McAfee Employee

GAM 2014.2 BETA

All, we are looking for people to test the GAM 2014.2 engine.

Details here:

This thread is the one where we would like you to discuss questions/problems.

thanks,

Michael

24 Replies
Troja
Level 14

Re: GAM 2014.2 BETA

Hi Michael,

Are there any new additional features compared to the 5700 engine in the new GAM?

The new version is up and running on our MWG in the DMZ. Let's see what happens. :-)

[image: GAMv2.jpg]

Cheers,

Thorsten

McAfee Employee

Re: GAM 2014.2 BETA

Thanks Thorsten

Just updated the blog post with "New Features".

feickholt
Level 10

Re: GAM 2014.2 BETA

Hi

The following URL http://cache-ams02.cdn.yandex.net/download.cdn.yandex.net/browser/yandex/ru/lite/Yandex.exe?browser=...

was detected as PUP or McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious.L!70 using the current engine.

The new Beta engine tells me the file is CLEAN.

Which is right?

Frank

p.s. Happy Christmas to all of you!

feickholt
Level 10

Re: GAM 2014.2 BETA

Any idea how to check files against both engines for easier comparison?

My personal idea:

Check in the proxy with the old engine.

If infected -> forward to a second proxy (add the findings to a header).

The second proxy analyses again and shows both results...

Frank

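The two-stage comparison Frank sketches above, worked through as an added example (this is not McAfee code and not part of the thread). Stage 1 scans with the old engine and, when it flags the object, forwards it to stage 2 with the finding carried in a request header; stage 2 rescans with the new engine and records both verdicts. The engines are stand-ins keyed by SHA-256, the sample "files", their verdicts and the header name `X-Old-Engine-Result` are all constructed for the example. It also shows the blind spot in forwarding only flagged objects: a file the old engine passes and the new engine catches never reaches stage 2, so a `forward_all` switch is included for a full comparison run.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Optional

HEADER = "X-Old-Engine-Result"  # assumed header name, not an MWG setting

# Constructed sample "files" so the example runs offline (none is the real Yandex binary).
SAMPLES = {
    "yandex_lite.exe": b"MZ\x90\x00" + b"A" * 64,
    "eicar.com": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "report.pdf": b"%PDF-1.4\n%constructed\n",
    "dropper.js": b"eval(unescape('%63%6f%6e%73%74%72%75%63%74%65%64'));",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stand-in engines: hash -> detection name. Verdicts are constructed to mirror the
# thread: the old engine flags yandex_lite.exe heuristically, the new one does not,
# and dropper.js is caught only by the new engine.
OLD_ENGINE = {
    sha256(SAMPLES["yandex_lite.exe"]): "Heuristic.BehavesLike.Win32.Suspicious.L!70",
    sha256(SAMPLES["eicar.com"]): "EICAR test file",
}
NEW_ENGINE = {
    sha256(SAMPLES["eicar.com"]): "EICAR test file",
    sha256(SAMPLES["dropper.js"]): "JS/Obfuscated.constructed",
}

def scan(engine: dict, data: bytes) -> Optional[str]:
    """Look the object up by hash; None means the engine calls it clean."""
    return engine.get(sha256(data))

@dataclass
class Comparison:
    name: str
    old: Optional[str]
    new: Optional[str]
    forwarded: bool

    @property
    def category(self) -> str:
        if not self.forwarded:
            return "not-forwarded"   # never reached stage 2, new verdict unknown
        if self.old and self.new:
            return "both"
        if self.old:
            return "old-only"        # FP removed, or a detection lost: needs a look
        if self.new:
            return "new-only"
        return "clean"

def stage1(data: bytes, forward_all: bool) -> Optional[dict]:
    """First proxy: scan with the old engine. Return the headers to forward with,
    or None if the object is delivered directly without a second opinion."""
    verdict = scan(OLD_ENGINE, data)
    if verdict is None and not forward_all:
        return None
    return {HEADER: verdict or "clean"}

def stage2(name: str, data: bytes, headers: dict) -> Comparison:
    """Second proxy: read the old verdict from the header, rescan with the new engine."""
    old = headers[HEADER]
    return Comparison(name, None if old == "clean" else old, scan(NEW_ENGINE, data), True)

def compare_all(samples: dict, forward_all: bool = False) -> list:
    results = []
    for name, data in samples.items():
        headers = stage1(data, forward_all)
        if headers is None:
            results.append(Comparison(name, None, None, False))
        else:
            results.append(stage2(name, data, headers))
    return results

def summarize(results) -> dict:
    """Count objects per comparison category."""
    return dict(Counter(r.category for r in results))

if __name__ == "__main__":
    for mode in (False, True):
        print("forward_all =", mode)
        for r in compare_all(SAMPLES, mode):
            print(f"  {r.name:16} old={r.old!s:45} new={r.new!s:28} {r.category}")
        print("  summary:", summarize(compare_all(SAMPLES, mode)))
```

With the default (forward only what the old engine flags) the run reports one `old-only` object, one `both`, and two `not-forwarded`; with `forward_all=True` the same corpus also surfaces the `new-only` detection, which is the number a beta tester most wants to see alongside the removed false positives.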
dstraube
Level 11

Re: GAM 2014.2 BETA

Hello Frank,

the 2014.2 engine has improved a lot when it comes to false positives, so the number of false positives that you have seen with the older engine should go down. The file you've mentioned had a detection ratio of 0/54 when checked using VirusTotal, so it was a false positive and the file is not infected.

Regards,

Dirk

Troja
Level 14

Re: GAM 2014.2 BETA

Hmmm,

Hi all, I did some testing with the file and wrote down some explanations as well (I'm a detail freak *g*).

1) yandex.exe

The file itself seems to be clean. Sandbox systems also show no problem, and virustotal.com shows the file is clean.

But when analyzing with ATD (executing the file), the result shows connections to a site which is categorized as Risk/Fraud/Crime.

[image: yandex_browser.jpg]

There is also content downloaded from the internet. The files are stored in the user profile and the whole directory is 380MB in size. :-)

ATD detects several malicious activities.

My conclusion:

GAM works fine as expected, because MWG never executes a file, and a false positive is removed with the new GAM version. The "malicious behavior" starts if the file is executed on the endpoint. There are 467 files stored on disk.

TIE/DXL will close this gap, because the whole behavior will be analyzed with all involved files.

2) Files in the user profile directory

Did some behavior-based analysis with the files stored in the user profile directory. No system detected malicious behavior with the samples I uploaded.

Final conclusion:

This means, if you ask the question "is this file okay or not", you will detect much well-known malware and much zero-day malware with GAM. But with this approach you will not detect sophisticated threats. :-)

Cheers,

Thorsten

Troja
Level 14

Re: GAM 2014.2 BETA

Thanks Michael for the info,

Improved Down-Selection Support for Windows Executables

Does this mean ATD integration with "Data Trickling" or "Offline Scanning"?

Installed this:

- GAM heuristics higher than 30%: trickling page occurs

- GAM heuristics lower than 30%: supported file is sent to ATD with offline scanning.

Btw, waiting with pleasant anticipation for DXL integration. :-)

Cheers,

Thorsten

McAfee Employee

Re: GAM 2014.2 BETA

Hi Thorsten, happy new year first.

So, that improved down-selection means that GAM is now taking other vectors into consideration and enables a better 'grey' detection, so that you will get more 60-90 ratings as opposed to 0 and 100 as previously.

Michael

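The routing policy Thorsten describes (hold the download behind a trickling page and wait for ATD when GAM's heuristic score is above 30%, otherwise deliver the file and let ATD analyse it offline) together with Michael's point about graded 60-90 scores, as an added example that is neither MWG rule syntax nor McAfee code. The function names, the 30% boundary, the "supported file" check (a minimal PE header test; assumed to be what down-selection for Windows executables keys on) and the two sample score sets are constructed here. The score sets are the point: with an engine that only answers 0 or 100 the threshold never selects anything for the sandbox, while graded scores fill the hold lane.

```python
import struct
from collections import Counter

HOLD_THRESHOLD = 30   # percent; Thorsten's figure, assumed as the boundary

def is_windows_executable(data: bytes) -> bool:
    """PE check: 'MZ' DOS header, e_lfanew at offset 0x3c, 'PE\\0\\0' signature there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def route(score: int, data: bytes, known_malware: bool = False) -> str:
    """Decide what the proxy does with one object.
    Returns 'block', 'hold-sandbox', 'deliver-offline-sandbox' or 'deliver'."""
    if known_malware or score >= 100:   # a signature hit needs no sandbox
        return "block"
    if not is_windows_executable(data):
        return "deliver"                # only supported types go to ATD (assumed: PE only)
    if score > HOLD_THRESHOLD:
        return "hold-sandbox"           # trickling page, wait for the ATD verdict
    return "deliver-offline-sandbox"    # user gets the file, ATD analyses in the background

def make_pe(payload: bytes = b"") -> bytes:
    """Construct a minimal buffer that passes the PE check (not a runnable binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + payload

def lane_mix(scores, data: bytes) -> dict:
    """How many objects with the given scores land in each lane."""
    return dict(Counter(route(s, data) for s in scores))

# Constructed score sets: the old engine mostly answered 0 or 100, the new one grades.
OLD_STYLE_SCORES = [0, 0, 0, 100, 0, 100, 0, 0]
NEW_STYLE_SCORES = [0, 15, 65, 80, 90, 10, 70, 100]

if __name__ == "__main__":
    pe = make_pe(b"constructed")
    print("0/100 engine:", lane_mix(OLD_STYLE_SCORES, pe))
    print("graded engine:", lane_mix(NEW_STYLE_SCORES, pe))
    print("non-PE at 80%:", route(80, b"%PDF-1.4\n"))
```

Worth checking on a real deployment: an object the engine rates in the grey band but that is not a supported type falls through to plain delivery here, so the type check, not the score, is what decides whether ATD ever sees it.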
Troja
Level 14

Re: GAM 2014.2 BETA

Updated every proxy to the new GAM (while listening to the Vienna Philharmonic Orchestra - New Year's Concert)... :-)
