ATP

Question 1

What is ATP?

Answer 1

ATP analyses content from an enterprise and decides howto respond based off of the file reputation, rules and reputation thresholds. Optional module.

Question 2

What are the benefits of implementing ATP in your organization?

Answer 2

• Fast detection and protection against security threats and malware.
• The ability to know which systems or devices are compromised, and how the threat spread through your
  environment.
• The ability to immediately contain, block, or clean specific files and certificates based on their threat
  reputations and your risk criteria.
• Integration with Real Protect scanning to perform automated reputation analysis in the cloud and on client
  systems.
• Real-time integration with McAfee® Advanced Threat Defense and McAfee GTI to provide detailed
  assessment and data on malware classification. This integration allows you to respond to threats and share
  the information throughout your environment.

Question 3

What McAfee Products can optionally integrate with ATP?

Answer 3

• TIE server — A server that stores information about file and certificate reputations, then passes that
  information to other systems.
• Data Exchange Layer — Clients and brokers that enable bidirectional communication between the
  Adaptive Threat Protection module on the managed system and the TIE server.

Question 4

What McAfee Products can optionally integrate with ATP?

Answer 4

• TIE server — A server that stores information about file and certificate reputations, then passes that
  information to other systems.
• Data Exchange Layer — Clients and brokers that enable bidirectional communication between the
  Adaptive Threat Protection module on the managed system and the TIE server.

Question 5

What ATP features fall under “Protect”?

Answer 5

Reputation-based file handling
Integration with the TIE server
Dynamic Application Containment

Question 6

What ATP features fall under “Protect”?

Answer 6

Reputation-based file handling
Integration with the TIE server
Dynamic Application Containment

Question 7

What ATP features fall under “Detect”

Answer 7

Real Protect scanning

Question 8

What ATP features fall under “Correct”

Answer 8

File cleaning
Custom file exclusions
McAfee ePO Dashboards and reports

Question 9

Give a brief overview of what Reputation-based file handling means in regards to ATP?

Answer 9

ATP - alerts when an unknown file enters the
environment.
Instead of sending the file information to McAfee for analysis, Adaptive Threat Protection can block the file
immediately.

Question 10

Give a brief overview of Dynamic Application Containment

Answer 10

Allows unknown files to run in a container, limiting the actions they can take.

When a company first uses a file whose reputation is not known, Adaptive Threat Protection can run it a
container. Containment rules define which actions the contained application can’t perform. Dynamic
Application Containment also contains processes when they load PE files (Portable Executables) and DLLs
(Dynamic Link Libraries) that downgrade the process reputation.

Question 11

Give a brief overview of Real Protect scanning

Answer 11

Performs automated reputation analysis.

Real Protect inspects suspicious files and activities on a client system and detects malicious patterns using
machine-learning techniques. Real Protect client-based and cloud-based scans include DLL scanning to keep
trusted processes from loading untrusted PE and DLL files.

Question 12

T/F: ATP can flag a file as malicious based on it’s reputation, but Threat Prevention takes over the blocking/cleaning function.

Answer 12

False, ATP can both block and clean a file based on it’s reputation

Question 13

What is the protection workflow for ATP like?

Answer 13

1. A file is opened on a client system
   2.ATP checks the local reputation cache for the file: if the file is not in the local reputation cache: ATP will query the TIE Server
2. If the TIE server is not available or the file is not in the TIE server database, ATP queries McAfee GTI for the reputation
3. Depending on the file’s reputation and ATP settings:
   -The file is allowed to open
   -The file is blocked
   -The file is allowed to run in a container
   -The user is prompted for the action to take
4. GTI returns the latest file reputation information to the TIE server, and the TIE server updates the database and sends the updated reputation information to all ATP-enabled systems to immediately protect your environment

Question 14

What is the difference in ATP’s functionality when TIE and DXL are present versus when they are not?

Answer 14

-If TIE and DXL are present, ATP uses DXL to share file and threat info instantly across the whole enterprise. Also, through TIE you can control file reputation at the local level in your environment. You decide which files can run, and which are blocked, and the DXL shares the information immediately throughout your environment. ATP reaches out to the TIE server for threat information

-If TIE and DXL are not present, ATP communicates with McAfee GTI for file reputation information

Question 15

What are the three security levels for ATP?

Answer 15

Productivity - For systems that change frequently, often installing and uninstalling trusted programs and receiving frequent updates.

Balanced - Typical business systems where new programs and changes are installed infrequently. More rules are used with this setting, thus users experience more blocking and prompting

Security - IT-managed systems with tight control and little change. Examples are systems that access critical or sensitive information in a financial or government environment. This setting is also used for servers. The maximum number of rules are used with this setting, thus Users experience even more blocking and prompting

Question 16

What processes does ATP employ when determining the reputation of a file or certificate?

Answer 16

Pre-execution process scanning and post-execution monitoring

Question 17

What is the workflow for Pre-execution process scanning?

Answer 17

1. A Portable Executable file is loaded for execution in a process.
2. Assuming the file is not excluded, ATP will inspect the file to see if its hash is in the local reputation cache.
3. If the file hash is in the local reputation cache, ATP takes that associated action, otherwise ATP will get the file’s prevalence and reputation data from TIE server (or McAfee GTI if the TIE server isn’t available)
4. If ATP rules determine the file reputation for the file, ATP will update the TIE server with reputation information, and ATP will take the associated action. Otherwise, Real Protect client-based scanner will scan the file
5. If Real Protect client-based scanner determined the final reputation for the file, ATP updates the TIE server with reputation information and ATP takes the associated action. If it doesn’t, then the file reputation is declared unknown, and we move to the post-execution process monitoring workflow

Question 18

What is the workflow for Post-execution process monitoring?

Question 19

If sandboxing is enabled, how does that affect the ATP process?

Question 20

If Web Gateway is present, how does that affect the ATP process?

Question 21

If ENS Web Control is present, how does that affect the ATP process?

Question 22

When is the cache flushed?

Question 23

How does Real Protect scanning monitors activity?

Question 24

What is the difference between Client-based scanning and Cloud-based scanning

Question 25

What is the best practice regarding offline scanning for Client-Based Scanning(Real Protect).

Question 26

What is best practice regarding Cloud-based scanning(Real Protect)

Question 27

How does Dynamic Application Containment work?