McAfee GTI File Reputation Service - Best Practices Guide for VSE

McAfee Global Threat Intelligence File Reputation Service Best Practices Guide for McAfee VirusScan® Enterprise Software

Table of Contents

McAfee Global Threat Intelligence File Reputation Service
McAfee GTI File Reputation Service in McAfee VirusScan Enterprise
How Does It Work?
Selection criteria
Protecting Privacy
Data collected in a McAfee GTI File Reputation service query
Data Transport, Network Traffic, and Security
Data transport
Network traffic
Security
McAfee GTI Proxy
Best Practices for Managing McAfee GTI File Reputation Service in McAfee VirusScan Enterprise Software
Sensitivity settings
False positives
Rolling out McAfee GTI File Reputation service
Running reports to show McAfee GTI File Reputation detections versus .DAT detections
Phased approach

McAfee Global Threat Intelligence File Reputation Service

Reputation systems have been used for years across many disciplines—from doctors diagnosing illnesses to mathematical experts rating financial instruments—to assess situations and make decisions. Reputation calculation tools are more critical today to cybersecurity than ever before, as more and more of our personal and professional transactions occur online. McAfee® Global Threat Intelligence® (McAfee GTI™) File Reputation service provides a level of assurance around identity and integrity in critical Internet-based transactions for which physical world verification is impossible.

So how does the McAfee file reputation service offer value? Simply put, it provides near real-time protection against new and emerging threats using the power of McAfee GTI technology.

Reputation is expected behavior over time. Reputation systems for Internet security have to be based on threat intelligence that spans the globe and all threat vectors. At McAfee, we calculate the reputations of hundreds of millions of electronic entities—files, websites, web domains, messages, DNS servers, and network connections—using a highly granular scoring system based on a variety of information about the entity’s behaviors, characteristics, and our own experience of how comparable entities behave. Among other inputs, McAfee relies on telemetry data captured from billions of queries from tens of millions of McAfee products per day, ranging from anti-malware clients to web and email gateways and firewalls. These products are deployed around the globe and act as sensors for our cloud-based analysis engine. Because of our extensive breadth, depth, and correlation of sensory and threat intelligence data across all of these threat vectors, combined with the efforts of over 500 researchers, McAfee GTI File Reputation service can stop threats not yet covered by traditional signature-based technology.

McAfee GTI File Reputation Service in McAfee VirusScan Enterprise

McAfee Global Threat Intelligence File Reputation service is included with McAfee VirusScan® Enterprise software licenses. It is used by thousands of McAfee customers representing tens of millions of corporate workstations and servers around the globe.

Figure 1. The protection gap. With traditional protection, malware is discovered, verified by a security vendor, made available and ultimately deployed. This process can take place over several hours, creating a protection gap.

Figure 2. Compressing the protection gap. Rather than rely solely on signature-based detection of malware where the time from discovery to protection could be hours or even longer, McAfee GTI File Reputation service provides near real-time protection by providing reputation scores for files as they are accessed or when a system is scanned, compressing the protection gap.

How Does It Work?

When an executable file is accessed by a user, or a manual or automated scan of a workstation or server is performed, files are checked against the McAfee .DAT files to determine if they are malicious. If the file does not match a signature or hash in the .DAT file, and the file meets proprietary criteria, a query will be sent to the cloud to check the file against the McAfee GTI technology database. The same is true if a user downloads a PDF file from a website or as an email attachment. On average, McAfee adds more than 100,000 new file hashes to its threat intelligence database every day. The McAfee GTI File Reputation service provides an instant reputation score that is interpreted by McAfee VirusScan Enterprise software in order to apply a policy, such as block or quarantine. The result is near real-time protection of your endpoint against new and emerging malware.

Selection criteria

Criteria for which executable or PDF files are deemed suspicious are determined in the .DATs and regularly updated. McAfee leverages a number of proprietary techniques, such as the ability to determine if the file is packed, and decision tree techniques. McAfee GTI technology selection criteria are constantly evolving, just like threats, and work is underway to identify environmental clues, such as where the file was found on disk.

Protecting Privacy

Data collected in a McAfee GTI File Reputation service query

At no stage of the file reputation communication is private or company-confidential information provided to McAfee. No user names, files, or file names are transmitted.

The primary data collected is simply a hash of the file—not the entire file. In addition, the following is collected:

• Source of malware (disk, USB, network, location of malware on disk, sub-process of Internet Explorer)
• Engine version
• .DAT version
• Product version
• Context information (on-access scan or on-demand scan)

Data Transport, Network Traffic, and Security

Data transport

Queries are transported using DNS. DNS provides several advantages:

• Very fast response times—100 millisecond average
• Small packets—Just two packets averaging ~500 bytes
• Location awareness—Queries are directed to the nearest McAfee GTI File Reputation cloud server, ensuring the fastest response times. McAfee GTI File Reputation cloud servers are located in the United States, Europe, and Asia Pacific regions

Network traffic

The network traffic generated by these queries is minimal. If the sensitivity setting is set to Very Low or Low, you can expect an average of 10 to 15 queries per day, per machine. If the sensitivity setting is set to Medium, High, or Very High, you can expect an average of 40 to 50 queries per day, per machine. Remember, these are DNS queries. As many as 40 DNS queries are made when a user visits a popular website. Imagine a worst case scenario where each machine is infected by a different piece of malware simultaneously. The network traffic of that case compares favorably to bringing up Microsoft Outlook in the morning.

Security

The McAfee GTI File Reputation service uses an obfuscated, authenticated query for hash comparison to the McAfee secure servers in the cloud and an encoded, authenticated response. If the initial request/response text record indicates malicious detection, a second record is sent.

McAfee GTI Proxy

McAfee GTI Proxy is an optional proxy server that can be implemented in your network to route queries from McAfee VirusScan Enterprise software to the McAfee cloud. McAfee GTI Proxy is a virtual appliance that can support up to 100,000 client workstations per server. It features a local cache and is managed by McAfee® ePolicy Orchestrator® (McAfee ePO™) software. McAfee GTI Proxy is a free download for licensed McAfee VirusScan Enterprise software customers (http://www.mcafee.com/us/downloads/). Consider using McAfee GTI Proxy if you do not permit direct DNS (UDP) queries from endpoints in your network.

Best Practices for Managing McAfee GTI File Reputation Service in McAfee VirusScan Enterprise Software

Sensitivity settings

There are five sensitivity settings for McAfee VirusScan Enterprise software:

• Very Low
• Low
• Medium
• High
• Very High

The setting can be managed via McAfee ePO software for all workstations and servers. Sensitivity settings govern two things:

• What is queried—Selection criteria for whether a file is deemed suspicious and should be queried are the same for the Very Low and Low settings. An extended selection criterion is used for Medium, High, and Very High. Thus, the number of files that might be queried would be more for Medium, High, and Very High settings. PDF files are queried only when downloaded from a website or as an email attachment when the sensitivity setting is at Medium. As stated earlier, even at Very High, the number of queries made should have minimal impact on network bandwidth.
• Whether the response indicates a malware detection—The response indicates the level of certainty that McAfee has in the malicious nature of the file. Thus, a response with absolute certainty would trigger as a malware detection at any sensitivity setting, but a near certain reputation score would trigger as a detection for the Low settings and above, but not for Very Low.
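Because the queries travel over DNS, resolver logs let an administrator verify that the per-machine query rates quoted above hold in practice and spot two operational problems: a host querying far above its sensitivity band (a possible mass infection or a misconfigured scan) and a host that never queries at all (DNS/UDP egress blocked, the case where McAfee GTI Proxy is suggested). The script below is an added example, not McAfee code; it assumes a constructed log format of "<date> <client_ip> <qname>" and uses a placeholder lookup domain, since the guide does not name the real one.

```python
from collections import defaultdict

# Placeholder suffix: the guide does not name the GTI lookup domain.
GTI_SUFFIX = ".gti.example.invalid"

# Average queries per machine per day stated in the guide, by sensitivity.
EXPECTED_PER_DAY = {
    "very low": (10, 15), "low": (10, 15),
    "medium": (40, 50), "high": (40, 50), "very high": (40, 50),
}

def parse_line(line):
    """Parse '<date> <client_ip> <qname>'; return None unless it is a GTI query."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].lower().endswith(GTI_SUFFIX):
        return None
    return parts[0], parts[1], parts[2]

def count_queries(lines):
    """Count GTI queries per (date, client_ip)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec[0], rec[1])] += 1
    return dict(counts)

def review(counts, endpoints, date, sensitivity, factor=3):
    """Flag hosts far above the expected band and hosts that never queried."""
    _, high = EXPECTED_PER_DAY[sensitivity.lower()]
    findings = []
    for host in sorted(endpoints):
        n = counts.get((date, host), 0)
        if n > factor * high:
            findings.append((host, n, "above expected rate: check for infection or scan misconfiguration"))
        elif n == 0:
            findings.append((host, 0, "no GTI queries: DNS/UDP egress may be blocked; consider McAfee GTI Proxy"))
    return findings

# Constructed sample log: one normal host, one noisy host, one silent host.
SAMPLE_LOG = (
    ["2012-08-01 10.0.0.5 h%03d%s" % (i, GTI_SUFFIX) for i in range(12)]
    + ["2012-08-01 10.0.0.6 h%03d%s" % (i, GTI_SUFFIX) for i in range(200)]
    + ["2012-08-01 10.0.0.5 www.example.com"]  # unrelated query, ignored
)
ENDPOINTS = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}

if __name__ == "__main__":
    for finding in review(count_queries(SAMPLE_LOG), ENDPOINTS, "2012-08-01", "Low"):
        print(finding)
```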

The table below provides recommended settings based on specific endpoint configurations:

Configuration Level   When to Use
Very Low              For desktops and servers with restricted user rights and strong security footprint
Low                   Minimum recommendation for laptops or desktops and servers with strong security footprint
Medium                Minimum recommendation for laptops or desktops and servers
High                  For deployment to systems or areas which are regularly infected
Very High             In email and on-demand scans on non-operating system volumes

It is strongly recommended that the McAfee GTI File Reputation service sensitivity level be set to Medium. This setting permits a strong level of detection of suspicious files while minimizing any potential false positives.

False positives

The historic false positive rate that McAfee has recorded for McAfee GTI File Reputation service is 0.00001 percent. For McAfee Platinum Support customers, McAfee also offers a free service called McAfee GetClean. This service allows you to have your trusted applications whitelisted in the McAfee cloud. Contact your McAfee Platinum Support representative for assistance with the McAfee GetClean program.

Rolling out McAfee GTI File Reputation service

As with any technology that you are beginning to use for the first time, testing and validation can help you and other managers make the right decisions about sensitivity settings.

Running reports to show McAfee GTI File Reputation detections versus .DAT detections

It is possible to run reports in McAfee ePO software that compare McAfee GTI File Reputation service detections to standard detections from .DATs. Generally, customers report an increase in accurate detections of between 10 percent and 30 percent, but the reports will demonstrate the effectiveness in your own network. Contact your McAfee Sales Engineer to create these reports.

Phased approach

McAfee suggests that you start with the default sensitivity setting of Low. Monitor the reports for four to six weeks and note any false positive cases from your user base. Then, turn the sensitivity up to Medium, at least for a selected group of workstations and servers in your network, for another four to six weeks. Once again, monitor the daily, weekly, or monthly reports and dashboards and any false positive cases from your user base.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com

2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

McAfee, the McAfee logo, ePolicy Orchestrator, McAfee Global Threat Intelligence, McAfee ePO, McAfee GTI, and McAfee VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 48302wp_gti-best-practices_0812_kg