McAfee Threat Activity Tracer (TAT) is a host-based software solution that collects network telemetry for host-based threat activity. With this information you can gain a better understanding of where attacks are originating from, both inside and outside of your environment.
TAT uses the McAfee Host Intrusion Prevention firewall on a host to generate the network telemetry data. TAT is designed to provide network connection data not only for Host IPS events but for VirusScan Enterprise events as well. The event data it generates is designed to allow easy analysis by ePO users and also provides an event data stream to McAfee Enterprise Security Manager.
• McAfee Threat Activity Tracer (TAT) is a Windows service that provides ePO event data for network activity that immediately precedes a threat detection event on a host.
• TAT provides visibility into the network origin of an attack detected by Host IPS, the VirusScan On-Access Scanner and VirusScan Access Protection rules.
• TAT events are standard McAfee Agent threat events that are intended to be leveraged by McAfee ESM as well as ePO for threat analysis and correlation.
• TAT is deployed and configured through ePO, supports 3rd party deployments as well as manual installations.
• TAT is a McAfee Communities supported solution. (*This solution not supported by McAfee Support*).
• McAfee ePO 4.6, 4.5.4 or greater
• McAfee Agent 4.5 P2 or greater
• McAfee Host IPS 8.0 P1 or greater
• McAfee VSE 8.8 P1 or greater
• Microsoft .NET Framework 3.5 or greater on the Endpoint
• Requires HIPS firewall to be enabled and configured to log network traffic
Threat Event Log - Tracking an EICAR download
Will McAfee Threat Activity Tracer (TAT) work with VirusScan Enterprise 8.7 and Host IPS 7.0?
TAT was specifically designed to work with Host IPS 8.0 and VirusScan Enterprise 8.8. We have confirmed that it will not work with VirusScan Enterprise 8.7 and we do not expect it to work with Host IPS 7.0. Both Host IPS 8.0 and VirusScan Enterprise 8.8 have features that made them the ideal choice on which to develop this functionality.
Are there any special configurations that need to be made to VirusScan Enterprise or Host IPS to use TAT?
If your host is running both VirusScan Enterprise and Host IPS you will have to configure an Access Protection rule exclusion for the mfetat.exe process. In addition, you will need to configure the Host IPS firewall and firewall rule policy so that network events are logged. Additional details about this configuration can be found in the attached product guide.
What client operating systems will TAT run on?
We have tested and confirmed that TAT functions on Windows 7 (32-bit and 64-bit) and Windows XP (32-bit). We expect TAT to run on Windows Server 2008, 2008 R2 and 2003, although this has not been completely tested. TAT may run on other Windows operating systems, but we advise customers to test any deployment thoroughly in a test environment before any type of production deployment.
What is the expected performance impact on the client?
Testing has shown working set memory utilization to be in the 7 to 15 MB range and CPU utilization to be under 1%.
Does the TAT service have any form of self-protection?
TAT is very similar in design concept to the McAfee Agent. Neither service has its own built-in self-protection; we rely on our protection products (VSE, HIPS Application Protection, etc.) to protect our processes, files and registry settings. Host IPS Application Protection rules coupled with VirusScan Enterprise Access Protection rules can provide protection for TAT files, processes and registry keys. Please see the product guide for additional details.
Will TAT create a lot of additional events on my EPO server?
Events created by TAT are standard McAfee threat events (specifically NIPS permitted-traffic events). When configuring TAT, users can set the number of network connection events generated for each detection. One recommendation is to determine the average number of threat events per product in a given timeframe and use that number to estimate the total number of additional events that could be sent to your ePO server. For example, if you receive 5,000 threat events per day and you configure TAT to log 3 network connections for each detection event, you could generate up to 15,000 additional events per day. An ePO server task that executes a query-based threat event purge will help manage the total number of stored events.
Should I monitor VirusScan Access Protection events?
TAT was designed to monitor Host IPS, VirusScan Enterprise On-Access Scanner (OAS) and VirusScan Enterprise Access Protection (AP) events. TAT's default configuration monitors Host IPS and VirusScan Enterprise OAS events only. We provide the option to monitor Access Protection events and highly recommend that users assess the number of AP events being generated by their current Access Protection policies before enabling AP monitoring.
Do I need to reboot my system after deploying TAT?
We have identified a condition on Windows XP where if you have just deployed VirusScan Enterprise and then immediately deploy TAT to the system prior to a reboot, TAT will not monitor the On Access Scanner log until the next reboot. Our recommendation is to ensure that your systems have been rebooted after a VirusScan Enterprise deployment and prior to a TAT deployment.
How do I know if the TAT service is installed?
You can review the McAfee Agent client events in the ePO console to see whether a successful deployment has occurred on your target systems. If you have McAfee System Information Reporter (SIR) deployed (available from McAfee Platinum Support) you can create a registry key check for the TAT service. A TAT installation can also be confirmed locally by looking in Control Panel -> Add/Remove Programs or Programs (OS dependent) to see whether McAfee Threat Activity Tracer is installed. Please see the product guide for more details.
Updated version has replaced prior file
A very minor change has been made to improve performance. When checking in to ePO, the new version will read "184.108.40.206" (5/22/2013)