Product Guide

McAfee Advanced Threat Defense 4.0.0


COPYRIGHT
© 2017 McAfee LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, Foundstone, McAfee LiveSafe, McAfee QuickClean, McAfee SECURE,
SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, TrustedSource, VirusScan are trademarks of McAfee LLC or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Advanced Threat Defense 4.0.0 Product Guide


Contents

1 Introduction 9
The malware threat scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The Advanced Threat Defense solution . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Configuring Advanced Threat Defense for malware analysis 13


Terminologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Malware analysis workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Internet access to sample files . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Enable the malware port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Add users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Creating analyzer VMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Analyzer VM requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Create the virtual machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Create the VMDK file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Prepare the VMDK image for analysis . . . . . . . . . . . . . . . . . . . . . . . . 31
Install Microsoft Office on the virtual machine . . . . . . . . . . . . . . . . . . . . . 58
Enable PDF file analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Enable JAR file analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Enable Flash file analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Import the VMDK file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Convert the VMDK file to an image file . . . . . . . . . . . . . . . . . . . . . . . . 60
Create VM profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
View the system logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Create analyzer profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Integrate Advanced Threat Defense with compatible products . . . . . . . . . . . . . . . . . . 64
Integration with McAfee ePO for OS profiling . . . . . . . . . . . . . . . . . . . . . 64
Configure McAfee ePO integration to publish threat events . . . . . . . . . . . . . . . . 65
Integrate Advanced Threat Defense with DXL . . . . . . . . . . . . . . . . . . . . . 66
Integrate Advanced Threat Defense with Active Response . . . . . . . . . . . . . . . . 67
Integrate Advanced Threat Defense with Private GTI Cloud . . . . . . . . . . . . . . . . 68
Integrate Advanced Threat Defense with TIE . . . . . . . . . . . . . . . . . . . . . 68
Integrate Advanced Threat Defense with McAfee NGFW . . . . . . . . . . . . . . . . . 68
Configure the date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configure the maximum wait time threshold . . . . . . . . . . . . . . . . . . . . . . . . 70
Configure DNS setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configure LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configure proxy servers for Internet connectivity . . . . . . . . . . . . . . . . . . . . . . . 72
Configure Advanced Threat Defense to communicate with McAfee GTI . . . . . . . . . . . . 72
Enable the malware site proxy . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configure SNMP setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configure the syslog settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
View the Syslog logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
View the Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configure telemetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Enable telemetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Disable telemetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configuring Email Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Enable and configure Email Connector . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring your Secure Email Gateway for Email Connector . . . . . . . . . . . . . . . 80
Configure Email Connector filtering rules . . . . . . . . . . . . . . . . . . . . . . . 81
Understanding Email Headers with analysis status . . . . . . . . . . . . . . . . . . . 82
Set minimum SSL/TLS version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Enable Common Criteria (CC) mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Enable account lock out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configure the minimum number of password characters . . . . . . . . . . . . . . . . . . . . 84
Add the Advanced Threat Defense logon banner . . . . . . . . . . . . . . . . . . . . . . . 85
Generating a Certificate signing request (CSR) . . . . . . . . . . . . . . . . . . . . . . . . 85
Generate a CSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Upload certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

3 Updating content 87
Defining Custom Behavioral Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Create the Custom Behavioral Rules file . . . . . . . . . . . . . . . . . . . . . . . 88
Define Custom Yara Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Create Custom YARA Scanner files . . . . . . . . . . . . . . . . . . . . . . . . . 89
Import custom behavioral and YARA scanner rules . . . . . . . . . . . . . . . . . . . . . . 90
Change custom behavioral rules and YARA scanner files . . . . . . . . . . . . . . . . . . . . 90
Disable custom behavioral rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage whitelist database samples . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage the file and URL samples . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage the digital signature samples . . . . . . . . . . . . . . . . . . . . . . . . 92
Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus . . . . . . . . . . . . . . . 92
Update the detection package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Automatically download the latest Detection Package . . . . . . . . . . . . . . . . . . 92
Manually upload the latest Detection Package . . . . . . . . . . . . . . . . . . . . . 93

4 Analyzing malware 95
Analyze files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Upload files for analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Upload files for analysis using SFTP . . . . . . . . . . . . . . . . . . . . . . . . 100
Analyze URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Analyzing URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Upload URLs for analysis using Advanced Threat Defense web interface . . . . . . . . . . . 102
Monitor the status of malware analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 102
View the analysis results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
View the Threat Analysis report . . . . . . . . . . . . . . . . . . . . . . . . . . 105
View the Dropped Files report . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Viewing and Understanding the Disassembly Results report . . . . . . . . . . . . . . . 107
Logic Path Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
User API Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Download the Complete Results .zip file . . . . . . . . . . . . . . . . . . . . . . 110
Download the original sample . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Submit false positive and negative samples . . . . . . . . . . . . . . . . . . . . . . . . 111
Submit false positive samples . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Submit false negative samples . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Troubleshoot low sandbox file scores . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Monitor Advanced Threat Defense with the Dashboard . . . . . . . . . . . . . . . . . . . . 113

5 CLI commands 115


Issuing CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Issuing commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Issuing a command through SSH . . . . . . . . . . . . . . . . . . . . . . . . . 115


Log on to the Advanced Threat Defense Appliance . . . . . . . . . . . . . . . . . . . 115
Auto-complete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
CLI syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Mandatory commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Log on to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Meaning of "?" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
List of CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
activeResponseStats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
amas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
atdcounter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
backup reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
backup reports date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Blacklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
clearstats all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
clearstats ActiveResponse . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
clearstats dxl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
clearstats lb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
clearstats tepublisher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
clearlbconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
createDefaultVms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
db_repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
deleteblacklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
deletesamplescore <0-5> . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
deletesamplereport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
diskcleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
dxlstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
factorydefaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
filetypefilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
ftptest USER_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
gti-restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
http_redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
install msu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
install package <package path> . . . . . . . . . . . . . . . . . . . . . . . . . . 124
lbservice restart/status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
lbstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
lowseveritystatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
no malware-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
no timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
passwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
removeAndroid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
removenetworkaddress . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
removeSampleInWaiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
removevmImage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
resetuiadminpasswd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
resetusertimeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
restart network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
revert package application . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

revert package detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130


revertwebcertificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
route add/delete network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
samplefilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
set appliance dns A.B.C.D E.F.G.H WORD . . . . . . . . . . . . . . . . . . . . . . 131
set port80 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
set appliance gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
set appliance ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
set appliance name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
set gti dns check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
set gti server ip <Private Cloud IP> . . . . . . . . . . . . . . . . . . . . . . . . . 133
set gti server url <Domain Name> . . . . . . . . . . . . . . . . . . . . . . . . . 133
set gti server ip 0.0.0.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
set gti server url 0.0.0.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
set intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
set intfport <1-3> ipdelete <ip address> . . . . . . . . . . . . . . . . . . . . . . . 134
set intfport auto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
set intfport ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
set intfport speed duplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
set IPAddressSwap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
set ldap enable|disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
set malware-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
set malware-intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
set mgmtport auto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
set malware-intfport mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
set mgmtport speed and duplex . . . . . . . . . . . . . . . . . . . . . . . . . 136
set pdflinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
set filesizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Set FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set headerlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set logconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set mar-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
set nsp-ssl-channel-encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 139
set nsp-tcp-channel enable | disable . . . . . . . . . . . . . . . . . . . . . . . . 139
set resultbackup <enable> <disable> . . . . . . . . . . . . . . . . . . . . . . . 139
set stixreportstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
set tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
set timeout <0-35791> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
set uilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
set ui-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
show dat version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
show ds status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
show ec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
show ec file-types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
show ec filter-rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
show ec permittedHosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
show ec rejectmode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show ec tls (inbound|delivery) . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show epo-stats nsp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show filequeue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show filesizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
show ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
show gti dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
show gti server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
show history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

show intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145


show IPAddressSwap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
show ldap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show license info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show license status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show logconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
show mar-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
show pdflinks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
show msu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
show nsp scandetails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
show nsp-ssl-channel-encryption status . . . . . . . . . . . . . . . . . . . . . . 148
show port80 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
show resultbackup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
show rmm info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show stixreportstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show system id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
show tepublisherstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show ui-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show uilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
show version application . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
show version detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
show vmImage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
show waittime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
unlockuser <username> . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
update_avdat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
vmlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
whitelistMerge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
xl destroy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

6 Managing Advanced Threat Defense 155


Delete VMDK files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Monitor the Advanced Threat Defense performance . . . . . . . . . . . . . . . . . . . . . 155
Upgrade the software and Android analyzer VM . . . . . . . . . . . . . . . . . . . . . . . 156
Prepare for the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Download the product files . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Complete the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
View the upgrade log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Upgrade the software incrementally . . . . . . . . . . . . . . . . . . . . . . . . 158
Limit the number of records in the database . . . . . . . . . . . . . . . . . . . . . . . . 159
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Export the Advanced Threat Defense log files . . . . . . . . . . . . . . . . . . . . 159
Recreate the analyzer VMs . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Delete the analysis results and reports . . . . . . . . . . . . . . . . . . . . . . . 160
Reset email reports and cache . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Back and restore Advanced Threat Defense Appliance from a USB drive . . . . . . . . . . . . . . 161
Create the USB recovery drive . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Re-image the Advanced Threat Defense Appliance . . . . . . . . . . . . . . . . . . . 162

Back up and restore the Advanced Threat Defense database . . . . . . . . . . . . . . . . . . 163


Schedule a database backup . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Restore a database backup . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Index 167

1 Introduction

McAfee® Advanced Threat Defense (Advanced Threat Defense) is an on-premise appliance that facilitates
detection and prevention of malware. Advanced Threat Defense provides protection from known, near-zero-day,
and zero-day malware without compromising the quality of service to your network users.

Advanced Threat Defense has the added advantage of being an integrated solution. In addition to its own
multi-level threat detection capabilities, its ability to integrate seamlessly with other McAfee security products
protects your network against malware and other Advanced Persistent Threats (APTs).

Contents
The malware threat scenario
The Advanced Threat Defense solution

The malware threat scenario


Any software capable of being involved in hostile activities against a computer, application, or network
can be termed malware. Advanced Threat Defense is designed to detect file- and URL-based malware.
Earlier, users received malware as attachments in their emails. With the upsurge in Internet applications, users
only need to click a link to download files. Today, there are many other places where such files can be posted:
blogs, social networking sites, websites, chat messages, web mail, message boards, and so on. The key
challenges in tackling this issue are to detect malware in the shortest possible time and to contain it from
spreading to other computers.

There are four major aspects to an anti-malware strategy:

• Detection of file downloads: When a user attempts to download a file from an external resource, your
security product must be able to detect it.

• Analysis of the file for malware: You must be able to verify if the file contains any known malware.

• Block future downloads of the same file: Subsequently, if the file is found to be malicious, your anti-malware
protection must prevent future downloads of the same file or its variants.

• Identify and remediate affected hosts: Your security system must be able to identify the host which
executed the malware, and also detect the hosts to which it has spread. Then, it must provide an option to
quarantine the affected hosts until they are clean again.

The Advanced Threat Defense solution


A security solution that relies on a single method or process might not be adequate to provide complete and
reliable protection from malware attacks. You might need a multi-layered solution that involves various
techniques and products.
The solution can include pattern matching, global reputation, program emulation, static analysis, and dynamic
analysis. All these layers must be seamlessly integrated and provide you with a single point of control for easy
configuration and management. Each technique has its limits. For example, pattern matching might not detect
zero-day attacks. Static analysis takes less time than dynamic analysis, but malware can avoid static analysis by
code obfuscation. Malware can escape dynamic analysis too, by delaying execution or taking an alternate
execution path if it detects that it is being run in a sandbox environment. This is why reliable protection from
malware requires a multi-level approach.

There are other industry-leading McAfee anti-malware products for the web, network, and endpoints. However,
McAfee recognizes that a robust anti-malware solution requires a multi-layered approach, the result of which is
Advanced Threat Defense.

Advanced Threat Defense integrates with other McAfee and third-party products to provide you a multilayered
defense mechanism against malware.

• To quickly detect malware, Advanced Threat Defense includes a local blacklist.

• Integrates with McAfee® Global Threat Intelligence (McAfee GTI™) for cloud lookups to detect malware that
has already been identified by organizations throughout the globe.

• Includes the McAfee® Gateway Anti-Malware Engine for emulation capabilities.

• Includes the McAfee® Anti-Malware Engine for signature-based detection.

• Dynamically analyzes the file by executing it in a virtual sandbox environment. Based on how the file
behaves, Advanced Threat Defense determines its malicious nature.

• Allows you to configure your Secure Email Gateway to send emails and attachments to Advanced Threat
Defense for analysis.

Figure 1-1 Components for malware analysis

Here are some of the advantages that Advanced Threat Defense provides:

• Advanced Threat Defense does not sniff or tap into your network traffic. It analyzes the files submitted to it
for malware. This means that you can place the McAfee® Advanced Threat Defense Appliance anywhere in
your network as long as it is reachable by all the integrated McAfee products. It is also possible for one
Advanced Threat Defense Appliance to serve all such integrated products (assuming the number of files
submitted is within the supported level). This design can make it a cost-effective and scalable anti-malware
solution.

• For malware analysis, Advanced Threat Defense can receive files from these inline devices:
• IPS Sensors

• McAfee® Web Gateway

• McAfee® Email Gateway

• Android is currently one of the top targets for malware developers. With this integration, the Android-based
handheld devices on your network are also protected. You can dynamically analyze the files downloaded by
your Android devices such as smartphones and tablets.

• Files are concurrently analyzed by various engines. So, it is possible for known malware to be blocked in
almost real time.

• When Advanced Threat Defense dynamically analyzes a file, it selects the analyzer virtual machine that uses
the same operating system and applications as that of the target host. The dynamic analysis can be
facilitated through its integration with McAfee® ePolicy Orchestrator® (McAfee® ePO™) or through the
passive device profiling feature of McAfee® Network Security Platform. Advanced Threat Defense runs the file
only in the virtual environment. The dynamic analysis results help you to identify the exact impact on a
targeted host if the file is run. You can also configure your environment to take the required remedial
measures.

• When hosts download zero-day malware, the Sensor submits the file to Advanced Threat Defense. After
dynamic analysis, Advanced Threat Defense determines if the file is malicious. Based on the Advanced
Malware policy, the Manager adds the malware to the Sensor blacklist. If the file is also on the Advanced
Threat Defense blacklist, the file's ability to re-enter your network is greatly reduced.

• Even the first time when a zero-day malware is downloaded, you can contain it by quarantining the affected
hosts until they are cleaned and remediated.

• Packing can change the composition of the code or enable malware to evade reverse engineering. So,
proper unpacking is critical to obtain the actual malware code for analysis. Advanced Threat Defense is
capable of unpacking the code such that the original code is available for static analysis.

2 Configuring Advanced Threat Defense for malware analysis

To configure Advanced Threat Defense for malware analysis, log on to the Advanced Threat Defense web
interface.

Ensure that you change the password for cliadmin from the command-line interface and for atdadmin from the
web interface before you begin. Some of the configurations might fail if you continue using the default
password.

Contents
Terminologies
Malware analysis workflow
Add users
Creating analyzer VMs
Create analyzer profiles
Integrate Advanced Threat Defense with compatible products
Configure the date and time
Configure the maximum wait time threshold
Configure DNS setting
Configure LDAP
Configure proxy servers for Internet connectivity
Configure SNMP setting
Configure the syslog settings
Configure telemetry
Configuring Email Connector
Set minimum SSL/TLS version
Enable Common Criteria (CC) mode
Enable account lock out
Configure the minimum number of password characters
Add the Advanced Threat Defense logon banner
Generating a Certificate signing request (CSR)
Upload certificates


Terminologies
Being familiar with the following terminologies facilitates malware analysis using Advanced Threat Defense.
• Static analysis — When Advanced Threat Defense receives a supported file for analysis, it first performs static
analysis of the file. The objective is to check if it is a known malware in the shortest possible time, and also
to preserve the Advanced Threat Defense resources for dynamic analysis. For static analysis, Advanced
Threat Defense uses these resources in the following order.
• Global Whitelist — This is the list of MD5/SHA-256 hash values of trusted files and VBA scripts embedded
inside a Microsoft Office application, which need not be analyzed.
The whitelist feature is enabled by default. To disable it, use the setwhitelist command.

In a load-balancing scenario, after the cluster creation, run the whitelistMerge cluster command
on the Active node to manually copy the Global Whitelist database of the Active node onto the Secondary/
Backup nodes. This is a one-time activity, after which the Whitelist database of the Secondary/Backup
nodes is automatically overwritten by that of the Active node at 0000 hours daily.

• Local Blacklist — This is the list of MD5 hash values of known malware stored in the Advanced Threat
Defense database. When Advanced Threat Defense detects a malware through its heuristic McAfee
Gateway Anti-Malware engine or through dynamic analysis, it updates the local blacklist with the file
MD5 hash value. A file is added to this list automatically only when its malware severity as determined by
Advanced Threat Defense is medium, high, or very high. There are commands to manage the entries in
the blacklist.

• McAfee GTI — This is a global threat correlation engine and intelligence base of global messaging and
communication behavior, which enables the protection of the customers against both known and
emerging electronic threats across all threat areas.

DNS must be configured for McAfee GTI to run.

For File Reputation queries to succeed, make sure Advanced Threat Defense is able to communicate with
tunnel.message.trustedsource.org over HTTPS (TCP/443). Advanced Threat Defense retrieves the
URL updates from List.smartfilter.com over HTTP (TCP/80).

• Gateway Anti-Malware — McAfee Gateway Anti-Malware Engine analyzes the behavior of web sites, web site
code, and downloaded Web 2.0 content in real time to preemptively detect and block malicious web
attacks. It protects businesses from modern blended attacks, including viruses, worms, adware, spyware,
riskware, and other crimeware threats, without relying on virus signatures.

• Anti-Malware — The DAT is updated automatically or manually based on the network connectivity of
Advanced Threat Defense.
Static analysis also involves analysis through reverse engineering of the malicious code. This includes
analyzing all the instructions and properties to identify the intended behaviors, which might not surface
immediately. This also provides detailed malware classification information, widens the security cover,
and can identify associated malware that leverages code re-use.

By default, Advanced Threat Defense downloads the updates for McAfee Gateway Anti-Malware Engine and
McAfee Anti-Malware Engine every 90 minutes.

• Dynamic Analysis — Advanced Threat Defense executes the file in a secure VM and monitors its behavior to
check how malicious the file is. At the end of the analysis, it provides a detailed report as required by the
user. By default, if static analysis identifies the malware, Advanced Threat Defense does not perform
dynamic analysis. However, you can configure Advanced Threat Defense to perform dynamic analysis
regardless of the results from static analysis. You can also configure only dynamic analysis without static
analysis. Dynamic analysis includes the disassembly listing feature of Advanced Threat Defense as well. This
feature can generate the disassembly code of PE files for you to analyze the sample further. The dynamic
analysis sequence uses these resources in the following order.
• Global Whitelist

• Local Blacklist

• McAfee GTI, McAfee Gateway Anti-Malware Engine, and McAfee Anti-Malware Engine

• YARA scanner

• Dynamic Analysis

See also
Define Custom Yara Scanner on page 89

Malware analysis workflow


Consider that you have uploaded a file manually using the Advanced Threat Defense web interface.
1 Assuming the file format is supported, Advanced Threat Defense unpacks the file and calculates the MD5
hash value.

2 Advanced Threat Defense applies the analyzer profile that you specified during file upload.

3 Based on the configuration in the analyzer profile, it determines the modules to use for static analysis and
checks the file against those modules.

4 If the file is found to be malicious during static analysis, Advanced Threat Defense stops further analysis and
generates the required reports. This, however, depends on how you have configured the corresponding
analyzer profile.

5 If the static analysis does not report any malware or if you had configured Advanced Threat Defense to
perform dynamic analysis regardless of the results from static analysis, Advanced Threat Defense initiates
dynamic analysis for the file.

6 It executes the file in the corresponding analyzer VMs and records every behavior. The analyzer VM is
determined based on the VM profile in the analyzer profile.

7 If the file is fully executed or if the maximum execution period expires, Advanced Threat Defense prepares
the required reports.

8 After dynamic analysis is complete, it sets the analyzer VMs to their baseline version so that they can be
used for the next file in queue.
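The precedence that these eight steps describe is easy to get wrong when you script around the appliance: the Global Whitelist ends the analysis outright, the Local Blacklist and the static engines convict without spending an analyzer VM, dynamic analysis runs only when nothing convicted the file or when the analyzer profile demands it regardless, and (per the Terminologies section) only Gateway Anti-Malware or dynamic verdicts of medium severity or above feed the Local Blacklist. The Python below is an added example, not McAfee code and not the appliance's internal logic: it models that dispatch order with constructed sample bytes, hash stores and engine stubs. The names Appliance, AnalyzerProfile, always_run_dynamic, the module names and the severity scale are assumptions for the example, not product identifiers.

```python
import hashlib
from dataclasses import dataclass, field

# Severity scale assumed for the example; the guide names medium, high and very high
# as the levels that cause automatic blacklisting.
SEVERITY_RANK = {"clean": 0, "low": 1, "medium": 2, "high": 3, "very_high": 4}
AUTO_BLACKLIST_MIN = "medium"
# Per the Terminologies section, only GAM heuristics or dynamic analysis feed the Local Blacklist.
AUTO_BLACKLIST_SOURCES = {"gam", "dynamic"}


@dataclass
class AnalyzerProfile:
    """Assumed names for the two profile options the workflow text refers to."""
    always_run_dynamic: bool = False                                 # dynamic even after a static conviction
    static_modules: tuple = ("gti", "gam", "anti_malware", "yara")   # static resource order from the guide


@dataclass
class Verdict:
    md5: str
    sha256: str
    stage: str            # resource that decided the outcome
    severity: str
    dynamic_ran: bool = False


@dataclass
class Appliance:
    global_whitelist: set = field(default_factory=set)   # MD5 or SHA-256 digests of trusted files
    local_blacklist: set = field(default_factory=set)    # MD5 digests of known malware
    engine_results: dict = field(default_factory=dict)   # stub: (module, md5) -> severity reported
    dynamic_results: dict = field(default_factory=dict)  # stub: md5 -> severity observed in the VM

    def analyze(self, sample: bytes, profile: AnalyzerProfile) -> Verdict:
        md5 = hashlib.md5(sample).hexdigest()
        sha256 = hashlib.sha256(sample).hexdigest()

        # Global Whitelist is consulted first and ends the analysis for trusted files.
        if md5 in self.global_whitelist or sha256 in self.global_whitelist:
            return Verdict(md5, sha256, "global_whitelist", "clean")

        # Local Blacklist, then the static engines in profile order; first hit wins.
        stage, severity = None, "clean"
        if md5 in self.local_blacklist:
            stage, severity = "local_blacklist", "high"   # assumed severity for a known-bad hash
        else:
            for module in profile.static_modules:
                hit = self.engine_results.get((module, md5), "clean")
                if SEVERITY_RANK[hit] > SEVERITY_RANK["clean"]:
                    stage, severity = module, hit
                    break

        # A static conviction stops the analysis unless the profile forces dynamic analysis.
        if stage is not None:
            self._record(md5, stage, severity)
            if not profile.always_run_dynamic:
                return Verdict(md5, sha256, stage, severity)

        # Dynamic analysis in the analyzer VM; the VM reset to baseline is not modelled here.
        dyn = self.dynamic_results.get(md5, "clean")
        self._record(md5, "dynamic", dyn)
        final = dyn if SEVERITY_RANK[dyn] >= SEVERITY_RANK[severity] else severity
        return Verdict(md5, sha256, stage or "dynamic", final, dynamic_ran=True)

    def _record(self, md5: str, source: str, severity: str) -> None:
        """Blacklist automatically only for the sources and severities the guide names."""
        if source in AUTO_BLACKLIST_SOURCES and \
                SEVERITY_RANK[severity] >= SEVERITY_RANK[AUTO_BLACKLIST_MIN]:
            self.local_blacklist.add(md5)


# Constructed samples and verdict tables standing in for real files and engines.
SAMPLES = {
    "trusted":   b"constructed: vendor-signed installer",
    "known_bad": b"constructed: dropper convicted last week",
    "gam_hit":   b"constructed: document GAM flags heuristically",
    "gti_low":   b"constructed: low-reputation but unconvicted binary",
    "zero_day":  b"constructed: loader nothing has seen before",
}


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_demo_appliance() -> Appliance:
    return Appliance(
        global_whitelist={hashlib.sha256(SAMPLES["trusted"]).hexdigest()},
        local_blacklist={_md5(SAMPLES["known_bad"])},
        engine_results={("gam", _md5(SAMPLES["gam_hit"])): "medium",
                        ("gti", _md5(SAMPLES["gti_low"])): "low"},
        dynamic_results={_md5(SAMPLES["zero_day"]): "very_high",
                         _md5(SAMPLES["gam_hit"]): "high"},
    )


def run_demo(always_run_dynamic: bool = False):
    """Analyze every constructed sample; returns (verdicts by name, appliance after the run)."""
    atd = build_demo_appliance()
    profile = AnalyzerProfile(always_run_dynamic=always_run_dynamic)
    return {name: atd.analyze(data, profile) for name, data in SAMPLES.items()}, atd
```

Running run_demo() shows the two behaviours worth remembering: the GTI low-reputation hit stops the analysis but does not blacklist anything, while the zero-day sample reaches the VM and is blacklisted only after the dynamic verdict. Running it with always_run_dynamic=True shows the profile override, where even a blacklisted hash still consumes an analyzer VM.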

Internet access to sample files


When being dynamically analyzed, a sample might access a resource on the Internet. For example, the sample
might attempt to download additional malicious code or attempt to upload information that it collected from
the host machine (in this case, the analyzer VM).
You can configure Advanced Threat Defense to provide network services to analyzer VMs so that the network
activities of a sample file can be analyzed.

Providing Internet access to samples enables Advanced Threat Defense to analyze the network behavior of a
sample and also determine the impact of the additional files downloaded from the Internet. Some malware
might try to determine whether it is being executed in a sandbox by requesting Internet access and then alter
its behavior accordingly.


When an analyzer VM is created, Advanced Threat Defense makes sure that the analyzer VM has the
configurations to communicate over a network when required.

You can control granting real network access to an analyzer VM through a setting in the analyzer profiles.
Network services are provided regardless of the method used to submit the sample. For example, it is provided
to samples submitted manually using the Advanced Threat Defense web interface as well as samples submitted
by the integrated products.

Figure 2-1 Internet access to samples - process flow

When samples access Internet resources, Advanced Threat Defense checks if the Internet connectivity is
enabled in the corresponding analyzer profile. Based on whether Internet connectivity is enabled or not,
Advanced Threat Defense determines the mode that provides the network services:
• Simulator mode — If Internet connectivity is not enabled in the analyzer profile, this mode is used.
Advanced Threat Defense can represent itself as being the target resource. For example, if the sample
attempts to download a file through FTP, Advanced Threat Defense simulates this connection for the
analyzer VM.

• Real Internet mode — This mode requires the management port (eth-0), eth-1, eth-2, or eth-3 to have
access to the Internet. If Internet connectivity is enabled in the analyzer profile, Advanced Threat Defense
uses this mode. By default, Advanced Threat Defense provides the real Internet connection through the
management port, which is publicly routed or directed towards your enterprise firewall according to your
network configuration. Because the traffic from an analyzer VM could be malicious, you might want to
segregate this traffic from your production network. In this case, you can use the Advanced Threat Defense
eth-1, eth-2, or eth-3 port to provide Internet access to the analyzer VM.

Advanced Threat Defense logs all network activities. The types of reports generated vary based on the mode:


• Network activities are summarized and presented in the Analysis Summary report. You can find the DNS
queries and socket activities under network operations. You can find all the network activities in the Network
Operations section of the report.

• The dns.log report also contains the DNS queries made by the sample.

• The packet capture of the network activities is provided in the NetLog folder within the Complete Results zip
file.

Enable the malware port


By default, Advanced Threat Defense uses the management port (eth-0) to provide Internet access to samples,
but you can also configure the malware port to securely access the Internet.

Task
1 Log on to the Advanced Threat Defense CLI and enable the malware port.
For example, set intfport 1 enable enables the eth-1 port.

2 Configure the malware port IP address and subnet mask.
For example, set intfport 1 10.10.10.10 255.255.255.0
Make sure the IP address is outside your network.

3 For the Ethernet port, configure the gateway through which you want to route the Internet access.
For example, set malware-intfport 1 gateway 10.10.10.252

4 To check whether the port is configured for malware Internet access, use the show intfport <port
number> command.
For example, show intfport 1.

5 Verify these entries in the output:
• Malware Interface Port
• Malware Gateway

To revert to the management port (eth-0) for malware Internet access, run set malware-intfport mgmt in
the CLI. Advanced Threat Defense then uses the management port IP address and default gateway to provide
Internet access to samples.
For general Advanced Threat Defense traffic, use the route add network command.
For Internet traffic from analyzer VMs, use set malware-intfport.
The route add network and set malware-intfport commands do not affect each other.
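Step 2 warns that the malware-port address must lie outside your network, and the mode description above explains why: sandbox egress that shares a production prefix, or that leaves through the same default gateway as the management port, is not segregated at all. The Python below is an added example, not part of the appliance or its CLI: it validates a candidate address, mask and gateway against a constructed inventory of production prefixes before you type the set intfport and set malware-intfport commands, and renders those commands only when the check passes. The production prefixes, the management gateway value and the function names check_malware_port and cli_commands are assumptions for the example.

```python
import ipaddress

# Constructed inventory of what the sandbox egress must stay away from; replace with your own.
PRODUCTION_PREFIXES = (
    "10.0.0.0/16",        # user LANs
    "172.16.0.0/12",      # server networks
    "192.168.100.0/24",   # management network the eth-0 port sits on
)
MANAGEMENT_GATEWAY = "192.168.100.1"   # default gateway used by eth-0 (constructed)


def check_malware_port(ip, mask, gateway,
                       production_prefixes=PRODUCTION_PREFIXES,
                       management_gateway=MANAGEMENT_GATEWAY):
    """Return a list of problems with the proposed eth-1/eth-2/eth-3 settings; empty means OK."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{mask}")   # accepts the dotted netmask the CLI takes
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    # The host address must be usable; /31 and /32 have no network/broadcast to collide with.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    # The gateway handed to 'set malware-intfport N gateway' must be on-link and distinct.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is the interface address itself")

    # Reusing the management path makes the segregation nominal only.
    if gw == ipaddress.ip_address(management_gateway):
        problems.append(f"gateway {gw} is the management default gateway; use a separate egress")

    # Any overlap with production space puts sample traffic on your own network.
    for prefix in production_prefixes:
        prod = ipaddress.ip_network(prefix)
        if net.overlaps(prod):
            problems.append(f"{net} overlaps production prefix {prod}")
    return problems


def cli_commands(port, ip, mask, gateway):
    """Render the CLI lines from the task above for a setting that passed the check."""
    problems = check_malware_port(ip, mask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"set intfport {port} enable",
        f"set intfport {port} {ip} {mask}",
        f"set malware-intfport {port} gateway {gateway}",
        f"show intfport {port}",
    ]
```

With the constructed inventory, the values used in the task (10.10.10.10/255.255.255.0 with gateway 10.10.10.252) pass, while an address taken from the 10.0.0.0/16 user LAN or a gateway equal to the management default gateway is rejected before anything is committed on the appliance.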

Add users
Create accounts for users on your network, then assign them permissions.
For details about product features, usage, and best practices, click ? or Help.


Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | ATD Users, then click New.

3 Configure the user options, then click Save.


To retain the FTP results for a longer period, configure the FTP Result Output settings, then enable set
resultbackup from the Advanced Threat Defense CLI.

Creating analyzer VMs


Advanced Threat Defense uses secure virtual machines, or analyzer VMs, for dynamic analysis. During dynamic
analysis, Advanced Threat Defense executes suspicious files in the analyzer VM, then monitors the file behavior
for malicious activities.

The number of analyzer VMs you can create is limited by the following conditions:
• the available Advanced Threat Defense Appliance disk space.

• the disk space occupied by the operating system.

Advanced Threat Defense limits the maximum number of analyzer VMs you can use for analysis.
• ATD-3000 — 29 analyzer VMs

• ATD-6000 — 59 analyzer VMs

• ATD-3100 — 29 analyzer VMs

• ATD-6100 — 59 analyzer VMs

The number of concurrent licenses that you specify affects the number of concurrent active analyzer VMs.

Any security software or low-level utility tool on an analyzer VM can interfere with the dynamic analysis of the
sample file. The sample-file execution can be terminated during dynamic analysis. As a result, the reports might
not capture the full behavior of the sample file. If you need to find out the complete behavior of the sample file,
do not patch the operating system of the analyzer VM or install any security software on it.

Contents
Analyzer VM requirements
Create the virtual machine
Create the VMDK file
Prepare the VMDK image for analysis
Install Microsoft Office on the virtual machine
Enable PDF file analysis
Enable JAR file analysis
Enable Flash file analysis
Import the VMDK file
Convert the VMDK file to an image file
Create VM profiles
View the system logs


Analyzer VM requirements
To create the analyzer VM and VM profile, review the recommended requirements.

• If you already have a VMDK file, it must be a single file that contains all the files required to create
the VM.

• The platforms and other specifications listed here are based on McAfee test results.

VM workstations

Recommended VMware Workstation: version 9.0, for every supported guest operating system. If you use a
higher version of VMware Workstation, select Workstation 9.0 from Hardware Compatibility in the Virtual
Machine installation wizard.

Operating systems covered by this recommendation:
• Microsoft Windows 7 32-bit (Service Pack 1)
• Microsoft Windows 7 64-bit (Service Pack 1)
• Microsoft Windows 8 Professional 32-bit
• Microsoft Windows 8 Professional 64-bit
• Microsoft Windows 8.1 64-bit Enterprise (Update 1 version 6.3 build 9600)
• Microsoft Windows 10 Enterprise 64-bit (Redstone 1 and 2, Threshold 2)
• Microsoft Windows Server 2003 32-bit (Service Pack 1 and 2)
• Microsoft Windows Server 2008 R2 (Service Pack 1)
• Microsoft Windows Server 2012 Datacenter
• Microsoft Windows Server 2012 R2 Datacenter
• Microsoft Windows Server 2016 Standard

RAM size

Operating system                                                               RAM size (MB)
Microsoft Windows XP 32-bit (Service Pack 2 and 3)                             512
Microsoft Windows 7 32-bit (Service Pack 1)                                    1024
Microsoft Windows 7 64-bit (Service Pack 1)                                    2048
Microsoft Windows 8 Professional 32-bit                                        2048
Microsoft Windows 8 Professional 64-bit                                        2048
Microsoft Windows 8.1 64-bit Enterprise (Update 1 version 6.3 build 9600)      2048
Microsoft Windows 10 Enterprise 64-bit (Redstone 1 and 2, Threshold 2)         3072
Microsoft Windows Server 2003 32-bit (Service Pack 1 and 2)                    2048
Microsoft Windows Server 2008 R2 (Service Pack 1)                              2048
Microsoft Windows Server 2012 Datacenter                                       2048
Microsoft Windows Server 2012 R2 Datacenter                                    2048
Microsoft Windows Server 2016 Standard                                         2048

Supported operating systems

To create an ISO image, Advanced Threat Defense supports the following operating systems.

Operating system           Version
Microsoft Windows          • 7 32-bit Service Pack 1
                           • 7 64-bit Service Pack 1
                           • 8 Professional 32-bit
                           • 8 Professional 64-bit
                           • 8.1 Enterprise (Update 1 version 6.3 build 9600)
                           • 10 Enterprise 64-bit (Redstone 1 and 2, Threshold 2)
Microsoft Windows Server   • 2003 32-bit Service Pack 1 and 2
                           • 2008 R2 Service Pack 1
                           • 2012 Datacenter
                           • 2012 R2 Datacenter
                           • 2016 Standard
Android                    • 2.3
                           • 4.3
                           • 5.2

Android 2.3 and 4.3 are pre-installed on the Advanced Threat Defense Appliance.

If you are using a Microsoft Windows operating system, you must have the license key, and it must come in one
of these languages:
• English
• Chinese Simplified
• Japanese
• German
• Italian
• Spanish
• French

Required applications
Table 2-1 Required applications

Application                                Supported version                                   Supported languages
Internet Explorer                          6, 7, 8, 9, 10, and 11                              English, Chinese-Simplified, Japanese, German, and Italian
Mozilla Firefox                            all versions until 54.0                             English, Chinese-Simplified, Japanese, German, and Italian
Google Chrome                              all versions until 59                               All languages
Microsoft Office                           2003, 2007, 2010, 2013, and 2016                    English
Adobe Flash Player software and plugin     13                                                  English
Adobe Flash Player plugin only             22.0.0.210                                          English
Adobe Reader                               9, 10, and 11                                       English
jdk-7u25                                   32-bit on all 32-bit operating systems;             English
                                           64-bit on all 64-bit operating systems
jre-7u25                                   32-bit on all 32-bit operating systems;             English
                                           64-bit on all 64-bit operating systems
jdk-8u101                                  32-bit on all 32-bit operating systems;             English
                                           64-bit on all 64-bit operating systems
jre-8u101                                  32-bit on all 32-bit operating systems;             English
                                           64-bit on all 64-bit operating systems

Disk space
The minimum available disk space must be 200 MB. The maximum used total disk space must not exceed 30
GB.

The disk space affects the maximum number of VMs you can create.

Maximum VMs
The following table specifies the maximum number of VMs that you can create for each Microsoft Windows
operating system. The number of VMs listed in the table is based on the assumption that the disk space
occupied by Windows is not more than 22 GB.

The disk space occupied by Windows could affect the maximum number of VMs you can create. For example, if
the OS occupies 30 GB, then you can only create 21 VMs on ATD-3000/3100 and 42 VMs on ATD-6000/6100.

Operating system                                                          Minimum disk     Number of VMs
                                                                          space occupied   ATD-3000  ATD-6000  ATD-3100  ATD-6100
Microsoft Windows XP Service Pack 2 and 3                                 5 GB             29        59        29        59
Microsoft Windows 7 32-bit                                                12 GB            29        59        29        59
Microsoft Windows 7 64-bit                                                14 GB            29        59        29        59
Microsoft Windows 8 Professional 32-bit                                   25–30 GB         29        59        29        59
Microsoft Windows 8 Professional 64-bit                                   25–30 GB         29        59        29        59
Microsoft Windows 8.1 Enterprise (Update 1 version 6.3 build 9600)        25–30 GB         29        59        29        59
Microsoft Windows 10 Enterprise 64-bit (version 1507, 1511, 1607, 1703)   25–30 GB         29        59        29        59
Microsoft Windows Server 2003 Service Pack 1 and 2                        5 GB             29        59        29        59
Microsoft Windows Server 2008 64-bit Service Pack 1                       14 GB            29        59        29        59
Microsoft Windows 2012 R2 Datacenter 64-bit                               25–30 GB         29        59        29        59
Microsoft Windows 2016 Standard                                           30–40 GB         29        59        29        59

Supported VMDK Preparation Tool operating systems


To use the VMDK Preparation Tool, you must use a supported operating system.
• Microsoft Windows XP 32-bit (Service Pack 2 and 3)

• Microsoft Windows 7 32-bit and 64-bit (Service Pack 1)

• Microsoft Windows 8 Professional 32-bit and 64-bit

• Microsoft Windows 8.1 64-bit Enterprise (Update 1 version 6.3 build 9600)

• Microsoft Windows 10 Enterprise 64-bit (Redstone 1 and 2, Threshold 2)

• Microsoft Windows Server 2003 Service Pack 1

• Microsoft Windows Server 2008 R2 (Service Pack 1)

• Microsoft Windows Server 2012 Datacenter

• Microsoft Windows Server 2012 R2 Datacenter

• Microsoft Windows Server 2016 Standard

Create the virtual machine


To create the virtual machine, you must complete the New Virtual Machine Wizard.

Task
1 Make sure you have your operating system ISO image and license key.

2 Download and install VMware Workstation 9.0 or later.

3 Start the VMware Workstation.

4 On the VMware Workstation page, select File | New Virtual Machine.

5 To complete the New Virtual Machine Wizard, configure the following options, then click Next on each page.


Window name                                   Configuration options
Welcome to the New Virtual Machine Wizard     Select Custom (Advanced).
Choose the Virtual Machine Hardware           From the Hardware compatibility drop-down list, select Workstation 9.0.
Compatibility                                 If you use VMware Workstation 10.0 or VMware Workstation 11.0, select
                                              Workstation 9.0. For all other fields, use the default values.
Guest Operating System Installation           Select one of these options:
                                              • Installer disc
                                              • Installer disc image file (iso), then click Browse and select the ISO image
Easy Install Information                      Enter the following:
                                              • Windows product key — License key of the Windows operating system where you
                                                want to create the VMDK file
                                              • Full name — administrator
                                              • Password — cr@cker42, which is the password that Advanced Threat Defense
                                                uses to log on to the VM
                                              • Confirm — cr@cker42
                                              • Log on automatically (requires a password) — Deselect
                                              If the VMware Workstation message displays, click Yes.
Name the Virtual Machine                      Enter the following:
                                              • Virtual Machine name
                                              • Location — Click Browse, then select the folder where you want to create the
                                                VMDK file
Processor Configuration                       Use the default values.
Memory for the Virtual Machine                Enter the amount of RAM for your operating system. See Analyzer VM
                                              requirements for the RAM size required for your operating system.
Network Type                                  Use the default value.
Select I/O Controller Types                   Use the default value.
Select a Disk Type                            Select IDE. SCSI disks are not compatible with Advanced Threat Defense.
Select a Disk                                 Select Create a new virtual disk.
Specify Disk Capacity                         Enter the Maximum disk size (GB), then select these options:
                                              • Allocate all disk space now.
                                              • Store virtual disk as a single file.
Specify Disk file                             Make sure that virtualMachineImage.vmdk appears in the field.
                                              If you specified a different virtual machine name, the name appears here.
Ready to Create Virtual Machine               Select Power on this virtual machine after creation, then click Finish.
                                              This step can take up to 30 minutes to complete.


Create the VMDK file


Create a Virtual Machine Disk (VMDK) file of the ISO image.

Tasks
• Create a VMDK file for Windows 7 on page 24
If you are using Windows 7, use the following steps to create the VMDK file.
• Create a VMDK file for Windows 8 on page 25
If you are using Windows 8, use these steps to create the VMDK file.
• Create a VMDK file for Windows XP on page 25
If you are using Windows XP, use the following steps to create the VMDK file.
• Create a VMDK file for Windows Server 2003 on page 26
If you are using Windows Server 2003, use the following steps to create the VMDK file.
• Create a VMDK file for Windows Server 2008 on page 27
If you are using Windows Server 2008, use the following steps to create the VMDK file.
• Create a VMDK file for Windows 8.1 on page 27
If you are using Windows 8.1, use these steps to create the VMDK file.
• Create a VMDK file for Windows 10 on page 28
If you are using Windows 10, use these steps to create the VMDK file.
• Create a VMDK file for Windows 10 version 1703 (Redstone 2) on page 29
If you are using Windows 10 version 1703 (Redstone 2), use these steps to create the VMDK file.
• Create a VMDK file for Windows 2012 on page 29
If you are using Windows 2012, use these steps to create the VMDK file.
• Create a VMDK file for Windows 2012 R2 on page 30
If you are using Windows 2012 R2, use these steps to create the VMDK file.
• Create a VMDK file for Windows Server 2016 Standard on page 30
If you are using Windows Server 2016 Standard, use these steps to create the VMDK file.

Create a VMDK file for Windows 7


If you are using Windows 7, use the following steps to create the VMDK file.

Task
1 In the Removable Devices window, select Do not show this hint again, then click OK.
The Windows installation can take up to 15 minutes.

2 In the Set Network Location window, select Public Network, then close the window.

3 Stop the VMware Tools installation.


Advanced Threat Defense does not support VMware Tools. If you cannot stop the VMware Tools
installation, you can continue with the VMDK file creation process, but make sure VMware Tools is
uninstalled when the VMDK file is ready.

4 Download and install Microsoft .NET Framework 4.6.1.


Create a VMDK file for Windows 8


If you are using Windows 8, use these steps to create the VMDK file.

Task
1 Configure Adobe Reader as the default application to open PDF files.
a Open the Control Panel, then select Programs | Default Programs | Associate a file type or protocol with a program.

b Double-click .pdf, then select Adobe Reader.

c Click Close.

2 In the Removable Devices window, select Do not show this hint again, then click OK.
The Windows installation can take up to 15 minutes.

3 To log on to virtualMachineImage, use these credentials:


• Administrator

• cr@cker42

4 To switch to desktop mode, click the desktop tile.

5 Download and install Microsoft .NET Framework 4.6.1.

Create a VMDK file for Windows XP


If you are using Windows XP, use the following steps to create the VMDK file.

Task
1 Complete the Windows XP setup.
a On the Setup cannot continue until you enter your name. Administrator and Guest are not allowable names to use
message, click OK.

b In the Windows XP Professional Setup window, enter the following, then click Next.
• Name — root

• Organization — Leave blank.

c If prompted, log on to virtualMachineImage with the following credentials.


• User — administrator

• Password — cr@cker42

2 On the VMware Tools Setup message, click No.

Advanced Threat Defense does not support VMware Tools. If you cannot stop the VMware Tools
installation, you can continue with the VMDK file creation process, but make sure VMware Tools is
uninstalled when the VMDK file is ready.

3 On the VMware Workstation, right-click the VM, then select Settings.

4 In the Virtual Machine Settings window, select CD/DVD (IDE).

5 Next to the Use ISO image file field, click Browse, locate the ISO file, then click OK.


6 Download and install the following Redistributable Packages and .NET Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 3.5 Service Pack 1 (x86)

Create a VMDK file for Windows Server 2003


If you are using Windows Server 2003, use the following steps to create the VMDK file.

Task
1 In the VMware Workstation, turn on the virtual machine, then install Windows Server 2003.
• This step can take up to 30 minutes.

• To format the partition during installation, you can use the NTFS file system.

• Advanced Threat Defense does not support VMware Tools. If you cannot stop the VMware Tools
installation, you can continue with the VMDK file creation process, but make sure VMware Tools is
uninstalled when the VMDK file is ready.

2 For each Windows setup window, configure the options, then click Next.

Window name                                   Configuration options
Regional and Language Options                 Configure the settings for your environment.
Windows Setup                                 Enter the following credentials:
                                              • Name — root
                                              • Organization — Leave blank
Your Product Key                              Enter the product key.
Licensing Modes                               Select Per Server, then enter the number of concurrent connections.
Computer Name and Administrator Password      Configure the following options:
                                              • Computer name — Use the default value
                                              • Administrator password — cr@cker42
                                              • Confirm password — cr@cker42
Date and Time Settings                        Use the default values.
Network Settings                              Use the default values.
Workgroup or Computer Domain                  Use the default values.

3 To log on to the virtual machine, use these credentials:


• User — administrator

• Password — cr@cker42

4 In the Windows Server Post-Setup Security Updates window, click Finish.

5 If you are using Windows Server 2003 SP1, complete the following.
a Install the hotfix for Microsoft Windows Server 2003.

b Restart your computer.

c On the command prompt, enter tlntsvr /service, then press Enter.


6 Download and install the following Redistributable Packages and .NET Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 3.5 Service Pack 1 (x86)

Create a VMDK file for Windows Server 2008


If you are using Windows Server 2008, use the following steps to create the VMDK file.

Task
1 In the Removable Devices window, select Do not show this hint again, then click OK.
The Windows installation can take up to 15 minutes.

2 In the Initial Configuration Tasks window, select Do not show this window at logon, then click Close.

3 Stop the VMware Tools installation.


Advanced Threat Defense does not support VMware Tools. If you cannot stop the VMware Tools
installation, you can continue with the VMDK file creation process, but make sure VMware Tools is
uninstalled when the VMDK file is ready.

4 Download and install Microsoft .NET Framework 4.6.1.

Create a VMDK file for Windows 8.1


If you are using Windows 8.1, use these steps to create the VMDK file.

Task
1 From New Virtual Machine wizard, select BIOS as the firmware type.

2 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.

3 Click Install Now, then click Next.

The installation proceeds in several stages; setup is initialized first.

4 On the Activate Windows page, enter your Windows product key, or select I don't have a product key to activate
it later, then click Next.

5 Accept the license terms, then click Next.

6 On the Windows Setup page, select Custom: Install Windows only (advanced), use the default disk space settings,
then click Next.

The step is completed in five stages. Wait for all stages to complete.

7 In the Settings window, select Use Express settings.

8 For the type of owner, select I own it, then click Next.

9 When asked to enter your Microsoft Account details, select Skip this step.

10 When asked to create an account, use these credentials, then click Next.


• User name — administrator

• Password — cr@cker42


11 When asked about Cortana, select Not now.

12 Wait until the installation is complete, then install the required software.

Log on to your computer and make sure that these redistributable packages are installed.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 4.6.1

Create a VMDK file for Windows 10


If you are using Windows 10, use these steps to create the VMDK file.

Task
1 From New Virtual Machine wizard, select BIOS as the firmware type.

2 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.

3 Click Install Now, then click Next.

The installation process completes in several stages; setup is initialized first.

4 On the Activate Windows page, enter your Windows product key, or select I don't have a product key to activate
it later, then click Next.

5 Accept the license terms, then click Next.

6 On the Windows Setup page, select Custom: Install Windows only (advanced), use the default disk space settings,
then click Next.

The step is completed in five stages. Wait for all stages to complete.

7 In the Settings window, select Use Express settings.

8 For the type of owner, select I own it, then click Next.

9 In the Make it yours window, select Skip this step.

10 In the Create an account for this PC window, use these credentials, then click Next.
• User name — admin

• Password — cr@cker42

11 In the Choose how you'll connect window, select Join a local Active Directory domain.

12 In the Meet Cortana window, select Not now.

13 Wait until the installation is complete, then install the required software.

Log on to your computer and make sure that these redistributable packages are installed.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 4.6.1


Create a VMDK file for Windows 10 version 1703 (Redstone 2)


If you are using Windows 10 version 1703 (Redstone 2), use these steps to create the VMDK file.

Task
1 From New Virtual Machine wizard, select BIOS as the firmware type.

2 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.

3 Click Install Now, then click Next.

The installation process completes in several stages; setup is initialized first.

4 On the Activate Windows page, enter your Windows product key, or select I don't have a product key to activate
it later, then click Next.

5 Accept the license terms, then click Next.

6 On the Windows Setup page, select Custom: Install Windows only (advanced), use the default disk space settings,
then click Next.

The step is completed in five stages. Wait for all stages to complete.

7 In the Settings window, select Use Express settings.

8 For the type of owner, select I do, then click Next.

9 In the Make it yours window, select Skip this step.

10 In the Meet Cortana window, select Not now.

11 In the Choose how you'll connect window, select Join a local Active Directory domain.

12 In the Create an account for this PC window, use these credentials, then click Next.
• User name — admin

• Password — cr@cker42

13 In the Choose Privacy settings window, keep the default settings, then click Next.

14 Wait until the installation is complete, then install the required software.

Log on to your computer and make sure that these redistributable packages are installed.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 4.6.1

Create a VMDK file for Windows 2012


If you are using Windows 2012, use these steps to create the VMDK file.

Task
1 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.

2 Click Install Now, accept the license terms, then click Next.


3 Select Custom Install Windows, Windows Server 2012 Datacenter, use the default disk space settings, then click Next.

The installation process completes in several stages.

4 Set a password for the administrator account.

5 Log on to the computer, then download and install the following redistributable packages and the .NET
Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 4.6.1

Create a VMDK file for Windows 2012 R2


If you are using Windows 2012 R2, use these steps to create the VMDK file.

Task
1 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.

2 Click Install Now, accept the license terms, then click Next.

3 Select Custom Install Windows, Windows Server 2012 R2 Datacenter, use the default disk space settings, then click
Next.

The installation process completes in several stages.

4 Set a password for the administrator account.

5 Log on to the computer, then download and install the following redistributable packages and the .NET
Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft .NET Framework 4.6.1

Create a VMDK file for Windows Server 2016 Standard


If you are using Windows Server 2016 Standard, use these steps to create the VMDK file.

Task
1 From the installation wizard, select the language, time and currency format, keyboard or input method, then
click Next.

2 Click Install Now, accept the license terms, then click Next.

3 Select Custom Install Windows, Windows Server 2016 Standard, use the default disk space settings, then click Next.

The installation process completes in several stages.

4 Set a password for the administrator account.


5 Log on to the computer, then download and install the following redistributable packages and the .NET
Framework.
• Microsoft Visual C++ 2005 Redistributable Package (x86)

• Microsoft Visual C++ 2008 Redistributable Package (x86)

• Microsoft Visual C++ 2010 Redistributable Package (x86)

• Microsoft Visual C++ 2012 Redistributable Package (x86)

• Microsoft .NET Framework 4.6.2

Prepare the VMDK image for analysis


Prepare your VMDK images to capture malware behaviors in the sandbox environment.
We recommend that you run the VMDK Preparation Tool that's available in the Advanced Threat Defense
interface. However, if the tool doesn't work in your environment, you could also prepare your sandbox
environment manually.

Tasks
• Run the VMDK Preparation Tool on page 31
Download the VMDK Preparation Tool from the Advanced Threat Defense interface, then run the
tool to prepare your VMDK images to capture malware behaviors in the sandbox environment.
• Prepare your VMDK image for analysis manually on page 32
Prepare your environment manually to capture malware behaviors in the sandbox environment.

Run the VMDK Preparation Tool


Download the VMDK Preparation Tool from the Advanced Threat Defense interface, then run the tool to
prepare your VMDK images to capture malware behaviors in the sandbox environment.
Run the VMDK Preparation Tool after installing all required software on all Windows VM images that you create.
The VMDK Preparation Tool supports operating systems configured for the supported languages: English,
Spanish, Japanese, Chinese (Simplified), German, French, Italian.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense interface.

2 Click Manage | Image & Software | Image.

3 Click Download VMDK Preparation Tool.

4 Save the VMDK Preparation Tool .exe file on your virtual machine.

5 Make sure that the Visual Studio 2012 C++ Redistributable is installed on the VM.
Download the x86 version of the Visual Studio 2012 C++ Redistributable for your corresponding operating
system language from https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=30679.

6 Open and run the VMDK Preparation Tool .exe file.

If the VMDK Preparation Tool reports errors, perform the steps manually, then run the tool again to verify.

To view the log file that contains all executed commands and changed registry entries, open C:\vmdk_prep.log.
Before you shut down the virtual machine, copy the log file to another system (outside of the VM) for later
reference, then remove the log file.


Prepare your VMDK image for analysis manually


Prepare your environment manually to capture malware behaviors in the sandbox environment.

Tasks
• Prepare a Windows XP image for analysis on page 32
Configure your Windows XP virtual system for analysis.
• Prepare a Windows Server 2003 image for analysis on page 34
Configure your Windows Server 2003 virtual system for analysis.
• Prepare a Windows 7 image for analysis on page 37
Configure your Windows 7 virtual system for analysis.
• Prepare a Windows Server 2008 image on page 40
Configure your Windows Server 2008 virtual system for analysis.
• Prepare a Windows 8 image for analysis on page 42
Configure your Windows 8 virtual system for analysis.
• Prepare a Windows 8.1 image for analysis on page 46
Configure your Windows 8.1 virtual system for analysis.
• Prepare a Windows 10 or Windows 10 v1703 (Redstone 2) image for analysis on page 49
Configure your Windows 10 virtual system for analysis.
• Prepare a Windows 2012 R2 image for analysis on page 53
Configure your Windows Server 2012 R2 virtual system for analysis.
• Prepare a Windows Server 2016 Standard image for analysis on page 56
Configure your Windows Server 2016 Standard virtual system for analysis.

Prepare a Windows XP image for analysis


Configure your Windows XP virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Configure the virtual machine in VMware Workstation:


a Right-click on the Windows XP image, then select Settings.

b In the Virtual Machine Settings window, select CD/DVD (IDE).

c In Use ISO image file, browse to the ISO file that you used and click OK.

d In the Welcome to Microsoft Windows XP page, click Exit.

2 Log on to the virtual machine as administrator.

3 Turn off the firewall in the virtual image: Select Start | Control Panel | Security Center | Windows Firewall | OFF.

4 Start the telnet service in the virtual image:


a Click Start and right-click My Computer.

b Select Manage | Services and Applications | Services, then double-click Telnet.

c In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.

5 Enable FTP in the virtual image:


a Select Start | Control Panel | Add or remove Programs | Add or remove Windows components.

b In the Windows Components wizard, double-click Internet Information Services (IIS).


c In the Internet Information Services (IIS) pop-up window, select these entries:


• File Transfer Protocol (FTP) Service

• Common Files

• Internet Information Services Snap-In

d Click OK, then click Next.

e In the Windows Components wizard, click Finish to finish installing FTP.

f In the Insert Disk message, click Cancel.

g In the Windows XP Setup message, select OK.

6 Configure FTP settings in the virtual image:


a Select Start | Control Panel | Switch to Classic View | Administrative Tools, then double-click Internet Information
Services.

b In the Internet Information Services page, expand the entry under Internet Information Services, then expand
FTP Sites.

c Right-click on Default FTP Site, select Properties | Home Directory.

d Browse to the C:\ drive, select Read, Write, and Log visits.

e Click Apply, then OK.

7 Set automatic logon:


a Select Start | Run, type rundll32 netplwiz.dll,UsersRunDll, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer and click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

8 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

9 Disable Windows updates:


a Select Start | Settings | Control Panel.

b Open System.

c In the Automatic Updates tab, deselect Keep my computer up to date.

d Click Apply and then OK.


10 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2003 on the virtual
machine.

b Lower the security level for running macros in the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for the other applications, such as Microsoft Excel and
PowerPoint.

c Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required
Microsoft Office compatibility pack for Word, Excel, and PowerPoint File Formats, then install it on
the virtual machine.
You need the compatibility pack to open Microsoft Office files that were created in a newer version of
Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding
compatibility pack installed.

d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.

11 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

b Open Adobe Reader and click Accept.

c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.

d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.

12 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

13 Configure system startup:


a Run the msconfig command.

b From the Startup tab, deselect reader_sl and jusched, then click OK.

reader_sl is available only when Adobe Reader is installed.

c In the System Configuration message, select Restart.

d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.

14 Configure the default browser:


a In Internet Explorer, select Tools | Pop-up Blocker | Turn off Pop-up Blocker.

b Select Tools | Internet Options; for Home page, select Use Blank or Use new tab, depending on the version of
Internet Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.

Prepare a Windows Server 2003 image for analysis


Configure your Windows Server 2003 virtual system for analysis.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the virtual machine as administrator.

2 If the Windows Server Post-Setup Security Updates page appears, select Finish.

3 If the Manage Your Server page appears, select Don't Display the page at logon, then close the page.

4 Disable the shutdown event tracker:


a Select Start | Run, type gpedit.msc, then click OK.

b In the Group policy object editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.

c Select Disabled, then click OK.

d Close the Group policy object editor page.

5 Install the hotfix for Windows Server 2003 Service Pack 1 (if applicable).

Skip this step if you have Windows Server 2003 Service Pack 2.

a Go to http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=899260&kbln=en-us and install the
hotfix corresponding to your version of Windows Server 2003.

b Restart the virtual machine.

c In the Windows command prompt, run the tlntsvr /service command.

6 Turn off the firewall in the virtual image: Select Start | Control Panel | Windows Firewall | OFF.

7 Start the telnet service in the virtual image:


a Click Start and right-click My Computer.

b Select Manage | Services and Applications | Services, then double-click Telnet.

c In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.

8 Enable FTP in the virtual image:


a Select Start | Control Panel | Add or remove Programs | Add or remove Windows components.

b In the Windows Components wizard, double-click Application Server, then double-click Internet Information
Services (IIS).

c In the Internet Information Services (IIS) pop-up window, select these entries:


• File Transfer Protocol (FTP) Service

• Common Files

• Internet Information Services Manager

d Click OK, then click Next.

e In the Windows Components wizard, click Finish when the FTP installation is complete.

f In the Insert Disk message, click Cancel.

g In the Windows XP Setup message, select OK.


9 Configure FTP settings in the virtual image:


a Select Start | Control Panel | Switch to Classic View | Administrative Tools, then double-click Internet Information
Services.

b In the Internet Information Services page, expand the entry under Internet Information Services, then expand
FTP Sites.

c Right-click on Default FTP Site, select Properties | Home Directory.

d Browse to the C:\ drive, select Read, Write, and Log visits.

e Click Apply, then click OK.

10 Set automatic logon:


a Select Start | Run, type rundll32 netplwiz.dll,UsersRunDll, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer and click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

11 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

12 Disable Windows updates:


a Select Start | Control Panel | System | Automatic Updates.

b Select Turn off Automatic Updates.

c Click Apply and then click OK.

13 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2003 on the virtual
machine.

b Lower the security level for running macros in the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for the other applications, such as Microsoft Excel and
PowerPoint.

c Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required
Microsoft Office compatibility pack for Word, Excel, and PowerPoint File Formats, then install it on
the virtual machine.
You need the compatibility pack to open Microsoft Office files that were created in a newer version of
Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding
compatibility pack installed.

d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.


14 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

b Open Adobe Reader and click Accept.

c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.

d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.

15 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

16 Configure system startup:


a Run the msconfig command.

b From the Startup tab, deselect reader_sl and jusched, then click OK.

reader_sl is available only when Adobe Reader is installed.

c In the System Configuration message, select Restart.

d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.

17 Configure the default browser:


a In Internet Explorer, select Tools | Pop-up Blocker | Turn off Pop-up Blocker.

b Select Tools | Internet Options; for Home page, select Use Blank or Use new tab, depending on the version of
Internet Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.

Prepare a Windows 7 image for analysis


Configure your Windows 7 virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the virtual machine as administrator.

2 Turn off the firewall in the virtual image:


a Select Start | Control Panel | System and Security | Turn Windows Firewall on or off.

b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and
Public network location settings, then click OK.

3 Enable required Windows features.


a Select Start | Control Panel | Programs | Programs and Features | Turn Windows features on or off.

b Select Internet Information Services | FTP server | FTP Extensibility.


c Select Internet Information Services | Web Management Tools | IIS Management Service.

d Select Telnet Server, then click OK.


This operation might take around 5 minutes to complete.

4 Start the telnet service in the virtual image:


a Click Start and right-click My Computer.

b Select Manage | Services and Applications | Services, then double-click Telnet.

c In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.

5 Configure FTP settings in the virtual image:


a Select Start | Control Panel | System and Security | Administrative Tools, then double-click Internet Information
Services.

b In the Internet Information Services page, expand the entry under Internet Information Services (IIS) Manager,
then expand the tree under the host name.

c Select Sites, right-click on Default FTP Site, select Remove, then click Yes to confirm.

d Right-click Sites, select Add FTP Site, then do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.

• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.

• Click Finish.

e Close the Internet Information Services (IIS) Manager page.

6 Set automatic logon:


a Select Start | Run, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

7 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

8 Disable Windows updates:


a Select Start | Control Panel | Windows Update | Change settings.

b Under Important updates, select Never check for updates (not recommended).


c Deselect all options under Recommended updates, Who can install updates, Microsoft update, Software notifications.

d Click OK.

9 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2003 on the virtual
machine.

b Lower the security level for running macros in the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for the other applications, such as Microsoft Excel and
PowerPoint.

c Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required
Microsoft Office compatibility pack for Word, Excel, and PowerPoint File Formats, then install it on
the virtual machine.
You need the compatibility pack to open Microsoft Office files that were created in a newer version of
Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding
compatibility pack installed.

d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.

10 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

b Open Adobe Reader and click Accept.

c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.

d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.

11 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

12 Configure system startup:


a Run the msconfig command.

b From the Startup tab, deselect reader_sl and jusched, then click OK.

reader_sl is available only when Adobe Reader is installed.

c In the System Configuration message, select Restart.

d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.

13 Configure the default browser:


a In Internet Explorer, select Tools | Pop-up Blocker | Turn off Pop-up Blocker.

b Select Tools | Internet Options; for Home page, select Use Blank or Use new tab, depending on the version of
Internet Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.


14 Disable the WinHTTP auto proxy service: open a command prompt with administrator privileges, then run these
commands.
• Net stop WinHttpAutoProxySvc

• Sc config WinHttpAutoProxySvc start= disabled

Prepare a Windows Server 2008 image


Configure your Windows Server 2008 virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the virtual machine as administrator.

2 If the Manage Your Server page appears, select Don't Display the page at logon, then close the page.

3 Disable the shutdown event tracker:


a Select Start | Run, type gpedit.msc, then click OK.

b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.

c Select Disabled, then click OK.

d Close the Local Group Policy Editor page.

4 Turn off the firewall in the virtual image:


a Select Start | Control Panel | Windows Firewall | Turn Windows Firewall on or off.

b Select Off, then click OK.

5 Install telnet in the virtual image:


a Select Start | Administrative Tools | Server Manager.

b In the Server Manager window, right-click Features and select Add Features.

c In the Add Features Wizard, select Telnet Server.

d Click Next, then Install.

e Click Close after the installation succeeds.

6 Start the telnet service in the virtual image:


a Select Start | Administrative Tools | Services, then double-click Telnet.

b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.

7 Configure FTP settings in the virtual image:


a Select Start | Administrative Tools | Internet Information Services (IIS) Manager.

b In the Internet Information Services (IIS) Manager page, select Sites, then select Add FTP Site.

c In the Add FTP Site wizard, do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.


• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.

• Click Finish.

8 Set automatic logon:


a Select Start | Run, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

9 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

10 Disable Windows updates:


a Select Start | Control Panel | Windows Update | Change settings.

b Under Important updates, select Never check for updates (not recommended).

c Deselect Recommended updates when downloading, installing, or notifying me about updates.

d Click OK.

11 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2003 on the virtual
machine.

b Lower the security level for running macros in the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for the other applications, such as Microsoft Excel and
PowerPoint.

c Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required
Microsoft Office compatibility pack for Word, Excel, and PowerPoint File Formats, then install it on
the virtual machine.
You need the compatibility pack to open Microsoft Office files that were created in a newer version of
Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding
compatibility pack installed.

d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.

12 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

b Open Adobe Reader and click Accept.

McAfee Advanced Threat Defense 4.0.0 Product Guide 41


2 Configuring Advanced Threat Defense for malware analysis
Creating analyzer VMs

c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.

d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.

13 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

14 Configure system startup:


a Run the msconfig command.

b From the Startup tab, deselect reader_sl and jusched, then click OK.

reader_sl is available only when Adobe Reader is installed.

c In the System Configuration message, select Restart.

d In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.

15 Configure the default browser:


a In Internet Explorer, select Tools | Pop-up Blocker | Turn off Pop-up Blocker.

b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.

Prepare a Windows 8 image for analysis


Configure your Windows 8 virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 From the native system, set up Windows 8 to display in the Desktop mode instead of the default Metro UI
mode when it starts.
a Press the Windows and R keys simultaneously, which is the shortcut to open the Run dialog box.

b In the Run dialog box, type regedit, then press Enter.

c In Registry Editor, select HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | Windows NT | CurrentVersion |


Winlogon, then double-click on Shell.

d Change Value data to explorer.exe, explorer.exe (instead of the default value of explorer.exe),
then click OK.

2 Log on to the virtual machine as administrator.

3 Turn off the firewall in the virtual image:


a Press the Windows and X keys simultaneously, then select Control Panel | System and Security | Turn
Windows Firewall on or off.

b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.


4 Disable Windows Defender:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Windows Defender | Settings | Administrators, deselect Turn on Windows Defender, then click Save changes.

c Close the Windows Defender message box.

5 Disable first log on animation:


a Press the Windows and X keys simultaneously.

b In the Run dialog box, type gpedit.msc, then press Enter.

c In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System |
Logon.

d Double-click Show first sign-in animation, select Disabled, then click OK.

6 Enable required Windows features.


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Programs | Programs and Features | Turn Windows feature on or off.

c Select Internet Information Services | FTP server | FTP Extensibility.

d Select Internet Information Services | Web Management Tools | IIS Management Service.

e Select Telnet Server.

f Select .NET Framework 3.5 (includes .NET 2.0 and 3.0), then select the Windows Communication Foundation HTTP
Activation and Windows Communication Foundation Non-HTTP Activation options, then click OK.

g If the Windows needs files from Windows Update to finish installing some features message appears, select Download
files from Windows Update.
This operation might take around 5 minutes to complete. A confirmation message is displayed when the
operation completes.

7 Edit the power options:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Power Options | Choose when to turn off the display, select Never for both Turn off the display and Put the
computer to sleep options, then click Save changes.

c Select Power Options | Choose what the power buttons do, select Change Settings that are currently unavailable for
both Turn off the display and Put the computer to sleep options, then click Save changes.

d For shutdown settings, deselect Turn on fast startup and Hibernate options, then click Save changes.

8 Start the telnet service in the virtual image:


a Press the Windows and X keys simultaneously, select Computer Management | Services and Applications |
Services, then double-click Telnet.

b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.

9 Configure FTP settings in the virtual image:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Administrative Tools, then double-click Internet Information Services.


c In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.

d If you see the Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? message, select Do not show this message, then click Cancel.

e Select Sites, right-click on Default Web Site, select Remove, then click Yes to confirm.

f Right-click Sites, select Add FTP Site, then do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.

• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.

• Click Finish.

g Close the Internet Information Services (IIS) Manager page.

10 Turn off automatic updating for Windows:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Windows Update | Change.

c Select Never check for updates (not recommended), then click OK.

11 Configure Telnet clients


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Administrative Tools | Computer Management.

c Select Computer Management (Local) | System Tools | Local Users and Groups | Groups.

d Double-click TelnetClients.

e Click Add, type Administrator, click Check Names, then click OK.

12 Set automatic logon:


a Press the Windows and R keys simultaneously, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

13 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.


14 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2003 on the virtual
machine.

b Lower the security to run macros for the Office applications. In Microsoft Word 2003, select Tools |
Macro | Security, select Low, then click OK. Do the same for the other applications, such as Microsoft Excel and
PowerPoint.

c Go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required


Microsoft Office compatibility pack for Word, Excel, and PowerPoint File Formats, then install them on
the virtual machine.
You need the compatibility pack to open Microsoft Office files that were created in a newer version of
Microsoft Office. For example, to open a .docx file using Office 2003, you need the corresponding
compatibility pack installed.

d In the Compatibility Pack for the 2007 Office system dialog, select Click here to accept the Microsoft Software
License Terms, then click OK.

15 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

b Open Adobe Reader and click Accept.

c In Adobe Reader, select Edit | Preferences | General, then deselect Check for updates.

d In Adobe Reader, select Help | Check for updates | Preferences, then deselect Adobe Updates.

16 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

17 Configure system startup:


a Run the msconfig command.

b On the Startup tab, click Open Task Manager.

c Select Java(TM) Update Scheduler (jusched) (if listed), then click Disable.

d Select Adobe Acrobat SpeedLauncher (reader_sl) (if listed), then click Disable.

e In the System Configuration message, select Restart.

f In the System Configuration Utility message, select Don't show this message or launch the System Configuration
Utility when Windows starts, then click OK.

18 Configure the default browser:


a In Internet Explorer, select Tools | Pop-up Blocker | Turn off Pop-up Blocker.

b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.


19 Disable the WinHTTP auto-proxy service (WinHttpAutoProxySvc): open a Command Prompt with administrator privileges, then run these
commands.
• net stop WinHttpAutoProxySvc

• sc config WinHttpAutoProxySvc start= disabled
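Most of the Windows 8 procedure above is registry, service and optional-feature work, and the same values are what the Windows 8.1 and Windows 10 procedures later in this chapter change through the GUI. The script below is an added example, not part of the McAfee guide or of the product: run from an elevated PowerShell session in the guest, it performs steps 1, 3 through 8, 10 through 12, 17 and 19, skipping feature names that do not exist on the installed build. The IIS FTP site, Office, Adobe Reader, Java and MergeIDE steps stay manual. The account name and password are the guide's; the assumption that the .NET 3.5 payload can be fetched from Windows Update is the guide's too. Every line deliberately weakens the guest (no firewall, no Defender, plaintext autologon credentials), so the resulting image belongs only on the isolated malware network.

```powershell
# Added example, not from the McAfee guide: applies the registry, service and
# feature changes of the Windows 8 analyzer-image procedure from one elevated
# PowerShell session. Assumptions: the analysis account name and password below,
# and that the Windows Update payload for .NET 3.5 is reachable from the guest.
# Every step intentionally weakens the guest; keep the image on the isolated
# malware network only and never apply this to a host you care about.
$ErrorActionPreference = 'Stop'
$User = 'Administrator'   # the Windows 10 procedure uses 'admin'
$Pass = 'cr@cker42'

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

function Set-Reg {
    # Create the key if needed, then write the value (REG_DWORD unless -Type given).
    param($Path, $Name, $Value, $Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Step 1: boot straight to the desktop instead of the Start screen.
Set-Reg $Winlogon 'Shell' 'explorer.exe, explorer.exe' 'String'

# Step 3: firewall off on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Step 4: Windows Defender off. The policy value is honoured on 8, 8.1 and 10;
# Set-MpPreference exists only where the Defender module is present.
Set-Reg 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware' 1
if (Get-Command Set-MpPreference -ErrorAction SilentlyContinue) {
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
}

# Step 5: the value gpedit writes for "Show first sign-in animation: Disabled".
Set-Reg 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableFirstLogonAnimation' 0

# Step 6: IIS FTP, IIS management service, Telnet server, .NET 3.5 and WCF
# activation; the .NET 4.x/ASP.NET names cover the Windows 10 variant. Names
# that do not exist on this Windows build are skipped rather than failing.
$Wanted = 'IIS-FTPServer','IIS-FTPSvc','IIS-FTPExtensibility','IIS-ManagementService',
          'TelnetServer','NetFx3','WCF-HTTP-Activation','WCF-NonHTTP-Activation',
          'NetFx4-AdvSrvs','IIS-ASPNET45','WCF-TCP-PortSharing45'
$Available = (Get-WindowsOptionalFeature -Online).FeatureName
$Features = $Wanted | Where-Object { $_ -in $Available }
Enable-WindowsOptionalFeature -Online -FeatureName $Features -All -NoRestart | Out-Null

# Step 7: never blank the display or sleep; no hibernation, no fast startup.
powercfg /change monitor-timeout-ac 0
powercfg /change standby-timeout-ac 0
powercfg /hibernate off
Set-Reg 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled' 0

# Step 8: Telnet server automatic and running (the service is absent on
# Windows 10 builds, where the guide does not ask for it).
if (Get-Service TlntSvr -ErrorAction SilentlyContinue) {
    Set-Service -Name TlntSvr -StartupType Automatic
    Start-Service -Name TlntSvr
}

# Step 10: Windows Update "Never check for updates" (AUOptions 1). The Windows
# 10 procedure additionally disables the service; uncomment the line there.
Set-Reg 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions' 1
# Set-Service wuauserv -StartupType Disabled; Stop-Service wuauserv

# Step 11: let the analysis account use Telnet (a second run only reports that
# the account is already a member).
if (Get-Service TlntSvr -ErrorAction SilentlyContinue) {
    net localgroup TelnetClients $User /add | Out-Null
}

# Step 12: automatic logon. netplwiz keeps the password as an LSA secret; the
# DefaultPassword value below is plaintext in the registry, tolerable only in
# a throw-away analysis guest.
Set-Reg $Winlogon 'AutoAdminLogon'  '1'   'String'
Set-Reg $Winlogon 'DefaultUserName' $User 'String'
Set-Reg $Winlogon 'DefaultPassword' $Pass 'String'

# Step 17: drop the Java updater and Adobe speed launcher from the Run key,
# matching on the executable in each command line rather than on display names.
$Run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($p in (Get-Item $Run).Property) {
    if ((Get-ItemProperty $Run -Name $p).$p -match 'jusched|reader_sl') {
        Remove-ItemProperty -Path $Run -Name $p
    }
}

# Step 19: WinHTTP auto-proxy service off. On later Windows 10 builds the
# service is protected and Set-Service / "sc config" are refused, so write
# Start=4 (Disabled) to the service key directly.
Stop-Service WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
Set-Reg 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start' 4

Write-Host 'Reboot, then finish the GUI-only steps: IIS FTP site, Office, Adobe Reader, Java, MergeIDE.'
```

Run it once, reboot so the feature installation and Winlogon changes take effect, then complete the remaining GUI steps. The direct registry write for WinHttpAutoProxySvc is the reason to prefer this over the two commands in step 19 on newer Windows 10 builds, where the service cannot be reconfigured through the Service Control Manager.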

Prepare a Windows 8.1 image for analysis


Configure your Windows 8.1 virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 From the native system, set up Windows 8.1 to display in the Desktop mode instead of the default Metro UI
mode when it starts.
a Press the Windows and R keys simultaneously, which is the shortcut to open the Run dialog box.

b In the Run dialog box, type regedit, then press Enter.

c In Registry Editor, select HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | Windows NT | CurrentVersion |


Winlogon, then double-click on Shell.

d Change Value data to explorer.exe, explorer.exe (instead of the default value of explorer.exe),
then click OK.

2 Log on to the virtual machine as administrator.

3 Turn off the firewall in the virtual image:


a Press the Windows and X keys simultaneously, then select Control Panel | System and Security | Turn
Windows Firewall on or off.

b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.

4 Disable Windows Defender:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Windows Defender | Settings | Administrators, deselect Turn on this app, then click Save changes.

c If a Windows Defender message appears, close the message screen.

5 Disable first log on animation:


a Press the Windows and R keys simultaneously, type gpedit.msc, then press Enter.

b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System |
Logon.

c Double-click Show first sign-in animation, select Disabled, then click OK.

6 Enable required Windows features.


a Press the Windows and X keys simultaneously, then select Control Panel | Programs | Programs and Features |
Turn Windows feature on or off.

b Select Internet Information Services | FTP server | FTP Extensibility.

c Select Internet Information Services | Web Management Tools | IIS Management Service.

d Select Telnet Server.


e Select .NET Framework 3.5 (includes .NET 2.0 and 3.0), then select the Windows Communication Foundation HTTP
Activation and Windows Communication Foundation Non-HTTP Activation options, then click OK.

f If the Windows needs files from Windows Update to finish installing some features message appears, select Download
files from Windows Update.
This operation might take around 5 minutes to complete. A confirmation message is displayed when the
operation completes.

7 Download and install the .NET Framework 4.6 on the VM image.


If a Blocking Issues message appears, install the suggested components, then select Continue.

8 Edit the power options:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Power Options | Choose when to turn off the display, select Never for both Turn off the display, and Put the
computer to sleep options, then click Save changes.

c For shutdown settings, deselect Turn on fast startup and Hibernate options, then click Save changes.

9 Start the telnet service in the virtual image:


a Press the Windows and X keys simultaneously, select Computer Management | Services and Applications |
Services, then double-click Telnet.

b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.

10 Configure FTP settings in the virtual image:


a Press the Windows and X keys simultaneously, select Control Panel | System and Security | Administrative Tools,
then double-click Internet Information Services.

b In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.

c If you see the Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? message, select Do not show this message, then click Cancel.

d Select Sites, right-click on Default Web Site, select Remove, then click Yes to confirm.

e Right-click Sites, select Add FTP Site, then do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.

• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read, and Write under Permissions.

• Click Finish.

f Close the Internet Information Services (IIS) Manager page.

11 Turn off automatic updating for Windows:


a Press the Windows and X keys simultaneously, then select Control Panel | Windows Update | Change.

b Select Never check for updates (not recommended), then click OK.


12 Configure Telnet clients.


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Administrative tools | Computer Management.

c Select Computer Management (Local) | System Tools | Local Users and Groups | Groups.

d Double-click TelnetClients.

e Click Add, type Administrator, click Check Names, then click OK.

13 Set automatic logon:


a Press the Windows and R keys simultaneously, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

14 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

15 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2007 on the virtual
machine.

b Lower the security to run macros for the Office applications. In Microsoft Word 2007, select the Microsoft
Office button in the top left corner, then select Word Options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for the
other applications, such as Microsoft Excel and PowerPoint.

c On the Welcome to Microsoft Office 2007 page, click Next button.

d On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.

16 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and install it to the VM.

b In Adobe reader, if Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.

c If Accessibility Setup Assistance message appears, select Cancel.

d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.


17 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

18 Configure system startup:


a Run the msconfig command.

b On the Startup tab, click Open Task Manager.

c Select Java(TM) Update Scheduler (jusched) (if listed), then click Disable.

d Select Adobe Acrobat SpeedLauncher (reader_sl) (if listed), then click Disable.

e In the System Configuration dialog, select Don't show this message again, then select Restart.

19 Configure the default browser:


a In Internet Explorer, select Tools | Internet options | Privacy, select Turn off Pop-up Blocker, then select OK.

b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.

20 Disable the WinHTTP auto-proxy service (WinHttpAutoProxySvc): open a Command Prompt with administrator privileges, then run these
commands.
• net stop WinHttpAutoProxySvc

• sc config WinHttpAutoProxySvc start= disabled

Prepare a Windows 10 or Windows 10 v1703 (Redstone 2) image for analysis


Configure your Windows 10 virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 From the native system, set up Windows 10 to display in the Desktop mode instead of the default Metro UI
mode when it starts.
a Press the Windows and R keys simultaneously, which is the shortcut to open the Run dialog box.

b In the Run dialog box, type regedit, then press Enter.

c In Registry Editor, select HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | Windows NT | CurrentVersion |


Winlogon, then double-click on Shell.

d Change Value data to explorer.exe, explorer.exe (instead of the default value of explorer.exe),
then click OK.

2 Log on to the virtual machine as administrator.


3 Turn off the firewall in the virtual image:


a Press the Windows and X keys simultaneously, then select Control Panel | System and Security | Turn
Windows Firewall on or off.

b Select Turn off Windows Firewall (not recommended) for both Home or work (private) network location settings and Public
network location settings, then click OK.

4 Disable Windows Defender:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Windows Defender, then turn off all features on the Windows Defender Settings page.

c If a Windows Defender message appears, close the message screen.

5 Disable first log on animation:


a Press the Windows and R keys simultaneously.

b In the Run dialog box, type gpedit.msc, then press Enter.

c In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System |
Logon.

d Double-click Show first sign-in animation, select Disabled, then click OK.

6 Enable required Windows features.


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Programs | Programs and Features | Turn Windows feature on or off.

c Select Internet Information Services | FTP server | FTP Extensibility.

d Select Internet Information Services | Web Management Tools | IIS Management Service.

e Select .NET Framework 4.6 Advanced Services, and ensure that ASP.NET 4.6 is enabled, then press OK.

f Select WCF Service Library, ensure that TCP Port Sharing is enabled.

g If the Windows needs files from Windows Update to finish installing some features message appears, select Download
files from Windows Update.
This operation might take around 5 minutes to complete. A confirmation message is displayed when the
operation completes.

7 Edit the power options:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Power Options | Choose when to turn off the display, select Never for Turn off the display, then click Save
changes.

c For shutdown settings, deselect Turn on fast startup and Hibernate options, then click Save changes.

8 Configure FTP settings in the virtual image:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Administrative Tools, then double-click Internet Information Services.

c In the Internet Information Services page, expand the entry under Internet Information Services(IIS) Manager,
then expand the tree under host name.


d If you see the Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? message, select Do not show this message, then click Cancel.

e Select Sites, right-click on Default Web Site, select Remove, then click Yes to confirm.

f Right-click Sites, select Add FTP Site, then do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.

• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read, and Write under Permissions.

• Click Finish.

g Close the Internet Information Services (IIS) Manager page.

9 Turn off automatic updating for Windows:


a Press the Windows and X keys simultaneously, select Control Panel, then select Small Icons under View by.

b Select Administrative Tools | Services, then double-click Windows Update.

c Select Startup type as Disabled.

d Stop the service if the service is running.

e Press the Windows and X keys simultaneously, then select Control Panel | Windows Update | Change.

f Select Never check for updates (not recommended), then click OK.

10 Set automatic logon:


a Press the Windows and R keys simultaneously, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — admin

• Password — cr@cker42

• Confirm Password — cr@cker42

11 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

12 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2007 on the virtual
machine.

b Lower the security to run macros for the Office applications. In Microsoft Word 2007, select the Microsoft
Office button in the top left corner, then select Word Options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for the
other applications, such as Microsoft Excel and PowerPoint.


c Lower the security to run ActiveX controls for the Office applications. In Microsoft Word 2007, select the Microsoft
Office button in the top left corner, then select Word Options | Trust Center | Trust Center Settings | ActiveX
Settings, then select Enable all controls without restrictions and without prompting (not recommended; potentially
dangerous code can run). Do the same for the other applications, such as Microsoft Excel and PowerPoint.

d Select Word Options | Trust Center | Trust Center Settings | Trusted Locations, then use the Add new location...
button to add C:\ under User Locations. Once added, double-click the entry for C:\, then in the pop-up,
select Subfolders of this location are also trusted, then click OK.

e On the Welcome to Microsoft Office 2007 page, click Next button.

f On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.

g The first time you open any Microsoft Office 2007 application, the Help Protect and Improve
Microsoft Office dialog appears. Select Don't make changes, then click OK.

13 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and install it to the VM.

b In Adobe reader, if Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.

c If Accessibility Setup Assistance message appears, select Cancel.

d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.

14 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

15 Configure system startup:


a Run the msconfig command.

b On the Startup tab, click Open Task Manager.

c Select Java(TM) Update Scheduler (jusched) (if listed), then click Disable.

d Select Adobe Acrobat SpeedLauncher (reader_sl) (if listed), then click Disable.

e In the System Configuration dialog, select Don't show this message again, then select Restart.

16 Configure the default browser:


a In Internet Explorer, select Tools | Internet options | Privacy, select Turn off Pop-up Blocker, then select OK.

b Select Tools | Internet Options, for Home page select Use Blank or Use new tab based on the version of Internet
Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.


17 Disable the WinHTTP auto-proxy service (WinHttpAutoProxySvc): open a Command Prompt with administrator privileges, then run these
commands.
• net stop WinHttpAutoProxySvc

• sc config WinHttpAutoProxySvc start= disabled

18 Run the VMDK Preparation Tool for further changes.
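The Windows 8, Windows 8.1 and Windows 10 procedures above each end with the image in the same intended state, and a single missed checkbox (a firewall profile left on, a Windows Update check still scheduled, the FTP site bound to the wrong folder) only shows up later as a failed or noisy analysis. The audit below is an added example, not part of the McAfee guide or of the product: run elevated as the analysis account inside the finished guest, before the VMDK Preparation Tool, it checks the settings those procedures change and returns the names of the checks that fail. It assumes the guide's account names (Administrator, or admin on Windows 10), that Office 2003 (registry version 11.0) or Office 2007 (12.0) is the installed suite, and that the IIS configuration property names exposed by the WebAdministration module are the standard ftpServer.* ones; the Telnet checks apply only where the procedure installed Telnet Server.

```powershell
# Added example, not from the McAfee guide: audits a prepared Windows 8/8.1/10
# analyzer image against the state the procedures leave it in and returns the
# checks that fail. Run elevated, as the analysis account, inside the guest.
# Assumptions: account names Administrator/admin, Office 11.0 or 12.0 keys,
# and the WebAdministration provider's ftpServer.* property names.
function Get-RegValue {
    param($Path, $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AnalyzerImage {
    param([string[]]$ExpectedUser = @('Administrator', 'admin'))
    $Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $Run      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $svc = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $svc[$_.Name] = $_ }

    # Check name -> script block that must return $true; a thrown error counts as a failure.
    $checks = [ordered]@{
        'Shell boots to desktop' = {
            (Get-RegValue $Winlogon 'Shell') -eq 'explorer.exe, explorer.exe' }
        'Firewall off on all profiles' = {
            -not (Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'True' }) }
        'Defender disabled by policy' = {
            (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware') -eq 1 }
        'First sign-in animation off' = {
            (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableFirstLogonAnimation') -eq 0 }
        'Windows Update never checks' = {
            (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions') -eq 1 }
        'Hibernate and fast startup off' = {
            (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled') -eq 0 -and
            (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled') -eq 0 }
        'Telnet server automatic and running (where installed)' = {
            -not $svc.TlntSvr -or ($svc.TlntSvr.StartMode -eq 'Auto' -and $svc.TlntSvr.State -eq 'Running') }
        'Analysis account in TelnetClients (where installed)' = {
            if (-not $svc.TlntSvr) { return $true }
            $members = net localgroup TelnetClients 2>$null
            [bool]($members | Where-Object { $_.Trim() -in $ExpectedUser }) }
        'WinHTTP auto-proxy disabled' = {
            (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start') -eq 4 }
        'Automatic logon set' = {
            (Get-RegValue $Winlogon 'AutoAdminLogon') -eq '1' -and
            (Get-RegValue $Winlogon 'DefaultUserName') -in $ExpectedUser }
        'No updater or speed-launcher autostarts' = {
            $names = (Get-Item $Run).Property
            -not ($names | Where-Object { (Get-ItemProperty $Run -Name $_).$_ -match 'jusched|reader_sl' }) }
        'IE home page blank' = {
            (Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page') -eq 'about:blank' }
        'Office macros run without prompting' = {
            (Get-RegValue 'HKCU:\Software\Microsoft\Office\11.0\Word\Security' 'Level') -eq 1 -or
            (Get-RegValue 'HKCU:\Software\Microsoft\Office\12.0\Word\Security' 'VBAWarnings') -eq 1 }
        'FTP site root on C:\ with Basic auth, SSL not required, default site removed' = {
            Import-Module WebAdministration -ErrorAction Stop
            $site = Get-Item 'IIS:\Sites\root' -ErrorAction Stop
            -not (Test-Path 'IIS:\Sites\Default Web Site') -and
            $site.physicalPath -eq 'C:\' -and
            $site.ftpServer.security.authentication.basicAuthentication.enabled -eq $true -and
            "$($site.ftpServer.security.ssl.controlChannelPolicy)" -eq 'SslAllow' }
    }

    $failed = @(foreach ($name in $checks.Keys) {
        $ok = $false
        try { $ok = [bool](& $checks[$name]) } catch { $ok = $false }
        if (-not $ok) { $name }
    })
    return ,$failed
}

$failed = Test-AnalyzerImage
if ($failed.Count -eq 0) {
    'Image matches the expected analysis state.'
} else {
    "Fix before running the VMDK Preparation Tool:`n - " + ($failed -join "`n - ")
    exit 1
}
```

Each check is a self-contained script block, so a missing module or key fails only that check rather than aborting the audit, and the failing names are the same headings a reader would look for in the procedure above. Extend the table with a line per extra setting your images need rather than adding ad-hoc `if` blocks.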

Prepare a Windows 2012 R2 image for analysis


Configure your Windows Server 2012 R2 virtual system for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the virtual machine as administrator.

2 If the Manage Your Server window appears, select Don't display this page at logon and close the page.

3 If the Server Manager window is displayed, select Manage | Server Manager Properties, select Do not start Server
Manager automatically at logon, then select OK.

4 Disable the shutdown event tracker:


a Select Start | Run, type gpedit.msc, then click OK.

b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.

c Select Disabled, then click OK.

d Close the Local Group Policy Editor page.

5 Turn off the firewall in the virtual image:


a Select Start | Control Panel | Windows Firewall | Turn Windows Firewall on or off.

b Select Off, then click OK.

6 Install telnet in the virtual image:


a Select Start | Administrative Tools | Server Manager.

b In the Server Manager window, select Add Roles and Features.

c In Add Roles and Features Wizard, select Telnet Server.

d Click Next, then Install.

e Click Close after the installation succeeds.

7 Start the telnet service in the virtual image:


a Select Start | Administrative Tools | Services, then double-click Telnet.

b In the Telnet Properties (Local Computer) page, select Automatic for the Startup type, then select Apply | Start |
OK.


8 Configure FTP settings in the virtual image:


a Install the Web Server (IIS) role if it is not already present, making sure to select FTP Server during
the installation:
1 From Server Manager page, select Add Roles and Features, then click Next.

2 In the Installation type page, select Role-based or feature-based installation, then click Next.

3 In the Server selection page, select Select a server from the server pool, then click Next.

4 In the Server Roles page, expand the Web Server (IIS) node, expand the FTP Server node, select FTP Server,
select FTP Service, then click Next.

5 In the Select features page, click Next, then click Install.

b Select Start | Administrative Tools | Internet Information Services(IIS) Manager.

c In the Internet Information Services (IIS) Manager page, select Sites, then select Add FTP Site.

d In the Add FTP Site wizard, do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.

• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, select both Read and Write under Permissions.

• Click Finish.

9 Download and install the .NET Framework 4.6 on the VM image.


If a Blocking Issues message appears, install the suggested components, then select Continue.

10 Set automatic logon:


a Select Start | Run, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

11 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/
MergeIDE.zip on the native computer and then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

12 Disable Windows updates:


a Select Start | Control Panel | Windows Update | Change settings.

b Under Important updates, select Never check for updates (not recommended).

c Deselect Recommended updates when downloading, installing, or notifying me about updates.

d Click OK.

13 Configure Microsoft Office:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2007 on the virtual
machine.

b Lower the security to run macros for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option in the top left corner, then select Word Options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for
other applications such as Microsoft Excel and PowerPoint.

c Lower the security to run ActiveX for the Office applications. In Microsoft Word 2007, select the Microsoft
Office option in the top left corner, then select Word Options | Trust Center | Trust Center Settings | ActiveX
Settings, then select Enable all controls without restrictions and without prompting (not recommended; potentially
dangerous code can run). Do the same for other applications such as Microsoft Excel and PowerPoint.

d On the Welcome to Microsoft Office 2007 page, click Next.

e On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.

14 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and install it on the VM.

b In Adobe Reader, if the Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.

c If the Accessibility Setup Assistance message appears, select Cancel.

d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.

15 Configure Java:
a Open Java in the Control Panel.

b In the Update tab, deselect Check for Updates Automatically.

c In the Java Update Warning message, select Do Not Check and then click OK.

16 Configure system startup:


a Run the msconfig command.

b From the Startup tab, deselect reader_sl and jusched, then click OK.

reader_sl is available only when Adobe Reader is installed.

c In the System Configuration dialog, select Don't show this message again, then select Restart.

17 Configure the default browser:


a In Internet Explorer, select Tools | Internet options | Privacy, select Turn off Pop-up Blocker, then select OK.

b Select Tools | Internet Options, then for Home page select Use Blank or Use new tab, depending on the version of
Internet Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.

Prepare a Windows Server 2016 Standard image for analysis


Configure your Windows Server 2016 Standard virtual system for analysis.

Task
1 Log on to the virtual machine as administrator.

2 If the Manage Your Server page appears, select Don't Display the page at logon, then close the page.

3 If the Server Manager window is displayed, select Manage | Server Manager Properties, select Do not start Server
Manager automatically at logon, then select OK.

4 Disable the shutdown event tracker:


a Select Start | Run, type gpedit.msc, then click OK.

b In the Local Group Policy Editor page, select Computer Configuration | Administrative Templates | System, then
double-click Display Shutdown Event Tracker.

c Select Disabled, then click OK.

d Close the Local Group Policy Editor page.

5 Turn off the firewall in the virtual image:


a Select Start | Control Panel | Windows Firewall | Turn Windows Firewall on or off.

b Select Turn off Windows Firewall (not recommended) for the following, then click OK.

• Home or work (private) networks

• Public networks

6 Configure FTP settings in the virtual image:


a Install IIS Manager if it is not already present, and make sure that you select the FTP Server checkbox when
installing it.

1 From the Server Manager page, select Add Roles and Features, then click Next.

2 In the Installation type page, select Role-based or feature-based installation, then click Next.

3 In the Server selection page, select Select a server from the server pool, then click Next.

4 In the Server Roles page, expand the Web Server (IIS) node, expand the FTP Server node, select FTP Server,
select FTP Service, then click Next.

5 In the Select features page, click Next, then click Install.

b Select Start | Administrative Tools | Internet Information Services (IIS) Manager.

c In the Internet Information Services Manager page, select ADMINISTRATOR | Sites, then right-click Sites
and select Add FTP Site.

d In the Add FTP Site wizard, do the following.


• Provide the FTP site name as root and Physical path as C:\, then click Next.

• For Bindings and SSL Settings, select No SSL, then click Next.

• For Authentication and Authorization Information, select Basic under Authentication, select All Users
under Allow access to, then select both Read and Write under Permissions.

• Click Finish.

7 Ensure that .NET Framework 4.6.2 is installed.

8 Set automatic logon:


a Select Start | Run, type netplwiz, then press Enter.

b In the User Accounts window, deselect Users must enter a user name and password to use
this computer, then click Apply.

c In the Automatically log on page, provide these credentials.


• User name — Administrator

• Password — cr@cker42

• Confirm Password — cr@cker42

9 Run the MergeIDE batch file on the virtual machine:


a Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip on
the native computer, then copy it to the virtual machine.

b Extract MergeIDE.zip and run the MergeIDE batch file in the VM.

10 Disable Windows updates and Windows Defender:


a Select Start | Run, type gpedit.msc, then press Enter.

b Select Computer Configuration | Administrative Templates | Windows Components | Windows Update.

c On the right pane, double-click Configure Automatic Updates, then select Disabled.

d Click OK.

e Select Computer Configuration | Administrative Templates | Windows Components | Windows Defender.

f On the right pane, double-click Turn off Windows Defender, then select Disabled.

g Click OK.

11 Configure Microsoft Office 2016:


a To analyze Microsoft Word, Excel, and PowerPoint files, install Microsoft Office 2016 on the virtual
machine.

b Lower the security to run macros for the Office applications. In Microsoft Word 2016, select the Microsoft
Office option in the top left corner, then select Word Options | Trust Center | Trust Center Settings | Macro
Settings, then select Enable all macros (not recommended; potentially dangerous code can run). Do the same for
other applications such as Microsoft Excel and PowerPoint.

c Lower the security to run ActiveX for the Office applications. In Microsoft Word 2016, select the Microsoft
Office option in the top left corner, then select Word Options | Trust Center | Trust Center Settings | ActiveX
Settings, then select Enable all controls without restrictions and without prompting (not recommended; potentially
dangerous code can run). Do the same for other applications such as Microsoft Excel and PowerPoint.

d On the Welcome to Microsoft Office 2016 page, click Next.

e On the Sign-up for Microsoft Update page, select I don't want to use Microsoft Update, then click Finish.

12 Configure Adobe Reader:


a To analyze PDF files, download Adobe Reader to the native host and install it on the VM.

b In Adobe Reader, if the Adobe Reader Protected Mode message appears, select Open with Protected Mode
disabled, then select OK.

c If Accessibility Setup Assistance message appears, select Cancel.

d Select Edit | Preferences | Updater, select Do not download or install updates automatically, select OK, then select
Yes to confirm the changes.

13 Configure Java:


a Open the Registry Editor.

b Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.

c On the right pane, double-click {A509B1A7-37EF-4b3f-8CFC-4F3A74704073}, then set its value to 0.

d Close the Registry Editor.

14 Configure Adobe Flash Player:


a Run the command prompt as an Administrator.

b Execute the following command:

dism.exe /online /add-package /packagepath:"<Adobe-Flash-For-Windows-Package>.mum"

Replace <Adobe-Flash-For-Windows-Package> with the name and path of the Adobe Flash for
Windows package MUM file.

c Restart the VM.

15 Configure system startup:


a Select Start | Run, type msconfig, then click OK.

b From the Startup tab, deselect reader_sl and jusched, then click OK.

reader_sl is available only when Adobe Reader is installed.

c In the System Configuration dialog, select Don't show this message again, then select Restart.

16 Configure the default browser:


a In Internet Explorer, select Tools | Internet options | Privacy, select Turn off Pop-up Blocker, then select OK.

b Select Tools | Internet Options, then for Home page select Use Blank or Use new tab, depending on the version of
Internet Explorer.

c Go to the Advanced tab of the Internet Options and locate Security, then select Allow active content to run in
files on My Computer.
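The following PowerShell script is an added example; it is not part of this guide or of the Advanced Threat Defense product. It reads back the settings that the Windows Server 2016 procedure above changes (shutdown tracker, firewall, FTP site, automatic logon, update and Defender policy, Office macro security) so that you can confirm the image is ready before you shut the VM down, export the VMDK, and run the image validation. The check names, the Test-AnalyzerVmReadiness and Get-RegValue functions, and the mapping of each step to a registry value or cmdlet are this example's assumptions; the registry paths and cmdlets themselves are standard Windows, IIS, and Office locations. Run it from an elevated PowerShell while logged on as the Administrator account that will log on automatically, because the Office settings live under that user's HKCU hive.

```powershell
# Added example, not part of the McAfee guide: a read-only readiness check for a
# Windows Server 2016 analyzer VM prepared with the steps above. Which guide step
# maps to which setting is this example's assumption (see the comments).

function Get-RegValue {
    # Returns a registry value, or $null when the key or value is missing
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AnalyzerVmReadiness {
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Ok, $Detail)
             $checks.Add([pscustomobject]@{ Check = $Name; Ok = [bool]$Ok; Detail = "$Detail" }) }

    # Step 4: Shutdown Event Tracker disabled through local policy
    $sr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability' 'ShutdownReasonOn'
    & $add 'Shutdown Event Tracker disabled' ($sr -eq 0) "ShutdownReasonOn=$sr"

    # Step 5: Windows Firewall off for every profile (the image validation later reports FIREWALL OK)
    $on = Get-NetFirewallProfile | Where-Object { $_.Enabled.ToString() -eq 'True' } |
          Select-Object -ExpandProperty Name
    & $add 'Firewall off (all profiles)' (-not $on) ('still enabled: ' + ($on -join ', '))

    # Step 6: FTP Service role installed and running; site "root" on C:\ with Basic authentication
    $feature = Get-WindowsFeature -Name Web-Ftp-Service -ErrorAction SilentlyContinue
    $svc     = Get-Service -Name ftpsvc -ErrorAction SilentlyContinue
    & $add 'FTP Service role installed' ($feature -and $feature.Installed) 'Web-Ftp-Service'
    & $add 'FTP service running' ($svc -and $svc.Status -eq 'Running') "ftpsvc=$(if ($svc) { $svc.Status })"
    $cfgPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    $site = $null
    if (Test-Path $cfgPath) {
        [xml]$cfg = Get-Content -Path $cfgPath -Raw
        $site = $cfg.configuration.'system.applicationHost'.sites.site | Where-Object { $_.name -eq 'root' }
    }
    $physical = if ($site) { $site.application.virtualDirectory.physicalPath } else { $null }
    $basic    = if ($site) { $site.ftpServer.security.authentication.basicAuthentication.enabled } else { $null }
    & $add 'FTP site "root" -> C:\' ($physical -eq 'C:\') "physicalPath=$physical"
    & $add 'FTP Basic authentication' ($basic -eq 'true') "basicAuthentication.enabled=$basic"

    # Step 8: automatic logon (netplwiz stores the user name here; the password goes into an LSA secret)
    $wl   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $auto = Get-RegValue $wl 'AutoAdminLogon'
    $user = Get-RegValue $wl 'DefaultUserName'
    & $add 'Auto logon as Administrator' ($auto -eq '1' -and $user -eq 'Administrator') "AutoAdminLogon=$auto DefaultUserName=$user"

    # Step 10: automatic updates and Windows Defender switched off through local policy
    # (the heading's intent, Defender off, corresponds to DisableAntiSpyware = 1)
    $nau = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
    & $add 'Automatic Updates disabled' ($nau -eq 1) "NoAutoUpdate=$nau"
    $das = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    & $add 'Windows Defender off' ($das -eq 1) "DisableAntiSpyware=$das"

    # Step 11b: Office 2016 macro security at "Enable all macros" (VBAWarnings = 1) for each application
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $v = Get-RegValue "HKCU:\Software\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        & $add "$app macros: enable all" ($v -eq 1) "VBAWarnings=$v"
    }
    return $checks
}

$report = Test-AnalyzerVmReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix the failed items before exporting the VMDK; the image validation will otherwise fail.'
}
```

The script changes nothing; each row reports the value it found so that a failed item points directly at the step to repeat. Items the guide configures through dialogs that leave no single reliable registry marker (the Adobe Reader and Java update prompts, the msconfig startup entries, the Internet Explorer options) are not covered and still need a visual check.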

Install Microsoft Office on the virtual machine


To install Microsoft Office on the virtual machine, you must download the compatibility pack from Microsoft.

Task
1 In the Microsoft Office Setup window, select the following options, then click Next.
• Microsoft Word

• Microsoft Excel

• Microsoft PowerPoint

2 To open Microsoft Office files created in a newer version of Microsoft Office, install the compatibility pack.
a Download the required Microsoft Office compatibility pack for Word, Excel, and PowerPoint file formats.

b Install the compatibility pack on the virtual machine.

3 In the Compatibility Pack for the 2007 Office system window, select Click here to accept the Microsoft Software License
Terms, then click OK.

Enable PDF file analysis


To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

Task
1 Install Adobe Reader on the virtual machine.

2 Open Adobe Reader, then click Accept on the License Agreement window.

Enable JAR file analysis


To analyze JAR files, download and install Java Runtime Environment (JRE).
By default, Advanced Threat Defense supports JRE version 7.

Task
1 Download and install the Java SE Development Kit for your computer.

2 On your computer, click Start | Java | Configure Java.

3 On the Java Control Panel, click the Security tab.

4 Change the Security Level to Medium, then click OK.

Enable Flash file analysis


To dynamically analyze Flash files, install Adobe Flash Player or the Flash plug-in.

Task
1 Make sure that Internet Explorer is your default browser.

2 Install Adobe Flash Player or the Flash plug-in on your computer.


• Download and install Adobe Flash Player, then verify that it is the default Flash extension.

• Download and install Adobe Flash plug-in, then verify that Shockwave Flash Object is enabled.

Import the VMDK file


To create an analyzer VM, you must import the corresponding VMDK file into Advanced Threat Defense.

Task
1 Click Start | Shut down.

2 Make sure there are no stale lock files (.lck) associated with the virtual machine.
The .lck files are located in the same folder as the .vmdk file.

3 Locate the VMDK file, virtualMachineImage-flat.vmdk.


Make sure the VMDK file name does not contain any spaces or unsupported characters. If it contains any
spaces or unsupported characters, the VMDK to image file conversion fails.

4 To enable FTP, use the set ftp enable CLI command.


FTP transfer is faster than SFTP, but less secure. If your Advanced Threat Defense Appliance is in an
unsecured network, such as an external network, use SFTP.

5 Open the FTP client.


For example, you can use WinSCP or FileZilla.

6 To connect to the FTP server on Advanced Threat Defense, use the following credentials.
• Host — IP address of Advanced Threat Defense

• Username — atdadmin

• Password — atdadmin

• Port — The corresponding port number based on the protocol you want to use.

7 Upload the VMDK file from the local machine to Advanced Threat Defense.

See also
Set FTP on page 138

Convert the VMDK file to an image file


To create an analyzer VM, you must convert the VMDK file to an image file.
For malware analysis, you can create multiple VMs that run on the same operating system, but with different
applications. For example, you can create a Windows 7 SP1 analyzer VM for Internet Explorer 10 and another
Windows 7 SP1 analyzer VM for Internet Explorer 9.

Users without administrator permissions are able to convert VMDK files to image files.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Image & Software | Image.

3 From the VMDK Image drop-down list, select the imported VMDK file.

4 In the Image Name field, enter the image name that corresponds to your operating system.

Table 2-2 Image names


Operating system Image name
Microsoft Windows XP 32-bit Service Pack 2 winXPsp2.img
Microsoft Windows XP 32-bit Service Pack 3 winXPsp3.img
Microsoft Windows 7 32-bit Service Pack 1 win7sp1.img
Microsoft Windows 7 64-bit Service Pack 1 win7x64sp1.img
Microsoft Windows 8 Professional 32-bit win8p0x32.img
Microsoft Windows 8 Professional 64-bit win8p0x64.img
Windows 8.1 Enterprise Update 1 version 6.3 build 9600 64-bit win8p1x64.img
Windows 10 Enterprise (Redstone 1 and 2, Threshold 2) 64-bit win10p0x64.img
Microsoft Windows Server 2003 32-bit Service Pack 1 win2k3sp1.img
Microsoft Windows Server 2003 32-bit Service Pack 2 win2k3sp2.img
Microsoft Windows Server 2008 R2 Service Pack 1 win2k8sp1.img
Windows 2012 Datacenter 64-bit win2k12.img
Windows 2012 R2 Datacenter 64-bit win2k12r2.img

McAfee ePO and OS profiling work only when you use the default name.

5 Select the Operating System.


Advanced Threat Defense appends the name that you provide to the default name.
Example: You select Windows Server 2003 32-bit Service Pack 1, then enter with_PDF in the Image Name field.
The image file name is win2k3sp1_with_PDF.

The image file name can contain only letters, numbers, and underscores (_).

6 Click Convert.

7 On the Info window, click OK.

8 View the image conversion logs.


a From the Select Log drop-down list, select the image name.

b Click View.

Create VM profiles
You must configure each image file that you convert with a single, unused VM profile. You can convert the same
VMDK file to an image file multiple times, which lets you create multiple image files from one VMDK file.
VM profiles contain the operating system and applications in an image file. This enables you to identify the
images that you uploaded to Advanced Threat Defense and then use the appropriate image to dynamically
analyze files. You can also specify the number of licenses that you possess for the operating system and the
applications. Advanced Threat Defense factors this in when creating concurrent analyzer VMs from the
corresponding image file.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface, then select Policy | VM Profile | New.

2 From the Image drop-down list, select the image, then click Activate.

Based on your browser settings, the activation window opens in a new tab or window.

3 Activate Windows on the VM.


a Click Start | Control Panel | Windows Activation | Activate Windows now.

b Open Microsoft Word, then click Activate.

c On the Microsoft Office Activation Wizard, follow the on-screen prompts.

d Shut down the VM, then click Disconnect.

4 On the Advanced Threat Defense web interface, click Validate.

5 Close the 5n. flash not exist OK message.

6 Download Flash Player.


a To run the original VMDK image, use VMware Workstation.

b On the running VM, download Flash Player.

c Unzip the file.

d From the command line, run the following commands, then press Enter.
• flashplayerX_X_X_win.exe

• flashplayerX_X_X_win_debug.exe

• flashplayerX_X_X_win_sa_debug.exe

e Close the Flash Player window.

f Stop the VM, then copy the VMDK image to the Advanced Threat Defense Appliance.

To view the image validation log, click . If the validation fails, create a new VMDK file with the correct settings,
then create the analyzer VM.

7 Click Check Status, then verify that the following validation tests are successful on the Image Validation Log
window.
• FTP connect to <VM IP address> OK

• FTP login OK

• FTP file upload OK

• Telnet login successful

• OS winxp

• Multiprocessing OK

• FTP OK

• TELNET OK

• AUTOLOGON OK

• ADMINISTRATOR OK

• FIREWALL OK

• Sigcheck OK

• Scan Complete

If the validation tests fail, create a new VMDK file, then create the analyzer VM.

8 Create the VM profile.


a Configure the options.

b Click Save.

9 On the Information window, click OK.


• To monitor the VM creation progress, click Dashboard. The VM creation progress appears on the VM Status
monitor.

• To view the VM creation logs, click Manage | System.

View the system logs


When you create a VM profile using the VM Profile page, Advanced Threat Defense creates an analyzer VM from
the image file you selected in the VM profile record. At the same time, it writes the related log entries, which you
can view in the Advanced Threat Defense web interface. Through these log entries, you can see what is happening
as the analyzer VM is being created, which is useful for troubleshooting.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Logs | System.

Create analyzer profiles


When you submit a file manually or automatically for analysis, the file uses the corresponding analyzer profile
to determine how the file is analyzed and reported.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Make sure the users assigned to the analyzer profile are logged off Advanced Threat Defense.

3 Click Policy | Analyzer Profile | New.

4 Configure the options, then click Save.

5 Associate the analyzer profile to a user.


a Click ATD Configuration | ATD Users.

b Select the administrator, then click Edit.

c From the Default Analyzer Profile list, select the analyzer profile.

d Click Save.

See also
View the Threat Analysis report on page 105
View the Dropped Files report on page 106
View the Disassembly Results report on page 107
Logic Path Graph on page 108
User API Log on page 109

Integrate Advanced Threat Defense with compatible products


To enhance malware analysis, you can integrate Advanced Threat Defense with compatible McAfee products.

Tasks
• Integrate Advanced Threat Defense with Private GTI Cloud on page 68
You can configure Advanced Threat Defense to send queries to a Private GTI Cloud.
• Integrate Advanced Threat Defense with McAfee NGFW on page 68
McAfee NGFW integrates security features with high availability and manageability. It integrates
application control, Intrusion Prevention System (IPS), and evasion prevention into a single,
affordable solution. The McAfee NGFW customer must perform the following steps to integrate
McAfee NGFW with Advanced Threat Defense.

Integration with McAfee ePO for OS profiling


When you integrate Advanced Threat Defense with McAfee ePO, you can correctly identify the target host
environment and use the corresponding analyzer VM for dynamic analysis.
OS profiling requires a VM profile with the default name. To determine the analyzer VM for a file submitted by
Network Security Platform or McAfee Web Gateway, Advanced Threat Defense uses the following sources of
information, in this order of priority:

1 Advanced Threat Defense queries McAfee ePO for the operating system of a host based on its IP address. If
information from this source or the corresponding analyzer VM is not available, it goes to the next source.

2 If Device Profiling is enabled, the Sensor provides the operating system and application details when
forwarding a file for analysis. If information from this source or the corresponding analyzer VM is not
available, it goes to the next source.

3 From the analyzer profile in the corresponding user record, Advanced Threat Defense determines the VM
profile. If information from this source or the corresponding analyzer VM is not available, it goes to the
next source.

4 You can select a VM profile in your setup as the default.

When Advanced Threat Defense receives host information for a particular IP address from McAfee ePO, it
caches this detail.

• The cached IP address to host information data has a time to live (TTL) value of 48 hours.

• For the first 24 hours, Advanced Threat Defense uses just the host information in the cache.

• For the second 24 hours, Advanced Threat Defense uses the host information from the cache but also
queries McAfee ePO and updates its cache. This updated information is valid for the next 48 hours.

• If the cached information is more than 48 hours old, it treats it as if there is no cached information for the
corresponding IP address. That is, it attempts to find the information from other sources and also sends a
query to McAfee ePO.

The following explains how Advanced Threat Defense collaborates with McAfee ePO.

1 Network Security Platform or Web Gateway sends a file to Advanced Threat Defense for analysis. When
Network Security Platform sends a file, the IP address of the target host is also sent.

2 Advanced Threat Defense checks its cache to see if there is a valid operating system mapped to that IP
address.

3 If it is the first time that a file for that IP address is being analyzed, there is no information in the cache. So, it
determines the analyzer VM from the device profiling information in the case of Network Security Platform, and
from the user record in the case of McAfee Web Gateway. Simultaneously, it sends a query to McAfee ePO for host
information based on the IP address.

4 McAfee ePO forwards the host information to Advanced Threat Defense, which is cached for further use.
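As an added example that is not part of this guide, the following PowerShell model walks through the source priority and cache rules described above with constructed data. The Resolve-AnalyzerVm and Get-CachedHostInfo functions, the $HostCache table, the parameter names, and the simulated ePO lookup are this example's own inventions; only the order of the four sources and the 24-hour and 48-hour windows come from the guide.

```powershell
# Added example, not from the McAfee guide: a model of the analyzer-VM selection
# order and the McAfee ePO host-information cache (48-hour TTL, re-query in the
# second 24 hours, four fallback sources). Names and data are this example's own.

$CacheTtlHours     = 48   # a cached entry older than this is treated as absent
$RefreshAfterHours = 24   # from here on the cache is still used, but ePO is queried again
$HostCache = @{}          # target IP -> @{ Os = <OS name>; CachedAt = [datetime] }

function Get-CachedHostInfo {
    param([string]$Ip, [datetime]$Now)
    if (-not $HostCache.ContainsKey($Ip)) { return $null }
    $ageHours = ($Now - $HostCache[$Ip].CachedAt).TotalHours
    if ($ageHours -ge $CacheTtlHours) {     # expired: drop it and fall through to the other sources
        $HostCache.Remove($Ip)
        return $null
    }
    [pscustomobject]@{
        Os           = $HostCache[$Ip].Os
        NeedsRefresh = ($ageHours -ge $RefreshAfterHours)
    }
}

function Resolve-AnalyzerVm {
    param(
        [string]$TargetIp,          # sent by Network Security Platform; empty for Web Gateway submissions
        [hashtable]$AvailableVms,   # OS name -> VM profile name, i.e. the images actually converted
        [string]$DeviceProfileOs,   # OS reported by Sensor device profiling; empty if not enabled
        [string]$UserProfileVm,     # VM profile from the submitting user's analyzer profile
        [string]$DefaultVm,         # the VM profile marked as the default
        [scriptblock]$EpoLookup,    # simulated ePO query: takes an IP, returns an OS name or $null
        [datetime]$Now = (Get-Date)
    )
    $decision = $null
    $queryEpo = $false

    # Source 1: ePO host information, answered from the cache
    if ($TargetIp) {
        $cached = Get-CachedHostInfo -Ip $TargetIp -Now $Now
        if ($null -eq $cached) {
            $queryEpo = $true                     # nothing cached: ask ePO in parallel, decide from other sources
        } else {
            $queryEpo = $cached.NeedsRefresh      # second 24 h: use the cache but refresh it
            if ($AvailableVms.ContainsKey($cached.Os)) {
                $decision = @{ Vm = $AvailableVms[$cached.Os]; Source = 'ePO cache' }
            }
        }
    }
    # Source 2: device profiling details that the Sensor sent with the file
    if (-not $decision -and $DeviceProfileOs -and $AvailableVms.ContainsKey($DeviceProfileOs)) {
        $decision = @{ Vm = $AvailableVms[$DeviceProfileOs]; Source = 'device profiling' }
    }
    # Source 3: the analyzer profile on the submitting user's record
    if (-not $decision -and $UserProfileVm) {
        $decision = @{ Vm = $UserProfileVm; Source = 'user analyzer profile' }
    }
    # Source 4: the VM profile selected as the default
    if (-not $decision) {
        $decision = @{ Vm = $DefaultVm; Source = 'default VM profile' }
    }
    # The ePO query runs alongside the decision; its answer is only cached for later submissions
    if ($queryEpo) {
        $os = & $EpoLookup $TargetIp
        if ($os) { $HostCache[$TargetIp] = @{ Os = $os; CachedAt = $Now } }
    }
    [pscustomobject]@{ Vm = $decision.Vm; Source = $decision.Source; QueriedEpo = $queryEpo }
}

# --- Walk-through with constructed data (no real ePO involved) ---
$vms = @{ 'Windows 7 64-bit SP1' = 'win7x64sp1'; 'Windows 10 64-bit' = 'win10p0x64' }
$epo = { param($ip) if ($ip -eq '10.0.0.5') { 'Windows 10 64-bit' } else { $null } }
$t0  = Get-Date '2017-01-01 00:00'
$common = @{ TargetIp = '10.0.0.5'; AvailableVms = $vms; DeviceProfileOs = 'Windows 7 64-bit SP1'
             UserProfileVm = 'win7sp1'; DefaultVm = 'winXPsp3'; EpoLookup = $epo }

Resolve-AnalyzerVm @common -Now $t0                # first sight: device profiling; ePO queried and cached
Resolve-AnalyzerVm @common -Now $t0.AddHours(10)   # under 24 h: ePO cache, no query
Resolve-AnalyzerVm @common -Now $t0.AddHours(30)   # 24-48 h: ePO cache, query sent and cache refreshed
Resolve-AnalyzerVm @common -Now $t0.AddHours(90)   # 60 h after the refresh: expired, back to device profiling
```

Each call returns the VM profile that would be chosen, which source supplied it, and whether a query to McAfee ePO was sent alongside the decision. The fourth call shows the point that is easy to miss in the prose: an entry refreshed during the second 24 hours expires 48 hours after the refresh, not 48 hours after it was first cached.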

Configure McAfee ePO integration to publish threat events


You can enable Advanced Threat Defense to send sample data to McAfee ePO.
Advanced Threat Defense sends the following data to McAfee ePO:

• Advanced Threat Defense software version

• Job ID

• Task ID

• Advanced Threat Defense IP address

• Source IP address

• IOC (Indicators of compromise) file

• MD5 value

• Time stamp

• Size

• Severity

Integrate Advanced Threat Defense with McAfee ePO


Integration enables McAfee ePO to gather information on the target host, and enables Advanced Threat Defense
to send relevant data about submitted samples to McAfee ePO.
For details about product features, usage, and best practices, click ? or Help.

Task
1 As an administrator, log on to McAfee ePO, then install the Advanced Threat Defense extension.

2 Log on to the Advanced Threat Defense web interface.

3 Click Manage | ATD Configuration | ePO Login/DXL.

4 Select Enable ePO Login.

5 Configure the ePO User Credentials options.


a To enable McAfee ePO to collect target host information, configure the options.

b Click Test ePO Login.

c If successful, click Submit.

6 Configure the Publish Threat Events to ePO options.


a To enable Advanced Threat Defense to send relevant data about submitted samples to McAfee ePO,
select Enable Threat Event Publisher.

b From the Severity Level drop-down list, select the severity level for the events you want to send to McAfee
ePO.

c On the Publish Threat Events Setting updated successfully message, click OK.

d Click Apply.

Integrate Advanced Threat Defense with DXL


DXL includes client software and one or more brokers that allow bidirectional communication between
endpoints on a network. The DXL client is installed on each managed endpoint so that threat information can
be shared immediately with all other services and devices, reducing the spread of threats.
Integrating Advanced Threat Defense with DXL enables Advanced Threat Defense to send the analysis report of
the samples analyzed at Advanced Threat Defense to the DXL broker. Analysis reports of samples that meet the
following criteria are sent to DXL:
• Portable executable (PE) files with a severity score greater than or equal to 2

• Non-PE files with a severity score greater than or equal to 3

These analysis reports are published to a topic located at /mcafee/event/atd/file/report on the DXL broker.
Clients such as Security Information and Event Management (SIEM) that subscribe to this topic can fetch
analysis reports from DXL broker to build a robust security reputation database. Subscribing clients can refer to
this database and treat files entering their network according to the analysis report of the files.
1 Advanced Threat Defense gets the sample files from different channels like Network Security Platform, Web
Gateway, and so on for analysis.

2 The analysis summary is then sent to the DXL broker for further on-demand distribution to subscribing
clients.
The following diagram explains Advanced Threat Defense and DXL integration.

Figure 2-2 DXL Integration

If you want your Advanced Threat Defense to have exclusive rights to publish on the Advanced Threat Defense
topic, then you must install the ATDDXLTagging extension on McAfee ePO. This restricts publishing on the
Advanced Threat Defense topic by any other sender.

Integrate Advanced Threat Defense with DXL


Configure Advanced Threat Defense to communicate with DXL.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | ePO Login/DXL.

3 Select Enable DXL communication.

4 From TIE Publishing Criteria, select a severity-based criterion.


• Malicious (Medium to Very High) — To publish only malicious files that have severity level of Medium to Very
High.

• All Samples — To publish all the samples.

• None — To publish no samples.

5 Click Test Connection.

This verifies the connection between Advanced Threat Defense and the DXL broker channel.

6 Click Apply.

If more than one VM is configured in the analyzer profile, Advanced Threat Defense publishes the report for
each VM.

Integrate Advanced Threat Defense with Active Response


Active Response is a threat detection and response tool. It provides real-time information about endpoints on
your network.
Integrating Active Response enables Advanced Threat Defense to identify all endpoints in your network that
are infected with a malicious file having a threat score of 3 or above.

This feature does not support URL analysis.

Integrate Advanced Threat Defense with Active Response


Configure Advanced Threat Defense to communicate with Active Response.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | ePO Login/DXL.

3 Select Enable DXL communication.

4 Verify that the DXL Status is UP, then select Enable Active Response.

5 Click Test Connection.

6 On the Test connection is successful window, click Apply.

Integrate Advanced Threat Defense with Private GTI Cloud


You can configure Advanced Threat Defense to send queries to a Private GTI Cloud.

Before you begin


• For Advanced Threat Defense to integrate with the Private GTI Cloud, you must have certain
McAfee certificates installed on all Advanced Threat Defense nodes. Contact Support for more
information.

• Ensure that you have reset your cliadmin password. If you continue using the default
password, the configurations might fail.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | Global Settings.

3 In the GTI Cloud Setting section, select Enable Private GTI Cloud.

4 In Private Cloud IP or Hostname, enter the IP address or the host domain name of your Private GTI Cloud.

If you have configured a hostname, then ensure that the DNS resolves the hostname for Advanced Threat
Defense.

5 Click Test Connection to check the connection status, then click Save.

We recommend that you configure Private GTI Cloud using the Advanced Threat Defense web interface.
In a load-balancing scenario, if you configure Private GTI Cloud using the CLI, the configuration does not
sync automatically to the other nodes; you must configure those nodes manually.

Integrate Advanced Threat Defense with TIE


You can enable Advanced Threat Defense to collect the TIE Enterprise and McAfee GTI Reputation data from the
TIE server through the DXL channel.
When the DXL channel is enabled and the McAfee GTI Reputation is configured in the analyzer profile,
Advanced Threat Defense does a file reputation lookup, using McAfee GTI or TIE Enterprise Reputation, for the
submitted samples through the DXL channel. If the TIE Enterprise Reputation is configured by the administrator
on the McAfee ePO, the Threat Analysis Report shows the TIE Enterprise Reputation severity score. If not set,
the McAfee GTI file reputation fetched from the TIE server is displayed in the Threat Analysis Report.

Integrate Advanced Threat Defense with McAfee NGFW


McAfee NGFW integrates security features with high availability and manageability. It integrates application
control, Intrusion Prevention System (IPS), and evasion prevention into a single, affordable solution. The McAfee
NGFW customer must perform the following steps to integrate McAfee NGFW with Advanced Threat Defense.

Task
For details about product features, usage, and best practices, click ? or Help.

1 As an administrator, log on to the Advanced Threat Defense web interface.

2 Create the McAfee NGFW user.

3 From the CLI, restart amas.


See CLI commands for the amas command details.

4 To make REST API calls, use the McAfee NGFW user credentials on SCM.
There is no change to the existing SOFA protocol for file submission. If a user named “ngfw” (user type
NGFW) exists, all file submissions through the SOFA channel are assumed to be from McAfee NGFW
appliances.

Configure the date and time


Advanced Threat Defense uses the date and time that you configure for all its functional and display purposes.
The date and time is displayed on the Advanced Threat Defense web interface, reports, log files, and CLI.
To use the Network Time Protocol (NTP) server domain names, make sure that you have configured the DNS servers.

You can either manually specify the date and time or configure Network Time Protocol (NTP) servers as the time
source for Advanced Threat Defense. If you use NTP servers, you can configure up to 3 of them. In this case,
Advanced Threat Defense acts as an NTP client and synchronizes with the highest-priority NTP server that is
available.

• By default, synchronization with NTP servers is enabled in Advanced Threat Defense. Also, pool.ntp.org is
configured as the default NTP server. The default time zone is Pacific Standard Time (UTC-8).

• When you upgrade from a previous version without selecting the Reset Database option, the date and time
settings from the previously installed version are preserved. If you upgrade with the Reset Database option
selected, the default date and time settings as described above are set.

• At any point in time, there must be at least one valid NTP server specified in the Date and Time Settings page of
Advanced Threat Defense. You can add, edit, or delete the list of NTP servers specified in Advanced Threat
Defense.

• Based on the access available to Advanced Threat Defense, you can specify public NTP servers or the ones
locally on your network.

• You can specify the domain name or the IPv4 address of NTP servers. If you specify the domain names, then
you must have configured DNS settings in Advanced Threat Defense.

If you specify public NTP servers, then using the domain names instead of IP addresses is recommended. The
domain of a public NTP server might resolve to different IP addresses based on various factors.

• Whether you enable NTP server synchronization or manually set the date and time, you must select the
required time zone in the Date and Time Settings page. If you configure an NTP server, Advanced Threat
Defense considers only the date and time from the NTP server. But for the time zone, it relies on what is
specified in the Date and Time Settings page.

• The date and time on an Advanced Threat Defense client has no impact on the timestamps that are
displayed. Consider that the current time on the Advanced Threat Defense Appliance is 10 am PST (UTC-8).
Regardless of the time zone from which you access this Advanced Threat Defense Appliance, all the
timestamps are displayed in PST only. That is, the timestamps are not converted based on a client's date
and time.

• When the current date and time settings are changed, the timestamp for all the older records is also
changed accordingly. Consider that the current time zone is PST (UTC-8) and you change it to Japan Standard
Time (UTC+9). Then the timestamps for the older records are all converted to Japan Standard Time (JST).
For example, if the timestamp displayed for a record in the Analysis Status page was 0100 hours (1 am) PST
before you changed the time zone, then after you change the time zone to JST, the timestamp for the same
record is 1800 hours JST.

• The date and time settings of all the analyzer VMs are immediately synchronized to the date and time on the
Advanced Threat Defense Appliance.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | Date & Time.

3 Configure the Date and Time Settings, then click Submit.

Configure the maximum wait time threshold


Configure the maximum wait time that Advanced Threat Defense uses to analyze Email Gateway samples. If the
analysis time is longer than the threshold, Advanced Threat Defense rejects the samples.
In a load-balancing scenario, the threshold wait time is 3 hours.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | Global Settings.

3 To configure the MEG Wait-Time Threshold in Seconds, use the arrows.

Configure DNS setting


When files are executed, they can send DNS queries to resolve names. Malware uses such DNS queries as one
way to determine whether it is being run in a sandbox environment. If the DNS query fails, the file might take
an alternate path. When Advanced Threat Defense dynamically analyzes such a file, you might want to provide a
proxy DNS service in order to bring out the actual behavior of the file.
For details about product features, usage, and best practices, click ? or Help.

The IP configured for DNS should be resolved by the DNS server using reverse lookup.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | DNS.

3 In DNS Setting, complete these settings, then click Apply.


• Domain — Type your domain name.

• Preferred DNS Server — Type IP address of the primary DNS server.

• Alternate DNS Server — Type IP address of the secondary DNS server.

4 In Malware DNS Setting, type IP address of the DNS server to use for malware analysis in the sandbox
environment, then click Apply.

5 To restart the amas services, use the amas restart CLI command.

Configure LDAP
LDAP (Lightweight Directory Access Protocol) enables Advanced Threat Defense to configure a dedicated LDAP
server for user authentication. A separate server for user authentication facilitates a secured and centralized
authentication system. It provides a robust and secure credential authentication and management system for
various types of Advanced Threat Defense users.
The following user accounts (data) must be created on the LDAP server. Accounts created on the LDAP server
must be the same as on the Advanced Threat Defense appliance.

• Base Distinguished Name (BaseDN) — Create a specific BaseDN for Advanced Threat Defense users.
BaseDN acts as a root node under which all the Advanced Threat Defense users are added.

• Admin Credentials — To enable the LDAP option, you must provide the Admin User credentials in the
Advanced Threat Defense web interface. If the Admin User has not been created, you must create the same
in the LDAP server directory.

• User creation — Create users manually on an LDAP server. The following table contains the list of users
needed.

Table 2-3 LDAP server users

User_Name   Type             Service used
admin       User Interface   UI, SFTP
cliadmin    System           CLI
atdadmin

During the LDAP logon, the username must match the username created locally in the Advanced Threat
Defense database. The username is case sensitive.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | LDAP, then select Enable LDAP.

3 Configure the LDAP User Credentials options, then click Test Connection.

4 On the LDAP Test connection successful window, click OK.

5 Click Submit.

Select Enable Fallback if authentication must be routed to the Advanced Threat Defense local database
when the configured LDAP server is not reachable. For cliadmin users, Enable Fallback is always
enabled.

LDAP authentication is used for SFTP communication with Advanced Threat Defense. The fallback feature is
not supported when SFTP communication is used.

Configure proxy servers for Internet connectivity


Advanced Threat Defense connects to different proxy servers for Internet connectivity. Based on the source of
the traffic, Advanced Threat Defense determines the proxy server on which the Internet access requests from
the traffic have to be routed.
These proxy servers can be configured on Advanced Threat Defense to handle Internet access requests:

• GTI HTTP Proxy — This setting is relevant for those analyzer profiles that have GTI Reputation enabled in their
Analyzing Options. Advanced Threat Defense sends a query to a McAfee GTI server to fetch the McAfee GTI
score for the suspicious file being analyzed. If your network is behind a proxy, specify the proxy server
details here so that the McAfee GTI queries can be sent out.

• Malware Site Proxy — This setting is applicable when samples being analyzed at analyzer VMs request Internet
access. The proxy server specified under Malware Site Proxy handles the request. Because the traffic from an
analyzer VM might be malicious, you might want to segregate this traffic from your production network.

Tasks
• Configure Advanced Threat Defense to communicate with McAfee GTI on page 72
To use McAfee GTI with Advanced Threat Defense, configure the options.
• Enable the malware site proxy on page 73
Allow analyzer VMs to connect to the internet for sample analysis.

Configure Advanced Threat Defense to communicate with McAfee GTI


To use McAfee GTI with Advanced Threat Defense, configure the options.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Verify that the GTI File Reputation option is enabled.


a Click Policy | Analyzer Profile.

b Select the analyzer profile, then click Edit.

c Select GTI File Reputation.

3 Click Manage | ATD Configuration | Proxy.

4 Configure the GTI HTTP Proxy options, then click Test.

5 Click Submit.

Enable the malware site proxy


Allow analyzer VMs to connect to the internet for sample analysis.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | Proxy.

3 Configure the Malware Site Proxy options, then click Test.

4 Click Submit.

Configure SNMP setting


To enable users to manage Advanced Threat Defense resources efficiently, the SNMP service exposes integer
values for several quantifiable attributes of Advanced Threat Defense components.
The quantifiable attributes include:
• CPU Utilization
• Memory Utilization
• HDD System Space Utilization
• HDD Data Space Utilization
• Interface Counter
• Number of samples in pending queue
• Number of samples under analysis

Advanced Threat Defense supports the 1.3.6.1.4.1.8962.4.1.1 object identifier.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | SNMP.

3 Select Allow SNMP Monitoring, then configure the options.

4 Select Send SNMP Traps, configure the SNMP Traps options, then click Submit.

The CPU Utilization field on the SNMP Setting page is different from the CPU Load shown under System Health
on the Dashboard tab.

5 To retrieve the numeric values of the attributes, use the snmpget command from a command prompt or any
MIB browser.

Configure the syslog settings


The syslog mechanism transfers the Advanced Threat Defense events over the syslog channel to a Security
Information and Event Management (SIEM) system such as McAfee Enterprise Security Manager (McAfee ESM).
This is done for all the files analyzed by Advanced Threat Defense. You can configure an external syslog server
to which the following information is sent:

• Analysis Results (Malicious only or All)

• CPU Utilization (above a threshold percentage)

• Memory Utilization (above a threshold percentage)

• HDD Utilization (above a threshold percentage)

• Interface Status

• User Login/Logout

• Audit Log

• HTTPS Session Log

When CPU Utilization, Memory Utilization, or HDD Utilization exceeds the user-defined threshold, syslog
events are generated and sent to the SIEM receiver. The minimum supported threshold is 30% and the maximum
supported threshold is 90%. By default, the threshold percentage displayed on the Syslog Setting page is
75%.

Whenever the interface link goes down or comes up, syslog events are generated and sent to SIEM receiver.

Analysis results and logon/logoff events are sent to the SIEM receiver.

After syslog events are generated and sent to the SIEM receiver, the information is parsed and sent to ESM. The
summary is then displayed on the ESM user interface.

The SIEM receiver and ESM can be on separate appliances or can be together in a virtual environment.
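The following script is an added example and is not code from the Advanced Threat Defense product or its documentation. It models the threshold behaviour described above for the Syslog Setting page (an event when CPU, memory, or HDD utilization exceeds a threshold between 30% and 90%, default 75%), renders the event as a syslog line, shows the SIEM-side parsing of that line, and includes a TLS sender for the TCP/TLS port 6514 named in this section. The message layout, the structured-data element with the IANA example enterprise number 32473, and the host name are constructed assumptions; the product's actual syslog message format is not documented on this page.

```python
"""Utilization threshold events over syslog, modelled on the Syslog Setting page.

Added example, not product code. Message layout, the util@32473 structured
data element (32473 is the IANA example enterprise number) and the host name
are constructed assumptions.
"""
import re
import socket
import ssl
from datetime import datetime, timezone

MIN_THRESHOLD = 30        # lowest threshold the Syslog Setting page accepts
MAX_THRESHOLD = 90        # highest threshold the page accepts
DEFAULT_THRESHOLD = 75    # value displayed by default
SYSLOG_TLS_PORT = 6514    # default TCP/TLS listening port for the audit function
FACILITY_LOCAL0 = 16
SEVERITY_WARNING = 4

# Constructed structured-data element; fields carry the metric and the limit it crossed.
EVENT_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ '
    r'\[util@32473 metric="(?P<metric>\w+)" value="(?P<value>\d+)" '
    r'threshold="(?P<threshold>\d+)"\]'
)


def is_supported_threshold(value):
    """True if the percentage lies within the supported 30-90% range."""
    return MIN_THRESHOLD <= value <= MAX_THRESHOLD


def validate_threshold(value):
    """Return value unchanged, or raise if it is outside the supported range."""
    if not is_supported_threshold(value):
        raise ValueError(f"threshold {value}% is outside the supported range "
                         f"{MIN_THRESHOLD}-{MAX_THRESHOLD}%")
    return value


def exceeded(samples, thresholds=None):
    """List (metric, value, threshold) for every sample above its threshold.

    samples    -- e.g. {"cpu": 82, "memory": 40, "hdd": 91}
    thresholds -- per-metric thresholds; missing metrics use DEFAULT_THRESHOLD
    """
    thresholds = thresholds or {}
    hits = []
    for metric, value in samples.items():
        limit = validate_threshold(thresholds.get(metric, DEFAULT_THRESHOLD))
        if value > limit:
            hits.append((metric, value, limit))
    return hits


def rfc5424_message(metric, value, limit, hostname="atd-appliance", timestamp=None):
    """Render one threshold event as an RFC 5424 syslog line (constructed layout)."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_WARNING
    return (f"<{pri}>1 {timestamp} {hostname} atd - - "
            f'[util@32473 metric="{metric}" value="{value}" threshold="{limit}"] '
            f"{metric} utilization {value}% exceeded threshold {limit}%")


def parse_event(line):
    """SIEM side: recover facility, severity and the metric fields, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "host": m["host"], "metric": m["metric"],
            "value": int(m["value"]), "threshold": int(m["threshold"])}


def send_tls(lines, host, port=SYSLOG_TLS_PORT, cafile=None):
    """Deliver lines to a TCP/TLS syslog receiver using RFC 6587 octet counting.

    TLS 1.2 is enforced as the minimum; needs a live receiver, so it is not
    exercised by the sample run below.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for line in lines:
                payload = line.encode("utf-8")
                tls.sendall(f"{len(payload)} ".encode("ascii") + payload)


if __name__ == "__main__":
    # Constructed sample: CPU and HDD are above their limits, memory is not.
    sample = {"cpu": 82, "memory": 40, "hdd": 91}
    limits = {"cpu": 75, "memory": 75, "hdd": 90}
    for metric, value, limit in exceeded(sample, limits):
        line = rfc5424_message(metric, value, limit)
        print(line)
        print(parse_event(line))
```

Running the block prints one event for cpu (82% over 75%) and one for hdd (91% over 90%) and the parsed fields for each; memory at 40% produces nothing. A value of 20% or 95% passed as a threshold raises, mirroring the limits the page gives for the Syslog Setting page.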

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | Syslog, then select Enable Logging.

3 Configure the System Log Server options.

In non-CC mode, any valid certificate along with its key can be uploaded, because no checks on key length or
signature algorithm are performed. However, in CC mode:
• The key length must be 2048 bits or more and the signature algorithm must be at least SHA256
with RSA Encryption.

• The default listening port for the Audit function is 6514 and the protocol used for it is TCP/TLS
Encryption.

• While uploading the Syslog Certificate for TLS Encryption, Advanced Threat Defense performs
various security validations on the syslog certificates. If you are prompted with security
warnings, you can either accept them or fix the issues before uploading the Syslog Certificate.

4 Click Test Connection. When the "Test connection successful" message appears, click OK.

When you select UDP as the Protocol from the drop-down list, the Test Connection button is disabled, because UDP
uses a connectionless transmission model and the connection status cannot be verified.

5 In the Statistic to Log area, make these selections and entries as per requirement.
• Select Analysis Results.

• Select a level from the Severity Level drop-down list.

• Select CPU Utilization and specify Threshold level in the respective Threshold drop-down.

• Select Memory Utilization and specify Threshold level in the respective Threshold drop-down.

• Select HDD Utilization and specify Threshold level in the respective Threshold drop-down.

• Select Interface Status to receive information regarding interface link status.

• If you want to store the logon/logoff information with a time stamp, select User Login/Logout.

• Select Audit Log to view logs for administrative actions performed on Advanced Threat Defense. Audit Log
is selected by default.

• Select HTTPS Session Log to view logs for every session established or terminated.
This option is only available when Common Criteria Mode is enabled in Advanced Security Settings.

When HTTPS Session Log is enabled, Advanced Threat Defense web performance is impacted.

6 Click Submit.

Tasks
• View the Syslog logs on page 75
Syslog starts logging syslog events taking place within the Advanced Threat Defense.
Simultaneously, it prints the related logs, which you can view in the Advanced Threat Defense web
interface. You can use this information for troubleshooting purposes.
• View the Audit Log on page 76
When you enable the audit function by selecting Audit Log on the Syslog Setting page, Advanced
Threat Defense starts logging the administrative actions performed within Advanced Threat
Defense. Through these log entries, you can view administrative actions, for example
configuration changes and session establishment or termination, as they are
performed. These log entries are displayed in a tabular form. You can use this information for
troubleshooting purposes.

View the Syslog logs


Syslog starts logging syslog events taking place within the Advanced Threat Defense. Simultaneously, it prints
the related logs, which you can view in the Advanced Threat Defense web interface. You can use this
information for troubleshooting purposes.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Logs | Syslog.


A maximum of 1,000 events are displayed in Advanced Threat Defense user interface with latest events at
the bottom. More events are available in the configured syslog server. You cannot print or export the log
entries.

View the Audit Log


When you enable the audit function by selecting Audit Log on the Syslog Setting page, Advanced Threat
Defense starts logging the administrative actions performed within Advanced Threat Defense. Through
these log entries, you can view administrative actions, for example configuration changes and session
establishment or termination, as they are performed. These log entries are displayed in a tabular form.
You can use this information for troubleshooting purposes.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Logs | Audit.


A maximum of 1,000 events are displayed with the most recent events at the top. More events are available
in the configured syslog server. You cannot print or export the log entries.

Configure telemetry
Telemetry allows Advanced Threat Defense to collect data about malware and the Advanced Threat Defense
Appliance.
Advanced Threat Defense captures these two categories of data.

Table 2-4 Category definitions

Category: Telemetry data that Advanced Threat Defense uses for the Advanced Threat Defense Appliance.

Definition: Advanced Threat Defense collects Advanced Threat Defense Appliance telemetry data to:
• Improve Advanced Threat Defense
• Understand how the Advanced Threat Defense Appliance is used

The system data that Advanced Threat Defense collects includes:
• Serial number
• Software version
• Whether Syslog is enabled
• Whether LDAP is enabled
• Whether McAfee ePO is enabled
• Whether SNMP is enabled
• Whether proxy settings are configured
• Whether Load Balancing is enabled
• Whether TIE is enabled
• Number of documents submitted
• Number of flash files submitted
• Number of Microsoft Word files submitted
• Number of PDF files submitted
• Number of files scanned by McAfee Gateway Anti-Malware
• Number of files scanned by McAfee GTI
• Number of files scanned by VirusScan Enterprise
• Number of files scanned by YARA
• Number of files analyzed by the sandbox
• Number of files submitted to the sandbox
• Version of the Detection Package downloaded

Category: Telemetry data for:
• McAfee GTI
• McAfee Labs

Definition: McAfee Labs requires the analysis results from Advanced Threat Defense telemetry data to:
• Update the McAfee Labs databases
• Categorize the samples and malware that Advanced Threat Defense analyzes

Telemetry data contains information about the analyzed samples, and includes:
• SHA-1 of sample
• SHA-256 of sample
• MD5 hash value of sample
• Advanced Threat Defense detection score
• Digital signature data from sample
• Parent metadata corresponding to dropped files
• Advanced Threat Defense product information
• Advanced Threat Defense analyzing option scores
• URL visited by file
• IPv4 address visited by file
• Product version that the sample belongs to
• Publisher name of the sample
• Product name that the sample belongs to
• File version of the sample, OS name, and OS version on which the file was found

Tasks
• Enable telemetry on page 78
Advanced Threat Defense sends system telemetry data only when you allow automatic updates.
• Disable telemetry on page 78
You can disable system and McAfee Labs telemetry without disabling the automatic update.

Enable telemetry
Advanced Threat Defense sends system telemetry data only when you allow automatic updates.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense interface.

2 Click Manage | Image & Software | Content Update.

3 Under Allow Automatic Update, click Apply, then click OK.

4 Click Manage | ATD Configuration | Telemetry.

5 Ensure that the following options are selected, then click Submit.
• Send feedback to McAfee about system information in order to improve the product.

• Send feedback to McAfee about potential malicious files and urls.

These options are enabled by default.

Disable telemetry
You can disable system and McAfee Labs telemetry without disabling the automatic update.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense interface.

2 Click Manage | ATD Configuration | Telemetry.

3 Deselect the following options, then click Submit.


• Send feedback to McAfee about system information in order to improve the product.

• Send feedback to McAfee about potential malicious files and urls.

Configuring Email Connector


Email Connector protects you from email-borne threats by analyzing email attachments through Advanced
Threat Defense.

• Email Connector is not installed with Advanced Threat Defense. For more information on
installing Email Connector, see McAfee Advanced Threat Defense Installation Guide.

• If you have configured a cluster, ensure that you install Email Connector on your primary as well
as the backup nodes.

• Ensure that you have reset your cliadmin password. If you continue using the default password,
the configurations might fail.

Advanced Threat Defense receives emails from a secure email gateway, performs an analysis on the email
attachments, adds a verdict in the email header and sends it back to the email server. You can view the analysis
report from Analysis | Email Reports on your Advanced Threat Defense web interface.

While you view the reports, the maximum number of reports you can navigate to is one million. If you want to
view reports beyond one million, use the search filter to reduce the number of reports in the result.

You need to configure your email gateway to send emails to Advanced Threat Defense for analysis. You can
add filters, for example to send only emails that have attachments. We recommend that you configure your SEG to
send emails for analysis to Advanced Threat Defense only when your SEG's AV analysis has returned an
inconclusive result.

Enable and configure Email Connector


Enable Email Connector and configure options for the Secure Email Gateway (SEG) from where the emails are
received, file analysis settings, and destination SEG or message transfer agent (MTA) to which the emails with
analysis headers are forwarded.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense interface, then click Manage | Email Connector | Configuration.

2 In Receiving Email, select Enable Email Connector and complete these settings.
• Listen Port — Type the port number to use for receiving emails. The default port number is 25.

• Use TLS Connection — Select one of the three options from the drop-down: use TLS-secured
communication when available, always, or not at all for receiving emails.

• Permitted Hosts — From the drop-down, select the Host type as IP address, Hostname, or Network, then enter the
IP addresses, host name, or network address of the source SEG for Advanced Threat Defense to receive
emails. Click Add to add an IP address.

3 In Sending Email, complete these settings.


• Smart Host Hostname — Type the IP address or hostname of the destination SEG or MTA.

This is usually the same as the Permitted Host.

• Smart Host Port — Type the port number of the destination email server. The default port number is 25.

• Use TLS Connection — Select one of the three options from the drop-down: use TLS-secured
communication when available, always, or not at all for sending emails.

• Test Connection — Click Test Connection to ensure that the configured email server is reachable.

4 In Scanning Email, complete these settings.


• Maximum time per email to wait for all scans to complete — The maximum time (in seconds) within which the
analysis must complete. The analysis times out when this limit is exceeded, and the email
is queued in the SEG. Default is 600.

• Scan these file types — File types of the email attachments that can be scanned. Select All or at least
one of the file types.

• Skip Protected Files — Excludes protected files from scanning.

• Action when system is overloaded — Choose whether to deliver emails without scanning or drop SMTP
connections when the system is overloaded.

If you've selected Deliver emails unscanned, then the emails are delivered with the X-ATD-VERDICT as -8.

5 In Attachment Profiling, complete these settings.


• Enable Profiling Mode (Attachments will not be scanned in this mode) – Enables email profiling. This option disables
scanning the email attachments. Only email count is incremented and sent to the transporting email
server.

If you enable this option, the header X-ATD-VERDICT -7 is added to the emails.

• Document Format – Select the format in which you want your profiling report to get generated.

• Reporting Period – Select the period for which you want the emails to be profiled.

• Granularity – Select the period in a granular level.

• Download Report – Downloads a report about the overall email attachment profiling.

6 Click Apply.

You can view the total number of emails and attachments analyzed in the Email Counter monitor from the
Dashboard.

Configuring your Secure Email Gateway for Email Connector


When attachments require a full sandbox scan, emails sent to Advanced Threat Defense can take several
minutes to scan.
Advanced Threat Defense does not accept emails from the sending Secure Email Gateway (SEG) until:

1 the scan is complete

2 the message is delivered to the configured smart host.

Setting up SEG timeout


Setting the right timeout on your SEG is important, so that it waits until the Advanced Threat Defense scan is
complete. A suitable value for timeout depends on the settings for the analyzer profile configured for your
Email Connector.

If the timeout is too short and an Advanced Threat Defense scan is in progress, Advanced Threat Defense
doesn't accept the email. In that case, the source SEG requeues the message for delivery to Advanced Threat
Defense at a later time. Depending on the retry period set on your SEG and the load on Advanced Threat Defense,
cached results can be available by the time a subsequent delivery attempt is made, so the timeout might not
trigger again. The default timeout value is 10 minutes.

Setting Advanced Threat Defense as a permitted host in your SEG


Depending on your SEG and its configuration, you might be required to include the IP address of the Advanced
Threat Defense appliance to your SEG. This allows Advanced Threat Defense to deliver the scanned messages
to your SEG.

Setting up SEG functions


Your SEG is expected to perform all anti-spam, anti-virus, or other blocking and filtering functions. Advanced
Threat Defense does not perform any of these SEG functions. Messages to Advanced Threat Defense must be
redirected only when the SEG:
• is not sure about the content of the email

• requires an Advanced Threat Defense verdict to enforce a policy accordingly.

Configure Email Connector filtering rules


Create rules to exclude email attachments from analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense interface, then click Manage | Email Connector | Filtering Rules.

2 Type a name for the rule, then select one or a combination of these filtering options.
• File Name — Add file names separated by semi-colons (;). * and ? can be used as wildcard characters.

• File Size — Select less than or greater than criteria, type the file size, then select the unit.

• File Type — Select the file types to exclude.

3 Click Add Rule.

The rule is added in the Filtering Rules table.
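The following script is an added example and is not code from the Advanced Threat Defense product. It models how the three rule options above (File Name with semicolon-separated patterns and the * and ? wildcards, File Size with a less-than or greater-than criterion and a unit, and File Type) can be evaluated against a message's attachments, and reports excluded attachments with the X-ATD-FILEVERDICTS value -5 (Filtered by File Filtering Rules) documented later in this chapter. Two points are assumptions not stated on the page: a rule that combines several options matches only when all of them hold, and the size units are binary (1 KB = 1024 bytes). The attachments, sizes, and rule names are constructed sample data.

```python
"""Evaluate Email Connector-style filtering rules against email attachments.

Added example, not product code. Assumptions: a rule combining several
options requires all of them to match, and size units are binary.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}   # assumed binary multipliers
FILTERED_BY_RULE = -5    # X-ATD-FILEVERDICTS value for rule-filtered attachments


@dataclass
class Rule:
    """One row of the Filtering Rules table; options left empty are not applied."""
    name: str
    file_names: str = ""          # as typed in the UI, e.g. "*.png;thumb?.gif"
    size_op: str = ""             # "lt" (less than) or "gt" (greater than)
    size_value: float = 0
    size_unit: str = "KB"
    file_types: tuple = ()        # e.g. ("png", "jpg"), compared case-insensitively

    def matches(self, att):
        """True when every option that is set on this rule matches the attachment."""
        checks = []
        if self.file_names:
            patterns = [p.strip() for p in self.file_names.split(";") if p.strip()]
            checks.append(any(fnmatchcase(att["name"], p) for p in patterns))
        if self.size_op:
            limit = self.size_value * UNITS[self.size_unit]
            checks.append(att["size"] < limit if self.size_op == "lt"
                          else att["size"] > limit)
        if self.file_types:
            wanted = {t.lower() for t in self.file_types}
            checks.append(att["type"].lower() in wanted)
        # A rule with no option set matches nothing rather than everything.
        return bool(checks) and all(checks)


def apply_rules(attachments, rules):
    """Map each attachment name to the first matching rule name, or None to analyze."""
    return {att["name"]: next((r.name for r in rules if r.matches(att)), None)
            for att in attachments}


def file_verdicts(attachments, rules, analysis_results):
    """Per-attachment verdicts in attachment order: -5 if filtered out by a rule,
    otherwise the analysis result supplied for that attachment."""
    decisions = apply_rules(attachments, rules)
    return [FILTERED_BY_RULE if decisions[att["name"]] else analysis_results[att["name"]]
            for att in attachments]


# Constructed sample data: one image, one macro-enabled document, one large video.
SAMPLE_ATTACHMENTS = [
    {"name": "logo.png", "size": 12_000, "type": "png"},
    {"name": "invoice.docm", "size": 410_000, "type": "docm"},
    {"name": "video.mp4", "size": 30 * 1024 ** 2, "type": "mp4"},
]
SAMPLE_RULES = [
    Rule("skip-images", file_names="*.png;*.jpg", file_types=("png", "jpg")),
    Rule("skip-large", size_op="gt", size_value=20, size_unit="MB"),
]

if __name__ == "__main__":
    print(apply_rules(SAMPLE_ATTACHMENTS, SAMPLE_RULES))
    print(file_verdicts(SAMPLE_ATTACHMENTS, SAMPLE_RULES,
                        {"logo.png": -1, "invoice.docm": 4, "video.mp4": -1}))
```

With the sample data, logo.png is excluded by the image rule, video.mp4 by the size rule, and only invoice.docm is left for analysis, so the per-attachment verdict list becomes [-5, 4, -5] when the document's analysis result is 4 (Malicious).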

Understanding Email Headers with analysis status


After analyzing the email attachments for threats, Advanced Threat Defense adds these headers with its
observations to the respective emails, and sends the emails to the configured transporting email server or
MTA.

Header Values
X-ATD-FILENAMES Lists the names of all attachments of the email, separated by a comma (,).
X-ATD-ALTFILENAMES Lists the alternate names of scanned attachments that have the same hash value as
    one determined during an earlier scan. For example, if after scanning a file (file1), another
    attachment with the same hash but a different file name (file2) is detected, the
    X-ATD-ALTFILENAMES header is added with the value file1, file2.
X-ATD-FILEHASHES Adds the hashes of all email attachments. For example, MD5, SHA-256.
X-ATD-FILEVERDICTS Adds the verdict for each email attachment that was submitted for analysis.
    • 5 — Very high (risk)
    • 4 — Malicious
    • 3 — Likely to be malicious
    • 2 — Low activities
    • 1 — Very low activity
    • 0 — Informational
    • -1 — Clean
    • -2 — Failed to scan (because of unsupported file type)
    • -3 — Scan timed out
    • -4 — Filtered by the File Type Configuration
    • -5 — Filtered by File Filtering Rules
X-ATD-VERDICT Adds the overall verdict for an email.
    • 5 — Very high (risk)
    • 4 — Malicious
    • 3 — Likely to be malicious
    • 2 — Low activities
    • 1 — Very low activity
    • 0 — Informational
    • -1 — Clean
    • -2 — Failed to scan (because of unsupported file type)
    • -3 — Scan timed out
    • -6 — No file attachments were scanned
    • -7 — Silent Mode (Advanced Threat Defense is set to disable file scanning: email attachments are
      not scanned and only the email count is incremented for every email)
    • -8 — Advanced Threat Defense is too busy to service new scanning requests. At least one
      attachment has not been scanned and does not have a cached result (see X-ATD-TOOBUSY)
    • -100 — Advanced Threat Defense failed to receive or deliver the email
X-ATD-SILENTMODE Adds the value 1 if an email was scanned in silent mode. Otherwise this header is not
    added.
X-ATD-TOOBUSY Adds this header to all messages that pass through Advanced Threat Defense while it is:
    • processing new attachments for scanning
    • configured in Email pass-through mode.
    The X-ATD-TOOBUSY value is always 1. Because Advanced Threat Defense includes a results cache,
    check X-ATD-VERDICT to determine whether the attachments were scanned in a previous submission.
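The header table above, read by a downstream mail hop: the following parser and routing policy are an added example, not code from the product guide. The header names and verdict codes are the documented ones; the quarantine threshold, the hold/unscanned groupings and both sample messages are constructed.

```python
"""Parse the X-ATD-* headers that Advanced Threat Defense adds to a scanned email
and turn them into a routing decision for the downstream MTA or a SOC tool.

Added example, not part of the product guide. Header names and verdict codes are
those documented in the guide; the policy threshold and both sample messages are
constructed."""
from email import message_from_string
from email.message import Message

# Verdict codes shared by X-ATD-FILEVERDICTS (per attachment) and X-ATD-VERDICT (overall).
VERDICT_LABELS = {
    5: "Very high (risk)", 4: "Malicious", 3: "Likely to be malicious",
    2: "Low activities", 1: "Very low activity", 0: "Informational", -1: "Clean",
    -2: "Failed to scan (unsupported file type)", -3: "Scan timed out",
    -4: "Filtered by the File Type Configuration", -5: "Filtered by File Filtering Rules",
    -6: "No file attachments were scanned", -7: "Silent mode",
    -8: "Advanced Threat Defense too busy", -100: "Failed to receive or deliver the email",
}
QUARANTINE_AT = 3              # constructed policy: "Likely to be malicious" or worse
UNSCANNED = {-2, -3, -6, -7}   # overall codes meaning no attachment verdict exists
RETRY = {-8, -100}             # transient appliance states: hold and resubmit later


def _csv(msg: Message, name: str) -> list:
    """Comma-separated header values as a list; [] when the header is absent."""
    raw = msg.get(name)
    return [v.strip() for v in raw.split(",") if v.strip()] if raw else []


def parse_atd_headers(raw_email: str) -> dict:
    """Extract the ATD scan result from one RFC 822 message."""
    msg = message_from_string(raw_email)
    names = _csv(msg, "X-ATD-FILENAMES")
    verdicts = [int(v) for v in _csv(msg, "X-ATD-FILEVERDICTS")]
    overall = msg.get("X-ATD-VERDICT")
    return {
        # one verdict per attachment, in X-ATD-FILENAMES order
        "attachments": [
            {"name": n, "verdict": v, "label": VERDICT_LABELS.get(v, "Unknown")}
            for n, v in zip(names, verdicts)
        ],
        "hashes": _csv(msg, "X-ATD-FILEHASHES"),
        "alt_names": _csv(msg, "X-ATD-ALTFILENAMES"),
        "overall": int(overall) if overall is not None else None,
        "silent_mode": msg.get("X-ATD-SILENTMODE") == "1",
        "too_busy": msg.get("X-ATD-TOOBUSY") == "1",
    }


def route(raw_email: str) -> str:
    """Return "quarantine", "deliver", "hold" or "deliver-unscanned" for a message.

    X-ATD-TOOBUSY alone is not a reason to hold: the results cache may still have
    produced verdicts, so the decision keys off X-ATD-VERDICT as the guide advises."""
    result = parse_atd_headers(raw_email)
    overall = result["overall"]
    if overall is None:                 # ATD never stamped the message
        return "deliver-unscanned"
    if overall >= QUARANTINE_AT:
        return "quarantine"
    if overall in RETRY:
        return "hold"
    if overall in UNSCANNED or result["silent_mode"]:
        return "deliver-unscanned"
    return "deliver"


# Constructed sample messages (the hash values are placeholders, not real digests).
SAMPLE_MALICIOUS = """\
From: billing@example.test
To: soc@example.test
Subject: Invoice
X-ATD-FILENAMES: invoice.docx, update.exe
X-ATD-FILEHASHES: 0123456789abcdef0123456789abcdef, fedcba9876543210fedcba9876543210
X-ATD-FILEVERDICTS: -1, 4
X-ATD-VERDICT: 4
X-ATD-TOOBUSY: 1

See attached.
"""

SAMPLE_TOO_BUSY = """\
From: hr@example.test
To: soc@example.test
Subject: Policy
X-ATD-FILENAMES: policy.pdf
X-ATD-VERDICT: -8
X-ATD-TOOBUSY: 1

See attached.
"""
```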

Set minimum SSL/TLS version


You can set the minimum SSL/TLS protocol version for communication between Advanced Threat Defense and
other products. This setting ensures that Advanced Threat Defense doesn't allow SSL/TLS connections below
the defined version.
For example, if the minimum SSL/TLS version is set to TLS version 1.0, Advanced Threat Defense supports all TLS
versions from 1.0 upward. However, if you set TLS version 1.2, Advanced Threat Defense supports only TLS
version 1.2.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Go to Manage | Security | Advanced Security Settings.

2 In the Minimum SSL/TLS Protocol Version drop-down, select the minimum SSL/TLS version.

Ensure that the products your Advanced Threat Defense communicates with support the minimum SSL/TLS
protocol version you define here.

Enable Common Criteria (CC) mode


You can enable Common Criteria (CC) mode in Advanced Threat Defense. When you enable CC mode, you see
various security warnings, which you can either accept or fix by reviewing the Security Logs.

Before you begin


Logging must be enabled before you can enable Common Criteria mode in Advanced Threat Defense.

In Common Criteria (CC) mode:


• the minimum TLS version is set to 1.2.

• FTP Access, HTTP Port, and Force HTTPS options are disabled.

• Advanced Threat Defense uses only SSL connections with NSP.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | Syslog, then select Enable Logging.

3 Configure the System Log Server options, then click Test connection to test the connection.

The certificate uploaded for the Syslog setting is validated against key length, signature algorithm, and expiry
date. If there is a problem with the certificate, Advanced Threat Defense displays an error message.

4 In the Statistics to Log area, make sure Audit Log is checked. By default Audit Log is enabled.

5 Click Submit.

6 Go to Manage | Security | Advanced Security Settings, select Common Criteria Mode.


The audit function starts when Advanced Threat Defense boots up and stops when Advanced Threat Defense
shuts down. The function restarts in the following two scenarios:
• Change in Syslog certificate

• Manual change in Date and Time information

See also
http_redirect on page 123

Enable account lock out


You can configure Advanced Threat Defense to lock accounts after a defined number of invalid logon attempts.
You can also define the time period for which the account remains locked. During this time, the user cannot
log on to Advanced Threat Defense until the lock out period has elapsed.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Security | Advanced Security Settings.

3 Select Enabled Account Lock Out, then set the lock out duration and the number of allowed incorrect logon
attempts.
• Duration of Lock Out in Minutes – Set the duration of the lock out period in minutes.

• Maximum Login Retries – Set the number of allowed incorrect logon attempts, after which the account is
locked.

Configure the minimum number of password characters


Configure the minimum number of characters that users can use in the password they create to log on to
Advanced Threat Defense.
The default password length is 8 characters. The password settings also apply to console and CLI access.

For details about product features, usage, and best practices, click ? or Help.


Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Security | Advanced Security Settings.

3 To select the minimum number of password characters, use the arrows.

4 Click Save.

Add the Advanced Threat Defense logon banner


Upload custom text to the Advanced Threat Defense logon page.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Security | Advanced Security Settings.

3 Select Display Login Banner.

4 In the Banner Message field, enter the logon message.

You can only use the ASCII character set. The maximum number of characters you can use is 1024.

5 Click Save.

Generating a Certificate signing request (CSR)


Advanced Threat Defense allows you to generate a certificate signing request (CSR) from the web interface.
When you generate a CSR, Advanced Threat Defense attaches the key to the CSR, because the key for the CSR
is held by Advanced Threat Defense.

To generate a CSR, you enter your organization details and the key size. You can then generate your
CSR, export it, and submit it to a certificate signing authority to get it signed.

Generate a CSR
You can generate a CSR from Advanced Threat Defense.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Security | CSR Generation.

3 Fill the CSR Generation fields with your organization details.


• Common Name [CN] – Enter the domain name of your organization.

• Organization Name [O] – Enter your organization name.

• Organization Unit [OU] – Enter the organization unit that is ordering the certificate.


• City/Town [L], State/Province [ST], Country [C] – Enter the address of your organization.

• Email Id [ea] – Enter the email address to contact your organization.

• Hash Function – Select a hash function for your certificate.

• Key Size (in bits) – Select a key size for your certificate in bits.

4 Click Generate to generate your CSR.

Your CSR is now listed in the Certificate Signing Request Message section. You can use the icon in the Action column
to Export or Remove your CSR. Once the certificate is signed, you can upload it as the Web Certificate from the Manage
Certificate page.

Upload certificates
For web server authentication, Advanced Threat Defense allows you to upload certificates.
When you upload a certificate, Advanced Threat Defense checks for the attached key. If no key is
attached, the certificate upload fails. If a key is attached, Advanced Threat Defense validates the certificate
metadata. After validation, you might see security warnings, which you can either accept or fix.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Security | Manage Certificate.

3 Next to one of these options, click Browse.


• Web Certificate

• CA Certificate

• Trusted CA Certificate

4 Locate and select the certificate, then click Open.


The certificate must have a key in PEM format. The key length must be 2,048 bits or more, and the
signature algorithm must be at least SHA256 with RSA encryption. If Advanced Threat
Defense is unable to detect the key, you are prompted to upload a valid key. If your certificate has a valid
key but fails validation, the Certificate is invalid message appears, and you are prompted to upload a valid
certificate or continue with the existing certificate. After you upload a valid certificate that passes
validation, the web server restarts, and you must log back in to the Advanced Threat Defense web interface.

5 Click Upload.
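The validation rules in step 4 (key attached, at least 2,048-bit key, SHA256 or stronger with RSA, not expired) as a pre-upload check: this is an added example, not code from the product, and it assumes the openssl command-line tool is installed; the self-signed pairs it generates are constructed test data.

```python
"""Pre-upload check for the web certificate rules on the Manage Certificate page:
a key must be attached, the key must be at least 2048 bits, the signature must be
SHA256 (or stronger) with RSA, and the certificate must not have expired.

Added example, not part of the product. It shells out to the openssl CLI (assumed
to be installed) and generates throwaway self-signed pairs as constructed test data."""
import re
import subprocess
import tempfile
from pathlib import Path

MIN_KEY_BITS = 2048
SIG_ALG_RE = re.compile(r"Signature Algorithm: sha(256|384|512)WithRSAEncryption")


def _openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def check_certificate(cert_pem: str, key_pem: str = "") -> list:
    """Return the problems found; an empty list means the pair should pass validation."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp, "cert.pem")
        cert.write_text(cert_pem)
        parsed = _openssl("x509", "-in", str(cert), "-noout", "-text")
        if parsed.returncode != 0:
            return ["not a readable PEM certificate"]
        match = re.search(r"Public-Key: \((\d+) bit\)", parsed.stdout)
        bits = int(match.group(1)) if match else 0
        if bits < MIN_KEY_BITS:
            problems.append(f"key length {bits} bits is below {MIN_KEY_BITS}")
        if not SIG_ALG_RE.search(parsed.stdout):
            problems.append("signature algorithm is not SHA256 or stronger with RSA")
        # -checkend 0 exits non-zero when the certificate is already past notAfter
        if _openssl("x509", "-in", str(cert), "-noout", "-checkend", "0").returncode != 0:
            problems.append("certificate has expired")
        if not key_pem:
            problems.append("no private key attached")
        else:
            key = Path(tmp, "key.pem")
            key.write_text(key_pem)
            # Same RSA modulus means the key really belongs to this certificate.
            cert_mod = _openssl("x509", "-in", str(cert), "-noout", "-modulus").stdout
            key_mod = _openssl("rsa", "-in", str(key), "-noout", "-modulus").stdout
            if not key_mod or cert_mod != key_mod:
                problems.append("private key does not match the certificate")
    return problems


def make_test_pair(bits: int, digest: str = "sha256", days: int = 365) -> tuple:
    """Generate a self-signed RSA certificate and its key; constructed test data only."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = Path(tmp, "key.pem"), Path(tmp, "cert.pem")
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes", f"-{digest}",
             "-keyout", str(key), "-out", str(cert), "-days", str(days),
             "-subj", "/CN=atd.example.test"],
            check=True, capture_output=True)
        return cert.read_text(), key.read_text()
```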



3 Updating content

To upload content to the Advanced Threat Defense Appliance, use the Advanced Threat Defense web interface.

Contents
Defining Custom Behavioral Rules
Define Custom Yara Scanner
Import custom behavioral and YARA scanner rules
Change custom behavioral rules and YARA scanner files
Disable custom behavioral rules
Manage whitelist database samples
Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus
Update the detection package

Defining Custom Behavioral Rules


Custom Behavioral Rules are a set of YARA rules. YARA is a rule-based tool to identify and classify malware.
Advanced Threat Defense enables you to use your own YARA rules to identify and classify malware, so you can
import your own descriptions of malware into Advanced Threat Defense.
Custom Behavioral Rules also enable you to customize the detection capabilities of Advanced Threat Defense to
suit your needs. For example, you can use Custom Behavioral Rules if you want certain registry operations to be
reported at a particular severity level rather than the default severity level assigned by Advanced Threat
Defense. You can also write Custom Behavioral Rules to catch zero-day or near-zero-day malware. You can write
your own Custom Behavioral Rules or use YARA rules from a third party.

In this section, the word sample refers to both files and URLs that have been submitted to Advanced Threat
Defense for malware analysis.

You can store your Custom Behavioral Rules in a text file. Name this file so that it helps you track
modifications to your Custom Behavioral Rules set. You import this text file into Advanced Threat Defense
through the web interface.

Assuming you have enabled all analyze options with custom YARA rules, Advanced Threat Defense processes
the sample files and URLs in the following order of priority:

1 Global Whitelist

2 Local blacklist

3 McAfee GTI

4 McAfee Gateway Anti-Malware Engine

5 McAfee Anti-Malware Engine

6 Custom Yara Scanner


7 Dynamic Analysis

8 Custom Behavioral Rules — User-managed YARA rules.

9 Internal YARA rules — Internal YARA rules that are defined by McAfee and updated during Advanced Threat
Defense software upgrades. You cannot view or download these rules.

Advanced Threat Defense checks a sample against YARA rules only if the sample is dynamically analyzed.

After you import your Custom Behavioral Rules into Advanced Threat Defense, malware detection and
classification are based on these rules as well. The final severity of a sample is the maximum of the severities
produced by the analysis methods listed above, including the custom YARA rules.

Considerations
• Advanced Threat Defense supports custom YARA rules only from Advanced Threat Defense release 3.2.0.

• Advanced Threat Defense 3.2.0 supports YARA version 1.0 only. So, all YARA features documented in YARA
User's Manual for version 1.0 are supported.

• Advanced Threat Defense 3.4.8 supports YARA version 3.0.

• Advanced Threat Defense 3.6.0 supports YARA version 3.1.

• In an Advanced Threat Defense cluster setup, each node maintains its set of Custom Behavioral Rules
separately. That is, the custom YARA rules that you define in the primary node are not sent to the secondary
nodes automatically.

• There is no limit on the number of rules that you can include in your Custom Behavioral Rules file. Neither is
there a limit on the size of this file. However, the number of rules and their complexity might affect the
performance of Advanced Threat Defense.

Create the Custom Behavioral Rules file


Advanced Threat Defense applies the Custom Behavioral Rules to the User API log of an analyzed sample. To
create Custom Behavioral Rules that catch a specific behavior, you can use the User API log of a sample that
exhibited the same behavior. You can use YARA rules to catch runtime DLLs, file operations, registry operations,
process operations, and other operations reported in the analysis summary report for a sample. For example, to
catch a specific runtime DLL, look at a sample's User API log and write a YARA rule for that DLL.

Before you begin


• You are familiar with all features of Custom Behavioral Rules that Advanced Threat Defense
currently supports.

• You have identified the user API log of the sample that you want to use as a reference for
creating your Custom Behavioral Rules.

Task
1 Create a text file and open it in a text editor such as Windows Notepad.

2 Enter the comments in the text file to track the APIs or data that are the sources for your Custom Behavioral
Rules.

3 Write the first rule and provide it a name.

4 Enter the metadata for the rule.


Metadata is mandatory for standard rules and optional for helper rules. For custom YARA rules, the
metadata can contain classification, description, and severity. Use the [metadata field name] = [string/value]
format to define each of these three metadata fields. The field names are case-insensitive.
a Optionally, enter the classification value for the rule. The classification is the malware
classification category to which a behavioral rule belongs. Use the following table to calculate the
classification value.

Classification Value
Persistence, Installation Boot Survival 1
Hiding, Camouflage, Stealthiness, Detection and Removal Protection 2
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection 4
Spreading 8
Exploiting, Shellcode 16
Networking 32
Data spying, Sniffing, Keylogging, Ebanking Fraud 64

For example, if a YARA rule describes a malware that attempted to do spreading (value 8), installation
boot survival (value 1), and networking (value 32) then total classification result is 8+1+32 = 41.

b Enter the description for the rule, which is displayed in the analysis reports.

c Enter a severity value for the behavior described by the YARA rule.
Severity value must be an integer from 1–5, with 5 indicating most malicious behavior. Severity values
are irrelevant for helper rules.

5 Log on to the Advanced Threat Defense web interface.

6 Click Analysis | Analysis Reports, click the icon, then select User API Log.

7 On the text editor, enter the strings and conditions according to YARA syntax.

8 Add more rules according to your requirement in the same custom YARA text file, then save the file.
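The metadata rules from step 4 (classification summed from the table, the worked 8+1+32 = 41 example, description, and a severity of 1–5) as a rule builder and a pre-import lint: this is an added example, not code from the product guide. The rule names, strings and condition are constructed, and treating `private` rules as helper rules is this example's own convention.

```python
"""Write a Custom Behavioral Rules file with the three metadata fields the guide
describes (classification, description, severity) and lint a file before importing it.

Added example, not part of the product guide. The classification table is the
guide's; the rule names, strings, condition and the 'private rule = helper rule'
convention are constructed for this example."""
import re

# Classification categories and their values (the guide's table); a rule's
# classification is the sum of the categories that apply.
CLASSIFICATION = {
    "persistence": 1,       # Persistence, Installation Boot Survival
    "hiding": 2,            # Hiding, Camouflage, Stealthiness, Detection and Removal Protection
    "security_bypass": 4,   # Security Solution / Mechanism bypass, Anti Debugging, VM Detection
    "spreading": 8,
    "exploiting": 16,       # Exploiting, Shellcode
    "networking": 32,
    "data_spying": 64,      # Data spying, Sniffing, Keylogging, Ebanking Fraud
}


def classification_value(categories) -> int:
    """Combine category values; OR-ing means a repeated category is not double-counted."""
    value = 0
    for category in categories:
        value |= CLASSIFICATION[category]
    return value


def decode_classification(value: int) -> list:
    """Inverse of classification_value: the categories a stored value encodes."""
    return [name for name, bit in CLASSIFICATION.items() if value & bit]


def build_rule(name, categories, description, severity, strings, condition) -> str:
    """Render one standard rule in YARA syntax with ATD's metadata fields."""
    if not isinstance(severity, int) or not 1 <= severity <= 5:
        raise ValueError("severity must be an integer from 1 to 5")
    if not re.fullmatch(r"[A-Za-z_]\w*", name):
        raise ValueError(f"invalid YARA rule name: {name!r}")
    lines = [f"rule {name}", "{", "    meta:",
             f"        classification = {classification_value(categories)}",
             f'        description = "{description}"',
             f"        severity = {severity}",
             "    strings:"]
    lines += [f'        ${ident} = "{text}"' for ident, text in strings.items()]
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines) + "\n"


RULE_HEADER_RE = re.compile(r"^\s*(private\s+)?rule\s+([A-Za-z_]\w*)", re.M)
META_RE = re.compile(r"^\s*(classification|description|severity)\s*=\s*(.+?)\s*$", re.I | re.M)


def check_rule_file(text: str) -> list:
    """Lint a rules file: every standard (non-private) rule needs all three fields
    and a severity from 1 to 5. Returns a list of problem strings."""
    problems = []
    parts = RULE_HEADER_RE.split(text)   # [prefix, private?, name, body, private?, name, body, ...]
    for i in range(1, len(parts), 3):
        private, name, body = parts[i], parts[i + 1], parts[i + 2]
        if private:
            continue                      # helper rule: metadata optional
        found = {m.group(1).lower(): m.group(2) for m in META_RE.finditer(body)}
        for field in ("classification", "description", "severity"):
            if field not in found:
                problems.append(f"{name}: missing {field}")
        severity = found.get("severity")
        if severity is not None and not (severity.isdigit() and 1 <= int(severity) <= 5):
            problems.append(f"{name}: severity must be 1-5, got {severity}")
    return problems


# Constructed sample file: one standard rule built from the table (8 + 1 + 32 = 41, the
# guide's worked example) plus one helper rule without metadata.
SAMPLE_FILE = build_rule(
    name="worm_like_dropper",
    categories=["spreading", "persistence", "networking"],
    description="Spreading, boot survival and networking seen in the reference sample",
    severity=4,
    strings={"dll": "example_runtime.dll"},  # constructed; take real values from the User API log
    condition="$dll",
) + """
private rule helper_loads_library
{
    strings:
        $api = "LoadLibrary"
    condition:
        $api
}
"""

BAD_RULE = "rule bad\n{\n    meta:\n        severity = 9\n    condition:\n        true\n}\n"
```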

Define Custom Yara Scanner


Custom Yara Scanner is also a set of YARA rules, similar to Custom Behavioral Rules. The two differ in that
Custom Behavioral Rules are applied to the User API log of an analyzed sample, whereas Custom Yara
Scanner serves as an analyzing option in the analyzer profile before analysis. Custom Yara Scanner is available as a
static analysis option with no dependency on dynamic analysis.
Only enable Custom YARA Scanner when you have uploaded the corresponding YARA file to Advanced Threat
Defense.

See also
Integrate Advanced Threat Defense with Active Response on page 67

Create Custom YARA Scanner files


A YARA Scanner file is a set of rules written according to the YARA manual. These rules are user defined,
written to identify a specific pattern in a file.
If Custom YARA Scanner is enabled in your analyzer profile as an analyzing option, Advanced Threat Defense
checks whether any of these user-defined rules match the samples being analyzed. If a defined rule matches
an analyzed file, then after the analysis Very High severity is displayed in the analysis report with the rule name
as the threat name. If no defined rule matches the analyzed file, then Unverified is displayed in the analysis report
for the file.

Import custom behavioral and YARA scanner rules


Import the custom rule files into Advanced Threat Defense. You can import a maximum of two YARA rule file
versions. The second version that you upload becomes the Current file and makes the first version the Backup
file. Advanced Threat Defense applies the rules in the Current file for malware detection.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Image & Software | Incremental Updates.

3 Click the YARA Rules tab.

4 Next to Upload File, click Browse, then locate and open the YARA file.

5 In the pop-up window, select the YARA file type.

6 Click Upload.
If there are syntax errors in the file, Advanced Threat Defense displays the Uploaded file contains invalid Custom
Behavioral Rules. Please check system log for more details. message.
If you delete the Current YARA rule file, the Backup file replaces the Current file. To reinstate the Current file, click
Revert.

Load balancing scenario


Manually upload the Custom Yara Scanner files on these nodes:
• Primary

• Secondary

• Backup

On the primary node, click Policy | Analyzer Profile, select the analyzer profile, then click Edit. Enable
Custom Yara Scanner.

Change custom behavioral rules and YARA scanner files


Add and change the rules in custom behavioral rules and YARA scanner files.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Image & Software | Incremental Updates.

3 Click the YARA Rules tab.

4 To download the file from the Advanced Threat Defense database onto your client, click the File Name link.


5 Open the file that you downloaded in a text editor, make your changes, then save the file.

6 On the Incremental Updates page, click Browse, locate and open the file, then click Upload.

Disable custom behavioral rules


To troubleshoot Advanced Threat Defense, you can disable the Advanced Threat Defense custom behavioral
rules.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Global Settings.

3 Deselect Apply Custom Behavioral Rules.


To re-enable the custom behavioral rules, select Enable Custom Behavioral Rules, then click Submit.

Manage whitelist database samples


Use the Advanced Threat Defense web interface to manage whitelisted files, URLs, and digital signatures.

The whitelist database lists the MD5/SHA-256 hash values of trusted files that do not need to be analyzed.

Tasks
• Manage the file and URL samples on page 91
Add and remove file and URL samples that you have added to the whitelist database.
• Manage the digital signature samples on page 92
Add and remove the digital signature samples that you have added to the whitelist database.

Manage the file and URL samples


Add and remove file and URL samples that you have added to the whitelist database.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Global Whitelist | File and URL.

3 Configure the options you need.


• To upload a file or URL to the whitelist, configure the options.

To upload a file or URL to the whitelist on the Manual Upload page, go to Analysis | Manual Upload.

• To add a URL or MD5 to the whitelist, configure the options.

• To search and analyze the records, configure the options.

Alternately, you can add an analyzed sample to the whitelist database on the Analysis Reports page in the
Analysis tab.


Manage the digital signature samples


Add and remove the digital signature samples that you have added to the whitelist database.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Global Whitelist | Digital Signature.

3 Configure the options you need.


• To upload a digital signature to the whitelist, configure the options.

To upload a digital signature to the whitelist on the Manual Upload page, go to Analysis | Manual Upload.

• To search and analyze the records, use the following options.

Alternately, you can add an analyzed sample to the whitelist database using Analysis Reports page in the
Analysis tab.

Update DAT version for McAfee Gateway Anti-Malware and Anti-Virus


Import up to two DAT versions for the McAfee Gateway Anti-Malware Engine and McAfee Anti-Virus.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Image & Software | Incremental Updates.

3 Under Automatic Update, deselect Contents, then click Apply.

4 Click Download Content.


You can also access the update package at https://contentsecurity.mcafee.com/update.

5 Click Browse, locate the DAT files, then click Upload.

Update the detection package


Apply the latest detection package to Advanced Threat Defense.

Tasks
• Automatically download the latest Detection Package on page 92
Automatically download and install the latest Detection Package in Advanced Threat Defense.
• Manually upload the latest Detection Package on page 93
Manually upload and install the latest Detection Package in Advanced Threat Defense.

Automatically download the latest Detection Package


Automatically download and install the latest Detection Package in Advanced Threat Defense.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Allow automatic Detection Package downloads.


a Click Manage | ATD Configuration | Image & Software | Incremental Updates.

b Under Automatic Update, select Contents, then click Apply.

c In the Success message, click OK.

3 Install the Detection Package.


a On the Advanced Threat Defense toolbar, click the Detection Package alert message.

b On the Incremental Updates window, click Install next to the new detection package.

Manually upload the latest Detection Package


Manually upload and install the latest Detection Package in Advanced Threat Defense.
Advanced Threat Defense allows you to import a maximum of two versions of the Detection Package. The latest
uploaded version is the Current upload by default, and renders the previous upload as Backup. The Detection
Package designated as Current is applied for malware detection.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Image & Software | Incremental Updates.

3 To download the detection package, contact Support.

4 On the Incremental Updates page, click Browse, then select the detection package file.

5 Click Upload.
To reinstate the Backup file as the Current file, click Revert.



4 Analyzing malware

Upload files and URLs for analysis. You can monitor the status of malware analysis using Advanced Threat
Defense web interface, then view the results.

Contents
Analyze files
Analyze URLs
Monitor the status of malware analysis
View the analysis results
Submit false positive and negative samples
Troubleshoot low sandbox file scores
Monitor Advanced Threat Defense with the Dashboard

Analyze files
Advanced Threat Defense performs static and dynamic analysis on the files you submit.
Table 4-1 File guidelines

Guideline Definition
File submission methods
  You can submit files using the following methods:
  • Log on to the Advanced Threat Defense web interface and manually upload the files.
  • Post the files on the FTP server, which is hosted on the Advanced Threat Defense Appliance.
  • Use the Advanced Threat Defense web interface RESTful APIs. For more information, refer to the McAfee
    Advanced Threat Defense APIs Reference Guide.
  • The maximum file size supported is 128 MB if you use the Advanced Threat Defense web interface,
    RESTful APIs, or Web Gateway.
  • Integrate Advanced Threat Defense with Network Security Platform and Web Gateway, which automatically
    submit samples to Advanced Threat Defense.

Maximum file size
  The Advanced Threat Defense web interface, RESTful APIs, and Web Gateway support a maximum of 128 MB in
  file size.

File name requirements
  • Advanced Threat Defense supports Unicode.
  • File names can be up to 200 bytes long.
  • File names can contain non-English and special characters. When you use any of the following characters,
    the file name is displayed as the MD5 hash value of the file: " ' ` < > | ; * ? # $
    For example, if you submit vtest;32.exe, Advanced Threat Defense displays the file name as
    e2cfe1c89703352c42763e4b458fc356.exe.
  • If you use the \ character, Advanced Threat Defense is unable to display the character and any following
    characters.
  • If you use a space in the file name, Advanced Threat Defense displays it as _.

Static analysis
  Static analysis of Visual Basic for Applications scripts (VBA scripts) embedded inside a Microsoft Office
  application takes place inside the virtual machine. The analysis enhances the ability to identify threats that
  are disguised as VBA scripts.

Dynamic analysis
  Dynamic analysis of Flash files occurs after you install the Internet Explorer-based Flash plug-in or Flash
  player on the virtual machine. The Flash plug-in is supported only for Internet Explorer on the virtual machine.
  When you install both the Flash player and the Flash plug-in, the Flash plug-in takes precedence.

Pre-filtering
  Advanced Threat Defense supports Flash and PDF file sample pre-filtering. File and application pre-filtering
  that uses Microsoft Office 2003 and earlier, and Microsoft Office 2007 and later, is supported. The pre-filtering
  functionality ascertains high-confidence Microsoft Office samples as clean even before these samples are
  submitted for dynamic analysis. This reduces the load on the virtual machines.


Table 4-2 Supported file types

File Types Static Analysis Dynamic Analysis
32-bit Portable Executable (PE) files; 64-bit PE+ files
  Static analysis: .exe, .dll, .scr, .ocx, .sys, .com, .cpl, .cgi
  Dynamic analysis: .exe, .dll, .scr, .ocx, .sys, .com, .cpl, .cgi

Microsoft Office Suite documents
  Static analysis: .doc, .docx, .xls, .xlsx, .xlsb, .xlsm, .ppt, .pptx, .rtf, .xltm, .xltx, .xlam, .docm, .dotm,
  .dotx, .ppam, .pps, .ppsx, .ppsm, .pptm, .shs, .sldm, .sldx, .thmx, .xar
  Dynamic analysis: .doc, .docx, .xls, .xlsx, .xlsb, .xlsm, .ppt, .pptx, .rtf, .xltm, .xltx, .xlam, .docm, .dotm,
  .dotx, .ppam, .pps, .ppsx, .ppsm, .pptm, .shs, .sldm, .sldx, .thmx, .xar

Adobe
  Static analysis: .pdf, .swf
  Dynamic analysis: .pdf, .swf

Compressed files
  Static analysis: .zip, .cab, .7z, .msi, .lzh, .lzma
  Dynamic analysis: .zip, .cab, .7z, .lzh, .lzma, .rar, .msi

Android application package
  Static analysis: .apk
  Dynamic analysis: .apk

Java
  Static analysis: JAR, CLASS, Java Script, Java bin files
  Dynamic analysis: JAR, CLASS, Java Script, Java bin files

Image files
  Static analysis: .jpeg, .png, .gif
  Dynamic analysis: Not supported

Other file types
  Static analysis: .cmd, .bat, .vbs, .xml, .url, .htm, .html, .eml, .msg, .vb, .vba, .vbe, .ace, .arj, .chm, .lnk,
  .mof, .ocx, .potm, .potx, .ps1, .reg, .wsc, .wsf, .wsh
  Dynamic analysis: .cmd, .bat, .vbs, .xml, .url, .htm, .html, .eml, .msg, .vb, .vbe, .ace, .arj, .chm, .inf, .ins,
  .lnk, .ocx, .potm, .potx, .ps1, .reg, .wsc, .wsf, .wsh

Upload files for analysis


To submit a file for analysis, you must select an analyzer profile. The analyzer profile overrides the default
analyzer profile associated with your user account.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Make sure that the required analyzer profile is available.

3 Click Analysis | Manual Upload.

4 Configure the options, then click Submit.

Tasks
• Manually upload files on page 98
Manually upload files to Advanced Threat Defense for analysis.

Manually upload files


Manually upload files to Advanced Threat Defense for analysis.

Before you begin


Make sure that the required analyzer profile is available with the Enable Malware Internet Access option
selected.

To completely execute some malware, user intervention might be required.


For example, a default setting in the analyzer VM might pause the execution unless the setting is manually
overridden. Some files might display dialog boxes, where you are required to make a selection or a
confirmation. Malware demonstrates such behavior to determine whether it is being executed in a sandbox. The
behavior of the malware might vary based on your intervention. When you submit files in user-interactive
mode, the analyzer VM opens in a pop-up window on your client computer and you can provide your input
when prompted.

You can upload files to be executed in the user-interactive mode. This option is available only when you
manually upload a file using the Advanced Threat Defense web interface. For files submitted by other methods,
such as FTP upload and files submitted by Network Security Platform, requests for user intervention by the
malware are not honored. However, the screen shots of all such requirements are available in the Screenshots
section of the Analysis Summary report. Then you can manually resubmit such files in the user-interactive mode
to know the actual behavior of the file.

For XMode, Google Chrome version 44.0.2403 and later, and Mozilla Firefox version 40.0.3 and later are
supported. Microsoft Internet Explorer is not supported.

Because the analyzer VM is opened in a pop-up window, make sure the pop-up blocker is disabled in your
browser.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Analysis | Manual Upload | Browse, then locate and open the file you want to submit for analysis.
You can also drag and drop the file on the Drop your file here box.
• If you are uploading a password-protected .zip file, make sure you have provided the password in the
analyzer profile that you want to use for analysis.

• If dynamic analysis is required, the files in the .zip file are executed on different instances of the analyzer
VM. If enough analyzer VMs are not available, some of the files are in the pipeline until analyzer VMs are
available.

• Because the files in the .zip file are analyzed separately, separate reports are created for each file.

• Unicode is supported for the file name of samples. File names can contain non-English characters and
special characters.

File names are displayed as the MD5 hash value of the file if any of the following characters are used: "'`<>|;*?#$*

• The file name can be up to 200 bytes in length.

3 From the Analyzer Profile drop-down list, select the analyzer profile.

4 From the Submission Priority drop-down list, select the priority.

McAfee Advanced Threat Defense 4.0.0 Product Guide 99



5 Select one of these options, then click Submit.


• User Interactive Mode (XMode)
On the Uploaded File Successfully window, click OK, then click OK on the pop-up message. On the Analysis
Status page, locate the sample and click X-Mode.

When the file execution completes, the VM automatically shuts down and you are unable to use Connect
to view the VNC session. When you click Disconnect, Advanced Threat Defense closes the VNC session
from the client and displays the VNC disconnected message.

Enabling X-Mode overrides the maximum execution time in the Analyzer profile to the X-Mode time.

• Skip files if previously analyzed.

Advanced Threat Defense is unable to skip sample analysis in these scenarios:


• Analyzer profile settings change after the last analysis

• The last submitted sample analysis occurred three days prior

• You used URL Download to submit the samples

When you submit a previously analyzed .zip file, Advanced Threat Defense displays the sample with the
highest severity.
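As an added illustration of the file-name rules given in step 2 of the task above (example code written for this guide section, not part of the product guide or of McAfee software), the following Python checks a candidate file name against the 200-byte limit and the set of characters that make the web interface display the MD5 hash instead of the name, and shows the name that would be displayed. The trigger characters and the byte limit come from the text; the sample names are constructed.

```python
"""Pre-submission check for sample file names, following the rules the guide
gives for manual upload. Added example; not McAfee code."""
import hashlib

# Characters the guide lists: if any appears in the file name, the web
# interface shows the file's MD5 hash instead of the name.
MD5_TRIGGER_CHARS = set('"\'`<>|;*?#$')
MAX_NAME_BYTES = 200  # the guide's limit is 200 bytes, not 200 characters


def check_sample_name(name: str) -> dict:
    """Report which naming rules a file name trips before you upload it."""
    encoded = name.encode("utf-8")  # non-English characters take 2-4 bytes each
    return {
        "utf8_bytes": len(encoded),
        "too_long": len(encoded) > MAX_NAME_BYTES,
        "shown_as_md5": any(ch in MD5_TRIGGER_CHARS for ch in name),
    }


def display_name(name: str, content: bytes) -> str:
    """Name as the Analysis Status page would show it: the MD5 of the file
    content when the name contains a trigger character, else the name itself."""
    if check_sample_name(name)["shown_as_md5"]:
        return hashlib.md5(content).hexdigest()
    return name


if __name__ == "__main__":
    # Constructed names: a plain one, one with a trigger character, and a
    # 150-character name that is nevertheless 300 bytes long in UTF-8.
    for candidate in ("invoice.pdf", "report$final.docx", "é" * 150):
        print(candidate[:20], check_sample_name(candidate))
```

The byte-versus-character distinction matters for the Unicode file names the guide permits: a 150-character name made of two-byte characters already exceeds the 200-byte limit.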

Upload files for analysis using SFTP


Using SFTP, you can upload supported file types to the FTP server on Advanced Threat Defense.

Before you begin


• Your user name has FTP Access privilege. This is required to access the FTP server hosted on
Advanced Threat Defense.

• You have created the required analyzer profile that you want to use.

• You have installed an FTP client on your machine.

By default, FTP is not a supported protocol for uploading samples. To use FTP to upload files, you must enable it
using the set ftp enable CLI command.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Open your FTP client and connect to Advanced Threat Defense using the following information.
• Host — Enter the IP address of Advanced Threat Defense

• User name — Enter your Advanced Threat Defense user name

• Password — Enter your Advanced Threat Defense password

• Port — Enter 22, which is the standard port for SFTP. For FTP, enter 21.

2 Upload the files from the local site to the remote site, which is on Advanced Threat Defense.

3 Log on to the Advanced Threat Defense web interface.

4 Click Analysis | Analysis Status and monitor the status of the uploaded files.

See also
Set FTP on page 138




Analyze URLs
Advanced Threat Defense analyzes the URL in an analyzer VM determined by the user profile, and reports the
file analysis results. Advanced Threat Defense uses only the local blacklist and dynamic analysis for the
downloaded file. In addition, the McAfee GTI reputation of the URL is reported. The behavior of the browser
when opening the URL is also analyzed for malicious activity.
Use one of these methods to submit URLs:

• Manually upload the URL using the Advanced Threat Defense web interface.

• Use the RESTful APIs to upload URLs. See the McAfee Advanced Threat Defense RESTful APIs Reference Guide.

Malicious websites typically contain multiple types of malware. When a victim visits the website, the malware
that suits the vulnerabilities present in the endpoint is downloaded. You can create multiple analyzer VMs, each
with a different operating system, browser, applications, and browser plug-ins that are relevant to your network.
Leaving the browsers and operating systems in those VMs unpatched can also help you observe the actual
behavior of websites.

The advantage of using Advanced Threat Defense is that you can get a detailed report of previously unknown
malicious domains, websites, and IP addresses as well as the current behavior of known ones. You can also get
a detailed analysis report for benign sites that were recently compromised.

Advanced Threat Defense analyzes the URL samples and generates a Graph Modeling Language (GML) file. This
file is in an ASCII plain text format, which contains data to generate a graphical representation of the logic
execution path. You cannot directly view this file in the Advanced Threat Defense web interface.

• When analyzing a URL sample, make sure that you select an analyzer profile that does not have the Full
Logic Path option enabled. Full Logic Path is supported only for PE file types.

• GTI Reputation is enabled by default. This setting allows Advanced Threat Defense to analyze
URLs.

Analyzing URLs
To analyze URLs, select an analyzer profile that has both sandbox and Internet access enabled.
1 Advanced Threat Defense uses a proprietary procedure to calculate the MD5 hash value of the URL. Then, it
checks this MD5 against its local blacklist.

2 Assuming that the MD5 of the URL is not present in the blacklist (or that the Run All Selected option is
selected in the corresponding analyzer profile) and that the file the URL refers to is of a supported file type,
Advanced Threat Defense dynamically analyzes the file using the corresponding analyzer VM.

McAfee GTI File Reputation, Anti-Malware, and Gateway Anti-Malware analyze options are not relevant for
URLs.

3 Dynamic analysis and reporting for URLs is similar to that of files. It records all activities in the analyzer VM
including registry operations, process operations, file operations, runtime DLLs, and network operations. If
the webpage downloads any dropper files, Advanced Threat Defense dynamically analyzes these files as well
and includes the results in the same report under the embedded/dropped content section.




4 If a dropped file connects to other URLs, all these URLs are checked with TrustedSource for URL reputation
and categorization.

5 Advanced Threat Defense analyzes the URL samples and generates a Graph Modeling Language (GML) file.
This file is in an ASCII plain text format, which contains data to generate a graphical representation of the
logic execution path. You cannot directly view this file in the Advanced Threat Defense web interface.

When analyzing a URL sample, make sure that you select an analyzer profile that does not have the Full Logic
Path option enabled.

Only HTTP, HTTPS, and FTP protocols are supported for URL analysis.

Upload URLs for analysis using Advanced Threat Defense web interface
You can upload URLs using two different options, depending on your requirements.

Before you begin


Make sure that the required analyzer profile is available with sandbox and Enable Malware Internet
Access options selected.

These options are available for manually uploading URLs:

• URL—The selected URL is sent to the analyzer VM, and the file pointed to by the URL is downloaded to the
analyzer VM for analysis. For example, when a user submits the URL http://the.earth.li/~sgtatham/putty/
latest/x86/putty.exe, the URL is sent to the analyzer VM, then the putty.exe file is downloaded to the
analyzer VM.

• URL Download—The selected URL is downloaded by Advanced Threat Defense itself. The file that the URL
points to is downloaded locally on Advanced Threat Defense, and the downloaded file is then sent to the
static analyzers and the analyzer VM for analysis. For example, when a user submits the URL http://
the.earth.li/~sgtatham/putty/latest/x86/putty.exe, the putty.exe file is downloaded to Advanced Threat
Defense, then sent to the analyzer VM.

When you use the Advanced Threat Defense web interface to submit a URL for analysis, select an analyzer
profile. This analyzer profile overrides the default analyzer profile associated with your user account.

Manual upload using URL option


Manually upload URLs to Advanced Threat Defense for analysis.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Analysis | Manual Upload.

3 Configure the options, then click Submit.

Monitor the status of malware analysis


The Analysis Status page provides the status of your submitted files until the analysis is complete.
After the analysis is complete, the analysis details are available on the Analysis Reports page.

For details about product features, usage, and best practices, click ? or Help.




Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Analysis | Analysis Status.

3 From the drop-down lists, configure the view and refresh criteria.
• The default refresh interval is 1 minute.

• By default, results from the last 24 hours are displayed. You can specify this criterion based on time or
number. For example, you can choose to view the status for files submitted in the last 5 minutes or for the
last 100 samples.

• To refresh the Analysis Status page now, click .

4 Enter your filter criteria, then click Search.


Suppose that you have selected File Name and Status as the criteria, selected Case Sensitive, and specified Com.
All the records in the completed state and file names starting with the characters Com are listed.

5 Hide the columns that you do not require.


a Move the mouse over the right corner of a column heading and click the drop-down arrow.

b Select Columns.

c Select only the required column names from the list.

You can click a column heading and drag it to the required position.

6 To sort the records based on a particular column name, click the column heading.
You can sort the records in the ascending or descending order. Alternatively, move the mouse over the right
corner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending. By
default, the records are sorted in descending order based on the Submitted Time column.

7 To cancel analysis of multiple pending files, select the files using the checkbox and click Cancel Selected.

8 To cancel analysis of all pending files, click Cancel All Pending.

Cancel Selected and Cancel All Pending are applicable only for the files in Pending state and not in Analyzing state.

9 Click




View the analysis results


View the file analysis results on the Analysis Reports page. For dynamic analysis, if you selected multiple VM
profiles, the file has one Job ID and a separate Task ID for each VM profile. If a sample is detected by static
analysis, only one entry with one Job ID and one Task ID is created.

• Older reports are deleted when the data disk of Advanced Threat Defense is 75 percent full. You
can view the current data disk space available in the System Health monitor of the Dashboard. If you
configure the options under FTP Result Output in the User Management page and use the set
resultbackup enable command, then Advanced Threat Defense saves the results locally as well as
sends them to the configured FTP server for your long-term use.

• While you view the reports, the maximum number of reports you can navigate to is one million.
To view reports beyond that, use the search filter to reduce the number of reports returned.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Analysis | Analysis Reports.


The Analysis Reports page lists the status for the completed files.

If you do not have admin permissions, only those files that you submitted are listed. A user with admin
permissions can view the samples submitted by all users.

Click Export CSV to export the status of completed files locally in CSV format.

3 Specify the criteria for viewing and refreshing the records in the Analysis Reports page.
a Set the criteria to display records in the Analysis Reports page.
By default, the results for the files completed in the last 24 hours are shown.
You can specify this criterion based on time or number. For example, you can choose to view the files for
which the analysis was completed in the last 5 minutes or the last 100 completed files.

b Set the frequency at which the Analysis Reports page must refresh itself.
The default refresh interval is 1 minute.

c To refresh the Analysis Reports page now, click .

4 Choose to hide the columns that you do not require.


a Move the mouse over the right corner of a column heading and click the drop-down arrow.

b Select Columns.

c Select only the required column names from the list.

You can click a column heading and drag it to the required position.




5 To sort the records based on a particular column name, click the column heading.
You can sort the records in the ascending or descending order. Alternatively, move the mouse over the right
corner of a column heading and click the drop-down arrow. Then select Sort Ascending or Sort Descending.
By default, very high severity files are shown at the top of the list.

6 To save the Analysis Reports page settings, click

View the Threat Analysis report


The Threat Analysis report is an executive brief detailing key behaviors of the sample file.
Advanced Threat Defense allows you to download the Threat Analysis report in these file types:
• HTML

• Text

• PDF

Advanced Threat Defense supports XML and JSON formats, which provide well-known malware behavior tags
that high-level scripts can use to extract key information. Network Security Platform and Web Gateway use
the JSON format to display the report details in their user interfaces.

Advanced Threat Defense also supports OpenIOC and STIX formats, which you can use to share threat
information. With the OpenIOC and STIX formats, you can share the Analysis Summary reports with other
security applications for a better understanding, detection, and containment of malware. For example, you can
manually submit the OpenIOC and STIX reports to an application that queries hosts for the indicators in the
report. This way you can detect the infected hosts, and then take the required remedial actions to contain and
remove the malware.

The Threat Analysis reports in the OpenIOC and STIX formats are available in the sample Complete Results file.

Table 4-3 Threat Analysis report content


Formats Severity -1 Severity 0 Severity 1 Severity 2 Severity 3 Severity 4 Severity 5
HTML X X X X X X X
Text X X X X X X
PDF X X X X X X
XML X X X X X X
JSON X X X X X X X
OpenIOC X X X
STIX X X X

What the severity translates to:


• Severity -2 – Failed. Advanced Threat Defense is unable to analyze the submitted file.

• Severity -1 – Clean. The submitted file is not malware.

• Severity 0 – Informational. The submitted file has insufficient or invalid information for analysis.

• Severity 1 – Very low activity. The submitted file has not shown signs of malware. Use with caution.

• Severity 2 – Low activity. The submitted file shows signs of malware that poses low risk.

• Severity 3 – Likely to be malicious. The submitted file shows signs of malware that poses medium risk.

• Severity 4 – Malicious. The submitted file shows signs of malware that poses high risk.

• Severity 5 – Very high. The submitted file shows signs of malware that poses very high risk.

The Deep Neural Network section displays the verdict and probability factor of the analysis through machine
learning. To enable Deep Neural Network for your analyzer profile, enable Machine Learning: Deep Neural Network under
Dynamic Analysis by editing your analyzer profile or when you create a new analyzer profile.

Deep Neural Network analysis only scans PE files.

The Family Classification section displays the category of malware present in the file submitted.

If the parent file generates other files with malicious content, it shows categories of malware in the subordinate
files too.

To use the Family Classification option, you must have enabled the Disassembly Results option in the corresponding
analyzer profile.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Analysis | Analysis Reports.

3 View the Threat Analysis Report.



To view the Threat Analysis Report in HTML format, click , then select Analysis Summary (HTML).
You can also double-click the report.


To view the Threat Analysis Report in PDF format, click , then select Analysis Summary (PDF).

4 Download the Threat Analysis Report.


a Click , then select Complete Results.

b Save the .zip file to your computer.


The .zip file is named after the sample file.

c Open and extract the .zip file.

View the Dropped Files report


You can download a .zip file containing all the files that the sample created or touched during dynamic analysis.

You can download these files using one of the following methods.


In the Analysis Reports page (Analysis | Analysis Reports), click and select Dropped Files. Download the
dropfiles.zip file, which contains the files that the sample created in the sandbox. To use this option, you
must have enabled the Dropped Files option in the corresponding analyzer profile.


After you click , select Complete Results. Download the <sample_name>.zip file. This .zip file contains the
same dropfiles.zip inside the AnalysisLog folder. The Complete Results contains the dropfiles.zip regardless
of whether you have enabled Dropped Files option in the corresponding analyzer profile.




Viewing and Understanding the Disassembly Results report


The Disassembly Results report provides the disassembly output listing for portable executable (PE) files. This
report is generated from the sample file after the unpacking process has completed. It provides detailed
information about the malware file, such as the PE header information.
The Disassembly Results report includes the following information:

• Date and time of the creation of the sample file

• File PE and Optional Header information

• Different section headers information

• The Intel disassembly listing

Enable Disassembly Results report for an analyzer profile


Change the analyzer profile settings and enable Disassembly Results.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Make sure the users assigned to the analyzer profile are logged off from Advanced Threat Defense.

3 Click Policy | Analyzer Profile, select a profile, then click Edit.

4 From Reports, Logs, and Artifacts, select Disassembly Results, then click Save.

View the Disassembly Results report


You can view the Disassembly Results report in the Advanced Threat Defense web interface or download it as a file
to your client computer. The contents of the report are the same with both methods.
• To view the Disassembly Results report in the Advanced Threat Defense web interface, select Analysis | Analysis
Reports. In the Analysis Reports page, click and select Disassembly Results. To use this option, you must have
enabled the Disassembly Results option in the corresponding analyzer profile.


To download the report as a file, click in the Analysis Reports page and select Complete Results. Download the
<sample_name>.zip file. This .zip file contains a file named as <file name>_detail.asm in the AnalysisLog
folder. The Zip Report contains this .asm file regardless of whether you have enabled Disassembly Results
option in the corresponding analyzer profile.

The Disassembly Results report provides the assembler instructions along with any static standard library call
names like printf and Windows system DLL API call names embedded in the listing. If the global variables such
as string text are referenced in the code, these string texts are also listed.

Table 4-4 A section of a sample Disassembly Results report

Column 1    Column 2       Column 3
:00401010   e8 1f2c0000    call 00403c34 ;;call URLDownloadToFileA

The virtual address of the instruction is shown in column 1, the binary instruction in column 2, and the
assembly instruction with comments in column 3. In the preceding example, the call 00403c34 instruction
at memory location 00401010 makes a function call to memory location 0x403c34, which is determined
to be the system DLL API function URLDownloadToFileA(). The comment introduced by ;; in the listing
provides the library function name.
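As an added example of reading such a listing programmatically (this is example code written for this section, not McAfee code or output), the following Python parses lines in the address / bytes / assembly / ;;comment layout described above and pulls out the annotated API call sites and the string literals the listing attaches to instructions, which is the first thing a triage analyst looks for in the .asm file. The listing is constructed for the example (the relative call offsets are consistent with the addresses, as in the guide's own line), and it assumes that the three columns are separated by two or more spaces.

```python
"""Pull the API call sites and referenced strings out of an ATD Disassembly
Results listing. Added example; not McAfee code. The listing below is
constructed to match the column layout the guide describes (address, bytes,
assembly, optional ';;' comment) and assumes columns are separated by two or
more spaces."""
import re
from collections import namedtuple

Instruction = namedtuple("Instruction", "address opcode_bytes asm comment")

# Constructed listing: a small downloader-style sequence, not a real sample.
SAMPLE_LISTING = """\
:00401000  55              push ebp
:00401001  8b ec           mov ebp, esp
:00401003  68 30304000     push 00403030  ;;"http://example.invalid/payload.exe"
:00401008  6a 00           push 00000000
:0040100a  e8 252c0000     call 00403c34  ;;call URLDownloadToFileA
:0040100f  68 60304000     push 00403060  ;;"C:\\Users\\Public\\update.exe"
:00401014  e8 1b2c0000     call 00403c34  ;;call URLDownloadToFileA
:00401019  6a 05           push 00000005
:0040101b  e8 382c0000     call 00403c58  ;;call CreateProcessA
:00401020  e8 03000000     call 00401028  ;;call printf
:00401025  c3              ret
"""

_COLUMNS = re.compile(r"\s{2,}")


def parse_listing(text):
    """One Instruction per listing line; lines not starting with ':' are skipped."""
    result = []
    for raw in text.splitlines():
        if not raw.startswith(":"):
            continue
        body, _, comment = raw.partition(";;")   # split off the ';;' comment first
        cols = _COLUMNS.split(body.strip().lstrip(":"), maxsplit=2)
        if len(cols) != 3:
            continue                             # not address / bytes / asm
        address, opcode_bytes, asm = cols
        result.append(Instruction(address, opcode_bytes, asm.strip(), comment.strip() or None))
    return result


def api_call_sites(instructions):
    """(address, API name) for every call the listing annotates as ';;call NAME'."""
    sites = []
    for ins in instructions:
        if ins.asm.startswith("call") and ins.comment and ins.comment.startswith("call "):
            sites.append((ins.address, ins.comment.split(None, 1)[1]))
    return sites


def string_refs(instructions):
    """Quoted string literals the listing attaches to instructions."""
    return [ins.comment[1:-1] for ins in instructions
            if ins.comment and ins.comment.startswith('"') and ins.comment.endswith('"')]


def api_counts(instructions):
    """How often each annotated API is called; a quick first read for triage."""
    counts = {}
    for _, api in api_call_sites(instructions):
        counts[api] = counts.get(api, 0) + 1
    return counts


if __name__ == "__main__":
    instructions = parse_listing(SAMPLE_LISTING)
    for address, api in api_call_sites(instructions):
        print(address, api)
    print(string_refs(instructions))
    print(api_counts(instructions))
```

Pairing each annotated call with the address it is made from lets you cross-check the static listing against the approximate calling addresses recorded in the User API Log described later in this chapter.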




Logic Path Graph


The Logic Path Graph is a graphical representation of function call cross-references that Advanced Threat Defense
discovers during dynamic analysis. You can use the report to view the executed and non-executed functions in
analyzed files that occurred during dynamic analysis.

If you find non-executed functions, you must fix them immediately.

The Logic Path Graph report is available in the Graph Modeling Language (GML) file format. The file is ASCII
plain text that contains the data needed to draw the logic execution path of the sample. You cannot view this
file directly in the Advanced Threat Defense web interface; download it to your client computer and open it in a
graphical layout editor that supports the GML format, such as yWorks yEd Graph Editor. Such an editor can
display the cross-references of all functions using this file as input.

You can download the Logic Path Graph file using one of the following methods.


In the Analysis Reports page (Analysis | Analysis Reports), click and select Logic Path Graph. Then download the
<file name>_logicpath.gml file. To use this option, you must have enabled the Logic Path Graph option in the
corresponding analyzer profile.


After you click , select Complete Results. Download the <sample_name>.zip file. This .zip file contains the
same <file name>_logicpath.gml file in the AnalysisLog folder. The Zip Report contains the <file
name>_logicpath.gml file regardless of whether you have enabled Logic Path Graph option in the
corresponding analyzer profile.

This section uses yWorks yEd Graph Editor to explain how to use the Logic Path Graph GML file. In the yEd
Graph Editor, you must first set the Routing Style. You need to do this only once, and this setting is saved for
further use.

1 To open the Logic Path Graph file, use your yEd Graph Editor.

2 Click Layout | Hierarchical.

3 Click Edges, select Polyline from the Routing Style drop-down list, then click Ok.
When you open the <file name>_logicpath.gml file in yEd Graph Editor, initially you might see many
rectangle boxes overlapping each other.

Figure 4-1 Layout of the subroutines relationships




The graph depicts an overview of the complexity of the sample as seen by the cross-reference of function calls.
The following shows more detail on the function names and their addresses as seen by zooming in.

Figure 4-2 Zoom in on the layout

Two colors are used to indicate the executed path. The red dash lines show the non-executed path, and the
blue solid lines show the executed path.

According to the preceding control graph, the subroutine (Sub_004017A0) at virtual address 0x004017A0 was
executed, as shown by the blue solid line pointing to the Sub_004017A0 box. However, the subroutine
(GetVersion) was potentially not called, because a red dashed line points to it.

The Sub_004017A0 subroutine makes 11 calls, as there are 11 lines coming out of this box. Seven of these 11
calls were executed during dynamic analysis. One of them calls Sub_00401780, as there is a blue solid line
pointing from Sub_004017A0 to Sub_00401780. Calls to Sub_00401410, printf, Sub_00401882, and
Sub_00401320 were not executed and are shown with red dashed lines pointing at them.

The Sub_00401780 subroutine is making only one unique call as there is only one line coming out from this box.
This call was executed during dynamic analysis.
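The executed-versus-non-executed reading of the graph described above can also be produced without a graph editor. The following Python is an added example (not McAfee code and not the product's GML writer): it parses a GML file with a small recursive parser and summarizes, per subroutine, how many call edges it has, how many were executed, and which targets were not. The GML grammar (key/value pairs, nested with square brackets) is the public format; the way executed and non-executed edges are marked is an assumption modelled on yEd's graphics section (style "line" with blue fill for executed, style "dashed" with red fill for non-executed), so check the attribute names against a real _logicpath.gml file before relying on this. The graph itself is constructed to mirror the figure discussed above: Sub_004017A0 makes 11 calls of which 7 executed, and Sub_00401780 makes one executed call.

```python
"""Summarize an ATD Logic Path Graph (GML) file: executed vs non-executed calls.
Added example, not McAfee code. GML parsing follows the public GML syntax; the
edge attributes used to mark executed (solid blue) vs non-executed (dashed red)
edges are an ASSUMPTION modelled on yEd's 'graphics' section."""
import re
from collections import defaultdict

# A GML token is '[' or ']', a double-quoted string, or a run of non-space text.
_TOKEN = re.compile(r'\[|\]|"(?:[^"\\]|\\.)*"|[^\s\[\]]+')


def parse_gml(text):
    """Parse GML into nested lists of (key, value) pairs; keys may repeat."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def parse_list():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "]":
            key, tok = tokens[pos], tokens[pos + 1]
            pos += 2
            if tok == "[":
                value = parse_list()
                pos += 1            # consume the closing ']'
            elif tok.startswith('"'):
                value = tok[1:-1]   # strip the quotes
            else:
                value = int(tok) if re.fullmatch(r"-?\d+", tok) else float(tok)
            items.append((key, value))
        return items

    return parse_list()


def _get(items, key):
    """All values stored under key in a parsed GML list (keys can repeat)."""
    return [v for k, v in items if k == key]


def logic_path_summary(gml_text):
    """Per subroutine: number of call edges, how many were executed, and the
    targets of non-executed (dashed) edges, in file order."""
    graph = _get(parse_gml(gml_text), "graph")[0]
    labels = {_get(n, "id")[0]: _get(n, "label")[0] for n in _get(graph, "node")}
    summary = defaultdict(lambda: {"calls": 0, "executed": 0, "not_executed": []})
    for edge in _get(graph, "edge"):
        src = labels[_get(edge, "source")[0]]
        dst = labels[_get(edge, "target")[0]]
        graphics = _get(edge, "graphics")
        dashed = bool(graphics) and _get(graphics[0], "style") == ["dashed"]  # assumed marker
        entry = summary[src]
        entry["calls"] += 1
        if dashed:
            entry["not_executed"].append(dst)
        else:
            entry["executed"] += 1
    return dict(summary)


# Constructed graph mirroring the figure in the guide (not a real ATD output).
SAMPLE_GML = """\
graph [
  directed 1
  node [ id 0 label "Sub_00401000" ]
  node [ id 1 label "Sub_004017A0" ]
  node [ id 2 label "Sub_00401780" ]
  node [ id 3 label "GetVersion" ]
  node [ id 4 label "Sub_00401410" ]
  node [ id 5 label "printf" ]
  node [ id 6 label "Sub_00401882" ]
  node [ id 7 label "Sub_00401320" ]
  node [ id 8 label "GetModuleHandleA" ]
  node [ id 9 label "GetProcAddress" ]
  node [ id 10 label "CreateFileA" ]
  node [ id 11 label "WriteFile" ]
  node [ id 12 label "CloseHandle" ]
  node [ id 13 label "ExitProcess" ]
  node [ id 14 label "Sleep" ]
"""
_EXEC = 'graphics [ style "line" fill "#0000FF" ]'     # assumed executed marker
_SKIP = 'graphics [ style "dashed" fill "#FF0000" ]'   # assumed non-executed marker
_EDGES = [(0, 1, _EXEC), (0, 3, _SKIP),
          *[(1, t, _EXEC) for t in (2, 8, 9, 10, 11, 12, 13)],
          *[(1, t, _SKIP) for t in (4, 5, 6, 7)],
          (2, 14, _EXEC)]
SAMPLE_GML += "".join(f"  edge [ source {s} target {t} {g} ]\n" for s, t, g in _EDGES) + "]\n"


if __name__ == "__main__":
    for sub, info in logic_path_summary(SAMPLE_GML).items():
        print(sub, info)
```

Reading the summary for Sub_004017A0 gives the same numbers as the figure walk-through (11 calls, 7 executed, 4 dashed targets), and the non-executed list is exactly what you would queue for a second, user-interactive run when a branch looks environment-dependent.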

User API Log


The User API Logs are contained in various files.
• The .log file contains the Windows user-level DLL API calls made directly by the analyzed file during dynamic
analysis. To view this file in the Advanced Threat Defense web interface, select Analysis | Analysis Reports.
Then click and select User API Log. Alternatively, click , select Complete Results, and download the
<sample_name>.zip file. This .zip file contains the same information in the <sample name>.log file in the
AnalysisLog folder. The content of the .log file includes the following:
• A record of the complete system DLL API calling sequence.

• An address that indicates the approximate calling address from which each DLL API call was made.

• Optional input and output parameters, and the return code, for key system DLL API calls.

• The following other files contain the dynamic execution logs. All these files are contained in the
<sample name>.zip file.
• <sample name>ntv.txt. This file contains the Windows Zw version of the native system services API calling
sequence during dynamic analysis. The API name typically starts with Zw, as in ZwCreateFile.

• log.zip

• dump.zip

• dropfiles.zip

• networkdrive.zip

Download the Complete Results .zip file


Advanced Threat Defense produces detailed analysis for each submitted sample. All the available reports for an
analyzed sample are available in a .zip file, which you can download from the Advanced Threat Defense web
interface.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Analysis | Analysis Reports.

3 Click and select Complete Results.
Download the <sample_name>.zip file to the location you want. This .zip file contains the reports for each
analysis. The files in this .zip file are created and stored with a standard naming convention. Suppose the
submitted sample is vtest32.exe. Then the .zip file contains the following results:
• vtest32_summary.html (.json, .txt, .xml) — This is the same as the Analysis Summary report. There are four
file formats for the same summary report in the .zip file. The .html and .txt files are mainly for end users
to review the analysis report. The .json and .xml files provide well-known malware behavior tags that
high-level scripts can use to extract key information.
If the malware severity is 3 or above, the .zip file also contains the .ioc and .stix.xml formats of the Analysis
Summary report for the sample.

• vtest32.log — This file captures the Windows user-level DLL API calling activities during dynamic analysis.
Examine this file thoroughly to understand the complete API calling sequence as well as the input and
output parameters. This is the same as the User API Log report.

• vtest32ntv.txt — This file captures the Windows native services API calling activities during dynamic
analysis.

• vtest32.txt — This file shows the PE header information of the submitted sample.

• vtest32_detail.asm — This is the same as the Disassembly Results report. This file contains the
reverse-engineering disassembly listing of the sample after it has been unpacked or decrypted.

• vtest32_logicpath.gml — This file is the graphical representation of the cross-references of function calls
discovered during dynamic analysis. This is the same as the Logic Path Graph report.

• log.zip — This file contains all the run-time log files for all processes affected by the sample during the
dynamic analysis. If the sample generates any console output text, the output text message is captured
in the ConsoleOutput.log file inside log.zip. Use any regular unzip utility to see the content of all files
inside this log.zip file.

• dump.zip — This file contains the memory dump (dump.bin) of the binary code of the sample during
dynamic analysis. This file is password protected. The password is virus.

• dropfiles.zip — This is the same as the Dropped Files report in the Analysis Reports page. The dropfiles.zip
file contains all files created or touched by the sample during the dynamic analysis. It is also password
protected. The password is virus.
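When you automate report collection it is worth checking that each Complete Results download actually contains the artifacts listed above before you archive it. The following Python is an added example (not McAfee code): it derives the expected file names from the naming convention in this section, including the .ioc and .stix.xml summaries that exist only at severity 3 and above, and reports what is missing or unexpected in a downloaded .zip. The exact base names of the OpenIOC and STIX files (<sample>_summary.ioc and <sample>_summary.stix.xml) are an assumption, since the text gives only the extensions; the .zip built here is a constructed stand-in with placeholder contents.

```python
"""Audit a downloaded Complete Results .zip against the artifact list in the
guide. Added example; not McAfee code. The OpenIOC/STIX file names
(<stem>_summary.ioc, <stem>_summary.stix.xml) are an assumption; the guide only
gives the extensions. The zip built here is a constructed stand-in."""
import io
import zipfile


def expected_artifacts(stem, severity):
    """Artifact file names the guide lists for a sample named <stem>.exe."""
    names = {f"{stem}_summary.{ext}" for ext in ("html", "json", "txt", "xml")}
    names |= {f"{stem}.log", f"{stem}ntv.txt", f"{stem}.txt",
              f"{stem}_detail.asm", f"{stem}_logicpath.gml",
              "log.zip", "dump.zip", "dropfiles.zip"}
    if severity >= 3:  # the guide: .ioc and .stix.xml only for severity 3 and above
        names |= {f"{stem}_summary.ioc", f"{stem}_summary.stix.xml"}  # assumed names
    return names


def audit_results_zip(zip_bytes, stem, severity):
    """Return (missing, unexpected) base names relative to the guide's list.
    Entries live under the AnalysisLog folder, so only the base name is compared."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        present = {n.rsplit("/", 1)[-1] for n in zf.namelist() if not n.endswith("/")}
    expected = expected_artifacts(stem, severity)
    return sorted(expected - present), sorted(present - expected)


def build_demo_zip(names):
    """Constructed stand-in for a Complete Results download; placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(names):
            zf.writestr(f"AnalysisLog/{name}", b"constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    full = build_demo_zip(expected_artifacts("vtest32", 4))
    print(audit_results_zip(full, "vtest32", 4))   # ([], [])
    partial = build_demo_zip(expected_artifacts("vtest32", 4) - {"vtest32_logicpath.gml"})
    print(audit_results_zip(partial, "vtest32", 4))  # (['vtest32_logicpath.gml'], [])
```

Keep in mind that dump.zip and dropfiles.zip inside the download are themselves password-protected archives (password virus, as stated above); this check only confirms they are present, and you need a tool that supports encrypted entries to open their contents.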

Download the original sample


Download originally submitted files. All the submitted samples are available in a .zip file.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | ATD Configuration | ATD Users.

3 Select the user profile, then click Edit.

4 Select Sample Download Access, then click Save.

5 Click Analysis | Analysis Reports.

6 Click the Reports icon, select Original Sample.

7 Save the zipped <SAMPLENAME>_<MD5SUMOFSAMPLE>.zip file on your local machine, then extract the contents
and use infected as the password.

Submit false positive and negative samples


If you find false positive and negative samples in Advanced Threat Defense, submit the samples for further
analysis.

Submit false positive samples


When you find false positive samples, submit them for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Download the sample.


a Click Manage | ATD Configuration | ATD Users.

b Select the user, then click Edit.

c Select Sample Download Access, then click Save.

d Click Analysis | Analysis Reports.

e Click the Reports icon, then select Original Sample.

f Save the .zip file on your computer.




2 Log on to the Advanced Threat Defense web interface.

3 Click Analysis | Analysis Reports.

4 Click the Reports, then select Analysis Summary.

5 Locate Engine Analysis, then determine where to submit the sample:


• GTI File Reputation — Submit the file as a Service Request or to the URL reputation team.
• To submit a file sample, go to http://support.mcafee.com, select Service Requests, then submit the false
positive file sample.

• To submit a URL sample, go to http://www.trustedsource.org, then submit the false positive URL.

• Gateway Anti-Malware — Submit the sample to the Gateway Anti-Malware team.
• Submit by email — Send an email to virus_research_gateway@avertlabs.com, attach the false
positive sample, then enter Possible False as the subject.

• Submit by service request — Go to http://support.mcafee.com, select Service Requests, then submit
the false positive sample.

• Anti-Malware — Go to http://support.mcafee.com, select Service Requests, then submit the false positive
sample.

• Sandbox — Go to http://support.mcafee.com, select Service Requests, then submit the false positive
sample.

Submit false negative samples


When a malicious sample is reported as clean (a false negative), submit it for analysis.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Download the sample.


a Click Manage | ATD Configuration | ATD Users.

b Select the user, then click Edit.

c Select Sample Download Access, then click Save.

d Click Analysis | Analysis Reports.

e Click the Reports icon, then select Original Sample.

f Save the .zip file on your computer.

2 Go to http://support.mcafee.com, select Service Requests, then submit the false negative sample.
Make sure that you include the Analysis ID.
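Before you attach a downloaded sample to a Service Request (for a false positive or a false negative), confirm that the file you are about to send is the one the report refers to. The Python script below is an added example, not part of this guide or of the product: it parses the <SAMPLENAME>_<MD5SUMOFSAMPLE>.zip name, extracts the archive with the password infected into a throw-away directory, refuses archive members with unsafe paths, and compares the MD5 of each extracted file (also recording its SHA-256 for the ticket) against the MD5 in the file name. It assumes the archive uses the legacy ZipCrypto scheme that Python's zipfile module can open; an AES-encrypted archive would need a third-party library. The build_constructed_download helper only creates an unencrypted test archive so the check can be exercised without a real download. Nothing here executes the sample.

```python
"""Verify an Advanced Threat Defense sample download before submitting it.

Added example (not McAfee code).  Assumes the download is named
<SAMPLENAME>_<MD5SUMOFSAMPLE>.zip and protected with the password
"infected" (legacy ZipCrypto, which zipfile can open).  The sample is
only hashed, never executed.
"""
import hashlib
import os
import re
import tempfile
import zipfile

ZIP_PASSWORD = b"infected"          # password stated in the download procedure
NAME_RE = re.compile(r"^(?P<sample>.+)_(?P<md5>[0-9A-Fa-f]{32})\.zip$")


def parse_download_name(path):
    """Split <SAMPLENAME>_<MD5>.zip into (sample_name, md5_lowercase)."""
    match = NAME_RE.match(os.path.basename(path))
    if not match:
        raise ValueError("unexpected download name: %s" % os.path.basename(path))
    return match.group("sample"), match.group("md5").lower()


def _safe_file_members(archive):
    """Yield file members, rejecting zip-slip paths (absolute or containing '..').

    zipfile.extract() already strips such components; the explicit check makes
    tampering visible instead of silently relocating the file.
    """
    for info in archive.infolist():
        parts = info.filename.replace("\\", "/").split("/")
        if info.filename.startswith(("/", "\\")) or ".." in parts:
            raise ValueError("refusing unsafe archive member: %s" % info.filename)
        if not info.is_dir():
            yield info


def hash_archive_contents(path, password=ZIP_PASSWORD):
    """Extract into a temporary directory and return {member: {md5, sha256, size}}."""
    results = {}
    with zipfile.ZipFile(path) as archive, tempfile.TemporaryDirectory() as tmp:
        for info in _safe_file_members(archive):
            # pwd is ignored for unencrypted members, so passing it is always safe
            extracted = archive.extract(info, path=tmp, pwd=password)
            md5, sha256 = hashlib.md5(), hashlib.sha256()
            with open(extracted, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    md5.update(chunk)
                    sha256.update(chunk)
            results[info.filename] = {
                "md5": md5.hexdigest(),
                "sha256": sha256.hexdigest(),
                "size": info.file_size,
            }
    return results


def verify_download(path):
    """Return (ok, details): ok is True only when exactly one member's MD5
    equals the MD5 embedded in the download name."""
    sample, expected_md5 = parse_download_name(path)
    members = hash_archive_contents(path)
    matches = [name for name, h in members.items() if h["md5"] == expected_md5]
    return len(matches) == 1, {
        "sample": sample,
        "expected_md5": expected_md5,
        "members": members,
        "matches": matches,
    }


def build_constructed_download(sample_name, data, forged_md5=None):
    """Create an UNENCRYPTED stand-in archive named like a real download.

    Constructed test fixture only: zipfile cannot write encrypted archives.
    forged_md5 lets a test simulate a name that does not match the content.
    """
    md5 = forged_md5 or hashlib.md5(data).hexdigest()
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "%s_%s.zip" % (sample_name, md5))
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr(sample_name, data)
    return path


if __name__ == "__main__":
    import sys
    ok, details = verify_download(sys.argv[1])
    print("MATCH" if ok else "MISMATCH", details)
```

Run it as `python verify_download.py <SAMPLENAME>_<MD5>.zip`; a MISMATCH means the archive does not contain what its name claims, and the right move is to download the sample again from the Analysis Reports page rather than submit it.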

Troubleshoot low sandbox file scores


Use Advanced Threat Defense elements to troubleshoot unexpectedly low sandbox file scores.


Task
For details about product features, usage, and best practices, click ? or Help.

Complete the following steps, submitting the sample again after each one to check whether the sandbox file score
is still low.

• Verify that you are using the latest Advanced Threat Defense version. If you are using an older version,
upgrade the Advanced Threat Defense software.

• Edit the Analyzer Profile, then select Enable Malware Internet Access.
The sample can then contact external hosts through the malware port during analysis, so make sure that port
is connected to a network where such traffic is acceptable.

• Verify that you are using the correct operating system.


For example, submit a 32-bit sample to a 32-bit operating system and a 64-bit sample to a 64-bit operating
system.

• Verify that Microsoft Office, Adobe Flash, Adobe Reader, and Java are installed on the virtual machine.
For example, when you submit a Microsoft Office document, you must have Microsoft Office installed.

• Select Analysis | Manual Upload | User Interactive Mode, configure the remaining options, then click Submit.

• Submit the sample to McAfee.

Monitor Advanced Threat Defense with the Dashboard


To analyze the malware on your network, use the Advanced Threat Defense Dashboard monitors.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Select Dashboard.

3 Specify the time period for the information to be displayed in the monitors.
For example, you can select to view the information for the past one hour. By default, data for the past 14
days is shown. This field does not affect the System Health and System Information monitors.

4 Configure the display settings for each monitor.


• To collapse a monitor, click its collapse icon.

• To hide a monitor, click its hide icon.

• To change the display format of a monitor, click its display format icon.



5 CLI commands

The Advanced Threat Defense Appliance supports command-line interface (CLI) commands for tasks such as
network configuration, restarting the appliance, and resetting the appliance to factory defaults.

Contents
Issuing CLI commands
CLI syntax
Log on to the CLI
Meaning of "?"
List of CLI commands

Issuing CLI commands


You can issue CLI commands locally, from the Advanced Threat Defense Appliance console, or remotely through
SSH.

Issuing commands
Some operations must be performed from the console host that is connected to the Advanced Threat Defense
Appliance. For example, the initial network configuration must be done from the console, because the appliance
cannot be reached over SSH until it has an IP address.

See also
Log on to the Advanced Threat Defense Appliance on page 115

Issuing a command through SSH


You can administer an Advanced Threat Defense Appliance remotely from a command prompt over SSH.

Log on to the Advanced Threat Defense Appliance


Use the SSH client to log on to the Advanced Threat Defense Appliance.

Task
1 Open an SSH client session.

2 Enter the Advanced Threat Defense Appliance IPv4 address.

3 Enter 2222 as the SSH port number.


4 Enter the logon credentials.


• User name — cliadmin

• Password — atdadmin

When the SSH client presents the appliance's host key for the first time, verify its fingerprint out of band
before you accept it.

If you are logging on for the first time, you are prompted to change the user name and password. The new
user name and password apply to the CLI only; they do not give access to any other account, and you cannot
create additional users to access the CLI.

The number of logon attempts you get depends on your SSH client. For example, PuTTY 0.54 and 0.56 allow
three logon attempts, and PuTTY 0.58 and Linux SSH clients allow four.

Auto-complete
The CLI allows you to auto-complete commands.
To auto-complete a command, press Tab after typing a few characters of a valid command and then press
Enter. For example, typing pas and pressing Tab would result in the CLI auto-completing the entry with the
command passwd.

If the partially entered text matches multiple options, the CLI displays all available matching commands.

CLI syntax
You issue commands at the command prompt in the form shown.
<command> <value>

• Values that you must enter are enclosed in angle brackets (< >).

• Optional keywords or values are enclosed in square brackets ([ ]).

• Alternative options are separated by a vertical bar (|).

• Variables are indicated by italics.

Do not type the < >, [ ], or | symbols themselves.

Mandatory commands
There are certain commands that must be executed on the Advanced Threat Defense Appliance before it is fully
operational. The remaining commands in this chapter are optional and will assume default values for their
parameters unless they are executed with other specific parameter values.
These are the required commands:

• set appliance name

• set appliance ip

• set appliance gateway is also required if any of the following are true:
• If the Advanced Threat Defense Appliance is on a different network than the McAfee products you plan
to integrate

• If you plan to access Advanced Threat Defense from a different network either using an SSH client or a
browser for accessing the Advanced Threat Defense web interface


Log on to the CLI


Before you can enter CLI commands, you must first log on to the Advanced Threat Defense Appliance with a
valid user name (default user name is cliadmin) and password (default is atdadmin).
To log off, type exit.

Change the password using the passwd command within your first interaction with the Advanced Threat Defense
Appliance.

Meaning of "?"
? displays the possible command strings that you can enter.

Syntax: ?

If you use ? after another command, it shows the next word you can type. For example, set ? lists all options
available with the set command.

List of CLI commands


This section lists the Advanced Threat Defense CLI commands in alphabetical order.

activeResponseStats
Displays the statistics on McAfee Active Response and McAfee Advanced Threat Defense integration.
Syntax:

activeResponseStats

This command has no parameters.

Example:

activeResponseStats
[ Active Response Statistics ]
Status : DISABLED
Request Files Received : 0
Search in Pending state : 0
Search in Completed state : 0
ERROR COUNT : 0

amas
Starts, stops, or restarts the amas service.

Syntax: amas <start|stop|restart>

Parameter Description
<start|stop|restart> The action to perform on the amas service.

Example: amas restart


atdcounter
Displays engine-specific counters, for example the files sent to and processed by McAfee GTI, the Anti-Virus
Engine, the Gateway Anti-Virus Engine, and amas.

Syntax: atdcounter

This command has no parameters.

backup reports
Creates a backup of the McAfee Advanced Threat Defense reports on the external FTP/SFTP server configured for a
user under the FTP results output setting.
Syntax

backup reports

This command has no parameters.

backup reports date


Creates a backup of the McAfee Advanced Threat Defense reports for a particular date range on the external
FTP/SFTP server configured for a user under the FTP results output setting.

Syntax: backup reports date <yyyy-mm-dd> <yyyy-mm-dd>

Parameter Description
<yyyy-mm-dd> <yyyy-mm-dd> The start date and the end date of the range for which you want to back up reports.

Example: backup reports date 2014-07-10 2014-07-12

blacklist
Use the following commands to manage the McAfee Advanced Threat Defense blacklist. Entries are keyed by the
MD5 hash of the file.

Syntax:

• To add an MD5 to the blacklist, use blacklist add <md5> <score> <file_name> <malware_name>
<Eng-ID> <OS-ID>

Parameter Description
<md5> The MD5 hash value of a malware that you want to add to the blacklist.
<score> The malware severity score. A valid value is from 3 to 5.
<file_name> The file name for the MD5.
<malware_name> The malware name for the MD5.
<Eng-ID> The numerical ID for the engine that detected the malware. Following is the numerical
coding. Sandbox — 0, GTI — 1, GAM — 2, Anti-Malware — 4.
<OS-ID> The numerical ID of the operating system that was used to dynamically analyze the
malware.

Example: blacklist add 254A40A56A6E28636E1465AF7C42B71F 3 ExampleFileName ExampleMalwareName 4 2

• To delete an MD5 from the blacklist, use blacklist delete <md5>

Parameter Description
<md5> The MD5 hash value of a malware that you want to delete from the blacklist.

Example: blacklist delete 254A40A56A6E28636E1465AF7C42B71F

• To check if an MD5 is present in the blacklist, use blacklist query <md5>

Parameter Description
<md5> The MD5 hash value of a malware that you want to query if it is present in the blacklist.

Example: blacklist query 254A40A56A6E28636E1465AF7C42B71F

If the MD5 is present, the details such as the engine ID, malware severity score, and so on, are displayed.

• To update the details for an entry in the blacklist, use blacklist update <md5> <score> <file_name>
<malware_name> <Eng-ID> <OS-ID>

Parameter Description
<md5> The MD5 hash value of a malware that you want to update. This value must exist in the
blacklist for you to update the record.
<score> The new malware severity score that you want to change to. A valid value is from 3 to 5.
<file_name> The new file name for the MD5.
<malware_name> The new malware name for the MD5.
<Eng-ID> The new engine ID that you want to change to.
<OS-ID> The new value for the operating system that was used to dynamically analyze the
malware.

Example: blacklist update 254A40A56A6E28636E1465AF7C42B71F 4 ExampleFileName ExampleMalwareName 2 4

clearstats all
Use this command to reset all the McAfee Advanced Threat Defense statistics to zero.

Syntax: clearstats all

This command has no parameters.

The following information is displayed using this command:

<=== DXL STATUS ===>


Status : DISABLED
DXL Channel Status : DOWN
Sample Files Received Count : 0
Sample Files Published Count : 0
Sample Files Queued Count : 0

clearstats ActiveResponse
Clears all previous statistics from McAfee Active Response and McAfee Advanced Threat Defense integration.
Syntax:

clearstats ActiveResponse

This command has no parameters.


Example:

clearstats ActiveResponse
All Active Response stats are reset to zero
Request Files Received : 0
Search in Pending state : 0
Search in Completed state : 0
Response from MAR : 0

clearstats dxl
Resets the DXL file counter to zero.
Syntax: clearstats dxl

This command has no parameters.

The following information is displayed using this command.

All DXL stats are reset to zero


Sample Files Received Count : 0
Sample Files Published Count : 0

clearstats lb
Use this command to reset all the McAfee Advanced Threat Defense load-balancing statistics to zero.

Syntax: clearstats lb

This command has no parameters.

The following information is displayed using this command:

LB stats are reset to zero

clearstats tepublisher
Clear the count of events sent to McAfee ePO.

Syntax: clearstats tepublisher

This command has no parameters.

The following information is displayed using this command:

All TEP stats are reset to zero


Sample Files Received Count : 0
Sample Files Published Count : 0

clearlbconfig
Destroys the load-balancing cluster configuration on the node where you run it. The command can be run on
any node (Primary, Backup, or Secondary); it removes all cluster-related configuration from that node and turns
it into a standalone appliance.

Use this command when the normal ways of removing a node (Remove Node or Withdraw From Cluster) fail to
remove it from the cluster.

If you run clearlbconfig on the Primary or Active node, run it on every other node in the cluster as well.


Syntax: clearlbconfig

This command has no parameters.

createDefaultVms
Delete all of the existing analyzer VMs and create default analyzer VMs.

Syntax: createDefaultVms

This command has no parameters.

This command will not work on the non-active nodes in the cluster.

db_repair
Repairs the Advanced Threat Defense database when the database is corrupt.

Syntax: db_repair

This command has no parameters.

deleteblacklist
Remove all the entries from the Advanced Threat Defense blacklist.

Syntax: deleteblacklist

This command has no parameters.

deletesamplescore <0-5>
Deletes all sample reports with the specified severity score.
Syntax:

deletesamplescore <0-5>

Parameter Description
<0-5> A severity score from 0 to 5.

Example:

deletesamplescore 0
Deleting all sample results with score=0
delete 0 sample entries with 0

deletesamplereport
Deletes all of the analysis reports for a file.
Syntax: deletesamplereport <md5>

Parameter Description
<md5> The file MD5 value that you want to use to delete all the reports in Advanced Threat Defense.

Example: deletesamplereport c0850299723819570b793f6e81ce0495


diskcleanup
Delete old analysis reports when the Advanced Threat Defense disk space is low.

Syntax: diskcleanup

This command has no parameters.

To prevent Advanced Threat Defense from losing your results and reports, enable set resultbackup.

dxlstatus
View the DXL status.

Syntax: dxlstatus

This command has no parameter.

The following information is displayed using this command:

<=== DXL STATUS ===>


Status : DISABLED
DXL Channel Status : DOWN
Sample Files Received Count : 0
Sample Files Published Count : 0
Sample Files Queued Count : 0

exit
Exits the CLI.
This command has no parameters.

Syntax:

exit

factorydefaults
Deletes all samples, results, logs, and analyzer VM images, then resets the IP addresses before rebooting the
device. This command does not appear when you type ?, and auto-complete does not apply to it: you must type
the command in full to execute it.
This command has no parameters.

• You are warned that the operation clears the Advanced Threat Defense Appliance, and you must confirm the
action. The appliance returns to its clean, pre-configured state, losing all current configuration settings
on both the active and backup disks. Once you confirm, the command immediately clears all configuration
settings, samples, results, logs, and analyzer VM images on both disks.

• The software version currently on the backup disk is applied to the active disk.

• The current software version in the backup disk is applied on the active disk.

Syntax:

factorydefaults


filetypefilter
Makes Advanced Threat Defense filter samples on the file extension they carry before sending them for dynamic
analysis. Because the filter keys on the extension rather than on the content, a file that was renamed to an
extension outside the list is not analyzed; weigh that against the sandbox load the filter saves.
Syntax: filetypefilter <enable|disable|status>

Parameter Description
status Displays whether the filetypefilter feature is enabled or disabled.
By default, it is disabled.

enable Enables sample filtering. When enabled, Advanced Threat Defense sends only the following supported
file types for analysis:
.7z, .ace, .apk, .arj, .bat, .cab, .cgi, .chm, .class, .cmd, .com,
.dll, .doc, .docm, .docx, .dotm, .dotx, .eml, .exe, .htm,
.html, .inf, .ins, .js, .lnk, .lzh, .lzma, .mof, .msg,
.ocx, .pdf, .potm, .potx, .ppam, .pps, .ppsm, .ppsx

disable Disables sample filtering.


When disabled, Advanced Threat Defense uses the default file types that dynamic analysis
supports.

ftptest
Tests the FTP settings configured for a user.

Syntax: ftptest <USER_NAME>

Parameter Description
<USER_NAME> The user whose FTP settings you want to test.

Example: ftptest NSPuser

gti-restart
Restarts the McAfee GTI engine.

Syntax: gti-restart

This command has no parameters.

help
Provides a description of the interactive help system.
This command has no parameters.

Syntax:

help

http_redirect
Enables or disables redirection of HTTP browser requests to HTTPS. When http_redirect is disabled, access over
HTTPS is not enforced: the web interface and the REST API also answer over plain HTTP, so logon credentials
and submitted samples can cross the network unencrypted.

Syntax:

set http_redirect <enable|disable>

If port 80 is disabled (see set port80), there is no HTTP listener, the redirect is not used, and the
Advanced Threat Defense Appliance interface is reached on the HTTPS port only.

Any sample that you submit while the command runs is rejected, because lighttpd is restarted.

Parameter Description
enable When http_redirect is enabled, http URLs are redirected to https. REST API calls are accepted only
over the https protocol.
disable When http_redirect is disabled, http is not redirected to https. REST API calls are accepted over
the http or the https protocol.

Keep http_redirect enabled. Disable it only temporarily, while you troubleshoot certificate validation
issues, and enable it again afterwards.

To see whether http to https redirection is enabled or disabled on the Advanced Threat Defense Appliance, use
the show http_redirect command. By default, the redirect feature is enabled.

Syntax: show http_redirect

install msu
Installs an msu file of one of these types:
• amas-3.x.x.x.x.msu

• system-3.x.x.x.x.msu

Syntax:

install msu <SWNAME> <RESET_DB>

Parameter Description
<SWNAME> The msu file name that you want to install.
<RESET_DB> Accepts the following values:
• 0 — The msu file installs without resetting the database.
• 1 — The msu file installs and the database is reset. Run backup reports first, because the existing
analysis data is discarded.

Example: install msu amas-3.3.0.25.42303.msu 1

install package <package path>


Installs the detection or application package in the background.

Before you run this command, SFTP the install package to your Advanced Threat Defense Appliance with
atdadmin user account.

Syntax:

install package <package path>

Parameter Description
<package path> Enter the package path and name.

lbservice
Restarts the load-balancing (LB) services or checks their status.
Syntax:

lbservice <restart|status>

Example:

ATD-3000> lbservice status

lbservice is running

ATD-3000> lbservice restart

lbservice restarted

ATD-3000>

lbstats
Shows the statistics for the Primary, Backup, and Secondary nodes in a load-balancing cluster.
This command has no parameters. No output is displayed if the Advanced Threat Defense Appliance is not part
of a cluster.

Syntax:

lbstats
list
Lists all of the available CLI commands.

Syntax: list

This command has no parameters.

lowseveritystatus
Advanced Threat Defense treats severity 1 and 2 samples as low-severity, and severity 3, 4, and 5 as malicious.
By default, when you configure dynamic analysis, the dynamic analysis score is displayed in the summary report
for all samples. The score also affects the final score for the sample. You can use the lowseveritystatus
command to alter the behavior. For example, for low-severity samples that are dynamically analyzed, Advanced
Threat Defense does not display the dynamic analysis score in the summary report, or consider the score to
compute the final score.

The lowseveritystatus command applies only to non-PE samples, such as Microsoft Word documents and PDF
files.


Syntax: lowseveritystatus <show|hide>

Example: lowseveritystatus hide

Parameter Description
show The default behavior. If a sample is dynamically analyzed, Advanced Threat Defense displays the
dynamic analysis score in the report. It also considers the score to compute the final score.
hide Assume that the sample is a non-PE file, which has undergone dynamic analysis. If Advanced
Threat Defense detects the file to be low-severity, it does not display the dynamic analysis score
in the report (under Sandbox in the Down Selector's Analysis section). Advanced Threat Defense also
does not consider the dynamic analysis score for computing the final score. However, the details
of the dynamic analysis such as files opened and files created are included in the report.

The lowseveritystatus hide command affects only the score displayed in the report and does not
affect how the results are displayed in the Analysis Reports page.

no malware-dns
Resets the malware DNS setting to the default, 127.0.0.1.
Syntax:

no malware-dns

no timeout
Removes the idle timeout for SSH sessions. Without a timeout, an unattended CLI session stays logged on until
it is closed explicitly.
Syntax:

no timeout

This command has no parameters.

nslookup
Resolves a domain name. Use it to verify that the Advanced Threat Defense Appliance can resolve names through
the DNS servers configured with set appliance dns.

Syntax: nslookup <WORD>

Parameter Description
<WORD> The domain name that you want to resolve.

Example: nslookup mcafee.com

passwd
Changes the password of the CLI cliadmin user.

A password must be between 8 and 25 characters in length and can consist of any alphanumeric character or
symbol.

You are asked to enter the current password before changing to a new password.

Syntax:

passwd


ping
Pings a network host by IPv4 address or by domain name.

Syntax:

ping <A.B.C.D | WORD>

Parameter Description
<A.B.C.D> The 32-bit IPv4 address of the host, written as four eight-bit numbers separated by periods. Each
number (A, B, C, or D) is between 0 and 255.
<WORD> The domain name that you want to ping.

quit
Exits the CLI.
This command has no parameters.

Syntax:

quit

reboot
Reboots the Advanced Threat Defense Appliance with the image in the current disk. You must confirm that you
want to reboot.
Syntax:

reboot [vmcreator]

Parameter Description
vmcreator Recreates the analyzer VMs configured in the Advanced Threat Defense web interface while the
appliance reboots.

remove
Removes the original sample files from Advanced Threat Defense for all samples whose analysis is complete.

The remove command has these parameters:


• now: Immediately removes the original files of all completed samples present on Advanced Threat Defense.
After that, the sample cannot be downloaded, even if Sample Download Access is enabled.

• enable: Immediately removes the original files of all completed samples present on Advanced Threat
Defense, and sets up a daily task that removes the original files of newly completed samples at the
configured time.

• disable: Disables the daily task that removes the original files of newly completed samples at the
configured time.

Syntax: remove samples all <now | enable <hh:mm:ss> | disable>

Example 1: ATD-6000> remove samples all now

Removing all sample files now...

10 sample files removed

Example 2: ATD-6000> remove samples all enable 11:37:14

Removing all sample files now...

14 sample files removed

Setting up daily task to remove newly completed sample files at 11:37:14

Example 3: ATD-6000> remove samples all disable

Disabling daily task

removeAndroid
Remove the Android VM from the VM profile list.

Make sure that Android is not the default VM profile and that the vmcreator process is not running.

Syntax: removeAndroid

This command has no parameters.

Sample Output:

ATD_1U_21> removeAndroid

Started deleting the android VM

Successfully deleted the android VM

This command will not work on the non-active nodes in the cluster.

removenetworkaddress
Removes the IP address, subnet mask, and gateway address from the Advanced Threat Defense Appliance.

The change takes effect after the appliance is rebooted. This is a hidden command, intended for use with
Support.

Syntax: removenetworkaddress

This command has no parameters.

Example: ATD-6000> removenetworkaddress

Remove the appliance network addresses ?

Please enter Y to confirm:

removeSampleInWaiting
Removes all samples that are waiting to be analyzed by Advanced Threat Defense.

Syntax: removeSampleInWaiting

This command has no parameters.


The following information is displayed using this command:

Starting the sample queue cleaning...


The cleaning is done

removevmImage
Deletes a VM image from the Secondary nodes of a load-balancing cluster. Run the command on the active
Primary or Backup Advanced Threat Defense. With the option all, the image is deleted from every Secondary node;
with an IP address A.B.C.D, it is deleted only from the Secondary node with that address. The command never
deletes the image from the active (Primary/Backup) Advanced Threat Defense itself.

Reduce the license count for ImageName to zero before you run this command, or the command fails.

To obtain ImageName, use the show vmImage command.

Syntax:

removevmImage <ImageName> <all | A.B.C.D>

Example:

removevmImage winxpsp3 all

removevmImage winxpsp3 10.34.2.1

resetuiadminpasswd
Resets the Advanced Threat Defense web interface administrator password to the default value, admin. Sessions
that are already logged on are unaffected; the change applies only to new logon attempts. Because the default
password is publicly documented, log on and set a new password immediately after running this command.
Syntax: resetuiadminpasswd

Press Y to confirm, or N to cancel.

resetusertimeout
Clears the logon timer for an Advanced Threat Defense web interface user, so that the user can log on without
waiting for the timer to expire.

Syntax: resetusertimeout <WORD>

Parameter Description
<WORD> The Advanced Threat Defense web interface user name whose logon timer you want to clear.
When the action is successful, the Reset done! message displays.

Example: resetusertimeout admin

restart network
Restarts the Advanced Threat Defense network.

Restart amas after using this command.

Syntax: restart network

This command has no parameters.


revert package application


Revert the current application software package and install the backup application software as current.
Syntax: revert package application

This command has no parameters.

Use this command when you cannot revert the application software from the Advanced Threat Defense
interface.

revert package detection


Reverts the current detection software package and installs the backup detection package as current.
Syntax: revert package detection

This command has no parameters.

Use this command when you cannot revert the detection package from the Advanced Threat Defense web
interface.

revertwebcertificate
Revert the uploaded web certificate to the default certificate.

Syntax: revertwebcertificate

This command has no parameters.

The following information is displayed using this command:

revertwebcertificate
Successfully reverted back web certificate to default!
Restarting lighttpd service!

route add/delete network


Adds or deletes static routes on the Advanced Threat Defense Appliance.
To add a route

route add network <network ip> netmask <netmask> gateway <gateway ip> intfport <1|2|3>

Example: route add network 1.1.1.0 netmask 255.255.255.0 gateway 1.1.1.1 intfport 1

To delete a route

route delete network <network ip> netmask <netmask> gateway <gateway ip> intfport <1|2|3>

Example: route delete network 1.1.1.0 netmask 255.255.255.0 gateway 1.1.1.1 intfport 1

samplefilter
This command applies to Network Security Platform Sensors and to all REST channel submissions. Use it to
prevent Sensors from sending unsupported file types to McAfee Advanced Threat Defense for analysis.
Syntax:

samplefilter <status|enable|disable>

Parameter Description
status Displays whether sample filtering is currently enabled or disabled. By default, it is enabled.
enable Turns sample filtering on. When enabled, McAfee Advanced Threat Defense considers only the
supported file types from Network Security Platform for analysis.
McAfee Advanced Threat Defense ignores all other file types and informs Network Security Platform that
the sample is of an unsupported file type, so that neither McAfee Advanced Threat Defense nor Network
Security Platform spends resources on unsupported files.

disable Turns sample filtering off. When disabled, McAfee Advanced Threat Defense accepts all files
submitted by Network Security Platform, but only the supported file types are analyzed. The remaining
files are reported as unsupported on the Analysis Status and Analysis Reports pages.

Example:

samplefilter status

See also
Analyzing malware on page 4

set appliance dns A.B.C.D E.F.G.H WORD


Configures the Advanced Threat Defense Appliance preferred and alternate DNS address.
Syntax:

set appliance dns A.B.C.D E.F.G.H WORD

Parameter Description
<A.B.C.D> DNS preferred address
<E.F.G.H> DNS alternate address
<WORD> Appliance domain name

Example: ATD-6000> set appliance dns 1.1.1.2 10.11.10.4 nai.com

DNS setting had been configured

set port80
Enables or disables access to the Advanced Threat Defense web interface over HTTP port 80.
Syntax

set port80 <enable|disable>

Parameter Description
<enable> The interface can be reached from a browser through http://<Advanced Threat Defense IP address>;
with http_redirect enabled, the browser is then redirected to https://<Advanced Threat Defense IP address>.
(Replace Advanced Threat Defense IP address with the actual IP address)
<disable> The interface cannot be reached from a browser over port 80; use
https://<Advanced Threat Defense IP address> directly.

Delete the browser cache before you access the Advanced Threat Defense interface.

If you disable port 80, the http redirect does not work either, because no HTTP listener remains to answer
the request.

Example

set port80 enable


Enabling HTTP port 80
Http port 80 enabled
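After you change http_redirect or set port80, check the result from a workstation rather than trusting the command output. The Python probe below is an added example, not part of this guide or of the product: it sends one plain-HTTP request to the appliance's management address and classifies the answer as redirected to https (http_redirect enforced), served over HTTP (redirect disabled, so logons and REST API calls can travel in clear text), redirected somewhere other than https, or closed (port 80 disabled). The run_fake_atd function is a constructed stand-in server used only so the probe can be exercised offline; the exact response of a real appliance is not documented here, and only the usual 3xx-with-Location convention is assumed.

```python
"""Probe whether an appliance redirects plain HTTP to HTTPS.

Added example (not McAfee code).  Assumes the management interface answers
on the HTTP port (set port80 enable) and that an enforced redirect shows up
as a 3xx response whose Location starts with https://.  run_fake_atd() is a
constructed stand-in so the probe can be tested without an appliance.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def probe_http_redirect(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP and classify the answer.

    verdict values:
      redirects-to-https  http_redirect is enforced
      served-over-http    redirect disabled: logons and REST calls can cross the
                          network in clear text
      redirects-to-http   a redirect that does not land on https (misconfiguration)
      closed              nothing accepts connections on the port (port 80 disabled)
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        resp.read()
        conn.close()
    except OSError:                 # ConnectionRefusedError, timeouts, DNS failures
        return {"status": None, "location": None, "verdict": "closed"}

    if 300 <= status < 400 and location:
        scheme = urlparse(location).scheme.lower()
        verdict = "redirects-to-https" if scheme == "https" else "redirects-to-http"
    else:
        verdict = "served-over-http"
    return {"status": status, "location": location, "verdict": verdict}


class _FakeATDHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 301 to https when redirect is on, else a 200 page."""
    redirect = True

    def do_GET(self):
        if self.redirect:
            host = self.headers.get("Host", "").split(":")[0]
            self.send_response(301)
            self.send_header("Location", "https://%s%s" % (host, self.path))
            self.end_headers()
        else:
            body = b"<html>constructed logon page</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):   # keep the test output quiet
        pass


def run_fake_atd(redirect=True):
    """Start the stand-in on 127.0.0.1 and an ephemeral port; returns (server, port).

    Call server.shutdown(); server.server_close() when done.
    """
    handler = type("Handler", (_FakeATDHandler,), {"redirect": redirect})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_http_redirect(target))
```

Run `python probe_redirect.py <Advanced Threat Defense IP address>` from the management network; anything other than redirects-to-https means that plain-HTTP access to the appliance is possible and http_redirect should be enabled again.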

set appliance gateway


Specifies the IPv4 address of the gateway for the Advanced Threat Defense Appliance.

Syntax:

set appliance gateway <A.B.C.D>

Parameter Description
<A.B.C.D> A 32-bit address written as four eight-bit numbers separated by periods. A, B, C or D represents
an eight-bit number between 0–255.

Example:

set appliance gateway 192.34.2.8

set appliance ip
Specifies the Advanced Threat Defense Appliance IPv4 address and subnet mask. Changing the IP address
requires a restart for the changes to take effect. See the reboot command for instructions on how to reboot
the Advanced Threat Defense Appliance.

Syntax:

set appliance ip <A.B.C.D> <E.F.G.H>

Parameter Description
<A.B.C.D> The IPv4 address of the Advanced Threat Defense Appliance.
<E.F.G.H> The netmask. The netmask strips the host ID from the IP address, leaving only the network ID: binary
ones (decimal 255) mask the network ID and binary zeroes (decimal 0) retain the host ID of the IP address
(for example, the default netmask for a Class C address is 255.255.255.0).

Example:

set appliance ip 192.34.2.8 255.255.0.0

set appliance name


Sets the name of the Advanced Threat Defense Appliance. This name is used to identify the Advanced Threat
Defense Appliance if you integrate it with Network Security Platform.

Syntax:

set appliance name <WORD>

Parameter Description
<WORD> Indicates a case-sensitive character string of up to 25 characters. The string can include hyphens, underscores, and periods, and must begin with a letter.

Example:

set appliance name SanJose_MATD1


set gti dns check


Controls whether McAfee GTI requires working DNS resolution. By default this check is disabled, which means that McAfee GTI keeps working even when Advanced Threat Defense has no Internet access. If the check is enabled, McAfee GTI does not work unless Advanced Threat Defense is connected to the Internet and can resolve the McAfee GTI lookup URLs. Restart amas for these changes to take effect in Advanced Threat Defense.

Syntax: set gti dns check <enable><disable>

Example: ATD-6000> set gti dns check enable

DNS access check is now enabled

ATD-6000> set gti dns check disable

DNS access check is now disabled

set gti server ip <Private Cloud IP>

Points McAfee GTI lookups at a GTI Private Cloud, specified by its IP address.

Syntax:

set gti server ip <Private Cloud IP>

Parameter Description
<Private Cloud IP> Enter the IP address of the GTI Private Cloud.

set gti server url <Domain Name>

Points McAfee GTI lookups at a GTI Private Cloud, specified by its URL.

Syntax:

set gti server url <Domain Name>

Parameter Description
<Domain Name> Enter the URL of the GTI Private Cloud.

set gti server ip 0.0.0.0


Resets GTI to Public Cloud.

Syntax:

set gti server ip 0.0.0.0

set gti server url 0.0.0.0


Resets GTI to Public Cloud.

Syntax:

set gti server url 0.0.0.0

set intfport
Enable or disable the Advanced Threat Defense interface ports.
Syntax:

set intfport <1><2><3> <enable><disable>


Example: set intfport 1 enable

set intfport <1-3> ipdelete <ip address>


Removes IP addresses assigned to an interface.
Syntax:

set intfport <1-3> ipdelete <ip address>

Parameter Description
<1-3> Enter one of the three available ports.
<ip address> Enter the IP address that you want to remove.

Example:

set intfport 1 ipdelete 0.0.0.0


Interfaceport 1 IP deleted successfully

set intfport auto


Sets an interface port to auto-negotiate the connection with the immediate network device.

Syntax:

set intfport <1><2><3> auto

Example:

set intfport 1 auto

set intfport ip
Sets an IP address to an interface port.

Syntax:

set intfport <1><2><3> ip A.B.C.D E.F.G.H

Example:

set intfport 1 ip 10.10.10.10 255.255.255.0

set intfport speed duplex


Configures the speed and duplex setting on the specified interface port.

Syntax:

set intfport <1><2><3> speed <10 | 100> duplex <half | full>

Parameter Description
<1> <2> <3> Specifies the interface port ID whose speed and duplex you want to configure.
<10 | 100> Configures the speed on the interface port. The speed value can be either 10 or 100.
<half | full> Configures the duplex setting on the interface port. Set the value 'half' for half duplex and 'full' for full duplex.

Example:

set intfport 1 speed 100 duplex full


set IPAddressSwap
When you submit samples for analysis through Network Security Platform, the source and destination IP information of the submitted samples is swapped.
To reverse this, Advanced Threat Defense provides the set IPAddressSwap command. It undoes the swap introduced by Network Security Platform and displays the correct source and destination IP information for samples submitted through Network Security Platform. Samples submitted from McAfee NGFW to Advanced Threat Defense already display the source and destination IP information correctly. Use the following command to enable or disable IPAddressSwap as needed.

Syntax: set IPAddressSwap <enable><disable>

By default, set IPAddressSwap is enabled.

Example: set IPAddressSwap enable

set ldap enable|disable


Enables or disables LDAP authentication. Make sure that all LDAP parameters are configured correctly in the web interface before you use this command.
Syntax:

set ldap enable|disable

Parameter Description
enable Enables LDAP authentication.
disable Disables LDAP authentication.

Example:

set ldap disable


Disabling ldap support...

Note:
Authentication method got changed!
Terminating matdcli session in 10 seconds!
Please login again!

set malware-dns
Use this command to configure the malware DNS IP address that Advanced Threat Defense uses to route the malware DNS queries.

Syntax: set malware-dns <A.B.C.D>

Example: set malware-dns 192.168.200.110

set malware-intfport
Configure the required port to route Internet traffic from an analyzer VM.

Before you run this command, make sure that the required port is enabled and configured with an IP address.

Syntax: set malware-intfport <1><2><3> gateway A.B.C.D

Example: set malware-intfport 1 gateway 10.10.10.252

Run show intfport 1 and verify the Malware Interface Port and Malware Gateway entries.


Advanced Threat Defense uses the configured port to provide Internet access to analyzer VMs.

See also
Internet access to sample files on page 15

set mgmtport auto


Configures the network port to auto-negotiate the connection between the Advanced Threat Defense Appliance
and the immediate network device.
This command has no parameters.

Syntax:

set mgmtport auto

Default Value:

By default, the network port is set to auto (auto-negotiate).

set malware-intfport mgmt


By default, Internet access for analyzer VMs goes through the McAfee Advanced Threat Defense management port (eth-0). Use this command if you configured a different port for routing Internet traffic and want to revert to the management port.

Syntax: set malware-intfport mgmt

Run show intfport mgmt and verify the Malware Interface Port and Malware Gateway entries.

McAfee Advanced Threat Defense uses the management port to provide Internet access to analyzer VMs. See
Internet access to sample files on page 15.

set mgmtport speed and duplex


Configures the network port to match the speed of the network device connecting to the Advanced Threat
Defense Appliance, then runs in full- or half-duplex mode.

Syntax:

set mgmtport <speed <10 | 100> duplex <full | half>>

Parameter Description
<10|100> Specifies the speed on the Ethernet network port. The speed value can be either 10 or 100 Mbps.
To set the speed to 1000 Mbps, use the set mgmtport auto command.
<half|full> Specifies the duplex setting on the Ethernet network port.
• half — Half duplex
• full — Full duplex

Default Value:

By default, the network port is set to auto (auto-negotiate).

set pdflinks
Enables or disables McAfee GTI validation of links embedded in PDFs during dynamic analysis.

Syntax: set pdflinks <enable><disable>


Example:

set pdflinks enable

Enable pdflinks operation

set filesizes
Enables you to change the minimum and maximum file sizes.
Syntax:

set filesizes <type number> <minimum size> <maximum size> <restart engine>

Parameter Description
type number Type of file submitted for analysis (see the table below).
minimum size Minimum file size, in bytes.
maximum size Maximum file size, in bytes.
restart engine Uses a value of 1 or 0. 1 restarts the AMAS service, which is required for NSP and NGFW integration. 0 keeps the AMAS service running; use this when submission is through the GUI or REST API.

Type number File description Minimum size Maximum size
1 Windows portable executable (PE) exe, dll or sys file 1024 bytes 10 MB
2 PDF document file with .pdf extension 2048 bytes 25 MB
3 Java class data file with .class extension 1024 bytes 5 MB
4 Microsoft Office older files with .doc, .ppt or .xls extension 5120 bytes 10 MB
5 Microsoft rich text format file with .rtf extension 1024 bytes 10 MB
6 Zip file, APK file, or newer Microsoft Office file with .docx, .pptx or .xlsx extension 200 bytes 20 MB
7 JPEG image file 5120 bytes 1 MB
8 PNG image file 5120 bytes 1 MB
9 GIF image/bitmap file 5120 bytes 1 MB
10 Microsoft DOS executable file with .com extension 1024 bytes 5 MB
11 Flash file with .swf extension 1024 bytes 5 MB
12 7-zip compressed archive file with .7z extension 200 bytes 10 MB
13 RAR compressed archive file with .rar extension 200 bytes 10 MB
14 Microsoft cabinet compressed archive file with .cab and .msi extension 200 bytes 10 MB
15 Miscellaneous text or script files, for example .js, .bat, .vbs, .xml, .url, .htm etc. 100 bytes 1 MB

For example, to change the minimum file size of a JPEG image file to 300 bytes, run the command set filesizes 7 300 1000000 0.

If the file size specified is beyond the minimum or maximum value listed in the above table, the following error message is displayed:
The <max><min> file size value=<numeric value specified> is invalid
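The following is an added example that models the bounds check described above; it is written for this section and is not code from the McAfee product or its CLI. The table is encoded as data and a `set filesizes` line is parsed and validated against it, producing the documented error wording when a size is rejected. The appliance's exact rule is not stated on this page, so the example assumes that the documented maximum is a ceiling that cannot be raised while the documented minimum is a default that may be lowered (the only reading consistent with the JPEG example above); the function names and the decimal-megabyte convention (1 MB = 1000000, as in that example) are likewise assumptions.

```python
"""Model the `set filesizes` bounds check (added example, not ATD code)."""
from typing import Dict, NamedTuple, Tuple

# The guide writes 1 MB as 1000000 in its own example, so use decimal megabytes.
MB = 1_000_000


class Limit(NamedTuple):
    description: str
    min_size: int  # bytes
    max_size: int  # bytes


# Type number -> documented bounds, copied from the table in this section.
FILESIZE_LIMITS: Dict[int, Limit] = {
    1: Limit("Windows PE exe, dll or sys", 1024, 10 * MB),
    2: Limit("PDF document", 2048, 25 * MB),
    3: Limit("Java class", 1024, 5 * MB),
    4: Limit("Office .doc/.ppt/.xls", 5120, 10 * MB),
    5: Limit("Rich text .rtf", 1024, 10 * MB),
    6: Limit("Zip, APK or .docx/.pptx/.xlsx", 200, 20 * MB),
    7: Limit("JPEG image", 5120, 1 * MB),
    8: Limit("PNG image", 5120, 1 * MB),
    9: Limit("GIF image/bitmap", 5120, 1 * MB),
    10: Limit("DOS .com executable", 1024, 5 * MB),
    11: Limit("Flash .swf", 1024, 5 * MB),
    12: Limit("7-zip .7z archive", 200, 10 * MB),
    13: Limit("RAR .rar archive", 200, 10 * MB),
    14: Limit("Cabinet .cab/.msi", 200, 10 * MB),
    15: Limit("Text or script (.js, .bat, .vbs, ...)", 100, 1 * MB),
}


def parse_filesizes_command(command: str) -> Tuple[int, int, int, int]:
    """Split `set filesizes <type> <min> <max> <restart>` into four integers."""
    parts = command.split()
    if len(parts) != 6 or parts[:2] != ["set", "filesizes"]:
        raise ValueError(
            "expected: set filesizes <type number> <minimum size> "
            "<maximum size> <restart engine>"
        )
    try:
        type_no, min_size, max_size, restart = (int(p) for p in parts[2:])
    except ValueError:
        raise ValueError("type number, sizes and restart flag must be integers") from None
    return type_no, min_size, max_size, restart


def validate_filesizes(type_no: int, min_size: int, max_size: int, restart: int) -> Tuple[bool, str]:
    """Return (ok, message); a rejected size uses the guide's error wording.

    Policy (an assumption of this example): the documented maximum is a ceiling
    that may be lowered but not raised; the minimum only has to be positive and
    smaller than the maximum, so it may go below the documented default.
    """
    limit = FILESIZE_LIMITS.get(type_no)
    if limit is None:
        return False, f"Unknown file type number {type_no}"
    if restart not in (0, 1):
        return False, "restart engine must be 1 (restart AMAS) or 0 (keep AMAS running)"
    if max_size <= 0 or max_size > limit.max_size:
        return False, f"The max file size value={max_size} is invalid"
    if min_size <= 0 or min_size >= max_size:
        return False, f"The min file size value={min_size} is invalid"
    restart_text = "yes" if restart else "no"
    return True, f"{limit.description}: {min_size}-{max_size} bytes (restart AMAS: {restart_text})"


def apply_filesizes(command: str) -> Tuple[bool, str]:
    """Parse and validate one CLI line, e.g. the guide's own JPEG example."""
    return validate_filesizes(*parse_filesizes_command(command))


if __name__ == "__main__":
    for line in ("set filesizes 7 300 1000000 0", "set filesizes 7 300 2000000 0"):
        print(line, "->", apply_filesizes(line))
```

Running the block prints the accepted JPEG example from the guide followed by the rejection of a 2 MB JPEG maximum, which exceeds the documented 1 MB ceiling.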


Set FTP
When you upload files for analysis using an FTP client or when you import a VMDK file into Advanced Threat
Defense to create an analyzer VM, you use SFTP since FTP is not supported by default. However, if you prefer to
use FTP for these tasks, you can enable FTP.

In Common Criteria (CC) mode, FTP is not supported.

Syntax: set ftp <enable><disable>

By default, FTP is disabled.

Example: set ftp enable

See also
show ftp on page 144

set headerlog
Use this command to enable or disable logging of HTTP header information. The lighttpd web server is restarted when this command runs.

Syntax: set headerlog <enable><disable>

By default, HTTP header information is not logged.

Example: set headerlog enable
set logconfig
Sets the debugging mode applied to logs.

Syntax: set logconfig <enable><disable>

Parameter Description
enable Enable logconfig support
disable Disable logconfig support

The command's output covers the following modules: IPS, AvDat, CLI, EPO, Monitor, Amaslib, GTI, GAM, MAV, Scanners, LB, DXL, INI, SNMP, CONFIG.

set mar-timeout
Configure a timeout period after which Advanced Threat Defense stops querying MAR server for results.

Syntax: set mar-timeout <seconds>

Sample Output: Updated the MAR timeout value to 60 seconds


set nsp-ssl-channel-encryption
Use this command to configure an encrypted channel for communication between Advanced Threat Defense
and Network Security Platform.

Syntax: set nsp-ssl-channel-encryption <enable><disable>

Example: ATD-6000> set nsp-ssl-channel-encryption enable

Encrypted data transfer from Network Security Platform


Use these steps to set up secure communication between Advanced Threat Defense and Network Security Platform.

• If encryption is enabled on Advanced Threat Defense and Network Security Platform, the data sent from Network Security Platform to Advanced Threat Defense is encrypted and uses an AES128-SHA cipher.

  • Log on to the Sensor CLI and enter debug mode.

  • Execute set amchannelencryption on.

  • Log on to the Advanced Threat Defense CLI and execute set nsp-ssl-channel-encryption enable.

• If encryption is disabled on Advanced Threat Defense and Network Security Platform, the data sent from Network Security Platform to Advanced Threat Defense is not encrypted and uses a NULL-SHA cipher.

  • Log on to the Sensor CLI and enter debug mode.

  • Execute set amchannelencryption off.

  • Log on to the Advanced Threat Defense CLI and execute set nsp-ssl-channel-encryption disable.

set nsp-tcp-channel enable | disable


Enables or disables communication between Network Security Platform and Advanced Threat Defense over TCP.
Syntax:

set nsp-tcp-channel enable | disable

Parameter Description
enable Enable TCP channel support
disable Disable TCP channel support

Example:

set nsp-tcp-channel enable


NSP TCP Channel Support Enabled and restarted service

set resultbackup <enable> <disable>


Use this command to back up old reports and results to the FTP server during disk cleanup. When enabled,
Advanced Threat Defense backs up old reports and results before disk cleanup.
Syntax:

set resultbackup <enable> <disable>

set stixreportstatus
Use this command to enable or disable STIX report generation.


Syntax: set stixreportstatus <enable><disable>

By default, stixreportstatus is disabled.

Example: set stixreportstatus enable

See also
show stixreportstatus on page 149

set tcpdump
Configures the packet capture functionality.

Syntax:

set tcpdump <start> <port options separated by underscore>

set tcpdump <stop>

Example: set tcpdump start -i_eth0_-c_10

Parameter Description
start Starts the packet capture operation with the specified tcpdump options.
stop Stops the packet capture operation.
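The following is an added example, written for this section and not part of McAfee Advanced Threat Defense, showing how the underscore-separated option string of set tcpdump start can be turned into an argument vector for tcpdump while accepting only a fixed set of capture options. The underscore convention and the -i_eth0_-c_10 sample are taken from the guide; the allowed option set, the interface-name pattern and the function names are assumptions made here, and the block deliberately refuses options such as -w so that a capture request cannot name an output path.

```python
"""Validate `set tcpdump start` options (added example, not ATD code)."""
import re
from typing import Dict, List

# Options an operator may pass, mapped to whether the option takes a value
# (assumed allowlist for this example).
ALLOWED_OPTIONS: Dict[str, bool] = {
    "-i": True,    # capture interface
    "-c": True,    # stop after this many packets
    "-s": True,    # snap length in bytes
    "-n": False,   # do not resolve addresses
    "-nn": False,  # do not resolve addresses or ports
    "-v": False,   # verbose decoding
}

# Interface names such as eth0 or mgmt. An underscore cannot appear in a value
# because it is the separator, and a name must start with a letter or digit
# so that an option flag can never be mistaken for an interface.
IFACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]{0,14}$")


def parse_tcpdump_options(option_string: str) -> List[str]:
    """Turn '-i_eth0_-c_10' into ['-i', 'eth0', '-c', '10'].

    Raises ValueError for any option outside ALLOWED_OPTIONS, a missing or
    malformed value, or a request that names no capture interface.
    """
    tokens = [t for t in option_string.split("_") if t]
    argv: List[str] = []
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in ALLOWED_OPTIONS:
            raise ValueError(f"option not allowed: {opt!r}")
        if not ALLOWED_OPTIONS[opt]:
            argv.append(opt)
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {opt} requires a value")
        value = tokens[i + 1]
        if opt == "-i" and not IFACE_RE.match(value):
            raise ValueError(f"malformed interface name: {value!r}")
        if opt in ("-c", "-s") and not (value.isdigit() and int(value) > 0):
            raise ValueError(f"option {opt} needs a positive integer, got {value!r}")
        argv.extend([opt, value])
        i += 2
    if "-i" not in argv:
        raise ValueError("a capture interface (-i) is required")
    return argv


def tcpdump_command(cli_line: str) -> List[str]:
    """Handle a full CLI line: 'set tcpdump start <options>' or 'set tcpdump stop'."""
    parts = cli_line.split()
    if parts[:2] != ["set", "tcpdump"] or len(parts) < 3:
        raise ValueError("expected: set tcpdump start <options> | set tcpdump stop")
    if parts[2] == "stop":
        if len(parts) != 3:
            raise ValueError("stop takes no options")
        return ["stop"]
    if parts[2] == "start" and len(parts) == 4:
        return ["tcpdump"] + parse_tcpdump_options(parts[3])
    raise ValueError("expected: set tcpdump start <options separated by underscore>")


if __name__ == "__main__":
    print(tcpdump_command("set tcpdump start -i_eth0_-c_10"))
```

Because the result is a list rather than a shell string, it can be handed to a process launcher without any shell interpretation, which is the point of translating the operator's string this way.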

set timeout <0-35791>


Sets the SSH timeout in seconds.
Syntax:

set timeout <0-35791>

Parameter Description
<0-35791> Value to set the SSH timeout in seconds.

Example:

set timeout 600


CLI session timeout value set to 600 seconds

set uilog
Sets the amount of web interface access information to be logged. The level ranges from 1 to 7.
Syntax:

set uilog <level>

Parameter Description
<level> A numeric value from 1 to 7 that sets the amount of UI access information to be logged.

Example:

ATD-6000> set uilog 5

new log level is 5


set ui-timeout
Specifies how long the Advanced Threat Defense web interface can remain inactive before the connection times out.

Syntax:

set ui-timeout <60 - 86400>

Parameter Description
<60 - 86400> You can set a timeout period from 60 to 86,400 seconds.

Example: set ui-timeout 600

Default Value: 15 minutes

show
Shows all the current configuration settings on the Advanced Threat Defense Appliance.
This command has no parameters.

Syntax:

show

Information displayed by the show command includes:

[Sensor Info]

• System Name

• Date

• System Uptime

• System Type

• Serial Number

• Software Version

• Active Version

• Backup Version

• MGMT Ethernet Port

[Sensor Network Config]

• IP Address

• Netmask

• Default Gateway

• DNS address

show dat version


Displays the current DAT and engine versions of the analysis engines.

Syntax: show dat version


Sample Output:

AV DAT version=7868
AV Engine version=5700
GAM DAT version=3811
GAM Engine version=7001.1302.1842

show ds status
View the status of all analyzing options.

Syntax: show ds status

This command has no parameters.

Sample Output:

GTI is alive

MAV is alive

GAM is alive

Yara is alive

show ec
Displays the status and configurations of email connector.
Syntax: show ec

Example:

show ec
Email Connector Status :enabled
Listen Port :1234
Smart Host name :10.213.248.196
Smart Host port :2222
Maximum time per email :3600
Normal Mode :enabled
EC Health Status :Healthy.
Skip Protected Files :disabled

show ec file-types
Shows whether the email connector file types are enabled or disabled for scans.

Syntax: show ec file-types

show ec filter-rules
Shows the list of Email Connector Filter Rules.

Syntax: show ec filter-rules

show ec permittedHosts
Shows the email connector permitted hosts.

Syntax: show ec permittedHosts


show ec rejectmode
Shows the action taken when the system is overloaded.

Syntax: show ec rejectmode

show ec tls (inbound|delivery)


Shows the TLS option that is configured for inbound and outbound communication.
Syntax:

show ec tls inbound

show ec tls delivery

Example

show ec tls inbound


TLS Inbound connection : optional

show epo-stats nsp


Displays the number of requests sent to McAfee ePO, the count of responses received from McAfee ePO, and
the count of requests that failed.

Syntax: show epo-stats nsp

This command has no parameters.

show filequeue
Displays the file queue statistics, such as the estimated average processing time, analyzing time, and files that
are pending.
This command has no parameters.

Syntax: show filequeue

Following is the information displayed by the show filequeue command:

Processing Time: 58.00


Analyzing Time: 58.00
Files in waiting: 0
files in SandBox: 0
Estimated average processing time for all samples: 58.00 seconds

show filesizes
Displays all the filetypes supported by Advanced Threat Defense with details such as type number, minimum
and maximum file size, and short description.
This command has no parameters.

Syntax:

show filesizes

Following is the information displayed by the show filesizes command:


Type number File description Minimum size Maximum size
1 Windows portable executable (PE) file, PE+ file, dll and sys file 1024 bytes 10 MB
2 PDF document file with .pdf extension 2048 bytes 25 MB
3 Java class data file with .class extension 1024 bytes 5 MB
4 Microsoft Office older files with .doc, .ppt or .xls extension 5120 bytes 10 MB
5 Microsoft rich text format file with .rtf extension 1024 bytes 10 MB
6 Zip file, APK file, or newer Microsoft Office file with .docx, .pptx or .xlsx extension 200 bytes 20 MB
7 JPEG image file 5120 bytes 1 MB
8 PNG image file 5120 bytes 1 MB
9 GIF image/bitmap file 5120 bytes 1 MB
10 Microsoft DOS executable file with .com extension 1024 bytes 5 MB
11 Flash file with .swf extension 1024 bytes 5 MB
12 7-zip compressed archive file with .7z extension 200 bytes 10 MB
13 RAR compressed archive file with .rar extension 200 bytes 10 MB
14 Microsoft cabinet compressed archive file with .cab and .msi extension 200 bytes 10 MB
15 Miscellaneous text or script files, for example .js, .bat, .vbs, .xml, .py, .url, .htm etc. 100 bytes 10 MB

show ftp
Use this command to know if FTP is enabled or disabled currently. By default, FTP is disabled.
Syntax: show ftp

See also
Set FTP on page 138

show gti dns


Checks the status of DNS lookup for GTI queries. If the status is enabled, then ensure that Advanced Threat
Defense has access to the DNS for the GTI queries to be generated.
Syntax:

show gti dns

This command has no parameters.

Example:

show gti dns


DNS access check is disabled

show gti server


Displays the current configuration of your McAfee GTI integration.
Syntax:

show gti server


This command has no parameters.

Example:

show gti server


GTI Server configured to Private Cloud
Private Cloud address: example.com

show history
Displays the list of CLI commands issued in the session.

Syntax: show history

This command has no parameters.

show intfport
Shows the status of the specified interface port or the management port of McAfee Advanced Threat Defense.
Syntax: show intfport <mgmt><1><2><3>

Information displayed by the show intfport command includes:

• Whether the port's administrative status is enabled or disabled.

• The port's link status.

• The speed of the port.

• Whether the port is set to half or full duplex.

• Total packets received.

• Total packets sent.

• Total CRC errors received.

• Total other errors received.

• Total CRC errors sent.

• Total other errors sent.

• IP address of the port.

• MAC address of the port.

• Whether the port is used to provide Internet access to analyzer VMs.

• If configured to provide Internet access to analyzer VMs, the corresponding gateway for this traffic.

show IPAddressSwap
Use this command to know whether IPAddressSwap is currently enabled or disabled. By default, IPAddressSwap is enabled.


Syntax: show IPAddressSwap

See also: set IPAddressSwap on page 135.

show ldap
Displays the configured parameters for LDAP authentication.
Syntax:

show ldap

This command has no parameters.

Example:

show ldap
+++++ LDAP Configuration +++++
LDAP username : (null)
Base DN : (null)
LDAP Login Attribute : (null)
LDAP Search scope : subtree
LDAP Auth Method : Simple
LDAP Server : IP:[(null)] Port:[0]
LDAP Service status : DOWN
LDAP Fallback status : DISABLE

show license info


Displays the license information of the appliance.
Syntax:

show license info

This command has no parameters.

Example:

show license info


ATD License Manager, on non-license-restricted platform
Authorized to SystemId : NA
Valid before date : Infinity

show license status


Displays the license status of the appliance.
Syntax:

show license status

This command has no parameters.

Example:

show license status


ATD License Manager, on non-license-restricted platform
Valid License

show logconfig
Lists the current debug mode employed for debugging.
Syntax: show logconfig


This command has no parameters.

Sample Output: Logging is ON, mode: send to syslog

show mar-timeout
Displays a configured timeout period after which Advanced Threat Defense stops querying MAR server for
results.

Syntax: show mar-timeout

This command has no parameters.

Default value: 60 Seconds.

Sample Output: MAR Timeout is currently set to 90 seconds

show pdflinks
Shows whether McAfee GTI validates links embedded inside PDFs during dynamic analysis.

Syntax: show pdflinks

This command has no parameters.

Sample Output: GTI validation of PDF URLs is OFF

show msu
Displays all the msu files copied to Advanced Threat Defense via SFTP.
Syntax: show msu

show nsp scandetails


Shows the file scan details regarding the integrated IPS Sensors.

Syntax: show nsp scandetails <Sensor IP address>

If you do not specify the Sensor IP address, the details are displayed for all the Sensors integrated with the
Advanced Threat Defense Appliance.

Information displayed by the show nsp scandetails command includes:

• The IP address of the IPS Sensor.

• Total number of packets received from the Sensor.

• Total number of packets sent to the Sensor.

• The timestamp of when the last packet was sent to and received from the Sensor.

• The encryption method used for the communication with the Sensor.

• Session handle null counts.

• Count of internal errors.

• Count of unknown commands received from the Sensor.

• File string null.

• File data null.


• Count of unknown files.

• Count of out of order packets.

• Count of MD5 mismatches between what was sent by the Sensor and what was calculated by Advanced
Threat Defense.

• Count of memory allocation failures.

• File transfer timeout.

• New file count.

• Count of shared memory allocation failures.

• Count of the number of static analysis responses sent.

• Count of the number of dynamic analysis responses sent.

• Count of scan request received.

• MD5 of the last file that was streamed by the Sensor.

show nsp-ssl-channel-encryption status


Displays the SSL channel encryption status for Network Security Platform.
Syntax:

show nsp-ssl-channel-encryption status

Parameter Description
status Displays the SSL channel encryption status for Network Security Platform.

Example:

show nsp-ssl-channel-encryption status


NSP SSL Channel Encryption is Enabled.

show port80
Displays the status of HTTP port 80.
Syntax:

show port80

This command has no parameters.

Example:

show port80
HTTP port 80 is closed or blocked

show resultbackup
This command displays the resultbackup status.
Syntax:

show resultbackup


show rmm info


Displays all hardware and RMM related information.
Syntax:

show rmm info

This command has no parameters.

show route
Displays the routes that you configured using the route add command as well as the system IP routing table.
Syntax:

show route

The following table shows the details from a sample output of the command.

Table 5-1 System IP routing table


Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
11.11.11.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
12.12.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mgmt
13.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 mgmt
0.0.0.0 10.10.10.253 0.0.0.0 UG 0 0 0 mgmt
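The following is an added example, written for this section and not part of McAfee Advanced Threat Defense, that reads the routing table above (Table 5-1, copied verbatim) and resolves the gateway and interface the appliance would use for a given destination with a longest-prefix match. Checking the path this way is useful when confirming which gateway analyzer-VM traffic leaves through after set malware-intfport. The parser and the function names are this example's own.

```python
"""Longest-prefix lookup over `show route` output (added example, not ATD code)."""
import ipaddress
from typing import List, NamedTuple, Optional

# The guide's sample output for `show route`, verbatim.
ROUTE_SAMPLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
11.11.11.0 0.0.0.0 255.255.255.0 U 0 0 0 mgmt
12.12.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mgmt
13.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 mgmt
0.0.0.0 10.10.10.253 0.0.0.0 UG 0 0 0 mgmt
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None when directly connected
    iface: str
    flags: str


def parse_routes(text: str) -> List[Route]:
    """Parse the Destination/Genmask columns into networks; skip the header."""
    routes: List[Route] = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) != 8:
            continue  # blank or malformed line
        dest, gw, mask, flags, _metric, _ref, _use, iface = cols
        # Genmask is a dotted netmask; strict=False tolerates host bits set.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # The G flag marks a route that goes through a gateway.
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, iface, flags))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the most specific route covering the destination, or None."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def next_hop(routes: List[Route], destination: str) -> str:
    """Describe where a packet to `destination` is sent."""
    route = lookup(routes, destination)
    if route is None:
        return "unreachable"
    if route.gateway is None:
        return f"direct via {route.iface}"
    return f"via {route.gateway} on {route.iface}"


if __name__ == "__main__":
    table = parse_routes(ROUTE_SAMPLE)
    for dst in ("10.10.10.77", "12.12.200.1", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
```

With the guide's table, 10.10.10.77 is directly connected on mgmt, 12.12.200.1 matches the /16 entry, and anything else falls through to the default route via 10.10.10.253.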

show stixreportstatus
Displays the current status of the stixreportstatus.
This command has no parameter.

Syntax: show stixreportstatus

Sample Output: STIX reporting is OFF

show system id
Displays the system ID.
Syntax:

show system id

This command has no parameters.

Example: show system id

71xxxxxxxx-xxxxxxx-xxxxx-xxxxxx-xxxxxxxxxxxxx

show tcpdump
Displays the current status of packet capture functionality. The maximum file size for the capture is 10MB.
Syntax: show tcpdump

This command has no parameters.


Sample Output: TCPdump is not running

show tepublisherstatus
Displays the status of McAfee ePO Threat Event Publisher.
Syntax:

show tepublisherstatus

This command has no parameters.

Example: show tepublisherstatus

********ePO Threat Event Publisher Status********

tepublisher is not running

show timeout
Displays the timeout value configured for SSH.
Syntax: show timeout

This command has no parameters.

Example:

show timeout

CLI session timeout is 360000 seconds.

show ui-timeout
Displays the Advanced Threat Defense web interface client timeout in seconds.
Syntax: show ui-timeout

Sample output: Current timeout value: 600

show uilog
Check the current level of uilog.
This command has no parameters.

Syntax:

show uilog

Following is the information displayed by the show uilog command:

ATD-6000> show uilog


Current log level is 7

show version
Displays the zebra version of Advanced Threat Defense.
This command has no parameters.

Syntax:

show version


Following is the information displayed by the show version command:

Zebra 0.95a ().


Copyright 1996-2004, Kunihiro Ishiguro.
ATD-3000>

show version application


Displays the current and backup versions of the application software.
Syntax:

show version application

This command has no parameters.

Example:

ATD-3000-37> show version application


Current VERSION=3.8.0.21.58782
Current LastModifiedTime=2016-12-04 17:23:29

Backup VERSION=3.8.0.19.58759
Backup LastModifiedTime=2016-12-02 02:01:23

show version detection


Displays the current and backup versions of the detection software.
Syntax:

show version detection

This command has no parameters.

Example:

ATD-3000-37> show version detection


Current VERSION=3.8.0.161202.58782
Current LastModifiedTime=2016-12-04 17:23:40

show vmImage
This command displays the list of the VM Images in Advanced Threat Defense.
Syntax:

show vmImage

Example:

ATD-3000> show vmImage

android

winxpSp3

win7sp1

ATD-3000>


show waittime
Displays the wait time threshold set for Email Gateway.
Syntax: show waittime

Sample output: Current MEG wait time threshold=780 seconds

shutdown
Stops the Advanced Threat Defense Appliance so that you can power it down. You must confirm that you want to shut it down.
Then, after about a minute, power down the Advanced Threat Defense Appliance manually and unplug both power supplies. The Advanced Threat Defense Appliance does not power off automatically.

This command has no parameters.

Syntax:

shutdown

status
Shows Advanced Threat Defense system status, such as the health and the number of files submitted to various
engines.
This command has no parameters.

Syntax: status

Sample output:

System Health Status : good

Sample files received count: 300

Sample files submitted count: 300

GTI Scanner files submitted count: 50

GAM Scanner files submitted count: 100

MAV Scanner files submitted count: 200

Sandbox files submitted count: 25

Sandbox files finished count: 25

Sample files finished count: 300

Sample files error count: 0
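The following is an added example, written for this section and not part of McAfee Advanced Threat Defense, that parses the status output shown above and turns it into a list of health findings, as a monitoring script would after collecting the command's text over SSH. The first sample is the guide's output copied verbatim; the second, degraded sample, the backlog threshold and the function names are constructed for this example.

```python
"""Health checks over `status` output (added example, not ATD code)."""
from typing import Dict, List

# The guide's sample output, verbatim.
STATUS_SAMPLE = """\
System Health Status : good
Sample files received count: 300
Sample files submitted count: 300
GTI Scanner files submitted count: 50
GAM Scanner files submitted count: 100
MAV Scanner files submitted count: 200
Sandbox files submitted count: 25
Sandbox files finished count: 25
Sample files finished count: 300
Sample files error count: 0
"""

# A constructed sample of a stalled appliance (not from the guide).
DEGRADED_SAMPLE = """\
System Health Status : bad
Sample files received count: 300
Sample files submitted count: 300
Sandbox files submitted count: 25
Sandbox files finished count: 10
Sample files finished count: 200
Sample files error count: 5
"""


def parse_status(text: str) -> Dict[str, str]:
    """Split each 'Key : value' line at the first colon and strip both sides."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def count(fields: Dict[str, str], key: str) -> int:
    """Read a numeric counter, treating a missing field as zero."""
    return int(fields.get(key, "0"))


def check_status(text: str, max_backlog: int = 50) -> List[str]:
    """Return findings; an empty list means the appliance looks healthy."""
    f = parse_status(text)
    findings: List[str] = []

    health = f.get("System Health Status", "unknown")
    if health != "good":
        findings.append(f"system health is '{health}'")

    received = count(f, "Sample files received count")
    finished = count(f, "Sample files finished count")
    errors = count(f, "Sample files error count")
    backlog = received - finished - errors  # samples still being analyzed
    if backlog > max_backlog:
        findings.append(f"{backlog} samples in flight exceeds threshold {max_backlog}")
    if errors:
        findings.append(f"{errors} samples ended in error")

    sandbox_backlog = (count(f, "Sandbox files submitted count")
                       - count(f, "Sandbox files finished count"))
    if sandbox_backlog > max_backlog:
        findings.append(f"{sandbox_backlog} sandbox runs pending exceeds threshold {max_backlog}")
    return findings


if __name__ == "__main__":
    print("guide sample:", check_status(STATUS_SAMPLE) or "healthy")
    print("degraded sample:", check_status(DEGRADED_SAMPLE))
```

The guide's own sample produces no findings; the constructed sample reports the bad health status, the 95 samples that are neither finished nor in error, and the 5 errors.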

terminal
Sets the number of lines to display on the Advanced Threat Defense web interface.
Syntax:

terminal <length>|no

Parameter Description
<length> Sets the number of lines to display. The value ranges from 0 - 512.
no Negates the previous command or sets the default value.


unlockuser <username>
Unlock a locked account.

Syntax

unlockuser <username>

Parameter Description
<username> Enter the username of the locked user account.

Example

unlockuser admin
Unlock user: admin
User unlocked!

update_avdat
By default, Advanced Threat Defense updates the DAT files for the McAfee Gateway Anti-Malware Engine and
McAfee Anti-Malware Engine every 90 minutes. To update these files immediately, use the update_avdat
command.
This command has no parameters.

Syntax: update_avdat

vmlist
Displays a list of all the VMs configured in Advanced Threat Defense.
Syntax: vmlist

watchdog
The watchdog process reboots the Advanced Threat Defense Appliance when an unrecoverable failure is
detected.

Syntax:

watchdog <on | off | status>

Parameter Description
<on> Enables the watchdog.
<off> Disables the watchdog. Use it if the appliance reboots continuously due to repeated system
failure.
<status> Displays the status of the watchdog process.

web
Restart, start, stop, and check the web service.
Syntax:

web <parameters>

Parameter Description
restart Restart the web service.
start Start the web service.
stop Stop the web service.
check Check the web service.

Example:

web restart
Service: restart
Web restarted
Web request done

whitelistMerge
Manually copy the Global Whitelist database of the Active node onto the Secondary or Backup nodes.

This is only a one-time activity, after which the Whitelist database of Secondary/Backup nodes is automatically
overwritten by that of Active node at 0000 hours on a daily basis.

Syntax: whitelistMerge <cluster><standalone>

• whitelistMerge <cluster> executed on Active node of a cluster: In this scenario, the Global Whitelist
database of the Active node is copied onto Secondary/Backup nodes and following sample output is
displayed.
Sample Output:

Performing merge of whitelist dB from LB cluster nodes

• whitelistMerge <cluster> executed on Secondary node or Backup node of a cluster: In this scenario,
the following sample output is displayed.
Sample Output:

Not an active LB cluster node

Execute this command from active node in LB mode

• whitelistMerge <standalone> executed on a standalone Advanced Threat Defense: In this scenario, the
following sample output is displayed.
Sample Output:

Performing Whitelist Merge for standalone

xl destroy
Deletes the specified VM snapshot.

Syntax: xl destroy <VirtualMachineName or VM Domain ID>

Use the vmlist CLI command to get the VirtualMachineName or VM Domain ID.

Sample Output:

ATD300025> xl destroy 31

[xl destroy 31] command successful. VM terminated successfully.

This command does not work on the non-active nodes of a cluster.



6 Managing Advanced Threat Defense

Manage the malware analysis configurations and monitor the Advanced Threat Defense Appliance
performance.

Contents
Delete VMDK files
Monitor the Advanced Threat Defense performance
Upgrade the software and Android analyzer VM
Limit the number of records in the database
Troubleshooting
Back up and restore Advanced Threat Defense Appliance from a USB drive
Back up and restore the Advanced Threat Defense database

Delete VMDK files


Remove unused VMDK files from Advanced Threat Defense.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense CLI.

2 Enter set ftp enable, then press Enter.

3 Connect to the Advanced Threat Defense Appliance with an FTP client, for example FileZilla.

4 Delete the VMDK file.

Monitor the Advanced Threat Defense performance


You can use the following options to monitor the performance of Advanced Threat Defense.
• To continuously monitor the performance, use the monitors on the Advanced Threat Defense dashboard.

• Use the status command in the Advanced Threat Defense Appliance CLI.

See also
CLI commands on page 4


Upgrade the software and Android analyzer VM


Upgrade the Advanced Threat Defense software and Android analyzer VM to the latest versions.

Best practice: Upgrade the Advanced Threat Defense software to the latest version.

When you upgrade the Advanced Threat Defense software:


• You cannot use the system.msu files to downgrade the Advanced Threat Defense software.

• OpenSSL automatically upgrades.

Prepare for the upgrade


Prepare your environment to upgrade the Advanced Threat Defense software and Android analyzer VM.

Task
To upgrade successfully, you must already be running Advanced Threat Defense 3.4.8 or later. For details
about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Change the administrator account settings.


a Click Manage | ATD Configuration | ATD Users.

b Select the Advanced Threat Defense administrator, then click Edit.

c In the User Credentials configuration area, select Allow Multiple Logins.

d In the Roles configuration area, select Web Access.

3 On the LDAP server, make sure the gidNumber value is 1024 for the atdadmin user.

4 Make sure that you have the following logon credentials.


• Advanced Threat Defense web interface administrator account

• The Advanced Threat Defense CLI using SSH

• The SFTP credentials to the Advanced Threat Defense Appliance

Download the product files


Download the Advanced Threat Defense product files from McAfee Downloads page.

Task
1 Go to the McAfee Downloads page.

2 Enter the Grant Number, the letters or numbers displayed, then click Submit.

3 Click Network Security Reseller Support | Advanced Threat Defense Software.

4 Click and download the installation files to your client computer.

Complete the upgrade


Upgrade the Advanced Threat Defense software and Android analyzer VM to the latest version.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Use an FTP client, such as FileZilla, to log on to the Advanced Threat Defense Appliance as the atdadmin user.

2 Using SFTP, upload these files to the Advanced Threat Defense root directory:
• Installation file

• Android .msu file

Make sure that the transfer mode is binary.

3 Use the following to upgrade the Advanced Threat Defense software, then repeat these steps to upgrade the
Android analyzer VM.
a Log on to the Advanced Threat Defense web interface as the administrator.

b Click Manage | Image & Software | Software.

c From the System Software drop-down list, select the file.

d Make sure that Reset Database is deselected, then click Install.

e On the installation Status message, click OK.


If you are unable to view the installation Status message, delete the browser cache.
The installation takes a minimum of 20 minutes.
When the installation completes, the Advanced Threat Defense Appliance restarts.

f On the reboot Status message, click OK.


If you are unable to view the reboot Status message, delete the browser cache.

4 When the Advanced Threat Defense Appliance starts, log on to the CLI and verify the software version.

5 Log on to the Advanced Threat Defense web interface and verify the following.
• Software version

• All data and configuration settings are transferred from the previous Advanced Threat Defense
installation

6 Click Dashboard, then verify that the VM Creation status is Successful on the VM Status monitor.
Advanced Threat Defense automatically re-creates all analyzer VMs. The amount of time it takes to re-create
the analyzer VMs depends on the number of analyzer VMs configured in Advanced Threat Defense.

The Advanced Threat Defense Appliance stores the software version on the active disk.
When you upgrade the software, Advanced Threat Defense disables the Whitelist status.

View the upgrade log


When you upgrade Advanced Threat Defense, you can view the upgrade path and version history logs.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Logs | Upgrade.


Upgrade the software incrementally


Upgrade the Advanced Threat Defense software to an available patch version.
This application software upgrade option provides an incremental upgrade of the software to an available patch
version. For a complete upgrade of the software, download the software from the McAfee Downloads page. See
the respective sections for detailed instructions on these tasks.

Upgrading the application software also upgrades the detection packages; previously installed detection
packages are no longer listed after this upgrade. The system services and the system itself might restart during
the application software upgrade process.

When updates are available for the application software and detection software package, notification messages
appear in the toolbar of the Advanced Threat Defense interface.

Tasks
• Automatically download the latest application software package on page 158
Automatically download and install the latest application software in Advanced Threat Defense
Appliance.
• Manually upload the latest application software package on page 158
Manually upload and install the latest application software in Advanced Threat Defense.

Automatically download the latest application software package


Automatically download and install the latest application software in Advanced Threat Defense Appliance.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface, then do one of these to access the Incremental Updates
page.
• Click Click to Update Software from the header.

When multiple notifications are available, select Click to Update Software from the list of notifications.

• Click Manage | Image & Software | Incremental Updates.

2 Under Automatic Update, select Application Software, then click Apply.

3 Select the Application Software tab, then click Install against the available software version.

A confirmation message appears before the installation starts. All Advanced Threat Defense services are
restarted. Once the process is complete, a status message appears that provides information about a
successful upgrade and a suggestion to log on again to the Advanced Threat Defense interface.

4 Log on to the Advanced Threat Defense interface again, then validate whether the upgrade was successful.
• From the header on Advanced Threat Defense interface, .

• Verify that the version is listed as Current: Click Manage | Image & Software | Incremental Updates, then click the
Application Software tab.

If you have any issues with the upgrade, click Revert to roll the software back to the previous backed-up version.
The Revert option is not shown if the Advanced Threat Defense software was upgraded using system.msu.

Manually upload the latest application software package


Manually upload and install the latest application software in Advanced Threat Defense.
Advanced Threat Defense allows you to import a maximum of two versions of the application software. The
latest uploaded version becomes the Current upload by default, and the previous upload becomes the Backup.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Image & Software | Incremental Updates.

3 To download the application software package, contact Support.

4 On the Incremental Updates page, click Browse, then select the application software package.

5 Click Upload.
To reinstate the Backup file as the Current file, click Revert.

Limit the number of records in the database


To ensure you have enough storage, limit the number of records in the Advanced Threat Defense database.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Select Manage | Maintenance | Database Pruning.

3 Configure the Database Pruning Setting options.

4 Click Schedule.

Troubleshooting
There are several methods to troubleshoot Advanced Threat Defense in your network.

Tasks
• Export the Advanced Threat Defense log files on page 159
If you experience any Advanced Threat Defense issues, export the log files to McAfee for analysis.
• Recreate the analyzer VMs on page 160
You can delete all existing VMs, including the default Android VM and healthy analyzer VMs, then
re-create them.
• Delete the analysis results and reports on page 160
Remove all existing analysis results and reports from Advanced Threat Defense.
• Reset email reports and cache on page 161
Remove all the email reports and cached verdicts for email attachments that are scanned by
Advanced Threat Defense.

Export the Advanced Threat Defense log files


If you experience any Advanced Threat Defense issues, export the log files to McAfee for analysis.
• Configuration Logs — Troubleshoot issues related to configurations.

• System Logs — Troubleshoot issues related to features, operations, and events.


• Diagnostic Logs — Troubleshoot critical issues, such as system crashes in Advanced Threat Defense.

• Debug Logs — Troubleshoot issues related to database operations, system processes, and other errors.

• VM Logs — Troubleshoot issues related to VMs.

• Install Logs — Troubleshoot issues related to installations.

• UI Logs — Troubleshoot issues related to UI errors.

• Integration Logs — Troubleshoot issues related to integration.

• Email Connector Logs — Troubleshoot issues related to email connector.

Only McAfee Support can read the Advanced Threat Defense log content.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Troubleshooting.

3 Select the log files you want to send, configure the amount of logs you want to include, then click Create
Support Bundle.

4 On the Ticket Number window, enter your ticket number, then click OK.

Recreate the analyzer VMs


You can delete all existing VMs, including the default Android VM and healthy analyzer VMs, then re-create
them.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Troubleshooting | Create VMs.

3 On the Confirmation window, click Yes.


• To view the VM re-creation logs, click Manage | Logs | System.

• To view the VM re-creation status, click Dashboard. The status is displayed on the VM Creation Status monitor.

The Create VMs option becomes available again when Advanced Threat Defense completes the analyzer VM
re-creation process.

Delete the analysis results and reports


Remove all existing analysis results and reports from Advanced Threat Defense.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Troubleshooting.


3 Select Remove all Analysis Results and Reports, then click Submit.

4 Click Submit.

Reset email reports and cache


Remove all the email reports and cached verdicts for email attachments that are scanned by Advanced Threat
Defense.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Troubleshooting.

3 Select Remove all Email Reports, then select Clear Email Results Cache.

4 Click Submit.

Back up and restore Advanced Threat Defense Appliance from a USB drive
Create a USB recovery drive, then re-image the Advanced Threat Defense Appliance.

Table 6-1 Approximate time required

Task                                             Required time
Create the recovery USB drive                    1 hour
Re-image the Advanced Threat Defense Appliance   1.5 hours

Tasks
• Create the USB recovery drive on page 161
Create the USB drive that you use to recover the Advanced Threat Defense Appliance.
• Re-image the Advanced Threat Defense Appliance on page 162
Use the USB recovery drive to re-image the Advanced Threat Defense Appliance.

Create the USB recovery drive


Create the USB drive that you use to recover the Advanced Threat Defense Appliance.

Task
1 Make sure that your environment meets the following requirements:
• Linux-based computer with a USB port and root administration privileges

• USB drive with 32 GB of free space

2 To download the atd-usb-creator.bin recovery USB image file, contact Support.

3 Download the software images.


a Go to the Product Downloads page.

b Under Product Downloads, click Download.

c Enter your grant number, enter the letters or numbers displayed, then click Submit.

d On the Products tab, click Network Security Reseller Support.


e On the Current Version tab, click Advanced Threat Defense.

f Download these images:


• systemimage-3.6.0.17.55414.msu

• Android-5.0.msu

4 Plug the USB drive into your computer, then copy the atd-usb-creator.bin file to the desktop.
To store the .bin file, you must have 7.4 GB of free space on both the computer and the USB drive.

5 From the command prompt, enter bash atd-usb-creator.bin, then press Enter.

6 Complete the on-screen instructions.
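The requirements in steps 1 and 4 (root privileges, 32 GB free on the USB drive, 7.4 GB free where the .bin file is staged, and the three downloaded files present) can be checked before atd-usb-creator.bin is run, so that the creator does not fail part-way through. The following POSIX shell script is an added example and is not part of this guide or of the McAfee tooling; the working-directory and USB mount-point paths are arguments, and the usage line assumes /media/usb as the mount point.

```shell
#!/bin/sh
# Added example (not from the product guide): pre-flight checks for building the
# ATD USB recovery drive. Sizes are compared in whole megabytes.

USB_MIN_MB=32768      # 32 GB free required on the USB drive
STAGING_MIN_MB=7578   # 7.4 GB free required where atd-usb-creator.bin is copied

# free_space_mb PATH -> prints whole megabytes available on the filesystem holding PATH
free_space_mb() {
    # df -Pk prints one POSIX-format line per filesystem; column 4 is "Available" in KiB
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# require_free_space PATH MIN_MB -> 0 if at least MIN_MB is free, 1 otherwise
require_free_space() {
    avail=$(free_space_mb "$1")
    avail=${avail:-0}
    if [ "$avail" -ge "$2" ]; then
        echo "ok: $1 has ${avail} MB free (need $2 MB)"
        return 0
    fi
    echo "FAIL: $1 has ${avail} MB free, need $2 MB" >&2
    return 1
}

# require_files DIR FILE... -> 0 if every listed file exists in DIR and is non-empty
require_files() {
    dir=$1; shift
    files_rc=0
    for f in "$@"; do
        if [ -s "$dir/$f" ]; then
            echo "ok: $dir/$f present"
        else
            echo "FAIL: $dir/$f missing or empty" >&2
            files_rc=1
        fi
    done
    return $files_rc
}

# preflight WORKDIR USB_MOUNT -> runs every check; returns non-zero if any fails
preflight() {
    workdir=$1; usb=$2
    pre_rc=0
    # The creator writes raw images to the USB device, so root is required
    [ "$(id -u)" -eq 0 ] || { echo "FAIL: run as root" >&2; pre_rc=1; }
    require_free_space "$workdir" "$STAGING_MIN_MB" || pre_rc=1
    require_free_space "$usb" "$USB_MIN_MB" || pre_rc=1
    # File names as listed in steps 2 and 3f of the guide
    require_files "$workdir" atd-usb-creator.bin \
        systemimage-3.6.0.17.55414.msu Android-5.0.msu || pre_rc=1
    return $pre_rc
}

# Usage on the workstation (assumed paths):
#   preflight "$HOME/Desktop" /media/usb && bash "$HOME/Desktop/atd-usb-creator.bin"
```

Run preflight first and only start the creator when it returns 0; each failing requirement is reported on stderr so the operator sees exactly which one to fix.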

Re-image the Advanced Threat Defense Appliance


Use the USB recovery drive to re-image the Advanced Threat Defense Appliance.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Complete the installation process.


a Plug the USB drive into your Advanced Threat Defense Appliance, then turn on or restart the
appliance.

b During the startup process, press F6.

c On the boot up menu, select the USB drive.

d Select Install ATD System, then press Enter.

During the installation process:


• The Advanced Threat Defense Appliance restarts twice.

• Do not restart or log on to the Advanced Threat Defense Appliance.

2 Use these credentials to log on to the Advanced Threat Defense CLI:


• User name — cliadmin

• Password — atdadmin

3 For each of the following, enter the command, then press Enter:
• Manage set appliance IP xxx.xxx.xxx.xxx 255.255.xxx.xxx

• set appliance gateway xxx.xxx.xxx.1

• set ftp enable

4 Using SFTP, copy systemimage-3.6.0.17.55414.msu to the Advanced Threat Defense Appliance.

5 Using the atdadmin account, upload the file.


To verify that the file upload succeeded, enter show msu, then press Enter.

6 Enter msu system-3.6.0.17.55414, then press Enter.


The Advanced Threat Defense Appliance restarts.


7 Install android-5.0.msu.
a Using SFTP, copy android-5.0.msu to the Advanced Threat Defense Appliance.

b Log on to the Advanced Threat Defense web interface.

c Select Manage | Image & Software | Software.

d From the System Software drop-down list, select Android-5.0.msu, then click Install.

8 Create the VM profile.


a Select Policy | VM Profile | New.

b In the Maximum Licenses field, enter 1.

c Configure the remaining options, then click Save.

The Advanced Threat Defense Appliance is restored to the default settings.

9 Using the CLI, enter reboot vmcreator, then press Enter.

10 Upload the .vmdk image files for your operating system, then create the VM profiles and analyzer profiles.
To make sure that the system works as intended, submit a sample.

Back up and restore the Advanced Threat Defense database


As a precaution, you can periodically back up the Advanced Threat Defense database and restore a backup of
your choice when required. For example, to discard all changes made during a troubleshooting exercise, restore
the backup that was taken before you started troubleshooting.
You can schedule automatic backups to a designated FTP server on a daily, weekly, or monthly basis.

When you want to restore a backup, Advanced Threat Defense collects the selected backup file from the FTP
server and overwrites its database with the contents of the backup file.


Table 6-2 Back up data

Data included in backup
• Local blacklist
• Global Whitelist
• VM profiles
  The analyzer VM image or VMDK files are not included in the backup. Before you restore a backup, make
  sure the image files specified in the backed-up VM profiles are located in Advanced Threat Defense.
• Analyzer profiles
• User information
• McAfee ePO integration details
• Proxy settings
• DNS settings
• Syslog settings
• SNMP settings
• Date and time settings including the NTP server details
• Load-balancing cluster settings
  This does not include the configuration and analysis results from the other nodes in the cluster.
• Custom YARA rules and configuration
• Backup scheduler settings
• File back up details

Data not included in backup
• Any sample file or URL that is being analyzed at the time of backup
  The Analysis Status page only shows the file currently being analyzed.
• The VMDK or image files of analyzer VMs
• The Advanced Threat Defense software in the active or backup disk
• The log files and diagnostic files
• Advanced Threat Defense Appliance network information

Schedule a database backup


Schedule daily, weekly, or monthly Advanced Threat Defense database backups.

Before you begin


• Make sure that you have the following:
• A configured FTP server that stores the backup files

• A directory on the FTP server where you want to store the backup files


• Collect the following FTP server information.


• IPv4 address

• The user name that Advanced Threat Defense uses to access the FTP server
Make sure that the user name has write access to the specified folder.

• The corresponding password that Advanced Threat Defense uses to access the FTP server.

• Make sure that the communication over SFTP or FTP is possible between Advanced Threat
Defense and the FTP server.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Maintenance | Backup & Restore | Backup.

3 Configure the options, then click Schedule.

The backup is stored in a password-protected .zip file in the specified directory on the FTP server.

Do not unzip or tamper with the .zip file. If the file is corrupted, you cannot restore the database backup
from it.

4 To view the backup logs, click Manage | Logs | System.

Restore a database backup


If the Advanced Threat Defense Appliance becomes corrupted, restore a specified or previous backup file on
any Advanced Threat Defense Appliance.

Before you begin


Verify the following.
• The version number in the backup file matches the current Advanced Threat Defense version.
For example, Advanced Threat Defense is unable to restore a backup from 3.0.4.94.39030 on
3.0.4.94.39031.

• All users are logged off the Advanced Threat Defense web interface, REST APIs, and CLI.

• The FTP server is successfully configured with Advanced Threat Defense.

• All sample file and URL analysis is complete.

If you start a restore while a backup is in progress, the restoration fails.

For details about product features, usage, and best practices, click ? or Help.

Task
1 Log on to the Advanced Threat Defense web interface.

2 Click Manage | Maintenance | Restore & Backup | Restore.


3 Restore the backup file.


• You can upload a local backup file.

• You can back up from your FTP server.


• Select Specific backup file, then configure the options.

• Select Previous backup file, then select the file.

If the IP address of the FTP server changes, update the configuration on the Backup Scheduler Setting page, then
complete the restoration. If you switch to a different FTP server, restoring from the backups on the old server
fails; you can only restore from the files on the new server.

4 Click Restore.

5 To view the restoration logs, click Manage | Logs | Syslog.


The sample analysis processes stop before the restore process and restart when the restoration completes.

During restoration, make sure to avoid the following.


• Sample submissions from integrated products, users, and scripts

• Advanced Threat Defense software upgrade
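The backup task above notes that the .zip file must not be unzipped or tampered with, and the restore task notes that a corrupted file cannot be restored. A practical safeguard is to record a SHA-256 manifest entry for each backup file when it lands on the FTP server and to verify the file against that manifest before starting a restore, so a corrupted or modified backup is caught before the sample analysis processes are stopped for a restore that would fail. The following POSIX shell functions are an added example, not part of this guide or of the product; the manifest path and the backup file names are assumptions, and the functions are meant to run on the host that holds or mirrors the FTP backup directory.

```shell
#!/bin/sh
# Added example (not from the product guide): SHA-256 manifest for ATD backup .zip
# files. record_backup is run after each scheduled backup is written; verify_backup
# is run before the file is selected for a restore.

# sha256_of FILE -> prints the hex digest (sha256sum, falling back to shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# record_backup MANIFEST FILE -> appends "<digest>  <basename>" to MANIFEST
record_backup() {
    manifest=$1; file=$2
    if [ ! -s "$file" ]; then
        echo "refusing to record missing or empty $file" >&2
        return 1
    fi
    printf '%s  %s\n' "$(sha256_of "$file")" "$(basename "$file")" >> "$manifest"
}

# verify_backup MANIFEST FILE -> 0 if FILE matches its manifest entry,
#   1 if the digest differs (corrupted or modified), 2 if FILE was never recorded
verify_backup() {
    manifest=$1; file=$2
    name=$(basename "$file")
    # Use the most recent entry for this name, in case the file was re-recorded
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest" 2>/dev/null | tail -n 1)
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $name matches manifest"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# Usage (assumed paths):
#   record_backup /srv/atd-backups/MANIFEST /srv/atd-backups/atd-backup-2017-01-01.zip
#   verify_backup /srv/atd-backups/MANIFEST /srv/atd-backups/atd-backup-2017-01-01.zip
```

Keep the manifest outside the directory that Advanced Threat Defense writes to, or on a separate host, so that a problem that damages the backups does not also silently rewrite the digests they are checked against.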

166 McAfee Advanced Threat Defense 4.0.0 Product Guide


Index

A
Account
  lock out period 84
analysis results
  viewing 104
analysis status 82
  monitoring 102
analyzer profile 14
  adding 63
  viewing 63
analyzer VM 14
  creating 18
Anti-Malware Engine 14

B
backup and restore 163

C
CLI commands
  issuing 115
  list 117
  mandatory commands 116
  syntax 116
CLI commands issue
  auto-complete 116
  console 115
  ssh 115
CLI logon 117
Common Criteria 83
configure
  email connector 79
Configure SEG 80
custom YARA rules 70, 87, 89

D
dashboard 113
database
  backup and restore 163
date and time 69, 88–92
Deep Neural Network 105
diagnostic files 159
DNS settings configuration 70, 71, 73–76
dynamic analysis 14

E
Email Connector
  Clear cache 161
  Overview 79
  Remove analysis reports 161
Email headers 82
ePO server configuration 65, 67
ePO server integration 64, 65
exporting logs 159

F
false negative samples, submitting 112
false positive samples, submitting 111
Family Classification 105

G
Gateway Anti-Malware Engine 14
generate
  certificate signing request 85
  CSR 85

I
Integration
  Private GTI Cloud 68
Internet access 15
Internet proxy server 72, 73

J
JSON 105

L
local blacklist 14
local whitelist 14
log files 159
logon banner, customize 85

M
malware analysis 95
  process flow 15, 95, 101
malware analysis configuration
  overview 13
McAfee Advanced Threat Defense
  backup and restore 163
  dashboard 113
  software import 156
  solution description 10
  upgrade 156
  user management 68

N
Network Simulator 15

O
OpenIOC 105
overview 9

P
password settings, configure 84
process flow 64, 65

R
real Internet mode 15
reports
  analysis summary 105
  disassembly results 107
  dropped files 106
  logic path graph 108

S
sample analysis 95
samples
  digital signatures 92
  false negatives 112
  false positives 111
  file 91
  url 91
Secure Email Gateway Configuration 80
SEG timeout 80
sensor logon, SSH 115
simulation mode 15
static analysis 14
STIX 105
support bundle 159

T
telemetry
  disable 78
  enable 78
terminologies 14
TLS 83
troubleshooting 159

U
Upload certificates
  CA Certificate 86
  Trusted CA Certificate 86
  Web Certificate 86
upload files
  manual 98
  SFTP 100
  user-interactive mode 98
  web application 98
upload samples
  manual 98
  SFTP 100
  web application 98
upload URLs
  manual 102
  web application 102
user 14
user API log 109
user interactive mode 98

V
view analysis results 104
VM creation log 63, 76
VM profile 14
  adding 61
  creating 61
  deleting 61
  editing 61
  management 61
  viewing 61
VMDK file
  image conversion 60
  importing 59
VMDK file, create 31

X
X-Mode 98
XML 105
XMode 98

Y
YARA rules 70, 87, 89
