Loading...

Knowledge Center

Print
How to enable Global Threat Intelligence Technology in your McAfee product
Technical Articles ID:  KB70130
Last Modified:  02/03/2014
Rated:

Environment

McAfee Global Threat Intelligence Technology
McAfee Global Threat Intelligence File Reputation
McAfee Global Threat Intelligence Message Reputation
McAfee Global Threat Intelligence Network Connection Reputation
McAfee Global Threat Intelligence Web Categorization
McAfee Global Threat Intelligence Web Reputation
Multiple McAfee products
McAfee Labs

Summary

What is McAfee Global Threat Intelligence?
Global Threat Intelligence (GTI) is a cloud-based threat intelligence service that works with selected McAfee products. Upon detecting a potential threat, McAfee GTI-enabled products query the GTI cloud, the cloud renders a response in the form of a reputation score or categorization information, and the product takes policy-based action in your environment.

Supported McAfee products
McAfee has currently added GTI support to the products listed below. This list will be updated as further support is made available. 

Product
 From version Patch

Comments
Email and Web Security Appliance 5.5    
Email Gateway 6.7.2    
Firewall Enterprise 7.0    
Host Intrusion Prevention 8.0    
Network Security Platform 6.0    
Network Threat Behavior Analysis 1.0    
Network Threat Response 2.1.1     
SaaS Endpoint Protection
 5.2    
SaaS Email Protection* Any    
SaaS Web Protection* Any    
Security for Microsoft Exchange 7.6     
Security for Microsoft SharePoint Server  2.5    
SiteAdvisor Enterprise 3.5    
VirusScan Enterprise 
8.8
 1  
VirusScan Enterprise  8.7i 1 Install the latest patch for VSE 8.7i.**
Web Gateway 7.0     
* No version information given.
**
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.

For instructions on downloading, see: KB56057.
 

Solution

To enable GTI for your point product(s)
Click one of the following links for information about enabling GTI File Reputation in your product:
Email and Web Security Appliance 
Email and Web Security Appliance (EWS) 5.5 and 5.6 can use GTI. This article describes how to enable and configure GTI for Email and Web Security (EWS) Appliance Software 5.5 and 5.6. 

This technology is not supported for earlier versions of EWS Appliance.
  1. Log on to the management console.
  2. Select one of the two Installation methods:
    1. Installation via SMTP:
      1. Select Email, Email Policies, Scanning Policies.
      2. Select a protocol: SMTP (or POP3), Anti-Virus, Viruses.
        You see the Anti-Virus Settings window.
         
    2. Installation via HTTP:
      1. Select Web, Web Policies, Scanning Policies.
      2. Select a protocol: HTTP (or ICAP/FTP), Anti-Virus, Viruses.
        You see the Anti-Virus Settings window. 
         
  3. From the Basic Options tab, select Enable Global Threat Intelligence file reputation.
  4. Select Sensitivity level (Default: Medium).
     
    Disabled GTI is turned off.
    Very Low For desktops/servers with restricted user rights and strong security footprint
    Low Minimum recommendation for laptops or desktops/servers with strong security footprint
    Medium Minimum recommendation for laptops or desktops/servers
    High For deployment to systems or areas which are regularly infected
    Very High In Email and On-Demand Scans on non-operating system volumes

     
  5. Click Apply Changes.
Back to top


Email Gateway (formerly IronMail) (6.7.2 or later)
Email Gateway is integrated with GTI Message Reputation.

To enable this service:
  1. Select Anti-Spam, TrustedSource.
  2. Click Enable TrustedSource and set additional configuration if required.


To enable GTI Message Reputation in the Spam Profiler:

  1. Select Anti-Spam, Spam Profiler, Configure.
  2. Click Enable Trusted Source under Spam Features/Dictionaries.
Back to top


Firewall Enterprise (7.0 or later)
Firewall Enterprise is integrated with GTI Network Connection Reputation.

To enable this service:
  1. From the Administrative Console, on the resource tree on the left, select a specific Firewall, then select Policy, then Access Control Rules.
  2. Create a new rule by clicking on the green plus sign at the top or select an existing rule from the list.
  3. In the Rule Properties screen, select Enable TrustedSource.
  4. Adjust the Network Connection Reputation level for the rule.
Back to top


Network Security Platform (6.0 or later for file, and 6.0.7 for network connection reputation)
Network Security Platform is integrated with GTI File and Network Connection Reputation.

To enable GTI File Reputation:
  1. In the Network Security Manager Resource Tree, select IPS Settings and select the Malware Detection tab.
  2. Set the GTI File Reputation specific options for the sensor, including DNS servers, Sensitivity Level and Response Action. From here, you can also manage options related to the use of custom fingerprints.
  3. Click Save.
  4. Select Enable options.
  5. Set the Enable options per sensor and port or port pair.
  6. For each port or port pair, choose a direction and detection type.
  7. Click Save, then select Configuration Update for the changes to take effect.
     

To enable GTI Network Connection reputation:

  1. In the Network Security Manager Resource Tree, select IPS Settings and select the Malware Detection tab.
  2. In the Network Security Manager, navigate to My Company/Integration, then Global Threat Intelligence. You can then choose your participation levels, alert details, and technical information.
Back to top 


Host Intrusion Prevention System (8.0 or later)
Host IPS is integrated with GTI Network IP Connection Reputation.

To enable this service:
  1. Launch ePO and go to the Policy Catalog.
  2. Select Host Intrusion Prevention 8.0 or later: Firewall under Product.
  3. Select Firewall Options under Categories.
  4. Click Edit corresponding to the policy for which you want to enable GTI.
  5. Select a value from the drop down for Incoming/Outgoing TrustedSource Block Threshold.
Back to top


Network Threat Behavior Analysis (1.0 or later)
Network Threat Behavior Analysis is integrated with GTI Network Connection Reputation.

To enable this service:
  1. In the Network Security Manager, navigate to My Company/Integration, then Global Threat Intelligence.
  2. You can now configure participation levels, alert details, and technical information as desired.
Back to top


Network Threat Response (2.1.1 or later)
Network Threat Response is integrated with GTI File and Network Connection Reputation. Network Threat Response integration with GTI is on by default, so you do not have to take any action. You can disable it, if required. The only setting an administrator has to set to enable the feature is to set a proxy.
 Select the drop-down menu Administration Proxy, type the information, and commit the change.
 
GTI updates with Network Threat Response analysis and findings and GTI Network Connection Reputation (TrustedSource) is queried to provide event context. For example, an analyst can quickly determine if a malicious file was downloaded from a suspicious URL before any detailed analysis takes place

Back to top


SaaS Email Protection
SaaS Email Protection is integrated with GTI message reputation.

This service is enabled by default.
 
Back to top


SaaS Web Protection
SaaS Web Protection is integrated with GTI Web Categorization.

To enable this service:
  1. In the administrative console, select the Web Protection tab.
  2. Select the Policies tab.
  3. Select the Content tab.
  4. Select Enable content filtering. Under Safe Search Options, you can also choose to Prevent leading search engines from returning sexually explicit search results.
  5. You can further select website allow/deny options by selecting the following options:


Back to top
 

Security for Microsoft Exchange 7.6
Security for Exchange is integrated with GTI Message Reputation.

To enable GTI Message Reputation:
  1. Click Start, Programs, McAfee, Security for Microsoft Exchange, Product Configuration.
  2. Click Settings & Diagnostics.
  3. Click Anti-Spam.
  4. Under McAfee Global Threat Intelligence message reputation, select Enable message reputation.
  5. Click Apply.
To configure GTI locally:
  1. Click Start, Programs, McAfee, Security for Microsoft Exchange, Product Configuration.
  2. Click Policy Manager, then select On-Access or On Demand.
  3. Click Master policy.
  4. Click Anti-Virus Scanner.
  5. Under Activation, select Enable.
  6. Under Options, select the anti-virus option you want to configure and click Edit.
  7. Select the Scanner Options you require, then select Enable Artemis Technology and the required Sensitivity Level:

    Disabled GTI is turned off.
    Very Low For desktops/servers with restricted user rights and strong security footprint
    Low Minimum recommendation for laptops or desktops/servers with strong security footprint
    Medium Minimum recommendation for laptops or desktops/servers
    High For deployment to systems or areas which are regularly infected
    Very High In Email and On-Demand Scans on non-operating system volumes
     
  8. Click Save.
  9. Click Apply.
  10. Refresh the page to view policy setting changes.
Back to top


To configure GTI via ePolicy Orchestrator:
  1. Log on to the ePolicy Orchestrator server as an administrator.
  2. Click Systems, System Tree, select the appropriate group, then select the individual system(s).
  3. Click Assigned Policies.
  4. Select the appropriate Product, Category, and Policy, then click Save.
  5. Click Policy Manager, then select On-Access or On Demand.
  6. Click Master policy.
  7. Click Anti-Virus Scanner.
  8. Under Activation, select Enable.
  9. Under Options, select the anti-virus option you want to configure and click Edit.
  10. Select the Scanner Options you require, then select Enable Artemis Technology and the required Sensitivity Level:

    Disabled GTI is turned off.
    Very Low For desktops/servers with restricted user rights and strong security footprint
    Low Minimum recommendation for laptops or desktops/servers with strong security footprint
    Medium Minimum recommendation for laptops or desktops/servers
    High For deployment to systems or areas which are regularly infected
    Very High In Email and On-Demand Scans on non-operating system volumes
     
  11. Click Save.
  12. Select the client computer, then send an Agent wake-up call.
Back to top


Security for Microsoft SharePoint Server
  • GTI is supported with Security for Microsoft SharePoint as of version 2.5.
  • GTI does not replace signature files. DAT files are still required for further actions such as cleaning and repair.
  • GTI protection is only available if your computer is connected to the Internet. Without Internet connectivity, computers are protected by the local DAT files, but GTI will not be active.
  • GTI uses a very small amount of bandwidth and is suitable for use on low speed connections.

To configure GTI locally:

  1. Log on to the Microsoft SharePoint server with an Administrator account.
  2. Launch Security for Microsoft SharePoint Server.
  3. Click Policy Manager, then select On-Access or On Demand.
  4. Click Master Policy
  5. Click Anti-Virus Scanner.
  6. Under Activation, select Enable.
  7. Under Options, select the anti-virus option you want to configure and click Edit.
  8. Select the Basic Options, then select Enable Artemis Technology and the required Sensitivity Level.

    Disabled GTI is turned off.
    Very Low For desktops/servers with restricted user rights and strong security footprint
    Low Minimum recommendation for laptops or desktops/servers with strong security footprint
    Medium Minimum recommendation for laptops or desktops/servers
    High For deployment to systems or areas which are regularly infected
    Very High In Email and On-Demand Scans on non-operating system volumes

     
  9. Click Save.
  10. Click Apply.
  11. Refresh the page to view policy setting changes.

Back to top

To configure GTI via ePolicy Orchestrator:

  1. Log on to the ePolicy Orchestrator server as an Administrator.
  2. Click Systems, System Tree, select the appropriate group, then select the individual system(s).
  3. Click Assigned Policies.
  4. Select the appropriate Product, Category, and Policy, then click Save.
  5. Click Policy Manager, then select On-Access or On Demand.
  6. Click Master Policy.
  7. Click Anti-Virus Scanner.
  8. Under Activation, select Enable.
  9. Under Options, select the anti-virus option you want to configure and click Edit.
  10. Select the Basic Options, then select Enable Artemis Technology and the required Sensitivity Level:

    Disabled GTI is turned off.
    Very Low For desktops/servers with restricted user rights and strong security footprint
    Low Minimum recommendation for laptops or desktops/servers with strong security footprint
    Medium Minimum recommendation for laptops or desktops/servers
    High For deployment to systems or areas which are regularly infected
    Very High In Email and On-Demand Scans on non-operating system volumes
     
  11. Click Save.
  12. Select the client computer, then send an Agent wake-up call.
Back to top
 

SiteAdvisor Enterprise (3.5 or later)
SiteAdvisor Enterprise is the first version to use GTI URL reputation. Version 3.5 patch 2 will also use GTI file reputation.

To enable this service:
  1. Launch ePO and select Menu, Policy, Policy Catalog.
  2. Select Product – SiteAdvisor Enterprise 3.5 or later.
  3. Click Enable or Disable from the policy menu.
Back to top


VirusScan Enterprise 8.7i
VirusScan Enterprise (VSE) is integrated with GTI File Reputation.
  • For VSE 8.7i (unpatched) and VSE 8.7i Patch 1, you can enable the GTI service for On-Delivery Email Scan, On-Demand Scan, or On-Access Scan.
  • For VSE 8.7i Patch 2 and later, GTI is enabled by default and you do not have to take any no action.
NOTE: Internet Connectivity
If Internet connectivity policies prevent you from enabling GTI for VSE, you can download and install the GTI Proxy Server, which consolidates McAfee client-to-cloud communications through a single, easily-auditable virtual appliance. GTI Proxy Server is free of charge with your McAfee product purchase.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.

For instructions on downloading, see: KB56057.
 


IMPORTANT: 
  • You can only deploy GTI to VSE 8.7i or later using ePO 4.0 or later.
  • When checking in packages to ePO, there are three options: Current, Previous and Evaluation. The default is for all clients to use Current.
  • To stage deployments, you can assign a group of computers to update from the Evaluation branch. You can then check in the SuperDAT as Evaluation. 
To enable GTI in VSE 8.7i or later using ePO 4.5
  1. On-Delivery Email Scan policy:
    1. Launch ePO, then click Menu, Policy, Policy Catalog.
    2. Select VirusScan Enterprise 8.7.0 (or later), On Delivery Email Scan Policies.
    3. Select to edit the policy for Server or Workstation.
    4. Select the Scan Items tab, then under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) select the Sensitivity level.
    5. On the Scan Items tab under Heuristics, enable Find unknown program threats and trojans.
    6. Save the policy. 
       
  2. On-Demand Scan task:
    1. Launch ePO, then click Menu, Systems, System Tree.
    2. Click the Client Tasks tab, then click New Task.
    3. Type a new name and select the task type On Demand Scan (VSE 8.7.0 or later). 
    4. Click Next and select the Performance tab.
    5. Under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) select the Sensitivity level.
    6. On the Scan Items tab under Heuristics, enable Find Unknown program threats.
    7. To schedule the task to run, click Next.
    8. To review and save the task, click Next
       
  3. On-Access Scan policy (VSE 8.7i Patch 1 or later required):
    1. Launch ePO, then click Menu, Policy, Policy Catalog.
    2. Select VirusScan Enterprise 8.7.0 (or later), On Access General Policies.
    3. Select to edit the policy for Server or Workstation.
    4. Select the General tab, then select the Sensitivity level under Heuristic network check for suspicious files (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)).
    5. Save the policy.
    6. Select VirusScan Enterprise 8.7.0 (or later), On Access Default / High-Risk / Low-Risk Process Policies.
    7. Select to edit the policy for Server or Workstation.
    8. Click the Scan Items tab and enable Find unknown programs and trojans under Heuristics.
    9. Save the policy.
Back to top

To enable GTI  in VSE 8.7i or later using ePO 4.0
 
  1. On-Delivery Email Scan policy:
    1. Launch ePO, then click the Systems tab.
    2. Click the Policy Catalog tab, then select VirusScan Enterprise 8.7.0 (or later) On Delivery Email Scan Policies.
    3. Select to edit the policy for Server or Workstation.
    4. Select the Scan Items tab, then under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) select the Sensitivity level.
    5. On the Scan Items tab under Heuristics, enable Find unknown program threats and trojans.
    6. Save the policy.
       
  2. On-Demand Scan task:
    1. Launch ePO, then click the Systems tab.
    2. Click the System TreeClient Tasks, New Task.
    3. Type a new name and select the task type On Demand Scan (VSE 8.7.0 or later).
    4. Click Next and select the Performance tab.
    5. Under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) select the Sensitivity level.
    6. On the Scan Items tab under Heuristics, enable Find Unknown program threats.
    7. To schedule the task to run, click Next.
    8. To review and save the task, click Next.
       
  3. On-Access Scan policy (VSE 8.7i Patch 1 or later required): 
    1. Launch ePO, then click the Systems tab.
    2. Click the Policy Catalog tab and select VirusScan Enterprise 8.7.0 (or later) On Access General Policies.
    3. Select to edit the policy for Server or Workstation.
    4. Select the General tab, then select the Sensitivity level under Heuristic network check for suspicious files (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)).
    5. Save the policy.
    6. Select VirusScan Enterprise 8.7.0 (or later) and On Access Default / High-Risk/Low-Risk Process  Policies.
    7. Select to edit the policy for Server or Workstation.
    8. Click the Scan Items tab and enable Find unknown programs and trojans under Heuristics.
    9. Save the policy.
 
Configure GTI settings for VSE 8.7i locally:
  1. On-Demand Scan policy:
    1. Click Start, Programs, McAfee, VirusScan Console.
    2. Double-click On-Demand Scan. If necessary, select the Performance tab.
    3. Under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) set the appropriate Sensitivity level, then click OK.
    4. Select the Scan Items tab.
    5. Under Heuristics, enable Find Unknown program threats, then click OK.
       
  2. On-Delivery Email Scan policy:
    1. Click Start, Programs, McAfee, VirusScan Console
    2. Double-click On-Delivery Email Scan. If necessary, select the Scan Items tab.
    3. Under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) set the appropriate Sensitivity level, then click OK.
    4. Select Scan Items tab.
    5. Under Heuristics, enable Find Unknown Program threats and trojans, then click OK.
       
  3.  On-Access Scan policy (Patch 1 for VSE 8.7i required):
    1. Click Start, Programs, McAfee, VirusScan Console.
    2. Double-click On-Access Scan. If necessary, select the Scan Items tab.
    3. Under Heuristic network check for suspicious files, (or in VSE 8.8, under Artemis (heuristic network check for suspicious files)) set the appropriate Sensitivity level, then click OK.
    4. Select Scan Items tab.
    5. Under Heuristics, enable Find unknown programs and trojans, then click OK.
Back to top
 

Web Gateway (7.0 or later) 
Web Gateway is integrated with GTI File Reputation, web categorization, and web reputation.

To enable GTI File Reputation:

  1. In the policy screen, in the settings tab to the left, drill down on engines, anti-malware, and gateway anti-malware.
  2. Under Advanced Settings, click Enable Artemis Queries.

To enable GTI  Web Categorization and Reputation:

  1. Staying in the policy screen and settings tab on the left, drill down to TrustedSource, Default.
  2. To the right, select Do in the cloud rating if local rating yields no result for web categorization and Use default TrustedSource server for in the cloud rating for web reputation.
    Geolocation information is only available through cloud look-ups. To enable this, select Only use in the cloud rating services.

Related Information

See also:
  • For details on Global Threat Intelligence File Reputation Levels, see KB74983.
  • For FAQs for Global Threat Intelligence File Reputation, see KB53735.
  • For FAQs for Global Threat Intelligence Proxy, see KB71000.

NOTE: This article replaces KB53732, KB72228, KB68631 and KB53730. 

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.
United States - English
© 2003-2013 McAfee, Inc.