lpp
Level 9
Message 1 of 3

Antimalware.MATD.GetReport possible usage


In WebGateway 7.4, amongst the properties available to build a rule criteria, Antimalware.MATD.GetReport apparently doesn't seem to be very effective.

Actually, within a Web Gateway - Advanced Threat Defence integration one would think that through this property a query to existing results (including the blacklist) on the ATD would be possible. But then how to use these results?

How can MWG query ATD to check a file hash against previous analysis, without submitting the entire file? Antimalware.MATD.GetReport seems to be the proper way to proceed, but then in case a report is available and downloaded, how to get its result?

2 Solutions

Accepted Solutions
amart
Level 9
Message 2 of 3

Re: Antimalware.MATD.GetReport possible usage


The Antimalware.MATD.GetReport property returns true and sets other properties of the AV family, like Antimalware.Infected and Antimalware.MATD.Report, if it was able to download an existing report for the current body.

Rule 1: check if a recent report can be downloaded
  condition: Antimalware.MATD.GetReport<atd config> equals false
  action: stop rule set

Rule 2: evaluate results. Here cached values are used
  condition: Antimalware.MATD.Probability greater than 0
  action: block

lpp
Level 9
Message 3 of 3

Re: Antimalware.MATD.GetReport possible usage


Andrej, you are perfectly right.

These properties work well together, although the results are obtained from Web Gateway's cache only, without actually querying the ATD appliance for its archive.

Thank you and best regards.
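As an added example (not code from the original posts and not Web Gateway code), the Python model below walks through the two rules in the accepted answer against a constructed report cache keyed by file hash, which also reflects the follow-up's point that only Web Gateway's own cache is consulted and the ATD archive is never queried. The property names are the ones in the posts; the Context class, the cache layout, the sample bodies, the "stop rule set" semantics and the assumption that an unset probability reads as 0 are hypothetical.

```python
"""Model of the two-rule set from the accepted answer (added example, not
Web Gateway code). Property names follow the posts; the evaluator, the
cache layout and the sample bodies are hypothetical."""
import hashlib
from dataclasses import dataclass, field

# Rule actions used by the model. Assumption: "stop rule set" ends only
# the current rule set, so later rule sets (e.g. one that submits the
# file) still run.
STOP_RULE_SET = "stop rule set"
BLOCK = "block"

# Outcomes returned by evaluate(); BLOCK doubles as the third outcome.
NO_REPORT = "no-report"   # rule 1 fired: nothing cached for this body
ALLOW = "allow"           # cached report found, probability 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the reports Web Gateway has cached from earlier
# ATD analyses, keyed by the SHA-256 of the file body.
SAMPLE_CACHE = {
    sha256_hex(b"MZ\x90\x00 known-bad-sample"): {"probability": 85},
    sha256_hex(b"%PDF-1.4 benign-invoice"): {"probability": 0},
}


@dataclass
class Context:
    body: bytes
    cache: dict
    props: dict = field(default_factory=dict)

    def matd_get_report(self) -> bool:
        """Antimalware.MATD.GetReport as the answer describes it: True, with
        the report properties set, only if a report exists for the current
        body; otherwise False and nothing is set. Only the local cache is
        consulted, matching the follow-up note."""
        entry = self.cache.get(sha256_hex(self.body))
        if entry is None:
            return False
        self.props["Antimalware.MATD.Probability"] = entry["probability"]
        self.props["Antimalware.Infected"] = entry["probability"] > 0
        return True

    def matd_probability(self) -> int:
        # Assumption of this model: an unset probability reads as 0.
        return self.props.get("Antimalware.MATD.Probability", 0)


# (name, condition, action) in the order the answer gives them.
RULE_SET = [
    ("check if a recent report can be downloaded",
     lambda ctx: ctx.matd_get_report() is False, STOP_RULE_SET),
    ("evaluate results from cached values",
     lambda ctx: ctx.matd_probability() > 0, BLOCK),
]


def evaluate(body: bytes, cache: dict = SAMPLE_CACHE) -> str:
    """Run the rule set top to bottom and return the outcome."""
    ctx = Context(body, cache)
    for _name, condition, action in RULE_SET:
        if not condition(ctx):
            continue
        if action == STOP_RULE_SET:
            return NO_REPORT
        if action == BLOCK:
            return BLOCK
    return ALLOW


if __name__ == "__main__":
    for sample in (b"MZ\x90\x00 known-bad-sample",
                   b"%PDF-1.4 benign-invoice",
                   b"never-analysed-download"):
        print(sample[:12], "->", evaluate(sample))
```

The order matters: rule 1's stop is what keeps rule 2 from deciding on properties that GetReport never populated, and an unseen body leaves this rule set without a verdict so that whatever rule set follows can submit it for analysis.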

