14 Replies Latest reply on Jun 12, 2017 7:35 AM by matic.knuplez

    Webgateway and Advanced Threat Defense (ATD) Integration

    Troja

      Hi all,

      we are testing McAfee Webgateway and ATD Integration in our live HTTP traffic in our company.

       

      Enclosed you can see some configuration samples.

       

      • ATD as a regular scanner for MWG (one ATD analyzer profile)
        ATD1.jpg
        Works fine without any trouble.


      • ATD as a regular scanner for MWG (two ATD analyzer profiles)

        Why this configuration? Some malware does really different things when executed on different operating systems. The goal should be to block malware even if the malware cannot spread on my corporate endpoint. But no malware should be stored on any endpoint. Therefore we built the following ruleset.
        ATD2.jpg
        As you can see, there are two Antimalware settings defined. The malware is sent to ATD step by step. This means that after the analysis for the first settings is finished, the malware is sent to the second analyzer profile
        ATD3.jpg
        and the file is checked two times on ATD. This also causes a longer time until the file is submitted to the end user.
        Questions:
        1. Is it not possible to start both scans at the same time?
        2. Is this setting supported?

       

      • ATD and additional file types on risky sites
        In my lab I was not able to protect an endpoint from downloading a malicious file. Enclosed are some challenges:
        1. GAM detected no malicious activity.
        2. When uploading the file manually to ATD the result showed malicious activity.
        3. The website used two media types which are not defined as an ATD supported media type.

       

      Therefore we defined a new ruleset for risky websites.
      ATD4.jpg
      I also don't know if this is supported. In my case it was the only solution to block the malware.

       

      • ATD and offline scanning

      This feature is not working in my environment. I always get the error message on MWG: Could not activate background scan in time.


      Has anyone experience with ATD and integration to MWG?

      Has anyone successfully installed the offline scan feature?

        • 1. Re: Webgateway and Advanced Threat Defense (ATD) Integration

          Hi Troja,

           

          A few things occur to me with this.

           

          1) I agree in certain cases you might want to send a sample to 2 different profiles; however, doing this all the time, especially in inline (wait for result) mode, is not advisable. MWG is going to test properties serially unless you fork off another transaction, which is tricky and would not allow you to block the original request.

          In your case it's not that you want to run it against multiple images, it's that you want to run it against the right image. You have a few choices. First of all, if the question is as basic as 32bit vs 64bit, ATD can select for you (vm analyser profile, autoselect). Second, with ePO integration, ATD can attempt to determine the platform and pick the correct one based on the ePO common catalog. And third, you can select the correct ATD profile based on user-agent.

          I would break it into 2 rules with criteria of user-agent matches winXP send to that ATD engine definition XP, and default to the platform that is most common. Dynamic analysis is not always perfect, either, which is why we do the static code analysis, which is going to be platform agnostic.

           

          2) That many comparisons on a ruleset could have a performance impact. Compressing this to a few comparisons is a good thing.

          I would say those file types are a bit unusual; are they legitimate Windows executables? First, I would put those file types into the list you already have on the criteria. There is no issue with adding to that list as long as ATD supports the file. The list is more of a starter list; I would expect the default to change over time.

          Second, are you not blocking high risk sites? One of the primary purposes of this integration is to do as many downselects as you can directly on the MWG. I would use GAM, GTI (both web and file) and AV, and then if none of those work, then send it to ATD.

           

          3) Most likely the issue is with the order. The offline scan has 2 rulesets. One to start the offline scan (no engine setting) and one to catch it and send it into ATD. The Handle Offline Scan should be at the very top of the ruleset, the Init should be at the bottom below the other scanning engines.

          Screen Shot 2014-05-08 at 9.45.52 AM.png

           

          Hopefully that should get you scanning, good luck.

           

          --Christopher

          • 2. Re: Webgateway and Advanced Threat Defense (ATD) Integration

            Hi,

             

            ATD as a regular scanner for MWG (two ATD analyzer profiles)

             

            Q1: It is not possible to evaluate 2 conditions in parallel (start both scans at the same time, evaluate URL categories and scan for malware, etc.).

            Q2: You can define as many ATD configurations as you want.

             

            ATD and additional file types on risky sites

             

            Standard rule covers all media types supported by ATD, but it seems the true media type of downloaded file is not recognized by MWG, that's why you had to add odd-looking types like "force-download". Can you send me a mail with a link to a malware that has this specific media types?

             

            ATD and offline scanning

             

            Have you placed the "ATD - Handle Offline Scan" ruleset at the top of your policy? This error message means that either MWG was not able to connect to proxy.ip or no rule set handled the offline request, e.g. it was blocked by some other rule set before the "ATD - Handle Offline Scan" ruleset recognized it as an offline scan request.

            • 3. Re: Webgateway and Advanced Threat Defense (ATD) Integration
              feeeds

              How do you validate that the MWG is talking to the ATD server? Can this be checked in the MWG logs? We have it set up, but see no indication in ATD that it is doing anything, or that MWG is sending any files over.

              • 4. Re: Webgateway and Advanced Threat Defense (ATD) Integration
                Troja

                Hi,

                There are two things you can do.

                - Check the DXL log on MWG.

                - If a file is checked you can see an entry under TIE Reputations (where the file has run).

                 

                The easiest way is:

                1) Download a file from a server

                2) Find the file under TIE Reputations

                3) Mark the file as known malicious

                4) Download the file again, MWG should block the download.

                 

                Cheers

                • 5. Re: Webgateway and Advanced Threat Defense (ATD) Integration
                  Troja

                  Hi,

                   

                  ad Q1: Not at the moment. You can just use one profile. From my point of information, "Analyzer Chaining" will be added in further releases of ATD. But note, there is no official information about this feature. From the MWG perspective, you can configure several ATD configurations using different ATD users to map different analyzer profiles.

                  Hmmmm, this is a cool idea, I will try this. :-)

                   

                  ad Q2: See Q1. Have not tested it. I do not know if there are any side effects.

                   

                  Additional File Types: Hmmm, MWG identifies the true file type: there are several different properties for file types. If changing the behavior, just check the ATD results to see if there are any reports with unsupported file types. I tested it; there was no problem except a high load on ATD. I sent too many files. :-)

                   

                  Handle offline scan: I used the information from "Web Gateway: Integrating with Advanced Threat Defense (ATD)"; this worked in my environment. I just have troubles when adding these rules to a complex ruleset; there it has not worked.

                   

                  Let me know if you have some different experience.

                   

                  Cheers

                  • 6. Re: Webgateway and Advanced Threat Defense (ATD) Integration
                    chengappa

                    This is what I noticed while trying to check whether MWG is talking to ATD and sending files for analysis.

                    The probability which determines the files to be submitted to the ATD for analysis is set to 60; this probability is set by the Gateway Anti-Malware engine in the MWG.

                    I changed this probability value to 30 to allow more files to be sent to the ATD for analysis. This was done because the Gateway Anti-Malware engine blocked the access to download test antivirus files and I wasn't certain about downloading them anyway.

                    This worked and I could see the increase in files being sent for analysis.

                    • 7. Re: Webgateway and Advanced Threat Defense (ATD) Integration
                      roybad

                      Remember that MATD has specific file types and minimum and maximum file sizes that it can handle. This is not the same as the list on MWG, especially the mix of min and max file sizes.

                      Run "show filesizes" on the cli of a MATD (ssh on port 2222 as cliadmin) and you'll see the file types and min and max sizes supported. That way you can write more accurate rulesets on the MWG side to tailor the files you send to MATD.

                      MWG uses the ensured media types. MATD I'm less sure of as it talks of file extensions but not the media types.

                      The probability got an overhaul in the recent GAM release, so we see 0 for safe (ahem..) and 50-100 depending on potential risk.

                      One could argue if MWG thinks a file has an 80% probability of being bad, why not just block it.

                       

                      Also, be mindful. It is very easy to overload MATD so you can't send it too much.

                      • 8. Re: Webgateway and Advanced Threat Defense (ATD) Integration
                        wiresharky

                        Where is the probability set?

                        By default it's only sent to ATD when it hits 60.

                        Did some tests with some samples (where can you get good samples anyway which are not blocked by GAM?) but it's always 0.

                        Currently no samples are sent to ATD.

                        • 9. Re: Webgateway and Advanced Threat Defense (ATD) Integration
                          chengappa

                          Where is the probability set?

                           

                          • Under Ruleset "MATD - offline scan" -> edit criteria -> Antimalware Proactive Probability <Gateway Anti-Malware> greater than or equal 60.

                          Decrease the score in this criteria.

                          With a lower score most of the normal software files that you download will be sent to MATD for analysis.

                           

                          Please note: I had done this only to test; as Roybad mentioned, MATD might overload if too many files are sent by decreasing the score.

                           

                          Hope this helps.

                          Cheers
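The replies above (roybad on MATD's per-type min/max file sizes and MWG's ensured media types, chengappa and wiresharky on the GAM probability threshold) describe the serial "downselect" an MWG ruleset performs before a file is handed to MATD. The following is an added toy model of that decision, not McAfee code and not the MWG rule language: the rule names, the supported-type table (a stand-in for the output of `show filesizes` on the MATD CLI) and the sample downloads are all constructed for illustration. It shows how lowering the probability criterion from 60 to 30 increases submissions, and how the media-type and size gates keep unsupported or oversized files away from MATD.

```python
"""Toy model of the MWG -> ATD submission decision discussed in this thread.

Added example, not McAfee code. The real MWG rule engine evaluates its
criteria serially (as noted in the thread) and uses the ensured media type;
the MATD per-type limits below are constructed placeholders, not values
from a real `show filesizes` run.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for MATD's `show filesizes` table:
# ensured media type -> (min_bytes, max_bytes). NOT real MATD limits.
MATD_FILE_LIMITS = {
    "application/x-msdownload": (1_024, 64 * 1024 * 1024),
    "application/pdf":          (512, 32 * 1024 * 1024),
    "application/zip":          (1_024, 128 * 1024 * 1024),
}


@dataclass
class Download:
    url: str
    ensured_media_type: str  # what MWG's media type detection settled on
    size: int                # bytes
    gam_probability: int     # the "Antimalware Proactive Probability <Gateway Anti-Malware>" value


def should_submit_to_atd(d: Download, probability_threshold: int = 60) -> Tuple[bool, str]:
    """Return (submit?, reason) mimicking the serial criteria of an
    'MATD - offline scan' style ruleset. Criteria are checked in order;
    the first failing one ends evaluation, as MWG does with its rules."""
    # 1. GAM proactive probability gate (the criterion chengappa lowered from 60 to 30)
    if d.gam_probability < probability_threshold:
        return False, f"probability {d.gam_probability} < {probability_threshold}"
    # 2. Ensured media type must be one MATD can analyse (odd types such as
    #    'force-download' fall out here, as discussed in the thread)
    limits = MATD_FILE_LIMITS.get(d.ensured_media_type)
    if limits is None:
        return False, f"media type {d.ensured_media_type} not supported by MATD"
    # 3. Size must lie within MATD's min/max for that type (roybad's point)
    lo, hi = limits
    if not lo <= d.size <= hi:
        return False, f"size {d.size} outside MATD range {lo}-{hi}"
    return True, "submit"


# Constructed sample downloads; URLs and values are invented for the example.
SAMPLE_DOWNLOADS = [
    Download("http://example.test/setup.exe", "application/x-msdownload", 5 * 1024 * 1024, 80),
    Download("http://example.test/report.pdf", "application/pdf", 200 * 1024, 45),
    Download("http://example.test/archive.zip", "application/zip", 300 * 1024 * 1024, 90),
    Download("http://example.test/tool.bin", "application/force-download", 1024 * 1024, 70),
    Download("http://example.test/readme.txt", "text/plain", 2_000, 0),
    Download("http://example.test/tiny.exe", "application/x-msdownload", 100, 65),
]


def submissions(probability_threshold: int = 60) -> List[str]:
    """URLs that would be handed to MATD at the given probability threshold."""
    return [d.url for d in SAMPLE_DOWNLOADS
            if should_submit_to_atd(d, probability_threshold)[0]]


if __name__ == "__main__":
    for threshold in (60, 30):
        print(f"threshold {threshold}: {len(submissions(threshold))} file(s) sent to MATD")
        for d in SAMPLE_DOWNLOADS:
            ok, reason = should_submit_to_atd(d, threshold)
            print(f"  {'SEND' if ok else 'skip'} {d.url}: {reason}")
```

Run stand-alone, the script lists which constructed downloads pass at 60 and at 30; lowering the threshold admits the 45% PDF, while the oversized ZIP, the undersized EXE and the `force-download` file are rejected at either setting. That is the shape of the trade-off the thread describes: a lower probability criterion finds more, but only the type and size gates keep the submission volume within what MATD can absorb.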
