How to Create an Analyzer Profile for Malware Analysis on McAfee Advanced Threat Defense

Version 1

    Introduction


    This document will demonstrate how to create an Analyzer Profile that will enable you to analyze Malware on Mcafee's Advanced Threat Defense (ATD) appliance.

     

    Video

    You can also watch the steps described in this document by viewing the video below.

     

    Process

     

    I - Create an Analyzer Profile

     

    Before creating the Analyzer Profile, the first thing we will do is confirm that we have successfully imported a VM (a VMDK image) and converted it to a .img for analysis purposes. In the system log, you can see that we have successfully created a second VM; the first is the default Android image that ships on the ATD appliance.

    analyzer2.png

    analyzer6.png

     

    To create an Analyzer Profile for the image we just uploaded (and later associate it with a specific user), go to "Policy" and then "Analyzer Profile."

    analyzer8.png

    analyzer9.png

     

    Here you can see the default Android analyzer profile, but we want to create a new one.

    analyzer12.png

     

    The first field you will notice is "Name." Typically, we try to match the name we gave the image when it was created. In this case, enter something along the lines of "Windows 64 sp1." In the description, you can add details such as the Adobe or Windows Office version, or whatever else you would like to note.

    analyzer13.png

     

    If "Automatically Select OS" is checked, ATD will recognize whether a submitted file is 32-bit or 64-bit and choose the matching image from the two that you have. The caveat is that you need to have both the 32-bit and 64-bit images in place for this to work.

    analyzer13.5.png

     

    Under "Runtime Parameters," if you know that your .zip or other compressed files need passwords, you can enter the passwords here so that ATD can use them to unzip the files. Under "Reports, Logs, and Attachments," the options are fairly straightforward; just check everything that you would like to see as output in an analysis report. Under "Analyze Options," you can select which of these engines you would like to run against files as they are submitted. Keep in mind that not every engine has to be checked, since upstream products such as a web gateway may already run some of them. In fact, the web gateway has a GAM (Gateway Anti-Malware) engine, AV, and access to GTI, so you won't need to run those again on the ATD appliance; in that circumstance you can select sandboxing only.

    analyzer15.png

     

    Finally, checking "Internet Options" allows the VM (the sandbox) to access the internet. A warning will pop up asking if you are sure you wish to select this option. If you do so, make sure ATD is on a connection that does not have access to other parts of your network, so that detonated malware cannot propagate.

    analyzer16.png

     

    We can then save our work at the bottom. As soon as we return to the list page, the new analyzer profile appears underneath the original one.

    analyzer17.png

    analyzer18.png

     

    II - Associate Analyzer Profile With A Specific User

     

    Now that we have a second analyzer profile, we want to associate it with a specific user. In this case we are going to select our NSP user, which is the IPS device. We edit the user and make sure the credentials match on both the Network Security Manager and here, so the same username and password must be used on both sides.

    analyzer22.png

    analyzer23.png

     

    We will also change the "Default Analyzer Profile" from "Analyzer Profile 1" to our new profile, which in this case we named "windows7sp1x64." Then click on save.

    analyzer25.png

    analyzer26.png

     

    III - Test The New Analyzer Profile

     

    To test that the Analyzer Profile is associated with the different user, we can go to a web browser and go to a website that contains some malware samples to download.

    analyzer28.png

     

    The traffic path runs through the Network Security Platform, the IPS we just associated the analyzer profile with. It sends the downloaded file to ATD for inspection. As I try to save the file, it is blocked by the SmartScreen Filter in Internet Explorer.

    analyzer29.png

     

    Moving back to ATD, under "Analysis" we see that the file can be viewed in both "Analysis Status" and "Analysis Results."

    analyzer32.png

     

    When we click on "Analysis Summary" under "Analysis Results," we get the report and can look at information about the file we tried to download. We see that it went through GAM (Gateway Anti-Malware), which detected it and convicted it with a fairly high score of 5, indicating that the file is malicious.

    analyzer36.png

     

    This confirms that the Analyzer Profile is associated with the correct user and is being used for inspection.