FIELD GUIDE TO SETTING UP POC'S
Michael Lawson
McAfee | 2821 Mission College Blvd, Santa Clara, CA 95054
Source: community.mcafee.com
Contents
Purpose 2
Planning 2
Deployment Options 2
Requirements 3
Checklist for Current Solution(s) 3
Checklist for ATD Setup 3
Setup and Installation of ATD 3
Quick Start 4
IP Configuration 4
Access the McAfee Advanced Threat Defense Web Application 6
Update ATD to Current Version 7
Analyzer Virtual Machines 11
  Use of Pre-Built Images 11
  Custom Image Guidelines 12
  Virtual Machine Validation Process 12
  Post Image Creation Checklist 13
  Upload Image to ATD 14
  Convert the Image 14
VM Profile Creation 17
Analyzer Profile Creation 22
Configure McAfee Network Security Manager Integration 23
Configure McAfee Web Gateway Integration 26
  Create Analyzer Profiles for Network Solutions to Use 27
Configure McAfee Integration with McAfee® ePolicy Orchestrator® 29
Final Validation 29
Appendix 31
  Network Ports Outgoing 31
  Network Ports Incoming 32
  Windows XP SP3 Pre-Built Image Import and Preparation Guide 32
  Windows Server 2008 Pre-Built Image Import and Preparation Guide 47
  Windows 7 Pre-Built Image Import and Preparation Guide 66
Purpose
This guide is intended to assist Sales Engineers with the setup, configuration, and deployment of MATD. Prior to starting a MATD evaluation it is important to determine the scope, length and the customer's expectations.
Planning
The setup and configuration of ATD does require some time to complete all the tasks. It is recommended that at least 4 hours is allocated for the completion of all the tasks in this guide. One of the largest consumers of time in this guide is the building of virtual machines for use as sandboxes or virtual analyzers in ATD. It is recommended that the VMs are built as pre-work prior to arriving on site. It is also recommended that the integrated solutions be deployed, configured, and validated prior to installing ATD.
Deployment Options
There are three main deployment scenarios: Standalone, Integration with Network Security Platform, and Integration with Web Gateway. Additionally, integration with ePO can be added for a more comprehensive solution.
Standalone deployment
This is the simplest way of deploying McAfee Advanced Threat Defense. In this case, it is not integrated with other
externally installed McAfee products. You manually submit the suspicious files using the McAfee Advanced Threat
Defense web application. You can deploy McAfee Advanced Threat Defense as a standalone box with just the minimum
required network connectivity. Therefore, this deployment is typically used to analyze suspicious files in an isolated
network segment. This deployment is also used during the testing and evaluation phase and to fine tune the
configuration.
Integration with Network Security Platform
This involves integrating McAfee Advanced Threat Defense with the Network Security Platform Sensor and Manager. Based on how you have configured this feature, an inline Sensor detects a file download and sends a copy of the file to McAfee Advanced Threat Defense for analysis. If McAfee Advanced Threat Defense detects malware in real time, the Sensor blocks the download. If McAfee Advanced Threat Defense requires more time for analysis, the Sensor allows the file to be downloaded. If McAfee Advanced Threat Defense detects malware after the file has been downloaded, it informs Network Security Platform and you can use the Sensor to quarantine and remediate the host immediately. Whenever McAfee Advanced Threat Defense identifies malware, it updates Network Security Platform, so that the next time the same file is downloaded, the Sensor blocks it. Additionally, NSP can be configured for SPAN port operation. In this mode no files are blocked; they are just sent to ATD for analysis.
Integration with McAfee® Web Gateway
When a user downloads a file, McAfee® Web Gateway sends a copy of the file to McAfee Advanced Threat Defense for analysis. The download is allowed or denied based on the findings by McAfee Advanced Threat Defense. Web Gateway can be configured for SPAN port operation during evaluations. In this configuration no files would be blocked; they would just be sent to ATD for analysis. The two modes are:
- In-line (blocking): wait for results from ATD.
- Transparent: submit to ATD but do not wait for results from ATD (never block based on ATD results).
Integration with McAfee® ePolicy Orchestrator®
McAfee Advanced Threat Defense retrieves the information regarding the target host of the file download. Knowing the operating system on the target host enables it to create the exact sandbox environment to dynamically analyze the file. Dynamic analysis requires the suspicious file to be executed for a specific time period. During this time, the malware is likely to have reached the intended target. McAfee Advanced Threat Defense uses this integration to clean up the affected host.
This integration also enables you to identify the other hosts infected by the same malware and take remedial steps.
Requirements
What is required for a MATD evaluation? The customer must currently have, or be evaluating, one of the two solutions below prior to evaluating MATD. Essentially MATD needs one of the gateway solutions to feed samples to it.
Required (at least one):
- McAfee Web Gateway (MWG) Version
- McAfee Network Security Platform (IPS) Version 7.5
- MATD 3000 or 6000 appliance
Optional:
- ePO
- Real-time ePO (Real-time Command)
Checklist for Current Solution(s)
Current Solution            Version Required   Customer Version   Verified By
Advanced Threat Defense     3.0.4.55.37306
McAfee Web Gateway          7.4
Network Security Manager    8.0.5.9
IPS Sensor                  8.0.3.13
ePO                         5.0
Checklist for ATD Setup
Requirement                              Yes   No   Verified By
1U (3000) or 2U (6000)
Management network connection
Network sensor network connection
Power: dual 750W PS
PuTTY or SSH client
FTP client
KVM in datacenter (optional)
Analyzer VM or VM(s)
Setup and Installation of ATD
Most of the ATD configuration can be completed prior to arriving on site. Completing the following items beforehand helps ensure a successful evaluation:
- Verify the appliance is functional
- Set IP address
- Set gateway
- Set DNS / proxy
- Set UI timeout
- Import and creation of Analyzer Profiles
- Adjust the default admin account
- Create user accounts
- Create VM Profile
- Create Analyzer Profiles
Quick Start
Please use the Quick Start Guide included in the box for the rack and power guidelines. Please note that the network interface cable should be plugged into port
IP Configuration
Once the appliance has been racked and powered on, it is recommended to use a KVM (keyboard and monitor) to set the name and IP configuration. However, a serial cable option is available.
1. Log in to ATD
   Using a KVM or serial cable, at the logon prompt log on to the McAfee Advanced Threat Defense Appliance using the default credentials:
   - Username: atdadmin
   - Password: atdadmin
2. Serial cable settings
   - Baud rate: 115200
   - Number of bits: 8
   - Parity: None
   - Stop bits: 1
   - Flow control: None
3. Set Appliance Name
   At the prompt, type set appliance name <Name> to set the name of the McAfee Advanced Threat Defense Appliance. Type the value between the <> characters, excluding the <> characters themselves. Example: set appliance name appliance_1. The appliance name can be an alphanumeric string of up to 25 characters. It must begin with a letter and can include hyphens, underscores and periods, but not spaces.
4. Set IP and Subnet Mask
   Type set appliance ip A.B.C.D E.F.G.H to set the management port IP address and subnet mask of the McAfee Advanced Threat Defense Appliance. Specify a 32-bit address written as four eight-bit numbers separated by periods, as in <A.B.C.D>, where A, B, C and D are each an eight-bit number between 0 and 255. <E.F.G.H> represents the subnet mask. Example: set appliance ip 192.34.2.8 255.255.255.0
   Note: Setting the IP address for the first time during the initial configuration of the McAfee Advanced Threat Defense Appliance does not require a reboot. Subsequent changes to the IP address, however, require a reboot for the change to take effect.
5. Set the Default Gateway
   Note: This has to be done for ATD to have internet access.
   Set the address of the default gateway: set appliance gateway <A.B.C.D>. Use the same address convention as for the set appliance ip command. Example: set appliance gateway 192.34.2.1
6. Port Speed and Duplex
   Set the port speed and duplex settings for the management port using one of the following commands:
   - set mgmtport auto: sets the management port to auto mode for speed and duplex.
   - set mgmtport speed (10|100) duplex (full|half): sets the speed to 10 or 100 Mbps at full or half duplex.
7. Verify Configuration and Connectivity
   To verify the configuration, type show. This displays the current configuration details. To check network connectivity, ping other network hosts. At the prompt, type: ping <IP address>. The success message "host <ip address> is alive" appears. If the host is not reachable, "failed to talk to <ip address>" appears.
8. Check Software Version
   Type show at the command prompt. Verify that the Software, Active, and Backup versions are the same. If not, type copyto backup. This copies the Active version to the backup version.
9. Change UI Timeout
   The default UI timeout is set very low. It is recommended that this is increased during setup to allow extra time for configuration:
   SET_UI_TIMEOUT 3600
10. Change Password
   You can change the McAfee Advanced Threat Defense Appliance password by using the passwd command. A password must be between 8 and 25 characters, is case-sensitive, and can consist of any alphanumeric character or symbol. McAfee strongly recommends that you choose a password with a combination of characters that is easy for you to remember but difficult for someone else to guess.
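The name, IP, mask and gateway rules from the steps above can be checked before the console session, so the values are right the first time and no IP change (and reboot) is needed later. This is an added example for this guide, not McAfee code and not part of the appliance CLI; the function names are ours, and the contiguous-mask and gateway-on-the-management-subnet checks go beyond what the guide states.

```python
"""Pre-flight checks for the values typed at the ATD console (added example)."""
import ipaddress
import re

# Guide rule: up to 25 alphanumeric characters, must start with a letter,
# may contain hyphens, underscores and periods, no spaces.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,24}$")


def check_appliance_name(name):
    return bool(NAME_RE.match(name))


def check_dotted_quad(value):
    """Four eight-bit numbers (0-255) separated by periods, as the guide requires."""
    parts = value.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)


def check_subnet_mask(mask):
    """Added sanity check (not stated in the guide): a usable mask is a run of
    1 bits followed by 0 bits, e.g. 255.255.255.0, and is neither all-0 nor all-1."""
    if not check_dotted_quad(mask):
        return False
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF
    return 0 < bits < 0xFFFFFFFF and inverted & (inverted + 1) == 0


def build_commands(name, ip, mask, gateway):
    """Validate all four values and return the exact CLI lines from the guide.
    Raises ValueError listing every problem found."""
    problems = []
    if not check_appliance_name(name):
        problems.append(f"bad appliance name {name!r}")
    if not check_dotted_quad(ip):
        problems.append(f"bad IP address {ip!r}")
    if not check_subnet_mask(mask):
        problems.append(f"bad subnet mask {mask!r}")
    if not check_dotted_quad(gateway):
        problems.append(f"bad gateway {gateway!r}")
    if not problems:
        # Added check: the gateway must be a different host on the management
        # subnet, otherwise the appliance has no route out. The guide's example
        # is 192.34.2.8 / 255.255.255.0 with gateway 192.34.2.1.
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        if ipaddress.IPv4Address(gateway) not in net or gateway == ip:
            problems.append(f"gateway {gateway} is not a separate host on {net}")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"set appliance name {name}",
        f"set appliance ip {ip} {mask}",
        f"set appliance gateway {gateway}",
    ]


if __name__ == "__main__":
    # Values from the guide's own examples.
    for line in build_commands("appliance_1", "192.34.2.8", "255.255.255.0", "192.34.2.1"):
        print(line)
```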
Access the McAfee Advanced Threat Defense Web Application
1. From a client machine, open a session using one of the supported browsers. Use the following URL to access the McAfee Advanced Threat Defense web application:
   http://<McAfee Advanced Threat Defense Appliance host name or IP address>
2. Log in using the default values:
   - User name: admin
   - Password: admin
   - Domain: Local
3. In the Dashboard, check the System Health and System Information monitors to verify the installation and performance.
4. Under Manage | DNS Setting, enter your Domain, Preferred DNS Server and Alternate DNS Server.
   Note: This gives the VMs internet access during the profile creation process to allow for activating Windows.
5. Under Manage | Date and Time Setting:
   A. Enable Network Time Protocol
   B. Enter the NTP server name and Submit
   C. Check the Date and Time settings
   D. Select the Time-zone setting and Submit
Update ATD to Current Version
McAfee is always working to make product improvements; ensure you are using the most up-to-date version of the software.
1. Download the software from https://secure.mcafee.com/apps/downloads/my-products/login.aspx
2. Enter your Grant Number.
3. Select the correct ATD appliance.
4. Select MATA-3000.
5. Click 'I Agree'.
6. Click to download the most current release (MATDFILENAME.MSU).
7. Log into ATD using the default credentials: U: admin, P: admin.
8. Navigate to Manage | Software Management.
9. Navigate to the location you downloaded the update to. Select the file and click Open.
10. Select Import.
    Note: The file path displayed is incorrect and will be fixed in a future release.
    Warning: Do not select Reset Database. This will remove all customer data and reset the appliance close to manufacturer defaults.
11. The progress bar is displayed.
12. Once the update has been applied, click OK and wait 2 minutes for the web server to be restarted.
13. Once the web server is restarted, log in; the Version should now be updated.
14. Amplifying instructions or release-specific guidance is available in the release notes and product guide.
Analyzer Virtual Machines
For dynamic analysis, McAfee Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its behavior for malicious activities. This virtual machine is referred to as an Analyzer VM. The next steps cover the process for either creating an Analyzer VM or using a pre-built Analyzer VM.
Use of Pre-Built Images
McAfee has provided pre-built images. The instructions for using these images are located at the end of this guide. The images can be downloaded from https://sft.mcafee.com/jonpaterson
Custom Image Guidelines
Guidelines for building a custom image are available from McAfee.
1. Format: VMware VMDK is the only supported format.
2. Supported operating systems:
   - Android 2.3
   - Microsoft Windows XP Service Pack 2
   - Microsoft Windows XP Service Pack 3
   - Microsoft Windows Server 2003 Service Pack 1
   - Microsoft Windows Server 2003 Service Pack 2
   - Microsoft Windows Server 2008 64-bit Service Pack 1
   - Microsoft Windows 7 32-bit Service Pack 1
   - Microsoft Windows 7 64-bit Service Pack 1
3. Memory: 1024 (need further guidance)
4. CPU: 1 (need further guidance)
5. Hard drive:
   - Must be IDE
   - Maximum disk sizes: Windows 7 64-bit, 14 GB; Windows 7 32-bit, 12 GB; Windows XP, 5 GB.
6. Applications:
   a) Microsoft Office 2003, 2007, 2012. If installing an older version of Microsoft Office, it is recommended that the compatibility pack is installed in order to analyze the newer formats of Word, Excel, and PowerPoint (go to http://www.microsoft.com/en-us/download/details.aspx?id=3 and download the required pack).
   b) PDF viewer. Adobe Reader is the most tested, but any PDF viewer is acceptable.
   c) Java
7. Security tools: Any security software or low-level utility tool on an analyzer VM might interfere with the dynamic analysis of the sample file. The sample-file execution might itself be terminated during dynamic analysis. As a result, the reports might not capture the full behavior of the sample file.
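Two of the guidelines above (IDE adapter, per-OS maximum disk size) can be read straight from the VMDK descriptor before the multi-gigabyte upload and the conversion, which fails on a wrong image. The following checker is an added example for this guide, not McAfee tooling; it assumes the descriptor text is either a stand-alone split-disk descriptor file or embedded in the first 64 KiB of a monolithic sparse VMDK, treats the guide's "GB" as binary gigabytes (what VMware Workstation displays), and the OS keys and sample descriptors are constructed here.

```python
"""Check a VMDK descriptor against the analyzer-image guidelines (added example)."""
import re

SECTOR_BYTES = 512
GIB = 1024 ** 3  # VMware reports virtual disk sizes in binary gigabytes

# Limits from the guide; the OS keys are names chosen for this example.
MAX_DISK_GIB = {"win7_64": 14, "win7_32": 12, "winxp": 5}

# Extent lines look like:  RW 25165824 SPARSE "win7_32.vmdk"  (size in sectors)
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+(\d+)\s+\w+', re.M)
ADAPTER_RE = re.compile(r'^ddb\.adapterType\s*=\s*"([^"]+)"', re.M)


def read_descriptor(path):
    """Return the descriptor text of a .vmdk file. A split-disk descriptor is a
    plain text file; a monolithic sparse VMDK embeds the same text near the start
    of the binary file (assumption: within the first 64 KiB), so scan for it."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024).decode("latin-1")
    start = head.find("# Disk DescriptorFile")
    if start < 0:
        raise ValueError(f"{path}: no VMDK descriptor found")
    end = head.find("\x00", start)
    return head[start:] if end < 0 else head[start:end]


def total_sectors(descriptor):
    """Sum the extent sizes; split (2 GB max extent) disks have several lines."""
    sectors = [int(m.group(1)) for m in EXTENT_RE.finditer(descriptor)]
    if not sectors:
        raise ValueError("descriptor has no extent lines")
    return sum(sectors)


def disk_size_gib(descriptor):
    return total_sectors(descriptor) * SECTOR_BYTES / GIB


def adapter_type(descriptor):
    m = ADAPTER_RE.search(descriptor)
    return m.group(1).lower() if m else None


def check_image(descriptor, os_key):
    """Return a list of guideline violations; an empty list means the image passes."""
    problems = []
    adapter = adapter_type(descriptor)
    if adapter != "ide":
        problems.append(f"adapter type is {adapter!r}, must be ide")
    size = disk_size_gib(descriptor)
    limit = MAX_DISK_GIB[os_key]
    if size > limit:
        problems.append(f"disk is {size:.2f} GiB, maximum for {os_key} is {limit} GiB")
    return problems


# Constructed sample descriptors (not real McAfee images).
GOOD_WIN7_32 = '''# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="monolithicSparse"

# Extent description
RW 25165824 SPARSE "win7_32.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "ide"
ddb.virtualHWVersion = "10"
'''

# Split into 2 GB extents, SCSI adapter, and just under 6 GiB in total.
BAD_XP = '''# Disk DescriptorFile
version=1
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "xp-s001.vmdk"
RW 4192256 SPARSE "xp-s002.vmdk"
RW 4192256 SPARSE "xp-s003.vmdk"

ddb.adapterType = "lsilogic"
'''

if __name__ == "__main__":
    for label, text, os_key in (("win7_32", GOOD_WIN7_32, "win7_32"), ("xp", BAD_XP, "winxp")):
        issues = check_image(text, os_key)
        print(label, "PASS" if not issues else "FAIL: " + "; ".join(issues))
```

Run it against the descriptor of a custom image (read_descriptor on the .vmdk) with the OS key that matches what you will pick under 'Operating System' on the Image Management page.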
Virtual Machine Validation Process
It is strongly recommended that the VMs are validated prior to uploading to ATD. This will help ensure a successful VM creation.
1. Validate the VM. Field Engineering has provided a small VM for validating Analyzer VMs. Start this VM and click the terminal icon.
2. In the terminal window type ./validate-vm.bin and enter the IP of the VM to be analyzed. Look for "6. Host verification PASS".
   Note: If the verification fails, troubleshoot the failed component.
Post Image Creation Checklist
Line  System Configuration                              Yes   No
1.    Automatic log-in enabled
2.    Administrator account password: cr@cker42
3.    FTP home directory set to C:\
4.    FTP permissions: Read, Write, List
5.    Sigcheck at C:\Windows\System32\Sigcheck.exe
6.    MergeIDE: run MergeIDE.bat
7.    Telnet service set to automatic and started
Upload Image to ATD
The image files are 5 GB to 14 GB and will take several minutes to upload. Using an FTP client with the SFTP protocol will increase the chance of a successful file transfer. The VM images can only be uploaded using the atdadmin/atdadmin (default) account.
1. Using an FTP client such as FileZilla, upload the name.vmdk to the ATD appliance. Ensure ONLY the ATDADMIN account is used for SFTP uploads. Also, only SFTP is supported.
Convert the Image
The Advanced Threat Defense appliance uses a Xen-based hypervisor, so the images need to be converted from VMware (VMDK) to Xen (img). The conversion process for Windows XP and Windows Server 2003 takes approximately 10 minutes. The conversion process for all Windows 7 and Windows Server 2008 images takes approximately 15 minutes.
1. Log on to the ATD UI at HTTP://ATDAPPLIANCE. Enter username\password.
2. The home page is displayed. Select 'Manage'.
3. The 'Manage' page is displayed. Select 'Image Management'.
4. Under 'VMDK' select the image that you just uploaded, and under 'Operating System' select the matching operating system.
   Note: If the wrong operating system is selected, ATD will attempt to convert the image using incorrect steps and the conversion will fail.
5. Verify your selection and click 'Convert'.
6. A status message is displayed. At this point the image is being converted from VMware to a Xen .img.
7. The progress bar will continue for about 3-4 minutes.
   Note: The process is not complete at that point. As previously noted, please allow 10 to 15 minutes (depending on OS type) for the conversion to complete.
8. Once the image conversion has completed, the Image Conversion Logs can be viewed by selecting the name and clicking View.
9. A pop-up window is displayed. Click the X to close.
VM Profile Creation
This process can take up to 60 minutes to complete as it requires creating and updating the Analyzer VM snapshots.
1. Navigate to Policy\VM Profile. Click New.
2. Select the image, enter a name, enter Maximum Licenses and then click Validate.
3. Click on Check Status.
4. The Image Validate Log completes. Note the Host verification PASS. Click the X to close.
5. Click Activate.
6. A Java applet will launch a VNC Viewer (ports 6000-6050). This process will start the virtual machine you have created and finalize the hardware installation process.
   Note: Ensure you have pop-up blockers disabled in your browser for this site.
7. Click Continue on the Security Warning.
8. Check "I accept and I want to run this app." Click Run on the Security Warning.
9. Windows boots up.
10. Update with the correct hardware wizard instructions.
    Note: At this time the VM has internet access. If the VM is Windows 7/Server 2008 it will require reactivation; it is recommended that the activation is completed, or the analyzer results can be impacted after the key has expired.
11. The VNC viewer will close and
12. Click Save. This will start the snapshot creation process. You have completed the VM Profile creation process.
Analyzer Profile Creation
1. Navigate to Policy\Analyzer Profile. Select New.
2. Enter the following:
   1. Name
   2. Description
   3. VM Profile
   4. Automatically Select OS
   5. Runtime Parameters
   6. Artifacts and Logging
   7. Analyze Options
   8. Save
   Note: Once this process is complete, it is recommended that you manually upload sample code to test ATD.
   Warning: If you enable Malware Internet Access, the Analyzer VM will have access to the internet and will download live malware. This could cause some unintended consequences.
Configure McAfee Network Security Manager Integration
1. Create a user in ATD for NSM. The login ID and password used here are needed when configuring ATD integration on the NSM. Role and access needed: Admin User, FTP Access, Restful Access. The default profiles selected here are used to analyze any file received from an NSP sensor.
2. Validate the NSM version: 8.0.5.9 (as of 1/16/2014).
   Note: Check with support to ensure the version is correct.
3. To enable ATD integration and configure credentials, go to the NSM Manage / Integration and select Advanced Threat Defense. This presents the pane where ATD can be enabled and configured. Check Enable.
4. Enter the ATD credentials and test the credentials (Test Connection).
5. Configure the Sensor: check Inherit Settings.
6. Define an Advanced Threat Defense policy. Select and Save. Set to Low for PoCs.
7. Deploy the policy to ports.
8. Update the Sensor with the latest policy changes. Version: 8.0.3.13 (as of 1/16/2014).
   Note: Check with support to ensure the version is correct.
9. Once changes have been deployed, Complete will be displayed.
10. If NSP has been correctly configured it will show that connectivity is made with ATD.
11. SPAN port. If using the IPS as a file aggregator on a SPAN port, the internal network ranges need to be defined.
Configure McAfee Web Gateway Integration
1. An MWG account is created by default. It is suggested that you update the password.
2. On MWG go to Policy\Add Rule Set from Library and enter "Advanced Threat Defense".
3. Update the User Account Settings; ensure that https is used for the URL.
Create Analyzer Profiles for Network Solutions to Use
1. Log into ATD and go to Policy\Analyzer Profile. Select New.
2. Enter the following:
   1. Name
   2. Select a VM Profile
   3. Check all Reports, Log, and Artifacts
   4. Check all Analyzer Options except Run All Selected
   Click Save.
3. Go to Manage\User Management, and under "Default Analyzer Profile" select the profile you just created.
Configure McAfee Integration with McAfee® ePolicy Orchestrator®
1. In ATD go to Manage\EPO Login. Enter the following: 1. Login ID 2. Password 3. IP Address 4. Port Number
2. ePO is now configured and endpoint data will sync to ATD.
Final Validation
1. In ATD browse to Analysis. Drag or browse to submit a file, select an Analyzer Profile and click Submit.
2. After a moment a confirmation dialog is displayed. Click OK.
3. Go to Analysis Status. Observe that the status is "Analyzing". Samples typically take about 1 minute to be analyzed.
4. The status will update to Completed.
5. Go to Analysis Results and you should see the sample you submitted.
6. Click on the file icon next to the name and the list of reports is shown. Select Analysis Summary.
7. The Summary report will be displayed.
8. Advanced Threat Defense configuration is now complete.
Appendix
Network Ports Outgoing
Network Ports Incoming
Service                     Port
Tiger VNC                   6000
NSM                         8505
User Interface (Browser)    443
McAfee Web Gateway          443
Network Security Manager    8050
Windows XP SP3 Pre-Built Image Import and Preparation Guide
For dynamic analysis, McAfee Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its behavior for malicious activities. This VM is referred to as an analyzer VM. This document provides the steps for importing the pre-built analyzer VM into VMware Workstation and preparing it for use in a PoC\evaluation.
Pre-Analyzer VM creation checklist:
Item                               Yes   No
VMware Workstation 9 or 10
License Key for Operating System
Office Installation Media
Note: VMware Fusion and other software hypervisors have not been tested. It is strongly recommended that only VMware Workstation is used.
1. This document covers the following zip file and MD5 hash. If your file hash doesn't match, then your results will vary.
   Note: If you don't have a Windows MD5 hash tool, here are two recommended tools: WinMD5 (http://www.winmd5.com/) and Microsoft (http://www.microsoft.com/en-us/download/details.aspx?id=11533).
   Name: WIN_XP_SP3_ADB9_JV75_FF_SYS.zip
   MD5 Hash: e1a91f89dc2900d696952b2c02c595dc
   Password: cr@cker42
2. File\Open.
3. Open the VMware configuration file.
4. Once the import is done, select "Power on this virtual machine".
5. Select "I copied it".
6. Click "Next".
7. Click "I accept this agreement" and then "Next".
8. Enter the Volume License Product Key and click "Next".
9. Click "Not right now" and click "Next".
10. Click 'Next'.
11. Enter 'cr@cker42' for the Administrator password twice and click 'Next'.
12. Select 'No, don't make this computer part of a domain' and click 'Next'.
13. Click 'Skip' on Internet Connectivity.
14. Select 'No, not at this time' to Register with Microsoft and click 'Next'.
15. Enter 'root' for the user name and click 'Next'.
16. The Windows Setup Wizard is complete; click 'Next'.
17. Windows reboots.
18. Go to Computer Management, 'Local Users and Groups', find the 'root' account and right-click to delete it.
19. Click 'Yes' to the warning and log off Windows.
20. Enter 'cr@cker42' for the password and log on.
21. Locate and open Java in the Control Panel. Select the 'Update' tab and uncheck 'Check for Updates Automatically'. Then select 'Do Not Check' in the pop-up window.
22. Click 'Apply' and then 'OK' to close Java.
23. Verify Windows updates are not enabled. Go to Control Panel\Windows Update and select 'Turn off Automatic Updates.' Click 'OK' to exit.
24. Verify the Windows Firewall is off.
25. Set Windows to automatically log on. Click Start\Run and type 'rundll32 netplwiz.dll,UsersRunDll'.
26. Uncheck "Users must enter a user name and password to use this computer" and click Apply.
27. Enter the Administrator password "cr@cker42" twice. Click OK, and click OK to exit the User Accounts screen. (It is advisable at this point to reboot in order to validate that automatic logon has been set correctly.)
28. Open Adobe Reader. Click Edit\Preferences and verify that "Check for updates" is not selected. Close Adobe Reader.
29. Open any Office application. Enter the customer's/prospect's Product Key.
30. Go to Tools\Macro\Security and ensure the setting is Low. Do this for all Office applications.
31. Accept the Sigcheck license agreement: browse to C:\Windows\System32\, locate "sigcheck.exe" and double-click it.
32. Select "Run".
33. Shut down the VM. Locate the VMDK and upload it to ATD. Use the PoC Guide for the next steps.
Windows Server 2008 Pre-Built Image Import and Preparation Guide
For dynamic analysis, McAfee Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its behavior for malicious activities. This VM is referred to as an analyzer VM. This document provides the steps for importing the pre-built analyzer VM into VMware Workstation and preparing it for use in a PoC\evaluation.
Pre-Analyzer VM creation checklist:
Item                               Yes   No
VMware Workstation 9 or 10
License Key for Operating System
Office Installation Media
Note: VMware Fusion and other software hypervisors have not been tested. It is strongly recommended that only VMware Workstation is used.
1. This document covers the following zip file and MD5 hash. If your file hash doesn't match, then your results will vary.
   Note: If you don't have a Windows MD5 hash tool, here are two recommended tools: WinMD5 (http://www.winmd5.com/) and Microsoft (http://www.microsoft.com/en-us/download/details.aspx?id=11533).
   Name: WINSVR_2K8_SP1_ADB9_JV75_FF.zip
   MD5 Hash:
   Password: cr@cker42
2. File Open.
Page 48
3. Select the VMWare Configuration File.
4. Once the import is done
select “Power on this virtual machine”
5. Select “I copied it”
Page 49
6. Windows boot screens are displayed.
7. Click next to start the
setup process.
Page 50
8. Select “Yes, I accept” and click Start.
9. Click Okay
Page 51
10. Enter “cr@cker42” in the password field twice and click the arrow to continue.
11. Click OK and Windows
boots to desktop.
Page 52
12. Click “Do not show me this console at login” and click the “X” to close.
13. Click Start and type
“netplwiz” and hit enter.
Page 53
14. Uncheck “Users must enter a user name and password to use this computer.” Click “Apply”
15.
Page 54
16. Enter “cr@cker42” in the password fields twice and click OK to exit.
17. Click ‘OK’ and Click ‘OK’ to
exit netplwiz screen. Note. Rebooting now would validate that no user credentials are required to log-in
18. Locate Java in the Control Panel and open it.
Page 55
19. Click on “Update” and ensure “Check for Updates Automatically” is unchecked. Click “Do Not Check” and Click Apply and OK.
20. Verify Windows updates
are not enabled.
Page 56
21. Ensure Windows Firewall is Off.
22. Open Adobe. Go to Edit\Preferences and ensure “Check for updates” is not checked.
23. Open any Microsoft Office application. Enter the customer\prospect’s Product Key.
24. After entering the Product Key, go to Tools\Macro\Security and ensure it is set to Low. Do this for all Office applications. Close all applications. Clean up the desktop of any shortcuts and empty the Recycle Bin.
25. Open Internet Explorer. Select Next at the prompt.
26. Select ‘No’ to default browser and click ‘Next’.
27. Select ‘Yes, turn on Suggested Sites’
28. Select “Use express settings” and click Finish.
29. Select Tools|Internet Options. Set ‘Home page’ to ‘Use blank’ and click Advanced.
30. Click Advanced and select “Allow active content to run in files on My Computer”. Click ‘Apply’ and ‘OK’.
31. Open Firefox, select ‘Don’t import anything’ and click Next.
32. Uncheck ‘Always perform this check when starting Firefox’.
33. Press the Alt key to show the menu bar and select Tools\Options.
34. Select ‘Never check for updates (not recommended: security risk)’. Uncheck ‘Search Engines’. Close Firefox.
35. Explore to C:\Tools and double-click the sigcheck shortcut. Click Agree on the License Terms.
36. Activate Windows. Click on Properties of ‘Computer’.
37. Click on ‘Change product key’.
38. Enter Product Key: and click next.
39. Wait while Windows activates.
40. Windows Activation is successful. Click close.
41. Shut down the VM. Locate the VMDK and upload it to ATD. Use the PoC Guide for the next steps.
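The guide tells you to verify the MD5 of the downloaded zip but only points at GUI tools. As an added example (not part of the McAfee guide), this PowerShell check, run on the VMware Workstation host, compares a downloaded analyzer image against the hashes the guide lists; the 2K8 hash is not printed in this copy of the guide, so it is a placeholder, and the download path is an assumption.

```powershell
# Added example (not from the McAfee guide): verify an analyzer VM zip against
# the MD5 values the guide lists before importing it into VMware Workstation.
# The Win7 hashes are the ones printed in the guide; the 2K8 hash is not in this
# copy of the guide, so it is left as a placeholder to fill in from your copy.
$Expected = @{
    'WIN7_X86_SP1_ADB9_JV75_FF.zip'   = '85be4c25048cc7ab524641abfff4b6d6'
    'WIN7_X64_SP1_ADB9_JV75_FF.zip'   = '0691e51ed6f4c3075dfcadabb71e8c41'
    'WINSVR_2K8_SP1_ADB9_JV75_FF.zip' = '<MD5 from the guide - placeholder>'
}

function Get-Md5Hex {
    param([string]$Path)
    # .NET MD5 class so this also works on PowerShell 2.0 hosts (no Get-FileHash needed).
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Test-AnalyzerZip {
    param([string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    if (-not $Expected.ContainsKey($name)) {
        Write-Warning "$name is not one of the analyzer images covered by the guide"
        return $false
    }
    if ($Expected[$name] -like '<*') {
        Write-Warning "$name : no reference MD5 recorded; fill in the hash from the guide first"
        return $false
    }
    $actual = Get-Md5Hex -Path $Path
    if ($actual -ne $Expected[$name]) {
        Write-Warning "$name : MD5 $actual does not match $($Expected[$name]); results will vary"
        return $false
    }
    Write-Host "$name : MD5 verified ($actual)"
    return $true
}

# Usage (assumed download location):
# Test-AnalyzerZip -Path 'C:\Downloads\WIN7_X86_SP1_ADB9_JV75_FF.zip'
```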
Windows 7 Pre-Built Image import and preparation guide
For dynamic analysis, McAfee Advanced Threat Defense executes a suspicious file in a secure virtual machine (VM) and monitors its behavior for malicious activities. This VM is referred to as an analyzer VM. This document provides the steps for importing the pre-built analyzer VM into VMware Workstation and preparing it for use in a PoC\evaluation.
Pre-Analyzer VM creation checklist (Yes / No):
- VMware Workstation 9 or 10
- License Key for Operating System
- Office Installation Media
Note: VMware Fusion and other software hypervisors have not been tested. It is strongly recommended that only VMware Workstation is used.
34. This document covers the following zip files and MD5 hashes. If your file hash doesn’t match, your results will vary. Note: if you don’t have a Windows MD5 hash tool, here are two recommended tools: WinMD5 (http://www.winmd5.com/) and Microsoft (http://www.microsoft.com/en-us/download/details.aspx?id=11533).
Name: WIN7_X86_SP1_ADB9_JV75_FF.zip MD5 Hash: 85be4c25048cc7ab524641abfff4b6d6 Password: cr@cker42
Name: WIN7_X64_SP1_ADB9_JV75_FF.zip MD5 Hash: 0691e51ed6f4c3075dfcadabb71e8c41 Password: cr@cker42
35. Select File | Open.
36. Open the VMware configuration file.
37. Once the import is done, select “Power on this virtual machine”.
38. Select “I copied it”.
39. Click “Next”
40. Enter “root” for the user and anything for the computer name.
41. Enter “cr@cker42” for the password and a hint.
42. Select “I accept the license terms” and click Next.
43. Select “Ask me later”. This is important: if you select anything else, Windows will start downloading updates and changing the posture of the virtual machine.
44. Enter the time.
45. Select “Work Network”
46. It is recommended (not required) to adjust the resolution to 1024 x 768 for ease of navigation.
47. Go to Computer Management. Select Users. Right-click on Administrator and select Properties. Uncheck “Account is disabled”. Click Apply and OK. Now log off.
48. Click on the Administrator account and enter “cr@cker42” to log on.
49. Go to Computer Management. Select Users and delete the user root. Click Yes to the warning.
50. Click “OK” and exit computer management.
51. Select Start\Run and type netplwiz. Uncheck “Users must enter a user name and password to use this computer”. Click Apply. (It is advisable at this point to reboot in order to validate that automatic logon has been set correctly.)
52. Enter the Administrator password “cr@cker42” twice. Click OK and click OK again to exit the netplwiz screen.
53. Open Adobe Reader. Click Edit Preferences and verify that “Check for updates” is not selected. Close Adobe Reader.
54. Locate Java in the Control Panel and open it (open Control Panel and type JAVA in the search field). Click on “Update” and ensure “Check for Updates Automatically” is unchecked. Then select “Do Not Check” at the warning. Select Apply and OK.
55. Right-click on My Computer and select Properties. Click “Change product key” and activate Windows. Enter the customer\prospect’s Windows key and activate.
56. Verify Windows updates are not enabled. Go to Control Panel\System and Security\Windows Update\Change Settings. Set the “Important updates” drop-down to “Never check for updates (not recommended)”. Uncheck “Allow all users to install updates on this computer”.
57. Open any Office application. Enter the customer\prospect’s Product Key.
58. Go to Tools\Macro\Security and ensure setting is on Low. Do this for all Office Applications.
59. Verify the Windows Firewall is disabled.
60. Open Internet Explorer. Select “Ask me later”.
61. Select “Use blank” and click on the Advanced tab at the top.
62. In Internet Explorer, click Advanced and select “Allow active content to run in files on My Computer”.
63. Open Firefox, select ‘Don’t import anything’ and click Next.
64. Uncheck ‘Always perform this check when starting Firefox’.
65. Press the Alt key to show the menu bar and select Tools\Options.
66. Select ‘Never check for updates (not recommended: security risk)’. Uncheck ‘Search Engines’. Close Firefox.
67.
68. Accept the Sigcheck license agreement: browse to C:\Tools, locate “sigcheck-shortcut” and double-click it.
69. Select “Run”.
70. Select “Agree”. Close all open windows and shut down Windows. Note: although the MergeIDE folder is not needed for these instructions, it is recommended that it is left in place to assist with troubleshooting later.
71. Shut down the VM. Locate the VMDK and upload it to ATD. Use the PoC Guide for the next steps.
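Both procedures above deliberately strip the analyzer VM of protections (automatic logon, no Windows/Java updates, firewall off, Office macro security Low) so that detonations are not blocked or altered; a missed step silently changes the results ATD reports. As an added example (not part of the McAfee guide), this PowerShell audit, run inside the prepared VM before the final shutdown, reads the registry settings those GUI steps write. The Windows registry paths are standard; the Java update policy path and the Office version list are assumptions, and the file-based Adobe Reader and Firefox preferences are not checked.

```powershell
# Added example, not part of the McAfee guide: audit the analyzer VM posture
# that the preparation steps ask for. Registry paths are the standard Windows
# ones; the Office version list and the Java policy key are assumptions.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}
function New-Check([string]$Name, [bool]$Pass) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass }   # PowerShell 2.0 friendly
}
function Test-AnalyzerPosture {
    $checks = @()
    # Automatic logon (netplwiz step): Winlogon must carry AutoAdminLogon=1 and a user name.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $autoLogon = ((Get-RegValue $wl 'AutoAdminLogon') -eq '1') -and ((Get-RegValue $wl 'DefaultUserName') -ne $null)
    $checks += New-Check 'Automatic logon configured' $autoLogon
    # Windows Update: AUOptions 1 = "Never check for updates".
    $au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $checks += New-Check 'Windows Update never checks' ((Get-RegValue $au 'AUOptions') -eq 1)
    # Windows Firewall off on every profile (a missing value counts as not verified).
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $fwOff = $true
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        if ((Get-RegValue "$fw\$p" 'EnableFirewall') -ne 0) { $fwOff = $false }
    }
    $checks += New-Check 'Windows Firewall off on all profiles' $fwOff
    # Java automatic update disabled (assumed policy key; 32-bit Java on x64 sits under Wow6432Node).
    $javaOff = $false
    foreach ($k in 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy',
                   'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy') {
        if ((Get-RegValue $k 'EnableJavaUpdate') -eq 0) { $javaOff = $true }
    }
    $checks += New-Check 'Java auto-update disabled' $javaOff
    # Office macro security "Low": Office 2003 stores Level=1, Office 2007/2010 store VBAWarnings=1 (versions assumed).
    $macro = @{ '11.0' = 'Level'; '12.0' = 'VBAWarnings'; '14.0' = 'VBAWarnings' }
    foreach ($ver in $macro.Keys) {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $sec = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (Test-Path $sec) {
                $checks += New-Check "Office $ver $app macro security Low" ((Get-RegValue $sec $macro[$ver]) -eq 1)
            }
        }
    }
    return $checks
}
Test-AnalyzerPosture | Format-Table Check, Pass -AutoSize
```

Run it as the Administrator account the VM will log on with, since the Office macro values live under that user's HKCU hive.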