3 Replies Latest reply on Aug 14, 2017 9:56 PM by d_aloy

    ATD - Simulator Mode Reports

    ymachado99

      Hi All,

       

      I am wondering if the reports generated in ATD when it is configured in Simulator mode (for the internet connection) will include some comments/details on the connections that was unable to simulate ?

       

      Thank you.

       

      Regards,

      Yohan.

        • 1. Re: ATD - Simulator Mode Reports
          d_aloy

          Hi Yohan

           

          McAfeer ATD will run in 'simulator mode' if no internet access is given to the sandboxing environment within ATD.

           

          This means ATD will simulate (theoretically) whatever the malware is trying to get from external sources. This means it will represent internet services like web servers, FTP servers, etc - and will even serve some content back to the potentially malicious file being analysed.

           

          This all should be part of the report. The admin  guide has something about this but if that's not enough I would suggest logging a support call to get an official response.

           

          Regards

          David

          • 2. Re: ATD - Simulator Mode Reports
            ymachado99

            Hi David,

             

            Thank you for your reply.

             

            My undersdanding is that in Simulator mode ATD will only emulates the following services as per McAfee Corporate KB - FAQs for Advanced Threat Defense KB79333

             

                 •HTTP

                 •SMTP

                 •FTP

                 •TELNET

                 •DNS

             

            What you are saying the report will include details of whatever the malware is trying to get fom the external sources ?

             

            The only limitation of the Simulator mode is that the VM won't be able to download the payload ?

             

            Regrads,

            Yohan.

            • 3. Re: ATD - Simulator Mode Reports
              d_aloy

              Hi Yohan

               

              It's always good to read the docs....thanks for the details

               

              Yes, that's my understanding: ATD will show you which calls/functions were executed and the processes that initiated them - all based on the sample being analysed - even if 'no real' internet connection is available.

               

              And now that I said that, and even if a simulated internet connection/services is great because it lowers the risk during analysis... There is a big 'BUT' when simulating  a I ternrt space...and it is that you will not get an accurate report compared to the same sample analysis with full internet connectivity. We've seen samples trying to connect to A and B, with bad URL or iP reputation...and you will see the GET requests on the report...But you won't see what happens when the downloader gets the real payload down and executes it..

              However, give full internet access to the same file, and you will see how it may download config and executable files that will start other processes on the sandbox VM - and provide you with proper actionable intelligence and IOCs.

              I would always push for an isolated line so malware can show its full potential on sandboxes...ADSL lines aren't that expensive nowadays..

               

              Now that you've listed the protocols it will simulate, I wonder though what details we would get about other connection attempts like RPC/SMB on a simulated environment...

              Unfortunately I haven't been able to play with ATD for over 2 years... so I don't know the answer to that. But if you do or get feedback from support, please share

               

              Cheers

              David