Advanced Threat Defense 4.2 changes to Management Interface and Malware internet port use

Technical Articles ID: KB90022
Last Modified: 5/27/2020

Environment

McAfee Advanced Threat Defense (ATD) 4.x

Summary

ATD 4.0 and 3.x
The Management Interface port (MGMT) in ATD 3.x and 4.0 was used for potentially malicious or dirty traffic. ATD 3.x and 4.0 used the MGMT port with the configured Preferred and Alternate DNS servers, as follows:

Activation VM traffic is sent out of the Management Interface port, regardless of its setting. Activation VM is used when creating the VM profile.
DNS lookups for URL downloads do not use the Malware Interface port. They use the Management Interface port.
DNS lookups do not use the Malware DNS setting. They use the Preferred and Alternate DNS servers.
URL download traffic is performed through the Management Interface, regardless of the Malware Interface port setting.

NOTE: When a URL sample is submitted to ATD, ATD first validates the URL using down selectors and then the sandbox before it starts to scan, as outlined in KB89334. The validation process consists of a DNS host name check for the URL, followed by downloading the content from the URL. Both the DNS lookup and the downloading processes are performed through the MGMT port.

ATD 4.2 and later
ATD 4.2 prevents the MGMT interface from being used for potentially malicious or dirty traffic:

Dirty DNS traffic—This traffic includes:
- DNS lookups for URL download
- Traffic from the sandbox VM for analysis
- Traffic from the VM for activation, in which you activate Microsoft Windows and Microsoft Office.
This traffic is sent to the Malware DNS server using the Malware Interface port. If Malware DNS is not set, no DNS lookups are made, and URL download fails.
Other dirty traffic—All other dirty traffic from/to the sandbox VM, and from/to the VM for activation, follows the Malware Interface port setting.

IMPORTANT: You can assign the Malware internet port to any one of mgmt, intfport 1, intfport 2, and intfport 3. If you configure your MGMT port as Malware internet port, the dirty traffic is still sent using the MGMT port in ATD 4.2 and later.

To separate dirty traffic from your management network, use the MGMT port only for management, and then assign the Malware internet port to either intfport 1, 2, or 3.

Affected Products

Advanced Threat Defense 4.8.x
Advanced Threat Defense 4.6.x
Advanced Threat Defense 4.4.x
Advanced Threat Defense 4.2.x
Advanced Threat Defense 4.0.x (EOL)

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Advanced Threat Defense 4.2 changes to Management Interface and Malware internet port use

Environment

Summary

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Advanced Threat Defense 4.2 changes to Management Interface and Malware internet port use

Environment

Summary

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title