McAfee Advanced Threat Defense 3.0.4 Product Guide (Revision B)

Browse online or download the Product Guide for McAfee Advanced Threat Defense 3.0.4 (140 pages). The hosting site lists this manual under "McAfee QuickClean 3.0", but every page summarized below belongs to the McAfee Advanced Threat Defense 3.0.4 Product Guide.


Summary of Contents

Page 1 - Product Guide

Product Guide, Revision B: McAfee Advanced Threat Defense 3.0.4

Page 2 - License Agreement

• Block future downloads of the same file: Subsequently, if the file is found to be malicious, your anti-malware protection must prevent future downloa

Page 3 - Contents

Upload files for analysis using SFTP. Before you begin: • Your user name has FTP Access privilege. This is required to access the FTP server hosted on McAf

Page 4 - 7 Analyzing malware 97

b. Set the frequency at which the Analysis Status page must refresh itself. The default refresh interval is 1 minute. c. To refresh the Analysis Status page

Page 5 - Index 139

5. Hide the columns that you do not require. a. Move the mouse over the right corner of a column heading and click the drop-down arrow. b. Select Columns. c. Sel

Page 6

Table 7-5 Column definitions. Column / Definition. Reports: Click to display the types of reports available for the sample. Click any of the enabled repo

Page 7 - About this guide

Table 7-5 Column definitions (continued). Column / Definition. Severity: Indicates the severity level of the analyzed sample. • Information — Indicates that t

Page 8 - Find product documentation

Task. 1. To access the Analysis Summary report in the McAfee Advanced Threat Defense web application, do the following: a. Select Analysis | Analysis Results.

Page 9 - Advanced

The various sections of the HTML format of the Analysis Summary report are outlined here. Figure 7-4 Analysis Summary report. 7 Analyzing malware: View the

Page 10 - Advanced Threat Defense

Table 7-6 Analysis Summary report sections. Item / Description. 1: This section displays the details of the sample file. This includes the name, hash value

Page 11

Table 7-6 Analysis Summary report sections (continued). Item / Description. 8: GTI URL Reputation. This provides McAfee GTI reputation and severity for the

Page 12

• On the right-hand side, a table provides the properties of the file. This includes information such as: • Signed or unsigned for the digital signature

Page 13

• It has the McAfee Anti-Malware Engine embedded within it for signature-based detection. • It dynamically analyzes the file by executing it in a virtu

Page 14 - Web Gateway

• Process operations: Details the process operation activities such as new process creation, termination, new service creation, and code injection into

Page 15

Table 7-9 A section of a sample Disassembly Results report. Column 1 / Column 2 / Column 3: 00401010 | e8 1f2c0000 | call 00403c34 ;;call URLDownloadToFileA. The
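The row layout in Table 7-9 (address, opcode bytes, instruction, then a `;;` annotation naming the imported API) is enough to post-process a Disassembly Results report outside the web application. The following is an added example, not McAfee code: it parses rows in that layout, decodes the rel32 target of each `E8` call from the opcode bytes so the printed operand can be cross-checked rather than trusted, and flags annotated calls to APIs a reviewer cares about. The delimiter (whitespace, `;;` before the annotation) and the watch-list are assumptions made here; the first row of the constructed sample report is the one printed in the guide, the rest are made up for the example.

```python
"""Parse the Disassembly Results report layout shown in Table 7-9 and flag
call sites whose annotation names an API used to drop or run a payload.

Added example, not McAfee code.  The page shows the row layout but not the
exact delimiters, so this assumes one instruction per line, whitespace
separated as  <address> <opcode bytes> <mnemonic> [operands] [;;annotation],
matching the visible row:  00401010 e8 1f2c0000 call 00403c34 ;;call URLDownloadToFileA
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Watch-list chosen for this example (assumption, not a list from the guide).
DEFAULT_WATCHLIST: Dict[str, str] = {
    "URLDownloadToFileA": "download to disk",
    "URLDownloadToFileW": "download to disk",
    "WinExec": "process launch",
    "CreateProcessA": "process launch",
    "ShellExecuteA": "process launch",
    "WriteProcessMemory": "code injection",
    "CreateRemoteThread": "code injection",
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class Instruction:
    address: int
    opcode: bytes
    mnemonic: str
    operands: str
    annotation: Optional[str]


def parse_line(line: str) -> Optional[Instruction]:
    """Parse one report row; returns None for headings, blanks and malformed rows."""
    text, _, note = line.partition(";;")
    tokens = text.split()
    if len(tokens) < 3 or not _HEX.match(tokens[0]):
        return None
    # Opcode groups are even-length hex runs.  Mnemonics such as 'add', 'dec'
    # or 'aaa' are hex-looking but odd-length, so they end the byte run.
    i, raw = 1, ""
    while i < len(tokens) and _HEX.match(tokens[i]) and len(tokens[i]) % 2 == 0:
        raw += tokens[i]
        i += 1
    if i == 1 or i >= len(tokens):
        return None
    return Instruction(
        address=int(tokens[0], 16),
        opcode=bytes.fromhex(raw),
        mnemonic=tokens[i].lower(),
        operands=" ".join(tokens[i + 1:]),
        annotation=note.strip() or None,
    )


def parse_report(text: str) -> List[Instruction]:
    return [ins for ins in map(parse_line, text.splitlines()) if ins is not None]


def call_target(ins: Instruction) -> Optional[int]:
    """Decode the rel32 target of an E8 call from the opcode bytes, so the
    report's printed operand can be cross-checked instead of trusted."""
    if ins.mnemonic != "call" or len(ins.opcode) != 5 or ins.opcode[0] != 0xE8:
        return None
    rel = int.from_bytes(ins.opcode[1:], "little", signed=True)
    return (ins.address + 5 + rel) & 0xFFFFFFFF


def _printed_target(ins: Instruction) -> Optional[int]:
    return int(ins.operands, 16) if _HEX.match(ins.operands) else None


def flag_calls(instructions: List[Instruction],
               watchlist: Dict[str, str] = DEFAULT_WATCHLIST) -> List[dict]:
    """Return call sites whose ';;' annotation names a watch-listed API."""
    hits = []
    for ins in instructions:
        if ins.mnemonic != "call" or not ins.annotation:
            continue
        for api, why in watchlist.items():
            if api in ins.annotation:
                decoded = call_target(ins)
                hits.append({"address": f"{ins.address:08x}", "api": api, "why": why,
                             "target_ok": decoded is not None and decoded == _printed_target(ins)})
    return hits


# Constructed report: the first row is the one printed in Table 7-9, the rest
# are made up here to give the parser a branch, a second watch-listed call and a return.
SAMPLE_REPORT = """\
Column 1 Column 2 Column 3
00401010 e8 1f2c0000 call 00403c34 ;;call URLDownloadToFileA
00401015 85 c0 test eax, eax
00401017 75 0a jnz 00401023
00401019 e8 2a2c0000 call 00403c48 ;;call WinExec
0040101e 83 c4 08 add esp, 08
00401021 c3 ret
"""

if __name__ == "__main__":
    for hit in flag_calls(parse_report(SAMPLE_REPORT)):
        print(hit)
```

On the guide's own row the decoded target agrees with the printed operand (0x00401010 + 5 + 0x2c1f = 0x00403c34); a mismatch would indicate a mangled or hand-edited report rather than a property of the sample.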

Page 16

This section uses yWorks yEd Graph Editor to explain how to use the Logic Path Graph GML file. In the yEd Graph Editor, you must first set the Routing

Page 17 - Defense Appliance

When you open the <file name>_logicpath.gml file in yEd Graph Editor, initially you might see many rectangle boxes overlapping each other or a si

Page 18

In the yEd Graph Editor, select Layout | Hierarchical. Figure 7-8 Incremental Hierarchic Layout dialog. 7 Analyzing malware: View the analysis results (page 114). McA

Page 19 - Usage restrictions

In the Incremental Hierarchic Layout dialog, click Ok without changing any of the default settings. The following example shows the complete layout of

Page 20 - Check your shipment

Two colors are used to indicate the executed path. The red dashed lines show the non-executed path, and the blue solid lines show the executed path. Accor
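Because the Logic Path Graph is plain GML, the executed/non-executed split described above can also be tallied without yEd, which is useful when triaging many reports. The following is an added example and not McAfee code. The guide documents only the visual convention (blue solid = executed, red dashed = non-executed), not the attribute names in the file, so the example assumes yEd-style edge graphics (`graphics [ fill "#0000FF" style "line" ]`, with `#FF0000` / `dashed` for non-executed edges); the embedded GML is constructed to fit that assumption and is not a real ATD report.

```python
"""Summarise the executed and non-executed paths in a <sample>_logicpath.gml
Logic Path Graph without opening it in yEd.

Added example, not McAfee code.  The guide states only that blue solid edges
are the executed path and red dashed edges the non-executed path; it does not
document the GML attributes.  This assumes yEd-style edge graphics, i.e.
  edge [ source 1 target 2 graphics [ fill "#0000FF" style "line" ] ]
with fill "#FF0000" / style "dashed" for non-executed edges.  SAMPLE_GML is
constructed to fit that assumption and is not taken from a real report.
"""
import re
from typing import Any, Dict, Iterator, List, Tuple

_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\[|\]|[^\s\[\]"]+')
EXECUTED_FILL = {"#0000FF"}       # assumption: blue solid edge
NON_EXECUTED_FILL = {"#FF0000"}   # assumption: red dashed edge


def _tokens(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, value): quoted strings, '[' / ']' and bare atoms."""
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok.startswith('"'):
            yield "str", m.group(1)
        elif tok in ("[", "]"):
            yield tok, tok
        else:
            yield "atom", tok


def _scalar(tok: str) -> Any:
    for cast in (int, float):
        try:
            return cast(tok)
        except ValueError:
            pass
    return tok


def _block(it: Iterator[Tuple[str, str]]) -> Dict[str, Any]:
    """Read key/value pairs until the closing ']'; repeated keys (node, edge) become lists."""
    obj: Dict[str, Any] = {}
    for kind, key in it:
        if kind == "]":
            break
        kind, val = next(it)
        value = _block(it) if kind == "[" else (val if kind == "str" else _scalar(val))
        if key in obj:
            if not isinstance(obj[key], list):
                obj[key] = [obj[key]]
            obj[key].append(value)
        else:
            obj[key] = value
    return obj


def parse_gml(text: str) -> Dict[str, Any]:
    return _block(iter(_tokens(text)))


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else ([] if v is None else [v])


def edge_status(edge: Dict[str, Any]) -> str:
    g = edge.get("graphics", {})
    fill = str(g.get("fill", "")).upper()
    style = str(g.get("style", "line")).lower()
    if fill in NON_EXECUTED_FILL or style == "dashed":
        return "not-executed"
    if fill in EXECUTED_FILL:
        return "executed"
    return "unknown"


def summarize(text: str) -> Dict[str, Any]:
    graph = parse_gml(text).get("graph", {})
    labels = {n["id"]: str(n.get("label", n["id"])) for n in _as_list(graph.get("node"))}
    counts = {"executed": 0, "not-executed": 0, "unknown": 0}
    reached = set()
    for e in _as_list(graph.get("edge")):
        status = edge_status(e)
        counts[status] += 1
        if status == "executed":
            reached.update((e["source"], e["target"]))
    known = counts["executed"] + counts["not-executed"]
    return {
        "executed_edges": counts["executed"],
        "not_executed_edges": counts["not-executed"],
        "unknown_edges": counts["unknown"],
        "coverage": counts["executed"] / known if known else 0.0,
        # Blocks no executed edge touches: code the sample never ran during analysis.
        "unreached_blocks": [labels[n] for n in sorted(labels) if n not in reached],
    }


SAMPLE_GML = '''Creator "constructed sample, not a real ATD report"
graph [
  directed 1
  node [ id 0 label "entry 00401000" ]
  node [ id 1 label "00401010 call URLDownloadToFileA" ]
  node [ id 2 label "00401019 call WinExec" ]
  node [ id 3 label "00401023 error path" ]
  edge [ source 0 target 1 graphics [ fill "#0000FF" style "line" ] ]
  edge [ source 1 target 2 graphics [ fill "#0000FF" style "line" ] ]
  edge [ source 1 target 3 graphics [ fill "#FF0000" style "dashed" ] ]
]
'''

if __name__ == "__main__":
    print(summarize(SAMPLE_GML))
```

A low coverage figure with many unreached blocks is the signal the graph is meant to convey visually: the sample took a branch the sandbox did not exercise, which is where the later note about unhonored user-intervention requests (and the Screenshots section) becomes relevant.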

Page 21

convention. Consider that the sample submitted is vtest32.exe. Then the .zip file contains the following results: • vtest32_summary.html (.json, .txt, .

Page 22

• System Health — Provides the system health details of the McAfee Advanced Threat Defense Appliance. • System Information — Provides the version number

Page 23

File Counters: This monitor shows the analysis status for files submitted during the specified time period. For example, if you set the time period for t

Page 24 - Port numbers

McAfee Advanced Threat Defense deployment options. You can deploy McAfee Advanced Threat Defense in the following ways: • Standalone deployment — This is

Page 25

• The infected and not infected file counts are indicated using different colors. • To hide the infected or not infected files, click the corresponding

Page 26

VM Creation Status monitor: This monitor displays the status of the analyzer VMs created for the specified time period in the dashboard. For example, if

Page 27 - Handling the front bezel

System Information: This monitor shows the version numbers of the software components related to McAfee Advanced Threat Defense. Figure 7-17 System Infor

Page 28 - Connect the network cable

8 CLI commands for McAfee Advanced Threat Defense. The McAfee Advanced Threat Defense Appliance supports command-line interface (CLI) commands for tasks su

Page 29

Logging on to the McAfee Advanced Threat Defense Appliance using an SSH client. Task: 1. Open an SSH client session. 2. Enter the IPv4 address of the McAfee Adv

Page 30

• set appliance gateway is also required if any of the following are true: • If the McAfee Advanced Threat Defense Appliance is on a different network

Page 31 - Defense web application

Table 8-1 CLI commands for managing the disks. Command / Description. copyto backup: Copies the software version on the active disk to the backup disk. Fo

Page 32

• To check if an MD5 is present in the blacklist, use blacklist query <md5>. Parameter / Description. <md5>: The MD5 hash value of a malware that

Page 33

Parameter / Description. <md5>: The MD5 value of the file for which you want to delete all the reports in McAfee Advanced Threat Defense. Example: dele

Page 34 - Viewing user profiles

list: Lists all the CLI commands available to users. Syntax: list. This command has no parameters. nslookup: Displays the nslookup query result for a given domain

Page 35 - Add users

• Integration with Network Security Platform — This deployment involves integrating McAfee Advanced Threat Defense with Network Security Platform Senso

Page 36 - Figure 4-3 Add users

reboot. Parameter / Description. reboot active: Reboots the Appliance with the software version on the active disk. reboot backup: Reboots the Appliance with t

Page 37 - Edit Users

set appliance ip 192.34.2.8 255.255.0.0. set appliance gateway: Specifies the IPv4 address of the gateway for the McAfee Advanced Threat Defense Appliance. Syn

Page 38 - Delete Users

set intfport ip: Sets an IP address to an interface port. Syntax: set intfport <1><2><3> ip A.B.C.D E.F.G.H. Example: set intfport 1 10.10.

Page 39 - Troubleshooting

Default Value: By default, the network port is set to auto (auto-negotiate). set_ui_timeout: Specifies the number of minutes of inactivity that can pass b

Page 40 - Delete the analysis results

show epo-stats nsp: Displays the count of requests sent to McAfee ePO, the count of responses received from McAfee ePO, and the count of requests that fa

Page 41 - Creating analyzer VM

Information displayed by the show nsp scandetails command includes: • The IP address of the IPS Sensor. • Total number of packets received from the Sens

Page 42

Table 8-2 System IP routing table (continued). Destination / Gateway / Genmask / Flags / Metric / Ref / Use / Iface. 13.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 mgmt; 0.0.0.0 10.

Page 43

Syntax: watchdog <on | off | status>. Parameter / Description. <on>: Enables the watchdog. <off>: Disables the watchdog. Use it if the Applian

Page 44

8 CLI commands for McAfee Advanced Threat Defense: List of CLI commands (page 138). McAfee Advanced Threat Defense 3.0.4 Product Guide

Page 45 - • Confirm — Enter cr@cker42

Index. A: about this guide 7. C: CLI commands: issue 123, auto-complete 124, console 123, mandatory commands 124, ssh 123; CLI logon 125; CLI syntax 124; conventions and ico

Page 46

• Integration with McAfee® Web Gateway — You can configure McAfee Advanced Threat Defense as an additional engine for anti-malware protection. When you

Page 48

• It is an on-premises solution that has access to cloud-based GTI. In addition, you can integrate it with other McAfee security products. • McAf

Page 49 - Select I/O Controller Types

1 Malware detection and McAfee® Advanced Threat Defense: The McAfee Advanced Threat Defense solution (page 16). McAfee Advanced Threat Defense 3.0.4 Product Guide

Page 50 - Figure 5-12 Select a disk

2 Setting up the McAfee Advanced Threat Defense Appliance. Review this chapter for information regarding the McAfee Advanced Threat Defense Appliance and

Page 51

Before you install the McAfee Advanced Threat Defense Appliance. This section describes the tasks that you must complete before you begin to install a Mc

Page 52

Warnings and cautions. Read and follow these safety warnings when you install the McAfee Advanced Threat Defense Appliance. Failure to observe these safe

Page 53

COPYRIGHT: Copyright © 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS: McAfee, the McAfee logo, McAfee Active Protection, McAfee

Page 54

Unpack the shipment. 1. Open the crate. 2. Remove the first accessory box. 3. Verify you have received all parts as listed in Check your shipment on page 20. 4. Re

Page 55

McAfee Advanced Threat Defense Appliance front and back panels. Figure 2-1 Front view of ATD-3000 with bezel. Figure 2-2 Side view of ATD-3000 without b

Page 56

Label / Description. 1: Power supply module 1. 2: Power supply module 2. 3: Management port (NIC 1). 4: NIC 2. 5: NIC 3. 6: NIC 4. 7: Video connector. 8: RJ45 serial-A port. 9: US

Page 57

Hardware specifications and environmental requirements. Specifics / ATD-3000 / ATD-6000. Dimensions: • 734.66 L x 438 W x 43.2 H in millimeters • 29 L x 17.25 W x 1.7

Page 58 - Select Write

Specifics / ATD-3000 / ATD-6000. Vibration: Unpackaged: 5 Hz to 500 Hz, 2.20 gRMS random (ATD-3000); Unpackaged: 5 Hz to 500 Hz, 2.20 gRMS random (ATD-6000); Packaged: 5 Hz to 500 Hz,

Page 59

Install or remove rack handles. • To install a rack handle, align it with the two holes on the side of the McAfee Advanced Threat Defense Appliance and a

Page 60

2. At the back of the rack, pull the back mounting bracket (extending the mounting rail) so that it aligns with the required rack holes. Ensure that the m

Page 61

8. Lift the release tab and push the Appliance into the rack. Figure 2-12 Lift release tab and push Appliance into rack. 9. To remove the McAfee Advanced Th

Page 62

Task. 1. Follow these steps to remove the front bezel. a. Unlock the bezel if it is locked. b. Remove the left end of the front bezel from the rack handle. c. Rotate the f

Page 63

Task. 1. Plug a console cable (RJ45 to DB9 serial) into the console port (RJ45 serial-A port) at the back panel of the McAfee Advanced Threat Defense Applian

Page 64

Contents. Preface ... 7. About this guide ... 7. Audience ... 7. Conventions ...

Page 65 - • Password — Enter cr@cker42

6. To set the management port IP address and subnet mask of the McAfee Advanced Threat Defense Appliance, type set appliance ip <A.B.C.D> <E.F.G

Page 66

3 Accessing the McAfee Advanced Threat Defense web application. The McAfee Advanced Threat Defense web application is hosted on the McAfee Advanced Threat Defe

Page 67 - Figure 5-33 Run sigcheck.exe

Access the McAfee Advanced Threat Defense web application. Task. 1. From a client computer, open a session using one of the supported browsers. 2. Use the foll

Page 68 - Figure 5-37 Warning message

4 Managing users and performance. You use the McAfee Advanced Threat Defense web application to manage user accounts and monitor the McAfee Advanced Threa

Page 69 - Figure 5-38 Activate Windows

• ATD admin — This is the default user account to access the FTP server on McAfee Advanced Threat Defense. The user name is atdadmin and the password i

Page 70 - Figure 5-39 Settings option

2. Hide the columns you do not want to see. a. Move the mouse over the right corner of a column heading and click the drop-down arrow. b. Select Columns. c. Sele

Page 71

Task. 1. Select Manage | User Management | New. The User Management page is displayed. Figure 4-3 Add users. 2. Enter the appropriate information in the respec

Page 72

Option name / Definition. Default Analyzer Profile: Select the analyzer profile that must be used for files submitted by the user. For example, if the file is s

Page 73

3. Make the changes to the required fields and click Save. For information on the fields, see Add users on page 35. Delete Users. If you are assigned the ad

Page 74 - Managing VM profiles

Task. 1. Select Manage | Software Management. Figure 4-4 McAfee Advanced Threat Defense software upgrade. 2. Click Browse and select the required McAfee Advan

Page 75 - View VM profiles

5 Creating analyzer VM ... 41. Create a VMDK file from an ISO image ... 42. Import a VMDK file into McAfee Advanced Threat Defense ...

Page 76 - Create VM profiles

Task. • To access the Troubleshooting page, select Manage | Troubleshooting. Figure 4-5 Troubleshooting page. Tasks: • Export McAfee Advanced Threat Defense

Page 77

5 Creating analyzer VM. For dynamic analysis, McAfee Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its

Page 78 - Figure 5-51 Shut down the VM

If you already have a VMDK file, it must be a single file that contains all the files required to create the VM. Contents: Create a VMDK file from an

Page 79 - Figure 5-53

3. In the New Virtual Machine Wizard window, select Custom (Advanced) and click Next. Figure 5-1 Select the configuration type for the virtual machine. 4. I

Page 80 - Delete VM profiles

5. In the Guest Operating System Installation window, select either Installer disc or Installer disc image file (iso), browse and select the ISO image, a

Page 81 - View the VM creation log

• Confirm — Enter cr@cker42. • Log on automatically (requires a password) — Deselect this box. Figure 5-4 Easy Install Information window. 7. In the VMware

Page 82

8. Complete the following in the Name the Virtual Machine window and then click Next. • Virtual Machine name — Enter virtualMachineImage. • Location — Brow

Page 83 - Defense for malware analysis

9. Leave the default values and click Next for the following unless specified otherwise: • Processor Configuration. Figure 5-7 Processor configuration for

Page 84 - Terminologies

• Memory for the Virtual Machine. Figure 5-8 Memory configuration for the VM. For Windows XP, set 1024 MB as the memory. For Windows 7, set 3072 MB as the

Page 85

• Network Type. Figure 5-9 Network type configuration for the VM. • Select I/O Controller Types. Figure 5-10 Select the I/O controller type. Creating analyzer

Page 86

createDefaultVms ... 127. deleteblacklist ... 127. deletesamplereport ...

Page 87 - Managing analyzer profiles

10. In the Select a Disk Type page, select IDE and click Next. SCSI disks are not compatible with McAfee Advanced Threat Defense. Figure 5-11 Select a di

Page 88 - View analyzer profiles

12. Complete the following in the Specify Disk Capacity window and then click Next. • Maximum disk size (GB) — Enter the exact values mentioned here base

Page 89 - Create analyzer profiles

13. In the Specify Disk File window, make sure virtualMachineImage.vmdk is displayed by default and click Next. If you specified a different name for Virt

Page 90

This step might take around 30 minutes to complete. Figure 5-15 VM creation progress. 15. If the Removable Devices pop-up window is displayed, select Do n

Page 91 - Integration with McAfee ePO

17. Select Public network in the Set Network Location window and click Next. Figure 5-17 Select a network location. 18. Complete the following only for Wind

Page 92

21. For Windows 7, in the virtualMachineImage, complete the following. a. Select Start | Control Panel | System and Security | Windows Firewall | Turn on W

Page 93

c. Select Start | Control Panel | Programs | Programs and Features | Turn Windows features on or off and complete the following. 1. Select Internet Informati

Page 94

23. In the Telnet Properties (Local Computer) window, you must select Automatic from the Startup type drop-down list. Then select Apply | Start | OK. Figur

Page 95

3. Select Write. 4. Select Log visits and click Apply and then OK. 5 Creating analyzer VM: Create a VMDK file from an ISO image (page 58). McAfee Advanced Threat Defense

Page 96

25. To enable FTP on Windows 7, complete the following. a. In the virtualMachineImage, select Start | Control Panel | System and Security | Administrative

Page 97

Contents (page 6). McAfee Advanced Threat Defense 3.0.4 Product Guide

Page 98

1. Select Sites, right-click Default Web Site, and remove it. Confirm by clicking Yes. Figure 5-23 Remove Default Web Site. 5 Creating analyzer VM: Create a V

Page 99

2. Right-click Sites and select Add FTP Site. Then complete the following. Figure 5-24 Select Add FTP Site. a. For FTP site name, enter root. b. Physical Path:

Page 100 - Analyzing malware

3. For Bindings and SSL Settings, select No SSL. For all other fields, leave the default values and click Next. Figure 5-26 Binding and SSL settings. 4. For

Page 101

26. Set automatic logon. a. For Windows XP, select Start | Run, enter rundll32 netplwiz.dll,UsersRunDll and press Enter. b. For Windows 7, select Start | Run,

Page 102 - View the analysis results

27. In the User Accounts window, deselect Users must enter a user name and password to use this computer and click Apply. Figure 5-29 User Accounts windo

Page 103

28. In the Automatically Log On pop-up window, complete the following. • User name — Enter Administrator. • Password — Enter cr@cker42. • Confirm Password —

Page 104

Press OK in the message boxes. Figure 5-31 User Accounts window. 29. Download Sigcheck onto the VM from http://technet.microsoft.com/en-us/sysinternals/b

Page 105

31. In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe. Figure 5-33 Run sigcheck.exe. 32. If prompted, click Run in the warning m

Page 106

33. Click Agree for the Sigcheck License Agreement. Figure 5-35 Sigcheck license agreement. 34. Download MergeIDE.zip from https://www.virtualbox.org/attachme

Page 107

37. Close Windows Explorer. 38. Verify that Windows is activated. Click Start, right-click Computer, then select Properties. It is mandatory that Windows is a

Page 108 - Analysis Environment section

Preface. This guide provides the information you need to work with your McAfee product. Contents: About this guide; Find product documentation. About t

Page 109 - Operations details section

a .docx file using Office 2003, you need the corresponding compatibility pack installed. After you download the compatibility pack, install it on the v

Page 110 - Dropped files report

b. Select CD/DVD (IDE) and then select either Use physical drive or Use ISO image file and browse to the ISO image of Microsoft Office. Then click OK. Fig

Page 111 - Logic Path Graph

d. Select Run all from my computer for Microsoft Office. Then select Not Available for applications such as Access, InfoPath, Lync, Outlook, Publisher, a

Page 112

43. In the Windows Run dialog, enter msconfig. 44. In the System Configuration utility, go to the Startup tab. 45. Deselect reader_sl and jusched and then cli

Page 113

Convert the VMDK file to an image file. Before you begin: • You have uploaded the VMDK file to McAfee Advanced Threat Defense. • You have admin-user permis

Page 114

VM profiles contain the operating system and applications in an image file. This enables you to identify the images that you uploaded to McAfee Advance

Page 115

2. Hide the unneeded columns. a. Move the mouse over the right corner of a column heading and click the drop-down arrow. b. Select Columns. c. Select only the re

Page 116 - User API Log

3. Click Activate to create and activate the VM from the selected image file. When you click Activate, the VM is opened in a pop-up window, so make sure

Page 117

After you OK the warning messages, the VM starts. Figure 5-50 VM displayed in a pop-up window. 4. Activate the VM, shut it down, and also close the pop-up

Page 118 - Malware analysis monitors

5. Create the VM profile for the VM that you created by entering the appropriate information in the respective fields. Table 5-1 Option definitions. Optio

Page 119 - Files analyzed by File Type

Find product documentation. McAfee provides the information you need during each phase of product implementation, from installation to daily use and trou

Page 120 - Top malware by file name

Edit VM profiles. Before you begin: To edit a VM profile, either you must have created it or you must have the admin-user role. Task. 1. Select Policy | VM Profil

Page 121 - VM Creation Status monitor

View the VM creation log. When you create a VM profile using the VM Profile page, McAfee Advanced Threat Defense creates an analyzer VM from the image fi

Page 122 - System Information

5 Creating analyzer VM: View the VM creation log (page 82). McAfee Advanced Threat Defense 3.0.4 Product Guide

Page 123 - Threat Defense

6 Configuring McAfee Advanced Threat Defense for malware analysis. After you install the McAfee Advanced Threat Defense Appliance on your network, you can con

Page 124 - CLI syntax

analysis. For static analysis, McAfee Advanced Threat Defense uses the following resources and in the same order: • Local whitelist — This is the list o

Page 125 - Appliance

Only the following operating systems are supported to create the analyzer VMs: • Windows XP SP2 32-bit • Windows Server 2008 64-bit • Windows XP SP3 32-

Page 126 - List of CLI commands

To dynamically analyze a file, the corresponding user must have the VM profile specified in the user's analyzer profile. This is how the user indi

Page 127

7. In the Analysis Status page, monitor the status of the analysis. See Monitor the status of malware analysis on page 100. 8. After the analysis is complete

Page 128

You use the McAfee Advanced Threat Defense web application to manage analyzer profiles. Figure 6-2 Contents of an analyzer profile. View analyzer profil

Page 129

Create analyzer profiles. Before you begin: If you intend to select the dynamic analysis option in the analyzer profile, make sure that you have created th

Page 130

1 Malware detection and McAfee® Advanced Threat Defense. Over the years, malware has evolved into a sophisticated tool for malicious activities such as st

Page 131

2. Enter the appropriate information in the respective fields. Option name / Definition. Name: Enter the name for the analyzer profile. It should allow you to

Page 132

Option name / Definition. Save: Creates the analyzer profile record with the information you provided. Cancel: Closes the Analyzer Profile page without saving

Page 133

To determine the analyzer VM for a file submitted by Network Security Platform or McAfee Web Gateway, McAfee Advanced Threat Defense uses the following

Page 134

Task. 1. Select Manage | ePO Login. The ePO Login page is displayed. Figure 6-3 McAfee ePO integration. 2. Enter the details in the appropriate fields. Option name

Page 135

Task. 1. Select Manage | HTTP Proxy Setting. The HTTP Proxy Setting page is displayed. Figure 6-4 Proxy Setting page. 2. Enter the appropriate information in t

Page 136

2. Enter the appropriate information in the respective fields. Option name / Definition. Domain: Enter the Active Directory domain name, for example, McAfee.co

Page 137

6 Configuring McAfee Advanced Threat Defense for malware analysis: Configure the proxy DNS settings (page 96). McAfee Advanced Threat Defense 3.0.4 Product Guide

Page 138

7 Analyzing malware. After you have configured McAfee Advanced Threat Defense, you can upload files for analysis. The following are the methods you can fo

Page 139

Table 7-1 Option definitions. Option / Definition. File: Either drag and drop the malware file from Windows Explorer or click Browse and select the file. If

Page 140

requests for user intervention by the malware are not honored. However, the screenshots of all such requests are available in the Screenshots sect
