McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software




Table of Contents

McAfee Global Threat Intelligence File Reputation Service
McAfee GTI File Reputation Service in McAfee VirusScan Enterprise
    How Does It Work?
    Selection criteria
    Protecting Privacy
        Data collected in a McAfee GTI File Reputation service query
    Data Transport, Network Traffic, and Security
        Data transport
        Network traffic
        Security
    McAfee GTI Proxy
Best Practices for Managing McAfee GTI File Reputation Service in McAfee VirusScan Enterprise Software
    Sensitivity settings
    False positives
    Rolling out McAfee GTI File Reputation service
        Running reports to show McAfee GTI File Reputation detections versus .DAT detections
        Phased approach

McAfee Global Threat Intelligence File Reputation Service

Reputation systems have been used for years across many disciplines, from doctors diagnosing illnesses to mathematical experts rating financial instruments, to assess situations and make decisions. Reputation calculation tools are more critical to cybersecurity today than ever before, as more and more of our personal and professional transactions occur online. McAfee Global Threat Intelligence (McAfee GTI) File Reputation service provides a level of assurance around identity and integrity in critical Internet-based transactions for which physical-world verification is impossible.

So how does the McAfee file reputation service offer value? Simply put, it provides near real-time protection against new and emerging threats using the power of McAfee GTI technology. Reputation is expected behavior over time. Reputation systems for Internet security have to be based on threat intelligence that spans the globe and all threat vectors. At McAfee, we calculate the reputations of hundreds of millions of electronic entities (files, websites, web domains, messages, DNS servers, and network connections) using a highly granular scoring system based on a variety of information about the entity's behaviors and characteristics, and on our own experience of how comparable entities behave. Among other inputs, McAfee relies on telemetry data captured from billions of queries from tens of millions of McAfee products per day, ranging from anti-malware clients to web and email gateways and firewalls. These products are deployed around the globe and act as sensors for our cloud-based analysis engine. Because of our extensive breadth, depth, and correlation of sensory and threat intelligence data across all of these threat vectors, combined with the efforts of over 00 researchers, McAfee GTI File Reputation service can stop threats not yet covered by traditional signature-based technology.

McAfee GTI File Reputation Service in McAfee VirusScan Enterprise

McAfee Global Threat Intelligence File Reputation service is included with McAfee VirusScan Enterprise software licenses. It is used by thousands of McAfee customers representing tens of millions of corporate workstations and servers around the globe.

Figure 1. The protection gap. With traditional protection, malware is discovered, verified by a security vendor, made available, and ultimately deployed. This process can take place over several hours, creating a protection gap.

Figure 2. Compressing the protection gap. Rather than rely solely on signature-based detection of malware, where the time from discovery to protection could be hours or even longer, McAfee GTI File Reputation service provides near real-time protection by providing reputation scores for files as they are accessed or when a system is scanned, compressing the protection gap.

How Does It Work?
When an executable file is accessed by a user, or a manual or automated scan of a workstation or server is performed, files are checked against the McAfee .DAT files to determine whether they are malicious. If the file does not match a signature or hash in the .DAT file, and the file meets proprietary criteria, a query is sent to the cloud to check the file against the McAfee GTI technology database. The same is true if a user downloads a PDF file from a website or receives one as an email attachment. On average, McAfee adds more than 100,000 new file hashes to its threat intelligence database every day. The McAfee GTI File Reputation service provides an instant reputation score that McAfee VirusScan Enterprise software interprets in order to apply a policy, such as block or quarantine. The result is near real-time protection of your endpoint against new and emerging malware.

Selection criteria
The criteria for which executable or PDF files are deemed suspicious are determined in the .DATs and regularly updated. McAfee leverages a number of proprietary techniques, such as the ability to determine whether a file is packed, and decision tree techniques. McAfee GTI technology selection criteria are constantly evolving, just like threats, and work is underway to identify environmental clues, such as where the file was found on disk.

Protecting Privacy

Data collected in a McAfee GTI File Reputation service query
At no stage of the file reputation communication is private or company-confidential information provided to McAfee. No user names, files, or file names are transmitted. The primary data collected is simply a hash of the file, not the entire file. In addition, the following is collected:
- Source of malware (disk, USB, network, location of malware on disk, sub-process of Internet Explorer)
- Engine version
- .DAT version
- Product version
- Context information (on-access scan or on-demand scan)

Data Transport, Network Traffic, and Security

Data transport
Queries are transported using DNS. DNS provides several advantages:
- Very fast response times: 100 millisecond average.
- Small packets: just two packets averaging ~00 bytes.
- Location awareness: queries are directed to the nearest McAfee GTI File Reputation cloud server, ensuring the fastest response times. McAfee GTI File Reputation cloud servers are located in the United States, Europe, and Asia Pacific regions.

Network traffic
The network traffic generated by these queries is minimal. If the sensitivity setting is set to Very Low or Low, you can expect an average of 10 to 1 queries per day, per machine. If the sensitivity setting is set to Medium, High, or Very High, you can expect an average of 0 to 0 queries per day, per machine. Remember, these are DNS queries: as many as 0 DNS queries are made when a user visits a popular website. Even in a worst case where every machine is infected by a different piece of malware simultaneously, the resulting network traffic compares favorably to bringing up Microsoft Outlook in the morning.

Security
The McAfee GTI File Reputation service uses an obfuscated, authenticated query for the hash comparison against the McAfee secure servers in the cloud, and an encoded, authenticated response. If the initial request/response text record indicates a malicious detection, a second record is sent.

McAfee GTI Proxy
McAfee GTI Proxy is an optional proxy server that can be implemented in your network to route queries from McAfee VirusScan Enterprise software to the McAfee cloud. McAfee GTI Proxy is a virtual appliance that can support up to 100,000 client workstations per server. It features a local cache and is managed by McAfee ePolicy Orchestrator (McAfee ePO) software. McAfee GTI Proxy is a free download for licensed McAfee VirusScan Enterprise software customers (http://www.mcafee.com/us/downloads/). Consider using McAfee GTI Proxy if you do not permit direct DNS (UDP) queries from endpoints in your network.

Best Practices for Managing McAfee GTI File Reputation Service in McAfee VirusScan Enterprise Software

Sensitivity settings
There are five sensitivity settings for McAfee VirusScan Enterprise software:
- Very Low
- Low
- Medium
- High
- Very High
The setting can be managed via McAfee ePO software for all workstations and servers. Sensitivity settings govern two things:

1. What is queried. Selection criteria for whether a file is deemed suspicious and should be queried are the same for the Very Low and Low settings. An extended selection criterion is used for Medium, High, and Very High, so more files may be queried at those settings. PDF files are queried only when downloaded from a website or received as an email attachment, and only when the sensitivity setting is at Medium. As stated earlier, even at Very High, the number of queries made should have minimal impact on network bandwidth.

2. Whether the response indicates a malware detection. The response indicates the level of certainty that McAfee has in the malicious nature of the file. A response with absolute certainty triggers a malware detection at any sensitivity setting, whereas a near-certain reputation score triggers a detection at Low and above, but not at Very Low.
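The decision flow from "How Does It Work?" and the two effects of the sensitivity setting just described, modelled end to end in Python. This is an added example and not McAfee code: the local signature set, the cloud reputation table, the certainty values and the thresholds are constructed for illustration; SHA-256 is assumed as the hash (the paper says only "a hash of the file"); and cloud_lookup is a plain function stub that does not reproduce the obfuscated, authenticated DNS query the real service uses. The query record carries only the fields the paper lists as collected, with placeholder strings for the version numbers.

```python
"""Local-signature-then-cloud-reputation decision flow, as described in the paper.

Added example, not McAfee code. Every data value below is constructed; the cloud
lookup is a stub and does not implement the service's DNS transport.
"""
import hashlib
from enum import IntEnum


class Sensitivity(IntEnum):
    """The five sensitivity settings, ordered so that comparisons work."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


def file_hash(data: bytes) -> str:
    # The paper says only "a hash of the file" is sent; SHA-256 is an assumption here.
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the local .DAT signature set (hashes of known malware).
LOCAL_SIGNATURES = {file_hash(b"MZ known-bad sample")}

# Constructed stand-in for the cloud database: hash -> certainty (0.0..1.0) that the file is malicious.
CLOUD_REPUTATION = {
    file_hash(b"MZ brand-new dropper"): 1.0,       # absolute certainty
    file_hash(b"MZ suspicious packer"): 0.9,       # near certain
    file_hash(b"%PDF malicious document"): 1.0,
}

# Assumed certainty thresholds. The paper states only that absolute certainty triggers at
# every level and near-certain triggers at Low and above, so Low..Very High are modelled alike.
DETECTION_THRESHOLD = {level: 0.9 for level in Sensitivity}
DETECTION_THRESHOLD[Sensitivity.VERY_LOW] = 1.0


def should_query(kind: str, source: str, sensitivity: Sensitivity) -> bool:
    """Selection criteria as the paper describes them: executables are candidates at every
    level; PDFs only when they arrive from the web or email and the setting is Medium or higher."""
    if kind == "executable":
        return True
    if kind == "pdf" and source in ("web", "email"):
        return sensitivity >= Sensitivity.MEDIUM
    return False


def build_query(digest: str, source: str, context: str) -> dict:
    """Only the fields the paper lists as collected: no user name, file name or file content.
    Version strings are placeholders."""
    return {
        "hash": digest,
        "source": source,
        "engine_version": "ENGINE-VERSION-PLACEHOLDER",
        "dat_version": "DAT-VERSION-PLACEHOLDER",
        "product_version": "PRODUCT-VERSION-PLACEHOLDER",
        "context": context,                 # "on-access" or "on-demand"
    }


def cloud_lookup(query: dict):
    """Stub for the reputation query; returns a certainty, or None for a hash the cloud has never seen."""
    return CLOUD_REPUTATION.get(query["hash"])


def scan(data: bytes, kind: str, source: str, context: str, sensitivity: Sensitivity) -> str:
    """Return one of: detected-dat, detected-gti, not-queried, clean."""
    digest = file_hash(data)
    if digest in LOCAL_SIGNATURES:             # step 1: local signature match wins outright
        return "detected-dat"
    if not should_query(kind, source, sensitivity):
        return "not-queried"                   # step 2: selection criteria not met, no cloud traffic
    certainty = cloud_lookup(build_query(digest, source, context))
    if certainty is not None and certainty >= DETECTION_THRESHOLD[sensitivity]:
        return "detected-gti"                  # step 3: reputation score crosses the level's threshold
    return "clean"


if __name__ == "__main__":
    # The same near-certain file is clean at Very Low and detected at Low and above.
    for level in Sensitivity:
        print(level.name, scan(b"MZ suspicious packer", "executable", "disk", "on-access", level))
```

The stub returns None for a hash the cloud has never seen, and the flow treats that as clean, which is why the paper pairs the service with the .DAT check rather than replacing it. The thresholds for Low through Very High are identical only because the paper distinguishes just Very Low from the rest; a real deployment would tune them per level.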

The table below provides recommended settings based on specific endpoint configurations:

Configuration Level   When to Use
Very Low              For desktops and servers with restricted user rights and a strong security footprint
Low                   Minimum recommendation for laptops or desktops and servers with a strong security footprint
Medium                Minimum recommendation for laptops or desktops and servers
High                  For deployment to systems or areas which are regularly infected
Very High             In email and on-demand scans on non-operating system volumes

It is strongly recommended that the McAfee GTI File Reputation service sensitivity level be set to Medium. This setting permits a strong level of detection of suspicious files while minimizing potential false positives.

False positives
The historic false positive rate that McAfee has recorded for McAfee GTI File Reputation service is 0.00001 percent. For McAfee Platinum Support customers, McAfee also offers a free service called McAfee GetClean, which allows you to have your trusted applications whitelisted in the McAfee cloud. Contact your McAfee Platinum Support representative for assistance with the McAfee GetClean program.

Rolling out McAfee GTI File Reputation service
As with any technology that you are using for the first time, testing and validation can help you and other managers make the right decisions about sensitivity settings.

Running reports to show McAfee GTI File Reputation detections versus .DAT detections
It is possible to run reports in McAfee ePO software that compare McAfee GTI File Reputation service detections to standard detections from .DATs. Generally, customers report an increase in accurate detections of between 10 percent and 30 percent, but the reports will demonstrate the effectiveness in your own network. Contact your McAfee Sales Engineer to create these reports.

Phased approach
McAfee suggests that you start with the default sensitivity setting of Low. Monitor the reports for four to six weeks and note any false positive cases from your user base. Then, turn the sensitivity up to Medium, at least for a selected group of workstations and servers in your network, for another four to six weeks. Once again, monitor the daily, weekly, or monthly reports and dashboards and any false positive cases from your user base.

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com

2821 Mission College Boulevard, Santa Clara, CA 90
888 87 87
www.mcafee.com

McAfee, the McAfee logo, ePolicy Orchestrator, McAfee Global Threat Intelligence, McAfee ePO, McAfee GTI, and McAfee VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2012 McAfee, Inc. 8302wp_gti-best-practices_0812_kg