As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Added one question and answer to the "Operations" section.
This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
NOTE: For readability, ATD is often still used as the product moniker below, but this article also applies to TIS.
ATD/TIS runs on either a dedicated appliance or as a virtual machine, and identifies sophisticated, hard-to-detect threats. It works by running suspected malware in a sandbox, analyzing its behavior, and assessing the potential impact that the malware might have on an endpoint and a network.
What cable do I need to connect to the appliance to run a HyperTerminal session?
Plug a console cable (RJ45 to DB9 serial) into the console port at the back of the ATD appliance. Connect the other end of the cable to the COM port of the PC you're using to configure the appliance.
How do I identify the installed ATD, DAT, and Engine versions?
Log on to the ATD management console. The ATD version is under System Information.
For example, the DAT and Engine versions are under System Information:
McAfee AV DAT Version: 7419
McAfee AV Engine Version: 5600
McAfee GAM DAT Version: 2951
McAfee GAM Engine Version: 7001.1302.1842
Why am I unable to authenticate to the ATD appliance?
You might be using the wrong username. There are two default users. Confirm that you're using the correct username:
The graphical user interface (GUI) name is admin.
The command line interface (CLI) username is cliadmin.
Which user account do I use to upload a VMDK to the ATD appliance?
You must use the atdadmin user account.
IMPORTANT: You can't use any other account, even if the FTP Access role is selected for that account.
What does the Waiting Counter (Dashboard, File Counters, Waiting) represent in the ATD Manager?
The Waiting Counter represents the count of files waiting for the Sandbox and other downselectors, such as GTI, GAM, and Blacklist.
I selected Troubleshooting, Diagnostic File, but nothing happened and no file was produced; is this result an issue or a fault with the ATD?
No. A diagnostic file is generated only if an error occurs on the ATD appliance. If no error occurs, a diagnostic file isn't generated.
Why is there a delay of 10 seconds before ATD shows the "Password:" prompt when I connect to the appliance via SSH?
You haven't assigned a valid DNS server IP address to the ATD appliance. When you set a valid DNS server, ATD shows the prompt immediately.
Why does VM creation fail after I configure the IP address of ATD?
You need to reboot the ATD appliance after you set the IP address for the first time, or when you change the IP address. If you don't reboot, ATD doesn't operate properly.
How do I erase the data on an ATD evaluation unit or my ATD appliance before returning it?
From the command line, type factorydefaults and press Enter. This command deletes all samples, results, logs, and VM images, and resets IP addresses before rebooting the appliance.
Where can I find hardware technical specifications, and system LED or beep status information, for ATD appliance hardware?
Identify which ATD hardware model you're using, and then view the corresponding Technical Product Specification from the following links.
IMPORTANT: If you suspect hardware failure, contact Technical Support and open a Service Request.
Where can I download the ePolicy Orchestrator (ePO) extensions for my release?
The ePO Software Manager lists the available extensions. The extensions are also available on the Product Downloads site under ePO downloads.
NOTE: The extensions offered might list a version number that's earlier than your installed release of ATD. Not every new build requires updated extensions; you can safely use the older extensions with your current version of ATD. For example, the Threat Events Dashboard extension is available under ATD 3.8 and the MATDXLTAG extension (for TIE integration) is under ATD 4.4. Both are compatible with all current releases of ATD.
Does ATD 4.0 use an Active or Backup partition?
No. This feature was removed in ATD 4.0. ATD 4.0 and later no longer use an Active or Backup partition.
Can I assign an ePO client task to ATD to upgrade components such as DXL or McAfee Agent?
While you can assign the tasks, you must not do so. The appliance is tested with specific versions of the components, and does not support upgrading them individually. Upgrades are delivered as part of ATD software packages, as needed for all integrated components.
My submissions are currently stuck in the analyzing state and aren't being processed. How can I delete the pending ATD sample queue?
Open a command-line session, run the command removesampleinwaiting, and restart the amas service.
Can I configure the ATD management interface to use a DHCP-assigned IP address, or must I configure a static IP address?
Yes. To configure the appliance to use a DHCP-assigned IP address, run the command set appliance ip dhcp.
Can I access the ATD User Interface from the following interfaces: eth0, eth1, eth2, eth3?
No. You can only access the ATD manager and CLI using the management port or eth0 interface.
Can the default route be applied to the management port?
No routes are needed to access the ATD manager or CLI from the management interface.
NOTE: The management GUI and REST interface use the same server and port, so they can't be isolated from each other.
When I validate an uploaded image, the validation log ends with the message "No changes for installed applications settings will be applied for [VM Image name]." What does this message mean?
The Windows 10 and 2016 validation checks stop before the validation of network protocols such as Telnet. The message reports that, because those checks aren't performed, no changes are made to the application settings in the VM image. You don't see this message when validating images that use earlier operating systems, because the checks are performed on those images.
How many CPUs and CPU cores does ATD assign to a VM system? Is it possible to customize this setting?
ATD assigns one (1) processor with one (1) core. You can't customize this setting.
When I enable "Automatically select OS" in Analyzer Profile, how does ATD select the VM Profile?
For example, consider configuring the following Analyzer Profile.
VM profile: Android
Automatically Select OS: Enable
Windows 32-bit VM Profile: WinXPsp3
Windows 64-bit VM Profile: Win7sp1x64
When an APK file is received for analysis, it's analyzed with Android. A 32-bit PE file is sent to the Windows 32-bit VM (WinXPsp3), and a 64-bit PE file is sent to the Windows 64-bit VM (Win7sp1x64). If ATD is unable to determine which operating system to send the file to, the file is sent to the operating system listed in the VM Profile. This operating system is considered the default VM for this purpose.
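The routing rule above can be modelled in a few lines. The following is an added example for this article, not ATD/TIS product code: it inspects a sample the way a dispatcher would (an APK is a ZIP archive that contains AndroidManifest.xml; a PE file carries a COFF Machine field that tells you whether it is 32- or 64-bit) and applies the Analyzer Profile from the question. The profile dictionary, the helper names, and the constructed sample files are assumptions made for the illustration.

```python
"""Model of the "Automatically select OS" VM selection (added example, not ATD code)."""
import io
import struct
import zipfile

# Analyzer Profile from the question above (constructed to match the table).
ANALYZER_PROFILE = {
    "vm_profile": "Android",             # default VM when the OS can't be determined
    "auto_select_os": True,
    "windows_32bit_vm_profile": "WinXPsp3",
    "windows_64bit_vm_profile": "Win7sp1x64",
}

# COFF Machine values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_bitness(data: bytes):
    """Return 32 or 64 for a PE file, or None if the bytes aren't a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]   # COFF header, Machine field
    if machine == IMAGE_FILE_MACHINE_I386:
        return 32
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return 64
    return None


def is_apk(data: bytes) -> bool:
    """An APK is a ZIP archive whose listing contains AndroidManifest.xml."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def select_vm(data: bytes, profile=ANALYZER_PROFILE) -> str:
    """Apply the routing described in the FAQ answer and return the VM profile name."""
    if is_apk(data):
        return "Android"
    if profile["auto_select_os"]:
        bits = pe_bitness(data)
        if bits == 32:
            return profile["windows_32bit_vm_profile"]
        if bits == 64:
            return profile["windows_64bit_vm_profile"]
    return profile["vm_profile"]          # undetermined: fall back to the default VM


def make_pe(machine: int) -> bytes:
    """Construct a minimal PE stub (DOS header, PE signature, COFF Machine) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew points just past the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


def make_apk() -> bytes:
    """Construct a minimal APK-like ZIP for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("apk", make_apk()), ("pe32", make_pe(IMAGE_FILE_MACHINE_I386)),
               ("pe64", make_pe(IMAGE_FILE_MACHINE_AMD64)), ("text", b"not an executable")]
    for name, blob in samples:
        print(name, "->", select_vm(blob))
```

The last case shows the fallback: a sample that is neither an APK nor a PE goes to the VM named in the VM Profile field, which is why that field should hold the image you want to act as the default.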
Why do I see the error message "Application Blocked by Security Settings" when I try to interact with a VM?
The Java security settings cause this error. To change these settings, open the Java Control Panel and select the Security tab. Change the Security Level to Medium and apply the changes.
What happens when you start VM Creation on the ATD appliance?
When you create a VM Profile (New OS) for the first time, ATD stops the amas service, VM Creation is started, and when finished, amas is restarted. When you change only the Maximum License count under the existing VM Profile, the amas service isn't restarted.
NOTE: Between the amas stop and amas start state, existing VMs don't process traffic. Waiting samples remain in the queue and new samples from the Network Security Platform (NSP) are dropped. But Email Gateway, Web Gateway, and RestAPI submitted samples are added to the queue.
IMPORTANT: Always stop sending traffic to ATD before starting a new VM Profile (New OS) creation.
Does the ATD appliance support interface bonding (for example, bonding eth0 to eth1)?
No. Bonding or link aggregation isn't currently supported.
What time stamp does ATD use?
ATD uses RFC 3339.
What does the output of the "show filequeue" command mean?
Processing Time: The time taken by the sample from the time ATD receives it until the analysis is complete and the reports are ready (total time spent by the sample in ATD).
Analyzing Time: The time taken by the sample to start and finish sandboxing (total time taken for analysis).
Files in SandBox: The number of samples currently being prepared for sandbox analysis. Before sandbox submission, samples are sent to heuristic analyzers. Heuristic analysis can determine that a sample is clean, in which case it doesn't require sandbox analysis. As a result, more samples can have the status "in analysis" than there are sandbox VMs.
Files in Queue: The number of files currently present in the scan directory.
Estimated average processing time for all samples: The current wait time of the system, or the time ATD takes to analyze the next submitted sample.
Can I configure multiple network interfaces such as mgmt and intfport1, as part of the same subnet?
No. ATD doesn't support configuring multiple interfaces to use the same subnet, which applies to both standalone and cluster setups.
In what order do the ATD scanners perform malware analysis?
Static Analysis:
Local whitelist
Antimalware
Gateway Anti-Malware
GTI
Local blacklist
Dynamic Analysis: (Sandbox)
NOTE: See the product guide for your release for pre- and post-actions for the scanners.
Why do I see a past time/date in the File Submitted field for samples?
ATD reuses the past scan result instead of scanning the sample again. For example, open Analysis Summary and view two of the recent scan results for the same sample (select Analysis, Analysis Reports, search for the sample, click the Reports icon, and click Analysis Summary). If ATD has reused the previously scanned results, the submitted time/date in the summary of each sample is the same past date. But, if you see that the listed time/date of each sample is different, ATD has scanned the sample again.
What information does ATD retrieve or use from the compatible and connected products?
ATD uses information learned about reputation from Global Threat Intelligence (GTI) in its determination of the probability that a file is malware.
ePO is used to help identify the target environment, so that the appropriate virtual environment can be used to analyze the file.
ATD works with ePO to identify the target device characteristics, so that dynamic analysis of the malware can be run on the appropriate operating system.
ATD accepts files from NSP and returns the outcomes of analysis, so that the information can be used in policy enforcement.
Files can also be manually uploaded through the web application (Analysis, Manual Upload), FTP, and API. For FTP, the user must have FTP access enabled for file submission under Manage, User Name.
What's the minimum threat score that ATD considers to be malicious?
The minimum threat score is 3 (medium).
How is the numeric threat score in the JSON report translated to a severity on the HTML and PDF report?
ATD severity   Meaning
-2             Failed
-1             Clean
0              Unverified
1              Informational
2              Low
3              Medium
4              High
5              Very High
I've received a Threat Analysis report, with a severity of "0" (zero) marked as "Unverified." Why is this report marked as Unverified?
ATD has tried to analyze the sample, but no valid information is seen or found to perform the analysis:
The operating system selected in the profile is incompatible with the sample.
The submitted file simply contains insufficient or invalid information for analysis, such as corrupted or incomplete information.
In both cases, no suspicious code or activity is reported.
Why does Reputation for GTI Web or URL Reputation show Failed in the Threat Analysis Report?
Failed means that the lookup suffered from an environmental issue, such as a DNS resolution failure, or that no connection to the internet was possible.
Which URLs does TrustedSource for GTI Web/URL Reputation check during Dynamic Analysis?
TrustedSource checks all URLs that the sample or its embedded/drop content tries to connect to. It also checks the URL sent with the sample, from NSP or Web Gateway (WG), for analysis. These checks are performed only when GTI URL reputation is enabled in the Analyzer Profile. All URLs such as HTTP, HTTPS, and FTP are supported.
What port does ATD use to communicate with the VNC client (to view sandboxes)?
ATD uses port 6000 and up. If you use Interactive Mode and experience issues when loading the Interactive window, you must open a range of ports starting at 6000 that covers the number of VMs you've configured. For example, if you have 10 VMs (4 XP + 6 Windows 7), the open ports must be 6000–6011.
Why do I see the error "Server refused to allocate pty" when trying to connect via SSH to the ATD appliance?
This error occurs because either port 2222 isn't open or you're not connecting through port 2222 for SSH.
Can ATD analyze a password-protected file?
ATD can take a password-protected archive and analyze the sample, but the password must be known.
Does ATD identify the vulnerability that was exploited to allow the malware to infect the system in the first place?
Yes. ATD generates summary and comprehensive reporting details to identify the behaviors and key indicators of compromise. This information is shared with our other integrated solutions, such as WG or ePO, which can then proactively enable defenses and remediation actions.
When you run the "factorydefaults" command, why are both Active and Backup software versions set at the same version?
This setting is as designed. The factorydefaults command erases both the Active and Backup settings, and the Backup software version is aligned to the Active software version.
What's the ATD DNS proxy setting?
All DNS queries performed by ATD use this DNS setting to perform lookups and other functions. These settings apply for all DNS functions, including DAT updates and GTI queries.
Can I purge the items yet to be processed from the ATD appliance?
Yes. Use the following steps to purge items that haven't been processed from the ATD appliance:
CAUTION: This action removes all existing Report Analysis Results from the system.
Open the ATD console and browse to Manage, Troubleshooting, Reset Report Analysis Results.
Click Remove all Report Analysis Results.
Click Submit.
How can I configure the session timeout setting for the ATD manager (Admin graphical user interface)?
Run the set ui-timeout command from the CLI. For example, set ui-timeout 300 sets the timeout to 300 seconds.
Why does ATD connect to mwg-update.mcafee.com?
ATD retrieves antivirus and GAM updates from mwg-update.mcafee.com and communicates using the following ports:
Client              Server                             Default port      Configurable   Description
ATD                 tunnel.message.trustedsource.org   TCP 443 (HTTPS)   No             File Reputation queries
ATD                 list.smartfilter.com               TCP 80 (HTTP)     No             URL updates
Any (SSH client)    ATD                                TCP 2222 (SSH)    No             CLI access
ATD                 mwg-update.mcafee.com              TCP 443 (HTTPS)   No             Updates for Gateway Anti-Malware Engine and Anti-Malware Engine
ATD                 atd.rest.gti.mcafee.com            TCP 443 (HTTPS)   No             Updates for the ATD software
What does the "set gti dns check" CLI command do? Under what circumstances must I change this setting?
ATD performs name resolution either through the DNS or DXL channel to complete GTI queries. Change this setting in accordance with the channel that you want to use for GTI communication:
If the set gti dns check is set to enabled, the GTI process performs the DNS reachability/name resolution check during startup. If the check fails, the GTI process fails to start. Use this setting when you want your ATD to reach GTI via the DNS/HTTPS channel.
If the set gti dns check is set to disabled, the GTI process starts without checking DNS reachability/name resolution on ATD. Use this setting when you want your ATD to reach GTI via the TIE/DXL channel, and when your ATD doesn't have direct DNS/HTTPS access to the internet.
Why are no ICMP packets sent outside of ATD, even though malware internet access has been enabled and ICMP reply messages are sent back to the appliance?
This behavior is as designed. ICMP behavior is always according to the Simulator mode, and so ICMP (Ping) packets are not sent outside of the ATD appliance and ICMP reply messages are sent back to it.
Can I change the settings in a VM that's already uploaded to ATD (for example, changing the IP address of the DNS server from A.B.C.D to W.X.Y.Z)?
Yes. You can change settings over the VNC connection under Policy, VM Profile. Choose your VM, and then click Edit, Activate. After you change the needed settings, shut down the VM, and then check Validation and Create license. This process creates a VM with the changed settings.
Are there any considerations or actions to be performed before I add VM profiles, VM analyzer profiles, or add or reduce the licenses assigned to a VM profile?
Yes. We recommend that you stop the amas service before you run vmcreator, even when you're changing the licenses.
What information is deleted if I select Reset Database when I upgrade ATD?
The following information is deleted:
Analyzer Profile
Analysis Status
Analysis Results
User Management
ePO Login/DXL Setting
Date and Time Settings
SNMP Settings
Syslog Settings
Backup Scheduler Settings
The following information is not deleted:
VM profile entries in Policy, VM Profile
Manage, Proxy Settings
Manage, DNS Settings
How can I configure ATD to review a file based on the file extension and not just by the file header before sending it for dynamic analysis?
At the ATD command line, type filetypefilter enable and press Enter.
When I add an MD5 hash to the blacklist, what value do I enter for ENG-ID and OS-ID?
Use 1 (one) for the ENG-ID and OS-ID values.
How can I view the ATD log files?
Select Troubleshooting, Log Files.
Which OIDs can be used to monitor the ATD appliance via SNMP (SNMP monitoring)?
The ATD backup archive file appears to be encrypted. How can I decrypt the file to restore it?
You don't need to decrypt the file before restoring it. The backup and restore subcomponent of ATD handles it behind the scene.
Does ATD accept sample submission during the VM creation process?
Yes. ATD accepts samples when you're creating VM profiles. These samples are placed into a queue, and ATD scans them after VM creation is complete.
NOTE: VM creation might take a long time if you have a large number of VMs to process. VM creation might cause issues if your devices (for example, an Email Gateway appliance) have a low ATD scan timeout setting (15 minutes) configured. In that case, Email Gateway submits samples to ATD, but the ATD scan times out after 15 minutes and Email Gateway then scans the sample.
Why are Windows 7 test mode messages shown in the lower-right corner of the VM window when I submit a sample in X-mode?
ATD must use the test mode to ensure compatibility with Windows 7 during sample analysis.
NOTE: There's no influence on analysis results.
The ATD Analyzer Profile offers two options that control how the downselectors and scanners run against a sample: "Continue to run all engines even after the file is found malicious" and "Skip files if previously analyzed". What happens if I select both options?
The "Continue to run all engines even after the file is found malicious" option takes precedence over the "Skip files if previously analyzed" option. If you enable both, ATD doesn't skip files that were previously analyzed.
When I create a VM with Hardware version 9 on VMware Workstation Pro, I see a warning that version 9 isn't supported. Will the company ever support VMs created with Hardware version 9?
Yes, after testing, VMs with Hardware version 9 are now supported. You can ignore this message.
Which URLs does ATD try to connect to when proxy testing the GTI HTTP and Malware Site Proxies?
In both cases, ATD tries to connect using "http://www.google.com/". If this URL isn't accessible, ATD displays the following error: Test connection failed.
How often does ATD automatically check for updates? What's the interval between update checks?
When you enable automatic updates, ATD automatically checks at the following intervals:
DAT: Every 90 minutes
Detection package: Daily
Application software: Daily
The Point Products portlet shows my integrated product with a yellow background color, with a past time stamp.
But the integrated point product says the connection to ATD/TIS is good. Why?
The Point Products portlet shows the time stamp of the last sample submission. It's not the latest successful login to ATD/TIS. Point Product portlet shows a yellow status if the integrated client hasn't sent a new sample within the last 30 minutes.
What's the criteria for the Malicious, Not Malicious, Clean, and Not Rated categories in the File Counters and Email Counters portlets?
'Malicious' applies to severity 3, 4, or 5. The 'Not Malicious' category applies to a sample with severity 1 or 2. 'Clean' is severity -1. 'Not rated' is severity 0.
What's the criteria for Recent Malware by Filename portlet?
The Recent Malware by Filename portlet shows the file name of the samples recently convicted as malicious (severity 3, 4, or 5).
Why do I need to activate Windows and Office twice in the VM creation process as documented in the installation guide?
The installation guide tells me to activate Windows and Office in VMware or Hyper-V when creating a VM image, and then activate them again after uploading the VM image to ATD/TIS and converting it. Why?
Hypervisor gives an abstract hardware layer to the guest VM OS. VMware and Hyper-V also give their own abstract hardware layer to the guest. Finally, ATD/TIS also gives its own abstract hardware layer to the guest. When you create your VM using VMware/Hyper-V, and then upload the VM to ATD/TIS and convert it, the VM receives a different abstract hardware layer from the ATD/TIS hypervisor.
This operation is like moving the system HDD/SSD between bare-metal Windows systems with different hardware components. Microsoft created a licensing validator to detect significant hardware component changes, requiring users to reactivate in such a case. Therefore, uploading the VM image to ATD/TIS triggers licensing reactivation for Windows and Office.
Is it possible to move an instance of vTIS/vATD from one hypervisor host to another? Is vMotion in ESXi supported?
No. It's not supported.
What validation checks does ATD perform before it accepts the web certificate?
The appliance checks for both the certificate and key in the uploaded certificate in PEM format.
ATD checks for the correct key length and accepts it only if it's 2048 bits or more.
ATD checks for a hash/signature algorithm and accepts only SHA256 and above.
ATD checks for validity of the certificate by checking the expiry date.
ATD checks for OCSP or CRL for revocation. The certificate must have the OCSP/CRL URL. It accepts HTTP URLs only.
ATD checks the host name validation for the presented identifier in the SAN or CN field of the certificate. The certificate must have a proper hostname/FQDN/IP in SAN/CN.
What web certificate file format does ATD accept?
ATD accepts a valid certificate with an unencrypted private key in PEM format. The web certificate file must be arranged in the following format:
-----BEGIN RSA PRIVATE KEY-----
(your private key data)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(your certificate data)
-----END CERTIFICATE-----
NOTE:
There must be no empty lines between the END RSA PRIVATE KEY line and BEGIN CERTIFICATE line. These two lines must appear sequentially.
If you have separate files (one certificate file and one private key file), you can combine them using a text editor and then upload the file to ATD.
If you're using ATD 4.0 and generate a Certificate Signing Request (CSR) with the CSR Generation feature in the manager, your signed web certificate mustn't contain the private key section.
How does the ATD 4.x CSR Generation feature work?
The feature generates a private key and CSR pair and stores them in the ATD back-end. You can download the CSR from the manager, and then have it signed by your preferred CA to produce the web certificate for the appliance. After your web certificate is signed, you can upload it, together with your CA certificate, to the appliance.
NOTE: The web certificate doesn't need the private key section in the file, as long as your web certificate originates from the CSR.
The ATD back-end holds the private key for the CSR, and uses it with the signed certificate.
What happens if I delete an entry under CSR Generation?
The ATD back-end keeps the private key along with the CSR. The private key is used for validating your web certificate.
If you delete an entry under CSR Generation from the ATD GUI, your CSR and its private key are deleted. This deletion causes a certificate validation failure.
How do I combine the certificate and private key files?
Open both the certificate file and private key file in a text editor.
Copy the entire contents of the private key file, and then paste it to the start of the certificate file.
Save the web certificate file.
Upload the combined certificate file to ATD.
Does ATD accept an encrypted private key in the web certificate file?
No. You need to use an unencrypted private key in the web certificate file.
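The file-layout rules above (key first, then certificate, no blank line between the END PRIVATE KEY and BEGIN CERTIFICATE lines, unencrypted key only) are easy to get wrong in a text editor. The following added example, written for this article and not part of ATD/TIS, combines the two files and checks the result before you upload it. It detects an encrypted key by the standard PEM markers (an "ENCRYPTED PRIVATE KEY" block, or a "Proc-Type: 4,ENCRYPTED" header on a legacy RSA key); it does not check key length, signature algorithm or expiry, which the appliance checks itself. The sample key and certificate bodies are constructed placeholders.

```python
"""Combine and sanity-check the ATD web certificate file (added example, not ATD code)."""
import re

BEGIN_KEY = re.compile(r"^-----BEGIN (RSA )?PRIVATE KEY-----$")
END_KEY = re.compile(r"^-----END (RSA )?PRIVATE KEY-----$")
BEGIN_CERT = "-----BEGIN CERTIFICATE-----"


def combine_key_and_cert(key_pem: str, cert_pem: str) -> str:
    """Key first, then certificate, with the END and BEGIN lines on consecutive lines."""
    return key_pem.strip() + "\n" + cert_pem.strip() + "\n"


def check_combined_pem(text: str) -> list:
    """Return a list of layout problems; an empty list means the file is acceptable."""
    problems = []
    lines = text.splitlines()
    if ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in lines
            or any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)):
        problems.append("private key is encrypted; ATD needs an unencrypted private key")
    key_end = next((i for i, ln in enumerate(lines) if END_KEY.match(ln)), None)
    has_key_begin = any(BEGIN_KEY.match(ln) for ln in lines)
    cert_begin = next((i for i, ln in enumerate(lines) if ln == BEGIN_CERT), None)
    if key_end is None or not has_key_begin:
        problems.append("no private key block found")
    if cert_begin is None:
        problems.append("no certificate block found")
    if key_end is not None and cert_begin is not None:
        if cert_begin < key_end:
            problems.append("certificate appears before the private key; the key must come first")
        elif cert_begin != key_end + 1:
            gap = cert_begin - key_end - 1
            problems.append("END PRIVATE KEY and BEGIN CERTIFICATE must be consecutive lines "
                            "(found %d line(s) between them)" % gap)
    return problems


# Constructed sample inputs: placeholder base64, not real key or certificate data.
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "MIIBOgIBAAJBAKconstructedplaceholder\n"
              "-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "MIIBszCCAV2gconstructedplaceholder\n"
               "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    combined = combine_key_and_cert(SAMPLE_KEY, SAMPLE_CERT)
    print(combined)
    print("problems:", check_combined_pem(combined))
    # A blank line between the blocks, as a text editor often leaves behind:
    print("problems:", check_combined_pem(SAMPLE_KEY + "\n" + SAMPLE_CERT))
```

If you generated the CSR with the ATD 4.x CSR Generation feature, skip the combine step entirely and upload the signed certificate on its own, as the answers above state; the checker's "no private key block found" message is expected in that case.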
In the ATD 4.x manager, there's a Trusted CA Certificate field, in addition to the conventional CA Certificate field, which is also present in ATD 3.x manager. Which one must I use for my CA certificate in ATD 4.x?
Use the Trusted CA Certificate field. The CA Certificate field is present only for backward compatibility.
Does ATD 4.x support intermediate CA under the Manage, Security, Manage Certificate, Trusted CA Certificate field?
Yes.
How does ATD 4.x check the certificate chain if I upload an intermediate CA to the Trusted CA Certificate field?
ATD performs chain validation for a non-root CA certificate using the Authority Information Access (AIA) URL. It accepts HTTP URLs only. If the non-root CA certificate doesn't have the AIA field, ATD reports a certificate validation failure. The certificate must have the AIA field with an HTTP URL.
Do I need to upload the intermediate certificate, along with the root CA certificate, to validate the certificate chain of my web certificate?
No. ATD requires only the root CA certificate to validate your web certificate.
What requirements does ATD need for my web certificate, to validate the certificate chain?
Your web certificate must have the AIA field point to the URL of the issuer of your web certificate (signer certificate).
How does ATD validate my web certificate against root CA certificate?
ATD checks the AIA field of your web certificate, and extracts the URL of the issuer of your web certificate. Then, ATD tries to download the certificate of the issuer of your web certificate.
If your issuer is an intermediate certificate, ATD tries to download another issuer of the issuer (traversing one level higher in the certificate chain) by referring to the AIA field of the issuer.
If the issuer that's reached by traversing AIA is the root CA, ATD compares the root CA that's achieved by traversing AIA with your root CA that you've uploaded to the ATD GUI.
Validation succeeds if both the root CAs are identical.
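The chain walk described in the last two answers is easier to reason about as code. The following is an added example written for this article, not ATD/TIS code: certificates are represented as small constructed records (subject, issuer, fingerprint, AIA issuer URL) rather than parsed X.509, and the HTTP download is replaced by an injected fetch function so the walk runs offline. It reproduces the rules on the page: follow the AIA URL upward, accept HTTP URLs only, fail if a non-root certificate has no AIA field, and succeed only when the root reached matches the uploaded root. The depth limit is an added guard against an issuer loop, not something the page describes.

```python
"""Model of ATD's AIA-driven chain validation (added example, not ATD code)."""
from urllib.parse import urlparse


class ChainError(Exception):
    """Raised when the walk can't reach a root the way the FAQ answers describe."""


# Constructed certificate records for this illustration (not real X.509 data).
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA",
        "fingerprint": "sha256:root-constructed", "aia_issuer_url": None}
INTERMEDIATE = {"subject": "Example Issuing CA", "issuer": "Example Root CA",
                "fingerprint": "sha256:intermediate-constructed",
                "aia_issuer_url": "http://pki.example.test/root.crt"}
LEAF = {"subject": "atd.example.test", "issuer": "Example Issuing CA",
        "fingerprint": "sha256:leaf-constructed",
        "aia_issuer_url": "http://pki.example.test/issuing.crt"}

# Stand-in for the downloads ATD would perform, keyed by AIA URL.
REPOSITORY = {"http://pki.example.test/issuing.crt": INTERMEDIATE,
              "http://pki.example.test/root.crt": ROOT}


def walk_to_root(leaf: dict, uploaded_root: dict, fetch, max_depth: int = 5) -> bool:
    """Follow AIA from the web certificate upward; True if the root reached equals the uploaded root."""
    current = leaf
    for _ in range(max_depth):
        if current["subject"] == current["issuer"]:          # self-signed: this is the root CA
            return current["fingerprint"] == uploaded_root["fingerprint"]
        url = current.get("aia_issuer_url")
        if not url:
            raise ChainError("certificate for %s has no AIA field" % current["subject"])
        if urlparse(url).scheme != "http":                  # the page: HTTP URLs only
            raise ChainError("AIA URL must be HTTP, got %s" % url)
        issuer = fetch(url)
        if issuer is None or issuer["subject"] != current["issuer"]:
            raise ChainError("could not retrieve issuer %s via %s" % (current["issuer"], url))
        current = issuer                                     # traverse one level higher
    raise ChainError("chain longer than %d certificates" % max_depth)


if __name__ == "__main__":
    print("matches uploaded root:", walk_to_root(LEAF, ROOT, REPOSITORY.get))
    other_root = dict(ROOT, fingerprint="sha256:some-other-root")
    print("matches a different root:", walk_to_root(LEAF, other_root, REPOSITORY.get))
    try:
        walk_to_root(dict(LEAF, aia_issuer_url=None), ROOT, REPOSITORY.get)
    except ChainError as err:
        print("validation failure:", err)
```

Note that the uploaded intermediate is never consulted during the walk; as the answers above say, only the root CA certificate you uploaded is compared against, and the intermediate is reached through the web certificate's AIA field.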
Can ATD's integration with Active Directory support nested groups?
Yes. But, you must use the subtree option of the BaseDN search.
I'm configuring an FTP server to be used as a repository for my ATD Scheduled Database Backup; are there any limitations or requirements?
Your FTP server must support the SIZE command. If the configured FTP server doesn't support it or the command is disabled, your backup fails when the SIZE command is run.
NOTE: The SIZE command is defined in RFC 3659: Extensions to FTP. ATD uses this command to confirm the success of uploading.
Does ATD support LDAP and RADIUS?
ATD supports LDAP. ATD does not support RADIUS.
Does ATD support the configuration of IPv6?
No. ATD currently doesn't support IPv6, but this support is projected for a future update.
Does ATD support Common Criteria certification?
Yes. Common Criteria certification is supported in ATD.
Are there any IP address ranges that must be avoided or are used by ATD?
ATD 4.0.2 mustn't be deployed in the ranges 192.168.55.0/24 (used by Email Connector) and 192.168.122.0/24 (used by VM).
ATD 4.0.4 and later mustn't be deployed in the ranges 192.168.55.0/24 (used by Email Connector) and 192.168.122.0/24 (used by VM) by default.
You can change these internal ranges by using the set internal net CLI command. To see the current internal network ranges, use the show internal net CLI command.
NOTE: Setting your VMs to this range means that they aren't seen or available.
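A quick overlap check against the two internal ranges saves a redeployment. The following is an added example for this article, not ATD/TIS code: it takes the management address or subnet you plan to use (a host address or CIDR) and reports which default internal ranges it collides with. The range table is the default from the answer above; if you have changed it with set internal net, substitute the output of show internal net. The IPv4-only check reflects the IPv6 answer earlier on this page.

```python
"""Check a planned ATD address or subnet against the internal ranges (added example, not ATD code)."""
import ipaddress

# Default internal ranges from the answer above.
INTERNAL_NETS = {
    "Email Connector": ipaddress.ip_network("192.168.55.0/24"),
    "VM": ipaddress.ip_network("192.168.122.0/24"),
}


def conflicting_internal_nets(planned: str, internal=INTERNAL_NETS) -> list:
    """Return the names of internal ranges that overlap the planned address or CIDR."""
    net = ipaddress.ip_network(planned, strict=False)   # "192.168.55.10" becomes a /32
    if net.version != 4:
        raise ValueError("ATD doesn't support IPv6 addresses: %s" % planned)
    return [name for name, rng in internal.items() if net.overlaps(rng)]


if __name__ == "__main__":
    for candidate in ("10.20.30.40/24", "192.168.55.10", "192.168.0.0/16"):
        clashes = conflicting_internal_nets(candidate)
        print(candidate, "->", "OK" if not clashes else "conflicts with " + ", ".join(clashes))
```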
What package must I use to view a Disassembly Results Report?
To view the report's <file name>.asm file, use Notepad++. The advantage of using this package is that it performs syntax highlighting.
What package must I use to view a Logic Path Graph?
To view the graph (<file name>.gml), use yEd.
The virtual appliance is restricted to eight sandboxes. But, I've purchased a license for more than eight sandboxes; for example, the v1016, 16 sandbox license.
Does this mean that vATD isn't restricted to eight sandboxes?
No. These packages (v1016, v3032, and v6064) are sold to allow you to install a scalable clustered setup.
For example, the v1016 16 license package allows you to set up a pair of vATD appliances, allowing eight sandboxes on each cluster node. This setup provides scale and redundancy.
Can I use a hardware load balancer with ATD?
No. You must use the built-in load balancer. Our product that submits the sample obtains the results by sending a query, and listing the explicit audit ID issued by the first ATD at the time of sample submission. If the query is sent to a different server because of load balancing, it either returns an incorrect result or the query is rejected.
Where can the ATD appliance be sited?
The ATD appliance doesn't have to be placed in-line with traffic or at the edge of the network. It can be placed centrally or on an appropriate network segment, and the NSP Sensor forwards data to it.
What's the required free disk space in a VM deployed on ATD?
250 MB. If your VM has less than 250 MB of available disk space, the validation process reports FAIL at the Free Space stage.
Can I use the LAN2 interface as the communication port of the ATD server?
Yes. Either LAN1 or LAN2 can be used as the communication port of the ATD server when the ATD server is managed using an IP address.
NOTE: You might need to set up static routes for the traffic sent between Email Gateway and the ATD appliance when you use the LAN2 interface.
Why is the connection speed of my ATD appliance slow?
The NIC is incorrectly configured, which causes the NIC auto-negotiation to fail.
From the ATD CLI, you can run the show command to view the interface settings for the management NIC.
You can manually configure the network settings by running the set mgmtport speed [10/100/1000] duplex full command.
Or, you can perform auto-negotiation again by running the set mgmtport auto command.
How are the drives used on the ATD servers?
VM images and snapshots are saved on the SSD drives; System Disk and Data Disk partitions are on the HDDs.
Files saved on each partition:
Data Disk: vmdk, sample files, sample reports, and log files.
System Disk: ATD System Software, system logs.
Can I mix and match ATD model appliances in an ATD cluster? For example, can I combine 2x ATD-3000 and 1x ATD-6000 to create a cluster?
Yes. You can mix physical ATD appliance models in a cluster, but you can't add a virtual appliance to a cluster of physical appliances.
Can I use old and new model appliances in the same cluster?
Yes. For example, you can add a new ATD-3100 or ATD-6100 appliance to your existing cluster of ATD-3000 or ATD-6000 appliances.
IMPORTANT: All appliances must run the same version of ATD software.
Can I cluster virtual ATD appliances and are they supported?
Yes. You can cluster a vATD device with other vATD devices, but you can't mix virtual and physical ATD appliances in one cluster. A cluster must be either all virtual or all physical; mixed clusters are not supported.
Is a cluster with primary and secondary appliances located in different DCs or networks supported?
No. Only clusters with both appliances on the same network are supported.
Can I operate ATD on a closed network without internet connectivity? How are updates made?
Yes. ATD has its own virtual network (internet simulator) and doesn't need internet access to function. ATD currently doesn't fetch updates offline: update packages must be downloaded on a connected system and then imported into the appliance. The internet simulator currently emulates the following services:
HTTP
SMTP
FTP
TELNET
DNS
Does ATD support NIC bonding, teaming, or network aggregation?
No. ATD doesn't support these technologies.
Must I use the main network for internet access for samples, or must I implement a separate network or line?
We recommend that you segment your network so that sample traffic can't damage the reputation of your main IP address. Either use a fully segregated network or dedicate a specific IP address to this function; if that address ends up with a poor reputation, the rest of your business is unaffected.
Which port is used to pass URL Download traffic when the Malware Interface is configured?
URL Download traffic passes through the Malware Interface only when the Malware Interface is configured. If the Malware Interface isn't configured, URL Download traffic passes through the Management Port.
Does the activation VM, opened from the ATD Manager to activate Windows and Office, use the malware DNS server, malware proxy server, and malware interface?
Only partly. The activation VM uses the malware DNS server, but no proxy, and exits through whichever interface the system routing table selects.
Does the sandbox VM in which the sample is executed use the malware DNS server, malware proxy server, and malware interface?
Yes. The sandbox VM uses the malware DNS server, malware proxy server (if configured), and malware interface for the malware gateway.
How can I view the ATD and NSP Channel Status?
To check the status of the ATD and NSP communication link, run the status command from the NSP Sensor command line.
For example:
[McAfee MATD Communication] Status : up
IP : 172.23.80.7
Port : 8505
NOTE: If the link isn't up, the status reads down.
Does the NSP Sensor send files to the ATD appliance when traffic is sent over HTTPS and the NSP Sensor has the correct certificate to decrypt?
Yes. File extraction over HTTPS for malware analysis is supported. If the NSP Sensor has the SSL feature enabled and the correct certificate imported, the NSP Sensor can decrypt the files over HTTPS and send files to the ATD appliance for malware analysis.
How can I confirm whether the NSP Sensor is connected to ATD?
Open a command-line session to the NSP Sensor, run the status command, and check the information under McAfee MATD Communication.
How can I confirm whether a file has been sent to ATD?
Open a command-line session to the NSP Sensor, run the malwareenginestats command, and view the output.
Example:
MALWARE STATISTICS FOR MATD ENGINE:
--------------------------------------------------
Number of files sent: 4
Number of responses received: 4
Number of files ignored: 0
Which physical port does the NSP Sensor use to communicate with the ATD appliance?
The NSP Sensor uses its management port to communicate with the ATD appliance.
Can NSP block malicious files when integrated with ATD?
Yes, with the following considerations:
NSP can block inline only on a static detection.
Dynamic (sandbox) detection takes longer, but NSM pulls the dynamic scan report when it's complete.
ATD performs an initial static scan and reports the result to NSM. If the file is matched, NSM blocks it.
NSP holds the file for only six seconds, and dynamic analysis usually takes longer than that. But if the dynamic scan produces a detection, NSM pulls the report from ATD.
Why does the NSP Sensor not send many files to ATD?
The NSP Sensor needs to see the entire file before it can submit it. Sometimes your network configuration (for example, an asymmetric traffic flow) prevents the Sensor from seeing the whole file. To work around this, set the NSP Sensor to permit for flow control instead of permit out of order in the Sensor's TCP settings (Devices, Policy, Advanced, TCP Settings).
Why are my signature updates failing?
Incorrect DNS settings usually cause this issue. Confirm that the DNS settings under the DNS Proxy setting are correct.
What's the maximum file size that ATD can scan with NSP?
The file scan limit for NSP is set to 25 MB.
Can different Sensors be set to different scanning profiles?
No.
How can I validate that NSM can send files to ATD?
The status command on the NSP Sensor shows whether it can communicate:
[McAfee MATD Communication] Status : up
IP : 172.18.18.218
Port : 8505
Download a PE or Office file via the NSP Sensor and make sure that it's being analyzed on ATD.
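The status and malwareenginestats checks above are easy to script for a monitoring job. The following Python is an added example (not part of this article or the NSP product): it parses the two command outputs quoted above, reports whether the Sensor-to-ATD channel is up and pointing at the expected ATD, and compares the malwareenginestats counters taken before and after a PE or Office test download to confirm the file was submitted. The sample outputs are constructed from the excerpts in this article, and the field layout is assumed to match them.

```python
import re

# Constructed sample output, modelled on the 'status' and 'malwareenginestats'
# excerpts quoted in this article. Not captured from a real NSP Sensor.
STATUS_UP = """\
[McAfee MATD Communication] Status : up
IP : 172.18.18.218
Port : 8505
"""

STATUS_DOWN = """\
[McAfee MATD Communication] Status : down
IP : 172.18.18.218
Port : 8505
"""

STATS_BEFORE = """\
MALWARE STATISTICS FOR MATD ENGINE:
--------------------------------------------------
Number of files sent: 4
Number of responses received: 4
Number of files ignored: 0
"""

# The same counters after one PE or Office test file was downloaded through the Sensor.
STATS_AFTER = """\
MALWARE STATISTICS FOR MATD ENGINE:
--------------------------------------------------
Number of files sent: 5
Number of responses received: 5
Number of files ignored: 0
"""

ATD_CHANNEL_PORT = 8505  # port shown in the status output in this article


def parse_matd_status(text):
    """Extract channel state, ATD IP and port from 'status' output."""
    m = re.search(r"\[McAfee MATD Communication\]\s*Status\s*:\s*(\w+)", text)
    if not m:
        raise ValueError("no [McAfee MATD Communication] block in status output")
    ip = re.search(r"^\s*IP\s*:\s*(\S+)", text, re.MULTILINE)
    port = re.search(r"^\s*Port\s*:\s*(\d+)", text, re.MULTILINE)
    return {
        "up": m.group(1).lower() == "up",
        "ip": ip.group(1) if ip else None,
        "port": int(port.group(1)) if port else None,
    }


def parse_matd_stats(text):
    """Extract the three counters from 'malwareenginestats' output."""
    labels = {"sent": "files sent", "received": "responses received", "ignored": "files ignored"}
    counters = {}
    for key, label in labels.items():
        m = re.search(r"Number of %s\s*:\s*(\d+)" % label, text)
        if not m:
            raise ValueError("counter '%s' missing from malwareenginestats output" % label)
        counters[key] = int(m.group(1))
    return counters


def channel_problems(status_text, expected_ip):
    """Return a list of findings; an empty list means the Sensor-to-ATD link looks healthy."""
    state = parse_matd_status(status_text)
    problems = []
    if not state["up"]:
        problems.append("MATD channel is down")
    if state["ip"] != expected_ip:
        problems.append("channel points at %s, expected %s" % (state["ip"], expected_ip))
    if state["port"] != ATD_CHANNEL_PORT:
        problems.append("unexpected channel port %s" % state["port"])
    return problems


def submission_check(stats_before_text, stats_after_text):
    """Compare counters taken before and after a test download.

    'files sent' must grow for the download to count as submitted. If it stays
    flat, the Sensor did not submit the file (see the asymmetric-traffic note
    in this article). Outstanding responses are sent minus received.
    """
    before = parse_matd_stats(stats_before_text)
    after = parse_matd_stats(stats_after_text)
    new_sent = after["sent"] - before["sent"]
    return {
        "submitted": new_sent > 0,
        "new_files_sent": new_sent,
        "new_files_ignored": after["ignored"] - before["ignored"],
        "responses_outstanding": after["sent"] - after["received"],
    }


if __name__ == "__main__":
    print(channel_problems(STATUS_UP, "172.18.18.218"))    # []
    print(channel_problems(STATUS_DOWN, "172.18.18.218"))  # ['MATD channel is down']
    print(submission_check(STATS_BEFORE, STATS_AFTER))
```

In practice you would feed the functions the text captured from an SSH session to the Sensor, and alert when channel_problems returns anything or when a scheduled test download leaves "files sent" unchanged.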
When Email Gateway sends more samples than ATD can handle and overloads the appliance, can I be notified?
No. When ATD is overloaded, samples from Email Gateway are rejected, and you can see them only on the ATD Analysis Status page, marked as Rejected. ATD sends no email or other notification for these rejections.
Do I need to break the integration with Email Gateway or Web Gateway before upgrading my ATD software?
No. You don't need to break this integration before performing an ATD upgrade.
What's the maximum file size that ATD scans with Web Gateway?
The file scan limit for Web Gateway is 128 MB (122.07 MiB).
The Email Connector offers the "Action when system is overloaded" setting under Manage, EC, Configuration. What are the criteria for the Email Connector to treat the system as overloaded?
Email Connector has two criteria for treating the system as overloaded:
Number of concurrent SMTP connections to Email Connector — If Email Connector already has the maximum allowed concurrent SMTP connections, any new incoming connections are treated according to the setting: Action when system is overloaded.
Estimated average processing time — The system is treated as overloaded when the estimated average processing time for all samples shown by the show filequeue CLI command exceeds double the time configured in the MEG Wait-Time Threshold in Seconds setting.
NOTE: This setting is located under Manage, ATD Configuration, Global Settings.
What's the number of maximum allowed concurrent SMTP connections?
ATD up to version 4.6.2 has a fixed limit of 300, regardless of the ATD model, physical or virtual appliance, or standalone or cluster.
ATD 4.8 has the following maximum concurrent SMTP connections:
vATD in standalone: 80
vATD in cluster: 350
Physical ATD in standalone: 250
Physical ATD in cluster: 550
What's the recommended concurrent SMTP sessions from my secure email gateway to the ATD 4.8 Email Connector?
We recommend that you configure your secure email gateway to establish fewer concurrent SMTP sessions than the maximum limits listed above.
For further details, see the ATD 4.8 Installation guide.
What happens if I select "Reject SMTP connections" (under Manage, EC, Configuration, Action when system is overloaded setting), and the overload criteria are met?
The Email Connector responds with the 421 ATD System Overloaded error in the SMTP welcome banner, instead of the 220 McAfee ATD Email Connector.
Your Secure Email Gateway then recognizes the 421 code and treats it as a transient error.
What happens if I select "Deliver emails unscanned" (under Manage, EC, Configuration, Action when system is overloaded setting), and the overload criteria are met?
The Email Connector accepts the SMTP connection, and then forwards or delivers email without scanning samples, but adds the following email headers:
X-ATD-TOOBUSY: 1
X-ATD-VERDICT: -8
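The overload criteria, the per-model connection limits, and the two "Action when system is overloaded" behaviours described above fit together as one decision. The following Python is an added example (not the Email Connector's own code) that models that decision: it returns the documented limit for a given ATD version and deployment, evaluates both overload criteria, and produces either the 421 greeting (which the secure email gateway treats as transient and retries) or a 220 greeting plus the two X-ATD headers for unscanned delivery. The numeric inputs in the demo and the header representation as (name, value) tuples are constructed assumptions.

```python
# Maximum concurrent SMTP connections to the Email Connector, as listed in this
# article. ATD up to 4.6.2 has one fixed limit; ATD 4.8 depends on form factor
# and topology. Versions not listed in the article raise an error.
MAX_SMTP_48 = {
    ("virtual", "standalone"): 80,
    ("virtual", "cluster"): 350,
    ("physical", "standalone"): 250,
    ("physical", "cluster"): 550,
}

BANNER_OK = "220 McAfee ATD Email Connector"
BANNER_OVERLOADED = "421 ATD System Overloaded"
UNSCANNED_HEADERS = [("X-ATD-TOOBUSY", "1"), ("X-ATD-VERDICT", "-8")]


def max_smtp_connections(version, form_factor, topology):
    """version is a tuple such as (4, 8, 0); form_factor is 'virtual' or 'physical';
    topology is 'standalone' or 'cluster'."""
    if version <= (4, 6, 2):
        return 300
    if version[:2] == (4, 8):
        return MAX_SMTP_48[(form_factor, topology)]
    raise ValueError("no documented limit for ATD %s" % ".".join(map(str, version)))


def overload_reasons(active_connections, max_connections,
                     estimated_avg_processing_s, meg_wait_threshold_s):
    """Return the overload criteria that are currently met (empty list = not overloaded)."""
    reasons = []
    if active_connections >= max_connections:
        reasons.append("concurrent SMTP connections at limit (%d)" % max_connections)
    if estimated_avg_processing_s > 2 * meg_wait_threshold_s:
        reasons.append("estimated processing time %ds exceeds 2 x MEG wait-time threshold (%ds)"
                       % (estimated_avg_processing_s, meg_wait_threshold_s))
    return reasons


def connector_decision(reasons, action):
    """action is 'reject' (Reject SMTP connections) or 'deliver' (Deliver emails unscanned).

    Returns the SMTP greeting, whether the connection is accepted, whether the
    sample is scanned, and any headers added to the delivered message.
    """
    if not reasons:
        return {"banner": BANNER_OK, "accept": True, "scan": True, "extra_headers": []}
    if action == "reject":
        return {"banner": BANNER_OVERLOADED, "accept": False, "scan": False, "extra_headers": []}
    if action == "deliver":
        return {"banner": BANNER_OK, "accept": True, "scan": False,
                "extra_headers": list(UNSCANNED_HEADERS)}
    raise ValueError("unknown overload action %r" % action)


def seg_should_retry(banner):
    """A 4xx greeting is a transient SMTP error: the secure email gateway queues and retries.
    Anything else is either success (2xx) or a permanent failure (5xx)."""
    code = int(banner.split()[0])
    return 400 <= code < 500


if __name__ == "__main__":
    # Constructed scenario: vATD 4.8 standalone, 80 open sessions, queue estimate 130 s,
    # MEG Wait-Time Threshold 60 s.
    limit = max_smtp_connections((4, 8, 0), "virtual", "standalone")
    reasons = overload_reasons(80, limit, 130, 60)
    for action in ("reject", "deliver"):
        d = connector_decision(reasons, action)
        print(action, d["banner"], "retry:", seg_should_retry(d["banner"]), d["extra_headers"])
```

The strict comparison in overload_reasons mirrors "exceeds double the time": an estimate of exactly twice the threshold is not yet overloaded. When sizing the gateway side, pick its session limit below max_smtp_connections so the first criterion is never the one that trips.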
What's the expected status for an Email Connector in the Dashboard on my ATD cluster?
The Email Connector runs only on the node that holds the Active role, normally the Primary Node. If the Backup Node takes over the Active role, the Email Connector comes UP on the backup node automatically. In normal operation you therefore see the following status:
Active Primary Node: Healthy
Backup Node: Uninitialized
What's Deep Neural Network (DNN) and why does ATD use it?
DNN is a centralized system that uses machine learning to identify malicious indicators in a sample. ATD uses this machine learning to improve its prediction accuracy.
How does ATD send information to your company for machine learning?
ATD collects DNN-related information for future improvement, and sends it to us through the management interface port, using the telemetry feature.
Does ATD send sample files to your company for inspection for machine learning?
No.
Does the ATD appliance learn from its own scan results and improve its individual detection?
No. Learning is performed in-house. The improved detection information is shipped with an updated detection package or ATD release.
IMPORTANT: There's no local DNN learning or profile to configure or reset.
Does ATD dynamically check the latest machine learning results via the internet each time it scans a sample?
No. Checks and predictions are performed using the local detection package. No real-time checks are sent to us; only result-related information is collected and sent via telemetry.
Does DNN cause any sizing or performance implications?
No. The introduction of DNN to ATD doesn't hold any sizing or performance implications for the appliance. All sizing and performance information from us is unaffected.
What's TAXII?
Trusted Automated eXchange of Indicator Information (TAXII™) is a transport mechanism that automates the exchange of threat information. The information is shared as a STIX report delivered to a TAXII server. ATD generates a STIX report when it detects a malicious file and pushes the report to your TAXII server. For this to work, you must configure your TAXII server details on ATD.
What versions of STIX and TAXII does ATD support?
ATD currently supports STIX version 1.2 and TAXII version 1.x.
Can I use HTTP for TAXII server communication instead of HTTPS?
No. ATD 4.2.0.x supports HTTPS only.
Do I need to specify the port number of the TAXII server even if the TAXII service is listening on the standard HTTPS port 443?
A port number is required on ATD 4.2.0.x. You need to fill in the URL field; for example, https://192.168.0.100:443
I've installed my TAXII server and configured my ATD to use the TAXII server. When I click Test Connection in the ATD manager, it returns PASS for all criteria, but ATD lists the TAXII server Status as UNKNOWN. Is there an issue with my TAXII server, ATD, or both?
The TAXII status is UNKNOWN after any configuration change on the ATD appliance (for example, after you click Apply).
The status changes to UP only after ATD has published at least one STIX report to the TAXII server successfully.
ATD reports the status this way because it can't know whether the channel works until a real publish succeeds. If a STIX push fails, the channel is marked as DOWN.
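To make the TAXII answers above concrete, here is an added Python example (not ATD's own code) that does three things: validates a TAXII server URL against the ATD 4.2.0.x rules (HTTPS only, explicit port even for 443), wraps a STIX 1.2 package in a TAXII 1.1 Inbox_Message, and tracks the channel status exactly as described: UNKNOWN after a configuration change, UP after the first successful push, DOWN once a push fails. The HTTP transport is injected so the example runs offline; the TAXII 1.1 HTTP header values are taken from the TAXII 1.1 HTTP Protocol Binding and should be checked against your server's documentation, and the STIX package is a constructed placeholder, not a real ATD report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TAXII_11_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_12_BINDING = "urn:stix.mitre.org:xml:1.2"
ET.register_namespace("taxii_11", TAXII_11_NS)

# HTTP headers from the TAXII 1.1 HTTP Protocol Binding (verify against your server).
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}

# Constructed minimal STIX 1.2 package standing in for an ATD report.
SAMPLE_STIX = (
    '<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" '
    'id="example:Package-1" version="1.2"/>'
)


def validate_taxii_url(url):
    """Apply the ATD 4.2.0.x rules: HTTPS only and an explicit port, even for 443."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("ATD 4.2.0.x publishes to TAXII over HTTPS only: %s" % url)
    if parts.port is None:
        raise ValueError("port number required, for example https://192.168.0.100:443")
    return parts.hostname, parts.port, parts.path or "/"


def build_inbox_message(message_id, stix_xml):
    """Wrap a STIX 1.2 package in a TAXII 1.1 Inbox_Message and return it as bytes."""
    root = ET.Element("{%s}Inbox_Message" % TAXII_11_NS, {"message_id": str(message_id)})
    block = ET.SubElement(root, "{%s}Content_Block" % TAXII_11_NS)
    ET.SubElement(block, "{%s}Content_Binding" % TAXII_11_NS, {"binding_id": STIX_12_BINDING})
    content = ET.SubElement(block, "{%s}Content" % TAXII_11_NS)
    content.append(ET.fromstring(stix_xml))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def inspect_inbox_message(body):
    """Parse an Inbox_Message back and return (message_id, binding_id, payload root tag)."""
    root = ET.fromstring(body)
    binding = root.find(".//{%s}Content_Binding" % TAXII_11_NS).get("binding_id")
    content = root.find(".//{%s}Content" % TAXII_11_NS)
    return root.get("message_id"), binding, content[0].tag


class TaxiiChannel:
    """Status semantics from this article: UNKNOWN until a push succeeds, then UP or DOWN."""

    def __init__(self, url, transport):
        self.host, self.port, self.path = validate_taxii_url(url)
        # transport(host, port, path, headers, body) -> HTTP status code; injected for testing.
        self.transport = transport
        self.status = "UNKNOWN"
        self._next_id = 1

    def apply_config(self):
        # Any configuration change resets the status until the next real publish.
        self.status = "UNKNOWN"

    def publish(self, stix_xml):
        body = build_inbox_message(self._next_id, stix_xml)
        self._next_id += 1
        code = self.transport(self.host, self.port, self.path, TAXII_HEADERS, body)
        self.status = "UP" if code == 200 else "DOWN"
        return self.status


if __name__ == "__main__":
    # Constructed transport that always accepts, in place of a real HTTPS POST.
    channel = TaxiiChannel("https://192.168.0.100:443/inbox", lambda *args: 200)
    print(channel.status)                 # UNKNOWN (nothing published yet)
    print(channel.publish(SAMPLE_STIX))   # UP
```

The "Test Connection" button in ATD Manager only exercises reachability; as the article says, the status field reflects actual STIX delivery, which is why a channel that has never carried a report still shows UNKNOWN. A real transport would POST body with TAXII_HEADERS over TLS and return the response status code.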
Why do I see the results of scanning multiple instances of the samples vary between different sandbox OS types?
When you submit a sample to multiple VM profiles with different operating systems, ATD might return a different severity level for each profile. As long as the verdicts stay within the same category, either nonmalicious (informational, very low, low) or malicious (medium, high, very high), this is expected behavior.
For example, ATD can return a low-severity verdict in a Windows 7 VM but very low in a Windows 10 VM. Each time a sandbox VM is spun up to scan a sample, various events and network activities occur in the VM depending on the OS type, service pack, and installed applications. ATD records these benign activities, which can nudge the severity slightly within the same category.
Why do I see a low-severity verdict when scanning a targeted attack?
A targeted attack is designed to exploit a specific operating system or application. This sample behaves differently in each VM profile, and might not leave malicious activities in a non-target environment.
How does the sandbox react if I submit an incomplete sample?
If you submit a corrupted or partial sample, for example a lone DLL file, the sandbox returns only incomplete results. The other scanning technologies, such as the static analysis engines, family classification, and machine learning, can still detect the threat in the sample.
How do I configure ATD to perform sandbox scanning when my sample is filtered by a static analysis engine?
Enable the Continue to run all engines even after file is found malicious option. With this option, a sample that a down-selector engine has already flagged still proceeds to the remaining engines, including the sandbox.
Overall, the reported verdict is based on the engine that returns the highest severity.
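The two rules in this section, verdicts that differ across VM profiles are fine as long as they stay in the same category, and the overall verdict is the highest severity any engine returns, are simple enough to encode in a triage script. The following Python is an added example (not ATD's own logic): it classifies severities into the two categories named above, checks whether a set of per-profile verdicts is consistent, picks the overall verdict across engines, and flags for manual review the case this section and the targeted-attack answer describe, where one VM profile reports malicious and another reports nonmalicious. The engine and profile names in the demo are constructed.

```python
SEVERITY_ORDER = ["informational", "very low", "low", "medium", "high", "very high"]
NONMALICIOUS = frozenset(SEVERITY_ORDER[:3])   # informational, very low, low
MALICIOUS = frozenset(SEVERITY_ORDER[3:])      # medium, high, very high


def category(severity):
    """Map an ATD severity label to 'nonmalicious' or 'malicious'."""
    s = severity.strip().lower()
    if s in NONMALICIOUS:
        return "nonmalicious"
    if s in MALICIOUS:
        return "malicious"
    raise ValueError("unknown severity %r" % severity)


def profile_verdicts_consistent(profile_verdicts):
    """profile_verdicts maps VM profile name -> severity.

    Returns (consistent, categories). Different severities within one category
    are expected (for example 'low' on Windows 7, 'very low' on Windows 10);
    a split across categories is not.
    """
    categories = {profile: category(sev) for profile, sev in profile_verdicts.items()}
    return len(set(categories.values())) <= 1, categories


def overall_verdict(engine_results):
    """engine_results maps engine name -> severity; the highest severity wins."""
    engine, sev = max(engine_results.items(),
                      key=lambda kv: SEVERITY_ORDER.index(kv[1].strip().lower()))
    return engine, sev.strip().lower()


def triage(engine_results, profile_verdicts):
    """Combine both rules into one triage record for an analyst queue."""
    consistent, categories = profile_verdicts_consistent(profile_verdicts)
    engine, sev = overall_verdict(engine_results)
    record = {"verdict": (engine, sev), "profile_categories": categories, "review": False, "note": ""}
    if not consistent:
        hits = sorted(p for p, c in categories.items() if c == "malicious")
        record["review"] = True
        record["note"] = ("profiles disagree on category; sample may be OS- or application-specific "
                          "(targeted attack or exploit), review the report from: %s" % ", ".join(hits))
    return record


if __name__ == "__main__":
    # Constructed results: static engine sees little, the sandbox fires only on one profile.
    print(triage({"static": "very low", "sandbox": "high"},
                 {"Windows 7": "high", "Windows 10": "very low"}))
    print(triage({"static": "low"},
                 {"Windows 7": "low", "Windows 10": "very low"}))
```

The review flag deliberately keys on the category split rather than on the raw severity difference, which is the distinction this section draws: low versus very low is noise, low versus medium is a signal that one environment was vulnerable and the other was not.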
How does the sandbox handle an exploit sample submission?
An exploit exhibits malicious behavior when it's executed in a vulnerable application or environment. Many become dormant when executed in a non-vulnerable application or environment. If you submit such an exploit sample to the sandbox VM, which is either patched or doesn't have the vulnerable application, then the sample doesn't perform its malicious activity. It results in no detection in sandbox scanning.
The ATD sandbox covers and detects multiple sandbox evasion techniques. ATD detects malicious samples even when they use VM detection techniques.
How do the mechanisms used in the sandbox and static engines compare?
Detection mechanisms used in sandbox and static engines are different. Static engines can detect infected corrupted files. But, the sandbox can't detect them because the samples don't run.
Static signatures can catch downloaders, but these downloaders might leave no malicious activity behind in the sandbox.
If malicious Command and Control servers or links are down during sandbox analysis, malicious commands or payloads don't run. This limitation results in no detection.