Message 1 of 4

ATP without sandbox?

What is the experience of companies that have implemented ENS with ATP but without any sandbox solution in place? Let's assume a company has implemented ENS and TIE and now, as the next step, is going to implement full ATP power (DAC and RP switched ON) to take control of unknown files.

Does it work? Or can the amount of unknown files never be taken under reasonable control without complementing ATP with a sandbox (ATD)?

rgds

Taavi 

3 Replies
Message 2 of 4

Re: ATP without sandbox?

You are confused between ATP & ATD.

ATP is Adaptive Threat Protection.

ATD is sandbox technology.

ATP in ENS is similar functionality to the TIE Module for VSE.

Message 3 of 4

Re: ATP without sandbox?

Hi, thanks for the reply. I'm not confused, I know those technologies and abbreviations very well. I have 5 years' experience with McAfee products.
Let me put my question differently:
ATP modules work together and try to determine whether an unknown file is bad or good by doing different analyses, calculating a final reputation and taking action accordingly. All those analyses are done locally and in the McAfee cloud. This is not optimal, because the central reputation repository TIE is not complemented with the analysis results from the endpoint, so every endpoint works separately and might do the same work, with similar results, as hundreds of other endpoints in the enterprise. And the probability of getting false positives is quite high if we set Unknown files to be blocked.

This is the idea of this discussion. Running ATP but not using a sandbox next to it - is such a setup optimal enough to implement?

rgds
T

Message 4 of 4

Re: ATP without sandbox?

It is actually much more complicated than that on the back end.

There are two reputations involved, file reputation and process reputation. File reputation is what you see in TIE. There are various reputation sources, including GTI and ATD, but ultimately Enterprise reputation trumps, though. By default, ATD good reputations don't change an unknown, but you can change this I believe.

The reason reputation is computed locally is because of modules. Let's say that an attack performs a DLL side-loading attack. In this case an otherwise good process is now compromised. So in this case the file reputation of the process is changed on the fly by computing a process reputation of unknown due to the untrusted module.

Now, all this being said, that doesn't automatically mean a process is contained. You can have MANY untrusted processes that McAfee won't touch, because there are numerous rules that impact what is and isn't touched, such as, for example, prevalence in the environment. These are JTI rules that you can adjust. In this case, there is general process containment that comes into play, but also DAC rules, which you select whether to enable or disable.
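To make the precedence described in this reply concrete, here is an added illustrative model (not McAfee's code, and not the thread author's) of the three decisions it walks through: how a file reputation is resolved from GTI, ATD and Enterprise sources, how a loaded untrusted module pulls a good process down to unknown, and how prevalence and the DAC switch gate containment. Source names, the `atd_good_overrides_unknown` option and the prevalence threshold are assumptions for the model.

```python
# Hypothetical, simplified model of the reputation logic described above.
# Not McAfee's implementation; thresholds and source names are assumed.
from enum import IntEnum


class Rep(IntEnum):
    UNTRUSTED = 0
    UNKNOWN = 1
    GOOD = 2


def file_reputation(sources, atd_good_overrides_unknown=False):
    """Resolve a file reputation from per-source verdicts.

    sources: dict of source name -> Rep, e.g. {"GTI": Rep.UNKNOWN, "ATD": Rep.GOOD}.
    An Enterprise (admin-set, seen in TIE) reputation wins outright. Otherwise GTI
    is the baseline; an ATD 'untrusted' always lowers it, while an ATD 'good'
    only lifts an UNKNOWN when the optional override is switched on (the reply
    says ATD good verdicts do not change an unknown by default).
    """
    if "Enterprise" in sources:
        return sources["Enterprise"]
    rep = sources.get("GTI", Rep.UNKNOWN)
    atd = sources.get("ATD")
    if atd == Rep.UNTRUSTED:
        rep = Rep.UNTRUSTED
    elif atd == Rep.GOOD and rep == Rep.UNKNOWN and atd_good_overrides_unknown:
        rep = Rep.GOOD
    return rep


def process_reputation(exe_rep, module_reps):
    """Process reputation is computed locally from the loaded modules: a good
    executable that has loaded an untrusted DLL (side-loading) is re-rated
    UNKNOWN on the fly; an already unknown/untrusted exe keeps its own rating."""
    if any(m == Rep.UNTRUSTED for m in module_reps):
        return min(exe_rep, Rep.UNKNOWN)
    return exe_rep


def should_contain(proc_rep, prevalence, prevalence_threshold, dac_enabled):
    """A non-good process is not automatically contained: DAC must be enabled
    and an adjustable prevalence rule leaves widely-seen processes alone."""
    if not dac_enabled or proc_rep == Rep.GOOD:
        return False
    if prevalence >= prevalence_threshold:  # common in the estate -> not touched
        return False
    return True
```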
