We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

But we have the following issue. The ATD report says: "Active Response. Status: Product is not Available".

Can you help us to solve this problem?

McAfee Employee rbrady

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

MAR integration with ATD is dependent on a functional DXL fabric.  If ATD isn't able to talk on DXL for any reason, then the MAR queries won't work.  Also, MAR isn't queried unless the sample is actually malicious, so if the test cases aren't scoring as malicious, then MAR won't be queried.  Also confirm that ATD has the correct tags applied in ePO per the document.

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

Thank you very much for your reply.

ATD has DXL Status: UP; in ePO, ATD has the tags ATDDXL, Workstation.

Analysis of the results file in ATD has shown that the level is very high, but the MAR status is: McAfee Active Response Status: Product is not Available.

What else could it be?

Reliable Contributor Troja

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

Hi,

are you using the DXL Broker service on the MAR Server? Yes/no?

Step 1: If yes, configure your endpoints to connect directly to the MAR DXL Broker.

Step 2: Test whether standard MAR queries are working fine. If not, there is a problem with the MAR integration, because the MAR query does not reach the endpoints.

Step 3: Check your MAR Server integration under Registered Servers in ePO. (This will not be necessary with MAR 2.0 any more.)

If everything is fine and working, you can test removing the DXL Broker from the MAR Server. This is the installation type I would always suggest. In bigger environments there should be no DXL Broker running on core systems like the TIE Server or MAR server. Always use dedicated DXL Broker appliances.

As explained, a MAR query is only done if the file was malicious.

Hope this helps,

Cheers

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

Troja,

Thank you very much for your reply.

Are you using the DXL Broker service on the MAR Server? Yes/no? - YES

Standard MAR queries work.

The file was malicious.

ATD:

McAfee Active Response

Status: Querying for Compromised Hosts

Val

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

We saw similar issue when ATDDXL tag was not authorized to send MAR Server API calls.

You can check if this is the case in ePO | Server Settings | DXL Topic Authorization.

The 'Send Tags' field for the 'Mar Server API' topic should contain ATDDXL in addition to MARSERVER.

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

'Mar Server API' tags: ATDDXL and MARSERVER
Reliable Contributor Troja

Re: We had integrated McAfee ATD with Active Response in accordance to https://community.mcafee.com/docs/DOC-8447

Hi all,

I tested around a little bit yesterday... Result: if not every device, and this means really every DXL-enabled device, points to the DXL broker on the MAR server, it does not work. 😞

So I have to revoke my earlier post. When this is done, everything works fine in my environment.

Second, I tested with a MAR aggregator, but this was also not working. The install guide includes a note about the DXL Client: there must not be a DXL Client when a MAR aggregator is installed on the DXL broker. Doing so results in a complete DXL outage in my environment.

MAR 2.0 will be available soon. Hoping there will be some improvements.

Cheers
