ATP Flashcards

1
Q

What is ATP?

A

ATP analyses content from an enterprise and decides how to respond based on the file reputation, rules and reputation thresholds. Optional module.

2
Q

What are the benefits of implementing ATP in your organization?

A
  • Fast detection and protection against security threats and malware.
  • The ability to know which systems or devices are compromised, and how the threat spread through your
    environment.
  • The ability to immediately contain, block, or clean specific files and certificates based on their threat
    reputations and your risk criteria.
  • Integration with Real Protect scanning to perform automated reputation analysis in the cloud and on client
    systems.
  • Real-time integration with McAfee® Advanced Threat Defense and McAfee GTI to provide detailed
    assessment and data on malware classification. This integration allows you to respond to threats and share
    the information throughout your environment.
3
Q

What McAfee Products can optionally integrate with ATP?

A
  • TIE server — A server that stores information about file and certificate reputations, then passes that
    information to other systems.
  • Data Exchange Layer — Clients and brokers that enable bidirectional communication between the
    Adaptive Threat Protection module on the managed system and the TIE server.
5
Q

What ATP features fall under “Protect”?

A

Reputation-based file handling
Integration with the TIE server
Dynamic Application Containment

7
Q

What ATP features fall under “Detect”

A

Real Protect scanning

8
Q

What ATP features fall under “Correct”

A

File cleaning
Custom file exclusions
McAfee ePO Dashboards and reports

9
Q

Give a brief overview of what Reputation-based file handling means in regards to ATP?

A

ATP alerts when an unknown file enters the environment.
Instead of sending the file information to McAfee for analysis, Adaptive Threat Protection can block the file immediately.

10
Q

Give a brief overview of Dynamic Application Containment

A

Allows unknown files to run in a container, limiting the actions they can take.

When a company first uses a file whose reputation is not known, Adaptive Threat Protection can run it in a container. Containment rules define which actions the contained application can't perform. Dynamic Application Containment also contains processes when they load PE files (Portable Executables) and DLLs (Dynamic Link Libraries) that downgrade the process reputation.

11
Q

Give a brief overview of Real Protect scanning

A

Performs automated reputation analysis.

Real Protect inspects suspicious files and activities on a client system and detects malicious patterns using machine-learning techniques. Real Protect client-based and cloud-based scans include DLL scanning to keep trusted processes from loading untrusted PE and DLL files.

12
Q

T/F: ATP can flag a file as malicious based on its reputation, but Threat Prevention takes over the blocking/cleaning function.

A

False. ATP can both block and clean a file based on its reputation.

13
Q

What is the protection workflow for ATP like?

A
  1. A file is opened on a client system.
  2. ATP checks the local reputation cache for the file. If the file is not in the local reputation cache, ATP queries the TIE server.
  3. If the TIE server is not available or the file is not in the TIE server database, ATP queries McAfee GTI for the reputation.
  4. Depending on the file's reputation and ATP settings:
     - The file is allowed to open
     - The file is blocked
     - The file is allowed to run in a container
     - The user is prompted for the action to take
  5. GTI returns the latest file reputation information to the TIE server, and the TIE server updates the database and sends the updated reputation information to all ATP-enabled systems to immediately protect your environment.
14
Q

What is the difference in ATP’s functionality when TIE and DXL are present versus when they are not?

A

- If TIE and DXL are present, ATP uses DXL to share file and threat info instantly across the whole enterprise. Also, through TIE you can control file reputation at the local level in your environment. You decide which files can run and which are blocked, and DXL shares the information immediately throughout your environment. ATP reaches out to the TIE server for threat information.

- If TIE and DXL are not present, ATP communicates with McAfee GTI for file reputation information.

15
Q

What are the three security levels for ATP?

A

Productivity - For systems that change frequently, often installing and uninstalling trusted programs and receiving frequent updates.

Balanced - Typical business systems where new programs and changes are installed infrequently. More rules are used with this setting, thus users experience more blocking and prompting.

Security - IT-managed systems with tight control and little change. Examples are systems that access critical or sensitive information in a financial or government environment. This setting is also used for servers. The maximum number of rules are used with this setting, thus users experience even more blocking and prompting.

16
Q

What processes does ATP employ when determining the reputation of a file or certificate?

A

Pre-execution process scanning and post-execution monitoring

17
Q

What is the workflow for Pre-execution process scanning?

A
  1. A Portable Executable file is loaded for execution in a process.
  2. Assuming the file is not excluded, ATP inspects the file to see if its hash is in the local reputation cache.
  3. If the file hash is in the local reputation cache, ATP takes the associated action; otherwise ATP gets the file's prevalence and reputation data from the TIE server (or McAfee GTI if the TIE server isn't available).
  4. If ATP rules determine the file reputation for the file, ATP updates the TIE server with reputation information and takes the associated action. Otherwise, the Real Protect client-based scanner scans the file.
  5. If the Real Protect client-based scanner determines the final reputation for the file, ATP updates the TIE server with reputation information and takes the associated action. If it doesn't, the file reputation is declared unknown, and we move to the post-execution process monitoring workflow.
18
Q

What is the workflow for Post-execution process monitoring?

A
19
Q

If sandboxing is enabled, how does that affect the ATP process?

A
20
Q

If Web Gateway is present, how does that affect the ATP process?

A
21
Q

If ENS Web Control is present, how does that affect the ATP process?

A
22
Q

When is the cache flushed?

A
23
Q

How does Real Protect scanning monitor activity?

A
24
Q

What is the difference between Client-based scanning and Cloud-based scanning?

A
25
Q

What is the best practice regarding offline scanning for Client-based scanning (Real Protect)?

A
26
Q

What is the best practice regarding Cloud-based scanning (Real Protect)?

A
27
Q

How does Dynamic Application Containment work?

A