MCAFEE ATD: Sandbox stays at STATUS BAD

We just had a case where a McAfee ATD-3000 sandbox was stuck at status BAD.

A person had submitted a file for analysis with XVIEW (look into the sandbox) and shut down the W7 VM after that analysis.

NO > Rebuilding the VMs did not solve it

NO > Rebooting the sandbox did not solve it

Log on to the sandbox with SSH on port 2222 (not 22), as cliadmin:

CLI: reboot active

Log on to the sandbox again with SSH on port 2222 (not 22), as cliadmin:

CLI: removeSampleInWaiting

After this the file in the queue which may have generated the error disappeared and the status went back to "GOOD".

Found in the documentation file: ATD_3.6.2_Product_Guide_revA.pdf

Switzerland: Embedded WinWord OLE Ransomware active around Switzerland 26.10.2016

 


Files: Abrechnung_XXXX.DOCX,

Format: Microsoft WinWord 2007

MALWARE: LNK/Agent.A5E3!tr.dldr

 

The following WinWord document with an embedded OLE object gets through most of the Fortigate/McAfee/Trend spam filters, firewalls, IPS, TIE and sandboxes. Most online scanners do not detect it.

Microsoft describes this here:

https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/
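For triage on the defender side, the following is an added example (not code from the original post and not a McAfee, Fortinet or Microsoft tool) that inspects a .docx for exactly this kind of embedded OLE object. A .docx is a ZIP container; embedded payloads are stored under word/embeddings/ and referenced from word/document.xml by <o:OLEObject> elements, where the ProgID "Package" means an arbitrary embedded file such as a LNK or EXE. The script lists those parts, classifies them by magic bytes, hashes them so they can be compared with the report values on this page, and returns a verdict. The sample document it builds is constructed test data (an LNK header followed by zero filler), not the real Abrechnung_XXXX.docx; all function names are the example's own.

```python
"""Triage a .docx for embedded OLE objects (added example, not from the original post).

A .docx is a ZIP container. Embedded OLE payloads sit under word/embeddings/
and are referenced from word/document.xml by <o:OLEObject> elements whose
ProgID says what kind of object it is ("Package" means an arbitrary embedded
file such as a LNK or EXE). This script lists those parts, classifies them by
magic bytes, hashes them for lookup, and flags the document as suspicious.
"""
import hashlib
import io
import re
import zipfile

# Magic bytes of the container types commonly found as embeddings.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file",
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
    b"MZ": "PE executable",
}
OLE_TAG = re.compile(rb"<o:OLEObject\b[^>]*>")
PROGID = re.compile(rb'ProgID="([^"]+)"')
RISKY_TYPES = ("Windows shortcut (LNK)", "PE executable")


def classify(blob: bytes) -> str:
    """Name the embedded part by its leading magic bytes."""
    for magic, name in SIGNATURES.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def inspect_docx(data: bytes) -> dict:
    """Return embedded parts (type, size, hashes), OLEObject ProgIDs and a verdict."""
    findings = {"embeddings": [], "ole_progids": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("word/embeddings/"):
                blob = zf.read(name)
                findings["embeddings"].append({
                    "part": name,
                    "type": classify(blob),
                    "size": len(blob),
                    "md5": hashlib.md5(blob).hexdigest().upper(),
                    "sha256": hashlib.sha256(blob).hexdigest().upper(),
                })
        if "word/document.xml" in names:
            for tag in OLE_TAG.findall(zf.read("word/document.xml")):
                m = PROGID.search(tag)
                findings["ole_progids"].append(m.group(1).decode() if m else "?")
    # A LNK/EXE embedding, or a "Package" object (arbitrary embedded file), is
    # the pattern described above; anything else still deserves a manual look.
    findings["suspicious"] = (
        any(e["type"] in RISKY_TYPES for e in findings["embeddings"])
        or "Package" in findings["ole_progids"]
    )
    return findings


def build_sample_docx(with_embedding: bool = True) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not the real sample).

    With with_embedding=True it carries one "Package" object whose payload starts
    with the LNK header; with False it is a plain document with no embeddings.
    """
    obj = (b'<w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
           b'DrawAspect="Icon" ObjectID="_1" r:id="rId4"/></w:object></w:r>'
           if with_embedding else b"")
    document_xml = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        b'xmlns:o="urn:schemas-microsoft-com:office:office" '
        b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        b"<w:body><w:p>" + obj + b"</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", document_xml)
        if with_embedding:
            # Fake payload: LNK header followed by zero filler (no real shortcut data).
            payload = b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 56
            zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    print(json.dumps(inspect_docx(data), indent=2))
```

Run it with a path to a .docx to get the findings as JSON, or without arguments to see the result on the constructed sample. In real attachments of this type the embedding is often an OLE2 compound file that wraps the LNK (ProgID "Package"), which is why the verdict also keys on the ProgID and not only on the payload's magic bytes.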

26.10.2016, 14:00

This is how the WinWord document looks:

If you click:

You MAY have to click again….. ;-)

 

 

McAfee ATD sandbox did not detect anything, 15:38, 26.10.2016

Summary

Threat Level: Informational

File Name: Abrechnung_129.docx

MD5 Hash Identifier: B147662DDFDAE09D7BECD016CB3C6801

SHA-1 Hash Identifier: 451157E2807E4E0E511BAFF1BACB4B6659219A4F

SHA-256 Hash Identifier: 0EDE5F8D769B2E8F16793ACB90FD61BC88AB400AC0A5CB54B66E481EA63F96CD

File Size: 39750 bytes

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

File Submitted: 2016-10-26 14:42:33

Duration: 45 seconds

Sandbox Replication: 39 seconds

 

 

 

Some others in that direction:

After running the OLE object it does hit on the sandbox.

On most commercial sandboxes you have to activate the OLE object manually…

Sites it connects to:

URL                  Port  Reputation  Category Name  Risk Group  Functional Group
198.20.239.21        80    Clean       ---            ---         ---
37VIRGINIASLIM.TOP   80    Failed      ---            ---         ---
46.101.10.156        80    Failed      ---            ---         ---
WPAD                 80    Failed      ---            ---         ---

 

It only uses CALC.EXE on the "sandbox systems", since these are in an old state and thus deliberately not patched. Or it is a newly discovered 0-day for calc.exe on real machines.

File download with PowerShell:

 

Fortigate takes business seriously and reported back to us around 1.5 hours after the sample was submitted.

 

 

Around 18:XX on Wednesday

Thank you for submitting your sample to Fortinet. The sample "___Abrechnung_129.docx" with MD5:b147662ddfdae09d7becd016cb3c6801 should already be detected as LNK/Agent.A5E3!tr.dldr

This signature was released in AVDB v40.307 on October 26th, 2016 at 10AM PST

 

If for any reason you believe that the file is still not being detected, please let us know.

 

We have escalated this sample to our Fortisandbox team and we will conduct further investigation as to the nature of Fortisandbox missing this sample.

 

Regards,

 

 

 

 

Backup: Acronis Backup 12 twice as fast as Veeam 9.X

This could be an alternative if you don't like the Veeam suite and you have a large number of physical servers where you already have Acronis in place.

Neither pricing nor any other smaller things will turn around a market in which Veeam gained almost 70% during the last few years.

https://www.acronis.cz/wp-content/uploads/2016/07/Acronis-Backup-12-vs-Veaam-Availability-Suite-9-NTL-Summary.pdf

http://www.networktestinglabs.com/Acronis-Backup-vs-Veeam.html

http://www.lanline.de/acronis-backup-12-ermoglicht-restores-sekunden-html/

https://www.youtube.com/watch?v=q8oBGdhHJM8

 

Source: Acronis-Backup-12-vs-Veaam-Availability-Suite-9-NTL-Summary.pdf

 

Gartner 06/2016: Acronis is not on it, but as a newcomer…

http://www.netcomplex.pl/zdjecia/ak/79/gartner-reprint-backup-06_201606141436.pdf

 

 

 

MCAFEE: TIE Threat Exchange 2.0 first look

We were eagerly waiting for the TIE 2.X update because we think you should not use 1.3 in an enterprise with a lot of new files daily. You simply could not manage it well with the reports and dashboard they had in 1.3.

We have heard the same from McAfee internals. And for a product in that price range nobody seemed to understand how this was pushed out. We are just talking about the queries, filters and the interface, not the product itself, which has worked. Well, let's be fair: with the ransomware peak and enterprises struggling for a solution, AND also Intel/McAfee/investor sales, the reason is somehow clear too. Companies wanted a solution quick and NOW!

TIE Server:

Version on TIE Server after upgrade

EPP products and the new TIE release

 

Short report from our first integration of TIE 2.0

The update went well and is described in the PDF:

  • Check that you have Framework 5.0.3 on the clients
  • Check that you have DXL 2.0
  • Make a VMware snapshot of everything before you begin (make an EPO snapshot also), make a SQL dump!
  • Don't forget to DEFRAG the PostgreSQL DB as mentioned in the documentation (log on as root via SSH and then run the command fully in one string) *2
  • There are colours and GREEN/RED buttons now, as we wanted ;-) [Intel Security Ideas Forum: TIE: Want to see in EPO at once if a Executable will RUN flag in GREEN or RED ] Thank you guys!
  • You can SORT and see on the first TIE page the LOCAL reputation and whether it will run or not
  • You can sort better and have more fields to select

   

*2 Defrag of PostgreSQL

 

 

One bug found, and NO, I am not going to OPEN a ticket and upload a MER for you lazy Tier 1. Call us if you want the info ;-) And yes, send FREE TOTAL PROTECTION to us for the BUGS we report to you….

BUG: In the DASHBOARD, if you select "Composite Reputation" as an additional field you get this error. Maybe CACHE related, but then please advise in the UPGRADE documentation.

   

ERROR: Error Message: com.mcafee.orion.core.template.db.exception.ExecuteTransactionException: ERROR: missing FROM-clause entry for table "file_rep_enterprise" Position: 198

Not sure if this is in any way related to an old problem we had based on an older SQL version:

 Butsch.ch | Mcafee EPO: Error after TIE integration on EPO 5.3 in VSE Report

    

Sample from TIE 2.0

This post was cross posted on MCAFEE Forum:

https://community.mcafee.com/message/421674#421674

Check TIE in general if you don't know what it does:

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

 

Mcafee: Endpoint Migration Assistant Shows NULL shortly after upgrade to EPO 5.3.X


There is a knowledgebase article which describes a cache bug after you update EPO 5.1 to 5.3.x. The same bug applies if you check in Endpoint 10.2 and want to migrate the policies. Clear everything in the Internet Explorer 11 cache and it will display correctly after that.

https://kc.mcafee.com/corporate/index?page=content&id=KB77920

https://community.mcafee.com/message/419967#419967