What's new in ATD 3.6.0?

Version 4

Introduction

ATD 3.6.0 was released in April of 2016. The purpose of this document is to illustrate some of the key changes and explain their purpose.

Video

coming soon!

What's new

1. Appliance performance improvements

  • 25% improvement over the current sample analysis rate for ATD 3K and 6K
  • Load balancer performance improvement in terms of faster submission rates across a load-balanced (LB) ATD deployment (50% increase)
  • Synchronization of VM profiles in an LB cluster (an ATD cluster automatically synchronizes the VM profiles of the primary node to all secondary nodes)

2. Usability

  • Sample whitelisting through the GUI rather than the CLI
  • Ability to cancel samples that are in the Pending (Waiting) state, thus prioritizing samples in the Waiting queue

3. Single File Submission to Multiple VMs

  • Send a file to multiple sandbox VMs to find which VM causes it to detonate

4. Global Whitelisting

  • GUI support to manage (Add/Delete/Query) whitelist records

5. Submission Priority

  • A privilege that lets the user submit critical samples with 'Run Now' and get their analysis results immediately, even if there is a big sample queue

6. Support Bundle Enhancements

  • Ability to selectively choose the log file categories and the number of most recent log files; the blocking call for downloading the log files has been removed

7. Family Classification for .NET

  • Coverage for .NET samples, in response to the steady increase in malware created using .NET frameworks since 2014

8. Family Classification for 64-bit samples

  • Same as above: family classification coverage extended to 64-bit samples

9. Anti-evasion technique detection (i.e. detecting a malware sample's attempts to determine that it is executing in a sandbox)

  • Detection hooks for API calls
  • Detection of environment (software and hardware) scanning by malware
  • Checks for hard-coded execution paths used to evade detection

10. Full Logic Path

  • Available for Windows 7 32-bit systems
  • Augmented section(s) in the current report with a graphical presentation of execution through logical branches
  • Execution of multiple logic paths depending on sample complexity
  • Suitable for deeper analysis by a SOC analyst, as it has performance trade-offs

11. Engine Updates

  • GAM engine update to v2015
  • AV engine update to v5800

12. McAfee Active Response (MAR) Integration

  • McAfee Active Response is a threat detection and response tool that provides real-time information about the endpoints on a network. Integrating MATD with MAR tells the user which endpoints are infected by a sample that MATD has detected as malicious. The user can then take appropriate action on the endpoint if MAR finds it to be infected.

Getting Started

Before you begin upgrading to 3.6.0

  • If the current version is below 3.4.8 and you want to upgrade to 3.6.0, you need to upgrade McAfee Advanced Threat Defense to 3.4.8 first. Refer to the sections listed below for guidance on upgrading to 3.4.8:
      • Upgrade ATD software from 3.4.2.32 to 3.4.8, under the Managing Advanced Threat Defense chapter in the McAfee Advanced Threat Defense 3.6.0 Product Guide
      • Upgrade ATD software from 3.4.4.63 to 3.4.8, under the Managing Advanced Threat Defense chapter in the McAfee Advanced Threat Defense 3.6.0 Product Guide
      • Upgrade ATD software from 3.4.6 to 3.4.8, under the Managing Advanced Threat Defense chapter in the McAfee Advanced Threat Defense 3.6.0 Product Guide
      • If the current version is 3.4.8.190 or 3.4.8.193, you can upgrade directly to 3.6.0
  • Make sure that the system-3.6.0.msu ATD software that you want to use is extracted and that you can access it from your client computer
  • You have the credentials to log on as the admin user in the ATD web application
  • You have the credentials to log on to the ATD CLI using SSH (default cliadmin/atdadmin)
  • You have the credentials to SFTP to the ATD Appliance (default atdadmin/atdadmin)
  • For the admin user record, select "Allow Multiple Logins" in the "User Management" page
  • A new version of Android, 5.0, is available from the McAfee Download site using your grant number. If you'd like to upgrade your Android analyzer profile, see "Upgrading your Android analyzer VM to Android 5.0" below
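The version gating above is easy to get wrong when an operator reads a build number by eye, so here is a small pre-upgrade check that encodes exactly the rules this page states. It is an added example, not McAfee code; the version strings and the "direct upgrade" set come only from the prerequisites above, and any version the page does not cover is rejected rather than guessed.

```python
"""Pre-upgrade version gate for the ATD 3.6.0 path described on this page.

Added example, not McAfee code. Encodes only the rules stated above:
  - 3.4.8.190 and 3.4.8.193 may upgrade directly to 3.6.0
  - anything below 3.4.8 must go to 3.4.8 first, then to 3.6.0
  - any other version is not covered by the page and is flagged for a manual check
"""
from typing import List, Tuple

TARGET = "3.6.0"
INTERMEDIATE = "3.4.8"
DIRECT_OK = {"3.4.8.190", "3.4.8.193"}  # builds the page allows to go straight to 3.6.0


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.4.8.190' into (3, 4, 8, 190); reject non-numeric components."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def plan_upgrade(current: str) -> List[Tuple[str, str]]:
    """Return the ordered (from, to) upgrade steps needed to reach 3.6.0.

    An empty list means the appliance is already at the target or newer.
    Raises ValueError for versions the page does not document, so the
    operator consults the release notes instead of improvising a path.
    """
    current = current.strip()
    cur = parse_version(current)
    if cur >= parse_version(TARGET):
        return []
    if current in DIRECT_OK:
        return [(current, TARGET)]
    # Tuple comparison is lexicographic, so (3, 4, 6) < (3, 4, 8) but
    # (3, 4, 8, 100) is not below (3, 4, 8) and falls through to the error.
    if cur < parse_version(INTERMEDIATE):
        return [(current, INTERMEDIATE), (INTERMEDIATE, TARGET)]
    raise ValueError(
        f"{current} is not an upgrade path this page documents; "
        "consult the 3.6.0 release notes before proceeding"
    )


if __name__ == "__main__":
    for v in ("3.4.2.32", "3.4.6", "3.4.8.193", "3.6.0"):
        print(v, "->", plan_upgrade(v))
```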

Upgrading your Android analyzer VM to Android 5.0

  • Make sure that the current version of ATD is 3.4.8 (do this before upgrading to 3.6.0)
  • Make sure that the android-5.0.msu file has been downloaded and can be accessed from your client computer
  • Make sure you have Admin, CLI and SFTP credentials before starting
  • For the admin user record, select "Allow Multiple Logins" in the "User Management" page

Perform the Android 5.0 Analyzer VM upgrade

1. Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user.

2. Using SFTP, upload the android-5.0.msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary.

3. After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage | Software Management.

4. Under System Software, select the android-5.0.msu file.

5. Make sure that Reset Database is deselected, as this is not relevant for the Android upgrade, and click Install. The Android installation process begins with file validation.

6. A confirmation message is displayed; click OK. The Advanced Threat Defense web application logs out automatically and the status of the installation is displayed in the browser.
    • It takes a minimum of 20 minutes for the system software installation to complete.
    • If you are not able to view these messages, clear the browser cache.
    • When you upgrade Android, the default Android analyzer VM is automatically re-created. This process might take a few minutes to complete.

7. Log on to the web application, and select Manage | System Log.

8. In the System Log page, verify that the vmcreator task has completed successfully for the Android analyzer VM.

When the user doesn't want to retain the Android VM

  • Before the upgrade, run the removeandroid CLI command and reboot.
  • After the reboot, download the system.msu for the RTW 3.6.0.x version and apply the update.
  • Ensure that the system works fine after the upgrade.
  • Make sure that no Android VM is available and that all other Windows VMs work fine.

Performing the ATD appliance upgrade

1. Log on to the Advanced Threat Defense Appliance using an FTP client such as FileZilla. Log on as the atdadmin user.

2. Using SFTP, upload the system-<version number>.msu file to the root directory of Advanced Threat Defense. Make sure that the transfer mode is binary.

3. After the file is uploaded, log on to the Advanced Threat Defense web application as the admin user and select Manage | Software Management.

4. Under System Software, select the system-<version number>.msu file.

5. Make sure that Reset Database is deselected in the case of upgrades, and click Install.

6. A confirmation message is displayed; click OK. The system software is installed and the status is displayed in the browser. It takes a minimum of 20 minutes for the system software installation to complete.

7. After the software is installed, the Advanced Threat Defense Appliance restarts and a relevant message is displayed. The Appliance restarts on its own; the message is only for your information. If you are not able to view these messages, clear the browser cache.

8. Wait for the Advanced Threat Defense Appliance to start. Log on to the CLI and verify the software version.

9. Verify the version in the Advanced Threat Defense web application.

10. Log on to the web application, and in the System Log page, verify that the vmcreator task is invoked. When you upgrade ATD, all analyzer VMs are automatically re-created. This process might take some time to complete depending on the number of analyzer VMs.

11. Verify that the data and configuration from your earlier version are preserved. The software version you upgraded to is now stored in the active disk of the Advanced Threat Defense Appliance.

Whitelist status is disabled after you upgrade to ATD 3.6.0.

Additional Resources

  • Release Notes
  • 3.6.0 Product Guide
  • ATD 3.6.0 API Reference Guide