Analyze files

Advanced Threat Defense performs static and dynamic analysis on the files you submit.

File guidelines
Guideline Definition
File submission methods
You can submit files using the following methods:
  • Log on to the Advanced Threat Defense web interface and manually upload the files.
  • Post the files on the FTP server, which is hosted on the Advanced Threat Defense Appliance.
  • Use the Advanced Threat Defense web interface RESTful APIs. For more information, see the McAfee Advanced Threat Defense APIs Reference Guide.
    Note: The maximum file size supported is 128 MB if you use the Advanced Threat Defense web interface, RESTful APIs, or Web Gateway.
  • Integrate Advanced Threat Defense with Network Security Platform and Web Gateway, which automatically submit samples to Advanced Threat Defense.
Maximum file size
The Advanced Threat Defense web interface, RESTful APIs, and Web Gateway support a maximum file size of 128 MB.
File name requirements
  • Advanced Threat Defense supports Unicode.
  • File names can be up to 200 bytes long.
  • File names can contain non-English and special characters.

    When you use the following characters, file names are displayed as the file MD5 hash value:

    • "
    • '
    • `
    • <
    • >
    • |
    • ;
    • *
    • ?
    • #
    • $
    For example, if you submit vtest;32.exe, Advanced Threat Defense displays the file name as e2cfe1c89703352c42763e4b458fc356.exe.

  • If you use the \ character, Advanced Threat Defense is unable to display the character and any following characters.
  • If you use a space in the file name, Advanced Threat Defense displays it as _.
Static analysis
Static analysis of Visual Basic for Applications scripts (VBA scripts) embedded inside a Microsoft Office application takes place inside the virtual machine. The analysis enhances the ability to identify threats that are disguised as VBA scripts.
Dynamic analysis
Dynamic analysis of Flash files occurs after you install the Internet Explorer-based Flash plug-in or Flash player on the virtual machine. The Flash plug-in is supported only for Internet Explorer on the virtual machine. When you install both the Flash player and the Flash plug-in, the Flash plug-in takes precedence.
Pre-filtering
Advanced Threat Defense supports file sample pre-filtering for the following software:
  • Adobe Reader
  • Adobe Flash
  • Microsoft Office
  • Ichitaro word processor
Pre-filtering can classify Microsoft Office samples as clean even before these samples are submitted for dynamic analysis. This reduces the load on the virtual machines.
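
An added example, not taken from the product documentation: a pre-submission check in Python that applies the file size and file name guidelines above and predicts the name the web interface will display, so a report can be mapped back to the original file. The function name preflight, counting the 200 bytes on the UTF-8 encoding, keeping the extension after the MD5, and the order of the backslash and space rules are assumptions.

```python
import hashlib
import os

MAX_SIZE = 128 * 1024 * 1024         # 128 MB limit (web interface, RESTful APIs, Web Gateway)
MAX_NAME_BYTES = 200                 # file name limit from the guidelines
HASH_TRIGGERS = set("\"'`<>|;*?#$")  # characters that cause the MD5 to be shown instead


def preflight(name: str, data: bytes) -> dict:
    """Check a sample against the documented limits and predict its display name."""
    problems = []
    if len(data) > MAX_SIZE:
        problems.append("file exceeds 128 MB")
    # Assumption: the 200-byte limit is measured on the UTF-8 encoding of the name.
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        problems.append("file name exceeds 200 bytes")

    # MD5 is used here only as the identifier the product displays, not for integrity.
    md5 = hashlib.md5(data).hexdigest()
    if HASH_TRIGGERS & set(name):
        # Assumption: the original extension is kept, as in the vtest;32.exe example.
        display = md5 + os.path.splitext(name)[1]
    else:
        # Assumption: text from the backslash onward is dropped first,
        # then each space is shown as an underscore.
        display = name.split("\\", 1)[0].replace(" ", "_")
    return {"md5": md5, "display_name": display, "problems": problems}


if __name__ == "__main__":
    # Constructed sample bytes and file names, not real submissions.
    sample = b"MZ constructed sample"
    for n in ("vtest;32.exe", "quarterly report.docx", "dir\\payload.dll"):
        print(n, "->", preflight(n, sample))
```

Logging the original name next to the returned md5 and display_name at submission time gives a lookup table for correlating analysis reports with the files that were sent.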

Supported file types
File types, with the extensions supported for static analysis and for dynamic analysis:
32-bit Portable Executable (PE) files; 64-bit PE+ files
  • Static analysis: .exe, .dll, .scr, .sys, .com, .cpl
  • Dynamic analysis: .exe, .dll, .scr, .cpl
Microsoft Office Suite documents
  • Static analysis: .doc, .docx, .xls, .xlsx, .xlsb, .xlsm, .ppt, .pptx, .rtf, .xltm, .xltx, .xlam, .docm, .dotm, .dotx, .ppam, .pps, .ppsx, .ppsm, .pptm, .shs, .sldm, .sldx, .thmx
  • Dynamic analysis: .doc, .docx, .xls, .xlsx, .xlsb, .xlsm, .ppt, .pptx, .rtf, .xltm, .xltx, .xlam, .docm, .dotm, .dotx, .ppam, .pps, .ppsx, .ppsm, .pptm, .shs, .sldm, .sldx, .thmx, .xar
JustSystems Ichitaro documents
  • Static analysis: .jtd, .jtdc
  • Dynamic analysis: .jtd, .jtdc
Adobe
  • Static analysis: .pdf, .swf
  • Dynamic analysis: .pdf, .swf
Compressed files
  • Static analysis: .gz, .tgz, .zip, .cab, .7z, .msi, .lzh, .lzma, .iso, .xar
  • Dynamic analysis: .gz, .tgz, .zip, .cab, .7z, .msi, .lzh, .rar, .iso, .xar
Android application package
  • Static analysis: .apk
  • Dynamic analysis: .apk
Java
  • Static analysis: .jar, .class, .js, Java bin files
  • Dynamic analysis: .jar, .class, .js, Java bin files
Image files
  • Static analysis: .jpeg, .png, .gif
  • Dynamic analysis: Not supported
Other file types
  • Static analysis: .cmd, .bat, .cgi, .vbs, .xml, .url, .htm, .html, .eml, .mht, .msg, .vb, .vba, .vbe, .ace, .arj, .chm, .lnk, .mof, .ocx, .potm, .potx, .ps1, .reg, .wsc, .wsf, .wsh
  • Dynamic analysis: .cmd, .bat, .cgi, .vbs, .xml, .url, .htm, .html, .eml, .mht, .msg, .vbe, .ace, .arj, .chm, .ins, .lnk, .ocx, .potm, .potx, .ps1, .reg, .wsc, .wsf, .wsh