McAfee IPS - How to Integrate McAfee's sandbox technology with the IPS




    The purpose of this document is to illustrate how to integrate McAfee's Advanced Threat Defense (ATD) sandboxing technology with McAfee's Network Security Platform.






    Part 1 - Preparing the Advanced Threat Defense


    Preparing the Analyzer Profile


                   Navigate to the "Policy" tab within the Advanced Threat Defense.


              Policy tab.JPG


                   The Analyzer page lists the current analyzer profiles.  The "android" profile is present by default.  Any other profiles
                   are the custom images that have been built and added to the ATD device.


                   Select "New" at the bottom if you'd like a specific analyzer profile for files submitted via McAfee Network Security Platform sensors.  If you'd like
                   to use an existing analyzer profile, proceed to the next step.


              analyzer profile name.JPG

                  Analyzer Profile - Fill out "Name", as it is required; the "VM Profile" drop-down then lists the VMs that have been uploaded to the ATD device.


              new analyzer profile.JPG


             automatically select OS.JPG

                   Automatically Select OS - If there are two images on the ATD, one 64-bit and one 32-bit, enabling this feature automatically
                   selects which image to use for analysis.


              reports logs and artifacts.JPG


                   Reports, Logs and Artifacts - In this section, select the boxes for the reports and artifacts you'd like generated for each file analysis.
                   By default all boxes are checked.  After submitting multiple file samples and viewing the reports you may find sections that aren't
                   helpful; this is where you can come back and de-select specific options.


              Analyze Options.JPG

                   Analyze Options - Lists the options that can be used to analyze a file sent to ATD.  In my case I have not selected the local black list,
                   as there is currently no data in the black list.  I have also chosen not to "Run All Selected", as this can add significant time to the analysis process.
                   However, if you would like as much detail as possible in all your reports, checking this box will provide that detail.


              internet options.JPG

                   Internet Options - If you would like, and if your ATD has access to the Internet, you can select this box to allow the analyzer VM access to the Internet.
                   This can potentially lead to more detailed information and additional execution paths being available in the reports.


                   Select "Save" to save your new analyzer profile.


    User Management


                   Now that the analyzer profile you'd like to use for files submitted by the Network Security Platform sensors exists, you have to assign
                   that profile to the built-in NSP user.


                   Navigate to the "Manage" tab.


              Manage tab.JPG


                   On the Manage tab, the first page, "User Management", displays a list of the current users.  The "NSP" user is a built-in user.  To assign
                   the profile you just created to the NSP user, select its radio button and then select "Edit".


              user management.JPG


                   User Management page


              User Credentials.JPG


                  User Credentials - This section is important to note, as these are the credentials that you have to configure in the Network Security Manager.
                        Note: write down the user name and password you choose.


              User Details.JPG


                   User Details - The only mandatory section here is the "First and Last Name".


              default analyzer profile.JPG


                   Default Analyzer Profile - this is where we select the analyzer profile that we just configured from the "Policy" tab.




                   Roles - Since your NSP user will be logging in automatically to submit files, there is no need to assign this user Admin rights.
                                Leave all the other boxes checked.




                   FTP Results Output - If you'd like to output results to an FTP server input the credentials here.


                   Finally, click "Save" at the bottom of the page to assign the analyzer profile to the user.


    Part 2 - Connect the Network Security Manager to Advanced Threat Defense


                   Log into your Network Security Manager and navigate to the "Devices" tab.  On the left side of the page, expand
                   "Default Device Settings", then "IPS Devices", and select "ATD Integration".


              NSP - ATD Integration page.JPG



                   Fill in the fields with your ATD's IP address.

              enable communication.JPG


                   The username is the built-in NSP user whose ATD account we just edited and assigned a default analyzer profile.
                        Note: The password is the one you wrote down earlier.


              Test connection.JPG


                   After you have entered the credentials, click "Test Connection from Manager".  If the connection is successful (the message will
                   appear above the "ATD Integration" box), click "Save".
                        Note: If the connection fails, first verify that the credentials have been entered correctly.  If the credentials are good,
                                  verify that a firewall or router isn't blocking the connection.



    Part 3 - Configure the Malware Policy for ATD and deploy policy to inspection ports


                   Navigate to the "Policy" tab to create a policy that forwards files to ATD for inspection.


              Advanced Malware Policy.JPG


                   On the left, expand the "Advanced Malware" section, then select "Advanced Malware Policies".  To create a new policy, select "New" in the
                   bottom right-hand corner.


              Advanced Malware Properties.JPG


                   In the Properties section, give your new policy a name.  You can also give it a description, although this is optional.  Since we are making
                   this change at the "Global" level and not per device, making the policy visible to Child Admin Domains allows specific policies to be
                   applied at the child domains.


                   I recommend selecting both HTTP and SMTP; this allows both files downloaded via the web and attachments in email to be inspected by ATD.


                   Next we'll edit our scanning options.


              Scanning Options.JPG


                   Our scanning options include the list of file types that can be scanned, the Malware Engines that we can select to scan with, and the
                   "Action Thresholds", i.e. the actions we would like to apply based on the scanning results.


                   Some items to note:


                        Grayed-out boxes indicate that the malware engine isn't available for that file type.  In the case of NTBA, everything is grayed out, since files
                        scanned by ATD can't also be scanned by NTBA.  If you currently have an NTBA in your environment, you can select file scanning
                        by either ATD or NTBA, but not both.


                        Action Thresholds determine at which point to take action.  In the case of "Alert", at its current setting, a file that ATD inspects and rates "Medium"
                        will not create an alert in the manager.  Since I'd like to initially see ATD returning alerts to the manager, I'm going to set my Alert Threshold to "Low".


              Scanning Options changed.JPG


                   Once you have finished configuring your changes, select the box "Prompt for assignment after save", then click "Save".  By checking the box you will
                   be guided through the process of assigning your new policy to inspection ports.


                   After clicking "Save", a new page will open asking you which ports you'd like to assign your new malware inspection policy to.


              ATD Policy assignment.JPG


                   After selecting the ports (and direction) to which you'd like to apply your policy, move them to the "Selected Interfaces" section.  Once you have selected all
                   relevant ports, click "Save".


              update required.JPG


                   A dialog box will open reminding you that you now have to update your sensors for the policy to take effect; select "OK".




                   On the left-hand side, scroll down and expand the IPS interface(s) that are connected.




                   On the right-hand side, under "Advanced Malware Policy", select the Assignment Logic and then select the policy you just created for the Inbound
                   and Outbound Policy(s).


                        malware policy.JPG



                   Scroll further down to "Protection Options".  It is recommended to enable Layer 7 Data Collection on the interfaces to provide
                   better incident reporting and collection of the file names.


                        Protection Options.JPG



                   After clicking "Save", navigate to the "Devices" tab; on the left side you can select either the "Global" or the "Devices" tab to deploy
                   the pending changes.  You can deploy the changes to only the devices being affected, but if you have other changes you'd
                   like to make at the same time, it can be done from the "Global" tab.  I only have a change on a single sensor, so I chose the
                   "Devices" tab.


              deploy pending changes.JPG


                   Once you've navigated to the "Deploy Pending Changes" page in either the "Devices" tab or the "Global" tab, click "Update".


                   After the changes have been deployed to the sensor the new malware policy will be in effect.


                   To verify that ATD is properly sending alerts, please see the video at the top of this document; it shows where and when an alert from ATD will appear in your Network Security Manager.



    Additional Resources


                   Integration Guide - le=en_US&showDraft=false&platinum_status=false&locale=en_US&bk=n