Showing results for 
Search instead for 
Did you mean: 

Adaptive Threat Protection


Adaptive Threat Protection

McAfee® Endpoint Security Adaptive Threat Protection (ATP) analyzes content from your enterprise and decides what to do based on file reputation, rules, and reputation thresholds.

Adaptive Threat Protection with next-generation Real Protect scanning, and Dynamic Application Containment, performs automated analysis, to contain, block, or clean files with known malicious or unknown reputations.

Use McAfee® ePolicy Orchestrator® (McAfee® ePO™) to configure, manage, deploy, and enforce Adaptive Threat Protection policies. Configure queries, reports, and dashboards to monitor threat activity within your environment.

The Adaptive Threat Protection module is supported on Windows systems only. Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.

Adaptive Threat Protection also integrates with:

McAfee Threat Intelligence Exchange (TIE) server — A server that stores information about file and certificate reputations, then passes that information to other systems. TIE server is optional. For information about the server, see Threat Intelligence Exchange.

Data Exchange Layer — Clients and brokers that enable bidirectional communication between the Adaptive Threat Protection module on the managed system and the TIE server. Data Exchange Layer is optional — it is required for communication with TIE server. For more information about McAfee Data Exchange Layer integration, see McAfee Data Exchange Layer.

These components are installed as McAfee ePO extensions and add additional new features and reports.

Real Protect

Key benefit: Next-generation scanning and detection performance; automated detection and protection for unknown security threats and malware.

Real Protect scanning performs automated, real-time behavioral analysis to detect zero-day malware which is undetected by static detection methods.. Uses signature-less machine learning with minimal client footprint and performance impact. Real Protect stops known threats by comparison and analysis of established malware attributes, then combats and convicts the unknown using behavioral and memory analysis. Real Protect unpacks executables to detect sophisticated threats using obfuscated code variants.

Improves detection rates up to 30% from legacy based DAT/signature with McAfee GTI detections alone.

Pre-execution, detects malware before it executes

Signature-less static analysis

Compares attributes against millions of samples

Machine learning automates classification

Identifies malicious actions

Real-time behavior classification finds commonalities through identifiable actions

Machine learning automates classification

Genealogy-based repair

Augments McAfee endpoint security products for Windows

Dynamic Application Containment (DAC)

Key benefit: Maintains productivity while securing patient zero, isolating the network, and preventing damage to endpoint

Suspicious applications run contained; but DAC monitors, restricts, and blocks potential malicious actions executed the unknown process.  DAC defeats “Sandbox-aware” malware, malware is less-likely to detect the containment. DAC also speeds up remediation as detection occurs on the endpoint and remediation of the patient zero endpoint is “not needed” since malware was “already contained”.

DAC defeats “Sandbox-aware” malware, malware is less-likely to detect the containment.

DAC speeds up remediation as detection occurs on the endpoint. Correction of patient zero endpoint is “not needed” since the malware was “already contained”.

Processes are contained if reputation is less than the configured reputation threshold. For example, DAC will contain an unknown process if it has an unknown reputation. Actions of a contained process are constrained by the Block or Report settings configured for enabled Dynamic Application Containment rule.  For further information on recommended Dynamic Application Containment rule settings, see KB87843 in the McAfee Knowledge Base.  Dynamic Application Containment Rules are created by McAfee Labs Global Threat Intelligence, based on latest unknown malware analysis.

Administrators can create global exclusions based upon process name, MD5 hash, or digital signature. DAC reputation threshold value is set to "Unknown" by default.

When integrated with McAfee Active Response or Advanced Threat Defense, file execution attributes are traced, collected, and reported for real-time analysis. If convicted, DAC will terminate the contained process.  If clean, DAC allows the process to run.

Securing Endpoints with Real Protect and Dynamic Application Containment



Is ATP a module that compriese Access Protection, Exploit prevention etc, or how it is.

Version history
Revision #:
1 of 1
Last update:
‎12-14-2016 06:21 PM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community