McAfee ATD and ATP Real Protect - duplicate functionality?


Hello community,

If I have Advanced Threat Defense enabled in the environment, does it still make sense to have the ENS ATP Real Protect function enabled as well? What is the difference in functionality between those tools? It is my understanding that both tools protect against zero-day malware, one with sandboxing and the other with machine learning. I noticed some performance problems with ENS ATP 10.6.1 and am wondering if I could disable ATP Real Protect without a major reduction in protection, to improve performance. I assume that even with ATP Real Protect disabled the environment will be sufficiently protected with the ATP Sandboxing in place. Does anyone here have experience with this?

Accepted Solutions
McAfee Employee akatt
Message 4 of 6

Re: McAfee ATD and ATP Real Protect - duplicate functionality?

Q:  If I have Advanced Threat Defense enabled in the environment, does it still make sense to have the ENS ATP Real Protect function enabled as well?

A:  Yes, because ATP would be the last line of defense for 0-day malware, provided that the reputation sources (like ATD) do not return enough information for action to be taken.  Real Protect Static and Real Protect Dynamic, along with the Dynamic Application Containment, would then be the last checks for hopefully containing and producing detection.

 

Q:  What is the difference in the functionality between those tools?

A:   I can see a benefit of ATD being that ATD sandboxing is much less costly from a resource perspective, as opposed to say 100 endpoints all using ATP/DAC to analyze/contain the same unknown threat at the same time.  ATD is essentially going to be another reputation provider, and when necessary, we can execute a sample locally on the ATD server in order to obtain more information.  If we had a sample we were curious about, but that sample wasn't actually introduced into the environment, yet, we could use ATD to try and establish a better reputation, without executing the sample locally on a system using ATP.  Then, if the sample was executed on an endpoint, we would expect the established ATD reputation to be part of the overall reputation provided by the TIE server (if the TIE lookup is performed), which may mean that action is taken prior to the Real-Protection Dynamic engine even being asked to perform work, and thereby preventing the DAC submission (essentially a more speedy determination).  The Real-Protect Static engine also provides a rule set for known behaviors to easily determine if something is absolutely trusted, or absolutely dirty, and that check is performed prior to any TIE lookup that could occur.  Since the overall reputation and action is always determined by the product on the endpoint, ATP is using all available reputation providers (ATD being one of them), along with its own static rules and machine learning techniques, to make the final determination.


Q:  If the Real Protect function is a mini version of ATD, what is the point of keeping it on if the bigger version (ATD) is already in place?

A:  Real-Protection Dynamic, along with DAC, has the ability to take action on something that receives an unknown reputation from all providers, which may or may not include ATD reputation.

 

Q:  Does Real Protect provide us with some additional functionality that ATD doesn't? Can you provide a comparison of the technical functions of both elements?

A:  DAC comes to mind, in that if the final reputation for all sources returns "unknown," then ATP running on the endpoint can successfully contain the threat until a final reputation is aggregated and combined from all sources, including GTI.  Another item to consider, is that without ATP, there cannot be a TIE lookup which can then make use of something submitted to ATD, since it is ATP that will perform the TIE lookup.  Without ATP, ENS Threat Prevention is simply making use of available DAT content, along with standard GTI lookups, provided that the endpoint can successfully query the GTI servers.

 


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
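To make the ordering in the reply above concrete (Real Protect Static rules first, then the TIE lookup that aggregates provider reputations including ATD, then Real Protect Dynamic and DAC for anything still "unknown"), here is a small model added for illustration. It is not McAfee code; the stage names, the aggregation policy and the sample inputs are assumptions.

```python
# Constructed model of the decision order described in the reply above.
# Not McAfee code: stage names, aggregation policy and inputs are assumptions.
from dataclasses import dataclass
from enum import Enum

class Rep(Enum):
    TRUSTED = "trusted"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"

@dataclass
class Sample:
    name: str
    static_verdict: Rep   # what the Real Protect Static rule set concludes pre-execution
    provider_reps: dict   # reputations a TIE lookup would return, keyed by provider name

def aggregate_tie(provider_reps):
    """Assumed TIE combination policy: any malicious verdict wins, then trusted, else unknown."""
    values = set(provider_reps.values())
    if Rep.MALICIOUS in values:
        return Rep.MALICIOUS
    return Rep.TRUSTED if Rep.TRUSTED in values else Rep.UNKNOWN

def decide(sample, atp_enabled=True, atd_enabled=True):
    """Return (action, stage) for a sample, following the order the thread describes."""
    if not atp_enabled:
        # No ATP means no TIE lookup, so ATD's verdict is never consulted:
        # only DAT content and a plain GTI lookup remain.
        gti = sample.provider_reps.get("GTI", Rep.UNKNOWN)
        return ("block", "DAT/GTI") if gti is Rep.MALICIOUS else ("allow", "DAT/GTI")
    if sample.static_verdict is not Rep.UNKNOWN:
        # Real Protect Static settles absolutely-trusted/absolutely-dirty cases before any TIE lookup
        action = "block" if sample.static_verdict is Rep.MALICIOUS else "allow"
        return (action, "RealProtect-Static")
    reps = dict(sample.provider_reps)
    if not atd_enabled:
        reps.pop("ATD", None)   # ATD is just one more reputation provider behind TIE
    tie = aggregate_tie(reps)
    if tie is Rep.MALICIOUS:
        return ("block", "TIE")
    if tie is Rep.TRUSTED:
        return ("allow", "TIE")
    # Unknown everywhere: Real Protect Dynamic and DAC contain the process while
    # a final reputation is still being aggregated (this is what disabling ATP loses).
    return ("contain", "RealProtect-Dynamic/DAC")

# Constructed sample: unknown to the static rules and to GTI, but ATD has already sandboxed it.
UNKNOWN_DROPPER = Sample("dropper.exe", Rep.UNKNOWN, {"GTI": Rep.UNKNOWN, "ATD": Rep.MALICIOUS})
```

Running `decide(UNKNOWN_DROPPER)` with ATP on gives a block at the TIE stage, with ATD off it falls through to DAC containment, and with ATP off the ATD verdict is never seen at all.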


Reliable Contributor Daveb3d
Message 5 of 6

Re: McAfee ATD and ATP Real Protect - duplicate functionality?

Just to add to this, Real Protect isn't really a mini-ATD.  They are different engines, different models, etc.  So you are not getting duplication.  RP runs a static analysis very quickly pre-execution, and if it triggers something it blocks outright.  RP cloud sends an ETL trace into the cloud for a comparative analysis.  This will detect within several seconds of triggering.

ATD's engine is distinct.  The file has to be sent to it, analyzed and the results returned to TIE.  It is going to be slower in getting results. 

One might detect things the other wouldn't, given the different models used.  So considering all of this, I would run both, along with DAC, and enable key Exploit Rules that are disabled by default in the event they both miss!

Hopefully this helps.

5 Replies
McAfee Employee chealey
Message 2 of 6

Re: McAfee ATD and ATP Real Protect - duplicate functionality?

Hi - from a security perspective it is absolutely worth having ATP and ATD. The Real Protect function is a mini version of ATD in some respects but is nowhere near as powerful as ATD.

ATD is an appliance which not only performs an in-depth analysis of files, but also allows you to pull reports and critical information for further investigation. It helps you convert threat information into immediate action and protection on the endpoints.

Re: McAfee ATD and ATP Real Protect - duplicate functionality?

Alright, but going back to the original question: if the Real Protect function is a mini version of ATD, what is the point of keeping it on if the bigger version (ATD) is already in place? Does Real Protect provide us with some additional functionality that ATD doesn't? Can you provide a comparison of the technical functions of both elements?

Reliable Contributor SWISS
Message 6 of 6

Re: McAfee ATD and ATP Real Protect - duplicate functionality?

We have some customers with FULL ATD Sandbox and TIE (ATP).

You mentioned: "I noticed some performance problems with the ENS ATP 10.6.1". With ten years of debugging experience in McAfee discussions I can almost say it's not McAfee which makes it slow. The McAfee module forces and highlights something that is wrong and multiplies it. OR it's a bug and they will release a fix with an update. Even after stopping services or after a reboot these effects can have an impact.

We had a case where a certificate expiration check triggered a CHAIN of LOOKUPS in the cert store of each client when touched (McAfee was the last one who did so: IT'S MCAFEE!!!). This effect never appeared after a reboot because Windows began to work through those certs McAfee touched.

Some thoughts:
* Certificate Revocation List for CODE SIGNING in an isolated VLAN (delay) > like in an Exchange Rollup with no Internet 😉
* WRONG usage of HIGH/LOW level process risk. Use their tool or PROCEXP.exe to find your heavy and secure processes and exclude those IF possible, and not a subprocess of something.

Leave BOTH on. It's all in, like in a poker game against ransomware. If it's slow then it's slow.
Search for the REAL problem wherever it lies, but keep McAfee all on and customized.
That also means the IP Exploit filter for PowerShell and fileless ON and active.

Greetings from Switzerland

Regards
Mike