3 Replies Latest reply on Feb 3, 2014 12:17 PM by vinoo

    Split DNS

    mscox42

      I see an old thread about this but would like some further clarification, please.

       

      Even with a proxy set, I see a lot of dns queries generated by GetSusp, which fail in our environment. Is there some functionality there that isn't duplicated in the traffic I see going through the proxy?

       

      I'm not particularly McAfee literate. We do have your proxy server with ePO but not your client AV, if any of that matters.

       

      Thanks in advance!

      Michael

        • 1. Re: Split DNS
          vinoo

          On a machine with VirusScan installed and configured to send the file reputation queries via GTI Proxy, the GTI Proxy server ip address(es) is specified under the following registry key.

           

          [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\GTI Enterprise Server]

          “AEServer”=”192.168.1.1,192.168.2.1,192.168.3.1”

           

          When GetSusp is run, it looks for this key pre-populated to check for the presence of GTI Proxy in the environment.

           

          If the client AV is not McAfee but you have GTI Proxy, you can create this registry key on the client to make GetSusp direct all DNS queries to the proxy.

          1 of 1 people found this helpful
          • 2. Re: Split DNS
            mscox42

            Thanks. I'll look into options for a GTI proxy.

             

            I'm curious though... I see connections through my web proxy to getclean.mcafee.com and list.smartfilter.com. What functionality is happening via DNS, and what functionality is happening via HTTP? How is the tool's output impacted if the dns queries don't go through?

             

            Thanks again!

            • 3. Re: Split DNS
              vinoo

              DNS queries over UDP port 53 to *.avqs.mcafee.com are the file reputation queries for hashes that meet a certain suspicious or unknown criteria.


              The GetSusp_*.zip that is created containing the harvested suspect files and logs is uploaded to https://getclean.mcafee.com post a scan.


              If the DNS queries fails - it will result in a noisy report / bloated zip file as files identified during scan are not eliminated.