A few things occur to me with this.
1) I agree in certain cases you might want to send a sample to 2 different profiles; however, doing this all the time, especially in inline (wait for result) mode, is not advisable. MWG is going to test properties serially unless you fork off another transaction, which is tricky and would not allow you to block the original request.
In your case it's not that you want to run it against multiple images, it's that you want to run it against the right image. You have a few choices. First of all, if the question is as basic as 32bit vs 64bit, ATD can select for you (vm analyser profile, autoselect). Second, with ePO integration, ATD can attempt to determine the platform and pick the correct one based on the ePO common catalog. And third, you can select the correct ATD profile based on user-agent.
I would break it into 2 rules: with a criteria of user-agent matches WinXP, send to the ATD engine definition for XP, and default to the platform that is most common. Dynamic analysis is not always perfect, either, which is why we do the static code analysis, which is going to be platform agnostic.
2) That many comparisons on a ruleset could have a performance impact. Compressing this to a few comparisons is a good thing.
I would say those file types are a bit unusual; are they legitimate Windows executables? First, I would put those file types into the list you already have on the criteria. There is no issue with adding to that list as long as ATD supports the file. The list is more of a starter list; I would expect the default to change over time.
Second, are you not blocking high risk sites? One of the primary purposes of this integration is to do as many downselects as you can directly on the MWG. I would use GAM, GTI (both web and file) and AV, and then if none of those work, then send it to ATD.
3) Most likely the issue is with the order. The offline scan has 2 rulesets. One to start the offline scan (no engine setting) and one to catch it and send it into ATD. The Handle Offline Scan should be at the very top of the ruleset, the Init should be at the bottom below the other scanning engines.
Hopefully that should get you scanning, good luck.
ATD as a regular scanner for MWG (two ATD analyzer profiles).
Q1: It is not possible to evaluate 2 conditions in parallel (start both scans at the same time, evaluate URL categories and scan for malware, etc.).
Q2: You can define as many ATD configurations as you want.
ATD and additional file types on risky sites
The standard rule covers all media types supported by ATD, but it seems the true media type of the downloaded file is not recognized by MWG; that's why you had to add odd-looking types like "force-download". Can you send me a mail with a link to a malware sample that has these specific media types?
ATD and offline scanning
Have you placed the "ATD - Handle Offline Scan" ruleset at the top of your policy? This error message means that either MWG was not able to connect to proxy.ip or no rule set handled the offline request, e.g. it was blocked by some other rule set before the "ATD - Handle Offline Scan" ruleset recognized it as an offline scan request.
How do you validate that MWG is talking to the ATD server? Can this be checked in the MWG logs? We have it set up, but see no indication in ATD that it is doing anything, or that MWG is sending any files over.
There are two things you can do.
- Check the DXL log on MWG.
- If a file is checked you can see an entry under TIE Reputations (where the file has run).
The easiest way is:
1) Download a file from a server
2) Find the file under TIE Reputations
3) Mark the file as known malicious
4) Download the file again, MWG should block the download.
ad Q1: Not at the moment. You just can use one profile. From my point of information "Analyzer Chaining" will be added in further releases of ATD. But note, there is no official information about this feature. From MWG perspective, you can configure several ATD configurations using different ATD users to map different Analyzer profiles.
Hmmmm, this is a cool idea, I will try this. :-)
ad Q2: See Q1. Have not tested it. I do not know if there are any side effects.
Additional File Types: Hmmm, MWG identifies the true filetype: there are several different properties for File Types. If changing the behavior, just check the ATD results for any reports with unsupported filetypes. I tested it; there was no problem except a high load on ATD. I sent too many files. :-)
Handle offline scan: I used the information from "Web Gateway: Integrating with Advanced Threat Defense (ATD)", and this worked in my environment. I just have trouble when adding these rules to a complex ruleset; there it has not worked.
Let me know if you have some different experience.
This is what I noticed while trying to check whether MWG is talking to ATD and sending files for analysis.
The probability which determines the files to be submitted to the ATD for analysis is set to 60. This probability is set by the Gateway Anti-Malware engine in the MWG.
I changed this probability value to 30 to allow more files to be sent to the ATD for analysis. This was done because the Gateway Anti-Malware engine blocked the access to download test antivirus files, and I wasn't certain about downloading them anyway.
This worked and I could see the increase in files being sent for analysis.
Remember that MATD has specific file types and minimum and maximum file sizes that it can handle. This is not the same as the list on MWG, especially the mix of min and max file sizes.
Run "show filesizes" on the CLI of a MATD (ssh on port 2222 as cliadmin) and you'll see the file types and min and max sizes supported. That way you can write more accurate rulesets on the MWG side to tailor the files you send to MATD.
MWG uses the ensured media types. MATD I'm less sure of as it talks of file extensions but not the media types.
The probability got an overhaul in the recent GAM release, so we see 0 for safe (ahem..) and 50-100 depending on potential risk.
One could argue that if MWG thinks a file has an 80% probability of being bad, why not just block it.
Also, be mindful. It is very easy to overload MATD so you can't send it too much.
Where is the probability set?
By default it's only sent to ATD when it hits 60.
Did some tests with some samples (where can you get good samples anyway which are not blocked by GAM?) but it's always 0.
Currently no samples are sent to ATD.
Where is the probability set?
- Under Ruleset MATD - offline scan
-> edit criteria -> Antimalware Proactive Probability <Gateway Anti-Malware> greater than or equal 60.
Decrease the score in this criteria.
With a lower score most of the normal software files that you download will be sent to MATD for analysis.
Please note: I did this only to test; as Roybad mentioned, MATD might overload if too many files are sent by decreasing the score.
Hope this helps.