8 Replies Latest reply on Oct 14, 2011 8:35 AM by eelsasser

    MWG 7 AntiMalware Question..



      I have a question regarding the McAfee Web Gateway AntiMalware engines.

      I don't have any options under the Gateway AntiMalware. Is this caused by the license or by a configuration issue?





        • 1. Re: MWG 7 AntiMalware Question..



          You have a Web Security license, which does not include the Gateway Anti-Malware. The settings you can see in the screenshot are the ones for the McAfee AV engine.

          Technically you still have the Gateway Anti-Malware, but because of the license the engine will only use the McAfee AV part and has the additional options disabled (they are not even visible in the configuration).

          So it's related to the license; it's not a configuration issue.





          • 2. Re: MWG 7 AntiMalware Question..

            Hi Dirk,

            This means that I can use the default McAfee VS engine for scanning purposes, right? But I can't do any editing in the engine.

            • 3. Re: MWG 7 AntiMalware Question..

              Yes, you can use the McAfee AV engine for virus scanning.

              The only AV options you can change (besides enabling/disabling AV scanning) are the AV prescan and the GTI file reputation queries.

              All the other options are not available to you, because those concern the Gateway Antimalware engine only (ProActive, Mobile Code Scanning, etc.).





              • 4. Re: MWG 7 AntiMalware Question..

                OK, thanks Dirk.

                • 5. Re: MWG 7 AntiMalware Question..

                  Dear Support,


                  If we enable GTI, it means McAfee will use the GTI module for scoring the URL access to analyse malware on websites, right?

                  Some new malware may not be included in the current McAfee AV signatures, but we can use GTI to drop it instead, right?

                  If I understand correctly, which alert page will the user see if McAfee blocks a website by AV and by GTI? Is it the same or different?

                  And how can we check whether McAfee blocked with AV or with GTI? Can you give me an example URL for blocking with GTI?

                  Last thing: McAfee will use the AV module for scanning first. If it finds malware, the URL will be blocked, and McAfee won't use the GTI module.

                  If nothing is found, then McAfee will use the GTI module for further analysis. Please confirm if I understand correctly.



                  Akekarat C.


                  Message was edited by: akenichi on 10/13/11 11:24:04 PM CDT
                  • 6. Re: MWG 7 AntiMalware Question..

                    If you enable GTI File Reputation for Antimalware scanning, it will include the additional detections that it offers (formerly Artemis). The block still occurs under the one property for Antimalware.Infected. There is no difference in the block page. The only difference you will see is that the virus name will be "Artemis!XXXXXXXX".

                    Blocking a URL with GTI is different than blocking a file for malware. GTI Category and Web Reputation for URLs is a list of URLs and categories. The category database on the appliance is searched first; if the URL is not found there, it then searches a much larger database in the cloud. Even though they are both called GTI, Web Category/Web Reputation is different than GTI File Reputation.

                    • 7. Re: MWG 7 AntiMalware Question..

                      Dear eelsasser,


                      You mean GTI can analyse the category of a website that cannot be analysed by the local DB. Then MWG acts on that URL category according to the MWG policy, right?

                      If correct, can we know when MWG uses GTI for the URL category? Can you give me any URL as an example? Will the block page be the same as a block by the local DB or not?

                      About GTI on malware, can you give me any example? I have to show the benefit of GTI on both malware and category to the customer.



                      Akekarat C.

                      • 8. Re: MWG 7 AntiMalware Question..

                        Using the GTI Web Category Lookup is a default setting.

                        There are X number of entries in the local database; there are 100 million more URL entries in the cloud database.

                        The block page looks the same; there is no indication that a URL was looked up in the cloud versus locally.

                        There is a property called GTI.RequestSentToCloud that can be used to log or display on the block page to tell if it was a local lookup vs a cloud lookup.

                        Cloud lookups are real-time as the request is being made. When using a local database, you must wait for a database update for new sites to take effect. MWG looks for local updates every 30 minutes by default; however, when you have a local database like SmartFilter on Blue Coat, it only looks for updates every 24 hours. GTI cloud lookups will reduce the window of opportunity for malicious URLs to be retrieved.

                        I do not have a list of cloud-only URLs because they change constantly.


                        Here is more information I found:

                        Cloud vs Local URL Checks:

                        Local databases were the only option in the early 6.x release of MWG for customers. Every n hours the appliances would check for new updates to the databases and perform downloads. MWG 7.x now has the capability to perform both local and cloud-based lookups, which gives the customer more than 250% better coverage due to the size differences between local and cloud databases. Customers should be advised to give consideration to going with the cloud-based lookups. Not only does this increase the user's security posture, but it also notifies McAfee Labs automatically about uncategorized sites.

                        GTI File Reputation is similar. It provides a smaller window of opportunity for a piece of malware to proliferate before specific signatures are created. It is the same reason why you should turn it on on the desktop, also.