McAfee Employee

Using ATD and CTD in the same environment

Hey,

In your comment here, you asked the following: https://community.mcafee.com/docs/DOC-9375#comment-27670

Hello,

just a question :-)

How can this be handled if we have a complex ruleset for customers, e.g. MWG is used by a service provider?

Customer A: Cloud Threat Detection (waiting for result)

Customer B: Uses Cloud Threat Detection with immediate File availability

Customer C: Uses the ATD Appliance with Data Trickling

Customer D: Some users/groups using ATD Appliance with Data Trickling, some users/groups are using ATD with immediate file availability.

Customer E: Uses ATD Appliance with Data Trickling.

Is this possible??

Cheers

How are you differentiating between the customers? Is it a combination of different things?

I ask because I'm working on a ruleset to accomplish what you're asking for. So I want to accommodate your needs.

Best Regards,

Jon

11 Replies
Troja
Level 14

Re: Using ATD and CTD in the same environment

Hello Jon,

let me explain in some more detail. :-)

There are 30 Webgateways in a Cluster Environment. Customer A to E are hosted by one Service Provider. The Service Provider manages the whole MWG Cluster Environment. The customers A to E are separated by the Proxy port in the MWG ruleset. There are virtual appliances available for the central Management (high availability Management). All MWGs are connected to a DXL fabric. One ATD-6000 Appliance and 8 EPO Servers are connected to this DXL fabric.

Now, Customer A to E are using one MWG Environment where every Customer has an assigned Proxy port.

Based on the contract between the Service Provider and the customer, different ATD services (ATD, CTD and so on) should be available. Additionally, based on user/group, different ATD usage should be configurable, e.g. trickling during download or offload scanning. This should also be possible based on content type: when downloading composite objects a trickling page should be shown, when downloading a PE offline scanning should be available.

Hope this is better to understand. :-)

Best Regards,

Thorsten

0 Kudos
amart
Level 9

Re: Using ATD and CTD in the same environment

Online scan (waiting for the result with or without data trickling) is not a problem at all. The tricky part would be offline scan for customers B and D. I would suggest to add a group "CustomerB" or "CustomerD" to the list of user groups before calling property Antimalware.MATD.InitBackgroundScan to differentiate between customers later, when condition Antimalware.MATD.IsBackgroundScan becomes true. You can also (mis)use the following properties to identify customers when handling background scan request: client ip, authentication.isauthenticated, authentication method, realm and user name.

Andrej.

0 Kudos
McAfee Employee

Re: Using ATD and CTD in the same environment

Hi Thorsten,

I have the ruleset created, see attached. There are three rulesets overall.

1) Add ATD/CTD Groups

2) Advanced Threats (ATD/CTD)

3) Handle Offline Scanning (ATD/CTD)

The only ruleset you should have to touch is 1); 2) goes at the bottom below GAM, and 3) goes at the top.

For 1) we are appending special groups to the transaction. You define the criteria for which this special group gets added (based on location, customer, etc...).

For 2) I added options for inline or offline scanning for documents and executables, like you mentioned.

For 3) I added TIE reputation publishing for CTD convictions; I still need to tweak this a bit.

The presence of these added groups dictates how the transaction will be scanned (using CTD-inline, CTD-offline, ATD-inline, ATD-offline). As mentioned by Andrej, CTD inline is only possible in the cloud, so the rules also adjust for this.

Let me know if you have any suggestions or problems. To reiterate, everything is dictated mostly by the groups.

Best Regards,

Jon

Troja
Level 14

Re: Using ATD and CTD in the same environment

Hello Jon,

looks pretty nice! :-)

I will check this soon. Let's see how this works in my environment.

Just a question: in your screenshot I see a rule called "Handle Offline Scanning for ATD/CTD". I have not found such a ruleset in my MWG ruleset library. Where can I find it?

Cheers

0 Kudos
McAfee Employee

Re: Using ATD and CTD in the same environment

Hey Thorsten!

All rulesets should have been included in the export I attached.

In any case I've made a little more progress in cleaning up the rules.

See attached.

Best Regards,
jon

0 Kudos
Troja
Level 14

Re: Using ATD and CTD in the same environment

Cool,

Just a completely different question: is there an editor available to build rules, or do I have to do this manually in XML? :-)

Cheers

0 Kudos
McAfee Employee

Re: Using ATD and CTD in the same environment

Hi Thorsten,

The rules I uploaded use "simplified view"; it's meant to hide the complexity of the rules.

If you find that you need to unlock them (either for understanding or customization), please let me know how I might be able to make it easier to understand.

One debugging feature I built into the rules is the ability to change the scanning profile based on URL parameters:

hxxp://malwarehost.tld/testsample-80b.exe?ctdinline&mwgthreattesting // Results in an inline CTD scan

hxxp://malwarehost.tld/testsample-80b.exe?ctdoffline&mwgthreattesting // Results in an offline CTD scan

hxxp://malwarehost.tld/testsample-80b.exe?atdoffline&mwgthreattesting // Results in an offline ATD scan

hxxp://malwarehost.tld/testsample-80b.exe?atdinline&mwgthreattesting // Results in an inline ATD scan

The URL parameter "mwgthreattesting" will have the MWG block the file regardless of the ATD/CTD conviction. This is useful if you're testing with a known bad sample and don't want it to reach your test endpoint.

Also built into the rules is a "demo hashes" list, where you can add in hashes to force a check against CTD, because by default CTD only checks unknown files. Adding a hash to the list forces MWG to check against CTD.

Best Regards,

Jon

0 Kudos
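The group-driven dispatch Jon describes in this post (ruleset 1 tags the transaction, rulesets 2 and 3 act on the tags, the debug URL parameters override the mode, "mwgthreattesting" forces a block, and the demo-hash list forces a CTD check), together with Andrej's earlier point about tagging the customer before Antimalware.MATD.InitBackgroundScan so it is still visible when Antimalware.MATD.IsBackgroundScan is true, can be written out as plain decision logic. The Python below is an added example written for this page; it is not MWG rule XML and not the ruleset attached to the thread. Customer names, proxy ports, group names, the policy table, the hashes and the URLs are all constructed, and the cloud-only restriction on CTD inline mentioned above is not modelled.

```python
"""Model of group-driven ATD/CTD dispatch as discussed in the thread.

Added example for this page: a stand-alone Python model, not MWG rule XML.
Customer names, ports, group names, policy and hashes are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Ruleset 1) "Add ATD/CTD Groups": each scan mode is carried as a group name
# appended to the transaction. Group names are assumptions for this model.
SCAN_GROUPS = {
    "CTD-inline": "MWG_CTD_INLINE",
    "CTD-offline": "MWG_CTD_OFFLINE",
    "ATD-inline": "MWG_ATD_INLINE",
    "ATD-offline": "MWG_ATD_OFFLINE",
}
GROUP_TO_MODE = {group: mode for mode, group in SCAN_GROUPS.items()}

# Debug URL parameters from the post; they override the customer policy.
DEBUG_PARAMS = {
    "ctdinline": "CTD-inline",
    "ctdoffline": "CTD-offline",
    "atdinline": "ATD-inline",
    "atdoffline": "ATD-offline",
}
FORCE_BLOCK_PARAM = "mwgthreattesting"

# Constructed: customers are separated by proxy port, as in the thread.
PORT_TO_CUSTOMER = {9080: "CustomerA", 9081: "CustomerB", 9082: "CustomerC",
                    9083: "CustomerD", 9084: "CustomerE"}

# Constructed policy mirroring customers A..E from the thread. "default"
# applies unless one of the user groups listed under "by_group" matches.
CUSTOMER_POLICY = {
    "CustomerA": {"default": "CTD-inline"},    # CTD, waiting for result
    "CustomerB": {"default": "CTD-offline"},   # CTD, immediate file availability
    "CustomerC": {"default": "ATD-inline"},    # ATD with data trickling
    "CustomerD": {"default": "ATD-inline",     # ATD trickling, except some groups
                  "by_group": {"Developers": "ATD-offline"}},
    "CustomerE": {"default": "ATD-inline"},
}

# Constructed "demo hashes" list: forces a CTD check even for a known file.
DEMO_HASHES = {"aa" * 32}


@dataclass
class Transaction:
    url: str
    proxy_port: int
    user_groups: list = field(default_factory=list)
    sha256: str = ""
    reputation_known: bool = True      # CTD normally only checks unknown files
    is_background_scan: bool = False   # stands in for Antimalware.MATD.IsBackgroundScan


def _query_flags(url):
    # keep_blank_values so bare flags like "?atdoffline&mwgthreattesting" survive
    return set(parse_qs(urlsplit(url).query, keep_blank_values=True))


def add_scan_groups(tx):
    """Ruleset 1): tag the transaction with a customer group and a scan-mode
    group. Must run before the background scan is initiated so the tags are
    still present when the background request comes back. Returns the mode."""
    customer = PORT_TO_CUSTOMER.get(tx.proxy_port)
    flags = _query_flags(tx.url)
    mode = next((DEBUG_PARAMS[f] for f in flags if f in DEBUG_PARAMS), None)
    if mode is None and customer is not None:
        policy = CUSTOMER_POLICY[customer]
        mode = policy["default"]
        for group, group_mode in policy.get("by_group", {}).items():
            if group in tx.user_groups:
                mode = group_mode
    if customer is not None and customer not in tx.user_groups:
        tx.user_groups.append(customer)
    if mode is not None:
        tx.user_groups.append(SCAN_GROUPS[mode])
    return mode


def decide(tx):
    """Rulesets 2)/3): read the groups back and decide how to scan.
    Because only the groups are consulted, the result is the same for the
    foreground request and for the later background (offline) scan request."""
    mode = next((GROUP_TO_MODE[g] for g in tx.user_groups if g in GROUP_TO_MODE), None)
    if mode is None:
        return {"engine": None, "mode": None, "action": "allow", "force_block": False}
    engine, how = mode.split("-")
    if engine == "CTD" and tx.reputation_known and tx.sha256 not in DEMO_HASHES:
        return {"engine": "CTD", "mode": how, "action": "skip", "force_block": False}
    action = "scan-and-wait" if how == "inline" else "deliver-then-background-scan"
    return {"engine": engine, "mode": how, "action": action,
            "force_block": FORCE_BLOCK_PARAM in _query_flags(tx.url)}


if __name__ == "__main__":
    tx = Transaction("http://malwarehost.tld/testsample-80b.exe?atdoffline&mwgthreattesting", 9080)
    add_scan_groups(tx)
    print(tx.user_groups, decide(tx))
```

The point of the model is the one Andrej made: everything the background-scan handler needs to know about the customer has to be attached to the transaction as a group before the background scan is started, since the later request no longer carries the original proxy port or authentication context.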
Troja
Level 14

Re: Using ATD and CTD in the same environment

Okay, so I will try....

Regarding the "simplified view": can I build such a rule on my own? I designed a complex ruleset to integrate MWG into TIE/DXL. A simplified view would be great, also if there is an editor available for this. :-)

Cheers

0 Kudos
McAfee Employee

Re: Using ATD and CTD in the same environment

Hi Thorsten,

You can indeed build a simplified view of your own; you'd need to borrow from other rulesets using their XML. There isn't an editor for this, though.

Best Regards,

Jon

0 Kudos