I had a call today with McAfee and a partner regarding their Advanced Threat Detection, or ATD, device. Malware is hard to detect, and even harder to fully remove. And given the breadth of the term “malware”, which can include ransomware, adware, and spyware, it is increasingly difficult to identify.
McAfee says they have an answer. With their Web Filtering Gateway, you can now identify problematic files before they even reach the endpoint to be installed. Using GTI (Global Threat Intelligence) and heuristics, the gateway can scan and detect files as they are being downloaded. The file is either clean and allowed, or blocked due to signature or reputation. But what happens if the file falls in the “grey area”, where it *could* be malicious?
This is where McAfee’s Advanced Threat Detection comes into play. This appliance (which comes in two models) can do a far deeper inspection, spending processing cycles that the web gateway can’t afford to use. Using disassemblers and sandboxing, the ATD will actually go through and review the install of the files. How does it sandbox? By spinning up VMs!
Supported VMs are:
- Android (pre-installed)
- Microsoft XP
- Microsoft Server 2003
- Microsoft Server 2008
- Windows 7
Find, Freeze, and Fix
McAfee’s Advanced Threat Detection touts the motto “Find, Freeze, Fix”.
- Find – This is the detection function of the product. As files are sent to it, it does a full scan using both static analysis (technologies such as GTI reputation, signatures, and heuristics) and dynamic analysis (disassemblers and sandboxing).
- Freeze – If it finds a match, it will block and/or quarantine the file.
- Fix – Once a file has been recognized as malicious, the next logical step is to look in your environment and see if other systems have the same match (infection). This employs ePO Real-Time, and can tell you which systems you need to take offline and/or re-image.
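As an added illustration (my own sketch, not McAfee’s code), the Python below models the tiered flow just described: a static gateway verdict of clean/blocked/grey, escalation of the grey area to a sandbox report, and a Fix-style hunt for the convicted fingerprint across a host inventory. The sample files, hashes, signature bytes, entropy threshold and behaviour names are all constructed, and the sandbox report is assumed to arrive as a list of behaviour labels.

```python
import hashlib
import math
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed sample files and indicators for this example (not real malware or IoCs).
CLEAN_FILE = b"MZ" + b"plain text installer stub " * 4
BAD_FILE = b"MZ" + b"SAMPLE-SIGNATURE" + b"\x00" * 16
GREY_FILE = b"MZ" + bytes(range(256)) * 2          # unknown hash, high entropy
KNOWN_GOOD = {sha256(CLEAN_FILE)}
KNOWN_BAD = {sha256(BAD_FILE)}
SIGNATURES = [b"SAMPLE-SIGNATURE"]
ENTROPY_THRESHOLD = 7.0
# Behaviour labels an (assumed) sandbox report may list; any of these convicts the file
FLAGGED_BEHAVIOURS = {"persistence:run_key", "process:inject", "network:c2_beacon"}

def gateway_verdict(data: bytes) -> str:
    """Static tier (reputation, signature, heuristic): 'clean', 'blocked' or 'grey'."""
    h = sha256(data)
    if h in KNOWN_BAD or any(sig in data for sig in SIGNATURES):
        return "blocked"
    if h in KNOWN_GOOD:
        return "clean"
    # Unknown and high-entropy: cannot decide statically, hand it to the sandbox tier
    return "grey" if entropy(data) >= ENTROPY_THRESHOLD else "clean"

def sandbox_verdict(behaviours: list) -> str:
    """Dynamic tier: judge the behaviours observed while the file ran in the VM."""
    return "malicious" if FLAGGED_BEHAVIOURS & set(behaviours) else "benign"

def triage(data: bytes, behaviours: list) -> str:
    """Find/Freeze path: static verdict first, sandbox only for the grey area."""
    verdict = gateway_verdict(data)
    if verdict != "grey":
        return verdict
    return "blocked" if sandbox_verdict(behaviours) == "malicious" else "clean"

def fix_scan(bad_hash: str, inventory: dict) -> list:
    """Fix step: hosts whose file inventory carries the convicted fingerprint."""
    return sorted(host for host, hashes in inventory.items() if bad_hash in hashes)
```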
I’ve been told the “Fix” function of ATD still has some baking to do, but the theory and methodology is sound. Unfortunately, it’s hard to fully test this in a lab environment, so I cannot validate one way or the other.
My mind was blown when I heard how the appliance can actually spin up a VM and test the install automatically. I’d be curious how this actually works in real life, but just the idea of it is the next logical step. I haven’t heard any other security vendor make such a statement. If you know of one, I’d love to hear about it. I also love the idea of the “fix” function. It makes sense that once it identifies the installer’s “fingerprint”, it should be able to find other installations, but this process is pretty extensive.
Overall, if you are using McAfee Web Gateway, and you need greater control and deeper inspection, the ATD would be the next logical step.
- McAfee Advanced Threat Detection Product Page
- McAfee Advanced Threat Detection Datasheet
- McAfee Advanced Threat Detection Release Notes
- McAfee Advanced Threat Detection Product Guide