Cisco and McAfee decide users just can't be trusted not to click on dodgy attachments

brambedkar59

Apr 16, 2017
Cisco's adding McAfee's Advanced Threat Defense to platforms supported by its Email Security Appliance platform.

The alliance is designed to make integration between the two systems easy – the Advanced Threat Defense (ATD) e-mail connector is a single checkbox in the McAfee UI, plus selecting permitted hosts and the file extension types that should be scanned.

If the Email Security Appliance (ESA) spots an incoming e-mail with an attachment it doesn't recognise, it'll forward the message to the McAfee ATD system. ATD then checks the attachment against known signatures, and if it comes up blank, it will run the attachment in a sandbox.
 

ForgottenSeer 58943

We deploy Trend HES which has been doing this for a couple of years now. McAfee's Email filter has gone legacy, it was a failed business model so now they are trying to shop out their API for sandboxing, etc.

Intel Security will discontinue McAfee SaaS products

We set up our corporate clients with HES using a 4 policy system for guarding attachments:

First policy checks for attachments allow/deny rules. For example by default we block DOCM, WSF, etc. Attachments w/passwords are blocked, etc.
Second policy we use is to check for 'traits' that are malicious - quarantine attachments that match. (file size, other traits)
Third policy checks for malware/viruses/scripts in signature based scanning.
Fourth policy tosses it into a sandbox and evaluates behavior. This adds a 5 minute to 30 minute delay to emails with attachments.

Using a 4 policy method, we've only seen a couple of malicious attachments in 3 years make it past to the thousands of endpoints we manage. False positives are kept really low because of the tailored rules.
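The four-policy flow described in the post above, sketched as an added example (not code from the poster, Trend HES or McAfee ATD): each attachment stops at the first policy that matches, and only what passes the first three is held for the sandbox. The function names, the size cap, the document-extension list, the PE-header trait and the hash set are assumptions made for illustration; only DOCM, WSF and password-protected attachments come from the post.

```python
import hashlib
import io
import zipfile

# Assumed values for illustration; the post names only DOCM and WSF.
BLOCKED_EXT = {"docm", "wsf"}
MAX_SIZE = 10 * 1024 * 1024  # assumed size trait
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx"}
# Constructed stand-in for a signature feed.
KNOWN_BAD = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}


def is_encrypted_zip(data):
    """True if any ZIP member has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except (zipfile.BadZipFile, ValueError, OSError):
        return False  # not a readable ZIP; later policies still apply


def triage(filename, data):
    """Return (action, policy) from the first policy that matches."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Policy 1: allow/deny rules, including password-protected archives.
    if ext in BLOCKED_EXT or is_encrypted_zip(data):
        return ("block", 1)
    # Policy 2: traits. Oversized file, or a PE header behind a document name.
    if len(data) > MAX_SIZE or (ext in DOC_EXT and data[:2] == b"MZ"):
        return ("quarantine", 2)
    # Policy 3: signature match against known-bad hashes.
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD:
        return ("quarantine", 3)
    # Policy 4: nothing matched, so hold the mail for sandbox detonation.
    return ("sandbox", 4)


if __name__ == "__main__":
    # Constructed sample attachments, one per policy.
    samples = [
        ("report.DOCM", b"PK\x03\x04 constructed macro document"),
        ("invoice.pdf", b"MZ\x90\x00 constructed PE stub"),
        ("notes.txt", b"constructed-known-bad-sample"),
        ("minutes.pdf", b"%PDF-1.7 constructed"),
    ]
    for name, blob in samples:
        print(name, triage(name, blob))
```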
 