FAQs for Advanced Threat Defense
Technical Articles ID: KB79333
Last Modified:  11/14/2019

Environment

McAfee Advanced Threat Defense (ATD)

Summary

Recent updates to this article
Date Update
November 14, 2019 Amended descriptions for Email Connector maximum concurrent SMTP connections.
August 2, 2019 Added: "Which URLs does ATD try to connect to when proxy testing the GTI HTTP and Malware Site Proxies" in the Operations section.
February 6, 2019 Removed all questions that were specific to ATD 3.x (ATD 3.x is EOL).
October 18, 2018 Added "When creating a VM with Hardware version 9 on VMware Workstation Pro, I see a warning that version 9 is not supported." to Operations.
September 14, 2018 Added "ATD Analyzer Profile setting offers 2 options to control how the downselector and scanner run against a sample" to Operations.

This article is a consolidated list of common questions and answers, and is intended for users who are new to the product, but can be of use to all users.

ATD runs either on a dedicated appliance or as a virtual machine, and identifies sophisticated, hard-to-detect threats. It works by running suspected malware in a sandbox, analyzing its behavior, and assessing the potential impact the malware might have on an endpoint and on the network.

What cable do I need to connect to the appliance, to run a HyperTerminal session?
Plug a console cable (RJ45 to DB9 serial) into the console port at the back of the ATD appliance. Connect the other end of the cable to the COM port of the PC you are using to configure the appliance.

How do I identify the installed ATD, DAT, and Engine versions?
Log on to the ATD management console. The ATD version is under System Information.

For example, the DAT and Engine versions are under System Information:
  • McAfee AV DAT Version: 7419
  • McAfee AV Engine Version: 5600
  • McAfee GAM DAT Version: 2951
  • McAfee GAM Engine Version: 7001.1302.1842

Why am I unable to authenticate to the ATD appliance?
You might not be using the correct user name. There are two default users; confirm that you are using the correct user name:
  • The graphical user interface (GUI) name is admin.
  • The command line interface (CLI) user name is cliadmin.
Which user account do I use to upload a VMDK to the ATD appliance?
You must use the atdadmin user account.
 
IMPORTANT: You cannot use any other account, even if the FTP Access role is selected for that account.

What does the Waiting Counter (Dashboard, File Counters, Waiting) represent in the ATD Manager?
The Waiting Counter is the number of files waiting for the sandbox and for the other downselectors, such as GTI, GAM, and the blacklist.
 
I selected Troubleshooting, Diagnostic File, but nothing happened and no file was produced; is this result an issue or fault with ATD?
No. A diagnostic file is generated only if an error occurred on the ATD appliance. If no error has occurred, a diagnostic file is not generated.
 
Why is there a delay of about 10 seconds before ATD shows the "Password:" prompt when I connect to the appliance via SSH?
You have not assigned a valid DNS server IP address to the ATD appliance, so the SSH service waits for a reverse lookup to time out. When you set a valid DNS server, ATD shows the prompt immediately.
 
Why does VM creation fail after I configure the IP address of ATD?
You need to reboot the ATD appliance after you set the IP address for the first time, or when you change the IP address. If you do not reboot, ATD does not operate properly.

How do I erase the data on an ATD evaluation unit, or my ATD appliance, before returning it to McAfee?
From the command line, type factorydefaults and press ENTER. This command deletes all samples, results, logs, and VM images, and resets IP addresses, before rebooting the appliance.

Where can I find hardware technical specifications, and system LED or beep status information, for ATD appliance hardware?
Identify which ATD hardware model you are using, and then view the corresponding Technical Product Specification from the following links.
IMPORTANT: If you suspect hardware failure, contact Technical Support and open a Service Request.

Where can I download the ePolicy Orchestrator (ePO) extensions for my release?
The ePO Software Manager lists the available extensions. The extensions are also available on the Product Downloads site (http://mcafee.com/us/downloads/downloads.aspx) under ePO downloads.

NOTE: The extensions offered might list a version number earlier than your installed release of ATD. Not every new build requires updated extensions; you can safely use the older extensions with your current version of ATD.

For example, the Threat Events Dashboard extension is available under ATD 3.8 and the MATDXLTAG extension (for TIE integration) is under ATD 3.4. Both are compatible with all current releases of ATD.

Does ATD 4.0 use an Active or Backup partition?
No. The feature was removed in ATD 4.0; ATD 4.0 and later no longer use Active and Backup partitions.

Can I assign an ePO client task to ATD, to upgrade components such as DXL or McAfee Agent?
While you are able to assign the tasks, you must not do so. The appliance is tested with specific versions of the components, and does not support upgrading them individually. Upgrades are delivered as part of ATD software packages, as needed for all integrated components.

My submissions are currently stuck in the analyzing state and are not being processed. How can I delete the pending ATD sample queue?
Open a command-line session, run the command removesampleinwaiting, and restart the amas service.

Can I configure the ATD management interface to use a DHCP-assigned IP address, or must I configure a static IP address?
Yes. Run the command set appliance ip dhcp to configure the appliance to use a DHCP-assigned IP address.

Can the ATD user interface be accessed from any of the interfaces eth0, eth1, eth2, and eth3?
No. Access the ATD Manager and the command line interface only through the management port (eth0).

Can the default route be applied to the management port?
No routes are required to reach the ATD Manager or the command line interface on the management interface.

NOTE: The management GUI and REST interface use the same server and port, so they cannot be isolated from each other.

When I validate an uploaded image, the validation log ends with the message "No changes for installed applications settings will be applied for [VM Image name]." What does this message mean?
The Windows 10 and 2016 validation checks stop before validation of network protocols such as Telnet. This message reports that because these checks have not been performed, no changes are made to the settings of applications in the VM image. Because these checks are made on images that use earlier operating systems, you do not see this message when validating those images.


How many CPUs and CPU cores does ATD assign to a VM system? Is it possible to customize this setting?
ATD assigns one (1) processor with one (1) core. You cannot customize this setting.

When I enable "Automatically select OS" in the Analyzer Profile, how does ATD select the VM Profile?
For example, suppose you configure the following Analyzer Profile:
  • VM Profile: Android
  • Automatically Select OS: Enable
  • Windows 32-bit VM Profile: WinXPsp3
  • Windows 64-bit VM Profile: Win7sp1x64
When an APK file is received for analysis, it is analyzed in the Android VM. A 32-bit PE file is sent to the Windows 32-bit VM (WinXPsp3), and a 64-bit PE file is sent to the Windows 64-bit VM (Win7sp1x64). If ATD cannot determine which operating system (OS) the file needs, the file is sent to the OS listed under VM Profile, which acts as the default VM for this purpose.

Why do I see the error message "Application Blocked by Security Settings" when I try to interact with a VM?
The Java security settings on your workstation cause this error. To change them, open the Java Control Panel, select the Security tab, set the Security Level to Medium, and apply the change. Note that this lowers the Java security level for every site that workstation visits; where your Java version offers an Exception Site List instead of a Medium level, adding the ATD Manager URL to that list is the narrower change.

What happens when you start VM Creation on the ATD appliance?
When you create a VM Profile (New OS) for the first time, ATD stops the amas service, VM Creation is started, and when finished, amas is restarted. When you change only the Maximum License count under the existing VM Profile, the amas service is not restarted.

NOTE: Between the amas stop and amas start state, existing VMs do not process traffic. Waiting samples remain in the queue and new samples from Network Security Platform (NSP) are dropped. But Email Gateway, Web Gateway, and RestAPI submitted samples are added to the queue.

IMPORTANT: Always stop sending traffic to ATD before starting a new VM Profile (New OS) creation.

Does the ATD appliance support interface bonding (for example, bonding eth0 to eth1)?
No. Bonding or link aggregation is not currently supported.

What time stamp format does ATD use?
ATD formats time stamps according to RFC 3339 (for example, 2019-11-14T10:15:30Z).

What does the output of the "show filequeue" command mean?
  • Processing Time: The time taken by the sample, from the time ATD receives it, until it is finished with analysis and reports are ready (total time spent by the sample in ATD).
  • Analyzing Time: The time taken for the sample to start and finish sandboxing (total time taken for analysis).
  • Files in SandBox: The number of samples currently being prepared for sandbox analysis. Before sandbox submission, samples are sent to heuristic analyzers. Heuristic analysis can determine if a sample is clean, and if so it does not require sandbox analysis. This process allows for more samples showing a status of "in analysis", than the actual number of sandbox VMs.
  • Files in Queue: The number of files currently present in the scan directory.
  • Estimated average processing time for all samples: The current wait time of the system, or the time ATD takes to analyze the next submitted sample.
Can I configure multiple network interfaces such as mgmt and intfport1, as part of the same subnet?
No. ATD does not support configuring multiple interfaces to use the same subnet, which applies to both standalone and cluster setups.

In what order do the ATD scanners perform malware analysis?
  1. Static analysis:
    1. Local whitelist
    2. Anti-Malware
    3. Gateway Anti-Malware
    4. GTI
    5. Local blacklist
  2. Dynamic analysis (sandbox)
NOTE: See the product guide for your release for the pre- and post-actions of each scanner.
Why do I see a past time/date in the File Submitted field for samples?
ATD has reused the past scan result instead of scanning the sample again. For example, open Analysis Summary and view two of the recent scan results for the same sample (select Analysis, Analysis Reports, search for the sample, click the Reports icon, and click Analysis Summary). If ATD has reused the previously scanned results, the submitted time/date in the summary of each sample is the same past date. But, if you see that the listed time/date of each sample is different, ATD has scanned the sample again.

What information does ATD retrieve or use from compatible and connected McAfee products?
  • ATD uses information learned about reputation from Global Threat Intelligence (GTI), in its determination of the probability that a file is malware.
  • ePolicy Orchestrator (ePO) is used to help identify the target environment, so that the appropriate virtual environment can be used to analyze the file.
    ATD works with ePO to identify the target device characteristics, so that dynamic analysis of the malware can be run on the appropriate operating system.
     
  • ATD accepts files from NSP and returns the outcomes of analysis, so that the information can be used in policy enforcement.
  • Files can also be manually uploaded through the web application (Analysis, Manual Upload), FTP, and API. For FTP, the user must have FTP access enabled for file submission under Manage, User Name.
What is the minimum threat score that ATD considers to be malicious?
3 (medium).

How does the numeric threat score in the JSON report map to the severity shown in the HTML and PDF reports?
ATD severity | Meaning
-2 | Failed
-1 | Clean
0 | Unverified
1 | Informational
2 | Low
3 | Medium
4 | High
5 | Very High

I have received a Threat Analysis report with a severity of "0" (zero), marked "Unverified". Why is this report marked as Unverified?
ATD tried to analyze the sample, but found no valid information on which to base an analysis. Either:
  • The operating system selected in the profile is incompatible with the sample, or
  • The submitted file contains insufficient or invalid information for analysis (for example, it is corrupted or incomplete).
In both cases, no suspicious code or activity was reported.
 
 
Why does Reputation for GTI Web or URL Reputation show Failed in the Threat Analysis Report?
Failed means that the lookup suffered from an environmental issue such as DNS resolution failure. Or, no connection to the Internet was possible.
 
Which URLs do TrustedSource for GTI Web/URL Reputation check during Dynamic Analysis?
TrustedSource checks all URLs that the sample or its embedded/drop content tries to connect to. It also checks the URL sent with the sample, from NSP or Web Gateway (MWG), for analysis. These checks are performed only when GTI URL reputation is enabled in the Analyzer Profile. All URLs such as HTTP, HTTPS, and FTP are supported.
 
What port does ATD use to communicate with the VNC client (to view sandboxes)?
ATD uses port 6000 and up. If you use Interactive Mode and you experience issues loading the Interactive window, you must open several ports from 6000 and range through the number of VMs you have configured. For example, if you have 10 VMs (4 XP + 6 Windows 7) the open ports must be 6000–6011.

Why do I see the error "Server refused to allocate pty" when trying to connect via SSH to the ATD appliance?
This error is because either port 2222 is not open or you are not connecting through port 2222 for SSH.
 
Can ATD analyze a password-protected file?
ATD can take a password-protected archive and analyze the sample, but the password must be known.

Does ATD identify the vulnerability that was exploited to allow the malware to infect the system in the first place?
Yes. ATD generates summary and comprehensive reporting details to identify the behaviors and key indicators of compromise. This information is shared with other integrated McAfee solutions, such as Web Gateway or ePO, which can then proactively enable defenses and remediation actions.

When you run the "factorydefaults" command, why are both Active and Backup software versions set at the same version?
This setting is as designed. The factorydefaults command erases both the Active and Backup settings, and the Backup software version is aligned to the Active software version.

What is the ATD DNS proxy setting?
All DNS queries performed by ATD use this DNS setting to perform lookups and other functions. These settings apply for all DNS functions, including DAT updates and GTI queries.

Can I purge the items yet to be processed from the ATD appliance?
Yes. Use the following steps to purge items that have not been processed from the ATD appliance:

CAUTION: This action removes all existing Report Analysis Results from the system.
  1. Open the ATD console and browse to Manage, Troubleshooting, Reset Report Analysis Results.
  2. Click Remove all Report Analysis Results.
  3. Click Submit.
How can I configure the session timeout setting for the ATD manager (Admin graphical user interface)?
Run the set ui-timeout command from the CLI. For example: set ui-timeout 300 sets the timeout to 300 seconds.
 
Why does ATD connect to mwg-update.mcafee.com?
ATD retrieves anti-virus and GAM updates from mwg-update.mcafee.com. The connections ATD uses, and the one it accepts, are:
Client | Server | Default port | Configurable | Description
ATD | tunnel.message.trustedsource.org | TCP 443 (HTTPS) | No | File Reputation queries
ATD | list.smartfilter.com | TCP 80 (HTTP) | No | URL updates
Any (SSH client) | ATD | TCP 2222 (SSH) | No | CLI access
ATD | mwg-update.mcafee.com | TCP 443 (HTTPS) | No | Updates for McAfee Gateway Anti-Malware Engine and McAfee Anti-Malware Engine
ATD | atd.rest.gti.mcafee.com | TCP 443 (HTTPS) | No | Updates for the Advanced Threat Defense software

 
What does the "set gti dns check" CLI command do? Under what circumstances must I change this setting?
ATD performs name resolution either by DNS or DXL channel to complete GTI queries. Change this setting in accordance with which channel you want to use for GTI communication:
  • If the set gti dns check is set to enabled, the GTI process performs the DNS reachability/name resolution check during startup. If the check fails, the GTI process fails to start. Use this setting when you want your ATD to reach GTI via the DNS/HTTPS channel.
  • If the set gti dns check is set to disabled, the GTI process starts without checking DNS reachability/name resolution on ATD. Use this setting when you want your ATD to reach GTI via the TIE/DXL channel, and when your ATD does not have direct DNS/HTTPS access to the Internet.

Why are no ICMP packets sent outside of ATD, even though malware Internet access has been enabled and ICMP reply messages are sent back to the appliance?
This behavior is as designed. ICMP behavior is always according to Simulator mode, and so ICMP (Ping) packets are not sent outside of the ATD appliance and ICMP reply messages are sent back to it.

Can I change the settings in a VM that is already uploaded to ATD (for example, changing the IP address of the DNS server from A.B.C.D to W.X.Y.Z)?
Yes. You can change settings over the VNC connection under Policy, VM Profile. Choose your VM, and then click Edit, Activate. After you change the required settings, shut down the VM, and then check Validation and Create license. This process creates a VM with the changed settings.

Are there any considerations or actions to be performed before I add VM profiles, VM analyzer profiles, or add or reduce the licenses assigned to a VM profile?
Yes. McAfee recommends that you stop the amas service before you run vmcreator, even when you are changing the licenses.

What information is deleted if I select Reset Database when I upgrade ATD?
The following information is deleted:
  • Analyzer Profile
  • Analysis Status
  • Analysis Results
  • User Management
  • ePO Login/DXL Setting
  • Date and Time Settings
  • SNMP Settings
  • Syslog Settings
  • Backup Scheduler Settings
The following information is not deleted:
  • VM profile entries in Policy, VM Profile
  • Manage, Proxy Settings
  • Manage, DNS Settings
How can I configure ATD to review a file based on the file extension and not just by the file header before sending it for dynamic analysis?
At the ATD command line, type filetypefilter enable and press ENTER.

When I add an MD5 hash to the blacklist, what value do I enter for ENG-ID and OS-ID?
Use 1 (one) for the ENG-ID and OS-ID values.

How can I view the ATD log files?
Select Troubleshooting, Log Files.

Which OIDs can be used to monitor the ATD appliance via SNMP (SNMP monitoring)?
atdCPUUtilizationAvg 1.3.6.1.4.1.8962.4.1.1.1.0
atdMemoryUtilization 1.3.6.1.4.1.8962.4.1.1.2.0
atdHDDSystemSpaceUtilization 1.3.6.1.4.1.8962.4.1.1.3.0
atdHDDDataSpaceUtilization 1.3.6.1.4.1.8962.4.1.1.4.0
atdFileWaiting 1.3.6.1.4.1.8962.4.1.1.6.0
atdFileAnalyzing 1.3.6.1.4.1.8962.4.1.1.7.0
atdSystemTemperature 1.3.6.1.4.1.8962.4.1.1.8.0
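To poll the objects listed above without an SNMP library, the following added example (not McAfee's code and not part of this article) builds an SNMPv2c GetRequest by hand using the BER encoding rules SNMP relies on, and decodes the GetResponse back into OID/value pairs. It assumes SNMPv2c on UDP/161 with a read-only community string; the version, the community name and the host are assumptions for the example, not settings taken from this article, so match them to the ATD SNMP configuration before polling. The OID table is the FAQ's list verbatim.

```python
import socket

# ATD MIB objects listed in this FAQ (scalar instances, hence the trailing .0).
ATD_OIDS = {
    "atdCPUUtilizationAvg": "1.3.6.1.4.1.8962.4.1.1.1.0",
    "atdMemoryUtilization": "1.3.6.1.4.1.8962.4.1.1.2.0",
    "atdHDDSystemSpaceUtilization": "1.3.6.1.4.1.8962.4.1.1.3.0",
    "atdHDDDataSpaceUtilization": "1.3.6.1.4.1.8962.4.1.1.4.0",
    "atdFileWaiting": "1.3.6.1.4.1.8962.4.1.1.6.0",
    "atdFileAnalyzing": "1.3.6.1.4.1.8962.4.1.1.7.0",
    "atdSystemTemperature": "1.3.6.1.4.1.8962.4.1.1.8.0",
}

def ber_length(n):
    """BER length octets: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_integer(value):
    """INTEGER in minimal two's-complement form."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_get_request(community, oids, request_id=1):
    """SNMPv2c Message { version=1, community, GetRequest-PDU [0] { id, 0, 0, VarBindList } }."""
    varbinds = b"".join(tlv(0x30, ber_oid(oid) + tlv(0x05, b"")) for oid in oids)
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag, payload):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):  # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(payload, "big", signed=(tag == 0x02))
    return payload.decode(errors="replace") if tag == 0x04 else None  # OCTET STRING, else NULL/exception

def parse_get_response(packet):
    """Return {oid: value} from an SNMPv2c GetResponse; raises on a non-zero error-status."""
    _, msg, _ = read_tlv(packet)
    _, _, pos = read_tlv(msg)                # version
    _, _, pos = read_tlv(msg, pos)           # community
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError(f"expected GetResponse-PDU (0xA2), got tag {tag:#x}")
    _, _, pos = read_tlv(pdu)                # request-id
    _, err, pos = read_tlv(pdu, pos)         # error-status
    if int.from_bytes(err, "big", signed=True):
        raise ValueError(f"SNMP error-status {int.from_bytes(err, 'big', signed=True)}")
    _, _, pos = read_tlv(pdu, pos)           # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    result, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, vpos = read_tlv(vb)
        vtag, vpayload, _ = read_tlv(vb, vpos)
        result[decode_oid(oid)] = decode_value(vtag, vpayload)
    return result

def poll_atd(host, community, timeout=3.0):
    """Send one GetRequest for every ATD OID above over UDP/161 (assumed) and return {name: value}."""
    by_oid = {oid: name for name, oid in ATD_OIDS.items()}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(snmp_get_request(community, list(ATD_OIDS.values())), (host, 161))
        packet, _ = sock.recvfrom(65535)
    return {by_oid.get(oid, oid): value for oid, value in parse_get_response(packet).items()}
```

Values come back as plain integers, so a monitor can compare them directly, for example alerting when atdFileWaiting keeps growing while atdFileAnalyzing stays flat, which is the symptom of the stuck queue described earlier in this article.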
 
The ATD backup archive file appears to be encrypted. How can I decrypt the file to restore it?
You do not need to decrypt the file before restoring it. The backup and restore subcomponent of ATD handles decryption behind the scenes.

Does ATD accept sample submission during the VM creation process?
Yes. ATD accepts samples when you are creating VM profiles. Those samples are placed into a queue, and ATD will scan them after VM creation is finished.

NOTE: VM creation can take a long time if you have many VMs to create, and it can cause problems for devices that use a short ATD scan timeout (for example, a MEG appliance configured with a 15-minute timeout): MEG submits samples to ATD, the ATD scan times out after 15 minutes, and MEG then scans the sample itself.
 
Why are Windows 7 "Test Mode" messages shown in the lower-right corner of the VM window when I submit a sample in X-mode?
ATD must use Windows test mode to ensure compatibility with Windows 7 during sample analysis.
NOTE: This has no influence on analysis results.

The Analyzer Profile offers two options that control how the downselectors and scanners run against a sample: "Continue to run all the engines even after the file is found malicious" and "Skip files if previously analysed". What happens if I select both?
The "Continue to run all the engines even after the file is found malicious" option takes precedence over "Skip files if previously analysed". If you enable both, ATD does not skip previously analysed files.

When I create a VM with Hardware version 9 on VMware Workstation Pro, I see a warning that version 9 is not supported. Will McAfee ever support VMs created with Hardware version 9?
Yes, after testing, VMs with Hardware version 9 are now supported. You can ignore this message.

Which URLs does ATD try to connect to when proxy testing the GTI HTTP and Malware Site Proxies?
In both cases, ATD tries to connect to "http://www.google.com/". If this URL is not reachable through the proxy, ATD displays the error: Test connection failed.

What validation checks does ATD perform before it accepts the web certificate?
  1. The uploaded PEM file must contain both the certificate and the private key.
  2. The key length must be 2048 bits or more.
  3. The signature (hash) algorithm must be SHA-256 or stronger.
  4. The certificate must not be expired; ATD checks the validity period.
  5. The certificate must carry an OCSP or CRL URL, which ATD uses to check revocation. Only HTTP URLs are accepted.
  6. The host name is validated against the identifier presented in the SAN or CN field, so the certificate must carry the appliance's proper host name, FQDN, or IP address in SAN/CN.
What web certificate file format does ATD accept?
ATD accepts a valid certificate with an unencrypted private key in PEM format. The web certificate file must be arranged in the following format:
-----BEGIN RSA PRIVATE KEY-----
(your private key data)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(your certificate data)
-----END CERTIFICATE-----
 
NOTE:
  • There must be no empty lines between the END RSA PRIVATE KEY line and the BEGIN CERTIFICATE line. These two lines must appear sequentially.
    If you have separate files (one certificate file and one private key file), you can combine them using a text editor and then upload that file to ATD.
     
  • If you are using ATD 4.0 and generate a CSR with the CSR Generation feature in the manager, your signed web certificate must not contain the private key section.
How does the ATD 4.x CSR Generation feature work?
The feature generates a private key and Certificate Signing Request (CSR) pair and stores them in the ATD backend. You download the CSR from the manager, have it signed by your preferred CA to produce the appliance's web certificate, and then upload the signed certificate together with your CA certificate to the appliance.
NOTE: The web certificate file does not need a private key section as long as the certificate originates from that CSR. The ATD backend holds the private key for the CSR and uses it with the signed certificate.

How do I combine the certificate and private key files?
  1. Open both the certificate file and private key file in a text editor.
  2. Copy the entire contents of the private key file, and then paste it to the start of the certificate file.
  3. Save the web certificate file.
  4. Upload the combined certificate file to ATD.
Does ATD accept an encrypted private key in the web certificate file?
No. You need to use an unencrypted private key in the web certificate file.
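A pre-upload check for the web certificate file layout described above: private key first, certificate immediately after it with no empty line between, an unencrypted key, and no key section at all when the CSR was generated on the appliance. This is an added example, not ATD's own validation code, and it covers only the file layout; key length, signature algorithm, expiry, revocation URL and SAN/CN are checked by ATD itself. The PEM bodies in the test are constructed placeholders, not real key material.

```python
import re

# One PEM block; the label on the END line must match the BEGIN line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}
# Markers of a password-protected key (PKCS#1 with DEK-Info, or encrypted PKCS#8); ATD rejects both.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
# An empty (or whitespace-only) line between the key's END line and the certificate's BEGIN line.
BLANK_BETWEEN = re.compile(
    r"-----END (?:RSA |EC )?PRIVATE KEY-----\r?\n(?:[ \t]*\r?\n)+-----BEGIN CERTIFICATE-----"
)


def pem_blocks(text):
    """Return [(label, full_block_text), ...] in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def combine_key_and_cert(key_pem, cert_pem):
    """Build the single-file layout ATD expects: the private key block, then the certificate block(s), adjacent."""
    keys = [block for label, block in pem_blocks(key_pem) if label in KEY_LABELS]
    certs = [block for label, block in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("need exactly one private key block and at least one certificate block")
    return keys[0] + "\n" + "\n".join(certs) + "\n"


def check_atd_web_cert_file(text, csr_generated_on_atd=False):
    """Return a list of layout problems; an empty list means the file matches the documented format."""
    problems = []
    if any(marker in text for marker in ENCRYPTED_MARKERS):
        problems.append("private key is encrypted; ATD requires an unencrypted key")
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    key_positions = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if csr_generated_on_atd:
        if key_positions:
            problems.append("CSR was generated on ATD: upload the signed certificate without a private key section")
    else:
        if len(key_positions) != 1:
            problems.append(f"expected exactly one private key block, found {len(key_positions)}")
        elif key_positions[0] != 0:
            problems.append("private key block must come first, before the certificate")
        if key_positions and BLANK_BETWEEN.search(text):
            problems.append("empty line between END PRIVATE KEY and BEGIN CERTIFICATE; the lines must be adjacent")
    for label in labels:
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            problems.append(f"unexpected PEM block: {label}")
    return problems
```

Run check_atd_web_cert_file on the file you are about to upload (with csr_generated_on_atd=True when the CSR came from the ATD manager); an empty list means the layout matches what this article describes, and each entry otherwise names the line to fix.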

In the ATD 4.x manager there is a Trusted CA Certificate field in addition to the conventional CA Certificate field, which was also present in the ATD 3.x manager. Which one must I use for my CA certificate in ATD 4.x?
Use the Trusted CA Certificate field. The CA Certificate field is present only for backward compatibility.

Does ATD 4.x support intermediate CA under Manage, Security, Manage Certificate, Trusted CA Certificate field?
Yes.

How does ATD 4.x check the certificate chain if I upload an intermediate CA to the Trusted CA Certificate field?
ATD validates the chain for a non-root CA certificate using its AIA (Authority Information Access) URL, and accepts HTTP URLs only. If the non-root CA certificate has no AIA field, ATD reports a certificate validation failure; the certificate must carry an AIA field with an HTTP URL.

Can ATD's integration with Active Directory support nested groups?
Yes. But, you must use the subtree option of the BaseDN search.

I am configuring an FTP server to be used as a repository for my ATD Scheduled Database Backup; are there any limitations or requirements?
Your FTP server must support the SIZE command. If the configured FTP server does not support it, or the command is disabled, the backup fails when ATD issues SIZE.
NOTE: The SIZE command is defined in RFC 3659 (Extensions to FTP). ATD uses it to confirm that the upload succeeded.

Does ATD support LDAP and RADIUS?
ATD supports LDAP. ATD does not support RADIUS.

Does ATD support the configuration of IPv6?
No. ATD currently does not support IPv6; but, this support is projected for a future update.

Does ATD support Common Criteria certification?
Yes. Common Criteria certification is supported in ATD.

Are there any IP address ranges that must be avoided or are used by ATD?
  • ATD 4.0.2 must not be deployed in the ranges 192.168.55.0/24 (used by the Email Connector) and 192.168.122.0/24 (used by the analysis VMs).
  • ATD 4.0.4 and later use the same two ranges by default, so they must also be avoided unless you change them.
You can change these internal ranges with the set internal net CLI command. To see the current internal network ranges, use the show internal net CLI command.

NOTE: If you address your VMs within these ranges, they are not visible or available.
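A pre-deployment check for the addressing rules in this article, written as an added example (not an ATD tool): no interface may fall inside the internal ranges reserved by ATD, no two interfaces may share a subnet (the mgmt/intfport1 rule stated earlier), and IPv6 is not supported. The default ranges are the two from this FAQ; if you changed them with set internal net, copy the output of show internal net into the table. Interface names and addresses in the test are constructed.

```python
import ipaddress

# Internal ranges ATD reserves by default (from this FAQ). Replace with the output of
# `show internal net` if you changed them with `set internal net`.
ATD_INTERNAL_NETS = {
    "Email Connector": ipaddress.ip_network("192.168.55.0/24"),
    "analysis VMs": ipaddress.ip_network("192.168.122.0/24"),
}


def check_interface_plan(plan, internal_nets=ATD_INTERNAL_NETS):
    """plan maps an interface name to its planned address in CIDR form, e.g. {"mgmt": "10.1.2.3/24"}.

    Returns a list of problems; an empty list means the plan satisfies the rules in this FAQ:
    no interface inside an ATD internal range, a distinct subnet per interface, IPv4 only.
    """
    problems = []
    ifaces = {}
    for name, cidr in plan.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.version != 4:
            problems.append(f"{name}: {cidr} is IPv6, which ATD does not support")
            continue
        ifaces[name] = iface
        for label, net in internal_nets.items():
            # overlaps() catches both a host inside the range and a wider subnet that swallows it
            if iface.network.overlaps(net):
                problems.append(f"{name}: {iface.network} overlaps the internal {label} range {net}")
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network == ifaces[b].network:
                problems.append(
                    f"{a} and {b} are both on {ifaces[a].network}; ATD needs a distinct subnet per interface"
                )
    return problems
```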

What package must I use to view a Disassembly Results Report?
Open the <file name>.asm file in Notepad++. The advantage of Notepad++ is that it provides syntax highlighting.

What package must I use to view a Logic Path Graph?
Open the <file name>.gml file in yEd: https://www.yworks.com/products/yed.

The virtual appliance is restricted to 8 sandboxes, but I have purchased a license for more than 8 sandboxes (for example, the v1016, 16-sandbox license). Does this mean that vATD is not restricted to 8 sandboxes?
No. These packages (v1016, v3032, and v6064) are sold to allow you to install a scalable clustered setup. For example, the v1016 16-license package allows you to set up a pair of vATD appliances with 8 sandboxes on each cluster node. This setup provides scale and redundancy.

Can I use a hardware load balancer with ATD?
No. You must use the built-in load balancer. The McAfee product that submitted the sample obtains the results by sending a query, listing the explicit audit ID issued by the first ATD at the time of sample submission. If the query is sent to a different server because of load balancing, it either returns an incorrect result or the query is rejected.


Where can the ATD appliance be sited?
The ATD appliance does not have to be placed in-line with traffic or at the edge of the network. It can be placed centrally or on an appropriate network segment, and the NSP Sensor forwards data to it.
 
What is the required free disk space in a VM deployed on ATD?
250 MB. If your VM has less available disk space than 250 MB, the validation process reports FAIL at the Free Space stage.

Can I use LAN2 interface as the communication port of the ATD server?
Yes. Either LAN1 or LAN2 can be used as the communication port of the ATD server when the ATD server is managed using an IP address.

NOTE: You might need to set up static routes for the traffic sent between MEG and the ATD appliance when you use the LAN2 interface.

Why is the connection speed of my ATD appliance slow?
The NIC is incorrectly configured, which causes the NIC auto-negotiation to fail.
  • From the ATD CLI, you can run the show command to view the interface settings for the management NIC.
  • You can manually configure the network configuration by running the set mgmtport speed [10/100/1000] duplex full command.
    Or, you can perform the auto-negotiation again by running the set mgmtport auto command.
How are the drives used on the ATD servers?
VM images and snapshots are saved on the SSD drives; System Disk and Data Disk partitions are on the HDDs.
Files saved on each partition:
  • Data Disk: vmdk, sample files, sample reports, and log files.
  • System Disk: ATD System Software, system logs.
     
Can I mix and match ATD model appliances in an ATD cluster? For example, can I combine 2x ATD-3000 and 1x ATD-6000 to create a cluster?
Yes. You can mix and match ATD appliances to create a cluster; but, you cannot add a virtual device to the cluster.

Can I use old and new model appliances in the same cluster?
Yes. For example, you can add a new ATD-3100 or ATD-6100 appliance to your existing cluster of ATD-3000 or ATD-6000 appliances.
IMPORTANT: All appliances must run the same version of ATD software.

Can I cluster virtual ATD appliances and is it supported?
Yes. You can cluster a vATD device with other vATD devices; but, you cannot mix and match virtual appliances with physical ATD appliances. Your cluster must be either all virtual or all physical devices. Clusters of mixed vATD appliances and physical appliances are not supported.
 
Is a cluster with primary and secondary appliances located in different DCs or network supported?
No. Only clusters with both appliances on the same network are supported.

Can I operate ATD on a closed network without Internet connectivity? How are updates made?
ATD has an internal virtual network and does not need Internet access to function. ATD does not currently support automatic updates without Internet connectivity; on a closed network, update packages must be downloaded elsewhere and imported manually. The Internet simulator currently emulates the following services:
  • HTTP
  • SMTP
  • FTP
  • TELNET
  • DNS
Does ATD support NIC bonding, teaming, or network aggregation?
No. ATD does not support these technologies.

Must I use the main network for Internet access for samples, or must I implement a separate network or line?
McAfee recommends that you segment your network so that the reputation of your main IP addresses is not put at risk. Either implement a completely segregated network, or dedicate a specific IP address to this function only, so that if that address acquires a poor reputation, the rest of your business is not affected.

Which port is used to pass URL Download traffic when the Malware Interface is configured?
URL Download traffic passes through the Malware Interface only when the Malware Interface is configured. If the Malware Interface is not configured, URL Download traffic passes through the Management Port.


How can I view the ATD and Network Security Platform (NSP) Channel Status?
To check on the status of the ATD and NSP communication link, type the status command from the NSP Sensor command line.
For example:
[McAfee MATD Communication]
Status : up
IP : 172.23.80.7
Port : 8505

NOTE: If the link is not up, the Status field reads down.

Does the NSP Sensor send files to the ATD appliance when traffic is sent over HTTPS and the NSP Sensor has the correct certificate to decrypt?
Yes. File extraction over HTTPS for malware analysis is supported. If the NSP Sensor has the SSL feature enabled and the correct certificate imported, the NSP Sensor can decrypt the files carried over HTTPS and send them to the ATD appliance for malware analysis.

How can I confirm that the NSP Sensor is connected to ATD?
Open a command-line session to the NSP Sensor, run the status command, and view the information under McAfee MATD Communication for confirmation.

How can I confirm whether a file has been sent to ATD?
Open a command-line session to the NSP Sensor, run the malwareenginestats command, and view the output.

Example:

MALWARE STATISTICS FOR MATD ENGINE:
--------------------------------------------------
Number of files sent: 4
Number of responses Received: 4
Number of files ignored: 0

Which physical port does the NSP Sensor use to communicate with the ATD appliance?
The NSP Sensor uses its management port to communicate with the ATD appliance.

Is NSP able to block malicious files when integrated with ATD?
Yes, with the following considerations:
  • NSP can block only on a static detection.
  • Dynamic detection takes longer, but NSM pulls the dynamic scan report when it is completed.
  • ATD performs an initial static scan and reports back to the NSM. If the file is matched, the NSM blocks it.
  • NSP holds the file for only six seconds, and dynamic analysis might take longer than this time period to execute. But, if a detection is found during the dynamic scan, the NSM pulls the report from ATD.

Why does the NSP Sensor not send many files to ATD?
The NSP Sensor has to process the entire file. Sometimes, your network configuration (for example, asymmetric traffic flow) might not allow the NSP Sensor to see the entire file. To work around these situations, set the NSP Sensor to permit for flow control instead of permit out of order in the NSP Sensor TCP settings (Devices, Policy, Advanced, TCP Settings).

Why are my signature updates failing?
Incorrect DNS settings usually cause this issue. Confirm that these settings are correct under the DNS Proxy setting.

What is the maximum file size that ATD can scan with NSP?
The file scan limit for NSP is set to 25 MB.

Can different Sensors be set to different scanning profiles?
No.

How can I validate that NSM can send files to ATD?
The status command on the NSP Sensor shows whether it can communicate:
[McAfee MATD Communication]
Status : up
IP : 172.18.18.218
Port : 8505

To validate end to end, download a PE or Office file through the NSP Sensor and confirm that it appears for analysis on ATD.



When Email Gateway (MEG) sends more samples than ATD can handle and overloads the appliance, can I be notified of this situation?
No. When ATD is overloaded, samples from MEG are rejected and you can see them only in the ATD Analysis Status page marked as Rejected. There is no email or other notification for this rejection from ATD.

Do I need to break integration with MEG or Web Gateway before upgrading my ATD software?
No. You do not need to break this integration before performing an ATD upgrade.

What is the maximum file size that ATD scans with Web Gateway?
The file scan limit for Web Gateway is 128 MB (122.07 MiB).


The Email Connector offers the "Action when system is overloaded" setting under Manage, EC, Configuration. What are the criteria for the Email Connector to treat the system as overloaded?

Email Connector has two criteria for treating the system as overloaded:
  • Number of concurrent SMTP connections to Email Connector: If Email Connector has already reached the maximum allowed number of concurrent SMTP connections, any new incoming connection is handled according to the Action when system is overloaded setting.
  • Estimated average processing time: The system is treated as overloaded when the estimated average processing time for all samples, as shown by the show filequeue CLI command, exceeds double the time configured in the MEG Wait-Time Threshold in Seconds setting.
    NOTE: This setting is located under Manage, ATD Configuration, Global Settings.

What is the maximum allowed number of concurrent SMTP connections?
ATD up to version 4.6.2 has a fixed limit of 300, regardless of ATD model (physical or virtual appliance) and deployment (standalone or cluster).
ATD 4.8 has the following maximum concurrent SMTP connections:
  • vATD in standalone: 80
  • vATD in cluster: 350
  • physical ATD in standalone: 250
  • physical ATD in cluster: 550

What is the recommended number of concurrent SMTP sessions from my secure email gateway to the ATD 4.8 Email Connector?
McAfee recommends that you configure your secure email gateway to establish fewer concurrent SMTP sessions than the maximum limits listed above.
For further details, see the ATD 4.8 Installation Guide.

What happens if I select "Reject SMTP connections" (under Manage, EC, Configuration, Action when system is overloaded setting), and the overload criteria are met?
The Email Connector responds with the 421 ATD System Overloaded error in the SMTP welcome banner, instead of 220 McAfee ATD Email Connector.
Your Secure Email Gateway then recognizes the 421 code and treats it as a transient error.
 
What happens if I select "Deliver emails unscanned" (under Manage, EC, Configuration, Action when system is overloaded setting), and the overload criteria are met?
The Email Connector accepts the SMTP connection, then forwards, or delivers email without scanning samples, but adds the following email headers:
X-ATD-TOOBUSY: 1
X-ATD-VERDICT: -8
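The two overload behaviours above (the 421 banner for "Reject SMTP connections" and the X-ATD-TOOBUSY / X-ATD-VERDICT headers for "Deliver emails unscanned") are both things a mail administrator will want to monitor. The following is an added example, not McAfee code: it classifies the Email Connector's SMTP greeting and flags messages that were delivered unscanned. The banner strings and the sample message are constructed from the values quoted in this article; the host and port used by read_banner are assumptions.

```python
"""Defender-side checks for ATD Email Connector overload handling (added example)."""
import email
import email.policy
import socket

# Constructed sample greetings, modelled on the banners quoted in the article.
HEALTHY_BANNER = "220 McAfee ATD Email Connector"
OVERLOADED_BANNER = "421 ATD System Overloaded"

# Constructed sample message carrying the headers added when mail is delivered unscanned.
SAMPLE_UNSCANNED = (
    b"X-ATD-TOOBUSY: 1\r\n"
    b"X-ATD-VERDICT: -8\r\n"
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed test message\r\n"
    b"\r\n"
    b"body\r\n"
)


def classify_banner(banner: str) -> str:
    """Map the SMTP greeting to a health state.

    220 means the connector is accepting mail; 421 is the transient overload
    signal (the gateway should retry later); anything else is unexpected.
    """
    code = banner.strip()[:3]
    if code == "220":
        return "healthy"
    if code == "421":
        return "overloaded"
    return "unexpected"


def read_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect to the Email Connector (assumed host/port), read the greeting, and QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        banner = reader.readline().rstrip("\r\n")
        sock.sendall(b"QUIT\r\n")
    return banner


def unscanned_verdict(raw_message: bytes):
    """Return (was_unscanned, verdict) from the headers the connector adds."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    toobusy = str(msg.get("X-ATD-TOOBUSY", "")).strip()
    verdict = msg.get("X-ATD-VERDICT")
    return toobusy == "1", (int(str(verdict).strip()) if verdict is not None else None)
```

A periodic job can call classify_banner(read_banner(host)) to alert on repeated "overloaded" results, and a mail-flow filter can use unscanned_verdict to quarantine or tag messages that bypassed analysis.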

What is the expected status for an Email Connector in the Dashboard on my ATD cluster?
The Email Connector runs only on the Primary Node. When the Backup Node assumes the Active role, the Email Connector automatically comes UP on that node. So, you see the following status:
  • Active Primary Node: Healthy
  • Backup Node: Uninitialized


What is the Deep Neural Network (DNN) and why does ATD use it?
DNN is a centralized system that uses machine learning to identify malicious indicators in a sample. ATD uses this machine learning to improve its prediction accuracy.

How does ATD send information to McAfee for machine learning?
ATD collects DNN-related information for future improvement, and sends it to McAfee through the management interface port, using the telemetry feature.

Does ATD send sample files to McAfee for inspection for machine learning?
No.

Does the ATD appliance learn from its own scan results and improve its individual detection?
No. Learning is performed in-house at McAfee. The improved detection information is shipped with an updated detection package or ATD release.
IMPORTANT: There is no local DNN learning or profile to configure or reset.

Does ATD dynamically check the latest machine learning results via the Internet each time it scans a sample?
No. Checks and predictions are performed using the local detection package. No real-time checks are sent to McAfee; only result-related information is collected and sent via telemetry.

Does DNN cause any sizing or performance implications?
No. The introduction of DNN to ATD does not hold any sizing or performance implications for the appliance. All sizing and performance information from McAfee is unaffected.
 

What is TAXII?
Trusted Automated eXchange of Indicator Information (TAXII™) is a transport mechanism that allows you to automate the exchange of threat information. The information is shared in the form of a STIX report sent to the TAXII server. ATD generates a STIX report when a malicious file is detected and then sends the report to your TAXII server. For ATD to do so, you need to configure your TAXII server information on ATD.

What versions of STIX and TAXII does ATD support?
ATD currently supports STIX version 1.2 and TAXII version 1.x.

Can I use HTTP for TAXII server communication instead of HTTPS?
No. ATD 4.2.0.x supports HTTPS only.

Do I need to specify the port number of the TAXII server even if the TAXII service is listening on the standard HTTPS port 443?
A port number is required on ATD 4.2.0.x. You need to include it in the URL field, for example:
https://192.168.0.100:443

I have installed my TAXII server, and configured my ATD to use the TAXII server. When I click Test Connection in the ATD manager, it returns PASS for all criteria, but ATD lists the TAXII server Status as UNKNOWN. Is there an issue with my TAXII server, ATD, or both?
The TAXII status is UNKNOWN after a configuration change is made on the ATD appliance (for example, after you click Apply).
The status is marked as UP only after at least one STIX report has been published successfully from ATD to the TAXII server.
This status is reported because ATD does not know whether the channel is working until a publish from ATD succeeds. The channel is marked as DOWN if a STIX push fails.
 
