McAfee ATD Manual
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, Foundstone, McAfee LiveSafe, McAfee QuickClean, McAfee SECURE,
SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, TrustedSource, VirusScan are trademarks of McAfee LLC or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
1 Introduction 9
The malware threat scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The Advanced Threat Defense solution . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Disable telemetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configuring Email Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Enable and configure Email Connector . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring your Secure Email Gateway for Email Connector . . . . . . . . . . . . . . . 80
Configure Email Connector filtering rules . . . . . . . . . . . . . . . . . . . . . . . 81
Understanding Email Headers with analysis status . . . . . . . . . . . . . . . . . . . 82
Set minimum SSL/TLS version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Enable Common Criteria (CC) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Enable account lock out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configure the minimum number of password characters . . . . . . . . . . . . . . . . . . . . 84
Add the Advanced Threat Defense logon banner . . . . . . . . . . . . . . . . . . . . . . . 85
Generating a Certificate signing request (CSR) . . . . . . . . . . . . . . . . . . . . . . . . 85
Generate a CSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Upload certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3 Updating content 87
Defining Custom Behavioral Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Create the Custom Behavioral Rules file . . . . . . . . . . . . . . . . . . . . . . . 88
Define Custom Yara Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Create Custom YARA Scanner files . . . . . . . . . . . . . . . . . . . . . . . . . 89
Import custom behavioral and YARA scanner rules . . . . . . . . . . . . . . . . . . . . . . 90
Change custom behavioral rules and YARA scanner files . . . . . . . . . . . . . . . . . . . . 90
Disable custom behavioral rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage whitelist database samples . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage the file and URL samples . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage the digital signature samples . . . . . . . . . . . . . . . . . . . . . . . . 92
Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus . . . . . . . . . . . . . . . 92
Update the detection package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Automatically download the latest Detection Package . . . . . . . . . . . . . . . . . . 92
Manually upload the latest Detection Package . . . . . . . . . . . . . . . . . . . . . 93
4 Analyzing malware 95
Analyze files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Upload files for analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Upload files for analysis using SFTP . . . . . . . . . . . . . . . . . . . . . . . . 100
Analyze URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Analyzing URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Upload URLs for analysis using Advanced Threat Defense web interface . . . . . . . . . . . 102
Monitor the status of malware analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 102
View the analysis results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
View the Threat Analysis report . . . . . . . . . . . . . . . . . . . . . . . . . . 105
View the Dropped Files report . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Viewing and Understanding the Disassembly Results report . . . . . . . . . . . . . . . 107
Logic Path Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
User API Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Download the Complete Results .zip file . . . . . . . . . . . . . . . . . . . . . . 110
Download the original sample . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Submit false positive and negative samples . . . . . . . . . . . . . . . . . . . . . . . . 111
Submit false positive samples . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Submit false negative samples . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Troubleshoot low sandbox file scores . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Monitor Advanced Threat Defense with the Dashboard . . . . . . . . . . . . . . . . . . . . 113
Index 167
McAfee Advanced Threat Defense (Advanced Threat Defense) is an on-premise appliance that facilitates
detection and prevention of malware.
Advanced Threat Defense provides protection from known, near-zero day, and zero-day malware without
compromising on the quality of service to your network users.
Advanced Threat Defense has the added advantage of being an integrated solution. In addition to its own
multi-level threat detection capabilities, it integrates seamlessly with other McAfee security products to
protect your network against malware and other Advanced Persistent Threats (APTs).
Contents
The malware threat scenario
The Advanced Threat Defense solution
• Detection of file downloads: When a user attempts to download a file from an external resource, your
security product must be able to detect it.
• Analysis of the file for malware: You must be able to verify if the file contains any known malware.
• Block future downloads of the same file: Subsequently, if the file is found to be malicious, your anti-malware
protection must prevent future downloads of the same file or its variants.
• Identify and remediate affected hosts: Your security system must be able to identify the host which
executed the malware, and also detect the hosts to which it has spread. Then, it must provide an option to
quarantine the affected hosts until they are clean again.
There are other industry-leading McAfee anti-malware products for the web, network, and endpoints. However,
McAfee recognizes that a robust anti-malware solution requires a multi-layered approach, the result of which is
Advanced Threat Defense.
Advanced Threat Defense integrates with other McAfee and third-party products to provide you a multilayered
defense mechanism against malware.
• Integrates with McAfee Global Threat Intelligence (McAfee GTI) for cloud-lookups to detect malware that
• Dynamically analyzes the file by executing it in a virtual sandbox environment. Based on how the file
behaves, Advanced Threat Defense determines its malicious nature.
• Allows you to configure your Secure Email Gateway to send emails and attachments to Advanced Threat
Defense for analysis.
Here are some of the advantages that Advanced Threat Defense provides:
• Advanced Threat Defense does not sniff or tap into your network traffic. It analyzes the files submitted to it
for malware. This means that you can place the McAfee Advanced Threat Defense Appliance anywhere in
your network as long as it is reachable by all the integrated McAfee products. One Advanced Threat Defense
Appliance can also serve all such integrated products (assuming the number of files submitted is within the
supported level). This design can make it a cost-effective and scalable anti-malware solution.
• For malware analysis, Advanced Threat Defense can receive files from these inline devices:
• IPS Sensors
• Android is currently one of the top targets for malware developers. With this integration, the Android-based
handheld devices on your network are also protected. You can dynamically analyze the files downloaded by
your Android devices such as smartphones and tablets.
• Files are concurrently analyzed by various engines. So, it is possible for known malware to be blocked in
almost real time.
• When Advanced Threat Defense dynamically analyzes a file, it selects the analyzer virtual machine that uses
the same operating system and applications as the target host. The dynamic analysis can be facilitated
through its integration with McAfee ePolicy Orchestrator (McAfee ePO) or through the passive device
profiling feature of McAfee Network Security Platform. Advanced Threat Defense runs the file only in the
virtual environment. The dynamic analysis results help you identify the exact impact on a targeted host if
the file is run. You can also configure your environment to take the required remedial measures.
• When hosts download zero-day malware, the Sensor submits the file to Advanced Threat Defense. After
dynamic analysis, Advanced Threat Defense determines if the file is malicious. Based on the Advanced
Malware policy, the Manager adds the malware to the Sensor blacklist. If the file is also on the Advanced
Threat Defense blacklist, the file's ability to re-enter your network is greatly reduced.
• Even the first time when a zero-day malware is downloaded, you can contain it by quarantining the affected
hosts until they are cleaned and remediated.
• Packing can change the composition of the code or enable malware to evade reverse engineering, so proper
unpacking is critical to obtaining the actual malware code for analysis. Advanced Threat Defense is capable
of unpacking the code so that the original code is recovered for static analysis.
To configure Advanced Threat Defense for malware analysis, log on to the Advanced Threat Defense web
interface.
Change the password for cliadmin from the command-line interface and the password for atdadmin from the
web interface before you configure the appliance. Some configurations fail if the default passwords are still in
use.
Contents
Terminologies
Malware analysis workflow
Add users
Creating analyzer VMs
Create analyzer profiles
Integrate Advanced Threat Defense with compatible products
Configure the date and time
Configure the maximum wait time threshold
Configure DNS setting
Configure LDAP
Configure proxy servers for Internet connectivity
Configure SNMP setting
Configure the syslog settings
Configure telemetry
Configuring Email Connector
Set minimum SSL/TLS version
Enable Common Criteria (CC) mode
Enable account lock out
Configure the minimum number of password characters
Add the Advanced Threat Defense logon banner
Generating a Certificate signing request (CSR)
Upload certificates
Terminologies
Being familiar with the following terminologies facilitates malware analysis using Advanced Threat Defense.
• Static analysis — When Advanced Threat Defense receives a supported file for analysis, it first performs static
analysis of the file. The objective is to check if it is a known malware in the shortest possible time, and also
to preserve the Advanced Threat Defense resources for dynamic analysis. For static analysis, Advanced
Threat Defense uses these resources in the following order.
• Global Whitelist — This is the list of MD5/SHA-256 hash values of trusted files and VBA scripts embedded
inside a Microsoft Office application, which need not be analyzed.
The whitelist feature is enabled by default. To disable it, use the setwhitelist command.
In a load-balancing scenario, after the cluster creation, run the whitelistMerge cluster command
on the Active node to manually copy the Global Whitelist database of Active node onto Secondary/
Backup nodes. This is only a one-time activity, after which the Whitelist database of Secondary/Backup
nodes is automatically overwritten by that of Active node at 0000 hours on a daily basis.
• Local Blacklist — This is the list of MD5 hash values of known malware stored in the Advanced Threat
Defense database. When Advanced Threat Defense detects a malware through its heuristic McAfee
Gateway Anti-Malware engine or through dynamic analysis, it updates the local blacklist with the file
MD5 hash value. A file is added to this list automatically only when its malware severity as determined by
Advanced Threat Defense is medium, high, or very high. There are commands to manage the entries in
the blacklist.
• McAfee GTI — This is a global threat correlation engine and intelligence base of global messaging and
communication behavior, which enables the protection of the customers against both known and
emerging electronic threats across all threat areas.
For File Reputation queries to succeed, make sure Advanced Threat Defense is able to communicate with
tunnel.message.trustedsource.org over HTTPS (TCP/443). Advanced Threat Defense retrieves the
URL updates from List.smartfilter.com over HTTP (TCP/80).
• Gateway Anti-Malware — McAfee Gateway Anti-Malware Engine analyzes the behavior of web sites, web site
code, and downloaded Web 2.0 content in real time to preemptively detect and block malicious web
attacks. It protects businesses from modern blended attacks, including viruses, worms, adware, spyware,
riskware, and other crimeware threats, without relying on virus signatures.
• Anti-Malware — The DAT is updated automatically or manually based on the network connectivity of
Advanced Threat Defense.
Static analysis also involves analysis through reverse engineering of the malicious code. This includes
analyzing all the instructions and properties to identify the intended behaviors, which might not surface
immediately. This also provides detailed malware classification information, widens the security cover,
and can identify associated malware that leverages code re-use.
By default, Advanced Threat Defense downloads the updates for McAfee Gateway Anti-Malware Engine and
McAfee Anti-Malware Engine every 90 minutes.
• Dynamic Analysis — Advanced Threat Defense executes the file in a secure VM and monitors its behavior to
check how malicious the file is. At the end of the analysis, it provides a detailed report as required by the
user. By default, if static analysis identifies the malware, Advanced Threat Defense does not perform
dynamic analysis. However, you can configure Advanced Threat Defense to perform dynamic analysis
regardless of the results from static analysis. You can also configure only dynamic analysis without static
analysis. Dynamic analysis includes the disassembly listing feature of Advanced Threat Defense as well. This
feature can generate the disassembly code of PE files for you to analyze the sample further. The dynamic
analysis sequence uses these resources in the following order.
• Global Whitelist
• Local Blacklist
• McAfee GTI, McAfee Gateway Anti-Malware Engine, and McAfee Anti-Malware Engine
• YARA scanner
• Dynamic Analysis
See also
Define Custom Yara Scanner on page 89
2 Advanced Threat Defense applies the analyzer profile that you specified during file upload.
3 Based on the configuration in the analyzer profile, it determines the modules to use for static analysis and
checks the file against those modules.
4 If the file is found to be malicious during static analysis, Advanced Threat Defense stops further analysis and
generates the required reports. This, however, depends on how you have configured the corresponding
analyzer profile.
5 If the static analysis does not report any malware or if you had configured Advanced Threat Defense to
perform dynamic analysis regardless of the results from static analysis, Advanced Threat Defense initiates
dynamic analysis for the file.
6 It executes the file in the corresponding analyzer VMs and records every behavior. The analyzer VM is
determined based on the VM profile in the analyzer profile.
7 If the file is fully executed or if the maximum execution period expires, Advanced Threat Defense prepares
the required reports.
8 After dynamic analysis is complete, it sets the analyzer VMs to their baseline version so that they can be
used for the next file in queue.
Providing Internet access to samples enables Advanced Threat Defense to analyze the network behavior of a
sample and also determine the impact of the additional files downloaded from the Internet. Some malware
might try to determine whether it is being executed in a sandbox by requesting Internet access and then alter
its behavior accordingly.
When an analyzer VM is created, Advanced Threat Defense makes sure that the analyzer VM has the
configurations to communicate over a network when required.
You can control granting real network access to an analyzer VM through a setting in the analyzer profiles.
Network services are provided regardless of the method used to submit the sample. For example, it is provided
to samples submitted manually using the Advanced Threat Defense web interface as well as samples submitted
by the integrated products.
When samples access Internet resources, Advanced Threat Defense checks if the Internet connectivity is
enabled in the corresponding analyzer profile. Based on whether Internet connectivity is enabled or not,
Advanced Threat Defense determines the mode that provides the network services:
• Simulator mode — If Internet connectivity is not enabled in the analyzer profile, this mode is used.
Advanced Threat Defense can represent itself as being the target resource. For example, if the sample
attempts to download a file through FTP, Advanced Threat Defense simulates this connection for the
analyzer VM.
• Real Internet mode — This mode requires the management port (eth-0), eth-1, eth-2 or eth-3 to have
access to the Internet. If Internet connectivity is enabled in the analyzer profile, Advanced Threat Defense
uses this mode. Advanced Threat Defense provides real Internet connection through the management port
by default, which is publicly routed or directed towards your enterprise firewall as per your network
configuration. Because the traffic from an analyzer VM could be malicious, you might want to segregate this
traffic away from your production network. In this case, you can use Advanced Threat Defense's eth-1, eth-2,
or eth-3 to provide Internet access to the analyzer VM.
Advanced Threat Defense logs all network activities. The types of reports generated vary based on the mode:
• Network activities are summarized and presented in the Analysis Summary report. You can find the DNS
queries and socket activities under network operations. You can find all the network activities in the Network
Operations section of the report.
• The dns.log report also contains the DNS queries made by the sample.
• The packet capture of the network activities is provided in the NetLog folder within the Complete Results zip
file.
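The packet capture in the NetLog folder is the raw record of what the sample did on the wire in either mode. The following Python is an added example, not part of the product or this manual: it reads a classic pcap file (Ethernet link type and IPv4 only, which are assumptions of the example) and extracts the DNS names queried and the destination endpoints contacted, the two things a responder usually pulls from a sandbox capture first. The capture it parses is constructed inline.

```python
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic (non-ng) pcap, microsecond timestamps


def encode_qname(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns_query(qname, txid=0x1234):
    """Standard A-record query (constructed test input)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet/IPv4 frame carrying UDP (17) or a TCP SYN (6); checksums left zero."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + l4


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_qname(buf, off, depth=0):
    """Decode a DNS name; compression pointers are followed with a depth cap so a
    crafted capture cannot send the parser into a loop."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            if depth > 4:
                raise ValueError("DNS name pointer chain too deep")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            rest, _ = parse_qname(buf, ptr, depth + 1)
            return ".".join(labels + [rest]), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def summarize_pcap(data):
    """Return (Counter of queried DNS names, Counter of (dst_ip, proto, dport))."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    queries, endpoints = Counter(), Counter()
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        dst, l4 = str(ipaddress.IPv4Address(pkt[30:34])), pkt[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue
        dport = struct.unpack("!H", l4[2:4])[0]
        endpoints[(dst, "udp" if proto == 17 else "tcp", dport)] += 1
        if proto == 17 and dport == 53 and len(l4) >= 20:
            dns, pos = l4[8:], 12
            for _ in range(struct.unpack("!H", dns[4:6])[0]):
                name, pos = parse_qname(dns, pos)
                queries[name] += 1
                pos += 4  # skip QTYPE and QCLASS
    return queries, endpoints


# Constructed capture standing in for the NetLog packet capture: three DNS lookups
# and one TCP connection attempt by the analyzer VM (10.0.0.5).
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.1", 17, 51000, 53, build_dns_query("update.example.net")),
    build_frame("10.0.0.5", "10.0.0.1", 17, 51001, 53, build_dns_query("cdn.example.org")),
    build_frame("10.0.0.5", "10.0.0.1", 17, 51002, 53, build_dns_query("update.example.net")),
    build_frame("10.0.0.5", "203.0.113.10", 6, 51003, 443, b""),
])

if __name__ == "__main__":
    q, e = summarize_pcap(SAMPLE_PCAP)
    print("DNS queries:", dict(q))
    print("Endpoints:", dict(e))
```

The parser treats the capture as hostile input, which is the right posture for anything a sample produced: it refuses unknown file magic rather than guessing, and it caps DNS name pointer chains so a crafted response in the capture cannot stall the triage script.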
Task
1 Log on to the Advanced Threat Defense CLI and enable the malware port.
For example, set intfport 1 enable to enable eth-1 port
3 For the Ethernet port, configure the gateway through which you want to route the Internet access.
For example, set malware-intfport 1 gateway 10.10.10.252
4 To check whether the port is configured for malware Internet access, use the show intfport <port
number> command.
For example, show intfport 1.
• Malware Gateway
To revert to the management port (eth-0) for malware Internet access, run set malware-intfport mgmt in
the CLI. Advanced Threat Defense then uses the management port IP and default gateway to provide Internet
access to samples.
For general Advanced Threat Defense traffic, use the route add network command.
For Internet traffic from analyzer VMs, use set malware-intfport.
The route add network and set malware-intfport commands do not affect each other.
Add users
Create accounts for users on your network, then assign them permissions.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
The number of analyzer VMs you can create is limited by the following conditions:
• the available Advanced Threat Defense Appliance disk space.
Advanced Threat Defense limits the maximum number of analyzer VMs you can use for analysis.
• ATD-3000 — 29 analyzer VMs
The number of concurrent licenses that you specify affects the number of concurrent active analyzer VMs.
Any security software or low-level utility tool on an analyzer VM can interfere with the dynamic analysis of the
sample file. The sample-file execution can be terminated during dynamic analysis. As a result, the reports might
not capture the full behavior of the sample file. If you need to find out the complete behavior of the sample file,
do not patch the operating system of the analyzer VM or install any security software on it.
Contents
Analyzer VM requirements
Create the virtual machine
Create the VMDK file
Prepare the VMDK image for analysis
Install Microsoft Office on the virtual machine
Enable PDF file analysis
Enable JAR file analysis
Enable Flash file analysis
Import the VMDK file
Convert the VMDK file to an image file
Create VM profiles
View the system logs
Analyzer VM requirements
To create the analyzer VM and VM profile, review the recommended requirements.
• If you already have a VMDK file, it must be a single file that contains all the files required to create
the VM.
• The platforms and other specifications listed here are based on McAfee test results.
VM workstations and RAM size
Android: 2.3, 4.3, 5.2
Android 2.3 and 4.3 are pre-installed on the Advanced Threat Defense Appliance.
If you are using a Microsoft Windows operating system, you must have the license key, and it must come in one
of these languages:
• English
• Japanese
• German
• Italian
• French
Required applications
Table 2-1 Required applications
Application | Supported version | Supported languages
Internet Explorer | 6, 7, 8, 9, 10, and 11 | English, Chinese-Simplified, Japanese, German, and Italian
Mozilla Firefox | all versions until 54.0 | English, Chinese-Simplified, Japanese, German, and Italian
Google Chrome | all versions until 59 | All languages
Microsoft Office | 2003, 2007, 2010, 2013, and 2016 | English
• 10
• 11
Disk space
The minimum available disk space must be 200 MB. The maximum used total disk space must not exceed 30
GB.
The disk space affects the maximum number of VMs you can create.
Maximum VMs
The following table specifies the maximum number of VMs that you can create for each Microsoft Windows
operating system. The number of VMs listed in the table is based on the assumption that the disk space
occupied by Windows is not more than 22 GB.
The disk space occupied by Windows could affect the maximum number of VMs you can create. For example, if
the OS occupies 30 GB, then you can only create 21 VMs on ATD-3000/3100 and 42 VMs in ATD-6000/6100.
• Microsoft Windows 8.1 64-bit Enterprise (Update 1 version 6.3 build 9600)
Task
1 Make sure you have your operating system ISO image and license key.
5 To complete the New Virtual Machine Wizard, configure the following options, then click Next on each page.
Specify Disk File: Make sure that virtualMachineImage.vmdk appears in the field. If you specified a different
virtual machine name, that name appears here.
Ready to Create Virtual Machine: Select Power on this virtual machine after creation, then click Finish. This
step can take up to 30 minutes to complete.
Tasks
• Create a VMDK file for Windows 7 on page 24
If you are using Windows 7, use the following steps to create the VMDK file.
• Create a VMDK file for Windows 8 on page 25
If you are using Windows 8, use these steps to create the VMDK file.
• Create a VMDK file for Windows XP on page 25
If you are using Windows XP, use the following steps to create the VMDK file.
• Create a VMDK file for Windows Server 2003 on page 26
If you are using Windows Server 2003, use the following steps to create the VMDK file.
• Create a VMDK file for Windows Server 2008 on page 27
If you are using Windows Server 2008, use the following steps to create the VMDK file.
• Create a VMDK file for Windows 8.1 on page 27
If you are using Windows 8.1, use these steps to create the VMDK file.
• Create a VMDK file for Windows 10 on page 28
If you are using Windows 10, use these steps to create the VMDK file.
• Create a VMDK file for Windows 10 version 1703 (Redstone 2) on page 29
If you are using Windows 10 version 1703 (Redstone 2), use these steps to create the VMDK file.
• Create a VMDK file for Windows 2012 on page 29
If you are using Windows 2012, use these steps to create the VMDK file.
• Create a VMDK file for Windows 2012 R2 on page 30
If you are using Windows 2012 R2, use these steps to create the VMDK file.
• Create a VMDK file for Windows Server 2016 Standard on page 30
If you are using Windows Server 2016 Standard, use these steps to create the VMDK file.
Task
1 In the Removable Devices window, select Do not show this hint again, then click OK.
The Windows installation can take up to 15 minutes.
2 In the Set Network Location window, select Public Network, then close the window.
Task
1 Configure Adobe Reader as the default application to open PDF files.
a Open the Control Panel, then select Programs | Default Programs | Associate a file type or protocol with a program.
c Click Close.
2 In the Removable Devices window, select Do not show this hint again, then click OK.
The Windows installation can take up to 15 minutes.
• cr@cker42
Task
1 Complete the Windows XP setup.
a When the message Setup cannot continue until you enter your name. Administrator and Guest are not allowable
names to use appears, click OK.
b In the Windows XP Professional Setup window, enter the following, then click Next.
• Name — root
• Password — cr@cker42
Advanced Threat Defense does not support VMware Tools. If you cannot stop the VMware Tools installation,
you can continue with the VMDK file creation process, but make sure VMware Tools is uninstalled by the time
the VMDK file is ready.
5 Next to the Use ISO image file field, click Browse, locate the ISO file, then click OK.
6 Download and install the following Redistributable Packages and .NET Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 In the VMware Workstation, turn on the virtual machine, then install Windows Server 2003.
• This step can take up to 30 minutes.
• To format the partition during installation, you can use the NTFS file system.
• Advanced Threat Defense does not support VMware Tools. If you cannot stop the VMware Tools installation,
you can continue with the VMDK file creation process, but make sure VMware Tools is uninstalled by the
time the VMDK file is ready.
2 For each Windows setup window, configure the options, then click Next.
• Password — cr@cker42
5 If you are using Windows Server 2003 SP1, complete the following.
a Install the hotfix for Microsoft Windows Server 2003.
6 Download and install the following Redistributable Packages and .NET Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 In the Removable Devices window, select Do not show this hint again, then click OK.
The Windows installation can take up to 15 minutes.
2 In the Initial Configuration Tasks window, select Do not show this window at logon, then click Close.
Task
1 From New Virtual Machine wizard, select BIOS as the firmware type.
2 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.
4 On the Activate Windows page, enter your Windows product key, or select I don't have a product key to activate
it later, then click Next.
6 On the Windows Setup page, select Custom: Install Windows only (advanced), use the default disk space settings,
then click Next.
The step is completed in five stages. Wait for all stages to complete.
8 For the type of owner, select I own it, then click Next.
9 Asked to enter your Microsoft Account Details, select Skip this step.
• Password — cr@cker42
12 Wait until the installation is complete, then install the required software.
Log on to your computer and make sure that these redistributable packages are installed.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 From New Virtual Machine wizard, select BIOS as the firmware type.
2 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.
4 On the Activate Windows page, enter your Windows product key, or select I don't have a product key to activate
it later, then click Next.
6 On the Windows Setup page, select Custom: Install Windows only (advanced), use the default disk space settings,
then click Next.
The step is completed in five stages. Wait for all stages to complete.
8 For the type of owner, select I own it, then click Next.
10 In the Create an account for this PC window, use these credentials, then click Next.
• User name — admin
• Password — cr@cker42
11 In the Choose how you'll connect window, select Join a local Active Directory domain.
13 Wait until the installation is complete, then install the required software.
Log on to your computer and make sure that these redistributable packages are installed.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 From New Virtual Machine wizard, select BIOS as the firmware type.
2 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.
4 On the Activate Windows page, enter your Windows product key, or select I don't have a product key to activate
it later, then click Next.
6 On the Windows Setup page, select Custom: Install Windows only (advanced), use the default disk space settings,
then click Next.
The step is completed in five stages. Wait for all stages to complete.
11 In the Choose how you'll connect window, select Join a local Active Directory domain.
12 In the Create an account for this PC window, use these credentials, then click Next.
• User name — admin
• Password — cr@cker42
13 In the Choose Privacy settings window, keep the default settings, then click Next.
14 Wait until the installation is complete, then install the required software.
Log on to your computer and make sure that these redistributable packages are installed.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.
2 Click Install Now, accept the license terms, then click Next.
3 Select Custom Install Windows, Windows Server 2012 Datacenter, use the default disk space settings, then click Next.
5 Log on to the computer, then download and install the following redistributable packages and .NET
framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.
2 Click Install Now, accept the license terms, then click Next.
3 Select Custom Install Windows, Windows Server 2012 R2 Datacenter, use the default disk space settings, then click
Next.
5 Log on to the computer, then download and install the following redistributable packages and .NET
framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Task
1 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.
2 Click Install Now, accept the license terms, then click Next.
3 Select Custom Install Windows, Windows Server 2016 Standard, use the default disk space settings, then click Next.
5 Log on to the computer, then download and install the following redistributable packages and .NET
framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)
Tasks
• Run the VMDK Preparation Tool on page 31
Download the VMDK Preparation Tool from the Advanced Threat Defense interface, then run the
tool to prepare your VMDK images to capture malware behaviors in the sandbox environment.
• Prepare your VMDK image for analysis manually on page 32
Prepare your environment manually to capture malware behaviors in the sandbox environment.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense interface.
4 Save the VMDK Preparation Tool .exe file on your virtual machine.
5 Make sure that the Visual Studio 2012 C++ Redistributable is installed on the VM.
Download the x86 version of the Visual Studio 2012 C++ Redistributable for your corresponding operating
system language from https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=30679.
If the VMDK Preparation Tool reports errors, perform the steps manually, then run the tool again to verify.
To view the log file that contains all executed commands and registry changes, go to C:\vmdk_prep.log.
Before you shut down the virtual machine, copy the log file to another system (outside of the VM) for later
reference, then remove the log file.
Tasks
• Prepare a Windows XP image for analysis on page 32
Configure your Windows XP virtual system for analysis.
• Prepare a Windows Server 2003 image for analysis on page 34
Configure your Windows Server 2003 virtual system for analysis.
• Prepare a Windows 7 image for analysis on page 37
Configure your Windows 7 virtual system for analysis.
• Prepare a Windows Server 2008 image on page 40
Configure your Windows Server 2008 virtual system for analysis.
• Prepare a Windows 8 image for analysis on page 42
Configure your Windows 8 virtual system for analysis.
• Prepare a Windows 8.1 image for analysis on page 46
Configure your Windows 8.1 virtual system for analysis.
• Prepare a Windows 10 or Windows 10 v1703 (Redstone 2) image for analysis on page 49
Configure your Windows 10 virtual system for analysis.
• Prepare a Windows 2012 R2 image for analysis on page 53
Configure your Windows Server 2012 R2 virtual system for analysis.
• Prepare a Windows Server 2016 Standard image for analysis on page 56
Configure your Windows Server 2016 Standard virtual system for analysis.
Task
c In Use ISO image file, browse to the ISO file that you used and click OK.
3 Turn off the firewall in the virtual image: Select Start | Control Panel | Security Center | Windows Firewall | OFF.
c In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
• Common Files
b In the Internet Information Services page, expand the entry under Internet Information Services, then expand
FTP Sites.
d Browse to the C:\ drive, select Read, Write, and Log visits.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer and click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Open System.
b Lower the security to run macros for the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for other applications such as Microsoft Excel and
PowerPoint.
d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.
c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.
d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.
12 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
b From the Startup tab, deselect reader_sl and jusched, then click OK.
d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
Task
2 If the Windows Server Post-Setup Security Updates page appears, select Finish.
3 If the Manage Your Server window page appears, select Don't Display the page at logon and close the page.
b In the Group policy object editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.
5 Install the hotfix for Windows Server 2003 Service Pack 1 (if applicable).
Skip this step if you have Windows Server 2003 Service Pack 2.
6 Turn off the firewall in the virtual image: Select Start | Control Panel | Windows Firewall | OFF.
c In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
b In the Windows Components wizard, double-click Application Server, then double-click Internet Information
Services(IIS).
• Common Files
e In the Windows Components wizard, click Finish when the FTP installation is complete.
b In the Internet Information Services page, expand the entry under Internet Information Services, then expand
FTP Sites.
d Browse to the C:\ drive, select Read, Write, and Log visits.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer and click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Lower the security to run macros for the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for other applications such as Microsoft Excel and
PowerPoint.
d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.
c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.
d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.
15 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
b From the Startup tab, deselect reader_sl and jusched, then click OK.
d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
Task
b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.
c Select Internet Information Services | Web Management Tools | IIS Management Service.
c In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
b In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.
c Select Sites, right-click on Default FTP Site, select Remove, then click Yes to confirm.
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.
• Click Finish.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Under Important updates, select Never check for updates (not recommended).
c Deselect all options under Recommended updates, Who can install updates, Microsoft update, Software notifications.
d Click OK.
b Lower the security to run macros for the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for other applications such as Microsoft Excel and
PowerPoint.
d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.
c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.
d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.
11 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
b From the Startup tab, deselect reader_sl and jusched, then click OK.
d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
14 Disable the HTTP auto proxy server: Open command prompt with administrator privilege, then run these
commands.
• Net stop WinHttpAutoProxySvc
Task
2 If the Manage Your Server window page appears, select Don't Display the page at logon and close the page.
b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.
b In the Server Manager window, right-click Features and select Add Features.
b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
b In the Internet Information Services Manager page, select Sites, select Add FTP Site
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.
• Click Finish.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Under Important updates, select Never check for updates (not recommended).
d Click OK.
b Lower the security to run macros for the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for other applications such as Microsoft Excel and
PowerPoint.
d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.
c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.
d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.
13 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
b From the Startup tab, deselect reader_sl and jusched, then click OK.
d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
Task
1 From the native system, set up Windows 8 to display in the Desktop mode instead of the default Metro UI
mode when it starts.
a Press the Windows and R keys simultaneously, which is the shortcut to open the Run dialog box.
d Change Value data to explorer.exe, explorer.exe (instead of the default value of explorer.exe),
then click OK.
b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.
b Select Windows Defender | Settings | Administrators, deselect Turn on Windows Defender, then click Save changes.
c In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System |
Logon.
d Double-click Show first sign-in animation, select Disabled, then click OK.
d Select Internet Information Services | Web Management Tools | IIS Management Service.
f Select .NET Framework 3.5 (includes .NET 2.0 and 3.0), then select the Windows Communication Foundation HTTP
Activation and Windows Communication Foundation Non-HTTP Activation options, then press OK.
g If the Windows needs files from Windows Update to finish installing some features message appears, select Download
files from Windows Update.
This operation might take around 5 minutes to complete. A confirmation message is displayed when the
operation completes.
b Select Power Options | Choose when to turn off the display, select Never for both Turn off the display and Put the
computer to sleep options, then click Save changes.
c Select Power Options | Choose what the power buttons do, select Change Settings that are currently unavailable for
both Turn off the display and Put the computer to sleep options, then click Save changes.
d For shutdown settings, deselect Turn on fast startup and Hibernate options, then click Save changes.
b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
c In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.
d If you see the Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? message, select Do not show this message, then click Cancel.
e Select Sites, right-click on Default Web Site, select Remove, then click Yes to confirm.
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.
• Click Finish.
c Select Computer Management (Local) | System Tools | Local Users and Groups | Groups.
d Double-click TelnetClients.
e Click Add, type Administrator, click Check Names, then click OK.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Lower the security to run macros for the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for other applications such as Microsoft Excel and
PowerPoint.
d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.
c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.
d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.
16 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
c Select Java(TM) Update Scheduler (jusched) (if listed), then click Disable.
d Select Adobe Acrobat SpeedLauncher (reader_sl) (if listed), then click Disable.
f In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
19 Disable the HTTP auto proxy server: Open command prompt with administrator privilege, then run these
commands.
• Net stop WinHttpAutoProxySvc
Task
1 From the native system, set up Windows 8.1 to display in the Desktop mode instead of the default Metro UI
mode when it starts.
a Press the Windows and R keys simultaneously, which is the shortcut to open the Run dialog box.
d Change Value data to explorer.exe, explorer.exe (instead of the default value of explorer.exe),
then click OK.
b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.
b Select Windows Defender | Settings | Administrators, deselect Turn on this app, then click Save changes.
b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System |
Logon.
c Double-click Show first sign-in animation, select Disabled, then click OK.
c Select Internet Information Services | Web Management Tools | IIS Management Service.
e Select .NET Framework 3.5 (includes .NET 2.0 and 3.0), then select the Windows Communication Foundation HTTP
Activation and Windows Communication Foundation Non-HTTP Activation options, then press OK.
f If the Windows needs files from Windows Update to finish installing some features message appears, select Download
files from Windows Update.
This operation might take around 5 minutes to complete. A confirmation message is displayed when the
operation completes.
b Select Power Options | Choose when to turn off the display, select Never for both Turn off the display, and Put the
computer to sleep options, then click Save changes.
c For shutdown settings, deselect Turn on fast startup and Hibernate options, then click Save changes.
b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
b In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.
c If you see the Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? message, select Do not show this message, then click Cancel.
d Select Sites, right-click on Default Web Site, select Remove, then click Yes to confirm.
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read, and Write under Permissions.
• Click Finish.
c Select Computer Management (Local) | System Tools | Local Users and Groups | Groups.
d Double-click TelnetClients.
e Click Add, type Administrator, click Check Names, then click OK.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Lower the security to run macros for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for
other applications such as Microsoft Excel and PowerPoint.
d On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.
b In Adobe Reader, if the Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.
d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.
17 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
c Select Java(TM) Update Scheduler (jusched) (if listed), then click Disable.
d Select Adobe Acrobat SpeedLauncher (reader_sl) (if listed), then click Disable.
e In the System Configuration dialog, select Don't show this message again, then select Restart.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
20 Disable the HTTP auto proxy server: Open command prompt with administrator privilege, then run these
commands.
• Net stop WinHttpAutoProxySvc
Task
1 From the native system, set up Windows 10 to display in the Desktop mode instead of the default Metro UI
mode when it starts.
a Press the Windows and R keys simultaneously, which is the shortcut to open the Run dialog box.
d Change Value data to explorer.exe, explorer.exe (instead of the default value of explorer.exe),
then click OK.
b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.
b Select Windows Defender, then turn off all features on the Windows Defender Settings page.
c In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System |
Logon.
d Double-click Show first sign-in animation, select Disabled, then click OK.
c Select Internet Information Services | FTP server | Control Panel | FTP Extensibility.
d Select Internet Information Services | Web Management Tools | IIS Management Service.
e Select .NET Framework 4.6 Advanced Services, and ensure that ASP.NET 4.6 is enabled, then press OK.
f Select WCF Service Library, ensure that TCP Port Sharing is enabled.
g If the Windows needs files from Windows Update to finish installing some features message appears, select Download
files from Windows Update.
This operation might take around 5 minutes to complete. A confirmation message is displayed when the
operation completes.
b Select Power Options | Choose when to turn off the display, select Never for Turn off the display, then click Save
changes.
c For shutdown settings, deselect Turn on fast startup and Hibernate options, then click Save changes.
c In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.
d If you see the Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? message, select Do not show this message, then click Cancel.
e Select Sites, right-click on Default Web Site, select Remove, then click Yes to confirm.
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read, and Write under Permissions.
• Click Finish.
e Press the Windows and X keys simultaneously, then select Control Panel | Windows Update | Change.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Lower the security to run macros for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for
other applications such as Microsoft Excel and PowerPoint.
c Lower the security to run ActiveX for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | ActiveX
Settings, then select Enable all controls without restrictions and without prompting (not recommended; potentially
dangerous code can run). Do the same for other applications such as Microsoft Excel and PowerPoint.
d Select Word options | Trust Center | Trust Center Settings | Trusted Locations, then use the Add new location...
button to add C:\ under User Locations. Once added, double-click the entry for C:\, then in the pop-up,
select Subfolders of this location are also trusted, then click OK.
f On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.
g When you open any of the Microsoft Office 2007 applications, the Help Protect and Improve
Microsoft Office pop-up appears. In the pop-up, select Don't make changes, then click OK.
b In Adobe Reader, if the Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.
d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.
14 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
c Select Java(TM) Update Scheduler (jusched) (if listed), then click Disable.
d Select Adobe Acrobat SpeedLauncher (reader_sl) (if listed), then click Disable.
e In the System Configuration dialog, select Don't show this message again, then select Restart.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
17 Disable the HTTP auto proxy server: Open command prompt with administrator privilege, then run these
commands.
• Net stop WinHttpAutoProxySvc
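The Windows 10 procedure above (and the Windows 7, 8 and 8.1 procedures, which set the same things through different dialogs) comes down to a fixed set of registry values, service states and cmdlet calls, which is easier to audit than a sequence of clicks. The following PowerShell script is an added example and is not part of the McAfee manual or of the VMDK Preparation Tool; it applies the settings the steps describe and then reads the important ones back so the image state can be confirmed before the VM is shut down and the VMDK exported. It assumes an elevated session inside a Windows 10 guest with Office 2007 (registry version key 12.0; Office 2016 uses 16.0) and Adobe Reader DC. The registry locations used for the first-sign-in animation policy, the Office ActiveX setting (UFIControls) and the Internet Explorer local-machine lockdown are the products' standard ones and are assumptions, not values taken from the manual; confirm each against the corresponding dialog on your image.

```powershell
# Added example (not from the McAfee manual): apply the Windows 10 sandbox-image
# settings and read them back. Run in an elevated PowerShell session inside the VM.
# Registry paths are the products' standard locations and are assumptions.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Step 1: boot straight to the desktop (the same Shell value the manual sets in regedit).
Set-RegValue $winlogon 'Shell' 'explorer.exe, explorer.exe' 'String'

# Firewall off on every profile; Windows Defender real-time protection off.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
Set-MpPreference -DisableRealtimeMonitoring $true
Set-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware' 1

# No first sign-in animation, no automatic updates, no fast startup or hibernation,
# display never turns off.
Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableFirstLogonAnimation' 0
Set-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate' 1
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled' 0
powercfg.exe /hibernate off
powercfg.exe /change monitor-timeout-ac 0

# Automatic logon with the account the manual creates. The manual publishes this
# password, so the image must never be reachable from anything but the analysis network.
Set-RegValue $winlogon 'AutoAdminLogon'  '1'         'String'
Set-RegValue $winlogon 'DefaultUserName' 'admin'     'String'
Set-RegValue $winlogon 'DefaultPassword' 'cr@cker42' 'String'

# Office 2007 (version key 12.0): all macros, all ActiveX controls, C:\ trusted with subfolders.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Microsoft\Office\12.0\$app\Security"
    Set-RegValue $sec 'VBAWarnings' 1                                   # Enable all macros
    Set-RegValue "$sec\Trusted Locations\Location0" 'Path' 'C:\' 'String'
    Set-RegValue "$sec\Trusted Locations\Location0" 'AllowSubfolders' 1
}
Set-RegValue 'HKCU:\Software\Microsoft\Office\Common\Security' 'UFIControls' 1   # all controls, no prompt

# Adobe Reader DC: protected mode off, updater off. Java: no update checks (both registry views).
Set-RegValue 'HKCU:\Software\Adobe\Acrobat Reader\DC\Privileged' 'bProtectedMode' 0
Set-RegValue 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' 'bUpdater' 0
Set-RegValue 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' 'EnableJavaUpdate' 0
Set-RegValue 'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Update\Policy' 'EnableJavaUpdate' 0

# The two startup items the manual disables (jusched and reader_sl), removed from the Run key if present.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($n in 'SunJavaUpdateSched', 'Adobe Reader Speed Launcher') {
    Remove-ItemProperty -Path $run -Name $n -ErrorAction SilentlyContinue
}

# Internet Explorer: blank home page; active content allowed to run from local files.
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page' 'about:blank' 'String'
Set-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN' 'iexplore.exe' 0

# Step 17: WinHTTP auto-proxy off. Newer Windows 10 builds refuse Set-Service on this
# service, so the start type is written directly (4 = Disabled).
Stop-Service WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start' 4

# Read back the state that matters before the VMDK is exported.
[pscustomobject]@{
    FirewallProfilesEnabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Count
    DefenderRealtimeOff     = (Get-MpPreference).DisableRealtimeMonitoring
    AutoLogon               = (Get-ItemProperty $winlogon).AutoAdminLogon
    WordMacros              = (Get-ItemProperty 'HKCU:\Software\Microsoft\Office\12.0\Word\Security').VBAWarnings
    AutoProxyStartType      = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc').Start
} | Format-List
```

Expect FirewallProfilesEnabled 0, DefenderRealtimeOff True, AutoLogon 1, WordMacros 1 and AutoProxyStartType 4; anything else means a step did not take (on current Windows 10 builds, for instance, Tamper Protection blocks Set-MpPreference until it is switched off in the Windows Security app). Keep the same discipline the manual asks for with C:\vmdk_prep.log: copy this read-back out of the VM for the record, then remove it from the guest.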
Task
2 If the Manage Your Server window page appears, select Don't Display the page at logon and close the page.
3 If the Server Manager window is displayed, select Manage | Server Manager Properties, select Do not start Server
Manager automatically at logon, then select OK.
b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.
b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.
2 In the Installation type page, select Role-based or feature-based installation, then click Next.
3 In the Server selection page, select Select a server from the server pool, then click Next.
4 In the Server Roles page, expand the Web Server (IIS) node, expand the FTP Server node, select FTP Server,
select FTP Service, then click Next.
c In the Internet Information Services Manager page, select Sites, select Add FTP Site
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.
• Click Finish.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
b Under Important updates, select Never check for updates (not recommended).
d Click OK.
b Lower the security to run macros for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for
other applications such as Microsoft Excel and PowerPoint.
c Lower the security to run ActiveX for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | ActiveX
Settings, then select Enable all controls without restrictions and without prompting (not recommended; potentially
dangerous code can run). Do the same for other applications such as Microsoft Excel and PowerPoint.
e On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.
b In Adobe Reader, if the Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.
d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.
15 Configure Java:
a Open Java in the Control Panel.
c In the Java Update Warning message, select Do Not Check and then click OK.
b From the Startup tab, deselect reader_sl and jusched, then click OK.
c In the System Configuration dialog, select Don't show this message again, then select Restart.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
Task
1 Log on to the virtual machine as administrator.
2 If the Manage Your Server window page appears, select Don't Display the page at logon and close the page.
3 If the Server Manager window is displayed, select Manage | Server Manager Properties, select Do not start Server
Manager automatically at logon, then select OK.
b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.
b Select Turn off Windows Firewall (not recommended), for the following, then click OK.
• Public networks
2 In the Installation type page, select Role-based or feature-based installation, then click Next.
3 In the Server selection page, select Select a server from the server pool, then click Next.
4 In the Server Roles page, expand the Web Server (IIS) node, expand the FTP Server node, select FTP Server,
select FTP Service, then click Next.
c In the Internet Information Services Manager page, select ADMINISTRATOR | Sites, then right-click on Sites
and select Add FTP Site.
• For Bindings and SSL Settings, select No SSL, then click Next.
• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.
• Click Finish.
b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.
• Password — cr@cker42
b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.
c On the right pane, double click Configure Automatic Updates, then select Disable.
d Click OK.
f On the right pane, double-click Turn off Windows Defender, then select Enabled. (Enabling this policy is what turns Windows Defender off; leaving it Disabled or Not Configured keeps Windows Defender running.)
g Click OK.
b Lower the security to run macros for the Office applications. In Microsoft Word 2016, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for
other applications such as Microsoft Excel and PowerPoint.
c Lower the security to run ActiveX for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option on the top left corner, then select Word options | Trust Center | Trust Center Settings | ActiveX
Settings, then select Enable all controls without restrictions and without prompting (not recommended potentially
dangerous code can run). Do the same for other applications such as Microsoft Excel and PowerPoint.
e On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.
b In Adobe Reader, if the Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.
d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.
13 Configure Java:
a Open Registry Editor
c On the right pane, double-click {A509B1A7-37EF-4b3f-8CFC-4F3A74704073}, then set its value to 0.
Replace <Adobe-Flash-For-Windows-Package> with the name and path of the Adobe Flash for
Windows package MUM file.
b From the Startup tab, deselect reader_sl and jusched, then click OK.
c In the System Configuration dialog, select Don't show this message again, then select Restart.
b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.
c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
Task
1 In the Microsoft Office Setup window, select the following options, then click Next.
• Microsoft Word
• Microsoft Excel
• Microsoft PowerPoint
2 To open Microsoft Office files created in a newer version of Microsoft Office, install the compatibility pack.
a Download the required Microsoft Office compatibility pack for Word, Excel, and PowerPoint file formats.
3 In the Compatibility Pack for the 2007 Office system window, select Click here to accept the Microsoft Software License
Terms, then click OK.
Task
1 Install Adobe Reader on the virtual machine.
2 Open Adobe Reader, then click Accept on the License Agreement window.
Task
1 Download and install the Java SE Development Kit for your computer.
Task
1 Make sure that Internet Explorer is your default browser.
• Download and install Adobe Flash plug-in, then verify that Shockwave Flash Object is enabled.
Task
1 Click Start | Shut down.
2 Make sure there are not any stale lock files (.lck) associated with the virtual machine.
The .lck files are located in the same folder as the .vmdk file.
6 To connect to the FTP server on Advanced Threat Defense, use the following credentials.
• Host — IP address of Advanced Threat Defense
• Username — atdadmin
• Password — atdadmin
• Port — The corresponding port number based on the protocol you want to use.
7 Upload the VMDK file from the local machine to Advanced Threat Defense.
See also
Set FTP on page 138
Users without administrator permissions are able to convert VMDK files to image files.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
3 From the VMDK Image drop-down list, select the imported VMDK file.
4 In the Image Name field, enter the image name that corresponds to your operating system.
McAfee ePO and OS profiling work only when you use the default name.
6 Click Convert.
b Click View.
Create VM profiles
You must configure each image file that you convert with a single, unused VM profile. You can convert the same
VMDK file into image files multiple times, which lets you create multiple image files from one VMDK file.
VM profiles contain the operating system and applications in an image file. This enables you to identify the
images that you uploaded to Advanced Threat Defense and then use the appropriate image to dynamically
analyze files. You can also specify the number of licenses that you possess for the operating system and the
applications. Advanced Threat Defense factors this in when creating concurrent analyzer VMs from the
corresponding image file.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface, then select Policy | VM Profile | New.
2 From the Image drop-down list, select the image, then click Activate.
Based on your browser settings, the activation window opens in a new tab or window.
d From the command line, run the following commands, then press Enter.
• flashplayerX_X_X_win.exe
• flashplayerX_X_X_win_debug.exe
• flashplayerX_X_X_win_sa_debug.exe
f Stop the VM, then copy the VMDK image to the Advanced Threat Defense Appliance.
To view the image validation log, click . If the validation fails, create a new VMDK file with the correct settings,
then create the analyzer VM.
7 Click Check Status, then verify that the following validation tests are successful on the Image Validation Log
window.
• FTP connect to <VM IP address> OK
• FTP login OK
• OS winxp
• Multiprocessing OK
• FTP OK
• TELNET OK
• AUTOLOGON OK
• ADMINISTRATOR OK
• FIREWALL OK
• Sigcheck OK
• Scan Complete
If the validation tests fail, create a new VMDK file, then create the analyzer VM.
b Click Save.
Task
1 Log on to the Advanced Threat Defense web interface.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Make sure the users assigned to the analyzer profile are logged off of Advanced Threat Defense.
c From the Default Analyzer Profile list, select the analyzer profile.
d Click Save.
See also
View the Threat Analysis report on page 105
View the Dropped Files report on page 106
View the Disassembly Results report on page 107
Logic Path Graph on page 108
User API Log on page 109
Tasks
• Integrate Advanced Threat Defense with Private GTI Cloud on page 68
You can configure Advanced Threat Defense to send queries to a Private GTI Cloud.
• Integrate Advanced Threat Defense with McAfee NGFW on page 68
McAfee NGFW integrates security features with high availability and manageability. It integrates
application control, Intrusion Prevention System (IPS), and evasion prevention into a single,
affordable solution. The following steps must be performed by the McAfee NGFW customer to
integrate McAfee NGFW with Advanced Threat Defense.
1 Advanced Threat Defense queries McAfee ePO for the operating system of a host based on its IP address. If
information from this source or the corresponding analyzer VM is not available, it goes to the next source.
2 If Device Profiling is enabled, the Sensor provides the operating system and application details when
forwarding a file for analysis. If information from this source or the corresponding analyzer VM is not
available, it goes to the next source.
3 From the analyzer profile in the corresponding user record, Advanced Threat Defense determines the VM
profile. If information from this source or the corresponding analyzer VM is not available, it goes to the
next source.
When Advanced Threat Defense receives host information for a particular IP address from McAfee ePO, it
caches this detail.
• The cached IP address to host information data has a time to live (TTL) value of 48 hours.
• For the first 24 hours, Advanced Threat Defense uses just the host information in the cache.
• For the second 24 hours, Advanced Threat Defense uses the host information from the cache but also
queries McAfee ePO and updates its cache. This updated information is valid for the next 48 hours.
• If the cached information is more than 48 hours old, Advanced Threat Defense treats it as if there is no
cached information for the corresponding IP address. That is, it attempts to find the information from other
sources and also sends a query to McAfee ePO.
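The source order and the cache timing rules above, as an added model that is not McAfee's code: the OS names and the set of available analyzer VMs are constructed, and time is expressed in hours since an arbitrary epoch.

```python
"""Model of how Advanced Threat Defense picks an analyzer VM and caches ePO host data.

Added illustration, not McAfee code. It encodes the rules stated in the manual:
the source order (McAfee ePO host info, Sensor device profiling, the user's
analyzer profile), a 48-hour cache TTL, cache-only use for the first 24 hours,
and cache use plus an ePO refresh query for the second 24 hours.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FRESH_HOURS = 24.0   # first 24 h: use the cached value only
TTL_HOURS = 48.0     # after 48 h the entry counts as absent

# Constructed set of analyzer VMs for the demo (hypothetical OS names).
DEFAULT_VMS = {"win7", "winxp"}


def default_vm_available(os_name: str) -> bool:
    return os_name in DEFAULT_VMS


# Each candidate is (source name, OS reported by that source or None).
SourceList = List[Tuple[str, Optional[str]]]


def select_vm_profile(candidates: SourceList,
                      vm_available: Callable[[str], bool]) -> Tuple[Optional[str], Optional[str]]:
    """Walk the sources in order; return (source, os) for the first one that both
    supplies an OS and has a matching analyzer VM, else (None, None)."""
    for source, os_name in candidates:
        if os_name is not None and vm_available(os_name):
            return source, os_name
    return None, None


@dataclass
class HostInfoEntry:
    os_name: str
    cached_at: float      # hours


@dataclass
class HostInfoCache:
    entries: Dict[str, HostInfoEntry] = field(default_factory=dict)

    def lookup(self, ip: str, now: float) -> Tuple[Optional[str], bool]:
        """Return (cached OS or None, whether to send a query to McAfee ePO now)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None, True                  # cold cache: query ePO, use other sources meanwhile
        age = now - entry.cached_at
        if age < FRESH_HOURS:
            return entry.os_name, False        # first 24 h: cache only
        if age < TTL_HOURS:
            return entry.os_name, True         # second 24 h: serve from cache but refresh
        del self.entries[ip]                   # older than 48 h: same as no cache
        return None, True

    def store(self, ip: str, os_name: str, now: float) -> None:
        """Record an ePO response; the refreshed entry is valid for another 48 h."""
        self.entries[ip] = HostInfoEntry(os_name, now)


def resolve(cache: HostInfoCache, ip: str, now: float,
            sensor_os: Optional[str], profile_os: Optional[str],
            vm_available: Callable[[str], bool] = default_vm_available
            ) -> Tuple[Optional[str], Optional[str], bool]:
    """Combine the cache with the other sources for one file submission.
    Returns (source, os, query_epo)."""
    epo_os, query_epo = cache.lookup(ip, now)
    source, os_name = select_vm_profile(
        [("epo", epo_os), ("device_profiling", sensor_os), ("analyzer_profile", profile_os)],
        vm_available)
    return source, os_name, query_epo
```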
The following explains how Advanced Threat Defense collaborates with McAfee ePO.
1 Network Security Platform or Web Gateway sends a file to Advanced Threat Defense for analysis. When
Network Security Platform sends a file, the IP address of the target host is also sent.
2 Advanced Threat Defense checks its cache to see if there is a valid operating system mapped to that IP
address.
3 If it is the first time that a file for that IP address is being analyzed, there is no information in the cache. So, it
determines the analyzer VM from the device profiling information in case of Network Security Platform and
user record in case of McAfee Web Gateway. Simultaneously, it sends a query to McAfee ePO for host
information based on the IP address.
4 McAfee ePO forwards the host information to Advanced Threat Defense, which is cached for further use.
Task
1 As an administrator, log on to McAfee ePO, then install the Advanced Threat Defense extension.
b From the Severity Level drop-down list, select the security level for the events you want to send to McAfee
ePO.
c On the Publish Threat Events Setting updated successfully message, click OK.
d Click Apply.
These analysis reports are published to a topic located at /mcafee/event/atd/file/report on the DXL broker.
Clients such as Security Information and Event Management (SIEM) that subscribe to this topic can fetch
analysis reports from DXL broker to build a robust security reputation database. Subscribing clients can refer to
this database and treat files entering their network according to the analysis report of the files.
1 Advanced Threat Defense gets the sample files from different channels like Network Security Platform, Web
Gateway, and so on for analysis.
2 The analysis summary is then sent to the DXL broker for further on-demand distribution to subscribing
clients.
The following diagram explains Advanced Threat Defense and DXL integration.
If you want your Advanced Threat Defense to have exclusive rights to publish on the Advanced Threat Defense
topic, then you must install the ATDDXLTagging extension on McAfee ePO. This restricts publishing on the
Advanced Threat Defense topic by any other sender.
Task
1 Log on to the Advanced Threat Defense web interface.
Verifies the connection between Advanced Threat Defense and the DXL broker channel.
6 Click Apply.
If more than one VM is configured in the analyzer profile, Advanced Threat Defense publishes the report for
each VM.
Task
1 Log on to the Advanced Threat Defense web interface.
4 Verify that the DXL Status is UP, then select Enable Active Response.
• Ensure that you have reset your cliadmin password. If you continue using the default
password, the configurations might fail.
Task
For details about product features, usage, and best practices, click ? or Help.
3 In the GTI Cloud Setting section, select Enable Private GTI Cloud.
4 In Private Cloud IP or Hostname, enter the IP address or the host domain name of your Private GTI Cloud.
If you have configured a hostname, then ensure that the DNS resolves the hostname for Advanced Threat
Defense.
5 Click Test Connection to check the connection status, then click Save.
We recommend that you configure Private GTI Cloud using the Advanced Threat Defense web interface.
In a load balancing scenario, if you configure Private GTI Cloud using the CLI, the configuration does not
sync automatically to the other nodes; you must configure each node manually.
Task
For details about product features, usage, and best practices, click ? or Help.
4 To make REST API calls, use the McAfee NGFW user credentials on SCM.
There is no change to the existing SOFA protocol for file submission. If a user named "ngfw" (user type
NGFW) exists, all file submissions through the SOFA channel are assumed to be from McAfee NGFW
appliances.
You can either manually specify the date and time or configure Network Time Protocol (NTP) servers as the time
source for Advanced Threat Defense. If you use NTP, you can configure up to 3 NTP servers. In this case,
Advanced Threat Defense acts as an NTP client and synchronizes with the highest priority NTP server that is
available.
• By default, synchronization with NTP servers is enabled in Advanced Threat Defense. Also, pool.ntp.org is
configured as the default NTP server. The default time zone is Pacific Standard Time (UTC-8).
• When you upgrade from a previous version without selecting the Reset Database option, the date and time
settings from the previously installed version are preserved. If you upgrade with the Reset Database option
selected, the default date and time settings as described above are set.
• At any point in time, there must be at least one valid NTP server specified in the Date and Time Settings page of
Advanced Threat Defense. You can add, edit, or delete the list of NTP servers specified in Advanced Threat
Defense.
• Based on the access available to Advanced Threat Defense, you can specify public NTP servers or the ones
locally on your network.
• You can specify the domain name or the IPv4 address of NTP servers. If you specify the domain names, then
you must have configured DNS settings in Advanced Threat Defense.
If you specify public NTP servers, then using the domain names instead of IP addresses is recommended. The
domain of a public NTP server might resolve to different IP addresses based on various factors.
• Whether you enable NTP server synchronization or manually set the date and time, you must select the
required time zone in the Date and Time Settings page. If you configure an NTP server, Advanced Threat
Defense considers only the date and time from the NTP server. But for the time zone, it relies on what is
specified in the Date and Time Settings page.
• The date and time on an Advanced Threat Defense client has no impact on the timestamps that are
displayed. Consider that the current time on the Advanced Threat Defense Appliance is 10 am PST (UTC-8).
Regardless of the time zone from which you access this Advanced Threat Defense Appliance, all the
timestamps are displayed in PST only. That is, the timestamps are not converted based on a client's date
and time.
• When the current date and time settings are changed, the timestamps for all older records are also
changed accordingly. Consider that the current time zone is PST (UTC-8) and you change it to Japan Standard
Time (UTC+9). The timestamps for the older records are then all converted to Japan Standard Time (JST).
For example, if the timestamp displayed for a record in the Analysis Status page was 0100 hours (1 am) PST
before you changed the time zone, after you change the time zone to JST the timestamp for the same
record is 1800 hours JST.
• The date and time settings of all the analyzer VMs are immediately synchronized to the date and time on the
Advanced Threat Defense Appliance.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
Task
For details about product features, usage, and best practices, click ? or Help.
The IP configured for DNS should be resolved by the DNS server using reverse lookup.
Task
1 Log on to the Advanced Threat Defense web interface.
4 In Malware DNS Setting, type the IP address of the DNS server to use for malware analysis in the sandbox
environment, then click Apply.
5 To restart the amas services, use the amas restart CLI command.
Configure LDAP
LDAP (Lightweight Directory Access Protocol) support lets Advanced Threat Defense use a dedicated LDAP
server for user authentication. A separate authentication server provides a secure, centralized system for
authenticating and managing the credentials of the various types of Advanced Threat Defense users.
The following user accounts (data) must be created on the LDAP server. Accounts created on the LDAP server
must be the same as on the Advanced Threat Defense appliance.
• Base Distinguished Name (BaseDN) — Create a specific BaseDN for Advanced Threat Defense users.
BaseDN acts as a root node under which all the Advanced Threat Defense users are added.
• Admin Credentials — To enable the LDAP option, you must provide the Admin User credentials in the
Advanced Threat Defense web interface. If the Admin User has not been created, you must create the same
in the LDAP server directory.
• User creation — Create users manually on an LDAP server. The following table contains the list of users
needed.
During LDAP logon, the username must match the username created locally in the Advanced Threat Defense
database. Usernames are case sensitive.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
3 Configure the LDAP User Credentials options, then click Test Connection.
5 Click Submit.
Select Enable Fallback if the configured LDAP server might be unreachable and authentication then needs
to be routed to the Advanced Threat Defense local database. For cliadmin users, Enable Fallback is always
enabled.
LDAP authentication is used for SFTP communication with Advanced Threat Defense. The fallback feature is
not supported when SFTP communication is used.
• GTI HTTP Proxy — This setting is relevant for analyzer profiles that have GTI Reputation enabled in their
Analyzing Options. Advanced Threat Defense sends a query to a McAfee GTI server to fetch the McAfee GTI
score for the suspicious file being analyzed. If your network is behind a proxy, specify the proxy server
details here so that the McAfee GTI queries can be sent out.
• Malware Site Proxy — This setting is applicable when samples being analyzed at analyzer VMs request Internet
access. The proxy server specified under Malware Site Proxy handles the request. Because the traffic from an
analyzer VM might be malicious, you might want to segregate this traffic from your production network.
Tasks
• Configure Advanced Threat Defense to communicate with McAfee GTI on page 72
To use McAfee GTI with Advanced Threat Defense, configure the options.
• Enable the malware site proxy on page 73
Allow analyzer VMs to connect to the internet for sample analysis.
Task
1 Log on to the Advanced Threat Defense web interface.
5 Click Submit.
Task
1 Log on to the Advanced Threat Defense web interface.
4 Click Submit.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
4 Select Send SNMP Traps, configure the SNMP Traps options, then click Submit.
The CPU Utilization field on the SNMP Setting page is different from the CPU Load shown under System Health
on the Dashboard tab.
5 To retrieve the attribute numeric values, enter the snmpget command in the command prompt or any MIB
browser.
• Interface Status
• User Login/Logout
• Audit Log
When CPU Utilization, Memory Utilization, or HDD Utilization exceeds its user-defined threshold, syslog
events are generated and sent to the SIEM receiver. The minimum supported threshold is 30% and the
maximum is 90%. By default, the threshold percentage displayed on the Syslog Setting page is 75%.
Whenever an interface link goes down or comes up, syslog events are generated and sent to the SIEM receiver.
Analysis results and logon/logoff events are also sent to the SIEM receiver.
After syslog events are generated and sent to the SIEM receiver, the information is parsed and sent to ESM. The
summary is then displayed on the ESM user interface.
The SIEM receiver and ESM can be on separate appliances or can be together in a virtual environment.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
In non-CC mode, any valid certificate along with its key can be uploaded, because no checks on key length or
signature algorithm are performed. However, in CC mode:
• The key length must be 2048 bits or more, and the signature algorithm must be at least SHA256
with RSA encryption.
• The default listening port for the Audit function is 6514, and the protocol used is TCP with TLS
encryption.
• While uploading the Syslog Certificate for TLS encryption, Advanced Threat Defense performs
various security validations on the syslog certificate. If you are prompted with security
warnings, you can either accept them or fix the issues before uploading the Syslog Certificate.
4 Click Test Connection. When the "Test connection successful" message appears, click OK.
When you select UDP as the Protocol from the drop-down list, the Test Connection tab is disabled because UDP
uses a simple connectionless transmission model, which makes the connection status unverifiable.
5 In the Statistic to Log area, make these selections and entries as per requirement.
• Select Analysis Results.
• Select CPU Utilization and specify Threshold level in the respective Threshold drop-down.
• Select Memory Utilization and specify Threshold level in the respective Threshold drop-down.
• Select HDD Utilization and specify Threshold level in the respective Threshold drop-down.
• If you want to store the logon/logoff information with a time stamp, select User Login/Logout.
• Select Audit Log to view logs for administrative actions performed on Advanced Threat Defense. Audit Log
is selected by default.
• Select HTTPS Session Log to view logs for every session established or terminated.
This option is only available when Common Criteria Mode is enabled in Advanced Security Settings.
When HTTPS Session Log is enabled, Advanced Threat Defense web performance is impacted.
6 Click Submit.
Tasks
• View the Syslog logs on page 75
Syslog starts logging syslog events taking place within the Advanced Threat Defense.
Simultaneously, it prints the related logs, which you can view in the Advanced Threat Defense web
interface. You can use this information for troubleshooting purposes.
• View the Audit Log on page 76
When you configure the audit function by selecting Audit Log on the Syslog Setting page, Advanced
Threat Defense starts logging the administrative actions performed within Advanced Threat
Defense. Through these log entries, you can see what happens as administrative actions
(for example, configuration changes, session establishment, and session termination) are
performed. The log entries are displayed in tabular form. You can use this information for
troubleshooting purposes.
Task
1 Log on to the Advanced Threat Defense web interface.
Task
1 Log on to the Advanced Threat Defense web interface.
Configure telemetry
Telemetry allows Advanced Threat Defense to collect data about malware and the Advanced Threat Defense
Appliance.
Advanced Threat Defense captures these two categories of data.
Telemetry data for:
• McAfee GTI
• McAfee Labs
McAfee Labs requires the analysis results from Advanced Threat Defense telemetry data to:
• Update the McAfee Labs databases
• Categorize the samples and malware that Advanced Threat Defense analyzes
Telemetry data contains information about the analyzed samples, and includes:
• SHA-1 of sample
• SHA-256 of sample
• MD5 hash value of sample
• Advanced Threat Defense detection score
• Digital signature data from sample
• Parent metadata corresponding to dropped files
• Advanced Threat Defense product information
Tasks
• Enable telemetry on page 78
Advanced Threat Defense sends system telemetry data only when you allow automatic updates.
• Disable telemetry on page 78
You can disable system and McAfee Labs telemetry without disabling the automatic update.
Enable telemetry
Advanced Threat Defense sends system telemetry data only when you allow automatic updates.
Task
For details about product features, usage, and best practices, click ? or Help.
5 Ensure that the following options are selected, then click Submit.
• Send feedback to McAfee about system information in order to improve the product.
Disable telemetry
You can disable system and McAfee Labs telemetry without disabling the automatic update.
Task
For details about product features, usage, and best practices, click ? or Help.
• Email Connector is not installed with Advanced Threat Defense. For more information on
installing Email Connector, see McAfee Advanced Threat Defense Installation Guide.
• If you have configured a cluster, ensure that you install Email connector in your primary as well
as the backup nodes.
• Ensure that you have reset your cliadmin password. If you continue using the default password,
the configurations might fail.
Advanced Threat Defense receives emails from a secure email gateway, performs an analysis on the email
attachments, adds a verdict in the email header and sends it back to the email server. You can view the analysis
report from Analysis | Email Reports on your Advanced Threat Defense web interface.
While you view the reports, you can navigate through at most one million reports. To view reports beyond the
first million, use the search filter to reduce the number of results.
You must configure your email gateway to send emails to Advanced Threat Defense for analysis. You can
add filters, for example to send only emails that have attachments. We recommend that you configure your
SEG to send emails to Advanced Threat Defense for analysis only when the SEG's AV analysis has returned an
inconclusive result.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the Advanced Threat Defense interface, then click Manage | Email Connector | Configuration.
2 In Receiving Email, select Enable Email Connector and complete these settings.
• Listen Port — Type the port number to use for receiving emails. The default port number is 25.
• Use TLS Connection — Select one of the three options from the drop-down: use TLS-secured
communication for receiving emails when available, always, or never.
• Permitted Hosts — From the drop-down, select the Host type as IP address, Hostname, or Network, then enter the
IP addresses, host name, or network address of the source SEG for Advanced Threat Defense to receive
emails. Click Add to add an IP address.
• Smart Host Port — Type the port number of the destination email server. The default port number is 25.
• Use TLS Connection — Select one of the three options from the drop-down: use TLS-secured
communication for sending emails when available, always, or never.
• Test Connection — Click Test Connection to ensure that the configured email server is reachable.
• Scan these file types — File types of the email attachments that can be scanned. Select All or at least
one of the file types.
• Action when system is overloaded — Choose whether to deliver emails without scanning or drop SMTP
connections when the system is overloaded.
If you've selected Deliver emails unscanned, then the emails are delivered with the X-ATD-VERDICT as -8.
If you enable this option, the header X-ATD-VERDICT -7 is added to the emails.
• Document Format – Select the format in which you want your profiling report to get generated.
• Reporting Period – Select the period for which you want the emails to be profiled.
• Download Report – Downloads a report about the overall email attachment profiling.
6 Click Apply.
You can view the total number of emails and attachments analyzed in the Email Counter monitor from the
Dashboard.
If the timeout is too short and an Advanced Threat Defense scan is still in progress, Advanced Threat Defense
does not accept the email. In that case, the source SEG requeues the message for delivery to Advanced Threat
Defense at a later time. Depending on the retry period set on your SEG and the load on Advanced Threat
Defense, cached results might be available when the subsequent delivery attempt is made, so the timeout
might not trigger again. The default timeout value is 10 minutes.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the Advanced Threat Defense interface, then click Manage | Email Connector | Filtering Rules.
2 Type a name for the rule, then select one or a combination of these filtering options.
• File Name — Add file names separated by semi-colons (;). * and ? can be used as wildcard characters.
• File Size — Select less than or greater than criteria, type the file size, then select the unit.
Header — Values
X-ATD-FILENAMES — Lists the names of all attachments of the email, separated by commas (,).
X-ATD-ALTFILENAMES — Lists the alternate names of scanned attachments that have the same hash value as
determined during earlier scans. For example, if after scanning a file (file1), another attachment with the
same hash but a different file name (file2) is detected, the X-ATD-ALTFILENAMES header is added with the
value file1, file2.
X-ATD-FILEHASHES — Adds the hashes of all email attachments, for example, MD5 and SHA-256.
X-ATD-FILEVERDICTS — Adds the verdict for each email attachment that was submitted for analysis.
• 5 — Very high (risk)
• 4 — Malicious
• 3 — Likely to be malicious
• 2 — Low activities
• 1 — Very low activity
• 0 — Informational
• -1 — Clean
• -2 — Failed to scan (because of unsupported file type)
• -3 — Scan Timed out
• -4 — Filtered by the File Type Configuration
• -5 — Filtered by File Filtering Rules
Header — Values
X-ATD-SILENTMODE — Adds the value 1 if an email was scanned in silent mode. Otherwise this header is not
added.
X-ATD-TOOBUSY — Adds this header to all messages that pass through Advanced Threat Defense while it is:
• processing new attachments for scanning
• configured in Email pass-through mode.
The X-ATD-TOOBUSY value is always 1. Because Advanced Threat Defense includes a results cache, reference
X-ATD-VERDICT to determine whether the attachments were scanned in a previous submission.
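A parser for the X-ATD-* headers listed above, as an added example that is not McAfee code or a documented client. It assumes that X-ATD-FILENAMES, X-ATD-FILEVERDICTS and X-ATD-ALTFILENAMES are comma-separated lists in attachment order; the sample message is constructed.

```python
"""Parse the X-ATD-* headers Advanced Threat Defense adds to mail it has processed.

Added example, not McAfee code. Header names and verdict codes come from the
manual; the comma-separated, attachment-ordered list format is an assumption.
"""
from dataclasses import dataclass
from email import message_from_string
from typing import Dict, List, Optional

# Verdict scale documented for X-ATD-FILEVERDICTS, plus the two message-level
# X-ATD-VERDICT codes the manual mentions for mail that left ATD unscanned.
VERDICT_LABELS: Dict[int, str] = {
    5: "very high risk", 4: "malicious", 3: "likely malicious",
    2: "low activities", 1: "very low activity", 0: "informational",
    -1: "clean", -2: "failed to scan (unsupported file type)",
    -3: "scan timed out", -4: "filtered by file type configuration",
    -5: "filtered by file filtering rules",
    -7: "not scanned (Email Connector option enabled)",
    -8: "delivered unscanned (system overloaded)",
}

UNSCANNED = {-2, -3, -4, -5, -7, -8}   # codes that carry no analysis result


@dataclass
class AtdResult:
    filenames: List[str]
    verdicts: List[int]
    alt_filenames: List[str]
    message_verdict: Optional[int]   # X-ATD-VERDICT, if present
    silent_mode: bool
    too_busy: bool

    def per_file(self) -> Dict[str, int]:
        return dict(zip(self.filenames, self.verdicts))

    def worst(self) -> Optional[int]:
        """Most severe verdict among attachments that were actually scanned."""
        scanned = [v for v in self.verdicts if v not in UNSCANNED]
        return max(scanned) if scanned else None

    def needs_attention(self, threshold: int = 3) -> bool:
        """True when an attachment scores at or above the threshold, or when the
        mail left ATD without a usable verdict (overload, -7, or unscanned files)."""
        worst = self.worst()
        if worst is not None and worst >= threshold:
            return True
        if self.message_verdict in (-8, -7):
            return True
        # TOOBUSY alone does not mean unscanned: cached results may have been
        # applied, so only flag it when an attachment lacks a real verdict.
        return self.too_busy and (not self.verdicts
                                  or any(v in UNSCANNED for v in self.verdicts))


def _split(value: Optional[str]) -> List[str]:
    return [p.strip() for p in value.split(",") if p.strip()] if value else []


def parse_atd_headers(raw_message: str) -> AtdResult:
    msg = message_from_string(raw_message)
    message_verdict = msg.get("X-ATD-VERDICT")
    return AtdResult(
        filenames=_split(msg.get("X-ATD-FILENAMES")),
        verdicts=[int(v) for v in _split(msg.get("X-ATD-FILEVERDICTS"))],
        alt_filenames=_split(msg.get("X-ATD-ALTFILENAMES")),
        message_verdict=int(message_verdict) if message_verdict is not None else None,
        silent_mode=msg.get("X-ATD-SILENTMODE") == "1",
        too_busy=msg.get("X-ATD-TOOBUSY") == "1",
    )


# Constructed sample: two attachments, one scored 4, processed while ATD was busy.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: soc@example.test
Subject: invoice
X-ATD-FILENAMES: invoice.docm, notes.txt
X-ATD-FILEVERDICTS: 4, -1
X-ATD-TOOBUSY: 1

body
"""

if __name__ == "__main__":
    result = parse_atd_headers(SAMPLE_MESSAGE)
    for name, code in result.per_file().items():
        print(f"{name}: {code} ({VERDICT_LABELS[code]})")
    print("needs attention:", result.needs_attention())
```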
Task
For details about product features, usage, and best practices, click ? or Help.
2 In the Minimum SSL/TLS Protocol Version drop-down, select the minimum SSL/TLS version.
Ensure that the products your Advanced Threat Defense communicates with support the minimum SSL/TLS
protocol version you define here.
• FTP Access, HTTP Port, and Force HTTPS options are disabled.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Configure the System Log Server options, then click Test connection to test the connection.
The certificate uploaded for Syslog Setting is validated against key length, signature algorithm, and expiry date.
If there is a problem with the certificate, Advanced Threat Defense displays an error message.
4 In the Statistics to Log area, make sure Audit Log is checked. By default Audit Log is enabled.
5 Click Submit.
See also
http_redirect on page 123
Task
For details about product features, usage, and best practices, click ? or Help.
3 Select Enabled Account Lock Out, then set the lock out duration and the number of allowed incorrect logon
attempts.
• Duration of Lock Out in Minutes – Set the duration of the lock out period in minutes.
• Maximum Login Retries – Set the number of allowed incorrect logon attempts, after which the account is
locked.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
4 Click Save.
Task
1 Log on to the Advanced Threat Defense web interface.
You can only use the ASCII character set. The maximum number of characters you can use is 1024.
5 Click Save.
To generate a CSR, you need to enter your organization details, and the key size. You can then generate your
CSR, export it, and submit it to a certificate signing authority to get it signed.
Generate a CSR
You can generate a CSR from Advanced Threat Defense.
Task
For details about product features, usage, and best practices, click ? or Help.
• Organization Unit [OU] – Enter the organization unit that is ordering the certificate.
• City/Town [L], State/Province [ST], Country [C] – Enter the address of your organization.
• Key Size (in bits) – Select a key size for your certificate in bits.
Your CSR is now listed in the Certificate Signing Request Message section. You can use the icon in the Action column
to Export or Remove your CSR. Once the certificate is signed, you can upload it as a Web Certificate from the Manage
Certificate page.
Upload certificates
For web server authentication, Advanced Threat Defense allows you to upload certificates.
When you upload a certificate, Advanced Threat Defense checks for the attached public key. If a key is not
attached, the certificate upload fails. If a key is attached, Advanced Threat Defense validates the metadata. After
validation, you might see security warnings, which you can either accept or fix.
Task
For details about product features, usage, and best practices, click ? or Help.
• CA Certificate
• Trusted CA Certificate
5 Click Upload.
To upload content to the Advanced Threat Defense Appliance, use the Advanced Threat Defense web interface.
Contents
Defining Custom Behavioral Rules
Define Custom Yara Scanner
Import custom behavioral and YARA scanner rules
Change custom behavioral rules and YARA scanner files
Disable custom behavioral rules
Manage whitelist database samples
Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus
Update the detection package
In this section, the word sample refers to both files and URLs that have been submitted to Advanced Threat
Defense for malware analysis.
You can store your Custom Behavioral Rules in a text file. You can name this file in a way that enables you to track
modifications to your Custom Behavioral Rules set. You import this text file into Advanced Threat Defense
through the web interface.
Assuming you have enabled all analyze options with custom YARA rules, Advanced Threat Defense processes
the sample files and URLs in the following order of priority:
1 Global Whitelist
2 Local blacklist
3 McAfee GTI
7 Dynamic Analysis
9 Internal YARA rules — Internal YARA rules that are defined by McAfee and updated during Advanced Threat
Defense software upgrades. You cannot view or download these rules.
Advanced Threat Defense checks a sample against YARA rules only if the sample is dynamically analyzed.
After you import your Custom Behavioral Rules into Advanced Threat Defense, the malware detection and
classification are based on these rules as well. Final severity result of sample analysis is determined as a
maximum value from analysis methods mentioned above, including custom YARA rules.
Considerations
• Advanced Threat Defense supports custom YARA rules only from Advanced Threat Defense release 3.2.0.
• Advanced Threat Defense 3.2.0 supports YARA version 1.0 only. So, all YARA features documented in YARA
User's Manual for version 1.0 are supported.
• In an Advanced Threat Defense cluster setup, each node maintains its set of Custom Behavioral Rules
separately. That is, the custom YARA rules that you define in the primary node are not sent to the secondary
nodes automatically.
• There is no limit on the number of rules that you can include in your Custom Behavioral Rules file. Neither is
there a limit on the size of this file. However, the number of rules and their complexity might affect the
performance of Advanced Threat Defense.
• You have identified the user API log of the sample that you want to use as a reference for
creating your Custom Behavioral Rules.
Task
1 Create a text file and open it in a text editor such as Windows Notepad.
2 Enter the comments in the text file to track the APIs or data that are the sources for your Custom Behavioral
Rules.
Metadata is mandatory for standard rules and optional for helper rules. For custom YARA rules, the
metadata can contain classification, description, and severity. Define all three metadata fields in the
[metadata field name] = [string/value] format. The field names are case-insensitive.
a Optionally, enter the classification value for Custom Behavioral Rules. Classification is the malware
classification category to which a behavioral rule belongs. Use the following information to calculate the
classification value.
Classification – Value
Persistence, Installation Boot Survival – 1
Hiding, Camouflage, Stealthiness, Detection and Removal Protection – 2
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection – 4
Spreading – 8
Exploiting, Shellcode – 16
Networking – 32
Data spying, Sniffing, Keylogging, Ebanking Fraud – 64
For example, if a YARA rule describes malware that attempted spreading (value 8), installation boot
survival (value 1), and networking (value 32), then the total classification value is 8+1+32 = 41.
b Enter the description for the rule, which is displayed in the analysis reports.
c Enter a severity value for the behavior described by the YARA rule.
The severity value must be an integer from 1 to 5, with 5 indicating the most malicious behavior. Severity values
are irrelevant for helper rules.
6 Click Analysis | Analysis Reports, click the icon, then select User API Log.
7 On the text editor, enter the strings and conditions according to YARA syntax.
8 Add more rules according to your requirement in the same custom YARA text file, then save the file.
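The metadata rules above (classification as a sum of the table values, severity 1 to 5, case-insensitive field names, metadata optional for helper rules) can be checked before a rule file is uploaded. The following is an added example, not part of the manual or the product: it computes and decodes the classification value, parses the meta: block of each rule in a constructed sample file, and reports metadata problems. The sample rules and their strings are constructed for illustration.

```python
import re

# Classification bit values exactly as given in the manual's table.
CLASSIFICATION_BITS = {
    "Persistence, Installation Boot Survival": 1,
    "Hiding, Camouflage, Stealthiness, Detection and Removal Protection": 2,
    "Security Solution / Mechanism bypass, termination and removal, "
    "Anti Debugging, VM Detection": 4,
    "Spreading": 8,
    "Exploiting, Shellcode": 16,
    "Networking": 32,
    "Data spying, Sniffing, Keylogging, Ebanking Fraud": 64,
}
MAX_CLASSIFICATION = sum(CLASSIFICATION_BITS.values())  # 127, every bit set


def classification_value(categories):
    """OR together the bit values of the named categories (each counted once)."""
    value = 0
    for name in categories:
        value |= CLASSIFICATION_BITS[name]
    return value


def decode_classification(value):
    """Reverse mapping: the category names whose bits are set in value."""
    return [name for name, bit in CLASSIFICATION_BITS.items() if value & bit]


# One "field = value" line inside a meta: block; the value is a quoted string or an integer.
_META_LINE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*$')
# A rule body runs from "rule <name> {" to the first closing brace on its own line.
_RULE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)
_META_BLOCK = re.compile(r'meta\s*:(.*?)\n\s*(?:strings|condition)\s*:', re.S)


def parse_rule_meta(rule_text):
    """Map each rule name to its metadata dict; keys are lower-cased because the
    manual states the field names are case-insensitive."""
    rules = {}
    for rule in _RULE.finditer(rule_text):
        name, body = rule.group(1), rule.group(2)
        meta = {}
        block = _META_BLOCK.search(body)
        if block:
            for line in block.group(1).splitlines():
                m = _META_LINE.match(line)
                if m:
                    meta[m.group(1).lower()] = (
                        m.group(2) if m.group(2) is not None else int(m.group(3)))
        rules[name] = meta
    return rules


def validate_meta(meta, helper=False):
    """Return the list of problems with one rule's metadata (empty when valid)."""
    problems = []
    if helper:
        return problems  # metadata is optional and severity is irrelevant for helper rules
    for field in ("classification", "description", "severity"):
        if field not in meta:
            problems.append(f"missing {field}")
    sev = meta.get("severity")
    if sev is not None and not (isinstance(sev, int) and 1 <= sev <= 5):
        problems.append(f"severity {sev!r} is not an integer from 1 to 5")
    cls = meta.get("classification")
    if cls is not None and not (isinstance(cls, int) and 0 <= cls <= MAX_CLASSIFICATION):
        problems.append(f"classification {cls!r} is not a sum of the table values")
    return problems


# Constructed sample rule file (not from the manual) using the manual's worked
# classification of spreading (8) + boot survival (1) + networking (32) = 41.
SAMPLE_RULES = r'''
rule Dropper_Spread_Net
{
    meta:
        Classification = 41
        description = "Adds a Run key, copies itself to shares and downloads a payload"
        severity = 4
    strings:
        $run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        $dl = "URLDownloadToFileA"
    condition:
        $run and $dl
}

rule Helper_PE_Marker
{
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}
'''

if __name__ == "__main__":
    for name, meta in parse_rule_meta(SAMPLE_RULES).items():
        helper = name.startswith("Helper_")  # naming convention assumed for this example
        print(name, meta, validate_meta(meta, helper=helper) or "OK")
        if "classification" in meta:
            print("  categories:", decode_classification(meta["classification"]))
```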
See also
Integrate Advanced Threat Defense with Active Response on page 67
in a file analyzed, then after the analysis Very High severity is displayed in the analysis report, with the rule name as
the threat name. If the defined rule is not present in the analyzed file, then Unverified is displayed in the analysis report
for the file.
Task
1 Log on to the Advanced Threat Defense web interface.
4 Next to Upload File, click Browse, then locate and open the YARA file.
6 Click Upload.
If there are syntax errors in the file, Advanced Threat Defense displays the Uploaded file contains invalid Custom
Behavioral Rules. Please check system log for more details. message.
If you delete the Current YARA rule file, the Backup file replaces the Current file. To reinstate the Current file, click
Revert.
• Secondary
• Backup
On the primary node, click Policy | Analyzer Profile, select the analyzer profile, then click Edit. Enable
Custom Yara Scanner.
Task
1 Log on to the Advanced Threat Defense web interface.
4 To download the file from the Advanced Threat Defense database onto your client, click the File Name link.
5 Open the file that you downloaded in a text editor, make your changes, then save the file.
6 On the Incremental Updates page, click Browse, locate and open the file, then click Upload.
Task
1 Log on to the Advanced Threat Defense web interface.
The whitelist database lists the MD5/SHA-256 hash values of trusted files that do not need to be analyzed.
Tasks
• Manage the file and URL samples on page 91
Add and remove file and URL samples that you have added to the whitelist database.
• Manage the digital signature samples on page 92
Add and remove the digital signature samples that you have added to the whitelist database.
Task
For details about product features, usage, and best practices, click ? or Help.
To upload a file or URL to the whitelist on the Manual Upload page, go to Analysis | Manual Upload.
Alternately, you can add an analyzed sample to the whitelist database on the Analysis Reports page in the
Analysis tab.
Task
For details about product features, usage, and best practices, click ? or Help.
To upload a digital signature to the whitelist on the Manual Upload page, go to Analysis | Manual Upload.
Alternately, you can add an analyzed sample to the whitelist database using Analysis Reports page in the
Analysis tab.
Task
1 Log on to the Advanced Threat Defense web interface.
Tasks
• Automatically download the latest Detection Package on page 92
Automatically download and install the latest Detection Package in Advanced Threat Defense.
• Manually upload the latest Detection Package on page 93
Manually upload and install the latest Detection Package in Advanced Threat Defense.
Task
For details about product features, usage, and best practices, click ? or Help.
b On the Incremental Updates window, click Install next to the new detection package.
Task
For details about product features, usage, and best practices, click ? or Help.
4 On the Incremental Updates page, click Browse, then select the detection package file.
5 Click Upload.
To reinstate the Backup file as the Current file, click Revert.
Upload files and URLs for analysis. You can monitor the status of malware analysis using Advanced Threat
Defense web interface, then view the results.
Contents
Analyze files
Analyze URLs
Monitor the status of malware analysis
View the analysis results
Submit false positive and negative samples
Troubleshoot low sandbox file scores
Monitor Advanced Threat Defense with the Dashboard
Analyze files
Advanced Threat Defense performs static and dynamic analysis on the files you submit.
Table 4-1 File guidelines
Guideline – Definition
File submission methods – You can submit files using the following methods:
• Log on to the Advanced Threat Defense web interface and manually upload the files.
• Post the files on the FTP server, which is hosted on the Advanced Threat Defense Appliance.
• Use the Advanced Threat Defense web interface RESTful APIs. For more information, refer to the McAfee
Advanced Threat Defense APIs Reference Guide.
• The maximum file size supported is 128 MB if you use the Advanced Threat Defense web interface, RESTful
APIs, or Web Gateway.
• Integrate Advanced Threat Defense with Network Security Platform and Web Gateway, which automatically
submit samples to Advanced Threat Defense.
Maximum file size – The Advanced Threat Defense web interface, RESTful APIs, and Web Gateway support a
maximum of 128 MB in file size.
Static analysis – Static analysis of Visual Basic for Applications scripts (VBA scripts) embedded inside a
Microsoft Office application takes place inside the virtual machine. The analysis enhances the ability to identify
threats that are disguised as VBA scripts.
Dynamic analysis – Dynamic analysis of Flash files occurs after you install the Internet Explorer-based Flash
plug-in or Flash player on the virtual machine. The Flash plug-in is supported only for Internet Explorer on the
virtual machine. When you install both the Flash player and the Flash plug-in, the Flash plug-in takes precedence.
Pre-filtering – Advanced Threat Defense supports Flash and PDF file sample pre-filtering. File and application
pre-filtering for Microsoft Office 2003 and earlier, and Microsoft Office 2007 and later, is supported. The
pre-filtering functionality ascertains with high confidence that Microsoft Office samples are clean, even before
these samples are submitted for dynamic analysis. This reduces load on the virtual machines.
• .png
• .gif
Task
1 Log on to the Advanced Threat Defense web interface.
Tasks
• Manually upload files on page 98
Manually upload files to Advanced Threat Defense for analysis.
For example, a default setting in the analyzer VM might pause the execution unless the setting is manually
overridden. Some files might display dialog boxes, where you are required to make a selection or a
confirmation. Malware demonstrates such behavior to determine whether it is being executed in a sandbox. The
behavior of the malware might vary based on your intervention. When you submit files in user-interactive
mode, the analyzer VM opens in a pop-up window on your client computer and you can provide your input
when prompted.
You can upload files to be executed in the user-interactive mode. This option is available only when you
manually upload a file using the Advanced Threat Defense web interface. For files submitted by other methods,
such as FTP upload and files submitted by Network Security Platform, requests for user intervention by the
malware are not honored. However, the screen shots of all such requirements are available in the Screenshots
section of the Analysis Summary report. Then you can manually resubmit such files in the user-interactive mode
to know the actual behavior of the file.
For XMode, Google Chrome version 44.0.2403 and later, and Mozilla Firefox version 40.0.3 and later are
supported. Microsoft Internet Explorer is not supported.
Because the analyzer VM is opened in a pop-up window, make sure the pop-up blocker is disabled in your
browser.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
2 Click Analysis | Manual Upload | Browse, then locate and open the file you want to submit for analysis.
You can also drag and drop the file on the Drop your file here box.
• If you are uploading a password-protected .zip file, make sure you have provided the password in the
analyzer profile that you want to use for analysis.
• If dynamic analysis is required, the files in the .zip file are executed on different instances of the analyzer
VM. If enough analyzer VMs are not available, some of the files are in the pipeline until analyzer VMs are
available.
• Because the files in the .zip file are analyzed separately, separate reports are created for each file.
• Unicode is supported for the file names of samples. A file name can contain non-English characters and
special characters.
File names are displayed as the MD5 hash value of the file if any of the following characters are used: "'`<>|;*?#$*
3 From the Analyzer Profile drop-down list, select the analyzer profile.
When the file execution completes, the VM automatically shuts down and you are unable to use Connect
to view the VNC session. When you click Disconnect, Advanced Threat Defense closes the VNC session
from the client and displays the VNC disconnected message.
Enabling X-Mode overrides the maximum execution time in the Analyzer profile to the X-Mode time.
When you submit a previously analyzed .zip file, Advanced Threat Defense displays the sample with the
highest severity.
• You have created the required analyzer profile that you want to use.
By default, FTP is not a supported protocol for uploading samples. To use FTP to upload files, you must enable it
using the set ftp enable CLI command.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open your FTP client and connect to Advanced Threat Defense using the following information.
• Host — Enter the IP address of Advanced Threat Defense
• Port — Enter 22, which is the standard port for SFTP. For FTP, enter 21.
2 Upload the files from the local site to the remote site, which is on Advanced Threat Defense.
4 Click Analysis | Analysis Status and monitor the status of the uploaded files.
See also
Set FTP on page 138
Analyze URLs
Advanced Threat Defense analyzes the URL in an analyzer VM determined by the user profile, and reports the
file analysis results. Advanced Threat Defense uses only the local blacklist and dynamic analysis for the
downloaded file. In addition, the McAfee GTI reputation of the URL is reported. The behavior of the browser
when opening the URL is also analyzed for malicious activity.
Follow these methods to submit URLs:
• Manually upload the URL using the Advanced Threat Defense web interface.
• Use the RESTful APIs to upload URLs. See the McAfee Advanced Threat Defense RESTful APIs Reference Guide.
Malicious websites typically contain multiple types of malware. When a victim visits the website, the malware
that suits the vulnerabilities present in the endpoint is downloaded. You can create multiple analyzer VMs, each
with the different operating systems, browsers, applications, and browser plug-ins that are relevant to your network.
Also, unpatched browsers and operating systems in the analyzer VMs might let you observe the actual behavior
of websites.
The advantage of using Advanced Threat Defense is that you can get a detailed report of previously unknown
malicious domains, websites, and IP addresses as well as the current behavior of known ones. You can also get
a detailed analysis report even for benign sites that were recently compromised.
Advanced Threat Defense analyzes the URL samples and generates a Graph Modeling Language (GML) file. This
file is in an ASCII plain text format, which contains data to generate a graphical representation of the logic
execution path. You cannot directly view this file in the Advanced Threat Defense web interface.
• When analyzing a URL sample, make sure you select an analyzer profile that does not have the Full
Logic Path option enabled. Full Logic Path is only supported for PE file types.
• GTI Reputation is enabled by default. This setting allows Advanced Threat Defense to analyze
URLs.
Analyzing URLs
To analyze URLs, select an analyzer profile that has both sandbox and Internet access enabled.
1 Advanced Threat Defense uses a proprietary procedure to calculate the MD5 hash value of the URL. Then, it
checks this MD5 against its local blacklist.
2 Provided that the file the URL refers to is of a supported file type, and that the MD5 of the URL is not present
in the blacklist (or the Run All Selected option is selected in the corresponding analyzer profile), Advanced
Threat Defense dynamically analyzes the file using the corresponding analyzer VM.
The McAfee GTI File Reputation, Anti-Malware, and Gateway Anti-Malware analyze options are not relevant for
URLs.
3 Dynamic analysis and reporting for URLs is similar to that of files. It records all activities in the analyzer VM
including registry operations, process operations, file operations, runtime DLLs, and network operations. If
the webpage downloads any dropper files, Advanced Threat Defense dynamically analyzes these files as well
and includes the results in the same report under embedded/dropped content section.
4 If a dropped file connects to other URLs, all these URLs are checked with TrustedSource for URL reputation
and categorization.
5 Advanced Threat Defense analyzes the URL samples and generates a Graph Modeling Language (GML) file.
This file is in an ASCII plain text format, which contains data to generate a graphical representation of the
logic execution path. You cannot directly view this file in the Advanced Threat Defense web interface.
When analyzing a URL sample, make sure you select an analyzer profile that does not have the Full Logic Path option
enabled.
Only HTTP, HTTPS, and FTP protocols are supported for URL analysis.
Upload URLs for analysis using Advanced Threat Defense web interface
You can upload URLs using two different options, depending on your requirements.
• URL—The selected URL is sent to the analyzer VM, and the file pointed to by the URL is downloaded to the
analyzer VM for analysis. For example, when a user submits the URL http://the.earth.li/~sgtatham/putty/
latest/x86/putty.exe, the URL is sent to the analyzer VM, then the putty.exe file is downloaded to the
analyzer VM.
• URL Download—The selected URL is downloaded to the Advanced Threat Defense. The file which the URL is
pointing to is downloaded locally in the Advanced Threat Defense and the downloaded file is then sent to
the static analyzers and the analyzer VM for analysis. For example, when a user submits the URL http://
the.earth.li/~sgtatham/putty/latest/x86/putty.exe, the putty.exe file is downloaded to the Advanced Threat
Defense, then sent to the analyzer VM.
When you use the Advanced Threat Defense web interface to submit a URL for analysis, select an analyzer
profile. This analyzer profile overrides the default analyzer profile associated with your user account.
Task
1 Log on to the Advanced Threat Defense web interface.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
3 From the drop-down lists, configure the view and refresh criteria.
• The default refresh interval is 1 minute.
• By default, results from the last 24 hours are displayed. You can specify these criteria based on time or
number. For example, you can select to view the status for files submitted in the last 5 minutes or for the
last 100 samples.
b Select Columns.
You can click a column heading and drag it to the required position.
6 To sort the records based on a particular column name, click the column heading.
You can sort the records in the ascending or descending order. Alternatively, move the mouse over the right
corner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending. By
default, the records are sorted in descending order based on the Submitted Time column.
7 To cancel analysis of multiple pending files, select the files using the checkbox and click Cancel Selected.
Cancel Selected and Cancel All Pending are applicable only for the files in Pending state and not in Analyzing state.
9 Click
• Older reports are deleted when the data disk of Advanced Threat Defense is 75 percent full. You
can view the current data disk space available in the System Health monitor of the Dashboard. If you
configure the options under FTP Result Output in the User Management page and use the set
resultbackup enable command, then Advanced Threat Defense saves the results locally as well as
sends them to the configured FTP server for your long-term use.
• While you view the reports, the maximum number of reports you can navigate to is one million.
If you want to view reports beyond that, use the search filter to reduce the number of reports in the
result.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
If you do not have admin permissions, only those files that you submitted are listed. A user with admin
permissions can view the samples submitted by all users.
Click Export CSV to export the status of completed files locally in CSV format.
3 Specify the criteria for viewing and refreshing the records in the Analysis Reports page.
a Set the criteria to display records in the Analysis Reports page.
By default, the results for the files completed in the last 24 hours are shown.
You can specify these criteria based on time or number. For example, you can select to view the files for
which the analysis was completed in the last 5 minutes or for the last 100 completed files.
b Set the frequency at which the Analysis Reports page must refresh itself.
The default refresh interval is 1 minute.
b Select Columns.
You can click a column heading and drag it to the required position.
5 To sort the records based on a particular column name, click the column heading.
You can sort the records in the ascending or descending order. Alternatively, move the mouse over the right
corner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending.
By default, very high severity files are shown at the top of the list.
6 To save the Analysis Reports page settings, click
• Text
Advanced Threat Defense supports XML and JSON formats, which provide well-known malware behavior tags
for high-level programming script to extract key information. Network Security Platform and Web Gateway use
the JSON formats to display the report details in their user interfaces.
Advanced Threat Defense also supports the OpenIOC and STIX formats, which you can use to share threat
information. With the OpenIOC and STIX formats, you can share the Analysis Summary reports with other
security applications for a better understanding, detection, and containment of malware. For example, you can
manually submit the OpenIOC and STIX reports to an application that queries hosts for the indicators in the
report. This way you can detect the infected hosts, and then take the required remedial actions to contain and
remove the malware.
The Threat Analysis reports in the OpenIOC and STIX formats are available in the sample Complete Results file.
• Severity 0 – Informational. The submitted file has insufficient or invalid information for analysis.
• Severity 1 – Very low activity. The submitted file has not shown signs of malware. Use with caution.
• Severity 2 – Low activity. The submitted file shows signs of malware that poses low risk.
• Severity 3 – Likely to be malicious. The submitted file shows signs of malware that poses medium risk.
• Severity 4 – Malicious. The submitted file shows signs of malware that poses high risk.
• Severity 5 – Very high. The submitted file shows signs of malware that poses very high risk.
The Deep Neural Network section displays the verdict and probability factor of the analysis through machine
learning. To enable Deep Neural Network for your analyzer profile, enable Machine Learning: Deep Neural Network under
Dynamic Analysis by editing your analyzer profile or when you create a new analyzer profile.
The Family Classification section displays the category of malware present in the file submitted.
If the parent file generates other files with malicious content, it shows categories of malware in the subordinate
files too.
To use the Family Classification option, you must have enabled the Disassembly Results option in the corresponding
analyzer profile.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
• To view the Threat Analysis Report in PDF format, click the icon, then select Analysis Summary (PDF).
You can download these files using one of the following methods.
• In the Analysis Reports page (Analysis | Analysis Reports), click the icon and select Dropped Files. Download the
dropfiles.zip file, which contains the files that the sample created in the sandbox. To use this option, you
must have enabled the Dropped Files option in the corresponding analyzer profile.
• After you click the icon, select Complete Results. Download the <sample_name>.zip file. This .zip file contains the
same dropfiles.zip inside the AnalysisLog folder. The Complete Results contains the dropfiles.zip regardless
of whether you have enabled the Dropped Files option in the corresponding analyzer profile.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Make sure the users assigned to the analyzer profile are logged off from Advanced Threat Defense.
4 From Reports, Logs, and Artifacts, select Disassembly Results, then click Save.
• To download the report as a file, click the icon in the Analysis Reports page and select Complete Results. Download the
<sample_name>.zip file. This .zip file contains a file named <file name>_detail.asm in the AnalysisLog
folder. The Zip Report contains this .asm file regardless of whether you have enabled the Disassembly Results
option in the corresponding analyzer profile.
The Disassembly Results report provides the assembler instructions along with any static standard library call
names like printf and Windows system DLL API call names embedded in the listing. If the global variables such
as string text are referenced in the code, these string texts are also listed.
The virtual address of the instruction is shown in column 1, the binary instruction in column 2, and the
assembly instruction with comments in column 3. In the preceding example, the call 00403c34 instruction
at memory location 00401010 makes a function call to memory location 0x403c34, which is identified as the
system DLL API function URLDownloadToFileA(). The comment introduced with ;; in the listing provides the
library function name.
The Logic Path Graph report is available in the Graph Modeling Language (GML) file format. The file is in ASCII
plain text format, which contains a graphical representation of the logic execution path of the sample in the
GML (Graph Modeling Language) format. You cannot directly view this file in the Advanced Threat Defense web
interface, but download it to your client computer. Then you must use a graphical layout editor, like yWorks yEd
Graph Editor, that supports GML format. You can use such an editor to display the cross-reference of all
functions using this file as an input.
You can download the Logic Path Graph file using one of the following methods.
• In the Analysis Reports page (Analysis | Analysis Reports), click the icon and select Logic Path Graph. Then download the
<file name>_logicpath.gml file. To use this option, you must have enabled the Logic Path Graph option in the
corresponding analyzer profile.
• After you click the icon, select Complete Results. Download the <sample_name>.zip file. This .zip file contains the
same <file name>_logicpath.gml file in the AnalysisLog folder. The Zip Report contains the <file
name>_logicpath.gml file regardless of whether you have enabled the Logic Path Graph option in the
corresponding analyzer profile.
This section uses yWorks yEd Graph Editor to explain how to use the Logic Path Graph GML file. In the yEd
Graph Editor, you must first set the Routing Style. You need to do this only once, and this setting is saved for
further use.
1 To open the Logic Path Graph file, use your yEd Graph Editor.
3 Click Edges, select Polyline from the Routing Style drop-down list, then click Ok.
When you open the <file name>_logicpath.gml file in yEd Graph Editor, initially you might see many
rectangle boxes overlapping each other.
The graph depicts an overview of the complexity of the sample as seen by the cross-reference of function calls.
The following shows more detail on the function names and their addresses as seen by zooming in.
Two colors are used to indicate the executed path. The red dash lines show the non-executed path, and the
blue solid lines show the executed path.
According to the preceding control graph, the subroutine (Sub_004017A0) at virtual address 0x004017A0 was
executed and is shown with a blue solid line pointing to the Sub_004017A0 box. However, the subroutine
(GetVersion) was probably not called, as a red dashed line points to it.
The Sub_004017A0 subroutine makes 11 calls, as there are 11 lines coming out of this box. Seven of these 11
calls were executed during dynamic analysis. One of them calls Sub_00401780, as there is a blue solid line
pointing from Sub_004017A0 to Sub_00401780. Calls to Sub_00401410, printf, Sub_00401882, and
Sub_00401320 were not executed and are shown with red dashed lines pointing at them.
The Sub_00401780 subroutine makes only one unique call, as there is only one line coming out of this box.
This call was executed during dynamic analysis.
<sample_name>.zip file. This .zip file contains the same information in the <sample name>.log file in the
AnalysisLog folder. The content of the .log file includes the following:
• A record of the calling sequence of all system DLL APIs.
• An address that indicates the approximate calling address from which the DLL API call was made.
• Optional input and output parameters, and the return code, for key system DLL API calls.
• The following are the other files containing the dynamic execution logs. All these files are contained in the
<sample name>.zip file.
• <sample name>ntv.txt file. This file contains the Windows Zw version of native system services API calling
sequence during the dynamic analysis. The API name typically starts with Zw as in ZwCreateFile.
• log.zip
• dump.zip
• dropfiles.zip
• networkdrive.zip
Task
1 Log on to the Advanced Threat Defense web interface.
3 Click the icon and select Complete Results.
Download the <sample_name>.zip file to the location you want. This .zip file contains the reports for each
analysis. The files in this .zip file are created and stored with a standard naming convention. Consider that
the sample submitted is vtest32.exe. Then the .zip file contains the following results:
• vtest32_summary.html (.json, .txt, .xml) — This is the same as the Analysis Summary report. There are four
file formats for the same summary report in the .zip file. The html and txt files are mainly for end users
to review the analysis report. The .json and .xml files provide well-known malware behavior tags for
high-level programming script to extract key information.
If the malware severity is 3 and above, then it contains .ioc, and .stix.xml formats of the Analysis
Summary report for the sample.
• vtest32.log — This file captures the Windows user-level DLL API calling activities during dynamic analysis.
You must thoroughly examine this file to understand the complete API calling sequence as well as the
input and output parameters. This is the same as the User API Log report.
• vtest32ntv.txt — This file captures the Windows native services API calling activities during dynamic
analysis.
• vtest32.txt — This file shows the PE header information of the submitted sample.
• vtest32_detail.asm — This is the same as the Disassembly Results report. This file contains
reverse-engineering disassembly listing of the sample after it has been unpacked or decrypted.
• log.zip — This file contains all the run-time log files for all processes affected by the sample during the
dynamic analysis. If the sample generates any console output text, the output text message is captured
in the ConsoleOutput.log file zipped up in the log.zip file. Use any regular unzip utility to see the content
of all files inside this log.zip file.
• dump.zip — This file contains the memory dump (dump.bin) of binary code of the sample during
dynamic analysis. This file is password protected. The password is virus.
• dropfiles.zip — This is the same as the Dropped Files report in the Analysis Reports page. The dropfiles.zip
file contains all files created or touched by the sample during the dynamic analysis. It is also password
protected. The password is virus.
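The following script is an added example, not code from the manual or from McAfee. It builds a small constructed results bundle in memory that follows the naming convention described above for a sample named vtest32.exe, then checks the bundle against the documented layout and pulls out what an analyst usually wants first: which summary formats are present, whether the severity-3-and-above .ioc and .stix.xml summaries exist (their exact names, vtest32_summary.ioc and vtest32_summary.stix.xml, are an assumption), the console output captured inside log.zip, and the member lists of dump.zip and dropfiles.zip. Listing the members of those two archives does not require the password; reading a member's content would need pwd=b"virus", as documented above. All file contents in the constructed bundle are placeholders.

```python
"""Inventory an Advanced Threat Defense results bundle (added example)."""
import io
import zipfile

SUMMARY_FORMATS = ("html", "json", "txt", "xml")
INNER_ARCHIVES = ("log.zip", "dump.zip", "dropfiles.zip")
ARCHIVE_PASSWORD = b"virus"   # documented password for dump.zip and dropfiles.zip (only needed to read members)


def _zip_bytes(members):
    """Build an in-memory zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_constructed_bundle(sample="vtest32", severe=True):
    """Constructed stand-in for <sample_name>.zip; real bundles are downloaded from the ATD web interface."""
    members = {f"{sample}_summary.{ext}": b"placeholder summary" for ext in SUMMARY_FORMATS}
    members.update({
        f"{sample}.log": b"placeholder user-level DLL API log",
        f"{sample}ntv.txt": b"ZwCreateFile\nZwClose\n",
        f"{sample}.txt": b"placeholder PE header information",
        f"{sample}_detail.asm": b"; placeholder disassembly listing",
        "log.zip": _zip_bytes({"ConsoleOutput.log": b"hello from sample\n"}),
        "dump.zip": _zip_bytes({"dump.bin": b"\x00" * 16}),          # unencrypted here; real one is protected
        "dropfiles.zip": _zip_bytes({"dropped/a.tmp": b"x"}),       # unencrypted here; real one is protected
    })
    if severe:  # .ioc / .stix.xml summaries exist only when severity is 3 or above (names assumed)
        members[f"{sample}_summary.ioc"] = b"<ioc/>"
        members[f"{sample}_summary.stix.xml"] = b"<stix/>"
    return _zip_bytes(members)


def expected_members(sample):
    """Files the manual says every bundle contains for a sample with this base name."""
    names = [f"{sample}_summary.{ext}" for ext in SUMMARY_FORMATS]
    names += [f"{sample}.log", f"{sample}ntv.txt", f"{sample}.txt", f"{sample}_detail.asm"]
    names += list(INNER_ARCHIVES)
    return names


def inventory(bundle_bytes, sample):
    """Check a results bundle against the documented layout and extract the first-look items."""
    report = {"present": [], "missing": [], "severe_indicators": False,
              "console_output": None, "dump_members": [], "dropped_members": []}
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        names = set(zf.namelist())
        for name in expected_members(sample):
            (report["present"] if name in names else report["missing"]).append(name)
        report["severe_indicators"] = (f"{sample}_summary.ioc" in names
                                       and f"{sample}_summary.stix.xml" in names)
        # Console output of the sample, if any, is captured in ConsoleOutput.log inside log.zip.
        if "log.zip" in names:
            with zipfile.ZipFile(io.BytesIO(zf.read("log.zip"))) as logs:
                if "ConsoleOutput.log" in logs.namelist():
                    report["console_output"] = logs.read("ConsoleOutput.log").decode("utf-8", "replace")
        # The central directory of a password-protected zip is readable without the password,
        # so names and sizes can be listed without touching the protected content.
        for archive, key in (("dump.zip", "dump_members"), ("dropfiles.zip", "dropped_members")):
            if archive in names:
                with zipfile.ZipFile(io.BytesIO(zf.read(archive))) as inner:
                    report[key] = [(zi.filename, zi.file_size) for zi in inner.infolist()]
    return report


if __name__ == "__main__":
    for key, value in inventory(build_constructed_bundle(), "vtest32").items():
        print(f"{key}: {value}")
```

Run the script against a downloaded bundle by replacing build_constructed_bundle() with the bytes of the real <sample_name>.zip; a non-empty "missing" list usually means the analysis did not complete or the sample base name was guessed wrongly.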
Task
1 Log on to the Advanced Threat Defense web interface.
7 Save the zipped <SAMPLENAME>_<MD5SUMOFSAMPLE>.zip file on your local machine, then extract the contents
and use infected as the password.
Task
For details about product features, usage, and best practices, click ? or Help.
• To submit a URL sample, go to http://www.trustedsource.org, then submit the false positive URL.
• Anti-Malware — Go to http://support.mcafee.com, select Service Requests, then submit the false positive
sample.
• Sandbox — Go to http://support.mcafee.com, select Service Requests, then submit the false positive
sample.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Go to http://support.mcafee.com, select Service Requests, then submit the false negative sample.
Make sure that you include the Analysis ID.
Task
For details about product features, usage, and best practices, click ? or Help.
• Complete the following, then submit a sample after each task to check if the sandbox file score remains low.
• Verify that you are using the latest Advanced Threat Defense version. If you are using an older version,
upgrade the Advanced Threat Defense software.
• Edit the Analyzer Profile, then select Enable Malware Internet Access.
• Verify that Microsoft Office, Adobe Flash, Adobe Reader, and Java are installed on the virtual machine.
For example, when you submit a Microsoft Office document, you must have Microsoft Office installed.
• Select Analysis | Manual Upload | User Interactive Mode, configure the remaining options, then click Submit.
Task
1 Log on to the Advanced Threat Defense web interface.
2 Select Dashboard.
3 Specify the time period for the information to be displayed in the monitors.
For example, you can select to view the information for the past one hour. By default, data for the past 14
days is shown. This field does not affect the System Health and System Information monitors.
The Advanced Threat Defense Appliance supports command-line interface (CLI) commands for tasks such as
network configuration, restarting the appliance, and resetting the appliance to factory defaults.
Contents
Issuing CLI commands
CLI syntax
Log on to the CLI
Meaning of "?"
List of CLI commands
Issuing commands
To perform an operation on the Advanced Threat Defense Appliance, you must perform the operation from the
command line of the console host that connects to the Advanced Threat Defense Appliance. For example, when
you first configure the network details for the Advanced Threat Defense Appliance, you must do so from the
console.
See also
Log on to the Advanced Threat Defense Appliance on page 115
Task
1 Open an SSH client session.
• Password — atdadmin
If you are logging on for the first time, you are prompted to change the user name and password.
You are unable to access the account associated with the new user name and password, or create another
user to access the CLI.
Depending on your SSH client, the number of logon attempts differs. For example, Putty 0.54 and 0.56 allow
you three logon attempts, and Putty 0.58 and Linux SSH clients allow you four attempts.
Auto-complete
The CLI allows you to auto-complete commands.
To auto-complete a command, press Tab after typing a few characters of a valid command and then press
Enter. For example, typing pas and pressing Tab would result in the CLI auto-completing the entry with the
command passwd.
If the partially entered text matches multiple options, the CLI displays all available matching commands.
CLI syntax
You issue commands at the command prompt as shown.
<command> <value>
• Values that you must enter are enclosed in angle brackets (< >).
Mandatory commands
There are certain commands that must be executed on the Advanced Threat Defense Appliance before it is fully
operational. The remaining commands in this chapter are optional and will assume default values for their
parameters unless they are executed with other specific parameter values.
These are the required commands:
• set appliance ip
• set appliance gateway is also required if any of the following are true:
• If the Advanced Threat Defense Appliance is on a different network than the McAfee products you plan
to integrate
• If you plan to access Advanced Threat Defense from a different network either using an SSH client or a
browser for accessing the Advanced Threat Defense web interface
Change the password using the passwd command within your first interaction with the Advanced Threat Defense
Appliance.
Meaning of "?"
? displays the possible command strings that you can enter.
Syntax
If you use ? in conjunction with another command, it shows the next word you can type. If you execute the ?
command in conjunction with the set command, for example, a list of all options available with the set
command is displayed.
activeResponseStats
Displays the statistics on McAfee Active Response and McAfee Advanced Threat Defense integration.
Syntax:
activeResponseStats
Example:
activeResponseStats
[ Active Response Statistics ]
Status : DISABLED
Request Files Received : 0
Search in Pending state : 0
Search in Completed state : 0
ERROR COUNT : 0
amas
Use this command to restart/start/stop the amas services.
Parameter Description
<WORD> The amas service you want to stop.
atdcounter
Displays the engine-specific counters, for example, files sent to and processed by McAfee GTI, Anti-Virus Engine,
Gateway Anti-Virus Engine, and amas.
Syntax: atdcounter
backup reports
Use this command to create a backup of the McAfee Advanced Threat Defense reports on an external FTP/SFTP
server configured for a user under the FTP results output setting interface ports.
Syntax
backup reports
Parameter Description
yyyy-mm-dd yyyy-mm-dd The date range for which you want to create a backup for reports.
Blacklist
Use the following commands to manage the McAfee Advanced Threat Defense blacklist.
Syntax:
• To add an MD5 to the blacklist, use blacklist add <md5> <score> <file_name> <malware_name>
<Eng-ID> <OS-ID>
Parameter Description
<md5> The MD5 hash value of a malware that you want to add to the blacklist.
<score> The malware severity score. A valid value is from 3 to 5.
<file_name> The file name for the MD5.
<malware_name> The malware name for the MD5.
<Eng-ID> The numerical ID for the engine that detected the malware. Following is the numerical
coding. Sandbox — 0, GTI — 1, GAM — 2, Anti-Malware — 4.
<OS-ID> The numerical ID of the operating system that was used to dynamically analyze the
malware.
Parameter Description
<md5> The MD5 hash value of a malware that you want to delete from the blacklist.
Parameter Description
<md5> The MD5 hash value of a malware that you want to query if it is present in the blacklist.
If the MD5 is present, the details such as the engine ID, malware severity score, and so on, are displayed.
• To update the details for an entry in the blacklist, use blacklist update <md5> <score> <file_name>
<malware_name> <Eng-ID> <OS-ID>
Parameter Description
<md5> The MD5 hash value of a malware that you want to update. This value must exist in the
blacklist for you to update the record.
<score> The new malware severity score that you want to change to. A valid value is from 3 to 5.
<file_name> The new file name for the MD5.
<malware_name> The new malware name for the MD5.
<Eng-ID> The new engine ID that you want to change to.
<OS-ID> The new value for the operating system that was used to dynamically analyze the
malware.
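The following script is an added example, not code from the manual or from McAfee. It turns a list of hash entries into blacklist add or blacklist update command lines after checking them against the rules stated above: the argument order <md5> <score> <file_name> <malware_name> <Eng-ID> <OS-ID>, a severity score of 3 to 5, and the engine coding Sandbox 0, GTI 1, GAM 2, Anti-Malware 4. The page does not enumerate OS-ID values, so only their form (a non-negative integer) is checked. Requiring file_name and malware_name to be single tokens without whitespace is my assumption, since the CLI separates arguments by spaces. All MD5 values and names below are constructed and are not indicators.

```python
"""Validate and build Advanced Threat Defense blacklist CLI lines (added example)."""
import re

ENGINE_IDS = {"Sandbox": 0, "GTI": 1, "GAM": 2, "Anti-Malware": 4}   # coding documented on this page
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MIN_SCORE, MAX_SCORE = 3, 5


def engine_id(engine):
    """Accept an engine name ('GTI') or its numeric code (1); return the code, or None if unknown."""
    if isinstance(engine, int):
        return engine if engine in ENGINE_IDS.values() else None
    return ENGINE_IDS.get(engine)


def validate_entry(md5, score, file_name, malware_name, engine, os_id):
    """Return a list of problems; an empty list means the entry can become a command line."""
    problems = []
    if not isinstance(md5, str) or not MD5_RE.match(md5):
        problems.append("md5 must be 32 hexadecimal digits")
    if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
        problems.append(f"score must be an integer from {MIN_SCORE} to {MAX_SCORE}")
    for label, value in (("file_name", file_name), ("malware_name", malware_name)):
        if not value or any(ch.isspace() for ch in value):
            problems.append(f"{label} must be a single non-empty token")   # assumption: no quoting in the CLI
    if engine_id(engine) is None:
        problems.append(f"engine must be one of {sorted(ENGINE_IDS)} or their numeric codes")
    if not isinstance(os_id, int) or os_id < 0:
        problems.append("os_id must be a non-negative integer")   # valid values are not listed on the page
    return problems


def build_command(action, md5, score, file_name, malware_name, engine, os_id):
    """Return the CLI line for one entry, or raise ValueError listing every validation failure."""
    if action not in ("add", "update"):
        raise ValueError("action must be 'add' or 'update'")
    problems = validate_entry(md5, score, file_name, malware_name, engine, os_id)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"blacklist {action} {md5.lower()} {score} {file_name} "
            f"{malware_name} {engine_id(engine)} {os_id}")


def build_batch(action, rows):
    """rows: iterable of (md5, score, file_name, malware_name, engine, os_id) tuples.
    Returns (commands, rejected); rejected pairs each bad row with its list of problems,
    so one malformed entry does not silently drop the whole batch."""
    commands, rejected = [], []
    for row in rows:
        problems = validate_entry(*row)
        if problems:
            rejected.append((row, problems))
        else:
            commands.append(build_command(action, *row))
    return commands, rejected


# Constructed rows; the hashes are made up and do not correspond to any real sample.
SAMPLE_ROWS = [
    ("00112233445566778899aabbccddeeff", 5, "dropper.exe", "Trojan.Constructed", "Sandbox", 1),
    ("0123456789ABCDEF0123456789ABCDEF", 4, "invoice.docm", "Downloader.Constructed", 2, 3),
    ("not-a-hash", 2, "bad name.exe", "Bad.Name", "Yara", -1),   # every field but malware_name is wrong
]

if __name__ == "__main__":
    commands, rejected = build_batch("add", SAMPLE_ROWS)
    print("\n".join(commands))
    for row, problems in rejected:
        print(f"rejected {row[0]}: {'; '.join(problems)}")
```

The generated lines are meant to be pasted into the CLI session one at a time, or reviewed first; rejected rows are reported with every failing field so the source list can be corrected in one pass.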
clearstats all
Use this command to reset all the McAfee Advanced Threat Defense statistics to zero.
clearstats ActiveResponse
Clears all previous statistics from McAfee Active Response and McAfee Advanced Threat Defense integration.
Syntax:
clearstats ActiveResponse
Example:
clearstats ActiveResponse
All Active Response stats are reset to zero
Request Files Received : 0
Search in Pending state : 0
Search in Completed state : 0
Response from MAR : 0
clearstats dxl
Resets the DXL file counter to zero.
Syntax: clearstats dxl
clearstats lb
Use this command to reset all the McAfee Advanced Threat Defense load-balancing statistics to zero.
Syntax: clearstats lb
clearstats tepublisher
Clear the count of events sent to McAfee ePO.
clearlbconfig
This command destroys the cluster from the CLI command prompt. It can be run on any node
(Primary/Backup/Secondary). It wipes out all cluster-related configuration from that node and makes it a
standalone box.
This command can be used in scenarios where the normal means of removing a node (Remove Node/Withdraw
From Cluster) do not remove that node from the cluster.
When you execute the clearlbconfig command on a Primary or Active node, you must execute the command on
all other nodes in the cluster.
Syntax: clearlbconfig
createDefaultVms
Delete all of the existing analyzer VMs and create default analyzer VMs.
Syntax: createDefaultVms
This command will not work on the non-active nodes in the cluster.
db_repair
Repairs the Advanced Threat Defense database when the database is corrupt.
Syntax: db_repair
deleteblacklist
Remove all the entries from the Advanced Threat Defense blacklist.
Syntax: deleteblacklist
deletesamplescore <0-5>
Deletes all sample reports with the specified severity score.
Syntax:
deletesamplescore <0-5>
Parameter Description
<0-5> Enter a severity score between 0 to 5.
Example:
deletesamplescore 0
Deleting all sample results with score=0
delete 0 sample entries with 0
deletesamplereport
Deletes all of the analysis reports for a file.
Syntax: deletesamplereport <md5>
Parameter Description
<md5> The file MD5 value that you want to use to delete all the reports in Advanced Threat Defense.
diskcleanup
Delete old analysis reports when the Advanced Threat Defense disk space is low.
Syntax: diskcleanup
To prevent Advanced Threat Defense from losing your results and reports, enable set resultbackup.
dxlstatus
View the DXL status.
Syntax: dxlstatus
Exit
Exits the CLI.
This command has no parameters.
Syntax:
exit
factorydefaults
Deletes all samples, results, logs, and analyzer VM images, then resets the IP addresses before rebooting the
device. This command does not appear when you type ?, nor does the auto-complete function apply to this
command. You must type the command in full to execute it.
This command has no parameters.
• You are warned that the operation will clear Advanced Threat Defense Appliance and you must confirm the
action. The warning occurs since the Advanced Threat Defense Appliance returns to its clean, pre-configured
state, thus losing all current configuration settings in both the active and backup disks. Once you confirm,
this command immediately clears all your configuration settings, including samples, results, logs, and
analyzer VM images, in both the active and backup disks.
• The current software version in the backup disk is applied on the active disk.
Syntax:
factorydefaults
filetypefilter
Enables Advanced Threat Defense to use the file extension that the file carries before sending it for dynamic
analysis.
Syntax: filetypefilter <enable> <disable> <status>
Parameter Description
status Displays whether the filetypefilter feature is enabled or disabled.
By default, it is disabled.
enable Enables sample filtering. When enabled, Advanced Threat Defense uses the following supported
file types for analysis:
.7z, .ace, .apk, .arj, .bat, .cab, .cgi, .chm, .class, .cmd, .com,
.dll, .doc, .docm, .docx, .dotm, .dotx, .eml, .exe, .htm,
.html, .inf, .ins, .js, .lnk, .lzh, .lzma, .mof, .msg,
.ocx, .pdf, .potm, .potx, .ppam, .pps, .ppsm, .ppsx
ftptest USER_NAME
Tests the FTP settings.
Parameter Description
USER_NAME The user name for which you want to test the FTP settings.
Example: NSPuser
gti-restart
Restarts the McAfee GTI engine.
Syntax: gti-restart
help
Provides a description of the interactive help system.
This command has no parameters.
Syntax:
help
http_redirect
Enables or disables the redirection of http browser requests to https. When http_redirect is disabled, secure
access to the Advanced Threat Defense Appliance is ignored.
Syntax:
set http_redirect
When port 80 is disabled, then the HTTP port is used to access the Advanced Threat Defense Appliance
interface in a browser.
Any sample that you submit during the command execution is rejected as lighttpd is restarted.
Parameter Description
enable When http_redirect is enabled, the http url is redirected to https. RestAPI calls with
only the https protocol are accepted.
disable When http_redirect is disabled, http is not redirected to https. RestAPI calls with
the http or https protocol are accepted.
Make sure http_redirect is always enabled. Disable http_redirect only when there are issues with certificate
validation.
To view if http to https redirection is enabled or disabled on the Advanced Threat Defense Appliance, use the
show http_redirect command. By default, the redirect feature is enabled.
install msu
Installs these msu files.
• amas-3.x.x.x.x.msu
• system-3.x.x.x.x.msu
Syntax:
install msu
Parameter Description
<SWNAME> The msu filename that you want to install.
<RESET_DB> Accepts the following values:
• 0 — msu file installs without resetting the database
• 1 — msu file install and the database is reset
Before you run this command, SFTP the install package to your Advanced Threat Defense Appliance with the
atdadmin user account.
Syntax:
Parameter Description
<package path> Enter the package path and name.
lbservice restart/status
Use this command to restart the LB services or to check the status of LB services.
Syntax:
lbservice <restart>/<status>
Example:
lbservice is running
lbservice restarted
ATD-3000>
lbstats
Shows the statistics for the Primary node, Backup node, and Secondary node in a load-balancing cluster.
This command has no parameters. No output is displayed if the Advanced Threat Defense is not part of a
cluster.
Syntax:
lbstats
list
Lists all of the available CLI commands.
Syntax: list
lowseveritystatus
Advanced Threat Defense treats severity 1 and 2 samples as low-severity, and severity 3, 4, and 5 as malicious.
By default, when you configure dynamic analysis, the dynamic analysis score is displayed in the summary report
for all samples. The score also affects the final score for the sample. You can use the lowseveritystatus
command to alter the behavior. For example, for low-severity samples that are dynamically analyzed, Advanced
Threat Defense does not display the dynamic analysis score in the summary report, or consider the score to
compute the final score.
The lowseveritystatus command applies only to non-PE samples, such as Microsoft Word documents and PDF
files.
Parameter Description
show The default behavior. If a sample is dynamically analyzed, Advanced Threat Defense displays the
dynamic analysis score in the report. It also considers the score to compute the final score.
hide Assume that the sample is a non-PE file, which has undergone dynamic analysis. If Advanced
Threat Defense detects the file to be low-severity, it does not display the dynamic analysis score
in the report (under Sandbox in the Down Selector's Analysis section). Advanced Threat Defense also
does not consider the dynamic analysis score for computing the final score. However, the details
of the dynamic analysis such as files opened and files created are included in the report.
The lowseveritystatus hide command affects only the score displayed in the report and does not
affect how the results are displayed in the Analysis Reports page.
no malware-dns
Use this command to reset the malware DNS to the default 127.0.0.1.
Syntax:
no malware-dns
no timeout
Removes timeout for SSH sessions.
Syntax:
no timeout
nslookup
Performs a DNS lookup for a domain name. You can use nslookup to verify that Advanced Threat Defense can
resolve domain names correctly.
Parameter Description
<WORD> The domain name that you want to query for nslookup.
passwd
Changes the password of the CLI cliadmin user.
A password must be between 8 and 25 characters in length and can consist of any alphanumeric character or
symbol.
You are asked to enter the current password before changing to a new password.
Syntax:
passwd
ping
Pings a network host or domain name. Specify an IPv4 address to ping a network host, or a domain name to ping
by name.
Syntax:
ping <A.B.C.D>
Parameter Description
<A.B.C.D> Denotes the 32-bit network host IP address written as four eight-bit numbers separated by
periods. Each number (A, B, C or D) is an eight-bit number between 0–255.
<WORD> The domain name that you want to ping.
quit
Exits the CLI.
This command has no parameters.
Syntax:
quit
reboot
Reboots the Advanced Threat Defense Appliance with the image in the current disk. You must confirm that you
want to reboot.
Syntax:
reboot
Parameter Description
reboot vmcreator Recreates the analyzer VMs configured in the Advanced Threat Defense web interface,
while rebooting the appliance.
remove
This command removes all original samples from ATD for which analysis is complete.
• enable: When executed, immediately removes the original samples for all the completed samples present
on ATD. It also enables you to set a daily task to automatically remove original samples from newly
completed samples at a configured time.
• disable: When executed, disables the daily task to remove original samples from newly completed sample
files at the configured time.
removeAndroid
Remove the Android VM from the VM profile list.
Ensure that Android is not the default VM profile and that the Vmcreator process is not running.
Syntax: removeAndroid
Sample Output:
ATD_1U_21> removeAndroid
This command will not work on the non-active nodes in the cluster.
removenetworkaddress
Removes the IP, subnet mask, and gateway addresses from the Advanced Threat Defense Appliance.
The changes are reflected after the box is rebooted. This is a hidden command, but is useful for Support.
Syntax: removenetworkaddress
removeSampleInWaiting
Remove all of the samples to be analyzed by Advanced Threat Defense.
Syntax: removeSampleInWaiting
removevmImage
When the option is specified as all, this command deletes the VM image from all nodes in the LB cluster; execute it
from the Primary [Active] or Backup [Active] Advanced Threat Defense.
If the option is specified as A.B.C.D, it deletes the image only from the Secondary with IP A.B.C.D.
Reduce the license count for ImageName to zero before executing this command, or the command execution
fails. This command does not delete the ImageName from the Active (Primary/Backup) Advanced Threat Defense.
Syntax:
Example:
resetuiadminpasswd
Resets the Advanced Threat Defense web interface administrator password. When you use the command, the
password is reset to the default value, which is admin. The currently logged on sessions are unaffected. A
change in password affects only new logon attempts.
Syntax: resetuiadminpasswd
resetusertimeout
Enables you to log on to Advanced Threat Defense web interface without waiting for the timer to expire.
Parameter Description
<WORD> The Advanced Threat Defense web interface user name for which you want to remove the logon timer.
When the action is successful, the Reset done! message displays.
restart network
Restarts the Advanced Threat Defense network.
Use this command when you cannot revert the application software from the Advanced Threat Defense
interface.
revertwebcertificate
Revert the uploaded web certificate to the default certificate.
Syntax: revertwebcertificate
revertwebcertificate
Successfully reverted back web certificate to default!
Restarting lighttpd service!
route add network <network ip> netmask <netmask> gateway <gateway ip> intfport <port
number 1><port number 2><port number 3>
Example: route add network 1.1.1.0 netmask 255.255.255.0 gateway 1.1.1.1 intfport 1
To delete a route
route delete network <network ip> netmask <netmask> gateway <gateway ip> intfport
<port number 1><port number 2><port number 3>
Example: route delete network 1.1.1.0 netmask 255.255.255.0 gateway 1.1.1.1 intfport 1
samplefilter
This command is specific to Network Security Platform Sensors and all REST channel submissions. Use this
command to prevent Sensors from sending unsupported file types to McAfee Advanced Threat Defense for
analysis.
Syntax:
samplefilter <status><enable><disable>
Parameter Description
status displays whether the sample filtering feature is enabled or disabled currently. By default, it is
enabled.
enable sets the sample filtering on. When it is enabled, McAfee Advanced Threat Defense considers only
the supported file types from Network Security Platform for analysis.
McAfee Advanced Threat Defense ignores all other file types and also informs Network Security
Platform that a sample is of an unsupported file type. This prevents resources being spent on
unsupported file types on both McAfee Advanced Threat Defense and Network Security Platform.
disable sets the sample filtering to off. When disabled, McAfee Advanced Threat Defense considers all
the files submitted by Network Security Platform for analysis but only the supported file types
are analyzed. The remaining are reported as unsupported in the Analysis Status and Analysis Reports
pages.
Example:
samplefilter status
See also
Analyzing malware on page 4
Parameter Description
<A.B.C.D> DNS preferred address
<E.F.G.H> DNS alternate address
<WORD> Appliance domain name
set port80
Allows you to access Advanced Threat Defense interface from a web browser through HTTP port 80.
Syntax
Parameter Description
<enable> The Advanced Threat Defense interface can be accessed using the https://<Advanced Threat
Defense IP address> link from a browser.
(Replace Advanced Threat Defense IP address with the actual IP address)
<disable> The Advanced Threat Defense interface can't be accessed from a browser.
Delete the browser cache before you access the Advanced Threat Defense interface.
If you disable port 80, the http redirect will also not work.
Example
Syntax:
Parameter Description
<A.B.C.D> A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents
an eight-bit number between 0–255.
Example:
set appliance ip
Specifies the Advanced Threat Defense Appliance IPv4 address and subnet mask. Changing the IP address
requires a restart for the changes to take effect. See the reboot command for instructions on how to reboot
the Advanced Threat Defense Appliance.
Syntax:
Parameter Description
<A.B.C.D E.F.G.H> Indicates an IPv4 address followed by a netmask. The netmask strips the host ID from the IP
address, leaving only the network ID. Each netmask consists of binary ones (decimal 255) to
mask the network ID and binary zeroes (decimal 0) to retain the host ID of the IP
address (for example, the default netmask setting for a Class C address is 255.255.255.0).
Example:
Syntax:
Parameter Description
<WORD> Indicates a case-sensitive character string up to 25 characters. The string can include hyphens,
underscores, and periods, and must begin with a letter.
Example:
Syntax:
Parameter Description
<Private Cloud IP> Enter the IP address for the GTI Private Cloud.
Syntax:
Parameter Description
<Domain name> Enter the URL for the GTI Private Cloud.
Syntax:
Syntax:
set intfport
Enable or disable the Advanced Threat Defense interface ports.
Syntax:
Parameter Description
<1-3> Enter one of the three available ports.
<ip address> Enter the IP address that you want to remove.
Example:
Syntax:
Example:
set intfport ip
Sets an IP address to an interface port.
Syntax:
Example:
Syntax:
Parameter Description
<1> <2> <3> Specifies the interface port ID that you want to use to configure the speed and duplex.
<10 | 100> Configures the speed on the interface port. The speed value can be either 10 or 100.
<half | full> Configures the duplex setting on the interface port. Set the value half for half duplex, and full
for full duplex.
Example:
set IPAddressSwap
When you submit samples for analysis through Network Security Platform, the source and destination IP
information is swapped for the submitted samples.
To reverse this swap caused by Network Security Platform, Advanced Threat Defense provides the set
IPAddressSwap command. This command nullifies the swap effect of Network Security Platform and displays
the correct source and destination IP information for samples submitted through Network Security
Platform. When samples are submitted from McAfee NGFW to Advanced Threat Defense, the source and
destination IP information is displayed correctly. Based on your preference, you can use the following
command to enable or disable IPAddressSwap.
Parameter Description
enable Enables LDAP authentication.
disable Disable LDAP authentication.
Example:
Note:
Authentication method got changed!
Terminating matdcli session in 10 seconds!
Please login again!
set malware-dns
Use this command to configure the malware DNS IP that Advanced Threat Defense uses to route the malware
DNS queries.
Syntax: set malware-dns
set malware-intfport
Configure the required port to route Internet traffic from an analyzer VM.
Before you run this command, make sure that the required port is enabled and configured with an IP address.
Run the show intfport 1 and verify the Malware Interface Port and Malware Gateway entries.
Advanced Threat Defense uses the configured port to provide Internet access to analyzer VMs.
See also
Internet access to sample files on page 15
Syntax:
Default Value:
Run the show intfport mgmt and verify the Malware Interface Port and Malware Gateway entries.
McAfee Advanced Threat Defense uses the management port to provide Internet access to analyzer VMs. See
Internet access to sample files on page 15.
Syntax:
Parameter Description
<10|100> Specifies the speed on the Ethernet network port. The speed value can be either 10 or 100 Mbps.
To set the speed to 1000 Mbps, use the set mgmtport auto command.
<half|full> Specifies the duplex setting on the Ethernet network port.
• half — Half duplex
• full — Full duplex
Default Value:
set pdflinks
Enable or disable validation operation performed by McAfee GTI on links embedded inside PDFs during
dynamic analysis.
set filesizes
Enables you to change the minimum and maximum file sizes.
Syntax:
set filesizes <type number> <minimum size> <maximum size> <restart engine>
Parameter Description
type number Type of file submitted for analysis.
minimum size Minimum file size.
maximum size Maximum file size.
restart engine Uses a value of 1 or 0.
1 — Restart AMAS service; this is required for NSP and NGFW integration.
0 — Keeps AMAS service running; use this when submission is through GUI/RestAPI.
For example, if you want to change the minimum file size of a JPEG image file to 300 bytes, then run the
command: set filesizes 7 300 1000000 0.
If the file size specified is beyond the minimum or maximum value listed in the above table, the following error
message is displayed:
The <max><min> file size value=<numeric value specified> is invalid
Set FTP
When you upload files for analysis using an FTP client or when you import a VMDK file into Advanced Threat
Defense to create an analyzer VM, you use SFTP since FTP is not supported by default. However, if you prefer to
use FTP for these tasks, you can enable FTP.
See also
show ftp on page 144
set headerlog
Use this command to enable or disable the logging of HTTP header information. The lighttpd web
server is restarted on execution of this command.
This command has no parameters.
set logconfig
Set the debugging mode to be applied for logs.
set mar-timeout
Configure a timeout period after which Advanced Threat Defense stops querying MAR server for results.
set nsp-ssl-channel-encryption
Use this command to configure an encrypted channel for communication between Advanced Threat Defense
and Network Security Platform.
• Log on to the Advanced Threat Defense CLI and execute set nsp-ssl-channel-encryption enable.
• If encryption is disabled on Advanced Threat Defense and Network Security Platform, the data sent from
Network Security Platform to Advanced Threat Defense is not encrypted and uses a NULL-SHA cipher.
• Log on to the Sensor CLI and enter into debug mode.
• Log on to the Advanced Threat Defense CLI and execute set nsp-ssl-channel-encryption
disable.
Parameter Description
enable Enable TCP channel support
disable Disable TCP channel support
Example:
set stixreportstatus
Use this command to enable or disable the STIX report generation.
This command has no parameters.
See also
show stixreportstatus on page 149
set tcpdump
Configures the packet capture functionality.
set tcpdump <start> <stop>
Parameter Description
start Starts the packet capture operation on the specified tcp dump.
stop Stops the packet capture operation.
Parameter Description
<0-35791> Value to set the SSH timeout in seconds.
Example:
set uilog
Sets the amount of web interface access information to be logged. Level varies from 1 to 7.
Syntax:
set uilog <numeric>
Parameter Description
<numeric> Sets the amount of UI access information to be logged.
set ui-timeout
Specifies the number of minutes the Advanced Threat Defense web interface is inactive before the connection
times out.
Syntax:
Parameter Description
<60 - 86400> You can set a timeout period from 60 to 86,400 seconds.
show
Shows all the current configuration settings on the Advanced Threat Defense Appliance.
This command has no parameters.
Syntax:
show
[Sensor Info]
• Serial Number
• IP Address
• Netmask
• Default Gateway
• DNS address
Sample Output:
AV DAT version=7868
AV Engine version=5700
GAM DAT version=3811
GAM Engine version=7001.1302.1842
show ds status
View the status of all analyzing options.
Sample Output:
GTI is alive
MAV is alive
GAM is alive
Yara is alive
show ec
Displays the status and configurations of email connector.
Syntax: show ec
Example:
show ec
Email Connector Status :enabled
Listen Port :1234
Smart Host name :10.213.248.196
Smart Host port :2222
Maximum time per email :3600
Normal Mode :enabled
EC Health Status :Healthy.
Skip Protected Files :disabled
show ec file-types
Shows whether the email connector file types are enabled or disabled for scans.
Syntax:show ec file-types
show ec filter-rules
Shows the list of Email Connector Filter Rules.
Syntax:show ec filter-rules
show ec permittedHosts
Shows the email connector permitted hosts.
Syntax:show ec permittedHosts
show ec rejectmode
Shows what action is to be taken when the system is overloaded
Syntax:show ec rejectmode
Example
show filequeue
Displays the file queue statistics, such as the estimated average processing time, analysis time, and the files
that are pending.
This command has no parameters.
Syntax: show filequeue
show filesizes
Displays all the filetypes supported by Advanced Threat Defense with details such as type number, minimum
and maximum file size, and short description.
This command has no parameters.
Syntax:
show filesizes
show ftp
Shows whether FTP is currently enabled or disabled. By default, FTP is disabled.
Syntax: show ftp
See also
Set FTP on page 138
Example:
show history
Displays the list of CLI commands issued in the session.
show intfport
Shows the status of the specified interface port or the management port of McAfee Advanced Threat Defense.
Syntax: show intfport <mgmt> | <1> | <2> | <3>
• If the port is configured to provide Internet access to analyzer VMs, the corresponding gateway for this traffic.
show IPAddressSwap
Shows whether IPAddressSwap is currently enabled or disabled. By default, IPAddressSwap is enabled.
show ldap
Displays the configured parameters for LDAP authentication.
Syntax:
show ldap
Example:
show ldap
+++++ LDAP Configuration +++++
LDAP username : (null)
Base DN : (null)
LDAP Login Attribute : (null)
LDAP Search scope : subtree
LDAP Auth Method : Simple
LDAP Server : IP:[(null)] Port:[0]
LDAP Service status : DOWN
LDAP Fallback status : DISABLE
Example:
show logconfig
Shows the debug mode currently in use.
Syntax: show logconfig
show mar-timeout
Displays the configured timeout period after which Advanced Threat Defense stops querying the MAR server
for results.
show pdflinks
Shows whether McAfee GTI validates links embedded in PDFs during dynamic analysis.
show msu
Displays all the .msu files copied to Advanced Threat Defense over SFTP.
Syntax: show msu
If you do not specify the Sensor IP address, the details are displayed for all the Sensors integrated with the
Advanced Threat Defense Appliance.
• The timestamp of when the last packet was sent to and received from the Sensor.
• The encryption method used for the communication with the Sensor.
• Count of MD5 mismatches between what was sent by the Sensor and what was calculated by Advanced
Threat Defense.
Parameter Description
status Displays the SSL channel encryption status for Network Security Platform.
Example:
show port80
Displays the status of HTTP port 80.
Syntax:
show port80
Example:
show port80
HTTP port 80 is closed or blocked
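The show commands print settings as "Key :value" lines, as in the show ec and show ldap examples above, while show port80 prints a one-line status. The following Python is added here as an example and is not part of the manual or the product: it parses copies of those three sample outputs, embedded as constructed strings, and flags settings an operator would want to review, namely an enabled but unhealthy Email Connector, an unconfigured or DOWN LDAP server, LDAP simple bind, and an HTTP port 80 that is not reported closed. The function names and finding texts are my own; the simple-bind check rests on the general LDAP fact that a simple bind sends the password in clear text unless the connection is TLS-protected, which the manual itself does not discuss.

```python
import re

# Constructed sample output, transcribed from the manual's own "show ec",
# "show ldap" and "show port80" examples. The appliance prints "Key :value" lines.
SHOW_EC_OUTPUT = """Email Connector Status :enabled
Listen Port :1234
Smart Host name :10.213.248.196
Smart Host port :2222
Maximum time per email :3600
Normal Mode :enabled
EC Health Status :Healthy.
Skip Protected Files :disabled"""

SHOW_LDAP_OUTPUT = """+++++ LDAP Configuration +++++
LDAP username : (null)
Base DN : (null)
LDAP Login Attribute : (null)
LDAP Search scope : subtree
LDAP Auth Method : Simple
LDAP Server : IP:[(null)] Port:[0]
LDAP Service status : DOWN
LDAP Fallback status : DISABLE"""

SHOW_PORT80_OUTPUT = "HTTP port 80 is closed or blocked"

# Only the first colon separates key from value, so "IP:[...] Port:[0]" survives intact.
KV_LINE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_kv(text):
    """Turn 'Key :value' lines into a dict; banner lines without a colon are skipped."""
    settings = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(ec, ldap, port80):
    """Return a list of findings (hypothetical wording) for an operator to review."""
    findings = []
    if ec.get("Email Connector Status") == "enabled" and not ec.get("EC Health Status", "").startswith("Healthy"):
        findings.append("Email Connector is enabled but not healthy: " + ec.get("EC Health Status", "?"))
    if "(null)" in ldap.get("LDAP Server", ""):
        findings.append("LDAP server is not configured")
    if ldap.get("LDAP Service status") == "DOWN":
        findings.append("LDAP service is DOWN; LDAP logons will fail")
    if ldap.get("LDAP Auth Method") == "Simple":
        # General LDAP fact: a simple bind carries the bind password in clear text
        # unless the session is protected by TLS (LDAPS or StartTLS).
        findings.append("LDAP uses simple bind; confirm the connection to the LDAP server is TLS-protected")
    if "closed or blocked" not in port80:
        findings.append("HTTP port 80 is not reported as closed or blocked")
    return findings


def run_audit():
    """Audit the constructed samples; returns the findings list."""
    return audit(parse_kv(SHOW_EC_OUTPUT), parse_kv(SHOW_LDAP_OUTPUT), SHOW_PORT80_OUTPUT)


if __name__ == "__main__":
    for finding in run_audit():
        print("-", finding)
```

On the manual's own samples the audit reports three findings, all from the LDAP output; in practice you would feed it the text captured from an SSH session to the appliance instead of the embedded strings.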
show resultbackup
This command displays the resultbackup status.
Syntax:
show resultbackup
show route
Displays the routes that you configured using the route add command as well as the system IP routing table.
Syntax:
show route
The following table describes the details from a sample output of the command.
show stixreportstatus
Displays the current STIX report status.
This command has no parameters.
show system id
Displays the system ID.
Syntax:
show system id
71xxxxxxxx-xxxxxxx-xxxxx-xxxxxx-xxxxxxxxxxxxx
show tcpdump
Displays the current status of packet capture functionality. The maximum file size for the capture is 10MB.
Syntax: show tcpdump
show tepublisherstatus
Displays the status of McAfee ePO Threat Event Publisher.
Syntax:
show tepublisherstatus
show timeout
Displays the timeout value configured for SSH.
Syntax: show timeout
Example:
show timeout
show ui-timeout
Displays the Advanced Threat Defense web interface client timeout in seconds.
Syntax: show ui-timeout
show uilog
Shows the current uilog level.
This command has no parameters.
Syntax:
show uilog
show version
Displays the zebra version of Advanced Threat Defense.
This command has no parameters.
Syntax:
show version
Example:
Backup VERSION=3.8.0.19.58759
Backup LastModifiedTime=2016-12-02 02:01:23
show vmImage
This command displays the list of the VM Images in Advanced Threat Defense.
Syntax:
show vmImage
Example:
android
winxpSp3
win7sp1
ATD-3000>
show waittime
Displays the wait time threshold set for Email Gateway.
Syntax: show waittime
shutdown
Stops the Advanced Threat Defense Appliance so you can power it down. You must confirm that you want to
shut it down. Then, after about a minute, power down the Advanced Threat Defense Appliance manually and
unplug both power supplies; the Advanced Threat Defense Appliance does not power off automatically.
Syntax:
shutdown
status
Shows Advanced Threat Defense system status, such as the health and the number of files submitted to various
engines.
This command has no parameters.
Syntax: status
Sample output:
terminal
Sets the number of lines to display on the Advanced Threat Defense web interface.
Syntax:
terminal <length> | no
Parameter Description
<length> Sets the number of lines to display. The value ranges from 0 - 512.
no Negates the previous command or sets the default value.
unlockuser <username>
Unlock a locked account.
Syntax
unlockuser <username>
Parameter Description
<username> Enter the username of the locked user account.
Example
unlockuser admin
Unlock user: admin
User unlocked!
update_avdat
By default, Advanced Threat Defense updates the DAT files for the McAfee Gateway Anti-Malware Engine and
McAfee Anti-Malware Engine every 90 minutes. To update these files immediately, use the update_avdat
command.
This command has no parameters.
Syntax: update_avdat
vmlist
Displays a list of all the VMs configured in Advanced Threat Defense.
Syntax: vmlist
watchdog
The watchdog process reboots the Advanced Threat Defense Appliance when an unrecoverable failure is
detected.
Syntax:
watchdog <on> | <off> | <status>
Parameter Description
<on> Enables the watchdog.
<off> Disables the watchdog. Use it if the appliance reboots continuously due to repeated system
failure.
<status> Displays the status of the watchdog process.
web
Restart, start, stop, and check the web service.
Syntax:
web <parameters>
Parameter Description
restart Restart the web service.
start Start the web service.
stop Stop the web service.
check Check the web service.
Example:
web restart
Service: restart
Web restarted
Web request done
whitelistMerge
Manually copies the Global Whitelist database of the Active node onto the Secondary or Backup nodes.
This is a one-time activity; afterwards, the Whitelist database of the Secondary/Backup nodes is automatically
overwritten by that of the Active node daily at 0000 hours.
• whitelistMerge <cluster> executed on the Active node of a cluster: the Global Whitelist database of the
Active node is copied onto the Secondary/Backup nodes and the following sample output is displayed.
Sample Output:
• whitelistMerge <cluster> executed on a Secondary node or Backup node of a cluster: the following sample
output is displayed.
Sample Output:
• whitelistMerge <standalone> executed on a standalone Advanced Threat Defense: the following sample
output is displayed.
Sample Output:
xl destroy
Deletes the specified snapshot of a VM.
Use the vmlist CLI command to get detailed information on the VirtualMachineName or VM Domain ID.
Sample Output:
ATD300025> xl destroy 31
This command will not work on the non-active nodes in the cluster.
Manage the malware analysis configurations and monitor the Advanced Threat Defense Appliance
performance.
Contents
Delete VMDK files
Monitor the Advanced Threat Defense performance
Upgrade the software and Android analyzer VM
Limit the number of records in the database
Troubleshooting
Back up and restore Advanced Threat Defense Appliance from a USB drive
Back up and restore the Advanced Threat Defense database
Task
For details about product features, usage, and best practices, click ? or Help.
3 To connect to the Advanced Threat Defense Appliance, use your FTP client.
For example, FileZilla.
• Use the status command in the Advanced Threat Defense Appliance CLI.
See also
CLI commands on page 4
Best practice: Upgrade the Advanced Threat Defense software to the latest version.
Task
To complete a successful upgrade, you must already use Advanced Threat Defense 3.4.8 or later. For details
about product features, usage, and best practices, click ? or Help.
3 On the LDAP server, make sure the gidNumber value is 1024 for the atdadmin user.
Task
1 Go to the McAfee Downloads page.
2 Enter the Grant Number, the letters or numbers displayed, then click Submit.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Use an FTP client, such as FileZilla, to log on to the Advanced Threat Defense Appliance.
Log on as the atdadmin user.
2 Using SFTP, upload these files to the Advanced Threat Defense root directory:
• Installation file
3 Use the following to upgrade the Advanced Threat Defense software, then repeat these steps to upgrade the
Android analyzer VM.
a Log on to the Advanced Threat Defense web interface as the administrator.
4 When the Advanced Threat Defense Appliance starts, log on to the CLI and verify the software version.
5 Log on to the Advanced Threat Defense web interface and verify the following.
• Software version
• All data and configuration settings are transferred from the previous Advanced Threat Defense
installation
6 Click Dashboard, then verify that the VM Creation status is Successful on the VM Status monitor.
Advanced Threat Defense automatically re-creates all analyzer VMs. The amount of time it takes to re-create
the analyzer VMs depends on the number of analyzer VMs configured in Advanced Threat Defense.
The Advanced Threat Defense Appliance stores the software version on the active disk.
When you upgrade the software, Advanced Threat Defense disables the Whitelist status.
Task
For details about product features, usage, and best practices, click ? or Help.
Upgrading the application software also upgrades the detection packages. You would not see any previously
installed detection packages after this upgrade. Also, the system services and system might restart during the
application software upgrade process.
When updates are available for the application software and detection software package, notification messages
appear in the toolbar of the Advanced Threat Defense interface.
Tasks
• Automatically download the latest application software package on page 158
Automatically download and install the latest application software in Advanced Threat Defense
Appliance.
• Manually upload the latest application software package on page 158
Manually upload and install the latest application software in Advanced Threat Defense.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Log on to the Advanced Threat Defense web interface, then do one of these to access the Incremental Updates
page.
• Click Click to Update Software from the header.
When multiple notifications are available, select Click to Update Software from the list of notifications.
3 Select the Application Software tab, then click Install against the available software version.
A confirmation message appears before the installation starts. All Advanced Threat Defense services are
restarted. Once the process is complete, a status message appears that provides information about a
successful upgrade and a suggestion to log on again to the Advanced Threat Defense interface.
4 Log on to the Advanced Threat Defense interface again, then validate whether the upgrade was successful.
• From the header on Advanced Threat Defense interface, .
• Verify that the version is listed as Current: Click Manage | Image & Software | Incremental Updates, then click the
Application Software tab.
In case of any issues with the upgrade, click Revert to reverse the software to the previous backed-up version.
You won't see the Revert option if Advanced Threat Defense software has been upgraded using system.msu.
Task
For details about product features, usage, and best practices, click ? or Help.
4 On the Incremental Updates page, click Browse, then select the application software package.
5 Click Upload.
To reinstate the Backup file as the Current file, click Revert.
Task
For details about product features, usage, and best practices, click ? or Help.
4 Click Schedule.
Troubleshooting
There are several methods to troubleshoot Advanced Threat Defense in your network.
Tasks
• Export the Advanced Threat Defense log files on page 159
If you experience any Advanced Threat Defense issues, export the log files to McAfee for analysis.
• Recreate the analyzer VMs on page 160
You can delete all existing VMs, including the default Android VM and healthy analyzer VMs, then
re-create them.
• Delete the analysis results and reports on page 160
Remove all existing analysis results and reports from Advanced Threat Defense.
• Reset email reports and cache on page 161
Remove all the email reports and cached verdicts for email attachments that are scanned by
Advanced Threat Defense.
• Diagnostic Logs — Troubleshoot critical issues, such as system crashes in Advanced Threat Defense.
• Debug Logs — Troubleshoot issues related to database operations, system processes, and other errors.
Only McAfee Support can read the Advanced Threat Defense log content.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
3 Select the log files you want to send, configure the amount of logs you want to include, then click Create
Support Bundle.
4 On the Ticket Number window, enter your ticket number, then click OK.
Task
1 Log on to the Advanced Threat Defense web interface.
• To view the VM re-creation status, click Dashboard. The status is displayed on the VM Creation Status monitor.
The Create VMs option becomes available again when Advanced Threat Defense completes the analyzer VM
re-creation process.
Task
1 Log on to the Advanced Threat Defense web interface.
3 Select Remove all Analysis Results and Reports, then click Submit.
4 Click Submit.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Select Remove all Email Reports, then select Clear Email Results Cache.
4 Click Submit.
Back up and restore Advanced Threat Defense Appliance from a USB drive
Create a USB recovery drive, then re-image the Advanced Threat Defense Appliance.
Table 6-1 Approximate time required
Task Required time
Create the recovery USB drive 1 hour
Re-image the Advanced Threat Defense Appliance 1.5 hours
Tasks
• Create the USB recovery drive on page 161
Create the USB drive that you use to recover the Advanced Threat Defense Appliance.
• Re-image the Advanced Threat Defense Appliance on page 162
Use the USB recovery drive to re-image the Advanced Threat Defense Appliance.
Task
1 Make sure that your environment meets the following requirements:
• Linux-based computer with a USB port and root administration privileges
c Enter your grant number, enter the letters or numbers displayed, then click Submit.
• Android-5.0.msu
4 Plug in the USB drive to your computer, then copy the atd-usb-creator.bin file to the desktop.
To store the .bin file, you must have 7.4 GB of free space on the computer and USB drive.
5 From the command prompt, enter bash atd-usb-creator.bin, then press Enter.
Task
For details about product features, usage, and best practices, click ? or Help.
• Password — atdadmin
3 For each of the following, enter the command, then press Enter:
• Manage set appliance IP xxx.xxx.xxx.xxx 255.255.xxx.xxx
4 Using the SFTP, copy systemimage-3.6.0.17.55414.msu to the Advanced Threat Defense Appliance.
7 Install android-5.0.msu.
a Using the SFTP, copy android-5.0.msu to the Advanced Threat Defense Appliance.
d From the System Software drop-down list, select Android-5.0.msu, then click Install.
10 Upload the .vmdk image files for your operating system, then create the VM profiles and analyzer profiles.
To make sure that the system works as intended, submit a sample.
When you want to restore a backup, Advanced Threat Defense collects the selected backup file from the FTP
server and overwrites its database with the contents of the backup file.
The analyzer VM image or VMDK files are not included in the back up. Before you restore a
backup, make sure the image files specified in the backed-up VM profiles are located in
Advanced Threat Defense.
• Analyzer profiles
• User information
• McAfee ePO integration details
• Proxy settings
• DNS settings
• Syslog settings
• SNMP settings
• Date and time settings including the NTP server details
• Load-balancing cluster settings
This does not include the configuration and analysis results from the other nodes in the
cluster.
Data not included in backup
• Any sample file or URL that is being analyzed at the time of backup
The Analysis Status page only shows the file being currently analyzed
• A directory on the FTP server where you want to store the backup files
• The user name that Advanced Threat Defense uses to access the FTP server
Make sure that the user name has write access to the specified folder.
• The corresponding password that Advanced Threat Defense uses to access the FTP server.
• Make sure that the communication over SFTP or FTP is possible between Advanced Threat
Defense and the FTP server.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
The backup is stored in a password-protected .zip file in the specified directory on the FTP server.
Do not unzip or tamper with the .zip file. If the file corrupts, you cannot restore the database backup with
the .zip file.
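Because a corrupted backup .zip cannot be restored, it is worth recording a checksum of each backup as it lands on the FTP server and checking it again before a restore. The following Python is an added example, not the product's own tooling or an API it exposes: it keeps a SHA-256 manifest apart from the backups, and verify_backup() requires both a structurally valid zip archive and a digest that matches the manifest entry recorded at backup time. The file and manifest names, and the unencrypted stand-in archive that demo() builds in a temporary directory, are constructed for the example; the real backup is password-protected, so only its bytes are checked, never its contents.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large backup need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_backup(path, manifest_path):
    """Append '<sha256>  <filename>' to a manifest kept apart from the FTP server."""
    digest = sha256_of_file(path)
    with open(manifest_path, "a") as m:
        m.write(f"{digest}  {os.path.basename(path)}\n")
    return digest


def verify_backup(path, manifest_path):
    """Return (ok, reason). ok is True only when the file is still a valid zip
    archive and its digest equals the one recorded when the backup was made."""
    expected = None
    with open(manifest_path) as m:
        for line in m:
            digest, _, name = line.rstrip("\n").partition("  ")
            if name == os.path.basename(path):
                expected = digest  # last entry for the name wins
    if expected is None:
        return False, "no manifest entry"
    if not zipfile.is_zipfile(path):
        return False, "not a zip archive"
    if sha256_of_file(path) != expected:
        return False, "sha256 mismatch"
    return True, "ok"


def demo():
    """Build a constructed stand-in backup, record it, verify it, then damage one
    byte and verify again. Returns the two (ok, reason) results."""
    workdir = tempfile.mkdtemp(prefix="atd-backup-demo-")
    backup = os.path.join(workdir, "atd-backup-constructed.zip")   # constructed name
    manifest = os.path.join(workdir, "backups.sha256")             # constructed name
    with zipfile.ZipFile(backup, "w") as z:
        z.writestr("db.sql", "-- constructed placeholder for the database dump\n")
    record_backup(backup, manifest)
    intact = verify_backup(backup, manifest)
    # Simulate corruption in transit: flip one byte inside the first local header.
    # The file still parses as a zip, so only the digest check catches the damage.
    with open(backup, "r+b") as f:
        f.seek(10)
        original = f.read(1)
        f.seek(10)
        f.write(bytes([original[0] ^ 0xFF]))
    damaged = verify_backup(backup, manifest)
    return intact, damaged


if __name__ == "__main__":
    print(demo())
```

The structural check alone is not enough: a single flipped byte leaves the archive readable but unusable, which is why the digest is compared as well, and why the manifest should live somewhere the FTP server cannot modify.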
• All users are logged off the Advanced Threat Defense web interface, REST APIs, and CLI.
When you restore a database backup during a backup, the restoration fails.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Log on to the Advanced Threat Defense web interface.
If the IP address of the FTP server changes, update the configuration on the Backup Scheduler Setting page, then
complete the restoration. If you switch to a different FTP server, restoring from a backup on the old server fails;
you can only restore from the files on the new server.
4 Click Restore.
A
Account
  lock out period 84
analysis results
  viewing 104
analysis status 82
  monitoring 102
analyzer profile 14
  adding 63
  viewing 63
analyzer VM 14
  creating 18
Anti-Malware Engine 14
B
backup and restore 163
C
CLI commands
  issuing 115
  list 117
  mandatory commands 116
  syntax 116
CLI commands issue
  auto-complete 116
  console 115
  ssh 115
CLI logon 117
Common Criteria 83
configure
  email connector 79
Configure SEG 80
custom YARA rules 70, 87, 89
D
dashboard 113
database
  backup and restore 163
date and time 69, 88–92
Deep Neural Network 105
diagnostic files 159
DNS settings configuration 70, 71, 73–76
dynamic analysis 14
E
Email Connector
  Clear cache 161
  Overview 79
  Remove analysis reports 161
Email headers 82
ePO server configuration 65, 67
ePO server integration 64, 65
exporting logs 159
F
false negative samples, submitting 112
false positive samples, submitting 111
Family Classification 105
G
Gateway Anti-Malware Engine 14
generate
  certificate signing request 85
  CSR 85
I
Integration
  Private GTI Cloud 68
Internet access 15
Internet proxy server 72, 73
J
JSON 105
L
local blacklist 14
local whitelist 14
log files 159
logon banner, customize 85
M
malware analysis 95
  process flow 15, 95, 101
malware analysis configuration
  overview 13