11 Replies Latest reply on Apr 27, 2017 12:53 PM by Troja

    Using ATD and CTD in the same environment

    Jon Scholten

      Hey Troja,

      In your comment here, you asked the following: https://community.mcafee.com/docs/DOC-9375#comment-27670

      Hello,

      just a question :-)

      How can this be handled if we have a complex ruleset for customers, e.g. MWG is used by a service provider?

      Customer A: Cloud Threat Detection (waiting for result)

      Customer B: Uses Cloud Threat Detection with immediate File availability

      Customer C: Uses the ATD Appliance with Data Trickling

      Customer D: Some users/groups using ATD Appliance with Data Trickling, some users/groups are using ATD with immediate file availability.

      Customer E: Uses ATD Appliance with Data Trickling.

      Is this possible??

      Cheers

      How are you differentiating between the customers? Is it a combination of different things?

      I ask because I'm working on a ruleset to accomplish what you're asking for. So I want to accommodate your needs.

      Best Regards,

      Jon

        • 1. Re: Using ATD and CTD in the same environment
          Troja

          Hello Jon,

          let me explain in some more detail. :-)

          There are 30 Webgateways in a Cluster Environment. Customer A to E are hosted by one Service Provider. The Service Provider manages the whole MWG Cluster Environment. The customers A to E are separated by the Proxy port in the MWG ruleset. There are virtual appliances available for the central Management (high availability Management). All MWGs are connected to a DXL fabric. One ATD-6000 Appliance and 8 EPO Servers are connected to this DXL fabric.

          Now, Customer A to E are using one MWG Environment where every Customer has an assigned Proxy port.

          Based on the contract between the Service Provider and the customer, different ATD services (ATD, CTD and so on) should be available. Additionally, based on user/group, different ATD usage should be configurable, e.g. trickling during download or offload scanning. This should also be possible based on content type: when downloading composite objects a trickling page should be shown, when downloading a PE offline scanning should be available.

          Hope this is easier to understand. :-)

          Best Regards,

          Thorsten

          • 2. Re: Using ATD and CTD in the same environment

            Online scan (waiting for the result with or without data trickling) is not a problem at all. The tricky part would be offline scan for customers B and D. I would suggest adding a group "CustomerB" or "CustomerD" to the list of user groups before calling property Antimalware.MATD.InitBackgroundScan to differentiate between customers later, when condition Antimalware.MATD.IsBackgroundScan becomes true. You can also (mis)use the following properties to identify customers when handling the background scan request: client IP, Authentication.IsAuthenticated, authentication method, realm and user name.

            Andrej.

            • 3. Re: Using ATD and CTD in the same environment
              Jon Scholten

              Hi Thorsten,

              I have the ruleset created, see attached. There are three rulesets overall.

              1) Add ATD/CTD Groups

              2) Advanced Threats (ATD/CTD)

              3) Handle Offline Scanning (ATD/CTD)

              The only ruleset you should have to touch is 1), 2) goes at the bottom below GAM, and 3) goes at the top.

              For 1) we are appending special groups to the transaction. You define the criteria for which this special group gets added (based on location, customer, etc...).

              For 2) I added options for inline or offline scanning for documents and executables, like you mentioned.

              For 3) I added TIE reputation publishing for CTD convictions; I still need to tweak this a bit.

              The presence of these added groups dictates how the transaction will be scanned (using CTD-inline, CTD-offline, ATD-inline, ATD-offline). As mentioned by Andrej, CTD inline is only possible in the cloud, so the rules also adjust for this.

              Let me know if you have any suggestions or problems. To reiterate, everything is dictated mostly by the groups.

              Best Regards,

              Jon

              • 4. Re: Using ATD and CTD in the same environment
                Troja

                Hello Jon,

                looks pretty nice! :-)

                I will check this soon. Let's see how this works in my environment.

                Just a question: in your screenshot I see a rule called "Handle Offline Scanning for ATD/CTD". I have not found such a ruleset in my MWG ruleset library. Where can I find it?

                Cheers

                • 5. Re: Using ATD and CTD in the same environment
                  Jon Scholten

                  Hey Thorsten!

                  All rulesets should have been included in the export I attached.

                  In any case I've made a little more progress in cleaning up the rules.

                  See attached.

                  Best Regards,
                  Jon

                  • 6. Re: Using ATD and CTD in the same environment
                    Troja

                    Coool,

                    just a completely different question. Is there an editor available to build rules, or do I have to do this manually in XML? :-)

                    Cheers

                    • 7. Re: Using ATD and CTD in the same environment
                      Jon Scholten

                      Hi Thorsten,

                      The rules I uploaded use "simplified view"; it's meant to hide the complexity of the rules.

                      If you find that you need to unlock them (either for understanding or customization), please let me know how I might be able to make it easier to understand.

                      One debugging feature I built into the rules is the ability to change the scanning profile based on URL parameters:

                      hxxp://malwarehost.tld/testsample-80b.exe?ctdinline&mwgthreattesting // Results in an inline CTD scan

                      hxxp://malwarehost.tld/testsample-80b.exe?ctdoffline&mwgthreattesting // Results in an offline CTD scan

                      hxxp://malwarehost.tld/testsample-80b.exe?atdoffline&mwgthreattesting // Results in an offline ATD scan

                      hxxp://malwarehost.tld/testsample-80b.exe?atdinline&mwgthreattesting // Results in an inline ATD scan

                      The URL parameter "mwgthreattesting" will have the MWG block the file regardless of the ATD/CTD conviction. This is useful if you're testing with a known bad sample and don't want it to reach your test endpoint.

                      Also built into the rules is a "demo hashes" list, where you can add in hashes to force a check against CTD, because by default CTD only checks unknown files. Adding a hash to the list forces MWG to check against CTD.

                      Best Regards,

                      Jon
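The group-driven dispatch Andrej (post 2) and Jon (posts 3 and 7) describe, as an added Python model that is not part of the thread or of the attached MWG rulesets; the proxy port numbers, the group name "ATD-Offline" and the per-customer policy table are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ruleset 1 ("Add ATD/CTD Groups"): proxy port -> customer group. Ports are constructed.
PORT_TO_CUSTOMER = {9001: "CustomerA", 9002: "CustomerB", 9003: "CustomerC",
                    9004: "CustomerD", 9005: "CustomerE"}
# Per-customer default (engine, mode) from Thorsten's contract list:
# "waiting for result" = inline, "immediate file availability" = offline.
CUSTOMER_POLICY = {"CustomerA": ("CTD", "inline"), "CustomerB": ("CTD", "offline"),
                   "CustomerC": ("ATD", "inline"), "CustomerD": ("ATD", "inline"),
                   "CustomerE": ("ATD", "inline")}
# Debug URL parameters from Jon's post 7; "mwgthreattesting" forces a block.
DEBUG_PARAMS = {"ctdinline": ("CTD", "inline"), "ctdoffline": ("CTD", "offline"),
                "atdinline": ("ATD", "inline"), "atdoffline": ("ATD", "offline")}
OFFLINE_GROUP = "ATD-Offline"  # assumed name of Customer D's offline-entitled group

@dataclass
class Transaction:
    proxy_port: int
    groups: set = field(default_factory=set)      # user groups seen by the rules
    is_pe: bool = False                           # PE (executable) vs composite object
    url_params: set = field(default_factory=set)  # query parameter names

def add_groups(tx):
    """Ruleset 1: tag the customer group before any background scan is started,
    so it is visible again when Antimalware.MATD.IsBackgroundScan becomes true."""
    customer = PORT_TO_CUSTOMER.get(tx.proxy_port)
    if customer:
        tx.groups.add(customer)
    return tx

def scan_profile(tx):
    """Ruleset 2: (engine, mode). Debug parameters win, then the contract,
    then the per-group refinement: PEs for offline-entitled users go offline."""
    for param in tx.url_params:
        if param in DEBUG_PARAMS:
            return DEBUG_PARAMS[param]
    customer = next((g for g in tx.groups if g in CUSTOMER_POLICY), None)
    if customer is None:
        return (None, None)  # port not covered by a contract: no ATD/CTD scan
    engine, mode = CUSTOMER_POLICY[customer]
    if engine == "ATD" and OFFLINE_GROUP in tx.groups and tx.is_pe:
        mode = "offline"  # deliver now, scan in the background
    return (engine, mode)  # composite objects keep the inline trickling page

def final_action(tx, convicted):
    """Block convictions, and block anything tagged mwgthreattesting even when
    the engine says clean, so a known-bad test sample never reaches the client."""
    return "block" if convicted or "mwgthreattesting" in tx.url_params else "allow"
```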

                      • 8. Re: Using ATD and CTD in the same environment
                        Troja

                        Okay, so I will try...

                        Regarding the "simplified view": can I build such a rule on my own? I designed a complex ruleset to integrate MWG into TIE/DXL. A simplified view would be great, also if there is an editor available for this. :-)

                        Cheers

                        • 9. Re: Using ATD and CTD in the same environment
                          Jon Scholten

                          Hi Thorsten,

                          You can indeed build a simplified view of your own; you'd need to borrow from other rulesets using their XML. There isn't an editor for this, though.

                          Best Regards,

                          Jon
