ATD 4.0 and 3.x
The Management Interface port (MGMT) in ATD 3.x and 4.0 was used for potentially malicious or dirty traffic. ATD 3.x and 4.0 used the MGMT port with the configured Preferred and Alternate DNS servers, as follows:
- Activation VM traffic is sent out of the Management Interface port, regardless of its setting. Activation VM is used when creating the VM profile.
- DNS lookups for URL downloads do not use the Malware Interface port. They use the Management Interface port.
- DNS lookups do not use the Malware DNS setting. They use the Preferred and Alternate DNS servers.
- URL download traffic is performed through the Management Interface, regardless of the Malware Interface port setting.
NOTE: When a URL sample is submitted to ATD, ATD first validates the URL using down selectors and then the sandbox before it starts to scan, as outlined in KB89334. The validation process consists of a DNS host name check for the URL, followed by downloading the content from the URL. Both the DNS lookup and the downloading processes are performed through the MGMT port.
ATD 4.2 and later
ATD 4.2 prevents the MGMT interface from being used for potentially malicious or dirty traffic:
- Dirty DNS traffic—This traffic includes:
  - DNS lookups for URL download
  - Traffic from the sandbox VM for analysis
  - Traffic from the VM for activation, in which you activate Microsoft Windows and Microsoft Office.

  This traffic is sent to the Malware DNS server using the Malware Interface port. If Malware DNS is not set, no DNS lookups are made, and URL download fails.
- Other dirty traffic—All other dirty traffic from/to the sandbox VM, and from/to the VM for activation, follows the Malware Interface port setting.
IMPORTANT: You can assign the Malware internet port to any one of mgmt, intfport 1, intfport 2, and intfport 3. If you configure your MGMT port as Malware internet port, the dirty traffic is still sent using the MGMT port in ATD 4.2 and later.
To separate dirty traffic from your management network, use the MGMT port only for management, and then assign the Malware internet port to either intfport 1, 2, or 3.