Thanks! So GAM (the regular AV engine) sets the rating which the ATD rule uses to send samples.
Where can I find information on how the GAM decides which rating is applied?
So I guess setting the threshold on the ATD rule below 50 doesn't make a difference?
ATD as a regular scanner for MWG (two ATD analyzer profiles).
Q1: It is not possible to evaluate 2 conditions in parallel (start both scans at the same time, evaluate URL categories and scan for malware, etc.).
Q2: You can define as many ATD configurations as you want.
ATD and additional file types on risky sites
Standard rule covers all media types supported by ATD, but it seems the true media type of the downloaded file is not recognized by MWG, that's why you had to add odd-looking types like "force-download". Can you send me a mail with a link to a malware that has these specific media types?
ATD and offline scanning
Have you placed the "ATD - Handle Offline Scan" ruleset at the top of your policy? This error message means that either MWG was not able to connect to proxy.ip or no rule set handled the offline request, e.g. it was blocked by some other rule set before the "ATD - Handle Offline Scan" ruleset recognized it as an offline scan request.
ad Q1: Not at the moment. You just can use one profile. From my point of information "Analyzer Chaining" will be added in further releases of ATD. But note, there is no official information about this feature. From MWG perspective, you can configure several ATD configurations using different ATD users to map different Analyzer profiles.
Hmmmm, this is a cool idea, I will try this. 🙂
ad Q2: See Q1. Have not tested it. I do not know if there are any side effects.
Additional File Types: Hmmm, MWG identifies the true file type: there are several different properties for File Types. If changing the behavior, just check the ATD results for any reports with unsupported file types. I tested it, there was no problem except a high load on ATD. I sent too many files. 🙂
Let me know if you have some different experience.