We are testing McAfee Web Gateway and ATD integration in our live HTTP traffic in our company.
Enclosed you can see some configuration samples.
Therefore we defined a new ruleset for risky websites.
I also don't know if this is supported. In my case it was the only solution to block the malware.
This feature is not working in my environment. I always get the error message on MWG: Could not activate background scan in time.
Does anyone have experience with ATD and its integration with MWG?
Has anyone successfully installed the offline scan feature?
A few things occur to me with this.
1) I agree that in certain cases you might want to send a sample to 2 different profiles; however, doing this all the time, especially in inline (wait for result) mode, is not advisable. MWG is going to test properties serially unless you fork off another transaction, which is tricky and would not allow you to block the original request.
In your case it's not that you want to run it against multiple images, it's that you want to run it against the right image. You have a few choices. First of all, if the question is as basic as 32-bit vs 64-bit, ATD can select for you (VM analyser profile, autoselect). Second, with ePO integration, ATD can attempt to determine the platform and pick the correct one based on the ePO common catalog. And third, you can select the correct ATD profile based on user-agent.
I would break it into 2 rules: one with the criterion "user-agent matches WinXP" that sends to the ATD engine definition for XP, and a default that sends to the platform that is most common. Dynamic analysis is not always perfect either, which is why we do the static code analysis, which is going to be platform agnostic.
2) That many comparisons on a ruleset could have a performance impact. Compressing this to a few comparisons is a good thing.
I would say those file types are a bit unusual; are they legitimate Windows executables? First, I would put those file types into the list you already have on the criteria. There is no issue with adding to that list as long as ATD supports the file. The list is more of a starter list; I would expect the default to change over time.
Second, are you not blocking high-risk sites? One of the primary purposes of this integration is to do as many downselects as you can directly on the MWG. I would use GAM, GTI (both web and file) and AV, and then, if none of those work, send it to ATD.
3) Most likely the issue is with the order. The offline scan has 2 rulesets: one to start the offline scan (no engine setting) and one to catch it and send it into ATD. The Handle Offline Scan ruleset should be at the very top of the ruleset; the Init ruleset should be at the bottom, below the other scanning engines.
Hopefully that should get you scanning; good luck.
How do you validate that the MWG is talking to the ATD server? Can this be checked in the MWG logs? We have it set up, but see no indication in ATD that it is doing anything, or that MWG is sending any files over.
There are two things you can do.
- Check the DXL log on MWG.
- If a file is checked, you can see an entry under TIE Reputations (where the file has run).
The easiest way is:
1) Download a file from a server
2) Find the file under TIE Reputations
3) Mark the file as known malicious
4) Download the file again, MWG should block the download.
This is what I noticed while trying to check whether MWG is talking to ATD and sending files for analysis.
The probability that determines which files are submitted to the ATD for analysis is set to 60; this probability is set by the Gateway Anti-Malware engine in the MWG.
I changed this probability value to 30 to allow more files to be sent to the ATD for analysis. This was done because the Gateway Anti-Malware engine blocked access to download the test antivirus file, and I wasn't certain about downloading them anyway.
This worked, and I could see the increase in files being sent for analysis.
Remember that MATD has specific file types and minimum and maximum file sizes that it can handle. This is not the same as the list on MWG, especially the mix of min and max file sizes.
Run "show filesizes" on the CLI of a MATD (ssh on port 2222 as cliadmin) and you'll see the file types and min and max sizes supported. That way you can write more accurate rulesets on the MWG side to tailor the files you send to MATD.
MWG uses the ensured media types. MATD I'm less sure of, as it talks of file extensions but not media types.
The probability got an overhaul in the recent GAM release, so we see 0 for safe (ahem..) and 50-100 depending on potential risk.
One could argue that if MWG thinks a file has an 80% probability of being bad, why not just block it.
Also, be mindful: it is very easy to overload MATD, so you can't send it too much.
Where is the probability set?
By default it's only sent to ATD when it hits 60.
Did some tests with some samples (where can you get good samples anyway which are not blocked by GAM?) but it's always 0.
Currently no samples are sent to ATD.
Where is the probability set?
-> edit criteria -> Antimalware Proactive Probability <Gateway Anti-Malware> greater than or equal 60.
Decrease the score in this criterion.
With a lower score, most of the normal software files that you download will be sent to MATD for analysis.
Please note: I had done this only to test; as Roybad mentioned, MATD might overload if too many files are sent by decreasing the score.
Hope this helps.
It doesn't really make any great difference in my opinion.
The ruleset still sends all files matching the media type and less than 25MB to ATD, and ATD will reject files bigger than it can deal with, returning an error to MWG (e.g. EXEs have to be less than 10MB).
The GAM rating is either 50-100 or 0. We set it to "anything bigger than 5", as there's not much that is rated between 50 and 60... and if MWG thinks it is more risky than a 0, we want to send it!
ATD is better than it used to be now, but the malware writers have also upped their game, so some of the malware we see seems to evade everything. (There really are some clever people writing malware!)
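The submission logic the last few posts argue about (the GAM proactive-probability threshold, MWG's own 25MB ceiling, and MATD's stricter per-type limits that cause rejections) written out as an added Python example. This is not MWG or MATD code; the media-type limit table is constructed for illustration, and only the "EXE must be under 10MB" figure comes from the thread.

```python
# Added example: a pre-filter that mirrors what the MWG ruleset decides before
# handing a download to MATD. It shows why a file can pass the MWG rule
# ("media type matches, < 25MB") and still be rejected by MATD, and how the
# GAM threshold (60 by default, "anything bigger than 5" in one reply) changes
# what gets sent. Limits below are constructed; check "show filesizes" on MATD.

from dataclasses import dataclass

MB = 1024 * 1024

# Constructed MATD-style limits: media type -> (min bytes, max bytes).
MATD_LIMITS = {
    "application/x-msdownload": (1, 10 * MB),  # EXE: under 10MB (from the thread)
    "application/pdf": (1, 5 * MB),            # constructed
    "application/zip": (1, 8 * MB),            # constructed
}

MWG_MAX_BYTES = 25 * MB  # the ruleset's own "less than 25MB" ceiling


@dataclass
class Download:
    media_type: str       # MWG's ensured media type, not the file extension
    size: int             # body size in bytes
    gam_probability: int  # GAM rating: 0 for safe, 50-100 for potential risk


def atd_decision(d: Download, threshold: int = 60) -> str:
    """Return 'submit', or the reason the file is skipped or would be rejected."""
    if d.gam_probability < threshold:
        return "skip: below GAM probability threshold"
    if d.media_type not in MATD_LIMITS:
        return "skip: media type not supported by MATD"
    if d.size >= MWG_MAX_BYTES:
        return "skip: over MWG ruleset size limit"
    lo, hi = MATD_LIMITS[d.media_type]
    # Passes the MWG ceiling but not MATD's own limit: MWG would send it and
    # MATD would answer with an error, which is wasted capacity on a box that
    # is easy to overload.
    if not (lo <= d.size < hi):
        return "reject: MATD would refuse this size for this type"
    return "submit"
```

Running the decision over a sample at 55 with the default threshold shows it is never submitted, while "greater than 5" sends everything GAM rates above 0.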