For discussion/questions/reports on this topic, please use: GAM 2014.2 BETA
The Web Gateway team is planning the release of an update to the Gateway Anti-Malware engine in late Q1 2015.
The following AV engines will be included in the update and are now available as Beta for MWG 7.3 and higher:
McAfee Gateway Anti-Malware: v2014.2
McAfee Anti-Malware Engine: 5700
Subscribing to the Beta channel for updates
The engines are available via the normal update server, but retrieving them requires the custom update parameter "uc-beta".
The custom parameter for MWG 7 can be defined in the UI of MWG:
Configuration -> <appliance_name> -> Central Management Configuration -> Advanced Update Settings
To test this Beta in isolation on a single appliance that is part of a Central Management environment, customers can prevent the update from being replicated to the other nodes in the same section by disallowing the distribution of updates to other nodes.
Reverting back to the default engine
After the official release of the engine, the uc-beta flag can remain in place; MWG will continue to work normally and retrieve updates. However, all future beta engine releases will then also be retrieved. If this is not desired, remove the flag.
To revert an appliance to the normal updates during the beta phase, the steps are:
- Remove the uc-beta parameter from the custom parameter field.
- Save the changes.
- Log in as root via SSH to the appliance.
- Stop MWG: service mwg stop
- Remove all existing AV updates: rm -rf /opt/mwg/plugin/data/antivirus/*
- Start MWG again: service mwg start
- Log in via GUI and trigger the engine update.
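The shell part of the revert steps above (stop MWG, clear the AV update directory, start MWG), written as an added example that is not part of the original post: before removing anything it checks that the target really is the antivirus data directory (so an empty or mistyped path cannot turn the rm -rf into a wipe of something else) and archives the current engine data so the beta state can be inspected or restored. The MWG_SERVICE variable is an assumed override hook, defaulting to the appliance's normal "service" command, so the function can be exercised off-box.

```shell
#!/bin/sh
# Added example, not McAfee's own tooling. Performs the SSH part of the
# beta revert procedure with a path guard and a backup.
#   $1: AV data directory (default: the MWG path from the procedure)
#   $2: backup directory (default: a timestamped directory under /root)
#   MWG_SERVICE: assumed override hook for "service" (e.g. "true" for a dry run)
mwg_revert_av_updates() {
    av_dir="${1:-/opt/mwg/plugin/data/antivirus}"
    backup_dir="${2:-/root/av-backup-$(date +%Y%m%d%H%M%S)}"
    svc="${MWG_SERVICE:-service}"

    # Guard: only operate on a directory that looks like the AV data path.
    case "$av_dir" in
        */antivirus) ;;
        *) echo "refusing to clear unexpected directory: $av_dir" >&2; return 1 ;;
    esac
    [ -d "$av_dir" ] || { echo "not a directory: $av_dir" >&2; return 1; }

    # Step: stop MWG (service mwg stop).
    "$svc" mwg stop || return 1

    # Keep a copy of the current engine data before it is removed.
    mkdir -p "$backup_dir" || return 1
    tar -C "$av_dir" -cf "$backup_dir/antivirus.tar" . || return 1

    # Step: remove all existing AV updates (everything below av_dir).
    find "$av_dir" -mindepth 1 -delete || return 1

    # Step: start MWG again (service mwg start); the engine update is then
    # triggered from the GUI as in the procedure.
    "$svc" mwg start || return 1
    echo "cleared $av_dir; backup in $backup_dir/antivirus.tar"
}
```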
New in this release
In addition to the 5700 engine, new features include:
New Windows Emulation Environment with 64-bit Support
GAM's emulation environment for Windows executables, the key to behavior-based malware classification, has been improved in collaboration with Intel Engineering.
It now supports accurate emulation of all the latest Intel CPU instruction sets. Furthermore, in light of the growing prevalence of 64-bit Windows deployments and related malware, support for behavioral analysis of 64-bit Windows Executables has been added to GAM.
New Relationship-Oriented Malware Family Naming
Malware naming in GAM has traditionally referred to behavior; this is now augmented by new patent-pending technology that names malware based on the nearest family relationship.
For example, a new malware variant exhibiting behavior traits similar to those previously seen in the Sality virus family will now be named "BehavesLike.Sality" rather than "BehavesLike.Virus".
A new variant of the Zbot password stealer will be named "BehavesLike.ZBot" rather than "BehavesLike.Spyware", and so on.
Improved Down-Selection Support for Windows Executables
GAM can be used to down-select suspicious files that need deeper analysis on a connected ATD appliance.
To further support this deployment model, the number of detections with a likelihood in the 70 to 89% range has been increased, in order to identify more relevant candidate files that can be offloaded for deeper analysis.
We are currently hunting a bug in which Artemis might not work, and thus the Beta is extended until we know more. We will keep you posted on the progress and dates here.