Analyze URLs

Advanced Threat Defense opens a submitted URL in an analyzer VM selected by the user profile and reports the analysis results. For any file downloaded while the URL is opened, Advanced Threat Defense uses only the local blacklist and dynamic analysis. The McAfee GTI reputation of the URL is also reported, and the behavior of the browser while it opens the URL is analyzed for malicious activity.

Submit URLs by either of these methods:

  • Submit the URL manually from the Advanced Threat Defense web interface.
  • Submit the URL through the RESTful APIs. See the McAfee Advanced Threat Defense RESTful APIs Reference Guide.
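
The following is an added example of a RESTful URL submission written for this page; it is not McAfee's code. The endpoint paths (/php/session.php, /php/fileupload.php), the VE-SDK-API and Accept headers, the JSON field names, the meaning of submitType "1" as a URL submission and the shape of the responses are all assumptions about the public ATD API and must be checked against the RESTful APIs Reference Guide for your release before use. The payload builders and response parsers are separated from the HTTP calls so they can be exercised offline.

```python
"""Submit a URL to an Advanced Threat Defense appliance over its RESTful API.

Added example, not McAfee's code. Endpoint paths, headers, JSON fields and
response layout are ASSUMPTIONS: verify them against the McAfee Advanced
Threat Defense RESTful APIs Reference Guide for your release.
"""
import base64
import json
import ssl
import urllib.request

ACCEPT = "application/vnd.ve.v1.0+json"  # assumed ATD API version header


def auth_header(user, secret):
    """VE-SDK-API value: base64('user:password') at login, base64('session:userId') afterwards."""
    return base64.b64encode(f"{user}:{secret}".encode()).decode()


def parse_login(body):
    """Return (session, userId) from an assumed login response; fail closed on error."""
    doc = json.loads(body)
    if not doc.get("success"):
        raise RuntimeError(f"ATD login failed: {doc}")
    results = doc["results"]
    return results["session"], str(results["userId"])


def url_submission(url, vm_profile, analyze_again=False):
    """Build the JSON 'data' form field for a URL submission (field names assumed)."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("only http(s) URLs are accepted")
    return {"data": {"data": {
        "vmProfileList": str(vm_profile),   # analyzer VM profile to run the URL in
        "submitType": "1",                  # assumed: 1 = URL submission
        "url": url,
        "srcIp": "", "dstIp": "", "messageId": "",
        "analyzeAgain": "1" if analyze_again else "0",  # bypass cached verdict
        "xMode": "0",
    }}}


def multipart(fields, boundary="ATDSubmitBoundary"):
    """Encode plain text form fields as multipart/form-data; returns (body, content_type)."""
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f"name=\"{name}\"\r\n\r\n{value}\r\n").encode()
    body += f"--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def parse_submission(body):
    """Return the task ID from an assumed submission response."""
    doc = json.loads(body)
    if not doc.get("success"):
        raise RuntimeError(f"ATD submission failed: {doc}")
    return int(doc["results"][0]["taskId"])


def _call(host, method, path, headers, body=None, ctx=None):
    req = urllib.request.Request(f"https://{host}{path}", data=body,
                                 method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


def submit_url(host, user, password, url, vm_profile, cafile=None):
    """Log in, submit the URL, log out; returns the task ID to poll for the report."""
    # Appliances often use a private CA: pin it with cafile rather than disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    hdr = {"Accept": ACCEPT, "VE-SDK-API": auth_header(user, password)}
    session, uid = parse_login(_call(host, "POST", "/php/session.php", hdr, ctx=ctx))
    hdr["VE-SDK-API"] = auth_header(session, uid)
    body, ctype = multipart({"data": json.dumps(url_submission(url, vm_profile))})
    try:
        return parse_submission(_call(host, "POST", "/php/fileupload.php",
                                      {**hdr, "Content-Type": ctype}, body, ctx))
    finally:
        _call(host, "DELETE", "/php/session.php", hdr, ctx=ctx)  # always release the session


if __name__ == "__main__":
    # Placeholder appliance, user and URL: replace before running against a real ATD.
    print(submit_url("atd.example.internal", "apiuser", "secret",
                     "http://suspicious.example.test/landing", vm_profile=12,
                     cafile="atd-ca.pem"))
```

The session is released in a finally block because ATD limits concurrent API sessions; a submitter that crashes mid-run and leaks sessions can lock out other automation until they expire.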

Malicious websites typically host several kinds of malware. When a victim visits the site, the payload that matches the vulnerabilities present on the endpoint is downloaded. You can therefore create multiple analyzer VMs, each with a different combination of operating system, browser, applications, and browser plug-ins that reflects what is deployed on your network. Leaving the browsers and operating systems in some of these VMs unpatched lets the exploit chain actually fire, so you can observe the real behavior of a website rather than a failed attempt.

The advantage of using Advanced Threat Defense is that you get a detailed report on previously unknown malicious domains, websites, and IP addresses, as well as on the current behavior of known ones. You also get a detailed analysis report for otherwise benign sites that have recently been compromised.

Advanced Threat Defense analyzes URL samples and generates a Graph Modeling Language (GML) file. This is an ASCII plain-text file that contains the data needed to draw a graphical representation of the logic execution path. You cannot view this file directly in the Advanced Threat Defense web interface.

  • Full Logic Path (FLP) is not available for non-PE files. If you submit a non-PE file with FLP enabled, Advanced Threat Defense ignores the setting and proceeds with dynamic analysis.
  • GTI Reputation is enabled by default. URL analysis depends on this setting, so leave it enabled.