How to Create an Analyzer Profile for Malware Analysis on McAfee Advanced Threat Defense

Version 1


    This document demonstrates how to create an Analyzer Profile that enables you to analyze malware on McAfee's Advanced Threat Defense (ATD) appliance.



    You can also watch the steps described in this document by viewing the video below.




    I - Create an Analyzer Profile


    Before we create the profile, we need to confirm that a VM image has been successfully imported. The appliance accepts a VMware VMDK image and converts it to a .img file for analysis. In the system log, you can see that a second VM has been created successfully; the first is the default Android image that ships on the ATD appliance.




    To create an Analyzer Profile that uses the image we just uploaded (and later associate it with a specific user), go to "Policy" and then "Analyzer Profile."




    Here you can see the default Android analyzer profile, but we want to create a new one.



    The first field you will notice is "Name." Typically, we match the name we gave the image when it was created; in this case, enter something along the lines of "windows7sp1x64." In the description, you can record what is installed in the image, such as the Adobe Reader and Microsoft Office versions, or anything else you would like to note.



    If "Automatically Select OS" is checked, ATD recognizes whether a submitted file is 32-bit or 64-bit and chooses the matching image from the two you have. The caveat is that you need both a 32-bit and a 64-bit image in place for this to work; with only one image, there is nothing to select between.
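    As an added illustration of what that option has to decide (this is example code written for this page, not ATD's own logic, and ATD's internal classifier may use other signals), the following Python reads the two PE header fields that determine a Windows executable's bitness and maps the answer onto a pair of hypothetical image names. The minimal PE buffers it builds are constructed test input, not real samples. It also handles the two cases an automatic selector must not get wrong: a header whose Machine and Magic fields disagree, and a profile that has only one image available.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
# IMAGE_OPTIONAL_HEADER.Magic values: PE32 (32-bit) and PE32+ (64-bit)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x020B

# Hypothetical image names for this example; the page's own profile is "windows7sp1x64"
IMAGES = {"32-bit": "windows7sp1x86", "64-bit": "windows7sp1x64"}


def pe_bitness(data: bytes) -> str:
    """Return '32-bit', '64-bit', 'ambiguous' or 'not-pe' for a file buffer.

    Both the COFF Machine field and the optional-header Magic are checked;
    a sample that says one thing in each is flagged rather than guessed,
    because malformed headers are a classic way to dodge an analyzer.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + Magic (2) must fit inside the buffer;
    # a hostile or truncated file can point e_lfanew anywhere.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)

    machine_is_64 = machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64)
    machine_is_32 = machine == IMAGE_FILE_MACHINE_I386
    if machine_is_64 and magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return "64-bit"
    if machine_is_32 and magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return "32-bit"
    return "ambiguous"


def choose_image(data: bytes, images: dict) -> "str | None":
    """Pick the analysis image for a sample, or None if no suitable image exists.

    Mirrors the caveat in the text: automatic selection only works when an
    image for the detected bitness is actually configured. Ambiguous or
    non-PE input also yields None so the caller can fall back to a fixed
    profile or detonate in both images.
    """
    return images.get(pe_bitness(data))


def build_minimal_pe(machine: int, magic: int) -> bytes:
    """Construct the smallest byte string the parser above accepts (test input only)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<H", machine) + b"\0" * 18  # remaining 18 bytes of IMAGE_FILE_HEADER
    optional_header_start = struct.pack("<H", magic)
    return dos_header + b"PE\0\0" + coff_header + optional_header_start


if __name__ == "__main__":
    for label, sample in [
        ("x64 sample", build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC)),
        ("x86 sample", build_minimal_pe(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC)),
        ("mismatched", build_minimal_pe(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR64_MAGIC)),
        ("pdf", b"%PDF-1.4 constructed non-PE input"),
    ]:
        print(f"{label:12s} bitness={pe_bitness(sample):10s} image={choose_image(sample, IMAGES)}")
```

    The point for the profile option is the last function: with only one image configured, `choose_image` has nothing to return for the other bitness, which is exactly why the appliance requires both images before automatic selection is useful.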



    Under "Runtime Parameters," if you know that the .zip or other compressed files you receive are password protected, enter the passwords here so that ATD can use them to unpack the archives before analysis.

    Under "Reports, Logs, and Attachments," the options are straightforward: check everything you want included in the report produced by an analysis.

    Under "Analyze Options," select which engines should inspect files as they are submitted. Not every engine needs to run on every file, because a web gateway in the path may already have run some of them. McAfee Web Gateway, for example, has a GAM (Gateway Anti-Malware) engine, AV, and access to GTI (Global Threat Intelligence), so you do not need to run those again on the ATD appliance; in that case you can select sandboxing only.



    Finally, checking "Internet Options" allows the VM, that is the sandbox, to reach the internet. A warning pops up asking whether you are sure you want to enable this. If you do, make sure the ATD analysis network is isolated from the rest of your network so that detonated malware cannot propagate or reach internal systems.



    Click Save at the bottom. When you return to the Analyzer Profile list, the new profile appears beneath the default one.




    II - Associate Analyzer Profile With A Specific User


    Now that we have a second analyzer profile, we want to associate it with a specific user. In this case we select our NSP user, which represents the Network Security Platform (IPS) device. Edit the user and make sure the credentials match on both the Network Security Manager and ATD: the same username and password must be configured on both sides.




    We also change the "Default Analyzer Profile" from "Analyzer Profile 1" to our new profile, which in this case we named "windows7sp1x64." Then click Save.




    III - Test The New Analyzer Profile


    To test that the new Analyzer Profile is in use for that user, open a web browser on a host behind the IPS and download a sample from a website that hosts malware samples.



    The download passes through the Network Security Platform, the IPS whose user we just associated with the analyzer profile, and the IPS sends the file to ATD for inspection. When I try to save the file, it is also blocked by the SmartScreen Filter in Internet Explorer. Note that the SmartScreen block is a client-side check and is not evidence of ATD's verdict; the evidence that ATD received and inspected the file is on the appliance itself.



    Back on ATD, under "Analysis," the file appears in both "Analysis Status" and "Analysis Results."



    When we click "Analysis Summary" under "Analysis Results," we get the reports and can look at information about the file we tried to download. We see that it went through GAM (Gateway Anti-Malware), which detected it and convicted it with a severity score of 5, the highest on ATD's scale, indicating that the file is malicious.



    This confirms that submissions from the NSP user are reaching ATD and that the Analyzer Profile we assigned to that user is being used for inspection.