Add an Advanced Threat Defense login banner
Set minimum number of characters for password
Configure Telemetry
Upload Web Server certificate and CA certificate
Configure maximum threshold wait time
Enable Common Criteria setting
Terminologies
Being familiar with the following terminology facilitates malware analysis using Advanced Threat Defense.
Static analysis: When Advanced Threat Defense receives a supported file for analysis, it first p
357. rdware
Device: Summary
Memory: 1 GB
Processors: 1
Hard Disk (IDE): 5 GB, preallocated
CD/DVD (IDE): Auto detect
Network Adapter: NAT
USB Controller: Present
Sound Card: Auto detect
Printer: Present
Display: Auto detect
Step 33. In the Use ISO image file field, browse to the ISO file that you used and click OK.
(Screenshot: Connection: Use physical drive (Auto detect); Use ISO image file, with Browse.)
Step 34. In the Welcome to Microsoft Windows XP page, click Exit.
(Screenshot: Welcome to Microsoft Windows XP. What do you want to do? Install Windows XP; Learn more about the setup process; Install optional Windows components; Perform additional tasks; Check system compatibility.)
Create a VMDK file for Windows XP
Table 5.2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued)
Step 35. In virtualMachineImage, select Start | Control Panel | Add or Remove Programs | Add or Remove Windows Components.
(Screenshot: Windows Components Wizard. To add or remove a component, click the checkbox; a shaded box means that only part of the component will be installed. Components listed include Internet Explorer, Internet Information Services (IIS), Manag
358. re information about these files on the web.
The listed malware files are sorted by severity level in descending order.
The first column displays the file names; the second column displays the severity level.
(Screenshot: Top 5 URLs monitor with the columns URL and Severity.)
Figure 8.23 Top 5 URLs
VM Creation Status monitor
This monitor displays a color based on the status of VM creation. The color code is: In Progress: yellow; Failed: red; Success: green.
Working with the Advanced Threat Defense Dashboard
Below is an example of the VM Creation Status monitor when the status of VM creation is Success.
Figure 8.24 VM Creation Status monitor
Advanced Threat Defense performance monitors
The following monitors relate to Advanced Threat Defense Appliance performance.
System Health
This monitor displays the health of the Advanced Threat Defense Appliance in a table.
System Health: Indicates whether the system health is in a good state. Green indicates good health and red indicates bad health.
DNS Status: Indicates the connection status between Advanced Threat Defense and the configured DNS servers. If Advanced Threat Defense is able to connect to the preferred and alternate DNS servers, the DNS Status is Healthy, indicated by green. If Advanced Threat Defense is unable to connect t
359. re displayed for each node. (Figure 9-8 lbstats output from the primary node.) Above is the lbstats output from a primary node. (Figure 9-9 lbstats output from a secondary node.) Above is the lbstats output from a secondary node. (Figure 9-10 lbstats output from a backup node.) Above is the lbstats output from a backup node. Table 9-2 Details of the lbstats command (Output entry: Description). System Mode: Indicates whether the Advanced Threat Defense Appliance is the primary or a secondary node. ATD ID: The unique ID assigned to the node. IP: The management port IP address of the Advanced Threat Defense Appliance. System Type: The appliance model type, ATD-3000 or ATD-6000. ATD Version: Advanced Threat Defense software version currently installed on the Co
360. re uses VMware Workstation 10 as an example. Step 2: In the VMware Workstation page, select File, New Virtual Machine. (Screenshot: File menu: New Virtual Machine (Ctrl+N), New Window, Open (Ctrl+O), Close Tab (Ctrl+W), Connect to Server, Virtualize a Physical Machine, Export to OVF, Map Virtual Disks, Exit.) Creating analyzer VM, Create a VMDK file for Windows XP, Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 3: In the New Virtual Machine Wizard window, select Custom (Advanced) and click Next. (Screenshot: Welcome to the New Virtual Machine Wizard; Typical (recommended) creates a Workstation 10.0 virtual machine in a few easy steps; Custom (advanced) creates a virtual machine with advanced options such as a SCSI controller type, virtual disk type and compatibility with older VMware products.) Step 4: In the Choose the Virtual Machine Hardware Compatibility window, select Workstation 9.0 from the Hardware compatibility drop-down list. For other fields, leave the default values and click Next. (Screenshot: Choose the Virtual Machine Hardware Compatibility; Which hardware features are needed for this virtual machine? V
361. reat Defense 3.4.8. 1. Select Start, Settings, Control Panel. 2. Open System. 3. In the Automatic Updates tab, deselect Keep my computer up to date. 4. Click Apply and then OK. Creating analyzer VM, Create a VMDK file for Windows XP, Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 54: To analyze Microsoft Word, Excel and PowerPoint files, install Microsoft Office 2003 on the virtual machine. (Screenshot: Microsoft Office XP Setup; select the Office XP applications you would like installed: Microsoft Word, Microsoft Outlook, Microsoft Access, Microsoft FrontPage, Microsoft Excel, Microsoft PowerPoint.) Step 55: Lower the security to run macros for the Office applications. Open Microsoft Word 2003 and select Tools, Macro, Security, then select Low and click OK. (Screenshot: Security Level: High, only signed macros from trusted sources will be allowed to run and unsigned macros are automatically disabled; Medium, you can choose whether or not to run potentially unsafe macros; Low (not recommended) fo
362. reat Defense is 3.4.6. Make sure that the system-3.4.8.msu Advanced Threat Defense software that you want to use is extracted and that you can access it from your client computer. You have the credentials to log on as the admin user in the Advanced Threat Defense web application. You have the credentials to log on to the Advanced Threat Defense CLI using SSH. You have the credentials to SFTP to the Advanced Threat Defense Appliance. For the admin user record, select Allow Multiple Logins in the User Management page. Task: 1. Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user. 2. Using SFTP, upload the system-<version number>.msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary. 3. After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage, Software Management. 4. Under System Software, select the system-<version number>.msu file. 5. Make sure that Reset Database is deselected in case of upgrades, and click Install. Managing Advanced Threat Defense, Upgrade Advanced Threat Defense and Android VM. 6. A confirmation message is displayed; click OK. (Status dialog: System Software file was validated successfully. Installation will start shortly. OK.) The s
363. reated or touched by the sample during the dynamic analysis. It is also password protected; the password is virus. Advanced Threat Defense does not provide you access to the original sample files that it analyzed. If Network Security Platform is integrated, you can use the Save File option in the Advanced Malware policy to archive samples. However, note that the Sensor's simultaneous file scan capacity is reduced if the Save File option is enabled. See the latest Network Security Platform IPS Administration Guide for the details. Download the original sample: Advanced Threat Defense allows users to download the originally submitted files. All the submitted samples are available in a zip file, which you can download by following the steps below. Task: 1. Select Manage, User Management. 2. In the User Management page, select your user profile. 3. Enable the Sample Download option. Select Analysis Results, click the Reports icon and select Original Sample. Save the zipped <SAMPLENAME>_<MD5SUMOFSAMPLE>.zip file on your local machine. Extract the content of <SAMPLENAME>_<MD5SUMOFSAMPLE>.zip using infected as the password. Analyzing malware, Working with the Advanced Threat Defense Dashboard: When you access Advanced Threat Defense from a client browser, the Advanced Threat Defense Dashboard is displayed. You can v
364. rk not recommended; Disable all Trusted Locations; OK; Cancel. 2. Under <Office Application>, File, Option, Trust Center, ActiveX Settings, select Enable all controls without restrictions and without prompting, and click OK. (Screenshot: Trust Center, ActiveX Settings for all Office Applications: Disable all controls without notification; Prompt me before enabling Unsafe for Initialization (UFI) controls with additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions; Prompt me before enabling all controls with minimal restrictions; Enable all controls without restrictions and without prompting (not recommended; potentially dangerous controls can run); Safe mode (helps limit the control's access to your computer).) 3. Under <Office Application>, File, Option, Trust Center, Macro Settings, select Enable all macros and click OK. (Screenshot: Trust Center, Macro Settings: Disable all macros without notification; Disable all macros with notification; Disable all macros except digitally signed macros; Enable all macros (n
365. rk operations. You can find all the network activities in the Network Simulator section of the report. The dns log report also contains the DNS queries made by the sample. The packet capture of the network activities is provided in the NetLog folder within the Complete Results zip file. (Figure 6-2 Internet access to samples process flow: a sample accesses an Internet resource; MATD (McAfee Advanced Threat Defense) determines the mode, Simulation mode or Real Internet mode, from the Internet access setting in the analyzer profile; if enabled, MATD provides Internet access through its configured Ethernet port; MATD represents itself as the target host; MATD logs all network activities; data is presented in the reports; the analyzer VM is shut down after dynamic analysis.) Configuring Advanced Threat Defense for malware analysis, How Advanced Threat Defense analyzes malware: Recall that Advanced Threat Defense uses its management port (eth-0) by default to provide Internet access to samples. You can also configure a different port for this purpose. To enable a different Ethernet port for malware network access, follow the procedure below. 1. Log on to the Advanced Threat Defense CLI and enable the required port. For example, set intfport 1 enable to enable the eth-1 port. 2. Set the required IP address and subnet mask for the
366. rl, htm, etc. CLI commands for McAfee Advanced Threat Defense, List of CLI commands. show fips: Shows if FIPS is enabled or disabled currently. This command has no parameters. Syntax: show fips. show ftp: Use this command to know if FTP is enabled or disabled currently. By default, FTP is disabled. Syntax: show ftp. See also set ftp on page 363. show headerlog: This command shows the current status of the HTTP header log. This command has no parameters. Syntax: show headerlog. Sample Output: Header log is disable. show history: Displays the list of CLI commands issued in this session. Syntax: show history. This command has no parameters. show heuristic_analysis: See heuristic_analysis on page 353. show intfport: Shows the status of the specified interface port or the management port of McAfee Advanced Threat Defense. Syntax: show intfport <mgmt | 1 | 2 | 3>. Information displayed by the show intfport command includes: whether the port's administrative status is enabled or disabled; the port's link status; the speed of the port; whether the port is set to half or full duplex; total packets received; total packets sent; total CRC errors received; total other errors received. CLI commands for McAfee Advanced Threat Defense, List of CLI commands
367. rnet Information Services. (Screenshot: Internet Information Services (IIS) Manager tree: FTP Sites, Application Pools, Web Sites, Web Service Extensions.) Step 41: Complete the following: Select FTP Sites and then right-click Default FTP Sites. Select Properties. Under Home Directory, browse to C:\. Select Read. Select Write. Select Log visits, and click Apply and then OK. (Screenshot: Default FTP Site Properties, Home Directory tab: the content for this resource should come from a directory located on this computer; FTP site directory: Local path, Read, Write, Log visits; Directory listing style: UNIX.) Creating analyzer VM, Create a VMDK file for Windows 2003 Server, Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued). Step 42: Set automatic logon by selecting Start, Run, entering rundll32 netplwiz.dll,UsersRunDll and pressing Enter. (Screenshot: Run dialog: Type the name of a program, folder, document, or Internet resource, and Windows w
368. ry node. Use the primary node's IP address to submit files and to manage the configuration. Products such as Network Security Platform, Web Gateway and Email Gateway must be integrated with the primary node's IP address. Since the result and report retrieval is through the primary, a connection between the integrated products and the secondary nodes is not mandatory. With the 3.4.2 release, the Cluster IP is the point of contact for these integrated products if the user chooses to configure a Backup node. Make sure the analyzer VMs and VM profiles are identical across all nodes. Note: If you need to add an analyzer VM, or to add, modify or delete a VM profile, break the cluster, make the required changes in all nodes, and then re-create the cluster. The synchronized configurations of the secondary are overwritten with those of the primary node. After cluster creation, you use the primary node to manage these configurations. For information on synchronized configurations, see How the Advanced Threat Defense cluster works on page 323. 5. Make sure the secondary nodes and the primary node are able to communicate with each other using their management ports. 6. As a best practice, back up the configuration of all nodes, especially the secondary nodes, before you configure the cluster. 7. Make sure that the integrated products are configured to use the primary node. This includes the integrated McAfee products as well as any third-party application
369. s. Don't show this message again. Creating analyzer VM, Create a VMDK file for Windows 8. Step 51: Open the default browser and set it up for malware analysis. This procedure uses Internet Explorer as an example. 1. Make sure the pop-up blocker is turned on. In Internet Explorer, select Tools, Pop-up Blocker, Turn on Pop-up Blocker. (Screenshot: Internet Explorer Tools menu, Pop-up Blocker submenu: Turn off Pop-up Blocker, Pop-up Blocker settings.) 2. Select Tools, Internet Options and for Home page enter about:blank. (Screenshot: Internet Options, General tab, Home page: about:blank; Use current, Use default, Use new tab.) 3. Go to the Advanced tab of the Internet Options and locate Security. 4. Select Allow active content to run in files on My Computer. (Screenshot: Internet Options, Advanced tab, Settings: Multimedia: Enable alternative codecs in HTML5 media elements; Enable automatic image resizing; Play animations in webpages
370. s, Exit. Creating analyzer VM, Create a VMDK file for Windows 2008 Server. Step 3: In the New Virtual Machine Wizard window, select Custom (Advanced) and click Next. (Screenshot: Welcome to the New Virtual Machine Wizard; Typical (recommended) creates a Workstation 10.0 virtual machine in a few easy steps; Custom (advanced) creates a virtual machine with advanced options such as a SCSI controller type, virtual disk type and compatibility with older VMware products.) Step 4: In the Choose the Virtual Machine Hardware Compatibility window, select Workstation 9.0 from the Hardware compatibility drop-down list. For other fields, leave the default values and click Next. (Screenshot: Virtual machine hardware compatibility: Hardware compatibility Workstation 9.0; Compatible with ESX Server; Compatible products: ESX 5.1, Fusion 5.0, Workstation 10.0, Workstation 9.0; Limitations: 64 GB memory, 10 network adapters, 2 TB disk size, no SATA devices.) Creating analyzer VM
371. s. For example, if you make changes to the list of NTP servers and also change the time zone, you must click Submit under Network Time Protocol and Submit under Time Zone Setting separately. Add an Advanced Threat Defense login banner: The login banner page enables you to upload customized text to the Advanced Threat Defense logon page. Configuring Advanced Threat Defense for malware analysis. To upload a login banner, do the following: 1. Click Manage, Configuration, Login Banner and select Display Banner. 2. Write the desired login message. (Screenshot: Banner Setting: Display Login Banner; Banner Message (Max 1024); Submit.) 3. Click Submit to save changes. Note: The maximum number of characters allowed for the banner message is 1024. Only the ASCII character set is allowed. Set minimum number of characters for password: Using the Password Setting page, the user can set the minimum number of characters to be used when creating a password to log on to Advanced Threat Defense. The default password length is 8 characters. The same password constraints apply for console access and CLI access. Use the Reset Password tab to reset the password for the CLI user and the troubleshooting password nobrk1n to default. Configuring Advanced Threat Defense for malware analysis, Configure Telemetry. Password
372. s, networks, modems and both the power cords attached to the Advanced Threat Defense Appliance before opening it. Otherwise, personal injury or equipment damage can result. Avoid injury: lifting the Advanced Threat Defense Appliance and attaching it to the rack is a two-person job. This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use. Do not remove the outer shell of the Advanced Threat Defense Appliance. Doing so invalidates your warranty. Do not operate the system unless all cards, faceplates, front covers and rear covers are in place. Blank faceplates and cover panels prevent exposure to hazardous voltages and currents inside the chassis, contain electromagnetic interference (EMI) that might disrupt other equipment, and direct the flow of cooling air through the chassis. To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone network voltage (TNV) circuits. LAN ports contain SELV circuits and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables. Usage restrictions: The following restrictions apply to the use and operation of the Advanced Threat Defense Appliance. You should not remove the outer shell of the Advanced Threat Defense Appliance; doing so invalidates your warranty. The Advanced Threat Defense Appliance is not a general-purpose server. McAfe
373. s are removed, except the primary node; the administrator can remove the primary node. Removal of the primary node is not permitted unless the other nodes are removed. Clustering McAfee Advanced Threat Defense Appliances, How the Advanced Threat Defense cluster works. Backup is active (Active Primary): In this case, as the configured primary is not serving as Active Primary, the removal of nodes directly from the Load Balancing page of Advanced Threat Defense is not permitted. The administrator can log on to the Load Balancing page of Advanced Threat Defense to remove (withdraw) all the secondary nodes first. The Backup node can then be removed from the cluster. Recall that we cannot have a cluster without a primary node configured, so the Load Balancing page does not facilitate removal of the primary node from the cluster. After removing the Backup node from the cluster, if the primary node is active, the primary node takes the active role as it does not find the Backup node active. Now, in order to destroy the cluster, the primary node is removed, followed by removal of the Backup node. If the configured primary is not serving as Active Primary and the Backup is in the active state, then the removal of the configured primary requires destroying the cluster. Methods for removing nodes from the cluster: Remove Node from Active Primary: This option facilitates removal of a secondary or backup node from the Active Primary node. If the target node is up at the time of removal, the node
374. s case the analyzer VM. You can configure Advanced Threat Defense to provide network services to analyzer VMs so that the network activities of a sample file can be analyzed. Providing Internet access to samples enables Advanced Threat Defense to analyze the network behavior of a sample and also determine the impact of the additional files downloaded from the Internet. Some malware might try to determine if it is being executed in a sandbox by requesting Internet access, and then alter its behavior accordingly. When an analyzer VM is created, Advanced Threat Defense makes sure that the analyzer VM has the configuration to communicate over a network when required. You can control granting real network access to an analyzer VM through a setting in the analyzer profiles. Network services are provided regardless of the method used to submit the sample. For example, they are provided to samples submitted manually using the Advanced Threat Defense web application as well as to samples submitted by the integrated products. The following is the high-level process flow when a sample accesses a resource on the Internet: 1. A sample attempts to access a resource on the Internet. 2. Advanced Threat Defense checks if Internet connectivity is enabled in the corresponding analyzer profile used for this analysis. Configuring Advanced Threat Defense for malware analysis, How Advanced Threat Defense ana
375. s displayed, and the utility to run every time Windows starts. (System Configuration Utility dialog: Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility; Don't show this message or launch the System Configuration Utility when Windows starts.) Creating analyzer VM, Create a VMDK file for Windows XP, Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 68: Open the default browser and set it up for malware analysis. This procedure uses Internet Explorer as an example. 1. Make sure the pop-up blocker is turned on. In Internet Explorer, select Tools, Pop-up Blocker, Turn on Pop-up Blocker. (Screenshot: Internet Explorer Tools menu: Mail and News; Pop-up Blocker (Turn off Pop-up Blocker, Pop-up Blocker Settings); Manage Add-ons; Synchronize; Windows Update; Windows Messenger; Diagnose Connection Problems; Internet Options.) 2. Select Tools, Internet Options and for Home page select Use Blank or Use new tab, based on the version of Internet Explorer. (Screenshot: Internet Options, General tab, Home page: Address about:blank; Use Current, Use Default, Use Blank.) 3. Go to the Advanced ta
376. s in ZwCreateFile. log.zip; dump.zip; dropfiles.zip; networkdrive.zip. Download the complete results zip file: Advanced Threat Defense produces a detailed analysis for each submitted sample. All the available reports for an analyzed sample are available in a zip file, which you can download from the Advanced Threat Defense web application. Task: 1. Select Analysis, Analysis Results. 2. In the Analysis Results page, click and select Complete Results. Download the <sample_name>.zip file to the location you want. This zip file contains the reports for each analysis. The files in this zip file are created and stored with a standard naming convention. Analyzing malware, View the analysis results. Consider that the sample submitted is vtest32.exe. Then the zip file contains the following results: vtest32_summary.html, .json, .txt, .xml: This is the same as the Analysis Summary report. There are four file formats for the same summary report in the zip file. The html and txt files are mainly for end users to review the analysis report. The json and xml files provide well-known malware behavior tags for high-level programming scripts to extract key information. If the malware severity is 3 and above, then it also contains ioc and stix xml formats of the Analysis Summary report for the sample. vtest32.log: This file captures the Windows user-level DLL API callin
377. s option, you can access the actual analyzer VM on which the malware is executed and provide the required input. Skip files if previously analyzed: Use this function to avoid reanalyzing samples. After you make the required selections, click OK. Click to upload the file to Advanced Threat Defense for analysis. Tasks: Upload URLs for analysis in user interactive mode on page 285; Upload samples for analysis in skip analysis mode on page 287. Upload URLs for analysis in user interactive mode. Before you begin: Make sure that the required analyzer profile is available with the sandbox and malware Internet access options selected. To completely execute some malware, user intervention might be required. For example, a default setting in the analyzer VM might pause the execution unless the setting is manually overridden. Some files might display dialog boxes where you are required to make a selection or a confirmation. Malware demonstrates such behavior to determine if it is being executed in a sandbox. Analyzing malware, Analyze files. The behavior of the malware might vary based on your intervention. When you submit files in user interactive mode, the analyzer VM opens in a pop-up window on your client computer and you can provide your input when prompted. You can upload files to be executed in the user interactive mode. This option is available only
378. s page, complete the following: a. In Important updates, select Never check for updates (not recommended). b. Deselect the check boxes under Recommended updates, Who can install updates, Microsoft Update and Software notifications. (Screenshot: Choose how Windows can install updates: Important updates: Never check for updates (not recommended); Recommended updates: Give me recommended updates the same way I receive important updates; Who can install updates: Allow all users to install updates on this computer; Microsoft Update: Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows; Software notifications: Show me detailed notifications when new Microsoft software is available; Note: Windows Update might update itself automatically first when checking for other updates.) 3. Click OK. Step 38: To analyze Microsoft Word, Excel and PowerPoint files, install Microsoft Office 2003 on the virtual machine. (Screenshot: Choose which applications for setup to install; Select the Office XP applications you would like installed: Microsoft Word, Microsoft Outlook, Microsoft Excel, Microsoft Access, Microsoft FrontPage, Microsoft PowerPoint; Install applications with the typical options; Choose detailed installati
379. s section: This is a section in the Threat Analysis report. In this section, you can view which methods reported that a sample file contains malware. Table 8-8 Down Selector's Analysis (Label: Description). Engine: These are the possible methods that Advanced Threat Defense uses to analyze a file. GTI File Reputation indicates McAfee GTI, which is on the cloud. Gateway Anti_Malware indicates the McAfee Gateway Anti-Malware engine. Anti-Malware indicates the McAfee Anti-Malware Engine. Sandbox indicates that the file was executed in an analyzer VM; refer to the Analysis Environment section within the report to know the details of that VM. Threat Name: Indicates the name for known malware in McAfee GTI, the McAfee Gateway Anti-Malware engine and the McAfee Anti-Malware Engine. Severity: Indicates the severity score from the various methods. The highest severity score by a particular method is used to assign the final severity level for the sample. Analysis Environment section: This is a section in the Threat Analysis report. You can find the following details in this section: Details of the corresponding analyzer VM, such as the operating system, browser and version, and the applications and their versions installed on the analyzer VM. (Screenshot: Analysis Environment: Digital Signature not valid; Microsoft Windows XP Professional Service Pack 3; Internet Explorer version 6. D
380. sable>. By default, set IPAddressSwap is enabled. Example: set IPAddressSwap enable. See also show IPAddressSwap. show msu: Displays all the msu files copied to Advanced Threat Defense via SFTP. Syntax: show msu. CLI commands for McAfee Advanced Threat Defense, List of CLI commands. show nsp scandetails: Shows the file scan details regarding the integrated IPS Sensors. Syntax: show nsp scandetails <Sensor IP address>. If you do not specify the Sensor IP address, the details are displayed for all the Sensors integrated with the McAfee Advanced Threat Defense Appliance. Information displayed by the show nsp scandetails command includes: the IP address of the IPS Sensor; total number of packets received from the Sensor; total number of packets sent to the Sensor; the timestamp of when the last packet was sent to and received from the Sensor; the encryption method used for the communication with the Sensor; session handle null counts; count of internal errors; count of unknown commands received from the Sensor; file string null; file data null; count of unknown files; count of out-of-order packets; count of MD5 mismatches between what was sent by the Sensor and what was calculated by McAfee Advanced Threat Defense; count of memory allocation failures; file transfer timeout; new file count; count of shared memory allocation f
381. sable this interface, use the set intfport command. For example: set intfport 1 enable. To assign the IP details to this interface, use set intfport <eth 1, 2 or 3> ip <IPv4 address> <subnet mask>. For example: set intfport 1 ip 10.10.10.10 255.255.255.0. You cannot assign the default gateway to this port. However, you can configure a route on this interface to route the traffic to the desired gateway. To configure a route, use route add network <IPv4 subnet> netmask <netmask> gateway <IPv4 address> intfport 1. For example: route add network 10.10.10.0 netmask 255.255.255.0 gateway 10.10.10.1 intfport 1. This command routes all traffic from the 10.10.10.0 network to 10.10.10.1 through NIC 2 (eth-1). NIC 3: This is the eth-2 interface. The note described for NIC 2 applies to this interface as well. NIC 4: This is the eth-3 interface. The note described for NIC 2 applies to this interface as well. Video connector. Setting up the Advanced Threat Defense Appliance, Before you install the Advanced Threat Defense Appliance (Label: Description). 8: RJ45 serial A port. 9: USB ports. 10: RMM4 NIC port. 11: I/O module ports/connectors (not used). 12: Add-in adapter slots from riser card 1 and riser card 2. (Figure 2-5 ATD-6000 Appliance back panel.)
382. same in all the nodes of the cluster. All the settings in the VM profiles, including the VM profile name, must be the same across the nodes. When you create a new VM profile or modify an existing one after cluster creation, recall that VM profile related changes are not propagated to all the nodes automatically. First dismantle the cluster. Then manually make the exact change in each node. If you are creating a new VM profile, make sure you create this VM profile in all the nodes before you select this new VM profile in any of the analyzer profiles. If you need to modify an existing VM profile, make sure you immediately make the same modification in each node. Finally, recreate the cluster. VM profiles on all nodes must exactly match. It is recommended that the DAT and engine versions of the McAfee Anti-Malware Engine are the same in all nodes. It is recommended that the DAT and engine versions of the McAfee Gateway Anti-Malware Engine are the same in all nodes. The nodes can be heterogeneous regarding the following: Hardware, that is, you can create a cluster using a combination of ATD-3000 and ATD-6000 Appliances; FIPS compliance, that is, regardless of primary or secondary, some nodes can be in FIPS mode and the rest in non-FIPS mode. Clustering McAfee Advanced Threat Defense Appliances, Network connections for an Advanced Threat Defense cluster: Use the IP address of the Primary node to
383. se Audit Log is selected by default. Select HTTPS Session Log to view logs for every session established or terminated. (Screenshot: the Configure Syslog Setting page, with Enable Logging, Off Box System Log IP Address, Protocol TCP, port 514, Test Connection, and the Statistic to Log list with Severity Level and Threshold columns: Analysis Results, CPU Utilization, Memory Utilization, HDD Utilization, Interface Status, User Login/Logout, Audit Log, HTTPS Session Log.) 5 Click Submit. The "Off box syslog setting was submitted successfully" message is displayed. Sample of an Analysis Results log event as displayed in ESM: 20Lo 03 26 0170530 Localhost ATDZESM 13207 Summary Event Type ATD File Report MISversion 3 4 4 2 43772 SUMversion 3 4 4 2 43 12 Osversion win splx64 fileId Not Available Parent MD5 Not Available MATE IP TO 213 Zi Sore LPs LO 2132000 7 Dst IP 10 213 248 107 TaskId 37 JobId 237 O SONversion 1 001 0718 hasDynamicAnalysis true Subject Name http 10 213 248 107 Apoorv samples automation samples vtest64 exe
384. se List of CLI commands. Information displayed by the show command includes: Sensor Info (System Name, Software Version, Date, Active Version, System Uptime, Backup Version, System Type, MGMT Ethernet Port, Serial Number) and Sensor Network Config (IP Address, Netmask, Default Gateway, DNS address). show dat version: Use this command to see the current DAT version of the analyzing options. Syntax: show dat version. Sample output: AV DAT version 868; AV Engine version 5700; GAM DAT version 3811; GAM Engine version 7001.1302.1842. show ds status: Use this command to see the status of all analyzing options. Syntax: show ds status. This command has no parameters. Sample output: GTI is alive; MAV is alive; GAM is alive; Yara is alive. show epo stats nsp: Displays the count of requests sent to McAfee ePO, the count of responses received from McAfee ePO, and the count of requests that failed. Syntax: show epo stats nsp. This command has no parameters. show filequeue: Displays the file queue statistics such as the estimated average processing time, analyzing time, files in waiting, and so on. This command has no parameters. Syntax: show filequeue. Following is the information displayed by the show filequeue command: Processing Time 58200, Analyzing Time 56 00, Files i
385. (Screenshot: the Microsoft Software License Terms dialog.) Click here to accept the Microsoft Software License Terms. Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 58: To analyze PDF files, download Adobe Reader to the native host and copy it to the VM. This procedure uses Adobe Reader 9.0 as an example. Details: 1 Install Adobe Reader 9.0 in the VM. 2 Open Adobe Reader and click Accept. 3 In Adobe Reader, select Edit > Preferences > General and deselect
386. sion from http://www.microsoft.com/en-us/download/details.aspx?id=1639 and install it. Step 60: To analyze JAR files, download and install Java Runtime Environment. 1 Go to https://community.mcafee.com/docs/DOC-6858. 2 Refer to Java installation guidance.docx. Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 61: Open Java in the Control Panel. Step 62: In the Update tab, deselect Check for Updates Automatically. Step 63: In the Java Update Warning dialog, select Do Not Check and then click OK in the Java Control Panel. Step 64: In the Windows Run dialog, enter msconfig
387. sis Integration with Data Exchange Layer. Configure Data Exchange Layer integration. Task: 1 Select Manage > ePO login > DXL Setting. The McAfee ePO page is displayed (fields: ePO User Credentials with Enable ePO Login, Enable OS Profiling, Login ID, Password, IP Address, Port Number, Submit and Test ePO Login; DXL Setting with Enable DXL communication, DXL Status, Apply and Test Connection; Publish Threat Events to ePO with Enable Threat Event Publisher, Publisher Status and Apply). 2 Enter the details in the appropriate fields. 3 In the DXL Setting area, select Enable DXL communication. 4 Click Test Connection. When a "Test connection is successful" message appears, click Apply. Once you click Test Connection, Advanced Threat Defense checks whether the connection between Advanced Threat Defense and the DXL broker channel is established. The DXL Status indicator tells whether Advanced Threat Defense is publishing reports to the DXL broker. Integration with Threat Intelligence Exchange. Integration of Advanced Threat Defense with Threat Intelligence Exchange (TIE) helps Advanced Threat Defense get the TIE Enterprise Reputation and the McAfee GTI Reputation from the TIE server through the DXL channel for the samples submitted to Advanced Threat Defense. If t
388. ss cmd com dll doc docm docx dotm dotx eml exe htm html inf ins js lnk lzh lzma mof msg ocx pdf potm potx ppam pps ppsm ppsx. disable: Sets the sample filtering to off. When it is disabled, McAfee Advanced Threat Defense considers only the file types supported by default for dynamic analysis. ftptest USER_NAME: Use this command to test the FTP settings saved under MANAGE > USER MANAGEMENT > FTP Results for a particular user. Syntax: ftptest USER_NAME. Parameter USER_NAME: The user name for which you want to test the FTP settings. Example: NSPuser. gti restart: Restarts the McAfee GTI engine of McAfee Advanced Threat Defense. Syntax: gti restart. This command has no parameters. help: Provides a description of the interactive help system. This command has no parameters. Syntax: help. List of CLI commands. heuristic_analysis: Consider a scenario where there is a very high volume of files submitted by a channel like Network Security Sensor, Web Gateway, or Email Gateway. You want Advanced Threat Defense to triage these files based on the need for detailed malware analysis. The intention of this triage is to scale up performance without compromising on security. The heuristic_analysis command is introduced to meet such a
389. ss Enter. Details: In the Run dialog, enter rundll32 netplwiz.dll,UsersRunDll. Step 44: In the User Accounts window, deselect "Users must enter a user name and password to use this computer" and click Apply. Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 45: In the Automatically Log On pop-up window, complete the following and then press OK in the message boxes. Details: Username: Enter Administrator. Password: Enter cr cker42. Confirm Password: Enter cr cker42.
390. ssage is displayed. Certificates uploaded for Syslog settings will be validated against the key length, signature algorithm, and expiry date. 3 In case of a problem with the uploaded certificate, an error message is displayed. An example of the error message displayed in case of a certificate with an invalid signature algorithm is shown below: Error: Certificate is invalid. Invalid signature algorithm. 4 In case of no validation error, the web server restarts and the user needs to log on again to the Advanced Threat Defense user interface. Follow the steps below to upload a CA (Certificate Authority) certificate: 1 Go to Manage > Configuration > Web Certificate. 2 In the CA Certificate section, upload a valid CA certificate. 3 In case of a problem with the uploaded certificate, an error message is displayed. An example of the error message displayed in case of a certificate with an invalid signature algorithm is shown below: Error: Certificate is invalid. Invalid signature algorithm. 4 In case of no validation error, the specified CA certificate is uploaded successfully. Configure maximum threshold wait time: Advanced Threat Defense allows you to configure the maximum wait time for analyzing samples received from McAfee Email Gateway. If the average analysis time of samples in Advanced Threat
391. supported files. McAfee Advanced Threat Defense ignores all other file types and also informs Network Security Platform that a sample is of an unsupported file type. This prevents resources being spent on unsupported file types on both McAfee Advanced Threat Defense and Network Security Platform. disable: Sets the sample filtering to off. When disabled, McAfee Advanced Threat Defense considers all the files submitted by Network Security Platform for analysis, but only the supported file types are analyzed. The remaining are reported as unsupported in the Analysis Status and Analysis Results pages. Example: samplefilter status. set appliance dns A.B.C.D E.F.G.H WORD: Sets the Advanced Threat Defense Appliance preferred and alternate DNS addresses. Syntax: set appliance dns A.B.C.D E.F.G.H WORD. Parameters: <A.B.C.D> DNS preferred address; <E.F.G.H> DNS alternate address; <WORD> Appliance domain name. Example: ATD-6000> set appliance dns 1.1.1.2 10.11.10.4 nai.com (response: DNS setting had been configured). set gti dns check: This command requires DNS to be set for GTI to work. By default, this command is set to disabled, which means that if there is no internet access, GTI works fine. If this command is enabled, GTI will not work unless ATD is connected to the Internet and resolves GTI lookup URLs. You need to restart amas for these changes to reflect on ATD. Syntax: set gti dns check <
392. t Defense SSH. Advanced Threat Defense to wpm.webwasher.com, TCP 443 (HTTPS), No: Updates for McAfee Gateway Anti-Malware Engine and McAfee Anti-Malware Engine. Setting up Advanced Threat Defense: This chapter describes how to set up the Advanced Threat Defense Appliance for you to configure it. Contents: Install or remove rack handles; Install or remove the Appliance from the rack; Turn on the McAfee Advanced Threat Defense Appliance; Handling the front bezel; Connect the network cable; Configure network information for Advanced Threat Defense Appliance. Install or remove rack handles: To install a rack handle, align it with the two holes on the side of the Advanced Threat Defense Appliance and attach the rack handle to the Appliance with two screws as shown (Figure 2-6 Installing the rack handle). To remove a rack handle, remove the two screws holding the rack handle in place and remove the rack handle from the server system as shown (Figure 2-7 Removing the rack handle). Install or remove the Appliance from the rack: Use the rack mounting kit included with the Advanced Threat Defense Appliance to install the unit into a four-post, 19-inch rack. The kit can be used with most industry-standard rack cabinets. Use the tie wraps to secure the ca
393. t Defense .......... 26
Install or remove rack handles
Install or remove the Appliance from the rack .......... 27
Turn on the McAfee Advanced Threat Defense Appliance .......... 30
Handling the front bezel .......... 30
Connect the network cable .......... 31
Configure network information for Advanced Threat Defense Appliance .......... 31
3 Accessing Advanced Threat Defense web application .......... 35
McAfee Advanced Threat Defense client requirements .......... 35
Access the Advanced Threat Defense Appliance web application .......... 36
4 Managing Advanced Threat Defense .......... 37
Managing McAfee Advanced Threat Defense users .......... 37
Viewing user profiles .......... 38
Add users
Edit users
Delete users
Monitoring the Advanced Threat Defense performance .......... 43
Upgrade Advanced Threat Defense and Android VM .......... 43
Upgrade ATD software from 3.4.2.32 to 3.4.8 .......... 44
Upgrade ATD software from 3.4.4.63 to 3.4.8 .......... 46
Upgrade ATD software from 3.4.6 to 3.4.8 .......... 48
394. t Defense web application. You have the credentials to log on to the Advanced Threat Defense CLI using SSH. You have the credentials to SFTP to the Advanced Threat Defense Appliance. For the admin user record, select Allow Multiple Logins in the User Management page. Task: 1 Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user. 2 Using SFTP, upload the system <version number>.msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary. 3 After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage > Software Management. 4 Under System Software, select the system <version number>.msu file. 5 Make sure that Reset Database is deselected in case of upgrades, and click Install. Upgrade Advanced Threat Defense and Android VM. 6 A confirmation message is displayed; click OK. (Status: System Software file was validated successfully. Installation will start shortly.) The system software is installed and the status is displayed in the browser (Status: Installation is in progress. Please wait.) It takes a minimum of 20 minutes for the system software installation to complete. 7 After the s
395. t be the same as on the Advanced Threat Defense appliance. Base Distinguished Name (BaseDN): Create a specific BaseDN for Advanced Threat Defense users. BaseDN acts as a root node under which all the Advanced Threat Defense users are added. Admin Credentials: To enable the LDAP option, the credentials (user name and password) of the Administrator user must be provided in the Advanced Threat Defense user interface. If the Administrator user is not present, users must create the same in the LDAP server directory. User creation: Create users manually on an LDAP server. The following table contains the list of users needed. Table 6-1 Users in LDAP server (User_Name, Type, Service used): admin: User Interface (UI), SFTP; nsp: User Interface (UI), SFTP; atdadmin: User Interface (UI), SFTP; mwg: User Interface (UI), SFTP; meg: User Interface (UI), SFTP; vnsp: User Interface (UI), SFTP; nonadmin: User Interface (UI), SFTP; tie: User Interface (UI), SFTP; cliadmin: System, CLI. During the LDAP logon, the username must match the username created locally in the Advanced Threat Defense database. The username is case sensitive. Task: 1 Select Manage > Configuration > LDAP. 2 Select the Enable LDAP checkbox. 3 Enter these details (Option name and Definition): Username DN: Enter a us
396. t page for the admin user are the same. So when the administrator user modifies the FTP details on one of those pages, it automatically reflects on the other page. Back up and restore the Advanced Threat Defense database. Task: 1 Select Manage > Restore & Backup > Backup. The Backup Scheduler Setting page is displayed (Figure 4-7 Schedule a backup: Automatic Backup Setting with Enable Backup, Backup Frequency, Day of Week, Time and Last Backup; Admin FTP Setting with Remote IP, Protocol, Path, User Name, Password and Test). 2 Enter the appropriate information in the respective fields. Option name and Definition: Enable Backup: Select to enable automatic backup at the scheduled time. If you want to stop the automatic backup, deselect this checkbox. Backup Frequency: Specify how frequently you want Advanced Threat Defense to back up the database. Daily: Select to back up daily. Time: Specify the time for the daily backup. For example, if you select 1 a.m., Advanced Threat Defense backs up at 1 a.m. daily according to its clo
397. t saving the changes. 9 Monitor the progress of VM creation. A message is displayed about the VM creation: "The VMs are being created and the VM Creation Status progress can be monitored in the Dashboard. Each VM will take about 5-10 minutes to complete." Managing VM profiles: You can monitor the progress using the following methods. Select Dashboard and check the VM Creation Status monitor (VM Creation Status: In Progress). Select Policy > VM Profile to view the status against the corresponding VM profile. If the VM creation fails, the License column displays O. In that case, you need to manually delete the VM profile: select the VM profile and click Delete. To view the system logs related to VM creation, select Manage > System Log. 10 To confirm successful VM profile creation, select Policy > Analyzer Profile and check if the VM profile that you created is listed in the VM Profile drop-down. Edit VM profiles. Before you begin: To edit a VM profile, either you must have created it or you must have the admin user role. Task: 1 Select Policy > VM Profile. The currently available VM profiles are listed. 2 Select the required record and
398. t your McAfee ePO administrator for the port number. Test ePO Login: Click to verify whether Advanced Threat Defense is able to reach the configured McAfee ePO server over the specified port. Submit: Click to save the configuration and enable Advanced Threat Defense and McAfee ePO integration. Make sure that the test connection is successful before you click Submit. Configure McAfee ePO integration to publish threat events: Integrating Advanced Threat Defense and McAfee ePO enables Advanced Threat Defense to send relevant data about submitted samples to McAfee ePO. Users can select the severity level of files for which the data needs to be captured. This storage of information in McAfee ePO facilitates debugging and support activities. Users must install the ATDThreatEvent extension on McAfee ePO to facilitate publishing of threat events by Advanced Threat Defense. Integration with McAfee ePO to publish threat events is supported with McAfee ePO 5.1.1 or later. The following data is sent to McAfee ePO from Advanced Threat Defense: ATD software version, IOC (Indicators of Compromise) file, Job ID, MD5 value, Task ID, Time stamp, ATD IP address, Size, Source IP address, and Severity.
399. te remove directory. Severity 4. (Figure 7-7 A custom YARA rule: screenshot of the rule's strings and condition sections.) 7 Add more rules according to your requirement in the same custom YARA text file and save the file when complete. Define Custom Yara Scanner: Custom Yara Scanner is also a set of YARA rules, similar to Custom Behavioral Rules. The two differ in that Custom Behavioral Rules are applied on the User API log of an analyzed sample, whereas Custom Yara Scanner serves as an analyzing option in the analyzer profile before analysis. Custom Yara Scanner is available as a static analysis option with no dependency on dynamic analysis. Create Custom YARA Scanner files: A YARA Scanner file is a set of rules written in accordance with the YARA manual. These rules are user defined, written to identify any specific pattern in a file. If Custom YARA Scanner is enabled in your analyzer profile as an analyzing option, Advanced Threat Defense checks the samples being analyzed for the patterns defined by these user-defined rules. If any defined rule matches an analyzed file, then after the analysis, Very High severity is displayed in the analysis report with the threat name set to the rule name. If defi
400. ter you click Agree, no confirmation message is displayed. Details: (Screenshot: the SigCheck License Agreement dialog showing the Sysinternals Software License Terms.) Step 51: Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip on to the native computer and then copy it to the VM. Step 52: Extract MergeIDE.zip and run the MergeIDE batch file in the VM. If prompted, select Run in the warning message. Close Windows Explorer. Step 53: Disable Windows updates.
401. the Network Operations details for the files in the sample. Data spying, Sniffing, Keylogging, Ebanking Fraud: Indicates if the malware is capable of any such behaviors. Operations details section: This section provides the details of every operation performed by a file during dynamic analysis. Separate sections are provided for every file that was executed as part of the sample. Run time DLLs: Lists all the DLLs and their paths that were called by a file at runtime. File operations: Lists file operation activities like creation, open, query, modification, copy, move, deletion, and directory creation/deletion operations. This section also lists the file attributes and the MD5 hash value for the files. Registry operations: Provides the details of Windows registry operation activities like creation, open, deletion, modification, and query on registry sub-keys and key entries. Process operations: Details the process operation activities such as new process creation, termination, new service creation, and code injection into other processes. Networking operations: Details networking operations such as DNS queries, TCP socket activities, and HTTP file download. Other operations: Provides details of operations not belonging to these categories. Examples are mutex/signalling objects and getting the system metrics and configuration data of the analyzer VM. Analyzing malware: View th
402. the engine. Uploaded Date: Specifies the date and time of upload. Status: Specifies whether the uploaded content is acting as Current or Backup. Content designated as Current is applied for malware detection. Action: Has two tabs, Delete and Revert. Delete, when used for the content serving as Current, disables it and reverts Backup to Current. Delete, when used for content serving as Backup, deletes the uploaded content. Revert is used to switch content designated as Backup to Current. Advanced Threat Defense allows you to import a maximum of two versions of YARA rules at any given time. The version uploaded later becomes Current by default, rendering the previous one as Backup. Rules defined in the DAT file designated as Current are applied for malware detection. Upload the content: After clicking the required tab, click Browse under the Manual Content Update area and locate the content you want to upload. Refer to the following links for more guidance on uploading the content: Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus on page 281; Import Custom Behavioral Rules and Custom Yara Scanner Rules on page 279; Upload Detection Package. Defining Custom Behavioral Rules: Custom Behavioral Rules is a set of YARA rules. YARA is a rule-based tool to identify and classify malware
403. the monitors related to malware analysis. File Counters: This monitor shows the analysis status for files submitted during the specified time period. For example, if you set the time period for the data in the dashboard as the last 5 minutes, this monitor shows the count of files in completed, analyzing, and waiting statuses since the last 5 minutes. If you view this monitor in the stacked bar chart format, it also displays the severity level for the files. (Figure 8-16 File Counters monitor: a stacked bar chart of Waiting, Running and Completed files, broken down into Malicious, Not Malicious and Not Rated.) Working with the Advanced Threat Defense Dashboard: The severity levels are indicated using various colors. To hide the files for a particular severity, click the corresponding severity in the legend. For example, if you want to focus on only the malicious files, click Not Malicious and Not Rated in the legend. Now the chart shows only the high severity malware that is in the waiting, running, and completed statuses. Click again on Not Malicious and Not Rated to view the combined chart. Move the mouse over a particular block in the chart to view the number of files that make up that block. This monitor has drill-down capabilities. Once you click a particular block, Advanced Threat Defense takes you to the Analysis Results page
404. Step 43: To analyze JAR files, download and install Java Runtime Environment. 1 Go to https://community.mcafee.com/docs/DOC-6858. 2 Refer to Java installation guidance.docx. Create a VMDK file for Windows 7. Step 44: Open Java in Control Panel (Control Panel > Programs > Java (32-bit)). Step 45: In the Update tab, deselect Check for Updates Automatically. Step 46: In the Java Update Warning dialog, select Do Not Check and then click OK in
405. Step 40: In the Internet Information Services window, expand the node below Internet Information Services. Step 41: Expand FTP Sites. Step 42: Right-click Default FTP Site and then select Properties > Home Directory. Then complete the following: 1 Browse to C:\. 2 Select Read. 3 Select Write. 4 Select Log visits, and click Apply and then OK. Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 43: Set automatic logon by selecting Start > Run, enter rundll32 netplwiz.dll,UsersRunDll and pre
406. to on, or enables the docfilterstatus operation. disable: Sets the sample filtering to off, or disables the docfilterstatus operation. List of CLI commands. When docfilterstatus is enabled: Docfilterstatus filtering is ON. Enabling docfilterstatus sets docfilterstatus to ON. The Advanced Threat Defense Appliance scans the structure of MS Office 2007 Word or Excel files for any abnormalities. If there are no abnormalities, the file is treated as clean and there is no further analysis. If there are any heuristic abnormalities, the MS Office 2007 Word or Excel file is statically and dynamically analyzed as per the corresponding analyzer profile. When docfilterstatus is disabled: Docfilterstatus is OFF. Disabling docfilterstatus sets docfilterstatus to OFF. The Advanced Threat Defense Appliance does not scan MS Office 2007 Word and Excel files for any heuristic abnormalities. MS Office 2007 Word and Excel files are statically and dynamically analyzed as per the corresponding analyzer profile. Use the show command to know the current filter setting. Syntax: show docfilterstatus. exit: Exits the CLI. This command has no parameters. Syntax: exit. factorydefaults: Deletes all samples, results, logs, and analyzer VM images, and resets IP addresses before rebooting the device. This command does not appear when you type, nor does the auto
407. ...to Advanced Threat Defense using FTP or SFTP. Creating analyzer VM, Managing VM profiles. A progress bar indicating the VM creation is displayed. Once this is done, the VM boots up. (Screenshot: VM profile win2k3, Connecting to VM; Installed Applications: Operating System win2k3sp2.) Figure 5-8 Progress of the VM creation. 4. Select Start > Control Panel > Windows Activation > Activate Windows now. Now open Microsoft Word and click Activate once the Microsoft Office Activation Wizard pops up. After the aforementioned step, if you want to use a different Ethernet port for malware network access, select Start > Control Panel > Network and Internet > Network and Sharing Center, right-click and open the Properties of TCP/IPv4, and set Preferred DNS Server. Note: Online Windows Activation needs internet access. An activation packet is sent through the gateway IP that is assigned to the management port. If you have a proxy environment to access the external internet, you need to configure proxy settings on your VM manually, because the Advanced Threat Defense proxy settings will not work for the Windows Activation packet on your VM. After the activation, the proxy settings on the VM need to be manually removed. 5. After the VM is up properly, shut it down and close the window or tab.
408. ...tomatically submitted by other McAfee products such as Network Security Platform. Destination IP: The IP of the targeted host. Similar to the source IP, this is not relevant for manually submitted files. • Job ID: This is a unique number assigned to all the files. • Task ID: This is a unique number assigned to all the files. The Task ID and Job ID are different for compressed files and are the same for uncompressed files. • URL: List of URLs that are submitted for analysis. Enter the search string in the adjacent text box. Case Sensitive: Select if you want to make the search case sensitive. Suppose that you have selected File Name and Status as the criteria, selected Case Sensitive and specified Com. All the records in the completed state with file names starting with the characters Com are listed. Table 8-5 Column definitions. Column / Definition: Submitted Time: The time stamp when the file was submitted for analysis. Status: The current status of analysis. • Waiting: Typically this indicates that Advanced Threat Defense is waiting for an analyzer VM to dynamically analyze the file. • Analyzing: Indicates that the analysis is still in progress. • Completed: Indicates that the analysis is complete for the file. Double-click the record to see the complete report. • Discarded: Indicates that the analysis of files was aborted after the reboot. The analyzer VM dynamically re-analyzes the files. File Name...
409. ...tp://technet.microsoft.com/en-us/sysinternals/bb897441.aspx. The VM that you created has the Windows Firewall switched off and has no anti-virus installed on it. Therefore, it is recommended that you download the programs and components onto the native host first and then copy them to the VM in VMware Workstation. Step 46: Extract sigcheck.zip to the C:\WINDOWS\system32 location. (Screenshot: Windows Explorer showing the contents of C:\WINDOWS\system32.) Step 47: In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe. Step 48: If prompted, click Run in the warning message. Creating analyzer VM, Create a VMDK file for Windows 2003 Server. Table 5-3 Create a VMDK file from Windows 2003 Server SP1 or SP2 ISO image (continued). Step...
410. ...ttpd is restarted. Parameter / Description: enable: When the http redirect feature is enabled, http URLs are redirected to https in the browser; RestAPI calls are accepted only with the https protocol. disable: When the http redirect feature is disabled, http, when requested in the browser, is not redirected to https; RestAPI calls with either the http or https protocol are accepted. It is advised to have this feature enabled all the time. You must disable this feature in case of issues with certificate validation. Use show http redirect to know whether the http to https redirect feature is currently enabled or disabled on the Advanced Threat Defense Appliance. By default, the redirect feature is enabled. Syntax: show http redirect. install msu: Installs either of the two msu files listed below: • amas 3.x.x.x.x.msu • system 3.x.x.x.x.msu. Syntax: install msu <SWNAME> <RESET DB>. Parameter / Description: <SWNAME>: msu filename that the user wants to install, either amas 3.x.x.x.x.msu or system 3.x.x.x.x.msu. <RESET DB>: This parameter accepts two values, 0 or 1. 0 indicates the msu file is to be installed without resetting the database; 1 indicates the msu file is to be installed along with resetting the database. Example: install msu amas 3.3.0.25.42303.msu 1. lbstats: Shows the statistics for the Primary node, Back-up node and Secondary node in a load balancing cluster. This command has no parameters. No output is displayed if the Advan...
411. ...ty (Screenshot: Turn Windows features on or off, showing FTP Service, Web Management Tools, IIS 6 Management Compatibility, IIS Management Console, IIS Management Scripts and Tools, World Wide Web Services.) Step 25: Click Start and right-click Computer. Then select Manage > Services and Applications > Services. Then double-click Telnet. (Screenshot: Computer Management console, Services, Telnet: Enables a remote user to log on to this computer.) Creating analyzer VM, Create a VMDK file for Windows 7. Step 26: In the Telnet Properties (Local Computer) dialog, select Automatic from the Startup type list. Then select Apply, Start, OK. (Screenshot: Telnet Properties dialog. Service name: TlntSvr. Display name: Telnet. Description: Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet ... Path to executable. Startup type: Automatic. You can specify the start parameters that apply when you start the service.)
412. ...ty score of 3 and a threat level of medium. (icon) indicates a severity score of 4 and a threat level of high. • (icon) indicates a severity score of 5 and a threat level of very high. Click a file name to navigate to the section of the report that provides the details of the file behavior. 6. Embedded Dropped content section: This section provides the file name and MD5 hash value of all the files that were created by the samples during analysis. 7. Screenshots section: This section displays all the pop-up windows during dynamic analysis. By viewing these screenshots, you can determine if user intervention is required during dynamic analysis to know the actual behavior of the file. If user intervention is required, you can submit the file manually in user interactive mode. 8. Operations details section: This section provides detailed information on all the operations performed by the sample file during dynamic analysis. These operations are grouped under corresponding groups; expand each group for the specific operations. For example, expand Files Operations to view the files created, files deleted, files modified, files read, directories created or opened, directories removed, and so on. 9. Analysis Environment: This section includes the details of the analyzer VM, properties of the file, and so on. Analyzing malware, View the analysis results, Analysis Result...
413. ...(Screenshot: macro security dialog: ...u are not protected from potentially unsafe macros. Use this setting only if you have ... or you are sure all ...) Similarly, lower the macro security for Microsoft Excel and PowerPoint. Creating analyzer VM, Create a VMDK file for Windows XP. Table 5-2 Create a VMDK file from Windows XP SP2 or SP3 ISO image (continued). Step 56: You need the compatibility pack to open Microsoft Office files that were created in a newer version of Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding compatibility pack installed. Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required Microsoft Office Compatibility Pack for Word, Excel and PowerPoint File Formats. Then install them on the virtual machine. (Screenshot: FileFormatConverters.) Step 57: In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software License Terms and click OK. (Screenshot: Compatibility Pack for the 2007 Office system: You must accept the Microsoft Software License Terms in order ... MICROSOFT SOFTWARE LICENSE TERMS, MICROSOFT OFFICE COMPATIBILITY PACK FOR WORD, EXC... These license terms are an agreement between Microsoft Cor... them. They apply to the software named above, which includ... updates, supplements, Internet-based services and support ...)
414. ...u can continue with the VMDK file creation process, but make sure it is uninstalled when the VMDK file is ready. (Screenshot: VMware Tools Setup: Are you sure you want to cancel the VMware Tools installation?) Step 23: In the VM, turn off the Windows Firewall. 1. Select Start > Control Panel > System and Security > Windows Firewall > Turn Windows Firewall On or Off. 2. Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public network location settings, and then click OK. Creating analyzer VM, Create a VMDK file for Windows 7. Step 24: Select Start > Control Panel > Programs > Programs and Features > Turn Windows features on or off and complete the following: 1. Select Internet Information Services > FTP Server and select FTP Extensibility. 2. Select Internet Information Services > Web Management Tools and select IIS Management Service. 3. Select Telnet Server and press OK. This operation might take around 5 minutes to complete. (Screenshot: Turn Windows features on or off. To turn a feature on, select its check box. To turn a feature off, clear its check box. A filled box means that only part of the feature is turned on. Indexing Service, Internet Explorer 8, Internet Information Services, FTP Server, FTP Extensibili...)
415. ...u upgrade Android, the default Android analyzer VM is automatically re-created. This process might take a few minutes to complete. 7. Log on to the web application and select Manage > System Log. 8. In the System Log page, verify that the vmcreator task is successfully completed for the Android analyzer VM. (Screenshot: System Log. 2014-06-26 05:14:38 starting vmcreator; 2014-06-26 05:14:38 lvclean was successful; 2014-06-26 05:14:38 Copying image base to work folder android.img; 2014-06-26 05:14:42 Copied 1 496 in 4 seconds (380.36 Mbytes/second); Completed image prep; creating VM android_sn01; Checking vm status android_sn01; Booting VM android_sn01; VM has started android_sn01; Creating snapshot for android_sn01; Waiting for Android emulator to come up; Updating VM database; vmcreator success; Amas Database Check OK.) Managing Advanced Threat Defense, Troubleshooting. View the Upgrade log: If you want to upgrade the McAfee Advanced Threat Defense software version, you can view the upgrade path and version history logs from Manage > Logs > Upgrade. The up...
416. ...ultiple Logins (Screenshot of the Add users page: User Details: First and Last Name, Company, Email, Phone, Address, State, Country, Default Analyzer Profile; Roles: NSP User, MWG, MEG, NGFW, Admin User; FTP Result Output, Web Access, Remote IP, Protocol ftp, Restful Access, FTP Access, Path, Sample Download, User Name, Password.) Figure 4-3 Add users. 2. Enter the appropriate information in the respective fields. Option name / Definition: Username: The user name for accessing the McAfee Advanced Threat Defense web application, FTP server or RESTful APIs. Password: The default password that you want to provide to the user. It must meet the following criteria: • Minimum 8 characters in length. • At least one of the alphabetic characters must be in uppercase. • Must contain at least 1 number. • Must contain at least one of the listed special characters (such as &). • Password and user name must not be the same. Allow Multiple Logins: Deselect if you want to restrict the concurrent logon sessions for this user name to just one. Select if you want to allow multiple concurrent logon sessions for the user name. First and Last Name: Enter the full name of the user. It must be at least 2 characters in length. Email: Optionally enter the email address of the user. Managing Advanced Threat Defense, Managing McAfee Advanced Threat Defense users...
417. ...urity applications for a better understanding, detection and containment of malware. For example, you can manually submit the OpenIOC and STIX reports to an application which can query hosts for the indicators in the report. This way you can detect the infected hosts and then take the required remedial actions to contain and remove the malware. For generic information on OpenIOC, see http://www.openioc.org. Regarding STIX, see https://stix.mitre.org. The Threat Analysis report in the OpenIOC and STIX formats is available in the Complete Results zip file for the sample. Analyzing malware, View the analysis results. Task: 1. To access the Threat Analysis report in the Advanced Threat Defense web application, do the following: a. Select Analysis > Analysis Results. b. To view the HTML format of the report, click the icon and then select Analysis Summary HTML. Alternatively, you can double-click the required record. To view the PDF of the report, click the icon and then select Analysis Summary PDF. 2. To access the Threat Analysis report from the reports zip file, do the following: a. Select Analysis > Analysis Results. b. Click the icon and select Complete Results. c. Save the zipped reports on your local machine. The zip file is named after the name of the sample file. d. Extract the contents of the zip file. The AnalysisLog folder contains the HTML, text, XML and JSON formats of the An...
418. ...ustom YARA Scanner files ...; Import Custom Behavioral Rules and Custom Yara Scanner Rules ...; Modify Custom Behavioral Rules and Custom Yara Scanner file 280; Enable or disable Custom Behavioral Rules ...; Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus 281; Update Detection Package 281. 8 Analyzing malware 283: Analyze files 283; Upload files for analysis using Advanced Threat Defense web application 284; Upload files for analysis using SFTP 289; Analyze URLs ...; How Advanced Threat Defense handles URLs 29...; Upload URLs for analysis using Advanced Threat Defense 290; Configure the Analysis Status page 293; View the analysis results ...; View the Threat Analysis ... 299; Dropped files report 304; Disassembly Results 304; Logic Path Graph 305; User API Log ...; Download the complete ... Zip file 310; Download the original sample ...; Working with the Advanced Threat Defense Do...
419. ...vanced Threat Defense. See the corresponding documentation. • The maximum file size supported is 128 MB if you use the Advanced Threat Defense web application, its RESTful APIs or McAfee Web Gateway. • Unicode is supported for the file name of samples. A file name can be up to 200 bytes long. File names can contain non-English characters and special characters. File names are displayed as the MD5 hash value of the file if the following characters are used: ... For example, if the file name of a submitted sample is vtest 32.exe, then Advanced Threat Defense displays the file name as e2cfe1c89703352c42763e4b458fc356.exe. • Static analysis of Visual Basic for Applications scripts (VBA scripts) embedded inside a Microsoft Office application takes place inside the VMs. This analysis enhances the chance of identifying any threat disguised as a VBA script. Analyzing malware, Analyze files. • Pre-filtering of files and applications pertaining to Microsoft Office 2003 and earlier and Microsoft Office 2007 and later is catered to. The pre-filtering functionality ascertains the high-confidence Microsoft Office samples as clean even before these samples are submitted for dynamic analysis. This reduces load on the VMs. • Dynamic analysis of Flash files takes place after installing a browser-based Flash plug-in on VMs. Table 8-1 Supported file types. File Types / Stati...
420. ...ventions and icons. Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis. Bold: Text that is strongly emphasized. User input, code, message: Commands and other text that the user types; a code sample; a displayed message. Interface text: Words from the product interface like options, menus, buttons, and dialog boxes. Hypertext blue: A link to a topic or to an external website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. Preface, Find product documentation. After a product is released, information about the product is entered into the McAfee online Knowledge Center. Task: 1. Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com. 2. In the Knowledge Base pane, click a content source: • Product Documentation to find user documentation. • Technical Articles to find KnowledgeBase articles. 3. Select Do not clear my filters. 4. Enter a product, select a version, then click Search to display a list of documents. Malware detection and McAfee Adva...
421. ...view analysis results 295; VM creation log 229, 261; VM profile 231: adding 224, creating 224, deleting 229, editing 228, management 222, viewing 223; VMDK file: image conversion 219, importing 219. W: Warnings 21. X: X Mode 285, 287; XML 298; Xmode 35; XMode 285, 287. Y: YARA rules 269, 270, 273, 274, 279. Product Guide, Intel Security.
422. ...w ui timeout. Sample output: Current timeout value 600. show uilog: Use this command to check the current level of uilog. This command has no parameters. Syntax: show uilog. Following is the information displayed by the show uilog command: ATD 6000> show uilog / Current log level is 7. show version: Displays the zebra version of McAfee Advanced Threat Defense. This command has no parameters. CLI commands for McAfee Advanced Threat Defense, List of CLI commands. Syntax: show version. Following is the information displayed by the show version command: Zebra ... Copyright 1996-2004 Kunihiro Ishiguro / ATD 3000>. show waittime: Displays the wait time threshold set for McAfee Email Gateway. Syntax: show waittime. Sample output: Current MEG wait time threshold 780 seconds. shutdown: Halts the McAfee Advanced Threat Defense Appliance so you can power it down. Then, after about a minute, you can power down the McAfee Advanced Threat Defense Appliance manually and unplug both the power supplies. The McAfee Advanced Threat Defense Appliance does not power off automatically. You must confirm that you want to shut it down. This command has no parameters. Syntax: shutdown. status: Shows McAfee Advanced Threat Defense system status such as the health and the number of files submitted to various engines. This command has no parameters. Syntax: status. Sampl...
423. ...when you manually upload a file using the Advanced Threat Defense web application. For files submitted by other methods, such as FTP upload and files submitted by Network Security Platform, requests for user intervention by the malware are not honored. However, the screenshots of all such requirements are available in the Screenshots section of the Analysis Summary report. Then you can manually resubmit such files in the user interactive mode to know the actual behavior of the file. For XMode, Google Chrome version 44.0.2403 and later and Mozilla Firefox version 40.0.3 and later are supported. Microsoft Internet Explorer is not supported. Because the analyzer VM is opened in a pop-up window, make sure the pop-up blocker is disabled in your browser. Task: 1. Select Analysis > Manual Upload. 2. In the File field, click Browse and select the file you want to submit for analysis, or drag and drop the file into the specified box. (Screenshot: Manual Upload: File, Browse; Analyzer Profile winXP; Submit; Advanced.) Figure 8-1 Submit the file. 3. In the Analyzer Profile field, select the required analyzer profile from the drop-down list. Analyzing malware, Analyze files. 4. Click Advanced and select User Interactive Mode (XMode). (Screenshot: Advanced Control: User Interactive Mode (XMode); Skip files if previously analyzed; OK; Cancel.) Figure 8-2 Select User Interactive Mode (XMode). 5. C...
424. ...whiteliststatus. CLI commands for McAfee Advanced Threat Defense, List of CLI commands. Index. A: about this guide 9; active disk 345; analysis results: cluster 341, viewing 295; analysis status: cluster 340, monitoring 293; analyzer profile 231: adding 240, deletion 243, management 239, modification 242, viewing 239; analyzer VM 231: creating 67; Anti-Malware Engine 231. B: backup and restore 58; backup disk 345. C: CLI commands: how to 343, list 346, mandatory commands 344, syntax 344; CLI commands, issue: auto-complete 344, console 343, ssh 343; CLI logon 345; conventions and icons used in this guide 9; custom YARA rules 269, 270, 273, 274, 279. D: dashboard 312; database backup and restore 58; date and time 262, 276, 279, 281; diagnostic files 56; disk A 345; disk B 345; DNS settings configuration 251, 252, 257, 261, 265, 267, 271; documentation: audience for this guide 9, product-specific, finding 10, typographical conventions and icons 9; dynamic analysis 231. E: ePO server configuration 244, 246, 250; ePO server integration 243, 246; exporting logs 56. G: Gateway Anti-Malware Engine 231. I: Internet access 236; Internet proxy server 254, 256. J: JSON 298. L: local blacklist 231; local whitelist 231; log files 56. M: malware analysis 283: process flow 235, 283, 289; malware analysis...
425. ...ws 8.0 Pro 32-bit • Microsoft Windows 8.0 Pro 64-bit • Android 2.3 by default. You can upgrade it to Android 4.3. See Upgrade the Android analyzer VM on page 52. All of the above Windows operating systems can be in English, Chinese (Simplified), Japanese, German or Italian. The only pre-installed analyzer VM is the Android VM. Creating analyzer VM. 2. Using VMware Workstation 9.0, create a Virtual Machine Disk (VMDK) file of the ISO image. After you create the VM, you can install the required applications such as: • Internet Explorer versions 6, 7, 8, 9 and 10 • Mozilla Firefox versions 11, 12 and 13 • Microsoft Office versions 2003, 2007, 2010 and 2013 • Adobe Reader versions 9, 10 and 11. The recommended VMware Workstation version is 9.0. However, if you use VMware Workstation 10.0 or VMware Workstation 11.0, select Workstation 9.0 under Hardware Compatibility in the New Virtual Machine Wizard as shown below. (Screenshot: New Virtual Machine Wizard, Choose the Virtual Machine Hardware Compatibility. Hardware compatibility: Workstation 9.0; Compatible with: ESX Server. Compatible products: ESXi 5.1, Fusion 5.0, Fusion 6.0, Workstation 10.0, Workstation 9.0. Limitations: 64 GB memory, 8 processors, 10 network adapters, 2 TB disk size, No SATA devices.) 3. Import th...
426. ...xy Settings page. To enable this option, the GTI File Reputation option under Analyze Options must be enabled. Configuring Advanced Threat Defense for malware analysis, Configure proxy servers for Internet connectivity. 2. In the GTI HTTP Proxy area, enter the appropriate information in the respective fields. Option name / Definition: Enable Proxy: Select to connect Advanced Threat Defense to a proxy server for Internet connectivity. User Name: Enter the user name that Advanced Threat Defense uses for the proxied Internet connection. Password: Enter the corresponding password. Proxy IP Address: Enter the IPv4 address of the proxy server. Port Number: Enter the port number on which the proxy server is listening for incoming connections. Test: Click to verify if Advanced Threat Defense is able to reach the configured HTTP proxy server over the specified port. Submit: Click to save the proxy settings in the database. Make sure that the test connection is successful before you click Submit. Specify Malware Site Proxy Settings for Malware traffic. Task: 1. Select Manage > Configuration > Proxy Settings. On the Proxy Settings page, the Malware Site Proxy section is displayed. (Screenshot: Malware Site Proxy: Enable Proxy; Copy above settings; User Name matd; Password; Proxy IP Address; Port Number 888; Submit; Test.) Figure 6-6 Proxy Settings page.
427. ...y default. You can upgrade it to Android 4.3. See Upgrade the Android analyzer VM on page 52. All of the above Windows operating systems can be in English, Chinese (Simplified), Japanese, German or Italian. The only pre-installed analyzer VM is the Android VM. Configuring Advanced Threat Defense for malware analysis, Terminologies. You must create analyzer VMs for Windows. You can create different VMs based on your requirements. The number of analyzer VMs that you can create is limited only by the disk space of the Advanced Threat Defense Appliance. However, there is a limit as to how many of them can be used concurrently for analysis. The number of concurrent licenses that you specify also affects the number of concurrent instances for an analyzer VM. • VM profile: After you upload the VM image (vmdk file) to Advanced Threat Defense, you associate each of them with a separate VM profile. A VM profile indicates what is installed in a VM image and the number of concurrent licenses associated with that VM image. Using the VM image and the information in the VM profile, Advanced Threat Defense creates the corresponding number of analyzer VMs. For example, if you specify that you have 10 licenses for Windows XP SP2 32-bit, then Advanced Threat Defense understands that it can create up to 10 concurrent VMs using the corresponding vmdk file. • Analyzer profile: This defines how to anal...
428. ...ystem software is installed and the status is displayed in the browser. (Screenshot: Login ID, Password; Status: Installation is in progress. Please wait.) Note: It takes a minimum of 20 minutes for the system software installation to complete. 7. After the software is installed, the Advanced Threat Defense Appliance restarts. A relevant message is displayed. The Appliance restarts on its own; the message that is displayed is only for your information. (Screenshot: Status: The system is going down for reboot now. OK.) Note: If you are not able to view these messages, clear the browser cache. 8. Wait for the Advanced Threat Defense Appliance to start. Log on to the CLI and verify the software version. 9. Verify the version in the Advanced Threat Defense web application. Managing Advanced Threat Defense, Upgrade Advanced Threat Defense and Android VM. 10. Log on to the web application and, in the System Log page, verify that the vmcreator task is invoked. When you upgrade to Advanced Threat Defense 3.4.8, all analyzer VMs are automatically re-created. This process might take some time to complete depending on the number of analyzer VMs. 11. Verify that the data and configurations from your earlier version are preserved. The software version you upgraded to is now stored in the active disk of the Advanced Threat Defense Appliance. Note: Whitelist status is disabled after you upgrade to Advanced Threat Defense...
429. ...yze a file and what to report. In an analyzer profile you configure the following: • VM profile • Analysis options • Reports you wish to see after the analysis • Password for zipped sample files • Minimum and maximum execution time for dynamic analysis. You can create multiple analyzer profiles based on your requirements. For each Advanced Threat Defense user, you must specify a default analyzer profile. This is the analyzer profile that is used for all files uploaded by the user. Users who use the Advanced Threat Defense web application to manually upload files for analysis can choose a different analyzer profile at the time of file upload. The analyzer profile selected for a file always takes precedence over the default analyzer profile of the corresponding user. To dynamically analyze a file, the corresponding user must have the VM profile specified in the user's analyzer profile. This is how the user indicates the environment in which Advanced Threat Defense should execute the file. You can also specify a default Windows 32-bit and a 64-bit VM profile. • User: An Advanced Threat Defense user is one who has the required permissions to submit files to Advanced Threat Defense for analysis and view the results. In case of manual submission, a user could use the Advanced Threat Defense web application or an FTP client. In case of automatic submission, you integrate McAfee products such as McAfee Network Security Platform or McAfee Web Gateway...