Choosing Between MAR, TIE and ATD


Hello,

We are trying to understand which product(s) our organization will need for very specific use cases, and since McAfee has a lot of products to offer, we are not sure which one will serve our purpose, so I thought I'd reach out to the forums hoping anyone can direct us on what exactly we should purchase.

We already have ENS with ATP, DXL and DLP - all managed with ePO (McAfee Endpoint Protection - Advanced Suite)

I think that, for the purpose of this 'planning' it would also be important to say that our environment is air gapped (no internet/external connection) so we cannot connect to any cloud service/external websites or make a proxy to such connection.

Okay - So, to the point.

Our Security + Cyber Research Team recently started sending us Excel tables containing file hashes of malicious files and YARA rules and told us to block them (for future detection), while also scanning every client (that is managed with ePO) for any findings of those file hashes (MD5, SHA1, SHA256) and YARA rules.

After some research and googling I have found that doing so will not be possible on our current product(s) and that we will need to purchase these "extensions" in order to comply with their request.

I am just unsure on what we should get for our environment. What we need is the ability to scan for file hashes and look for detections based on YARA rules against a managed client at any given time, and to block file hashes and detections based on YARA rules for any future 'detection'.

I was faced with three products:

1. McAfee Threat Intelligence Exchange

2. McAfee Active Response (Requires McAfee TIE, and an Internet Connection in order to work[?])

3. McAfee Advanced Threat Defense (That can Integrate with TIE and MAR [unsure what for])

Our Security Team started sending us file hashes periodically and they started to pile up so we have to resolve this ASAP.

I appreciate any help on this,

Thanks a lot! 


6 Replies

Re: Choosing Between MAR, TIE and ATD


Bumping Thread and tagging people so we could maybe get a quicker response..

@Pravas  , @bbarnes  , @AdithyanT   Please Help us on this!

P.S.: We know about the Access Protection rule + Exploit Prevention expert rules to block file hashes, but the problem is that while running a scan they are not being detected as "malicious"; it only blocked these specific file hashes from running.

bbarnes
McAfee Employee
Message 3 of 7

Re: Choosing Between MAR, TIE and ATD

Hello RainingClouds, 

I am afraid I personally may not be able to answer all your questions but I can provide a bit of clarity that might help to move things forward. Threat Intelligence Exchange in combination with ENS+ATP can provide hash level reputation management and be configured to block/clean/delete executables based on those lists of "Bad Hashes" that you are mentioning. The product also can leverage GTI (cloud intelligence) for that same style of information but it would require an internet connection to do so. With no internet connection all reputation management would need to be done by someone local. With the implementation of an OpenDXL client and a bit of python you could even automate the ingestion of the hash lists into the TIE database.

Advanced Threat Defense is something customers often add on to this solution and it brings in the ability to sandbox unknown executables to further analyze behavior and assign reputations for files and can be configured to cover the gap for new malware that may not yet be in GTI. 

Detection of an executable launch attempt of one of these bad hashes would result in a detection and event being generated that a detection and clean/block was done. 

However, none of these solutions would scan entire drives to do hash comparison and would only evaluate them on execution. 
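Brian's remark about automating the ingestion of the hash lists into TIE with an OpenDXL client and a bit of Python, as an added example that is not part of the original thread or McAfee's own code: it parses a constructed CSV export of the research team's sheet (filename plus MD5/SHA1/SHA256 columns, an assumed layout) and publishes each file to TIE as Known Malicious through the dxltieclient library. The sample rows, the CSV layout and the path to a provisioned dxlclient.config are assumptions.

```python
"""Parse a CSV export of the research team's hash sheet and publish each
file to TIE as Known Malicious over OpenDXL (added example, not McAfee code)."""
import csv
import io
import re

# Hex length -> hash type name; matches the values of dxltieclient.constants.HashType
HEX_LEN_TO_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed sample in the assumed 'filename,hash' layout; the MD5 is the one
# quoted later in the thread, the other rows are made-up values.
SAMPLE_CSV = """filename,hash
dropper.exe,66BD00E43FF8B932C14140472C4B8CC6
dropper.exe,0123456789abcdef0123456789abcdef01234567
payload.bin,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
bad.dll,ZZZZ
"""

def parse_hash_sheet(csv_text):
    """Return ({filename: {"md5"|"sha1"|"sha256": hex}}, [rejected rows]).
    Malformed hashes are reported, not silently dropped, so the sheet can be sent back."""
    good, rejected = {}, []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or row[0].strip().lower() == "filename":
            continue  # blank line or header row
        name, digest = row[0].strip(), row[1].strip().lower()
        htype = HEX_LEN_TO_TYPE.get(len(digest))
        if htype is None or not HEX_RE.match(digest):
            rejected.append((name, digest))
            continue
        good.setdefault(name, {})[htype] = digest
    return good, rejected

def push_to_tie(entries, config_path, comment="Imported from research team list"):
    """Set Known Malicious reputation for every entry on the local TIE server via the
    on-premises DXL broker (no internet needed). Requires dxlclient and dxltieclient;
    imports are local so parse_hash_sheet() works without the broker."""
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxltieclient import TieClient
    from dxltieclient.constants import HashType, TrustLevel
    type_map = {"md5": HashType.MD5, "sha1": HashType.SHA1, "sha256": HashType.SHA256}
    with DxlClient(DxlClientConfig.create_dxl_config_from_file(config_path)) as client:
        client.connect()
        tie = TieClient(client)
        for filename, hashes in entries.items():
            tie.set_file_reputation(TrustLevel.KNOWN_MALICIOUS,
                                    {type_map[t]: h for t, h in hashes.items()},
                                    filename=filename, comment=comment)
    return len(entries)
```

Run `push_to_tie(parse_hash_sheet(open("list.csv").read())[0], "dxlclient.config")` from a host with a provisioned DXL client; rows returned in the rejected list should be fixed in the sheet before anything is published.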


bbarnes
McAfee Employee
Message 4 of 7

Re: Choosing Between MAR, TIE and ATD

As for MAR (Active Response), the newer version of this is EDR. It would also require at least an ePO/DXL > Internet connection to operate correctly. It can build up a database of files and their hashes on clients that can be searched against. Through metadata on the files or the hashes themselves. However, this would be more a job to be executed by an administrator rather than a continuously monitored list.

I hope this information helps


Thanks,

Brian Barnes

Re: Choosing Between MAR, TIE and ATD


I understand @bbarnes , Thanks for the great explanation! 

A few more questions before we finally go on and decide what to get:

1. After adding a file hash, for example an MD5 hash that we add to the TIE reputation database and mark as "Known Malicious" (for example, the hash is '66bd00e43ff8b932c14140472c4b8cc6'), let's say that we have a client PC named "Customer01.domain.local" (FQDN) and it has this exact file residing somewhere on its drives; if we initiate a scan on the Customer01 PC from ePO, would it detect the file as malicious after we marked it in TIE reputation as malicious (even if it was never executed)?

2. For MAR, can we still implement it without any internet connection and just use its query features to scan machines? We cannot connect to the cloud since an internet connection is not available to us at all; it is an air-gapped (secured) environment.

I believe that is all I have left to ask,

Thank You!

bbarnes
McAfee Employee
Message 6 of 7

Re: Choosing Between MAR, TIE and ATD

Hello, 

To answer question 1, no. ENS ATP is the module that assesses processes for reputation against TIE. This module only assesses processes (launched executables). Reputation-based evaluation of hashes in this case would only work when the process was executed. Scanning through, say, an On-Demand Scan task would leverage the existing DAT-based scanning methods but would not leverage reputation data.

For question 2, per the product design, internet connectivity is a prerequisite. I am afraid that without getting intimately familiar with your environment and specific goals, I could not recommend MAR at this time.

I would recommend reaching out to sales on the topic, where perhaps a more involved conversation could take place. There may be an opportunity there, but it would possibly require some custom work.


Thanks

Brian

Re: Choosing Between MAR, TIE and ATD


Alright Brian, I understand.

Now that we know (much) better, we can be more confident about what to do and what we should get.

Thanks for clarifying everything!
