As I understand ATP, it is the same as ATD because it also uses DAC to store unknown malware to analyze with TIE and GTI. Do I still need ATD?
One more thing, does ENS send the file to the McAfee Cloud [not the file hash] to analyze?
Please look at the threads below:
ENS is not able to send a file to a cloud by itself. In the past it could be integrated with CTD (instead of ATD), but AFAIK CTD is end of life: https://kc.mcafee.com/corporate/index?page=content&id=KB90296
Thank you for your post.
ATD and ATP definitely have their own advantages and uses. I am no expert with ATD, but with my basic understanding of ATD and knowledge of how ATP works, I can try and differentiate the 2 for you.
ATP works at the endpoint; it is a component of Endpoint Security. Hence, any DAC activities it performs are going to use your endpoint PC's processing power. ATD, however, is a solution that requires separate hardware and therefore has better performance, and it can communicate with TIE, providing reputation information much faster and at a more global scope when compared to endpoint-level processing.
Most importantly, ATD can integrate with existing McAfee solutions (like TIE via ATP), third-party email gateways and other products supporting open standards. ATP, on the other hand, is only a host-based solution.
I am not aware of any implementation of DAC rules in ATD, though. In ATP, DAC is a rule-based analysis that gets triggered based on the reputation of a file. Here is a quick look at DAC rules for you:
Here is the workflow involving ATP in ENS:
I am sure ATD enhances the protection on top of ATP in a huge way owing to the actual sandboxing solution offered by ATD.
You can learn more about ATD in its product guide below:
You can learn more about ENS ATP in its product guide below:
I sincerely hope this helps!
To answer your second part of the question, I am afraid ENS does not send an entire file to our GTI (Global Threat Intelligence) for analysis as that would mean huge amount of traffic in your environment.
We send the file information in an obfuscated fashion as GTI queries weighing less that few hundred KBs that looks up for reputation related information.
With respect to Real protect Cloud-based Scanning (a part of ATP component), Cloud-based Real Protect collects and sends file attributes and behavioral information to the machine-learning system in the cloud for malware analysis.
I sincerely hope this information is helpful.
If you have any further questions specific to ATP, you can always post in the ENS (Endpoint Security) forum here:
This helps the ENS ATP experts look into your queries and assist you better.
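The two points made in the replies above, that the endpoint sends only a small hash-based query rather than the file itself, and that containment is a rule triggered by the reputation that query returns, can be illustrated with a small simulation. This is an added example, not McAfee's ENS, ATP, TIE or GTI code; the reputation table, the 0 to 100 score scale, the `contain_below` and `block_below` thresholds and the sample file bytes are all constructed for the demonstration.

```python
"""Hypothetical model of a hash-based reputation lookup driving a
reputation-triggered containment rule (example code, not a McAfee product).
"""
import hashlib
import json

# Constructed sample "files": a 4 KB benign sample and a 4 KB malicious one.
SAMPLE_GOOD = b"MZ\x90\x00" + b"benign-payload-" * 300
SAMPLE_BAD = b"MZ\x90\x00" + b"dropper-payload" * 300

# Constructed reputation table standing in for a TIE/GTI lookup.
# Assumed scale: 0 = known malicious, 100 = known trusted.
REPUTATION_DB = {
    hashlib.sha256(SAMPLE_GOOD).hexdigest(): 85,
    hashlib.sha256(SAMPLE_BAD).hexdigest(): 5,
}


def file_sha256(data: bytes) -> str:
    """Hash of the file contents; this is what identifies the file in a query."""
    return hashlib.sha256(data).hexdigest()


def build_reputation_query(data: bytes) -> dict:
    """Build the query that leaves the endpoint.

    Only the hash and the size are included, never the file bytes, which is
    why the query stays tiny regardless of how large the file is.
    """
    return {"sha256": file_sha256(data), "size": len(data)}


def lookup_reputation(query: dict):
    """Simulated reputation service; None means the hash is unknown."""
    return REPUTATION_DB.get(query["sha256"])


def containment_decision(reputation, contain_below: int = 50,
                         block_below: int = 15) -> str:
    """Rule-based decision triggered by reputation (hypothetical thresholds).

    Unknown files are contained (allowed to run with restricted actions) so
    their behaviour can be observed; low-reputation files are blocked.
    """
    if reputation is None:
        return "contain"
    if reputation < block_below:
        return "block"
    if reputation < contain_below:
        return "contain"
    return "allow"


def evaluate_file(data: bytes) -> dict:
    """End-to-end: hash the file, query reputation, apply the containment rule."""
    query = build_reputation_query(data)
    reputation = lookup_reputation(query)
    return {
        "file_bytes": len(data),
        "query_bytes": len(json.dumps(query).encode()),
        "reputation": reputation,
        "action": containment_decision(reputation),
    }


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD),
                          ("unknown", b"never-seen-before" * 250)):
        print(label, evaluate_file(sample))
```

The `query_bytes` figure stays under 100 bytes for every file because the payload carries a fixed-length digest plus a size, while `file_bytes` grows with the file; that gap is the traffic saving the reply refers to. The thresholds are deliberately simple so that the three outcomes (allow, contain, block) can be traced back to a single reputation number.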