Showing results for 
Show  only  | Search instead for 
Did you mean: 

McAfee Sandbox - Creating a VM Image


In this document we'll cover which OS to use for your VMs and why.

Which OS should I use?

Listed in the ATD Installation Guide you will see a large list of supported OSes.

The first thing to remember here is that we're trying to maximize Indicator of Compromise (IOC) visibility, so we advise customers against Win10 and other newer OSes; however, there are some very niche customers who demand it due to licensing or bureaucracy.

Wait! So in reality my customer only needs a win7 sandbox? They have win10 in their environment, I was under the impression to match the customer environment 1:1. I guess I misinterpreted ATD altogether?
Not at all; most customers will assume that Win10 environment must mean Win10 sandbox.

Technically, that's correct; however, because Win10 has a frequent update schedule, we don't want customers to get into the process of having to update their sandbox every six months. We also don't want those new security features enabled because then we won't be able to observe all of the malicious activity... which is the whole point of sandboxing.

To summarize; use old and less secure OS/settings for sandboxes. This gives you the best potential for collecting IOCs and reputation data. 

There are some small caveats. If customer only has Win10 licensing and aren't willing to purchase different licensing just for ATD, then just use Windows 10, but you'll need to disable all of the security features (unharden it). That's what makes it difficult. Sandbox environment != Production environment. 

This is not just true of ATD, it's a principle of Cuckoo and everything else. You WANT to entice the malware to detonate. Which means it needs vulnerabilities to exploit.

The next thing to think about, is that every time ATD gets a file, it starts up a new VM to analyse that file. Older OSes often start up quicker than newer ones. So if you're starting 20 copies of a VM, you want to do everything you can to help the ATD to arrive at a verdict in the least possible time.

Thirdly, you've made an investment in an expensive bit of kit. If you have a model 3100, for example, you can run up to 30 VMs. We still see customers who only add licences for maybe 15 or 20 VMs, (and they wonder why their file queue is increasing). Make the maximum use of the appliance and license as many VMs as you can.

Finally, it is perfectly possible for you to create your own image, without following the Installation Guide. However, you should be aware that this will be unsupported. Your VM may work, but if there is an problem with it, Engineering will ask that any software not mentioned in the installation guide is removed before troubleshooting. Similarly, some customers prefer to use a COE machine image. This is completely unsupportable by McAfee Support due to the fact that there are so many configurations and options which could be changed in such an image (e.g. user policies, permissions etc.) which could interfere with the operation of the VM or the reputation verdict of the Analyser.

Creating and Customizing the VMDK

The Online Installation Guide is very clear and includes screen shots.

Version history
Revision #:
1 of 1
Last update:
‎12-20-2018 05:11 AM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community