Product guide
To determine the analyzer VM for a file submitted by Network Security Platform or McAfee Web
Gateway, McAfee Advanced Threat Defense consults the following sources of information, in this
order of priority:
1. McAfee Advanced Threat Defense queries McAfee ePO for the operating system of a host based on
its IP address. If this source provides no information, or if no analyzer VM corresponding to that
operating system is available, it goes to the next source.
2. If Device Profiling is enabled, the Sensor provides the operating system and application details
when forwarding a file for analysis. If this source provides no information, or if the corresponding
analyzer VM is not available, it goes to the next source.
3. McAfee Advanced Threat Defense determines the VM profile from the analyzer profile in the
corresponding user record. If this source provides no information, or if the corresponding analyzer
VM is not available, it goes to the next source.
4. The VM profile that you selected as the default. You can select any one of the VM profiles in your
setup as the default.
When McAfee Advanced Threat Defense receives host information for a particular IP address from
McAfee ePO, it caches this detail.
• The cached IP address to host information data has a time to live (TTL) value of 48 hours.
• For the first 24 hours, McAfee Advanced Threat Defense just uses the host information in the
cache.
• For the second 24 hours, that is from 24 to 48 hours, McAfee Advanced Threat Defense uses the
host information from the cache but also queries McAfee ePO and updates its cache. This updated
information is valid for the next 48 hours.
• If the cached information is more than 48 hours old, McAfee Advanced Threat Defense treats it as
if there is no cached information for the corresponding IP address. That is, it attempts to find the
information from the other sources and also sends a query to McAfee ePO.
The following explains how McAfee Advanced Threat Defense collaborates with McAfee ePO.
1. Network Security Platform or McAfee Web Gateway sends a file to McAfee Advanced Threat Defense
for analysis. When Network Security Platform sends a file, the IP address of the target host is also
sent.
2. McAfee Advanced Threat Defense checks its cache to see if there is a valid operating system
mapped to that IP address.
3. If this is the first time that a file for that IP address is being analyzed, there is no information in
the cache. So, it determines the analyzer VM from the device profiling information (for Network
Security Platform) or from the user record (for McAfee Web Gateway). Simultaneously, it sends a
query to McAfee ePO for host information based on the IP address.
4. McAfee ePO then queries Real Time for ePolicy Orchestrator® (Real Time for McAfee ePO™) for host
information.
5. McAfee ePO then forwards the host information to McAfee Advanced Threat Defense, which caches
it for further use.
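The source priority order and the 24-hour/48-hour cache rules above, modelled as an added example in Python. This is illustrative code written for this guide, not McAfee Advanced Threat Defense's own implementation; the class and function names, the OS-to-VM mapping, and the `epo_lookup` callback standing in for the McAfee ePO query are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed model of the documented behaviour; names and signatures are
# assumptions for illustration, not McAfee Advanced Threat Defense APIs.
CACHE_TTL = timedelta(hours=48)        # entry is discarded at this age
REFRESH_AFTER = timedelta(hours=24)    # entry is still used, but ePO is re-queried


@dataclass
class CacheEntry:
    os_name: str
    stored_at: datetime


@dataclass
class AnalyzerVmSelector:
    vm_for_os: Dict[str, str]                    # OS name -> analyzer VM profile in this setup
    default_vm: str                              # VM profile selected as the default
    epo_lookup: Callable[[str], Optional[str]]   # hypothetical McAfee ePO host query
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    epo_queries: List[str] = field(default_factory=list)

    def query_epo(self, ip: str, now: datetime) -> None:
        """Ask ePO for the host OS and cache the answer for later files."""
        self.epo_queries.append(ip)
        os_name = self.epo_lookup(ip)
        if os_name is not None:
            self.cache[ip] = CacheEntry(os_name, now)

    def cached_os(self, ip: Optional[str], now: datetime) -> Optional[str]:
        """Source 1: cached ePO host information, applying the 24 h / 48 h rules."""
        entry = self.cache.get(ip) if ip else None
        if entry is None or now - entry.stored_at >= CACHE_TTL:
            self.cache.pop(ip, None)      # missing or older than 48 h: nothing usable now...
            if ip:
                self.query_epo(ip, now)   # ...but a query is sent so the next file benefits
            return None
        if now - entry.stored_at >= REFRESH_AFTER:
            self.query_epo(ip, now)       # second 24 h: serve the cached data and refresh it
        return entry.os_name

    def select(self, ip: Optional[str], now: datetime,
               sensor_os: Optional[str] = None, profile_os: Optional[str] = None) -> str:
        """Walk the sources in priority order; skip any with no matching analyzer VM."""
        for os_name in (self.cached_os(ip, now), sensor_os, profile_os):
            if os_name in self.vm_for_os:
                return self.vm_for_os[os_name]
        return self.default_vm          # source 4: the default VM profile
```

Because the ePO answer only lands in the cache, the first file for a host is analyzed using the Sensor or user-record information while later files benefit from the cached host details, matching steps 3 to 5 above.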
Configure McAfee ePO integration
Integration with McAfee ePO enables McAfee ePO to gather information such as the operating system
and browsers installed on the target host. McAfee Advanced Threat Defense uses this information to
select the best analyzer VM for dynamic analysis.
6
Configuring McAfee Advanced Threat Defense for malware analysis
Integration with McAfee ePO
92
McAfee Advanced Threat Defense 3.0.4 Product Guide