Product Guide Revision B McAfee Advanced Threat Defense 3.0.
COPYRIGHT Copyright © 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Malware detection and McAfee Advanced Threat Defense
  The malware threat scenario
  The McAfee Advanced Threat Defense solution
5 Creating analyzer VM
  Create a VMDK file from an ISO image
  Import a VMDK file into McAfee Advanced Threat Defense
  Convert the VMDK file to an image file
  Managing VM profiles
    View VM profiles
    Create VM profiles
  createDefaultVms
  deleteblacklist
  deletesamplereport
  diskcleanup
  Exit
  factorydefaults
  gti_restart
Preface

This guide provides the information you need to work with your McAfee product.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.
Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access... Do this...
1 Malware detection and McAfee Advanced Threat Defense

Over the years, malware has evolved into a sophisticated tool for malicious activities such as stealing valuable information, accessing your computer resources without your knowledge, and disrupting business operations. At the same time, technological advancement provides limitless options to deliver malicious files to unsuspecting users.
• Block future downloads of the same file: Subsequently, if the file is found to be malicious, your anti-malware protection must prevent future downloads of the same file or its variants.
• Identify and remediate affected hosts: Your security system must be able to identify the host which executed the malware, and also detect the hosts to which it has spread.
• It has the McAfee Anti-Malware Engine embedded within it for signature-based detection.
• It dynamically analyzes the file by executing it in a virtual sandbox environment. Based on how the file behaves, McAfee Advanced Threat Defense determines its malicious nature.

Figure 1-1 Components for malware analysis
McAfee Advanced Threat Defense deployment options

You can deploy McAfee Advanced Threat Defense in the following ways:
• Standalone deployment — This is a simple way of deploying McAfee Advanced Threat Defense. In this case, it is not integrated with other externally installed McAfee products.
• Integration with Network Security Platform — This deployment involves integrating McAfee Advanced Threat Defense with Network Security Platform Sensor and Manager. Based on how you have configured the corresponding Advanced Malware policy, an inline Sensor detects a file download and sends a copy of the file to McAfee Advanced Threat Defense for analysis.
• Integration with McAfee® Web Gateway — You can configure McAfee Advanced Threat Defense as an additional engine for anti-malware protection. When your network user downloads a file, the native McAfee Gateway Anti-malware Engine on McAfee® Web Gateway scans the file and determines a malware score.
• It is an on-premises solution that has access to cloud-based GTI. In addition, you can integrate it with other McAfee security products.
• McAfee Advanced Threat Defense does not sniff or tap into your network traffic. It analyzes the files submitted to it for malware.
2 Setting up the McAfee Advanced Threat Defense Appliance

Review this chapter for information regarding the McAfee Advanced Threat Defense Appliance and how to set it up.
Before you install the McAfee Advanced Threat Defense Appliance

This section describes the tasks that you must complete before you begin to install a McAfee Advanced Threat Defense.
• Read all the provided documentation before installation.
• Make sure that you have selected a suitable location for installing the McAfee Advanced Threat Defense Appliance.
Warnings and cautions

Read and follow these safety warnings when you install the McAfee Advanced Threat Defense Appliance. Failure to observe these safety warnings could result in serious physical injury.
Unpack the shipment

1 Open the crate.
2 Remove the first accessory box.
3 Verify you have received all parts as listed in Check your shipment on page 20.
4 Remove the McAfee Advanced Threat Defense Appliance.
5 Place the McAfee Advanced Threat Defense Appliance as close to the installation site as possible.
6 Position the box with the text upright.
McAfee Advanced Threat Defense Appliance front and back panels

Figure 2-1 Front view of ATD-3000 with bezel
Figure 2-2 Side view of ATD-3000 without bezel
Figure 2-3 ATD-3000 and ATD-6000 front panel

Label  Description
1  System ID button with integrated indicator light
2  NMI button (recessed, tool required for use)
3  NIC 1 activity indicator light
4  • ATD-3000: NIC 3 activi
Label  Description
1  Power supply module 1
2  Power supply module 2
3  Management port (NIC 1)
4  NIC 2
5  NIC 3
6  NIC 4
7  Video connector
8  RJ45 serial-A port
9  USB ports
10  RMM4 NIC port
11  I/O module ports/connectors (not used)
12  Add-in adapter slots from riser card 1 and riser card 2

Figure 2-5 ATD-6000 Appliance back panel

Label  Description
1  USB port
Hardware specifications and environmental requests

Dimensions
• ATD-3000: 734.66 L x 438 W x 43.2 H in millimeters; 29 L x 17.25 W x 1.70 H in inches
• ATD-6000: 712 L x 438 W x 87.3 H in millimeters; 28 L x 17.24 W x 3.43 H in inches

Form Factor
• ATD-3000: 1U rack mountable; fits 19-inch rack
• ATD-6000: 2U rack mountable; fits 19-inch rack

Weight
• ATD-3000: 15 Kg (33 lbs)
• ATD-6000: 22.7 Kg (50 lbs.
Specifics ATD-3000 ATD-6000 Vibration Unpackaged: 5 Hz to 500 Hz, 2.20 g RMS random Unpackaged: 5 Hz to 500 Hz, 2.20 g RMS random Packaged: 5 Hz to 500 Hz, 1.09 g RMS random ESD System cooling requirement in BTU/Hr +/-12 KV except I/O port +/- 8 KV per Intel® Environmental test specification Air Discharged: 12.
Install or remove rack handles

• To install a rack handle, align it with the two holes on the side of the McAfee Advanced Threat Defense Appliance and attach the rack handle to the Appliance with two screws as shown.
Figure 2-6 Installing the rack handle
• To remove a rack handle, remove the two screws holding the rack handle in place, and remove the rack handle from the server system as shown.
2 At the back of the rack, pull the back mounting-bracket (extending the mounting rail) so that it aligns with the required rack holes. Ensure that the mounting rails are at the same level on each side of the rack.
Figure 2-9 Install rail to rack
3 Clip the rail to the rack and secure it.
4 Repeat these steps to secure the second mounting rail to the rack.
5 Slide both the rails to full extent.
8 Lift the release tab and push the Appliance into the rack.
Figure 2-12 Lift release tab and push Appliance into rack
9 To remove the McAfee Advanced Threat Defense Appliance from the rack, lift the release tab next to the front spool on the chassis and lift it out of the rails. This needs to be done simultaneously on both the sides and requires two people.
Task
1 Follow these steps to remove the front bezel.
  a Unlock the bezel if it is locked.
  b Remove the left end of front bezel from rack handle.
  c Rotate the front bezel anticlockwise to release the latches on the right end from the rack handle.
Figure 2-13 Removing front bezel
2 Follow these steps to install the front bezel.
Task
1 Plug a console cable (RJ45 to DB9 serial) to the console port (RJ45 serial-A port) at the back panel of the McAfee Advanced Threat Defense Appliance.
Figure 2-15 Connect the console port
2 Connect the other end of the cable directly to the COM port of the computer or port of the terminal server you are using to configure the McAfee Advanced Threat Defense Appliance.
6 To set the management port IP address and subnet mask of the McAfee Advanced Threat Defense Appliance, type set appliance ip
  Specify a 32-bit address written as four eight-bit numbers separated by periods as in , where A, B, C, or D is an eight-bit number between 0-255. represents the subnet mask.
  Example: set appliance ip 192.34.2.8 255.255.255.
3 Accessing McAfee Advanced Threat Defense web application

The McAfee Advanced Threat Defense web application is hosted on the McAfee Advanced Threat Defense Appliance. If you are a McAfee Advanced Threat Defense user with web access, you can access the McAfee Advanced Threat Defense web application from a remote machine using a supported browser.

Using the McAfee Advanced Threat Defense web application, you can:
• Monitor the state and performance of the McAfee Advanced Threat Defense Appliance.
Access the McAfee Advanced Threat Defense web application

Task
1 From a client computer, open a session using one of the supported browsers.
2 Use the following to access the McAfee Advanced Threat Defense web application:
  • URL — https://
  • Default user name — admin
  • Password — admin
3 Click Log In.
4 Managing users and performance

You use the McAfee Advanced Threat Defense web application to manage user accounts and monitor the McAfee Advanced Threat Defense Appliance's system health and information.
• ATD admin — This is the default user account to access the FTP server on McAfee Advanced Threat Defense. The user name is atdadmin and the password is atdadmin.
• McAfee Web Gateway user — This is for the integration between McAfee Web Gateway and McAfee Advanced Threat Defense.

As a precaution, make sure you change the default passwords.
2 Hide the columns you do not want to see.
  a Move the mouse over the right corner of a column heading and click the drop-down arrow.
  b Select Columns.
  c Select only the required column names from the list.
Figure 4-2 Select the required column names
3 To sort the user records list based on a particular column name, click the column heading. You can sort the records in the ascending or descending order.
Task
1 Select Manage | User Management | New. The User Management page is displayed.
Figure 4-3 Add users
2 Enter the appropriate information in the respective fields.

Option name: Definition
Username: The user name for accessing the McAfee Advanced Threat Defense web application, FTP server, or RESTful APIs.
Password: The default password that you want to provide to the user.
Option name: Definition
Default Analyzer Profile: Select the analyzer profile that must be used for files submitted by the user. For example, if the file is submitted by a Network Security Platform Sensor, the analyzer profile selected in the NSP User record is used. Users who manually submit files can override this setting by selecting a different analyzer profile at the time of file submission.
3 Make the changes to the required fields and click Save. For information on the fields, see Add users on page 35.

Delete Users

If you are assigned the admin-user role, you can delete user records. Make sure that the corresponding user is not logged on.
Task
1 Select Manage | Software Management.
Figure 4-4 McAfee Advanced Threat Defense software upgrade
2 Click Browse and select the required McAfee Advanced Threat Defense software.
3 If you want a fresh database to be created as part of the upgrade, select Reset Database. For example, if the database structure is changed in the version that you want to upgrade to, you might need to create a fresh database.
Troubleshooting

Task
• To access the Troubleshooting page, select Manage | Troubleshooting.
Figure 4-5 Troubleshooting page

Tasks
• Export McAfee Advanced Threat Defense logs on page 40
• Delete the analysis results on page 40

Export McAfee Advanced Threat Defense logs

If you face issues using McAfee Advanced Threat Defense, you can export the log files and provide them to McAfee support for analysis and troubleshooting.
5 Creating analyzer VM

For dynamic analysis, McAfee Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its behavior for malicious activities. This VM is referred to as an analyzer VM. This chapter provides the steps for creating an analyzer VM and the VM profile. Any security software or low-level utility tool on an analyzer VM might interfere with the dynamic analysis of the sample file.
If you already have a VMDK file, it must be a single file that contains all the files required to create the VM.

Create a VMDK file from an ISO image

Before you begin
• Download VMware Workstation 9.0 or above from http://www.vmware.
3 In the New Virtual Machine Wizard window, select Custom (Advanced) and click Next.
Figure 5-1 Select the configuration type for the virtual machine
4 In the Choose the Virtual Machine Hardware Compatibility window, select Workstation 9.0 from the Hardware compatibility drop-down list. For other fields, leave the default values and click Next.
5 In the Guest Operating System Installation window, select either Installer disc or Installer disc image file (iso), browse and select the ISO image, and then click Next.
Figure 5-3 Guest Operating System Installation window
6 Complete the following in the Easy Install Information window and then click Next.
  • Windows product key — Enter the license key of the Windows operating system for which you are creating the VMDK file.
  • Confirm — Enter cr@cker42
  • Log on automatically (requires a password) — Deselect this box.
Figure 5-4 Easy Install Information window
7 In the VMware Workstation message, click Yes.
Figure 5-5 VMware Workstation message
8 Complete the following in the Name the Virtual Machine window and then click Next.
  • Virtual Machine name — Enter virtualMachineImage
  • Location — Browse and select the folder where you want to create the VMDK file.
Figure 5-6 Name the Virtual Machine window
9 Leave the default values and click Next for the following unless specified otherwise:
  • Processor Configuration
    Figure 5-7 Processor configuration for the VM
  • Memory for the Virtual Machine
    Figure 5-8 Memory configuration for the VM
    For Windows XP set 1024 MB as the memory. For Windows 7, set 3072 MB as the memory.
  • Network Type
    Figure 5-9 Network type configuration for the VM
  • Select I/O Controller Types
    Figure 5-10 Select the I/O controller type
10 In the Select a Disk Type page, select IDE and click Next. SCSI disks are not compatible with McAfee Advanced Threat Defense.
Figure 5-11 Select a disk type
11 In the Select a Disk window, select Create a new virtual disk and click Next.
Figure 5-12 Select a disk
12 Complete the following in the Specify Disk Capacity window and then click Next.
  • Maximum disk size (GB) — Enter the exact values mentioned here based on the operating system. For Windows 7 64-bit, you must enter 14 GB. For Windows 7 32-bit, you must enter 12 GB. For Windows XP, you must enter 5 GB.
  • Select Allocate all disk space now.
  • Select Store virtual disk as a single file.
13 In the Specify Disk file window, make sure virtualMachineImage.vmdk is displayed by default and click Next. If you specified a different name for Virtual Machine name, that name is displayed here.
Figure 5-14 Specify the path to store the disk file
14 Complete the following in the Ready to Create Virtual Machine window.
  • Power on this virtual machine after creation — Select this option.
  • Click Finish.
This step might take around 30 minutes to complete.
Figure 5-15 VM creation progress
15 If the Removable Devices pop-up window is displayed, select Do not show this hint again and click OK. Windows begins to install, which might take around 15 minutes.
16 Stop the VMware Tools installation. The VMware Tools are not compatible with McAfee Advanced Threat Defense.
Figure 5-16 Cancel VMware Tools installation
17 Select Public network in the Set Network Location window and click Next.
Figure 5-17 Select a network location
18 Complete the following only for Windows XP.
  a Click OK if the following error message is displayed — Setup cannot continue until you enter your name. Administrator and Guest are not allowable names to use.
  b Enter the following details in the Windows XP Professional Setup page.
21 For Windows 7, in the virtualMachineImage, complete the following.
  a Select Start | Control Panel | System and Security | Windows Firewall | Turn on Windows Firewall On or Off.
  b Select Turn off Windows Firewall (not recommended) for both Home or work(private) network location settings and Public network location settings and then click OK.
Figure 5-18 Turn off Windows Firewall on the Windows 7 VM
  c Select Start | Control Panel | Programs | Programs and Features | Turn Windows feature on or off and complete the following.
    1 Select Internet Information Services | FTP server and select FTP Extensibility.
    2 Select Internet Information Services | Web Management Tools and select IIS Management Service.
    3 Select Telnet Server and press OK. This operation might take around 5 minutes to complete.
23 In the Telnet Properties(Local Computer) window, you must select Automatic from the Startup type drop-down list. Then select Apply | Start | OK.
Figure 5-21 Telnet Properties(Local Computer) window
24 To enable FTP on Windows XP, complete the following.
  a In the virtualMachineImage, select Start | Control Panel | Add or remove Programs | Add or remove Windows components.
    3 Select Write.
    4 Select Log visits and click Apply and then OK.
25 To enable FTP on Windows 7, complete the following.
  a In the virtualMachineImage, select Start | Control Panel | System and Security | Administrative Tools. Double-click Internet Information Services(IIS), expand the tree under Hostname, and complete the following:
Figure 5-22 Navigate to Default Web Site
    1 Select Sites and right-click Default Web Site and remove. Confirm by clicking Yes.
Figure 5-23 Remove Default Web Site
    2 Right-click Sites and select Add FTP Site. Then complete the following.
Figure 5-24 Select Add FTP Site
      a For FTP site name, enter root.
      b Physical Path: C:\.
      c Click Next.
Figure 5-25 Provide the FTP site information
    3 For Bindings and SSL Settings, select No SSL. For all other fields, leave the default values and click Next.
Figure 5-26 Binding and SSL settings
    4 For Authentication and Authorization Information complete the following.
      a Select Basic.
      b For Allow access to, select All Users.
      c For Permissions, select both Read and Write, and then click Finish.
      d Close the Internet Information Services (IIS) Manager.
26 Set automatic logon.
  a For Windows XP, select Start | Run, enter rundll32 netplwiz.dll,UsersRunDll and press Enter.
  b For Windows 7, select Start | Run, enter netplwiz and press Enter.
Figure 5-28 Set automatic logon
27 In the User Accounts window, deselect Users must enter a user name and password to use this computer and click Apply.
Figure 5-29 User Accounts window
28 In the Automatically Log On pop-up window, complete the following.
  • User name — Enter Administrator
  • Password — Enter cr@cker42
  • Confirm Password — Enter cr@cker42
Figure 5-30 Credentials for automatic logon
Press OK in the message boxes.
Figure 5-31 User Accounts window
29 Download Sigcheck onto the VM from http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx.
30 Extract sigcheck.zip to C:\WINDOWS\system32 location.
Figure 5-32 Extract the compressed folders
31 In Windows Explorer, go to C:\WINDOWS\system32 and double-click sigcheck.exe.
Figure 5-33 Run sigcheck.exe
32 If prompted, click Run in the warning message.
Figure 5-34 Confirmation message
33 Click Agree for Sigcheck License Agreement.
Figure 5-35 Sigcheck license agreement
34 Download MergeIDE.zip from https://www.virtualbox.org/attachment/wiki/Migrate_Windows/MergeIDE.zip.
35 Extract MergeIDE.zip and run the MergeIDE batch file.
Figure 5-36 Run MergeIDE
36 If prompted, select Run in the warning message.
Figure 5-37 Warning message
37 Close Windows Explorer.
38 Verify if Windows is activated. Click Start, right-click Computer, then select Properties. It is mandatory that Windows is activated.
Figure 5-38 Activate Windows
39 Install a corresponding version of Microsoft Office on the virtual machine. If you are installing an earlier version of Office, go to http://www.microsoft.com/en-us/download/details.
a .docx file using Office 2003, you need the corresponding compatibility pack installed. After you download the compatibility pack, install it on the virtual machine.
  a In VMware Workstation, right-click the virtual machine and select Settings.
Figure 5-39 Settings option
  b Select CD/DVD (IDE) and then select either Use physical drive or Use ISO image file and browse to the ISO image of Microsoft Office. Then click OK.
Figure 5-40 Browse to the ISO image of Microsoft Office
  c After you enter the license key, select Customize.
Figure 5-41 Select to customize the installation
  d Select Run all from my computer for Microsoft Office. Then select Not Available for applications such as Access, InfoPath, Lync, Outlook, Publisher, and Skydrive.
Figure 5-42 Specify the customization
40 To analyze PDF files, download Adobe Reader. This procedure uses Adobe Reader 9.0 as an example.
  a Install Adobe Reader 9.0.
  b Open Adobe Reader and click Accept.
43 In the Windows Run dialog, enter msconfig.
44 In the System Configuration utility, go to the Startup tab.
45 Deselect reader_sl and jusched and then click OK.
46 Restart the VM.
47 Install the other required applications such as Adobe Flash Player and the required browser. If more than one browser is installed, you can configure a default browser.
48 Open the default browser and set it up for malware analysis.
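The settings that the procedure above fixes for the analyzer VM (Workstation 9.0 hardware compatibility, memory per operating system, a single IDE disk rather than SCSI) can be checked before the VMDK is imported. The following is an added example, not part of the McAfee guide: it reads the VM's .vmx configuration text, and the .vmx key names, the guestOS identifiers and the hardware-version value "9" are assumptions about the VMware Workstation file format; both sample configurations are constructed.

```python
import re

# Memory (MB) the procedure sets per guest OS. The guestOS identifiers on the
# left are assumed .vmx values for Windows XP and Windows 7 (32- and 64-bit).
REQUIRED_MEMORY_MB = {"winxppro": 1024, "windows7": 3072, "windows7-64": 3072}
# Assumed .vmx value for "Workstation 9.0" hardware compatibility.
REQUIRED_HW_VERSION = "9"

_SETTING = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
_DISK_KEY = re.compile(r"^((ide|scsi|sata)\d+:\d+)\.filename$")


def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def check_analyzer_vm(vmx_text):
    """Return a list of findings; an empty list means the settings match."""
    s = parse_vmx(vmx_text)
    findings = []

    hw = s.get("virtualhw.version")
    if hw != REQUIRED_HW_VERSION:
        findings.append(f"hardware version is {hw}, expected {REQUIRED_HW_VERSION}")

    guest = s.get("guestos")
    required = REQUIRED_MEMORY_MB.get(guest)
    if required is None:
        findings.append(f"the procedure gives no memory value for guestOS {guest!r}")
    elif s.get("memsize") != str(required):
        findings.append(
            f"memory is {s.get('memsize')} MB, expected {required} MB for {guest}"
        )

    # Collect attached virtual disks (present devices whose file is a .vmdk).
    disks = []
    for key, value in s.items():
        match = _DISK_KEY.match(key)
        if not match or not value.lower().endswith(".vmdk"):
            continue
        if s.get(match.group(1) + ".present", "").upper() == "TRUE":
            disks.append((match.group(1), match.group(2), value))

    if not disks:
        findings.append("no virtual disk (.vmdk) is attached")
    if len(disks) > 1:
        findings.append("more than one virtual disk; a single VMDK file is expected")
    for device, bus, name in sorted(disks):
        if bus != "ide":
            findings.append(
                f"{name} is attached to {device} ({bus.upper()}); "
                "the procedure requires an IDE disk"
            )
    return findings


# Constructed sample: follows the procedure for a Windows 7 64-bit VM.
SAMPLE_OK = '''
virtualHW.version = "9"
memsize = "3072"
guestOS = "windows7-64"
displayName = "virtualMachineImage"
ide0:0.present = "TRUE"
ide0:0.fileName = "virtualMachineImage.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "win7.iso"
ide1:0.deviceType = "cdrom-image"
'''

# Constructed sample: newer hardware version, wrong memory, SCSI disk.
SAMPLE_BAD = '''
virtualHW.version = "10"
memsize = "2048"
guestOS = "windows7"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "virtualMachineImage.vmdk"
'''

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        for finding in check_analyzer_vm(text) or ["settings match the procedure"]:
            print(f"{label}: {finding}")
```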
Convert the VMDK file to an image file

Before you begin
• You have uploaded the VMDK file to McAfee Advanced Threat Defense.
• You have admin-user permissions in McAfee Advanced Threat Defense.

Task
1 In the McAfee Advanced Threat Defense web application, select Manage | Image Management.
2 In the Image Management page, select the VMDK file that you imported from the VMDK Image drop-down.
Managing VM profiles

VM profiles contain the operating system and applications in an image file. This enables you to identify the images that you uploaded to McAfee Advanced Threat Defense and then use the appropriate image for dynamically analyzing a file. You can also specify the number of licenses that you possess for the operating system and the applications. McAfee Advanced Threat Defense factors this in when creating concurrent analyzer VMs from the corresponding image file.
2 Hide the unneeded columns.
  a Move the mouse over the right corner of a column heading and click the drop-down arrow.
  b Select Columns.
  c Select only the required column names from the list. You can click a column heading and drag it to the required position.
3 To sort the records based on a particular column name, click the column heading. You can sort the records in the ascending or descending order.
3 Click Activate to create and activate the VM from the selected image file. When you click Activate, the VM is opened in a pop-up window. So, make sure pop-up blocker is not enabled on your browser. A progress bar indicating the VM creation is displayed.
Figure 5-47 Progress of the VM creation
Based on your browser settings, warning messages are displayed before the VM starts.
After you OK the warning messages, the VM starts.
Figure 5-50 VM displayed in a pop-up window
4 Activate the VM, shut it down, and also close the pop-up window.
Figure 5-51 Shut down the VM
Figure 5-52 Close the pop-up window
5 Create the VM profile for the VM that you created by entering the appropriate information in the respective fields.

Table 5-1 Option definitions
Option name: Definition
Name: The name of the image file is automatically displayed as the name for the VM profile. You cannot modify it.
Description: Optionally, provide a detailed description of the VM profile.
Edit VM profiles

Before you begin
To edit a VM profile, either you must have created it or you must have admin-user role.

Task
1 Select Policy | VM Profile. The currently available VM profiles are listed.
2 Select the required record and click Edit. The VM Profile page is displayed.
3 Make the changes to the required fields and click Save.
View the VM creation log

When you create a VM profile using the VM Profile page, McAfee Advanced Threat Defense creates an analyzer VM from the image file you selected in the VM profile record. Simultaneously, it prints the related logs, which you can view in the McAfee Advanced Threat Defense web application. Through these log entries, you can view what is happening as the analyzer VM is being created.
6 Configuring McAfee Advanced Threat Defense for malware analysis

After you install the McAfee Advanced Threat Defense Appliance on your network, you can configure it to analyze malware. For this, you use the McAfee Advanced Threat Defense web application. You must have at least the web-access role to configure malware analysis. This section introduces the related terminology and provides the procedures to set up McAfee Advanced Threat Defense for malware analysis.
analysis. For static analysis, McAfee Advanced Threat Defense uses the following resources, in this order:
• Local whitelist — This is the list of MD5 hash values of trusted files, which need not be analyzed. This whitelist is based on the McAfee® Application Control database that is used by other solutions in the McAfee suite. It has over 230,000,000 entries. The whitelist feature is enabled by default.
Only the following operating systems are supported for creating the analyzer VMs:
• Windows XP SP2 32-bit
• Windows XP SP3 32-bit
• Windows Server 2003 SP1 32-bit
• Windows Server 2003 SP2 32-bit
• Windows Server 2008 64-bit
• Windows 7 SP1 32-bit
• Windows 7 SP1 64-bit
• Android
The only pre-installed analyzer VM is an Android 2.3 VM. You must create analyzer VMs for Windows.
To dynamically analyze a file, the corresponding user must have the VM profile specified in the user's analyzer profile. This is how the user indicates the environment in which McAfee Advanced Threat Defense should execute the file. You can also specify a default Windows 32-bit and a 64-bit VM profile.
7 In the Analysis Status page, monitor the status of the analysis. See Monitor the status of malware analysis on page 100.
8 After the analysis is complete, view the report in the Analysis Results page. See View the analysis results on page 102.
You use the McAfee Advanced Threat Defense web application to manage analyzer profiles.
Figure 6-2 Contents of an analyzer profile

View analyzer profiles

Based on your user role, you can view the existing analyzer profiles in the McAfee Advanced Threat Defense web application.

Task
1 Select Policy | Analyzer Profile.
If you have web access, you can view only the analyzer profiles that you created.
Create analyzer profiles

Before you begin
If you intend to select the dynamic analysis option in the analyzer profile, make sure that you have created the required VM profile. VM profiles are also required if you want to use the Automatically Select OS option.

Task
1 Select Policy | Analyzer Profile | New.
The Analyzer Profile page is displayed.
2 Enter the appropriate information in the respective fields.
Option name: Definition
• Name: Enter the name for the analyzer profile. It should allow you to easily identify the characteristics of that analyzer profile.
• Description: Optionally, provide a detailed description of the analyzer profile.
• VM Profile: Select the VM profile McAfee Advanced Threat Defense must use for dynamically analyzing a file.
Option name: Definition
• Save: Creates the analyzer profile record with the information you provided.
• Cancel: Closes the Analyzer Profile page without saving the changes.

Edit analyzer profiles

Task
1 Select Policy | Analyzer Profile.
If you have web access, you can view only the analyzer profiles that you created. If you have admin access, you can view all the analyzer profiles currently in the database.
To determine the analyzer VM for a file submitted by Network Security Platform or McAfee Web Gateway, McAfee Advanced Threat Defense uses the following sources of information, in this order of priority:
1 McAfee Advanced Threat Defense queries McAfee ePO for the operating system of a host based on its IP address.
Task
1 Select Manage | ePO Login.
The ePO Login page is displayed.
Figure 6-3 McAfee ePO integration
2 Enter the details in the appropriate fields.
Option name: Definition
• Login ID: Enter the McAfee ePO login name that McAfee Advanced Threat Defense should use to access the McAfee ePO server.
Task
1 Select Manage | HTTP Proxy Setting.
The HTTP Proxy Setting page is displayed.
Figure 6-4 Proxy Setting page
2 Enter the appropriate information in the respective fields.
Option name: Definition
• Enable Proxy: Select to connect McAfee Advanced Threat Defense to a proxy server for Internet connectivity.
2 Enter the appropriate information in the respective fields.
Option name: Definition
• Domain: Enter the Active Directory domain name, for example, McAfee.com.
• Preferred DNS Server: Enter the IPv4 address of the primary DNS proxy server. The DNS queries from analyzer VMs are sent to this DNS server.
• Alternate DNS Server: Enter the IPv4 address of the secondary DNS proxy server.
7 Analyzing malware

After you have configured McAfee Advanced Threat Defense, you can upload files for analysis. You can submit files using the following methods:
• Manually upload the file using the McAfee Advanced Threat Defense web application.
• Post the file on the FTP server hosted on the McAfee Advanced Threat Defense Appliance.
• Use the RESTful APIs of the McAfee Advanced Threat Defense web application to upload the file.
Table 7-1 Option definitions
Option: Definition
• File: Either drag and drop the malware file from Windows Explorer or click Browse and select the file. If you want to submit multiple files, upload them in a .zip file.
  • If you are uploading a password-protected .zip file, make sure you have provided the password in the analyzer profile that you want to use for analysis.
requests for user-intervention by the malware are not honored. However, the screenshots of all such requests are available in the Screenshots section of the Analysis Summary report. You can then manually resubmit such files in the user-interactive mode to observe the actual behavior of the file. This section uses an example to show how files are analyzed in user-interactive mode.
Upload files for analysis using SFTP

Before you begin
• Your user name has FTP Access privilege. This is required to access the FTP server hosted on McAfee Advanced Threat Defense.
• You have created the required analyzer profile that you want to use.
• You have installed an FTP client on your machine.

Using SFTP, you can upload the supported file types to the FTP server on McAfee Advanced Threat Defense.
b Set the frequency at which the Analysis Status page must refresh itself. The default refresh interval is 1 minute.
c To refresh the Analysis Status page now, click .
3
4 Filter the displayed records to locate the required ones.

Table 7-3 Filtering options
Option: Definition
• Search: Specify the parameter that you want to use to filter the records.
5 Hide the columns that you do not require.
a Move the mouse over the right corner of a column heading and click the drop-down arrow.
b Select Columns.
c Select only the required column names from the list.
You can click a column heading and drag it to the required position.
6 To sort the records based on a particular column name, click the column heading.
You can sort the records in ascending or descending order.
Table 7-5 Column definitions
Column: Definition
• Reports: Click to display the types of reports available for the sample. Click any of the enabled reports to view the corresponding details. A specific report is enabled only if it is relevant to the analyzed file and also selected in the corresponding analyzer profile.
  • Analysis Summary (HTML) — This is the comprehensive report that is available for all file types.
Table 7-5 Column definitions (continued)
Column: Definition
• Severity: Indicates the severity level of the analyzed sample.
  • Information — Indicates that this is a clean file. White-listed files have this severity level. Corresponds to a severity score of zero.
  • Very low — Corresponds to a severity score of 1.
  • Low — Corresponds to a severity score of 2.
  • Medium — Corresponds to a severity score of 3.
  • High — Corresponds to a severity score of 4.
Task
1 To access the Analysis Summary report in the McAfee Advanced Threat Defense web application, do the following:
a Select Analysis | Analysis Results.
b To view the HTML format of the report, click and then select Analysis Summary (HTML). Alternatively, you can double-click the required record.
c To view the PDF of the report, click and then select Analysis Summary (PDF).
2 To access the Analysis Summary report from the reports .
The various sections of the HTML format of the Analysis Summary report are outlined here.
Figure 7-4 Analysis Summary report
Table 7-6 Analysis Summary report sections
Item: Description
1 This section displays the details of the sample file. This includes the name, hash values, and the file size in bytes.
2 Analysis Results section on page 108. This section provides the results from each method used to analyze the file. This section also displays the overall severity level for the file.
3 Analysis Environment section on page 108.
Table 7-6 Analysis Summary report sections (continued)
Item: Description
8 GTI URL Reputation. This provides McAfee GTI reputation and severity for the URL.
9 Network activity. This section provides the details of every network operation during dynamic analysis of the sample.
10 Screen-shots section. This section displays all the pop-up windows during dynamic analysis.
• On the right-hand side, a table provides the properties of the file. This includes information such as:
  • Signed or unsigned for the digital signature of the file.
  • Publisher's name if available.
  • Version details
  • Original name of the file so that you can search other sources such as the web.
• Baitexe process infected or not. At the end of each analysis McAfee Advanced Threat Defense creates an additional bait process called Baitexe.
• Process operations: Details the process operation activities such as new process creation, termination, new service creation, and code injection into other processes.
• Networking operations: Details networking operations such as DNS queries, TCP socket activities, and HTTP file download.
• Other operations: Provides details of operations not belonging to these categories.
Table 7-9 A section of a sample Disassembly Results report
Column 1: :00401010
Column 2: e8 1f2c0000
Column 3: call 00403c34 ;;call URLDownloadToFileA

The virtual address of the instruction is shown in column 1, the binary instruction in column 2, and the assembly instruction with comments in column 3.
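The three-column layout of the Disassembly Results report can be parsed for triage. The following is an added example, not code from the guide or from McAfee: it assumes whitespace-separated columns as in the sample line, and the listing, the watch list, and the mapping to the report's behaviour categories are constructed for illustration. It also cross-checks column 2 against column 3 for relative calls.

```python
import re
from typing import NamedTuple, Optional

HEX_TOKEN = re.compile(r"(?:[0-9a-fA-F]{2})+")
# Mnemonics that are themselves even-length hex strings and would be
# mistaken for instruction bytes (assumption: x87 "fadd" is the common one).
HEXLIKE_MNEMONICS = {"fadd"}

# Hypothetical watch list: API name -> behaviour category used in the report.
# URLDownloadToFileA comes from the guide's sample line; the rest are added.
WATCHLIST = {
    "URLDownloadToFileA": "Networking operations",
    "CreateProcessA": "Process operations",
    "CreateRemoteThread": "Process operations",
    "CreateServiceA": "Process operations",
}

class Instruction(NamedTuple):
    va: int                 # column 1: virtual address
    raw: bytes              # column 2: binary instruction
    asm: str                # column 3: assembly text
    comment: Optional[str]  # column 3: text after ";;", if present

def parse_line(line: str) -> Optional[Instruction]:
    """Parse one listing line; return None when it does not fit the layout."""
    body, _, comment = line.strip().partition(";;")
    tokens = body.split()
    if len(tokens) < 3 or not re.fullmatch(r":[0-9a-fA-F]{8}", tokens[0]):
        return None
    i = 1
    while (i < len(tokens) and HEX_TOKEN.fullmatch(tokens[i])
           and tokens[i].lower() not in HEXLIKE_MNEMONICS):
        i += 1
    if i == 1 or i == len(tokens):  # no byte column, or no assembly column
        return None
    raw = bytes.fromhex("".join(tokens[1:i]))
    return Instruction(int(tokens[0][1:], 16), raw, " ".join(tokens[i:]),
                       comment.strip() or None)

def rel_call_target(ins: Instruction) -> Optional[int]:
    """For a near relative call (opcode E8 + rel32), return VA + 5 + rel32."""
    if len(ins.raw) == 5 and ins.raw[0] == 0xE8:
        rel = int.from_bytes(ins.raw[1:], "little", signed=True)
        return (ins.va + 5 + rel) & 0xFFFFFFFF
    return None

def triage(listing: str):
    """Return (findings, skipped): watched API calls and unparsed line count."""
    findings, skipped = [], 0
    for line in listing.splitlines():
        if not line.strip():
            continue
        ins = parse_line(line)
        if ins is None:
            skipped += 1
            continue
        m = re.fullmatch(r"call\s+(\w+)", ins.comment or "")
        if m and m.group(1) in WATCHLIST:
            # Cross-check column 2 against column 3 where the bytes allow it.
            target = rel_call_target(ins)
            consistent = target is None or f"{target:08x}" in ins.asm.lower()
            findings.append((f"{ins.va:08x}", m.group(1),
                             WATCHLIST[m.group(1)], consistent))
    return findings, skipped

# Constructed listing; only the third line is the guide's own sample.
SAMPLE = """\
:00401000 55 push ebp
:00401001 8bec mov ebp, esp
:00401010 e8 1f2c0000 call 00403c34 ;;call URLDownloadToFileA
:00401015 85c0 test eax, eax
:00401017 ff15 08504000 call dword ptr [00405008] ;;call CreateProcessA
:0040101d d8c1 fadd st(1)
-- page break --
:0040101f c3 ret
"""

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE)
    for va, api, category, ok in hits:
        print(va, api, category, "operand matches bytes" if ok else "MISMATCH")
    print("unparsed lines:", skipped)
```

For the guide's sample line, the bytes e8 1f2c0000 at 00401010 decode to the target 00403c34, which agrees with the operand shown in column 3.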
This section uses yWorks yEd Graph Editor to explain how to use the Logic Path Graph GML file. In the yEd Graph Editor, you must first set the Routing Style. You need to do this only once, and this setting is saved for further use.
1 In the yEd Graph Editor, select Layout | Hierarchical.
2 In the Incremental Hierarchic Layout dialog, select the Edges tab and select Polyline from the Routing Style drop-down list.
When you open the _logicpath.gml file in yEd Graph Editor, initially you might see many rectangular boxes overlapping each other or a single rectangular box, as shown in the following example.
Figure 7-7 Open _logicpath.gml file
In the yEd Graph Editor, select Layout | Hierarchical.
Figure 7-8 Incremental Hierarchic Layout dialog
In the Incremental Hierarchic Layout dialog, click OK without changing any of the default settings. The following example shows the complete layout of the relationships among all subroutines detected during static disassembly.
Figure 7-9 Layout of the subroutines relationships
The graph depicts an overview of the complexity of the sample as seen by the cross-reference of function calls.
Two colors are used to indicate the executed path. The red dashed lines show the non-executed path, and the blue solid lines show the executed path. According to the preceding control graph, the subroutine (Sub_004017A0) at virtual address 0x004017A0 was executed and is shown with a blue solid line pointing to the Sub_004017A0 box. However, the subroutine (GetVersion) was potentially not called, as there is a red dashed line pointing to it.
convention. Consider that the sample submitted is vtest32.exe. Then the .zip file contains the following results:
• vtest32_summary.html (.json, .txt, .xml) — This is the same as the Analysis Summary report. There are four file formats for the same summary report in the .zip file. The html and txt files are mainly for end users to review the analysis report. The .json and .
• System Health — Provides the system health details of the McAfee Advanced Threat Defense Appliance.
• System Information — Provides the version numbers for the software components of McAfee Advanced Threat Defense Appliance.

Task
1 Click Dashboard to view the monitors.
2 Specify the criteria for the data to be displayed in the monitors.
a Specify the time period for the information to be displayed in the monitors.
File Counters

This monitor shows the analysis status for files submitted during the specified time period. For example, if you set the time period for the data in the dashboard as last 5 minutes, this monitor shows the count of files in completed, analyzing, and waiting statuses over the last 5 minutes. If you view this monitor in the stacked bar chart format, it also displays the severity level for the files.
• The infected and not infected file counts are indicated using different colors.
• To hide the infected or not infected files, click the corresponding confidence level in the legend.
• Move the mouse over a particular block in the chart to view the number of files that make up that block.

Analyzer Profile Usage

This monitor shows the number of times each analyzer profile has been used for analyzing files.
VM Creation Status monitor

This monitor displays the status of the analyzer VMs created for the specified time period in the dashboard. For example, if you specified Last 12 hours, this monitor shows the status of analyzer VMs that were created in the last 12 hours.
System Information

This monitor shows the version numbers of the software components related to McAfee Advanced Threat Defense.
Figure 7-17 System Information monitor
8 CLI commands for McAfee Advanced Threat Defense

The McAfee Advanced Threat Defense Appliance supports command-line interface (CLI) commands for tasks such as network configuration, restarting the Appliance, and resetting the Appliance to factory defaults.
Logging on to the McAfee Advanced Threat Defense Appliance using an SSH client

Task
1 Open an SSH client session.
2 Enter the IPv4 address of the McAfee Advanced Threat Defense Appliance and enter 2222 as the SSH port number.
3 At the logon prompt, enter the default user name atdadmin and password atdadmin.
• set appliance gateway is also required if any of the following are true:
  • If the McAfee Advanced Threat Defense Appliance is on a different network than the McAfee products you plan to integrate
  • If you plan to access McAfee Advanced Threat Defense from a different network either using an SSH client or a browser for accessing the McAfee Advanced Threat Defense Web Application

Log on to the CLI

Before you can enter CLI commands, y
Table 8-1 CLI commands for managing the disks
Command: Description
• copyto backup: Copies the software version on the active disk to the backup disk. For example, if you find the current active software version to be stable, you can back it up to the backup disk. This command works only if the Appliance had been booted from the active disk.
• copyto active: Copies the software version from the backup disk to the active disk.
• To check if an MD5 is present in the blacklist, use blacklist query
Parameter: Description
The MD5 hash value of the malware that you want to look up in the blacklist.
Example: blacklist query 254A40A56A6E28636E1465AF7C42B71F
If the MD5 is present, the details such as the engine ID, malware severity score, and so on, are displayed.
Parameter: Description
The MD5 value of the file for which you want to delete all the reports in McAfee Advanced Threat Defense.
Example: deletesamplereport c0850299723819570b793f6e81ce0495

diskcleanup
Use this command to delete some of the older analysis reports if the disk space of McAfee Advanced Threat Defense is low.
Syntax: diskcleanup
This command has no parameters.

Exit
Exits the CLI.
This command has no parameters.
list
Lists all the CLI commands available to users.
Syntax: list
This command has no parameters.

nslookup
Displays the nslookup query result for a given domain name. You can use this to verify whether McAfee Advanced Threat Defense is able to perform nslookup queries correctly.
Syntax: nslookup
Parameter: Description
The domain name for which you want to query for nslookup.
Example: nslookup mcafee.
reboot
Parameter: Description
• reboot active: Reboots the Appliance with the software version on the active disk.
• reboot backup: Reboots the Appliance with the software version on the backup disk.
• reboot vmcreator: Recreates the analyzer VMs configured in the McAfee Advanced Threat Defense web application, while rebooting the Appliance.
set appliance ip 192.34.2.8 255.255.0.0

set appliance gateway
Specifies the IPv4 address of the gateway for the McAfee Advanced Threat Defense Appliance.
Syntax: set appliance gateway
Parameter: Description
A 32-bit address written as four eight-bit numbers separated by periods. A, B, C, or D represents an eight-bit number between 0–255.
Example: set appliance gateway 192.34.2.
set intfport ip
Sets an IP address to an interface port.
Syntax: set intfport <1><2><3> ip A.B.C.D E.F.G.H
Example: set intfport 1 ip 10.10.10.10 255.255.255.0

set intfport speed duplex
Sets the speed and duplex setting on the specified interface port.
Syntax: set intfport <1><2><3> speed <10 | 100> duplex
Parameter: Description
• <1> <2> <3>: Enter an interface port ID for which you want to set the speed and duplex.
Default Value: By default, the network port is set to auto (auto-negotiate).

set_ui_timeout
Specifies the number of minutes of inactivity that can pass before the McAfee Advanced Threat Defense web application connection times out.
Syntax: set_ui_timeout <60 - 86400>
Parameter: Description
• <60 - 86400>: You can set a timeout period from 60 to 86400 seconds.
show epo-stats nsp
Displays the count of requests sent to McAfee ePO, the count of responses received from McAfee ePO, and the count of requests that failed.
Syntax: show epo-stats nsp
This command has no parameters.

show history
Displays the list of CLI commands issued in this session.
Syntax: show history
This command has no parameters.
Information displayed by the show nsp scandetails command includes:
• The IP address of the IPS Sensor.
• Total number of packets received from the Sensor.
• Total number of packets sent to the Sensor.
• The timestamp of when the last packet was sent to and received from the Sensor.
• The encryption method used for the communication with the Sensor.
• Session handle null counts.
• Count of internal errors.
Table 8-2 System IP routing table (continued)
Destination  Gateway       Genmask    Flags  Metric  Ref  Use  Iface
13.0.0.0     0.0.0.0       255.0.0.0  U      0       0    0    mgmt
0.0.0.0      10.10.10.253  0.0.0.0    UG     0       0    0    mgmt

shutdown
Halts the McAfee Advanced Threat Defense Appliance so you can power it down. Then, after about a minute, you can power down the McAfee Advanced Threat Defense Appliance manually and unplug both the power supplies.
Syntax: watchdog
Parameter: Description
• Enables the watchdog.
• Disables the watchdog. Use it if the Appliance reboots continuously due to repeated system failure.
• Displays the status of the watchdog process.

whitelist
Use the following commands to manage the whitelist of McAfee Advanced Threat Defense.