McAfee Sandbox - Creating a custom Advanced Threat Defense OS image

Version 2




McAfee's Advanced Threat Defense allows file samples to be analyzed by custom images. This means detection rates will be based on your specific organization's configurations, not a dated or irrelevant OS or configuration. In this document we'll cover the steps to create a custom image. Importing the image and configuring the way samples are analyzed are covered here.

Before Getting Started

Creating a custom image will take about an hour; about half of this time will be spent waiting. To make this as simple as possible I've gathered the links to the resources you'll need in this document. Here's a list of things you'll need:


 - VMware Workstation 9.0 (or above)

                    - .ISO file for the image you wish to create and associated license key

                    - Sigcheck

                    - MergeIDE

                    - Microsoft Office

                    - File Format Converter (for converting older office formats to the newer .docx format)

 - Adobe Reader

                    - Adobe Flash

                    - Microsoft Visual C++ 2005, 2008, 2010 and .NET Framework

                    - Java


*TIP: I download all of the packages into a single folder and then place them on a network drive that is available in the VM I'm creating. It saves a lot of time downloading in the VM or transferring files later. Also, many of these can be used when creating additional analyzer virtual machines, and it's convenient to have them later.

Creating and customizing the VMDK

In most cases I try to simplify the product guide to distill only the information you'll need; however, in this case the product guide is very clear and includes screenshots. The process begins on page 71.