We're currently thinking about extending our security infrastructure with McAfee ATD.
As I understand the product, there is an appliance running some VMs that simulate our productive environment and run suspicious files to prove whether they are malicious or not.
I read as much as I can about current threats, and what one can often read is that the malware recognizes whether it is running on a VM or not.
So it's nice to have such a sandboxing technology, but there is not much need for it if the malware isn't executed.
Is there some other technology from McAfee to compensate?
Or does the VirusTotal implementation help here?
Thank you guys for your answers.
There you can find much useful information about ATD and Threat Intelligence Exchange (TIE).
First of all: Yes, you are right. Yes, the vendors implemented sandbox systems. Afterwards the malware designers designed mechanisms to detect sandboxing. Afterwards the vendors changed their systems to prevent sandbox detection. This is a never-ending war game at the moment. This game is not only played for sandbox systems; this game is played everywhere security should be bypassed. :-)
Threat Intelligence Exchange is a mechanism to, let me say, collect data/metadata. The information is processed to determine the resulting reputation score for a file. For communication, DXL is used as a standard communication bus system.
Now, any information is helpful.
- McAfee has already implemented "information pools" like the GTI cloud.
- Several products can be integrated into TIE: VSE, Application Control, Web Gateway. New products will be integrated soon.
- Reputation scores from ATD can be added to TIE.
- There will be several SIA partners which integrate into TIE and are DXL ready.
Advanced Threat Defense: If unknown code is executed on your endpoint, the code is uploaded to the TIE server. The TIE server uploads the file to ATD. ATD executes the file and sends the result back to TIE.
There are virtual images available on ATD where the code is executed. ATD does static and dynamic code analysis. An IOC is also generated and can be extracted from the report or automatically sent to ESM.
VirusTotal integration: It depends, because VirusTotal can be triggered if a "TIE/Suspect..." event is generated on the endpoint.
This is my understanding of what goes on with TIE/ATD/TIEM and VirusTotal. Hope this helps.
As you can see, there are many steps done to determine malicious behavior.
Thanks for the explanations, Troja.
I'll have a look at the link you provided.
In the case I described, TIE would upload to ATD, but there the malware wouldn't be triggered.
So ATD would rate the file as non-malicious and give the score back to TIE, and TIE back to the endpoint, which would then execute the file.
You are right, it's the old game...
Just from the perspective of ATD: I had just been to the 4-day administration class. McAfee has designed a proprietary hypervisor operating system that makes the VMs running on top look as physical as can be to thwart the "VM aware" malware.
Here is some more information on how the reputation is determined.
File and certificate reputation is determined when a file attempts to run on a managed system.
These steps occur in determining a file's or certificate's reputation.
If Advanced Threat Defense is present, the following process occurs.
If McAfee Web Gateway is present, the following process occurs.
Have fun :-)
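As an added illustration of the reputation flow described in this thread (endpoint asks TIE, TIE falls back to ATD for unknown files) and of the dormant-sample concern raised above, here is a small Python model. It is not McAfee code; the numeric tiers, the report fields and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Reputation tiers loosely modelled on TIE's trust levels (assumed values, not the product's API).
MOST_LIKELY_TRUSTED, UNKNOWN, MOST_LIKELY_MALICIOUS = 85, 50, 15

@dataclass
class AtdReport:
    """Constructed stand-in for an ATD analysis result (not the real report schema)."""
    static_score: int      # 0 (benign) .. 100 (malicious) from static code analysis
    dynamic_score: int     # same scale, from execution inside the sandbox VM
    observed_events: int   # file/registry/network events seen while the sample ran

def lookup_gti(sha256: str, gti_cache: dict) -> Optional[int]:
    """Simulated GTI cloud / TIE cache lookup by file hash."""
    return gti_cache.get(sha256)

def score_atd_report(r: AtdReport) -> tuple:
    """ATD report -> TIE-style reputation plus reason. A quiet run (the sample may
    have noticed the VM and stayed dormant) stays UNKNOWN rather than trusted."""
    if r.dynamic_score >= 70 or r.static_score >= 70:
        return MOST_LIKELY_MALICIOUS, "malicious indicators"
    if r.observed_events < 5:
        return UNKNOWN, "dormant in sandbox; re-analyse (e.g. different image)"
    if r.dynamic_score < 30 and r.static_score < 30:
        return MOST_LIKELY_TRUSTED, "clean after full detonation"
    return UNKNOWN, "inconclusive"

def resolve_reputation(sha256: str, gti_cache: dict, atd_report: Optional[AtdReport]) -> tuple:
    """TIE-side resolution: known reputation first, ATD verdict only for unknown files."""
    rep = lookup_gti(sha256, gti_cache)
    if rep is not None:
        return rep, "gti"
    if atd_report is None:
        return UNKNOWN, "awaiting ATD analysis"
    rep, reason = score_atd_report(atd_report)
    return rep, "atd: " + reason

def endpoint_action(rep: int) -> str:
    """Endpoint policy on the returned reputation (thresholds are assumptions)."""
    if rep >= 70:
        return "allow"
    if rep <= 30:
        return "block"
    return "contain"   # unknown: run with restrictions / prompt, never trust silently
```

The point of the `observed_events` check is that a sandbox verdict of "nothing bad happened" is only meaningful if something happened at all; a silent run should keep the file in the unknown tier, where the endpoint's unknown-file policy decides.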