The purpose of this document is to illustrate how to integrate McAfee's Advanced Threat Defense (ATD) sandboxing technology with McAfee's Network Security Platform.
Part 1 - Preparing the Advanced Threat Defense
Preparing the Analyzer Profile
Navigate to the "Policy" tab within the Advanced Threat Defense
On the Analyzer page a list of the current analyzer profiles is listed. The "android" profile is there by default. Any other profile
are the custom images that have been built and added to the ATD device.
Select "New" at the bottom if you'd like a specific analyzer profile for files submitted via McAfee Network Security Platform sensors. If you'd like
to use an existing analyzer profile proceed to the next step.
Analyzer Profile - Fill out "Name" as it's required and then the "VM Profile" will provide a list of the VM's that have been uploaded to the ATD device.
Automatically Select OS - If there are two images on the ATD, one 64-bit and one 32-bit, then enabling this feature will automatically
select which image to use for analysis.
Reports, Logs and Artifacts - This section select the boxes for the reports and artifacts you'd like generated for each file analysis.
By default all boxes are checked. After submitting multiple file samples and viewing the reports you may find sections that aren't
helpful, this is where you can come in and de-select specific options.
Analyze Options - lists the options that can be used to analyze a file set to ATD. In my case I have not selected local black list,
as there is currently no data in the black list. I have also chosen not to "Run All Selected" as this can add significant time to the analysis process.
However, if you would like as much detail as possible in all your reports checking this box will provided that detail.
Internet Options - If you would like and if your ATD has access to the internet you can select this box to allow the analyzer VM access to the Internet.
This can potentially lead to more detailed information and additional execution paths that would be available in the reports.
Select "Save" to save your new analyzer profile.
Now that the analyzer profile exists that you would like to use for file submitted by the Network Security Platform sensors you have to assign
that profile to the built-in NSP user.
navigate to "Manage"
On the Manage the first page "User Management" displays a list of the current users. The "NSP" User is a built in user. To assign
the profile you just created to the the NSP user select the radio button and then select "edit".
User Management page
User Credentials - This section is important to note as these are the credentials that you have to configure in the Network Security Manager
Note: write down the user name and password you choose
User Details - The only mandatory section here is the "First and Last Name".
Default Analyzer Profile - this is where we select the analyzer profile that we just configured from the "Policy" tab.
Roles - Since your NSP user will be logging in automatically to submit files there is no need to assign this user Admin rights.
Leave all the other boxes checked.
FTP Results Output - If you'd like to output results to an FTP server input the credentials here.
Finally click "Save" at the bottom of the page to assing the analyzer profile to the user.
Part 2 - Connect the Network Security Manager to Advanced Threat Defense
Log into your Network Security Manager and navigate to the "Devices" tab and then on the left side of the page expand
"Default Device Settings" and then "IPS Devices" and select ATD Integration
Fill out the Fields with your ATD's IP address.
The username is the default user that was built into the ATD user accounts that we just edited and added a default analyzer profile to.
Note: This is the password that you wrote down earlier
After you have entered in the credentials click "Test Connection from Manager". If the connection is successful (the message will
appear above the "ATD Integration" box) click "Save".
Note: If the connection fails then verify the credentials have been entered correctly. If the credentials are good then
verify that a firewall or router isn't blocking the connection.
Part 3 - Configure the Malware Policy for ATD and deploy policy to inspection ports
Navigate to the "Policy" tab to create a policy that forwards files to ATD for inspection.
On the Left expand the "Advanced Malware" section then select "Advanced Malware Policies". We want to create a new policy, in the
bottom right hand corner select "new"
In the Properties section give your new rule a name. You can also give it a description however this is optional. Since we are making
this change at the "Global" level and not per device, making the policy visible to Child Admin Domains allows for specific policies to be
applied at the child domains.
I recommend selecting both HTTP and SMTP, this allows files downloaded via web and attachements in email to be inspected by ATD.
Next we'll edit our scanning options
Our scanning options include the list of file types that can be scanned, the Malware Engines that we can select to scan and the
"Action Thresholds" or the actions we would like to apply upon scanning results.
Some items to note:
Boxes grayed out implied that malware engine isn't available for that file type. In the case of NTBA it is all grayed out since files
scanned by ATD can't also be scanned by NTBA. If you currently have an NTBA in your environement you can select file scanning
by either ATD or NTBA, but not both.
Action Thresholds determine at which point to take action. In the case of "Alert" if files in ATD are inspect and are rated "Medium"
no alert will be created in the manager. Since I'd like to initially see ATD returning alerts to the manager I'm going to set my Alert Threshold to "Low"
Once you have finised configuring your changes select the box "Prompt for assignment after save" the click "Save". By checking the box you will
be guided through the process of assigning your new policy to inspection ports.
After Clicking "Save" a new page will open asking you to which ports you'd like to assign your new malware inspection policy.
After selecting the ports (and direction) you'd like to apply your policy move them to the "Selected Interfaces" section. Once you have selected all
relevant ports click "Save".
A dialogue box will open reminding you that you now have to update your sensors to have the policy take effect, select "OK".
On the left hand side scroll down and expand the IPS interface(s) that are connected
On the right hand side under Advance Malware Policy. Select the Assignment Logic and then select the policy you just created for the Inbound
and Outbound Policy(s)
Scroll further down to "Protection Options". It is recommended to enable Layer7 Data Collection on the interfaces to provide
better incident reporting and collection of the file names.
After Clicking "Save" navigate to the "Devices" tab and on the left side you can select either "Global" or "Devices" tab to deploy
the pending changes. You can deploy the changes on only the devices being affected but if you have other changes you'd
like to make at the same time it can be done from the "Global" tab. I only have a change at a single sensor so I chose the
Once you've navigated to the "Deploy Pending Changes" page in either the "Devices" tab or "Global" tab click "update".
After the changes have been deployed to the sensor the new malware policy will be in effect.
To verify that ATD is properly sending alerts please see the video at the top of this document to see where and when an alert from ATD will show in your Network Security Manager.