An analysis of the file in McAfee ATD

Hello.

I'm trying to analyze a file in ATD.

Files with the following extensions: vb, vba, vbe, vbs.

For the analysis I select X-Mode.

The analyzer profiles used were Windows XP and Windows 7 (32- and 64-bit).

I see that the file is opened as a text file.

[Attachment: ATD.jpg]

The file is an ordinary Visual Basic script.

The file does not contain any malware!

We analyzed the same file in the Cuckoo sandbox.

Cuckoo Sandbox analyzes the file by executing it; it does not open it as text.

How is that set up in McAfee ATD?

21 Replies

Re: An analysis of the file in McAfee ATD

Hi,

You can try the steps below.

1. Go to Control Panel, Default Programs, Associate a file type or protocol with a program

2. Then set the default program correctly as shown below.

[Attachment: Default Program.JPG]

3. You will have to change the program to C:\Windows\System32\wscript.exe to open the script file.

Refer to the KB link below for more details.

https://support.microsoft.com/en-us/kb/232211

Reply from Troja (Reliable Contributor)

Re: An analysis of the file in McAfee ATD

Hi,

Based on the ATD Product Guide (ATD_3.6.0_Product_Guide_revA.pdf, Table 8-1 on page 282), you can see the following information.

vb, vba, vbe, vbs files are supported for static analysis but not for dynamic analysis.

Page 228 shows which engines and technologies are used for static analysis: Global Whitelist, Local Blacklist, McAfee GTI, Gateway Anti-Malware (GAM), Custom Yara Scanner and Anti-Malware.

GAM is perfect for script analysis. GAM is able to look for the obfuscation and encryption mechanisms of a script, and much more. GAM emulates a virtual CPU in memory and does much fancy stuff. 🙂

Therefore, analyzing these file types in X-Mode (dynamic analysis) will make no difference when analyzing that file.

Just one thing I'm not sure about: what happens if the script downloads and drops a file...

Hope this helps,

Cheers

Re: An analysis of the file in McAfee ATD

Hi Troja

I think you misread the PG.

These extensions (vb, vba, vbe, vbs) are listed for both static and dynamic analysis.

Reply from Troja (Reliable Contributor)

Re: An analysis of the file in McAfee ATD

Oops, yes, you are right... I saw the info for JPG files as a headline... 😞

Do you have a sample to analyze?

Cheers


Re: An analysis of the file in McAfee ATD

Please try the previously suggested steps for associating the file type with a default program. For this, the steps below need to be followed.

1. Delete the Analyzer Profile

2. Delete the VM Profile

3. Create a new VM Profile with the same VM that you deleted in Step 2.

4. Click on the Activate button under the new VM Profile and make the suggested changes.

5. Shut down the VM from the Start menu.

6. Enter the maximum license value.

7. Click on Save.

8. Create a new Analyzer Profile using the VM Profile created in Step 7.

9. Submit a sample in X-Mode and verify whether it opens with the correct application or not.

Thanks.
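Both the first reply (associate the script extensions with C:\Windows\System32\wscript.exe) and the VM-profile procedure above come down to one thing: inside the analyzer VM, the file-type association decides whether X-Mode runs the sample or just opens it in a text editor. The following PowerShell script is an added example for auditing and, with -Repair, setting those associations in the guest before the VM is shut down and saved; it is not code from the thread or from McAfee. It assumes the stock Windows ProgIDs VBSFile and VBEFile for .vbs and .vbe, and the mapping of .vb and .vba to VBSFile (so wscript.exe treats them as VBScript) is this example's own assumption, since those two are not Windows Script Host extensions out of the box.

```powershell
# Added example (not from the thread): audit and optionally repair the
# associations that decide whether the ATD analyzer VM runs a submitted
# script with wscript.exe or merely opens it as text.
# Run in an elevated PowerShell inside the guest VM, then shut down and
# save the VM profile as described in the reply above.
#
# Assumptions (not stated on the page):
#  - VBSFile / VBEFile are the stock Windows ProgIDs for .vbs / .vbe.
#  - Mapping .vb and .vba to VBSFile makes wscript.exe run them as
#    VBScript; they are not WSH extensions by default.
param([switch]$Repair)

$WScript  = Join-Path $env:SystemRoot 'System32\wscript.exe'
$Expected = "`"$WScript`" `"%1`" %*"

# Extension -> ProgID we want. Plain hashtable so it also works on PS 2.0 (Win7).
$Wanted = @{
    '.vbs' = 'VBSFile'
    '.vbe' = 'VBEFile'
    '.vb'  = 'VBSFile'   # assumption, see above
    '.vba' = 'VBSFile'   # assumption, see above
}

function Get-Association {
    param([string]$Extension)
    # A per-user "Default Programs" choice (what the Control Panel dialog
    # writes) wins over the machine-wide HKCR mapping, so check both.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $userProgId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    $hkcrProgId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    $progId = if ($userProgId) { $userProgId } else { $hkcrProgId }
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Extension       = $Extension
        ProgId          = $progId
        Command         = $command
        RunsWithWScript = ($null -ne $command -and $command -like '*wscript.exe*')
    }
}

function Set-Association {
    param([string]$Extension, [string]$ProgId)
    # Machine-wide mapping: extension -> ProgID -> "wscript.exe" "%1" %*
    $extKey = "HKLM:\SOFTWARE\Classes\$Extension"
    $cmdKey = "HKLM:\SOFTWARE\Classes\$ProgId\shell\open\command"
    New-Item -Path $extKey -Force | Out-Null
    Set-ItemProperty -Path $extKey -Name '(default)' -Value $ProgId
    New-Item -Path $cmdKey -Force | Out-Null
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $Expected
    # Drop a per-user override so Explorer falls back to the HKCR mapping.
    # (XP/7 as used in the thread allow this; newer releases ACL-protect the key.)
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (Test-Path $userChoice) { Remove-Item -Path $userChoice -Force }
}

foreach ($ext in ($Wanted.Keys | Sort-Object)) {
    $state = Get-Association $ext
    if ($Repair -and -not $state.RunsWithWScript) {
        Set-Association -Extension $ext -ProgId $Wanted[$ext]
        $state = Get-Association $ext
    }
    $state   # one row per extension: ProgId, Command, RunsWithWScript
}
```

Run it once without -Repair to see what the VM would actually do with each extension; any row whose RunsWithWScript is False is a sample that X-Mode will open as text. After repairing, run the "Control Panel, Default Programs" check from the first reply to confirm the dialog agrees, then shut the VM down and save the profile so the snapshot carries the new associations.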

Reply from Troja (Reliable Contributor)

Re: An analysis of the file in McAfee ATD

Hi all,

I will test it next week in my environment as well.

Cheers

Re: An analysis of the file in McAfee ATD

You can see the same image as shown in the illustration above when analyzing it in ATD.

The only problem is that I do not know how to insert it here.

Re: An analysis of the file in McAfee ATD

Well, will there be more proposals?

Does anyone have any more suggestions?

Why does ATD append an .html extension at the end of the file?

Re: An analysis of the file in McAfee ATD

I would like to inform you that this issue has been fixed and the fix will be available in the upcoming release.
