lpp
Message 1 of 3

Antimalware.MATD.GetReport possible usage


In WebGateway 7.4, amongst the properties available to build a rule criteria, Antimalware.MATD.GetReport apparently doesn't seem to be very effective.

Actually, within a Web Gateway - Advanced Threat Defence integration one would think that through this property a query to existing results (including blacklist) on the ATD would be possible. But then how to use these results?

How can MWG query ATD to check for a file hash against previous analysis, without submitting the entire file? Antimalware.MATD.GetReport seems to be the proper way to proceed, but then in case a report is available and downloaded, how to get its result?

2 Solutions

Accepted Solutions
amart
Message 2 of 3

Re: Antimalware.MATD.GetReport possible usage


The Antimalware.MATD.GetReport property returns true and sets other properties of the AV family, such as Antimalware.Infected and Antimalware.MATD.Report, if it was able to download an existing report for the current body.

rule 1: check if a recent report can be downloaded

condition: Antimalware.MATD.GetReport<atd config> equals false

action: stop rule set

rule 2: evaluate results. Here cached values are used

condition: Antimalware.MATD.Probability greater than 0

action: block


lpp
Message 3 of 3

Re: Antimalware.MATD.GetReport possible usage


Andrej, you are perfectly right.

These properties work well together, although the results are obtained from Web Gateway's cache only, without actually querying the ATD appliance for its archive.

Thank you and best regards.
