Not so long ago on the portal McAfee My Products | McAfee Downloads It appeared package ATD Detection Image-18.104.22.168 (atd-detection-img-22.214.171.124.56517-3.6.2.x86_64.rpm)
I have a simple question - what kind of package ?
Why is it needed ?
Would like to inform you that this detection package includes enhancements in malware detection. After installing this package you will be able to detect more malware variants as well.
Also would like to inform you that fix for adding .html extension is not fixed in this detection package.
That fix is expected to be released by Q4,2016 Tentatively.
Would like to inform you that this issue has been fixed in hotfix release 126.96.36.199. Request you to upgrade and test the same.
When you submit a .wsf file in XMode, Advanced Threat Defense now uses Windows Scripting Host to open the original file. (1152278, 1153121)
The person did ask what the RPM package does? Now since we don't want to click around in the CLI could you please mention where the RPM package would be installed in GUI.
Is this correct? We fully understand below option from System software. But the RPM package is unclear. We know what to do with that on Linux but on the ATD?
@ Throsten "Just a question, this is a known issue at the moment??"
The question is absolute right.
We both asumed that even with the HTM* extension of the scripts THEY would analyse it and run it as script. If the thing is really smart it would make sure that any kind of malware which would hook in between
the Windows Scriptin Host could not like fake things. If it's text script i don't need a sandbox for EUR 80'000.- If it's only pattern based then HIPS or VSE/ENS should do the trick.
@Mcafee, We also asume that with PDF which have hidden jscript and download scripts you scan those scripts. And we asume if the Form/PDF has 50 buttons you scan all of them. Fortigate Sandbox does lmit those DEPTH/Buttons
to like 8 and the malware coders started button 50 click field or button in their HTML or PDF (Most of them hidden).
regarding the RPM Package. I think i do not understand, i have never installed a RPM package on ATD. You can see the detection package in the ATD GUI and you can install it or you can revert to an previous version. Anything is done under "content update" in the ATD GUI.
Regarding the HTM Files. I tested many malware samples with several different content types. I have no access at the moment to my environment (Malware Samples).
My experience from the past, GAM did a great job for many scripts types or internet based content types.