This guide will walk you through integrating McAfee Threat Intelligence Exchange (TIE) and McAfee Advanced Threat Defense (ATD).
If a file's reputation is unknown or uncertain, you can submit it to Advanced Threat Defense for further analysis. McAfee Advanced Threat Defense detects today's stealthy, zero-day malware with a layered approach: it combines low-touch antivirus signatures, reputation, and real-time emulation with in-depth static code analysis and dynamic malware analysis (sandboxing) to observe the actual behavior of a sample. Together these layers balance the need for both security and performance. Files can be sent from Threat Intelligence Exchange to Advanced Threat Defense automatically based on their reputation level and file size. For additional information on ATD, see the product page: http://www.mcafee.com/us/products/advanced-threat-defense.aspx
If Advanced Threat Defense is present, the following steps occur (based on policy):
• Endpoints running McAfee Threat Intelligence Exchange can inspect files on execution. If that inspection is inconclusive, the file can be sent to McAfee Advanced Threat Defense for further analysis.
Note: The file is actually sent from the endpoint to the TIE server, and then the TIE server sends the file to ATD.
• After analysis, McAfee Advanced Threat Defense will publish the file’s reputation to the DXL. At that point, the endpoint (and all other products on the DXL) will be notified if it is malicious or safe.
• McAfee recommends configuring the TIE client to block the execution of a file when it is sent to ATD. With this setting, TIE blocks the file on the endpoint even if ATD later concludes that it is safe; in that case the end user simply runs the file again, and the now-published reputation allows it. The instructions below are written based on this recommendation.
Requires McAfee Threat Intelligence Exchange 2.0 or greater.
The objective of this guide is to demonstrate the automation available when integrating with McAfee Advanced Threat Defense. ATD removes the need for administrators to review file executions in ePO, and it removes the need to decide whether a file is good or bad: it makes the determination and publishes the reputation to the DXL with no administrator involvement. Successful completion of this use case should demonstrate that any ATD conviction automatically immunizes your entire environment.
To access the TIE Server settings policy, select Menu | Policy | Policy Catalog and select McAfee TIE Server Management 2.0.0 in the Product drop down.
Click into My Default to edit.
On the Advanced Threat Defense (ATD) tab configure ATD server settings. Files can be sent to ATD for further file reputation evaluation.
Enter the User name and Password for the ATD Server.
Note: The sample will be submitted from the TIE Server.
Note: The online help provides guidance on each option.
To access the TIE Client policy, which resides in the Endpoint Security Adaptive Threat Protection (ATP) policy, select Menu | Policy | Policy Catalog and select Endpoint Security Adaptive Threat Protection in the Product drop down. Then select My Default.
Check 'Submit files to ATD at and below' and choose the reputation level at which you want files sent for further analysis. Samples are sent at this reputation regardless of the levels chosen for 'Block at' and 'Clean at'.
The options are:
Most Likely Trusted - Almost certainly a trusted file
Unknown - Cannot make a determination at this time
Most Likely Malicious - Almost certainly a malicious file
The files are sent to Advanced Threat Defense when the following occurs:
• The Threat Intelligence Exchange server does not have Advanced Threat Defense information about the file.
• The file is at or below the reputation level you specify.
• The file is at or below the file size limit you specify.
• The file has not already been submitted to ATD by another endpoint or security product in your environment.
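As an added illustration (not code from this guide or from McAfee), the following Python model shows how the four submission conditions above interact with the block-while-pending behaviour recommended earlier, and why a second endpoint that runs the same sample does not trigger a second ATD submission. The full seven-level reputation scale and its numeric trust scores, the size limit, the hash identifier and the policy field names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# TIE reputation scale, most trusted first. The guide names three of these as the
# selectable "Submit files to ATD at and below" thresholds; the rest of the scale and
# the numeric trust scores are assumed for this example.
REPUTATION_SCORE = {
    "Known Trusted": 99,
    "Most Likely Trusted": 85,
    "Might Be Trusted": 70,
    "Unknown": 50,
    "Might Be Malicious": 30,
    "Most Likely Malicious": 15,
    "Known Malicious": 1,
}


def at_or_below(reputation, threshold):
    """'At or below' on the TIE scale means equal to or less trusted than the threshold."""
    return REPUTATION_SCORE[reputation] <= REPUTATION_SCORE[threshold]


@dataclass
class AtpPolicy:
    """The Adaptive Threat Protection client settings the guide touches (names assumed)."""
    submit_at_and_below: str = "Unknown"
    block_at_and_below: str = "Most Likely Malicious"
    max_size_bytes: int = 5 * 1024 * 1024   # assumed size limit
    block_while_pending: bool = True         # McAfee's recommendation in the guide


@dataclass
class TieServer:
    policy: AtpPolicy
    atd_reputation: dict = field(default_factory=dict)  # sha256 -> verdict published by ATD
    pending: set = field(default_factory=set)            # sha256 values already sent to ATD
    atd_queue: list = field(default_factory=list)        # what TIE forwarded to ATD
    dxl_events: list = field(default_factory=list)       # reputation changes published on DXL

    def should_submit(self, sha256, reputation, size):
        """The four submission conditions from the guide, checked in order."""
        if sha256 in self.atd_reputation:
            return False, "ATD reputation already known"
        if not at_or_below(reputation, self.policy.submit_at_and_below):
            return False, "reputation above submit threshold"
        if size > self.policy.max_size_bytes:
            return False, "exceeds size limit"
        if sha256 in self.pending:
            return False, "already submitted by another endpoint"
        return True, "submit"

    def on_execute(self, endpoint, sha256, reputation, size):
        """An endpoint inspects a file on execution and asks TIE what to do."""
        verdict = self.atd_reputation.get(sha256)
        if verdict is not None:
            # An ATD verdict takes precedence over the endpoint's local reputation.
            return "block" if at_or_below(verdict, self.policy.block_at_and_below) else "allow"
        submit, _ = self.should_submit(sha256, reputation, size)
        if submit:
            self.pending.add(sha256)
            self.atd_queue.append((endpoint, sha256))  # TIE, not the endpoint, talks to ATD
        # Assumption: any endpoint running a sample that is still in ATD is held back,
        # not only the one whose execution triggered the submission.
        if sha256 in self.pending and self.policy.block_while_pending:
            return "block-pending-atd"
        return "block" if at_or_below(reputation, self.policy.block_at_and_below) else "allow"

    def atd_result(self, sha256, verdict):
        """ATD finishes analysis; the reputation is stored and published to DXL."""
        self.atd_reputation[sha256] = verdict
        self.pending.discard(sha256)
        self.dxl_events.append((sha256, verdict))


def run_scenario():
    """Two endpoints run the same unknown sample before and after the ATD verdict."""
    tie = TieServer(AtpPolicy())
    sample = "sha256:artemis-unknown-all"   # constructed identifier, not a real hash
    first = tie.on_execute("host-a", sample, "Unknown", 120_000)
    second = tie.on_execute("host-b", sample, "Unknown", 120_000)
    tie.atd_result(sample, "Known Malicious")
    third = tie.on_execute("host-a", sample, "Unknown", 120_000)
    return {
        "first": first,
        "second": second,
        "third": third,
        "atd_submissions": len(tie.atd_queue),
        "dxl_events": tie.dxl_events,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows both endpoints blocked while the sample is in ATD, exactly one submission reaching ATD, and the third execution blocked on the published Known Malicious verdict without the endpoint's local reputation being consulted again.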
Execute a file on a client system that meets the 'Submit files to ATD at and below' criteria set in the configuration section. The sample will be sent to the TIE server, which will then provide the sample to ATD.
On your endpoint execute Artemis-Unknown-All.exe.
This sample will be sent to ATD because it has an unknown reputation and we set the policy to send to ATD if files have an unknown reputation.
The sample file will be sent from the client to the TIE server. The TIE Server then submits the sample to ATD.
In ATD you will see Artemis-Unknown-All.exe listed for analysis.
Wait for the file to be analyzed and status set to Completed. The ATD Analysis Results will expose the sample results as well as the reason.
In ePO under TIE Reputations you will see the Known Malicious reputation determined by ATD.
McAfee Advanced Threat Defense connects your security ecosystem by sharing reputation information over the DXL. When an administrator does not want the hassle of researching each unknown or risky file McAfee ATD can offload that responsibility. ATD also improves the efficiency of your security ecosystem. Sharing reputation information means that all future encounters of a file will already have a reputation and will not have to be analyzed again.