
Skyhigh Security

Configuration Elements to Use Advanced Threat Defense

To enable the additional scanning of web objects by Advanced Threat Defense, suitable rules must be implemented on Web Gateway. You can import a rule set that contains such rules from the rule set library; importing it also implements a list and settings.

Rule sets for the additional scanning

There is a rule set for forwarding a web object depending on the result of the additional scanning, as well as a rule set for forwarding a web object before the additional scanning and delivering any warning information afterwards.

  • Advanced Threat Defense library rule set — This rule set implements the workflow that lets a web object additionally be scanned by Advanced Threat Defense and forwarded to the user depending on the scanning result.


  • ATD - Init Offline Scan nested library rule set — This nested rule set has the same criteria as the rule set that forwards a web object to the user depending on the result of the additional scanning.

The rule set applies if previous scanning by Web Gateway has resulted in a configured degree of probability that a web object is infected, the web object is on the list of web objects that can be scanned, and a particular object size is not exceeded.

The rule set contains only one rule that uses the Antimalware.MATD.InitBackgroundScan property in its criteria. The value of this property is true by default.

In this case, data for the current transaction is recorded. This includes all data that is related to a request for web access and the response to it from a web server, such as the IP address of the client, authentication information, the URL of the web server, and the requested web object that was sent as the body of the response message.

An internal request is sent to initiate scanning by Advanced Threat Defense. After this has been completed, the requested web object is forwarded to the user while the scanning is performed later on, using the data that was recorded.

If the value of the Antimalware.MATD.InitBackgroundScan property is false, scanning by Advanced Threat Defense cannot be initiated, and a rule event is used to display an error message.

  • ATD - Handle Offline Scan nested library rule set — This nested rule set has the Antimalware.MATD.IsBackgroundScan property for its criteria. The value of this property is true by default.

In this case, the data that was recorded by the rule in the ATD - Init Offline Scan rule set is used by Advanced Threat Defense to scan the web object specified by the data.

The rule set has a rule that uses an event to increase a counter if a scanned web object has been found to be infected, a rule that uses another event to create and send a message about the infected web object to the administrator, and finally a rule that stops the processing cycle.

List and settings for the additional scanning

The Advanced Threat Defense library rule set provides rules for enabling the use of Advanced Threat Defense on Web Gateway and forwarding a requested web object to the user depending on the scanning result.

After importing this rule set, a list and settings are also implemented.

  • Advanced Threat Defense Supported Types list — This list is used within the criteria of the library rule set. Only web objects belonging to the media types on this list are passed on to Advanced Threat Defense for scanning.

    The list contains several media types by default. You can add media types to the list or remove them.

  • Gateway ATD settings — These are settings for the Anti-Malware module (or engine) on Web Gateway, which handles virus and malware filtering, including the additional use of Advanced Threat Defense.

The settings mainly include options for configuring the following:

  • Communication between Web Gateway and the server that Advanced Threat Defense runs on
  • Severity grade that lets a web object, for example, a file, be classified as malicious

When an object is scanned by Advanced Threat Defense, the result is a severity grade on a scale from 0 to 5 (very high severity).

You can set a value on this scale, for example, 3. All objects with a scanning result of 3 or higher are then considered malicious.

For these objects, the Antimalware.Infected property is set to true, so a rule that uses this property in its criteria will block a web object and prevent it from being passed on to the user who requested access to it.
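As an added illustration that is not Skyhigh's code or configuration, the following Python model walks one transaction through the two nested rule sets described above and then applies the severity threshold. The media types, the probability and size limits, and the sample transaction are constructed assumptions; the point it makes visible is that in the offline workflow the object reaches the user before the verdict, so an infected result raises a counter and an administrator message rather than a block.

```python
from dataclasses import dataclass, field

# Constructed values for this example; names follow the properties the page describes.
SUPPORTED_TYPES = {"application/x-msdownload", "application/pdf", "application/zip"}
MAX_SIZE = 10 * 1024 * 1024     # assumed size limit (bytes) for passing an object to ATD
PROBABILITY_THRESHOLD = 60      # assumed degree of probability (percent) from prior Web Gateway scanning
SEVERITY_THRESHOLD = 3          # the example value the page uses on the 0-5 severity scale

@dataclass
class Transaction:
    client_ip: str              # data recorded by the Init Offline Scan rule
    user: str
    url: str
    media_type: str
    body: bytes                 # the requested web object (response body)
    probability: int            # result of Web Gateway's own earlier scanning
    infected: bool = False      # models Antimalware.Infected
    delivered: bool = False     # True once the object has been forwarded to the user
    log: list = field(default_factory=list)

def atd_criteria_match(tx):
    """Shared criteria: suspicious enough, on the supported-types list, size not exceeded."""
    return (tx.probability >= PROBABILITY_THRESHOLD
            and tx.media_type in SUPPORTED_TYPES
            and len(tx.body) <= MAX_SIZE)

def init_offline_scan(tx, queue, init_background_scan=True):
    """ATD - Init Offline Scan: record the transaction, forward the object now, scan later."""
    if not atd_criteria_match(tx):
        return "not applicable"
    if not init_background_scan:        # Antimalware.MATD.InitBackgroundScan is false
        tx.log.append("error: background scan could not be initiated")
        return "error"
    queue.append(tx)                    # recorded data used by the later scan
    tx.delivered = True                 # the user receives the object before the verdict exists
    return "forwarded"

def handle_offline_scan(tx, severity, counters, notifications):
    """ATD - Handle Offline Scan: apply the ATD severity grade (0-5) to the recorded transaction."""
    tx.infected = severity >= SEVERITY_THRESHOLD
    if tx.infected:
        counters["infected"] = counters.get("infected", 0) + 1     # event: increase a counter
        notifications.append(                                      # event: message to the administrator
            f"infected object {tx.url} already delivered to {tx.client_ip} ({tx.user})")
    return "stop"                                                  # rule that stops the processing cycle
```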
