Just like the screenshot. I cannot remove the profile, even though no analysis is running. I tried to reboot the ATD and delete; it still does not work.
ATD version: 3.8.0.29.53939
*Edit
Other questions:
1) How can I factory reset the ATD-3000 appliance? The command "factorydefaults" is not available in the CLI or over SSH.
2) I am very annoyed with the Android image on this ATD. During boot-up, it takes a lot of time just to boot the Android VM, and somehow I cannot delete the Android VM image.
Can someone help me to disable or delete the Android VM?
System Logs:
2017-03-30-18:36:47: starting vmcreator
2017-03-30-18:36:49: lvclean was successful.
2017-03-30-18:36:49: Copying image base to work folder: win7sp1x64_win7ver1.img
2017-03-30-18:38:51: Copied 14.53G in 122 seconds
2017-03-30-18:38:51: 121.96Mbytes/second
2017-03-30-18:38:51: Booting VM: win7sp1x64_win7ver1_sn01
2017-03-30-18:38:55: Waiting for VM to come up: win7sp1x64_win7ver1
2017-03-30-18:39:46: Giving more time to come up: win7sp1x64_win7ver1
2017-03-30-18:40:07: VM is up: win7sp1x64_win7ver1
2017-03-30-18:40:12: Starting image install.
2017-03-30-18:40:12: Loading software: win7sp1x64_win7ver1
2017-03-30-18:40:13: Ftp login OK.
2017-03-30-18:40:14: Upload installation image OK.
2017-03-30-18:40:16: Telnet login successful.
2017-03-30-18:40:16: ------ Running the OS validation tool ------
2017-03-30-18:40:26: OS Windows 7 6.1
2017-03-30-18:40:26: FTP OK
2017-03-30-18:40:26: TELNET OK
2017-03-30-18:40:26: AUTOLOGON OK
2017-03-30-18:40:26: ADMINISTRATOR OK
2017-03-30-18:40:26: FIREWALL OK
2017-03-30-18:40:26: FreeSpace OK
2017-03-30-18:40:26: Microsoft Office 2010 OK
2017-03-30-18:40:26: Adobe Reader 11.0 OK
2017-03-30-18:40:26: java version "1.8.0_92" OK
2017-03-30-18:40:26: flash not exist OK
2017-03-30-18:40:26: Activation OK
2017-03-30-18:40:26: Scan Complete!
2017-03-30-18:40:26:
2017-03-30-18:40:26: ---------------------------------
2017-03-30-18:40:26: Found installation image.
2017-03-30-18:40:26: Installing application
2017-03-30-18:40:31: Finishing up installation.
2017-03-30-18:41:16: Completed software installation.
2017-03-30-18:41:16: -------------------------------------------
2017-03-30-18:41:16: Finished install for OS: win7sp1x64_win7ver1
2017-03-30-18:44:20: Copied 4.94G in 9 seconds
2017-03-30-18:44:20: 562.55Mbytes/second
2017-03-30-18:44:35: Completed image prep...
2017-03-30-18:44:35: ----------------------------------------------------------------
2017-03-30-18:44:35: total number of VMs configured: 2
2017-03-30-18:44:35: ----------------------------------------------------------------
2017-03-30-18:44:35: creating VM: win7sp1x64_win7ver1_sn01
2017-03-30-18:44:35: Checking vm status: win7sp1x64_win7ver1_sn01
2017-03-30-18:44:36: Booting VM: win7sp1x64_win7ver1_sn01
2017-03-30-18:44:36: VM has started: win7sp1x64_win7ver1_sn01
2017-03-30-18:44:36: Creating snapshot for: win7sp1x64_win7ver1_sn01
2017-03-30-18:45:14: time taken: 39.084436
2017-03-30-18:45:14: creating VM: android_sn01
2017-03-30-18:46:12: Checking vm status: android_sn01
2017-03-30-18:46:12: Booting VM: android_sn01
2017-03-30-18:46:17: VM has started: android_sn01
2017-03-30-18:46:17: Creating snapshot for: android_sn01
2017-03-30-19:01:28: -----------------------------------------------------------------------------
2017-03-30-19:01:28: vmcreator FAILURE
2017-03-30-19:01:28: The analysis VM creation process has failed. The ATD system needs to be restarted.
2017-03-30-19:01:28: Log into the CLI interface and enter the command "reboot vmcreator" to reboot the system and re-run vmcreator.
2017-03-30-19:01:28: Updating VM database
2017-03-30-19:01:33: Vmcreator success.
2017-03-30T19:01:34+0800: [vmcreator.sh] ::1490871694.281110189 - 1490870193.695460618 = 1500.585649571, minutes = 25
I found that the analyzer profile "AP_defa", which is the first profile I created, automatically became the default analyzer profile of all local users.
Screenshot:
After I changed the default analyzer profile for all local users, I could delete the profile.
But,
1) I still don't know how to factory reset the ATD-3000 appliance.
2) The Android VM is still bugging me. I don't need the Android VM, but I still cannot delete it. Based on the KB: McAfee Corporate KB - How to remove the default Android VM provided in Advanced Threat Defense KB863...
the command "removeAndroid" should do the job, but it does not work. And it created the Android VM automatically after boot-up.
Please see screenshot below:
The command to factory reset the ATD is listed in the Product Guide; you can Ctrl+F and look for factorydefaults.
Page 142 at the Bottom.
Thanks,
Matthew Jesmer
I forgot to mention, you can also reimage/restore the ATD using a USB Recovery Image.
This is a somewhat time consuming process, and requires direct access to the ATD appliance.
Instructions can be found in the Product Guide on pages 177-179.
If you are just re-imaging / factory resetting the ATD in an attempt to remove the Android VM, I would recommend you open an SR with support first. They should be able to assist you in dropping the Android VM from the backend of the box. (Might save you time; I say might because queue times and response times via email can be slow.)
Everything that you supplied to this thread I would also include in your SR.
Regards,
Matthew Jesmer
He wants to remove the Analyzer Profile NOT Reset the ATD? The thing costs USD 100'000.- and does not work sometimes...
@mario.natinet, open a case with them OR maybe as a last option TRY to migrate to the 4.0 version of the ATD. Now here two comments: a) You should BECAUSE the 3.8 has a serious EXPLOIT; b) The ATD 4.X has some bug with 64BIT VMs and DELPHI EXE/DLL. But in your case, if you are really stuck, maybe a good option to try that first.
If you read the entire case you would see that he also asks about resetting the ATD.
Thanks,
@mjesmer,
I am reading Forum Entries like McAfee TIER Subject AND the rest while the customer is on the phone. 😉
Learned that from McAfee.....
I removed analyzer VMs and analyzer profiles multiple times from ATD. So, I think you know the dependencies on ATD. A user has an analyzer profile configured, and the analyzer profile itself includes one or more VM profiles.
If you remove an Analyzer Profile from the users you should be able to remove the Analyzer Profile.
If you remove a VM Profile from any Analyzer Profile you should be able to delete the VM Profile.
If there is a "damaged" image file for an Analyzer VM on ATD, I confirm that support can remove any of these image files.
If you want to reset the ATD, this should also be no problem. From my side, I never had the need to reset an ATD appliance to factory defaults since version 3.6.x or 3.8.x.
Just a question, have you updated your ATD?? If yes, have you updated the android image as well? 🙂
Finally one thing: which Analyzer Profile is your default profile? I'm not sure if it works when you try to remove the default VM Profile.
Cheers
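The dependency chain described in the post above (user -> default analyzer profile -> VM profiles) is the reason the original poster could not delete "AP_defa" until the users' defaults were changed. The following is an added illustration, not ATD code: a small model with constructed sample data that reports which object blocks a deletion, in the order the post describes.

```python
"""Model of the ATD deletion dependencies described in the thread (constructed example).

users -> default analyzer profile -> one or more VM profiles.
An object can only be deleted once nothing still references it.
"""
from dataclasses import dataclass, field


@dataclass
class AtdConfig:
    # user name -> default analyzer profile name (constructed sample data)
    user_defaults: dict[str, str] = field(default_factory=dict)
    # analyzer profile name -> set of VM profile names it includes
    analyzer_profiles: dict[str, set[str]] = field(default_factory=dict)
    vm_profiles: set[str] = field(default_factory=set)

    def analyzer_profile_blockers(self, ap: str) -> list[str]:
        """Users whose default analyzer profile is `ap`; non-empty means delete is refused."""
        return sorted(u for u, d in self.user_defaults.items() if d == ap)

    def vm_profile_blockers(self, vm: str) -> list[str]:
        """Analyzer profiles that still include `vm`; non-empty means delete is refused."""
        return sorted(ap for ap, vms in self.analyzer_profiles.items() if vm in vms)

    def set_user_default(self, user: str, ap: str) -> None:
        """Re-point a user's default analyzer profile (the fix the poster applied)."""
        if ap not in self.analyzer_profiles:
            raise KeyError(ap)
        self.user_defaults[user] = ap

    def delete_analyzer_profile(self, ap: str) -> bool:
        if ap not in self.analyzer_profiles or self.analyzer_profile_blockers(ap):
            return False
        del self.analyzer_profiles[ap]
        return True

    def delete_vm_profile(self, vm: str) -> bool:
        if vm not in self.vm_profiles or self.vm_profile_blockers(vm):
            return False
        self.vm_profiles.discard(vm)
        return True


def sample_config() -> AtdConfig:
    # Constructed data mirroring the thread: the first profile created ("AP_defa")
    # became every local user's default, so the UI refused to delete it.
    return AtdConfig(
        user_defaults={"admin": "AP_defa", "analyst1": "AP_defa"},
        analyzer_profiles={"AP_defa": {"win7sp1x64_win7ver1"},
                           "AP_win7": {"win7sp1x64_win7ver1", "android"}},
        vm_profiles={"win7sp1x64_win7ver1", "android"},
    )
```

The same check applied to the VM profile layer explains why the Android VM cannot be dropped while any analyzer profile still includes it.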