ATP Flashcards

1
Q

Give a high-level overview of ATP

A
An optional module of Endpoint Security that examines content in your enterprise and decides what to do with a file based on its reputation, the ATP rules, and the configured reputation thresholds.
2
Q

What are the benefits of implementing ATP in your organization?

A

• Fast detection and protection against security threats and malware.

• The ability to know which systems or devices are compromised, and how the threat spread through your
environment.

• The ability to immediately contain, block, or clean specific files and certificates based on their threat
reputations and your risk criteria.

• Integration with Real Protect scanning to perform automated reputation analysis in the cloud and on client
systems.

• Real-time integration with McAfee® Advanced Threat Defense and McAfee GTI to provide detailed
assessment and data on malware classification. This integration allows you to respond to threats and share
the information throughout your environment.

3
Q

What McAfee Products can optionally integrate with ATP?

A

• TIE server — A server that stores information about file and certificate reputations, then passes that
information to other systems.

• Data Exchange Layer — Clients and brokers that enable bidirectional communication between the
Adaptive Threat Protection module on the managed system and the TIE server.
4
Q

What ATP features fall under “Protect”?

A

Reputation-based file handling
Integration with the TIE server
Dynamic Application Containment

5
Q

What ATP features fall under “Detect”?

A

Real Protect scanning

6
Q

What ATP features fall under “Correct”?

A

File cleaning
Custom file exclusions
McAfee ePO Dashboards and reports

7
Q

Give a brief overview of what reputation-based file handling means with regard to ATP.

A

ATP alerts when an unknown file enters the environment.
Instead of sending the file information to McAfee for analysis, Adaptive Threat Protection can block the file
immediately.

8
Q

Give a brief overview of Dynamic Application Containment

A

Allows unknown files to run in a container, limiting the actions they can take.

When a company first uses a file whose reputation is not known, Adaptive Threat Protection can run it in a
container. Containment rules define which actions the contained application can’t perform. Dynamic
Application Containment also contains processes when they load PE files (Portable Executables) and DLLs
(Dynamic Link Libraries) that downgrade the process reputation.

9
Q

Give a brief overview of Real Protect scanning

A

Performs automated reputation analysis.

Real Protect inspects suspicious files and activities on a client system and detects malicious patterns using
machine-learning techniques. Real Protect client-based and cloud-based scans include DLL scanning to keep
trusted processes from loading untrusted PE and DLL files.

10
Q

T/F: ATP can flag a file as malicious based on its reputation, but Threat Prevention takes over the blocking/cleaning function.

A

False. ATP can both block and clean a file based on its reputation.

11
Q

What is the protection workflow for ATP like?

A
  1. A file is opened on a client system.
  2. ATP checks the local reputation cache for the file. If the file is not in the local reputation cache, ATP queries the TIE server.
  3. If the TIE server is not available, or the file is not in the TIE server database, ATP queries McAfee GTI for the reputation.
  4. Depending on the file’s reputation and the ATP settings, one of the following happens:
    - The file is allowed to open
    - The file is blocked
    - The file is allowed to run in a container
    - The user is prompted for the action to take
  5. GTI returns the latest file reputation information to the TIE server. The TIE server updates its database and sends the updated reputation information to all ATP-enabled systems to immediately protect your environment.
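The lookup chain and the threshold decision in the five steps above, as an added Python model that is not McAfee's code. The in-memory `TieServer`, `Gti` and `Endpoint` classes, the 0 to 100 reputation scale and the `Thresholds` values are assumptions made for this example (the page gives no numeric scale or threshold values), and the sample file contents are constructed. It shows the cache, then TIE, then GTI fallback, the path taken when the TIE server is unreachable, and step 5: a GTI answer is written back to the TIE server and pushed to every subscribed endpoint, so the second endpoint answers the same file from its own cache without a network query.

```python
"""Added model of the ATP protection workflow: not product code; scale and thresholds assumed."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed reputation scale (the page gives no numbers): 0 = known malicious,
# 50 = unknown, 100 = known trusted.
KNOWN_MALICIOUS, UNKNOWN, KNOWN_TRUSTED = 0, 50, 100


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    CONTAIN = "contain"
    PROMPT = "prompt"


@dataclass
class Thresholds:
    """Hypothetical policy: where on the assumed scale each action applies."""
    block_at_or_below: int = 15
    contain_at_or_below: int = 50   # unknown files land here and run contained
    allow_at_or_above: int = 70     # between contain and allow, the user is prompted


def action_for(rep: int, t: Thresholds) -> Action:
    """Step 4: map a reputation to the configured action."""
    if rep <= t.block_at_or_below:
        return Action.BLOCK
    if rep <= t.contain_at_or_below:
        return Action.CONTAIN
    if rep >= t.allow_at_or_above:
        return Action.ALLOW
    return Action.PROMPT


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class Gti:
    """Stand-in for McAfee GTI: a static hash -> reputation table, unknown when absent."""
    def __init__(self, table: Dict[str, int]):
        self.table = table

    def lookup(self, sha256: str) -> int:
        return self.table.get(sha256, UNKNOWN)


class TieServer:
    """Stand-in for the TIE server: a database plus a push to subscribed endpoints (the DXL role)."""
    def __init__(self, available: bool = True):
        self.available = available
        self.db: Dict[str, int] = {}
        self.endpoints: List["Endpoint"] = []

    def lookup(self, sha256: str) -> Optional[int]:
        if not self.available:
            raise ConnectionError("TIE server unreachable")
        return self.db.get(sha256)

    def publish(self, sha256: str, rep: int) -> None:
        """Step 5: store the reputation and push it to every ATP-enabled system."""
        self.db[sha256] = rep
        for ep in self.endpoints:
            ep.cache[sha256] = rep


class Endpoint:
    """One ATP-enabled system with its local reputation cache."""
    def __init__(self, tie: TieServer, gti: Gti, policy: Optional[Thresholds] = None):
        self.cache: Dict[str, int] = {}
        self.tie, self.gti = tie, gti
        self.policy = policy or Thresholds()
        tie.endpoints.append(self)

    def on_file_open(self, content: bytes) -> Tuple[Action, str]:
        """Step 1 onwards; returns (action, which source answered the reputation query)."""
        h = sha256_hex(content)
        if h in self.cache:                          # step 2: local reputation cache
            return action_for(self.cache[h], self.policy), "cache"
        try:
            rep, source = self.tie.lookup(h), "tie"  # step 2: ask the TIE server
        except ConnectionError:
            rep, source = None, "tie-unavailable"
        if rep is None:                              # step 3: TIE down or no record -> GTI
            rep, source = self.gti.lookup(h), "gti"
            if self.tie.available:
                self.tie.publish(h, rep)             # step 5: GTI answer flows back via TIE
        self.cache[h] = rep
        return action_for(rep, self.policy), source
```

Note the offline case: when the TIE server is unreachable the endpoint still gets a GTI verdict and caches it locally, but nothing is written back to TIE, so other systems do not benefit until the server is back. That is why the page distinguishes the "TIE and DXL present" case from plain GTI lookups.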
12
Q

What is the difference in ATP’s functionality when TIE and DXL are present versus when they are not?

A
  • If TIE and DXL are present, ATP uses DXL to share file and threat info instantly across the whole enterprise. Also, through TIE you can control file reputation at the local level in your environment. You decide which files can run, and which are blocked, and the DXL shares the information immediately throughout your environment. ATP reaches out to the TIE server for threat information
  • If TIE and DXL are not present, ATP communicates with McAfee GTI for file reputation information
13
Q

What are the three security levels for ATP?

A

Productivity - For systems that change frequently, often installing and uninstalling trusted programs and receiving frequent updates.

Balanced - Typical business systems where new programs and changes are installed infrequently. More rules are used with this setting, thus users experience more blocking and prompting.

Security - IT-managed systems with tight control and little change. Examples are systems that access critical or sensitive information in a financial or government environment. This setting is also used for servers. The maximum number of rules are used with this setting, thus users experience even more blocking and prompting.

14
Q

What processes does ATP employ when determining the reputation of a file or certificate?

A

Pre-execution process scanning and post-execution monitoring

15
Q

What is the workflow for Pre-execution process scanning?

A
  1. A Portable Executable file is loaded for execution in a process.
  2. Assuming the file is not excluded, ATP will inspect the file to see if its hash is in the local reputation cache.
  3. If the file hash is in the local reputation cache, ATP takes that associated action, otherwise ATP will get the file’s prevalence and reputation data from TIE server (or McAfee GTI if the TIE server isn’t available)
  4. If the ATP rules can determine the file’s reputation, ATP updates the TIE server with that reputation and takes the associated action. Otherwise, the Real Protect client-based scanner scans the file.
  5. If the Real Protect client-based scanner determines a final reputation for the file, ATP updates the TIE server with that reputation and takes the associated action. If it doesn’t, the file reputation is declared unknown and processing moves to the post-execution process monitoring workflow.
16
Q

What is the workflow for Post-execution process monitoring?

A
  1. If the reputation is known, ATP takes the configured action (Contain, Block, or Clean).
  2. If the reputation is not known, ATP allows the process to launch.
  3. If Real Protect cloud-based scanner is not enabled, the process is not monitored. If it is enabled, Real Protect cloud-based scanner monitors the process, looking for it to exhibit malicious behavior during its execution. If it detects malicious behavior, Real Protect takes remediation action
  4. If Dynamic Application Containment is not enabled, The process runs normally (uncontained). If it is enabled, the process runs in a container. Containment rules determine the actions that the process can take
  5. While the process is running in containment, if it triggers enough Block containment rules (that is, exhibits enough suspicious behavior), DAC lowers its reputation, which can result in the process being cleaned. Otherwise, the process remains in containment for the remainder of its life.
17
Q

If sandboxing is enabled, how does that affect the ATP process?

A
  1. If the file is new to the environment and the system running the file has access to ATD, the TIE server sends the file to ATD for scanning.
  2. ATD scans the file and sends the file reputation result to the TIE server through the DXL. The TIE server processes the reputation, saves it in the database, and sends the updated reputation information to all Adaptive Threat Protection-enabled systems to immediately protect your environment.
18
Q

If Web Gateway is present, how does that affect the ATP process?

A

If McAfee Web Gateway is present, the following occurs.

• When downloading files, McAfee Web Gateway sends a report to the TIE server that saves the reputation
score in the database.

• When the TIE server receives a file reputation request from the ATP module, it returns the reputation received from
McAfee Web Gateway together with the reputations from other providers.

19
Q

If ENS Web Control is present, how does that affect the ATP process?

A

• When you download a file, Web Control sends a message to the TIE server with the URL of the download
location, the URL reputation from McAfee GTI, and the hash value of the file.
The information is available on the Associated URL tab on the hash information page.

• When the TIE server receives a file reputation request, it returns this information as part of its response.

20
Q

When is the cache flushed?

A

Rule configuration defines when to flush the entire cache.

The whole Adaptive Threat Protection cache is flushed when the rule configuration changes:

  • The state of one or more rules has changed, for example from Enabled to Disabled.
  • The rule set assignment has changed, such as from Balanced to Security.

An individual file or certificate cache entry is flushed when:

  • The file has changed on disk.
  • The TIE server publishes a reputation change event.
  • The object expires. By default, items in the cache expire between 1 hour and 1 week after they are added, depending on type, but the expiration time for an item can differ from the default because of:
    - the time to live set in the AMCore Content file or by the reputation provider, and
    - the connection status in effect when the object was added to the cache: if an object was added when the reputation provider was not connected to the TIE server or McAfee GTI, the reputation is updated when connectivity is restored.
  • The cache is full. Recently accessed cache items are retained; older items expire and are removed.
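The flush rules above, as an added Python model that is not McAfee's code. The per-type TTLs (1 hour for files, 1 week for certificates), the capacity, the least-recently-used eviction and the idea of marking entries cached while disconnected as "provisional" so they are dropped and re-queried when connectivity returns are all assumptions made for this example; the page only gives the 1 hour to 1 week range and the list of triggers. The `clock` parameter exists so the expiry behaviour can be exercised without waiting.

```python
"""Added model of ATP cache-flush rules: not product code; TTLs, capacity and eviction are assumed."""
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed defaults: the page only says "between 1 hour and 1 week, depending on type".
DEFAULT_TTL_SECONDS = {"file": 3600, "cert": 7 * 24 * 3600}
Key = Tuple[str, str]   # (kind, identifier), e.g. ("file", "C:/app.exe")


@dataclass
class Entry:
    reputation: int
    expires_at: float
    content_hash: str       # files only: hash at caching time, to notice on-disk changes
    provisional: bool       # cached while the reputation provider was disconnected


class ReputationCache:
    def __init__(self, max_entries: int = 1000, clock: Callable[[], float] = time.time):
        self.max_entries = max_entries
        self.clock = clock
        self.entries: "OrderedDict[Key, Entry]" = OrderedDict()   # least recently used first
        self.rule_set = "Balanced"
        self.rule_states: Dict[str, bool] = {}
        self.connected = True

    def put(self, kind: str, ident: str, reputation: int,
            content_hash: str = "", ttl: Optional[float] = None) -> None:
        # A provider- or AMCore-supplied TTL overrides the per-type default.
        ttl = DEFAULT_TTL_SECONDS[kind] if ttl is None else ttl
        key = (kind, ident)
        if key not in self.entries and len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)        # cache full: drop the least recently used
        self.entries[key] = Entry(reputation, self.clock() + ttl, content_hash, not self.connected)
        self.entries.move_to_end(key)

    def get(self, kind: str, ident: str, content_hash: str = "") -> Optional[int]:
        key = (kind, ident)
        e = self.entries.get(key)
        if e is None:
            return None
        expired = self.clock() >= e.expires_at
        changed_on_disk = kind == "file" and content_hash != e.content_hash
        if expired or changed_on_disk:              # stale entry: flush and force a fresh query
            del self.entries[key]
            return None
        self.entries.move_to_end(key)               # mark as recently accessed
        return e.reputation

    # A rule configuration change flushes the whole cache.
    def set_rule_state(self, rule: str, enabled: bool) -> None:
        if self.rule_states.get(rule) != enabled:
            self.rule_states[rule] = enabled
            self.entries.clear()

    def assign_rule_set(self, name: str) -> None:
        if name != self.rule_set:
            self.rule_set = name
            self.entries.clear()

    # A TIE reputation-change event flushes just that object.
    def on_reputation_change_event(self, kind: str, ident: str) -> None:
        self.entries.pop((kind, ident), None)

    # Objects cached while disconnected are dropped so they are re-queried once connectivity returns.
    def on_connectivity_restored(self) -> int:
        self.connected = True
        stale = [k for k, e in self.entries.items() if e.provisional]
        for k in stale:
            del self.entries[k]
        return len(stale)
```

The check worth keeping in mind from this model: a change to a single rule's state clears every cached verdict, so the first file open on each system after a policy push goes back to TIE or GTI. Expect a burst of reputation queries right after rolling out a rule set change.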

21
Q

How does Real Protect scanning monitor activity?

A

Inspects suspicious files and activities on client systems to detect malicious patterns using machine-learning techniques. The scanner uses this information to detect zero-day malware

22
Q

What is the difference between client-based scanning and cloud-based scanning?

A

Client-based Real Protect uses machine learning on the client system to determine whether the file matches known malware. If the client system is connected to the Internet, Real Protect sends telemetry information to the cloud, but it does not use the cloud for analysis. The client-based scanning sensitivity levels, which are based on mathematical formulas, assign a “tolerance” to suspicious activity when assessing whether a file matches known malware. The higher the sensitivity level, the more malware matches, but allowing more detections might also produce more false positives.

Cloud-based Real Protect collects and sends file attributes and behavioral information to the machine-learning system in the cloud for malware analysis. Cloud-based scanning requires connectivity to realprotect1.mcafee.com.

23
Q

What is the best practice regarding offline scanning for client-based scanning (Real Protect)?

A

Because offline scanning might result in increased false positives, enable this option only for
systems without connectivity to McAfee GTI or the TIE server

24
Q

What is the best practice regarding cloud-based scanning (Real Protect)?

A

Disable cloud-based Real Protect on systems that aren’t connected to the Internet.

25
Q

How does Dynamic Application Containment work?

A

ATP uses an application’s reputation to determine whether DAC runs the application with restrictions.
DAC blocks or logs unsafe actions of the application, based on containment rules

As applications trigger containment block rules, DAC uses this information to contribute to the overall reputation of contained applications

Other technologies, such as Active Response, can request containment

26
Q

What is observe mode and why should you use it?

A

While in observe mode, ATP generates Would Block, Would Clean, and Would Contain events to show what actions it would take if it were running normally.

This mode should be used during the initial stages of an ATP deployment to build file prevalence (how often a file is seen in your environment) before enforcement is turned on.
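Dynamic Application Containment as described in cards 8, 16 and 25, together with the observe-mode events of this card, as an added Python model that is not McAfee's code. The containment rule set, the rule names, the reputation scale, the containment threshold, the number of distinct block rules that causes a downgrade and the downgraded value are all constructed assumptions for this example; the page names none of them. It shows a contained process being allowed log-rule actions and denied block-rule actions, its reputation being lowered after too many block rules fire, a trusted process being downgraded and contained when it loads a worse-reputation DLL, and the same policy in observe mode producing Would Contain and Would Block events without enforcing anything.

```python
"""Added model of Dynamic Application Containment and observe mode: not product code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed scale (the page gives none): lower is worse, 50 = unknown, which is where containment starts.
CONTAIN_AT_OR_BELOW = 50
DOWNGRADE_AFTER_DISTINCT_BLOCKS = 3   # assumed: how many block rules fire before DAC lowers reputation
DOWNGRADED_REPUTATION = 30            # assumed value meaning "now looks malicious"

# Constructed containment rule set: a triggered "block" rule denies the action, a "log" rule only records it.
CONTAINMENT_RULES: Dict[str, str] = {
    "write_to_system_dir": "block",
    "modify_startup_registry": "block",
    "create_remote_thread": "block",
    "read_user_documents": "log",
    "network_connect": "log",
}


@dataclass
class Event:
    process: str
    kind: str            # Contained, Blocked, Logged, Reputation lowered, Would Contain, Would Block
    detail: str = ""


@dataclass
class Process:
    name: str
    reputation: int
    contained: bool = False          # in observe mode: "would be contained"
    blocks_triggered: Set[str] = field(default_factory=set)


class Dac:
    def __init__(self, rules: Dict[str, str], observe_mode: bool = False):
        self.rules = rules
        self.observe_mode = observe_mode
        self.events: List[Event] = []

    def _emit(self, p: Process, kind: str, detail: str = "") -> None:
        self.events.append(Event(p.name, kind, detail))

    def _maybe_contain(self, p: Process) -> None:
        """Contain a process whose reputation is at or below the containment threshold."""
        if p.contained or p.reputation > CONTAIN_AT_OR_BELOW:
            return
        p.contained = True
        self._emit(p, "Would Contain" if self.observe_mode else "Contained")

    def launch(self, name: str, reputation: int) -> Process:
        p = Process(name, reputation)
        self._maybe_contain(p)
        return p

    def load_module(self, p: Process, module: str, module_reputation: int) -> None:
        """Loading a PE/DLL with a worse reputation downgrades the process and can trigger containment."""
        if module_reputation < p.reputation:
            p.reputation = module_reputation
            self._emit(p, "Reputation lowered", f"loaded {module}")
            self._maybe_contain(p)

    def attempt(self, p: Process, action: str) -> bool:
        """Return True if the process may perform the action."""
        rule = self.rules.get(action)
        if not p.contained or rule is None:        # uncontained, or action not governed by a rule
            return True
        if rule == "log":
            self._emit(p, "Logged", action)
            return True
        p.blocks_triggered.add(action)             # a block rule: count distinct suspicious behaviours
        if (len(p.blocks_triggered) >= DOWNGRADE_AFTER_DISTINCT_BLOCKS
                and p.reputation > DOWNGRADED_REPUTATION):
            p.reputation = DOWNGRADED_REPUTATION   # may now fall into the range that gets cleaned
            self._emit(p, "Reputation lowered", "too many block rules triggered")
        if self.observe_mode:
            self._emit(p, "Would Block", action)   # observe mode: report, do not enforce
            return True
        self._emit(p, "Blocked", action)
        return False
```

Reviewing the Would Block and Would Contain events from a pilot group before switching observe mode off is how you find the legitimate in-house tools that would otherwise be contained on day one; those are the candidates for the custom file exclusions listed under "Correct".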