McAfee Advanced Threat Defense deployment options

You can deploy McAfee Advanced Threat Defense in the following ways:

  • Standalone deployment — This is a simple way of deploying McAfee Advanced Threat Defense. In this case, it is not integrated with other externally installed McAfee products. When deployed as a standalone Appliance, you can manually submit the suspicious files using the McAfee Advanced Threat Defense web application. Alternatively, you can submit the samples using an FTP client. This deployment option is used, for example, during the testing and evaluation phase, to fine-tune configuration, and to analyze suspicious files in an isolated network segment. Also, research engineers might use the standalone deployment option for detailed analysis of malware.
  • Integration with Network Security Platform — This deployment involves integrating McAfee Advanced Threat Defense with Network Security Platform Sensor and Manager.

    Based on how you have configured the corresponding Advanced Malware policy, an inline Sensor detects a file download and sends a copy of the file to McAfee Advanced Threat Defense for analysis. If McAfee Advanced Threat Defense detects a malware within a few seconds, the Sensor can block the download. The Manager displays the results of the analysis from McAfee Advanced Threat Defense.

    If McAfee Advanced Threat Defense requires more time for analysis, the Sensor allows the file to be downloaded. If McAfee Advanced Threat Defense detects a malware after the file has been downloaded, it informs Network Security Platform, and you can use the Sensor to quarantine the host until it is cleaned and remediated. You can configure the Manager to update all the Sensors about this malicious file. Therefore, if that file is downloaded again anywhere in your network, your Sensors might be able to block it.

    For information on how to integrate Network Security Platform and McAfee Advanced Threat Defense, refer to the latest Network Security Platform Integration Guide.

  • Integration with McAfee® Web Gateway — You can configure McAfee Advanced Threat Defense as an additional engine for anti-malware protection. When your network user downloads a file, the native McAfee Gateway Anti-malware Engine on McAfee® Web Gateway scans the file and determines a malware score. Based on this score and the file type, McAfee® Web Gateway sends a copy of the file to McAfee Advanced Threat Defense for deeper inspection and dynamic analysis. A progress page informs your users that the requested file is being analyzed for malware. Based on the malware severity level reported by McAfee Advanced Threat Defense, McAfee® Web Gateway determines if the file is allowed or blocked. If it is blocked, the reasons are displayed for your users. You can view the details of the malware that was detected in the log file.

    This design ensures that only those files that require an in-depth analysis are sent to McAfee Advanced Threat Defense. This balances your users' experience in terms of download speed and security. For information on how to integrate McAfee Advanced Threat Defense and McAfee® Web Gateway, see the McAfee® Web Gateway Product Guide, version 7.4.

  • Integration with McAfee® ePolicy Orchestrator (McAfee ePO) — This integration enables McAfee Advanced Threat Defense to retrieve information regarding the target host. Knowing the operating system on the target host, enables it to select a similar virtual environment for dynamic analysis.
  • Integration with McAfee® Next Generation Firewall (McAfee NGFW)McAfee Next Generation Firewall integrates security features with high availability and manageability. It integrates application control, Intrusion Prevention System (IPS), and evasion prevention into a single, affordable solution. Following steps should be performed by McAfee Next Generation Firewall customer in order to integrate McAfee Next Generation Firewall with McAfee Advanced Threat Defense:
    1. Create a user called “ngfw” on Advanced Threat Defense after logging into Advanced Threat Defense as "admin". This user has the same privileges as the "nsp" user.
    2. Restart amas from the CLI.
    3. Use "ngfw" user on SCM to make REST API calls.
    Remember: There is no change to the existing SOFA protocol for file submission. Since a user called “ngfw” exists, all file submissions via the SOFA channel is assumed to be from McAfee NGFW appliances.
    CAUTION: Advanced Threat Defense is not able to support McAfee Network Security Platform and McAfee Next Generation Firewall in the same environment.

How the deployment options address the 4 major aspects of anti-malware process cycle:

  • Detection of file download: As soon as a user accesses a file, the inline Network Security Platform Sensor or McAfee® Web Gateway detects this and sends a copy of the file to McAfee Advanced Threat Defense for analysis.
  • Analysis of the file for malware: Even before the user fully downloads the file, McAfee Advanced Threat Defense can detect a known malware using sources that are local to it or on the cloud.
  • Block future downloads of the same file: Every time McAfee Advanced Threat Defense detects a medium, high, or very high severity malware, it updates its local black list.
  • Identify and remediate affected hosts: Integration with Network Security Platform enables you to quarantine the host until it is cleaned up and remediated.