In your comment here, you asked the following: https://community.mcafee.com/docs/DOC-9375#comment-27670
just a question :-)
How this can be handled if we have a complex Ruleset for Customers e.g. mwg is used by a service provider.
Customer A: Cloud Threat Detection (waiting for result)
Customer B: Uses Cloud Threat Detection with immediate File availability
Customer C: Uses the ATD Appliance with Data Trickling
Customer D: Some users/groups using ATD Appliance with Data Trickling, some users/groups are using ATD with immediate file availability.
Customer E: Uses ATD Appliance with Datatrickling.
Is this possible??
How are you differentiating between the customers? Is it a combination of different things?
I ask because I'm working on a ruleset to accomplish what you're asking for. So I want to accommodate your needs.
let me explain in some more detail. 🙂
There are 30 Webgateways in a Cluster Environment. Customer A to E are hosted by one Service Provider. The Service Provider manages the whole MWG Cluster Environment. The customers A to E are separated by the Proxy port in the MWG ruleset. There are virtual appliances available for the central Management (high availability Management). All MWGs are connected to a DXL fabric. One ATD-6000 Appliance and 8 EPO Servers are connected to this DXL fabric.
Now, Customer A to E are using one MWG Environment where every Customer has an assigned Proxy port.
Based on the contract between the Service Provider and the customer different ATD Services (ATD, CTD and so on) should be available. Additional, based on User/Group different ATD usage should be configureable e.g. Trickling during download or offload scanning. This should also be possible based on Content type. When downloading Composite Objects a trickling page should be shown, when downloading a PE offline scanning should be available.
Hope this is better to understand. 🙂
Online scan (waiting for the result with or without data trickling) is not a problem at all. The tricky part would be offline scan for customers B and D. I would suggest to add a group "CustomerB" or "CustomerD" to the list of user groups before calling property Antimalware.MATD.InitBackgroundScan to differentiate between customers later, when condition Antimalware.MATD.IsBackgroundScan becomes true. You can also (mis)use the following properties to identify customers when handling background scan request: client ip, authentication.isauthenticated, authentication method, realm and user name.
I have the ruleset created, see attached. There is three rulesets over all.
1) Add ATD/CTD Groups
2) Advanced Threats (ATD/CTD)
3) Handle Offline Scanning (ATD/CTD)
The only ruleset you should have to touch is 1), 2) goes at the bottom below GAM, and 3) goes at the top.
For 1) we are appending special groups to the transaction. You define the criteria for which this special group gets added (based on location, customer, etc...).
For 2) I added options to for inline or offline scanning for documents and executable's like you mentioned.
For 3) I added in a TIE reputations publishing for CTD convictions, I still need to tweak this a bit.
The presence of these added groups dictates how the transaction will be scanned (using CTD-inline, CTD-offline, ATD-inline, ATD-offline). As mentioned by Andrej, CTD inline is only possible in the cloud, so the rules also adjust for this.
Let me know if you have any suggestions or problems. To reiterate, everything is dictated mostly by the groups.
lools pretty nice! 🙂
I will check this in the next time. Let´s so how this works in my environment.
Just a question, in your screenshot i see a Rule called "Handle Offline Scanning for ATD/CTD". I have not found such a Ruleset in my MWG Ruleset library. Where i can find it?
All rulesets should have been included in the export I attached.
In any case I've made a little more progress in cleaning up the rules.
The rules I uploaded use "simplified view" its meant to hide the complexity of the rules.
If you find that you need to unlock them (either for understanding or customization), please let me know how I might be able to make it easier to understand.
One debugging feature I built into the rules is the ability to change the scanning profile based on URL parameters:
hxxp://malwarehost.tld/testsample-80b.exe?ctdinline&mwgthreattesting // Results in an inline CTD scan
hxxp://malwarehost.tld/testsample-80b.exe?ctdoffline&mwgthreattesting // Results in an offline CTD scan
hxxp://malwarehost.tld/testsample-80b.exe?atdoffline&mwgthreattesting // Results in an offline ATD scan
hxxp://malwarehost.tld/testsample-80b.exe?atdinline&mwgthreattesting // Results in an inline ATD scan
The URL parameter "mwgthreattesting" will have the MWG block the file regardless of the ATD/CTD conviction. This is useful if you're testing with a known bad sample and dont want it to reach your test endpoint.
Also built into the rules is a "demo hashes" list, where you can add in hashes to force a check against CTD, because by default CTD only checks unknown files. Adding a hash to the list forces MWG to check against CTD.
okay, so i will try....
Regarding the "simplified view". Can i build such a rule for my own? I designed a complex ruleset to integrate MWG into TIE/DXL. A simplified view would be great, also if there is an editor available for this. 🙂