5 Replies Latest reply on Mar 8, 2016 2:52 AM by Troja

    VM-aware Malware in combination with ATD

    Daniel_S

      Hey guys,

       

      we're currently thinking about extending our security infrastructure with McAfee ATD.

      As I understand the product, there is an appliance running some VMs that simulate our productive environment and run suspicious files to prove whether they are malicious or not.

      I read as much as I can about current threats, and what one often can read is that the malware recognizes whether it is running on a VM or not.

      So it's nice to have such a sandboxing technology, but not much of a need if the malware isn't executed.

       

      Is there some other technology from McAfee to compensate?

      Or does the VirusTotal implementation help here?

       

      Thank you guys for your answers.

       

      Dan

        • 1. Re: VM-aware Malware in combination with ATD
          Troja

          Hi,

          First of all, I would recommend a look at the McAfee Expert Center.

          There you can find much useful information about ATD and Threat Intelligence Exchange (TIE).

           

          First of all: yes, you are right. Yes, the vendors implemented sandbox systems. Afterwards the malware designers designed mechanisms to detect sandboxing. Afterwards the vendors changed their systems to prevent sandbox detection. This is a never-ending war game at the moment. This game is not only played for sandbox systems; this game is played everywhere where security should be bypassed. :-)

           

          Threat Intelligence Exchange is a mechanism to, let me say, collect data/metadata. The information is processed to determine the resulting reputation score for a file. For communication, DXL is used as a standard communication bus system.
          Now, any information is helpful.
          - McAfee already implemented "information pools" like the GTI cloud.
          - Several products can be integrated into TIE: VSE, Application Control, Web Gateway. New products will be integrated soon.
          - Reputation scores from ATD can be added to TIE.
          - There will be several SIA partners which integrate into TIE and are DXL ready.

           

          Advanced Threat Defense: If there is unknown code executed on your endpoint, the code is uploaded to the TIE server. The TIE server uploads the file to ATD. ATD executes the file and sends the result back to TIE.
          There are virtual images available on ATD where the code is executed. ATD does static and dynamic code analysis. An IOC is also generated and can be extracted from the report or automatically sent to ESM.

           

          VirusTotal integration: It depends, because VirusTotal can be triggered if a "TIE/Suspect..." event is generated on the endpoint.

          This is my understanding of what goes on with TIE/ATD/TIEM and VirusTotal. Hope this helps.

          [Attachment: TIE_Malware_Ablauf v2.0.gif]

           

          As you can see, there are many steps done to determine malicious behavior.

           

          Cheers, T.

          • 2. Re: VM-aware Malware in combination with ATD
            Daniel_S

            Thanks for the explanations Troja.

            I'll have a look at the link you provided.

             

            In my described case, TIE would upload to ATD, but there the malware wouldn't be triggered.

            So ATD would rate the file as non-malicious and give the score back to TIE, and TIE back to the endpoint, which would then execute the file.

            You are right, it's the old game...

             

            Thanks

            Dan

            • 3. Re: VM-aware Malware in combination with ATD
              kennywap

              Just from the perspective of ATD: I had just been to the 4-day administration class. McAfee has designed a proprietary hypervisor operating system that makes the VMs running on top look as physical as can be to thwart the "VM-aware" malware.

              • 4. Re: VM-aware Malware in combination with ATD
                Daniel_S

                Cool, good to know.

                 

                Have you been to the McAfee university?

                Was the course worth visiting?

                • 5. Re: VM-aware Malware in combination with ATD
                  Troja

                  Hi all,

                  here is some more information on how the reputation is determined.

                   

                  How a reputation is determined

                  File and certificate reputation is determined when a file attempts to run on a managed system.

                  These steps occur in determining a file or certificate's reputation:

                  1. A user or system attempts to run a file.
                  2. VirusScan Enterprise inspects the file and can't determine its validity and reputation.
                  3. The module for VirusScan Enterprise inspects the file and gathers file and local system properties of interest.
                  4. The module checks the local reputation cache for the file hash. If the file hash is found, the module gets the enterprise prevalence and reputation data for the file from the cache.
                  5. If the file hash is not found in the local reputation cache, the module queries the TIE server. If the hash is found, the module gets the enterprise prevalence data (and any available reputations) for that file hash.
                  6. If the file hash is not found in the TIE cache or database, the server queries McAfee GTI for the file hash reputation. McAfee GTI sends the information it has available, for example "unknown reputation", and the server stores that information. If Advanced Threat Defense is present and the file hash was not found in McAfee GTI, or if the policy on the endpoint indicates that the file should be sent to Advanced Threat Defense, the server sends the file for scanning. See the additional steps under "If Advanced Threat Defense is present".
                  7. The server returns the file hash's enterprise age, prevalence data, and reputation to the module based on the data that was found. If this is the first time the file is seen in the environment, the server also sends a first instance flag to the module. If McAfee Web Gateway is present and eventually sends a reputation score, TIE returns the reputation of the file.
                  8. The module evaluates this metadata to determine the file's reputation:
                    • File and system properties
                    • Enterprise age and prevalence data
                    • Reputation
                  9. The module takes action based on the policy assigned to the system that is running the file.
                  10. The module updates the server with the reputation information and whether the file is allowed or blocked. It also sends threat events to McAfee ePO via the McAfee Agent.
                  11. The server publishes the reputation change event for the file hash.

                  If Advanced Threat Defense is present

                  If Advanced Threat Defense is present, the following process occurs.

                  1. If the system running the file has access to Advanced Threat Defense and this is the first time the file is seen in the environment, the Threat Intelligence Exchange server sends the file to Advanced Threat Defense for scanning.
                  2. Advanced Threat Defense scans the file and sends file reputation results to the TIE server using the Data Exchange Layer. The server also updates the database and sends the updated reputation information to all TIE-enabled systems to immediately protect your environment. TIE or any other McAfee product can initiate this process. In either case, TIE processes the reputation and saves it in the database.

                  If McAfee Web Gateway is present

                  If McAfee Web Gateway is present, the following process occurs.

                  1. When downloading files, McAfee Web Gateway sends a report to the TIE server, which saves it in the database. When TIE receives a request from McAfee Web Gateway, TIE returns the reputation it received from McAfee Web Gateway.


                  Have fun :-)

                  Cheers

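The lookup chain in the reply above (local cache, then TIE server, then GTI, then ATD when present, then policy and reporting) is easier to reason about as code. The model below is an added example written for this thread; it is not McAfee code and none of its names, the reputation scale, or the `block_unknown_first_instance` policy switch come from the product. ATD is modelled as a synchronous verdict table for simplicity, whereas the reply describes the result arriving over DXL and being pushed to all TIE-enabled systems. It also shows the point from Dan's scenario: when neither GTI nor ATD can convict a never-before-seen file, the first-instance flag from step 7 is what a stricter endpoint policy (step 9) can act on.

```python
"""Constructed model of the TIE reputation lookup chain discussed in the thread.

Endpoint module -> local cache -> TIE server DB -> GTI -> ATD (if deployed) -> policy.
Illustrative code only, not McAfee's implementation; names and values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed reputation values; the real product uses its own scale.
UNKNOWN = "unknown"
KNOWN_TRUSTED = "known_trusted"
KNOWN_MALICIOUS = "known_malicious"
ALLOW, BLOCK = "allow", "block"


@dataclass
class Record:
    reputation: str
    prevalence: int = 0          # how many endpoint lookups have reported this hash


@dataclass
class TieServer:
    """Steps 5-7, 11 and the ATD section: server DB, GTI fallback, ATD hand-off."""
    gti: Dict[str, str] = field(default_factory=dict)   # simulated GTI cloud: hash -> reputation
    atd: Optional[Dict[str, str]] = None                # simulated ATD verdicts; None = no ATD deployed
    db: Dict[str, Record] = field(default_factory=dict)
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # published events

    def lookup(self, file_hash: str, policy_sends_to_atd: bool = False):
        rec = self.db.get(file_hash)
        first_instance = rec is None
        if rec is None:
            # Step 6: not in the TIE DB -> ask GTI and store whatever it returns (maybe "unknown").
            rec = Record(self.gti.get(file_hash, UNKNOWN))
            self.db[file_hash] = rec
            # ATD section: send the file when ATD exists and GTI had nothing (or policy says so).
            if self.atd is not None and (rec.reputation == UNKNOWN or policy_sends_to_atd):
                verdict = self.atd.get(file_hash, UNKNOWN)   # ATD static + dynamic analysis result
                if verdict != UNKNOWN:
                    rec.reputation = verdict
                    # Step 11: publish the reputation change for other TIE-enabled systems.
                    self.events.append(("reputation_change", file_hash, verdict))
        rec.prevalence += 1
        # Step 7: prevalence, reputation and the first-instance flag go back to the module.
        return rec.reputation, rec.prevalence, first_instance

    def report(self, file_hash: str, action: str) -> None:
        # Step 10: the module tells the server what it did with the file.
        self.events.append(("endpoint_action", file_hash, action))


@dataclass
class EndpointModule:
    """Steps 4 and 8-10: local cache, policy evaluation, reporting back."""
    server: TieServer
    block_unknown_first_instance: bool = False   # assumed policy knob, not a product setting
    cache: Dict[str, Record] = field(default_factory=dict)

    def on_execute(self, file_hash: str) -> dict:
        if file_hash in self.cache:                       # Step 4: local cache hit
            rec = self.cache[file_hash]
            rep, prevalence, first = rec.reputation, rec.prevalence, False
        else:                                             # Step 5: ask the TIE server
            rep, prevalence, first = self.server.lookup(file_hash)
            self.cache[file_hash] = Record(rep, prevalence)
        # Steps 8-9: decide from reputation plus first-instance metadata under the policy.
        if rep == KNOWN_MALICIOUS:
            action = BLOCK
        elif rep == UNKNOWN and first and self.block_unknown_first_instance:
            action = BLOCK
        else:
            action = ALLOW
        self.server.report(file_hash, action)
        return {"reputation": rep, "prevalence": prevalence,
                "first_instance": first, "action": action}


def demo() -> List[dict]:
    """Constructed scenario: one hash GTI knows, one only ATD convicts, one nobody knows."""
    server = TieServer(gti={"sha256_good": KNOWN_TRUSTED},
                       atd={"sha256_bad": KNOWN_MALICIOUS})
    ep1 = EndpointModule(server, block_unknown_first_instance=True)
    ep2 = EndpointModule(server)
    return [ep1.on_execute("sha256_good"),
            ep1.on_execute("sha256_good"),   # second run: local cache, no first-instance flag
            ep1.on_execute("sha256_bad"),    # GTI unknown -> ATD convicts -> blocked
            ep1.on_execute("sha256_new"),    # nobody knows it; ep1 policy blocks first instance
            ep2.on_execute("sha256_new")]    # ep2 sees it second; default policy allows


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the unknown file being blocked on its first appearance only by the endpoint whose policy uses the first-instance flag; the second endpoint sees prevalence 2 and no flag, so under the default policy it runs the file. That is exactly the gap Dan describes when a sandbox verdict comes back clean, and it is where the endpoint policy (step 9) rather than the sandbox does the work.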