
How to Guide

Revision 1.1

McAfee Advanced Threat Defense Email Connector for Cisco Email Security Appliance

Overview:
This “How to Guide” provides instructions for setting up the McAfee® Advanced Threat Defense (ATD) Email
Connector with the Cisco® Email Security Appliance (ESA). When interoperating with the ESA, the McAfee Email
Connector functions as a mail transfer agent (MTA) that scans messages containing attachments.
In this interoperation, the ESA first scans a message with its own security engines. If the ESA determines that the
message is clean and deliverable, but it still needs to be scanned by ATD, the ESA relays the message to the ATD
Email Connector for further inspection. The Email Connector receives the message from the ESA via SMTP and
scans the attachment using ATD's advanced detection capability.
Once a verdict is determined for the attachment, it is placed in an X-header of the message, and the message is
relayed back to the ESA, which then scans that header. If the verdict is clean, the message can be forwarded to the
intended recipient. If the verdict is malicious, the ESA determines further action based on the policy configured on
the appliance.

1 Configuring the Email Connector on ATD


Advanced Threat Defense Version Compatibility:
• Version 4.0
Email Security Appliance Version Compatibility:
• Version – Any currently supported release

For the purposes of this document we shall assume that a single secure email gateway (SEG) will be
used to handle both the inbound messages and the messages returned from McAfee’s Advanced Threat
Defense (ATD). It is also assumed that the administrator has basic knowledge of ATD and of Cisco’s Email
Security Appliance (ESA) SEG.

You will be required to make some configuration changes on your Cisco ESA and your McAfee ATD
Email Connector.

ATD Email Connector settings
Before ATD will accept SMTP connections from the ESA, you must enable the Email Connector and
provide suitable values for the following configuration items:

• Permitted Hosts – Add the IP address, hostname or subnet from which the ATD Email Connector is
allowed to receive email (the inbound Cisco ESA).
• Smart Host – Set the IP address/hostname and port for the Cisco ESA that will receive the returned
email messages, process the headers, and enforce the threat policy.

Access your ATD Appliance


a. Begin the configuration process.
Under the Manage tab, navigate to Email Connector > Configuration.
Under “Receiving Email”, check the “Enable Email Connector” box.
The Listen Port will be set to 25.
Pull down the menu for “Use TLS Connection” and choose If Available.

b. A Permitted Host will need to be configured – in this case, it will be the ESA.

Set the Host Type field to the IP Address option, enter the designated IP address of the ESA in the
required fields, then click Add.

2 Configuring the Cisco Email Security Appliance

Messages sent to ATD could take a considerable amount of time to scan if the attachments require a
full sandbox scan. The ATD Email Connector does not ‘accept’ the email from the sending ESA until its
scan is complete and the message has been delivered to the configured smart host.
To preserve ATD resources, the inbound ESA should perform all anti-spam, anti-virus and any other
filtering that may ultimately result in the message being blocked. Redirection of the message to the
ATD Email Connector should only occur when the message would be delivered or further processed if
the ATD verdict is ‘clean’.
This portion covers the configuration process on the ESA to relay messages to ATD, and to accept the
messages sent back from ATD after further analysis. This guide walks through how to configure the
routing on the default incoming mail policy. Administrators can use this connectivity on custom policies,
but that is out of scope for this document.

The goal of the inbound message handling configuration is to:

• Leverage all the security elements licensed for the Cisco Email Security Appliance: Anti-Spam,
Anti-Virus, Outbreak Filters, etc.

• Perform built-in threat detection, attachment filtering and other threat compliance policy actions
to filter messages that violate policy and would not be delivered regardless of the result of the
advanced threat scan.

• Identify inbound messages that should be scanned by ATD.

• Redirect the message to ATD for advanced threat scanning.

a. Cisco Email Security Scanning/Delivering to ATD via Content Filter

• Log in to your ESA appliance to configure the Incoming Content Filters.

• Under the Mail Policies tab, navigate to Incoming Content Filters.

Click on the “Add Filter” button, at which point you will be taken to the Add Incoming Content
Filter page. Enter a name for the filter, and once complete, click on the “Add Condition” button.

Under the condition parameters, choose Attachment File Info and add a file filter based on the
file type. Based on the supported file types of ATD, include file type conditions for file types
that you wish to be forwarded to the Email Connector.

Next, below the Conditions area, locate the Actions area. Here you will add an action to Send
to Alternative Destination Host.

This host will be the IP (#.#.#.#) of the ATD appliance. Once you have filled the appropriate IP
into the Mail Host field, click “OK”, then submit your changes. Ensure you click the “Commit
Changes” button to publish the changes in configuration.

Once the content filter for incoming mail has been established, head to Incoming Mail Policies
and ensure that the content filter that was created for ATD is applied under the policies for
Content Filters.

Submit and commit the changes.

b. Content Filter for Receiving Scanned Email from McAfee ATD and Smart Host Back to
ESA

First, there should be a dedicated “Listener” on the ESA that accepts email from ATD. As described in the
previous section, ATD receives email from the ESA on port 25. For accepting delivery from ATD back to
the ESA, a separate “Listener” should be configured on port 4444 (or on whatever port is configured as the
smart host port in ATD).

Network – Adding Listeners

Setting up this listener on the ESA is necessary to ensure that the messages ATD forwards back to the
ESA after scanning are accepted.

• Head to the Network tab, and from the pulldown menu, select Listeners.

• Click the “Add Listener” button in the Listeners field

Add the name of the listener.

From the Interface pulldown menu, select mgmt. (or the existing IP interface used for email
processing).

Set TCP Port to 4444.

All other settings are left as default. Submit the changes.

This dedicated listener should have the security engines disabled to remove the risk of double counting or
skewing the reports. Define in the HAT overview how the inbound email from ATD should be processed. Add
the sending IP address of ATD to the “WHITELIST” in the HAT for the new listener defined in the previous step
(for example, Accept From ATD).

Next, you will need to set a filter for accepting the mail as well to define how ESA will route the email.

Under the Mail Policies tab, navigate to Incoming Content Filters.

Click the “Add Filter” button, at which point you will be taken to the Add Incoming Content Filter page. Enter a
name for the filter, and once complete, click on the “Add Condition” button.

At this point, two conditions will be implemented which allow scanning of the X-header of the message returning
from ATD. Define two conditions joined with an “and” clause: one looks for the X-header added by ATD, and the
other requires that the message was received on the newly defined listener. Matching on the X-ATD-VERDICT
header value ensures that the ESA scans the X-header for the verdict and determines next steps based on the
policy configuration. The recommended values to quarantine or drop are an X-ATD-VERDICT of 4 or 5. A value of 3
should be marked up with a warning to the end user that the content is potentially malicious and should be opened
with care. See Appendix A for the other X-ATD-VERDICT values.

The example below processes the inbound email as follows:

• The filter checks that the message is coming in on the custom/dedicated listener for email from ATD
and looks for an ATD score of 5.

• It then notifies the administrator that this has occurred.

• It adds a specific log entry so the event can be tracked in the logs.

• It drops the message and does no further processing.

After submitting, the filter should appear at the top of the list.

The same way that was done for the processing of emails to be sent to ATD, the administrator needs to add the
defined filter to the default policy. Go to Mail Policies – Incoming Mail Policies and edit the content filters as
before. Note: be careful of the order of the filters enabled as they are processed in the order defined in the list.
Be sure to commit and save your changes.

Appendix A:

Headers summary

In line with convention, the ATD Email Connector will always add a ‘Received’ header to a message. Additionally,
since the ATD Email Connector uses email headers to communicate the results of the ATD scans to the Smart
Host/Secure Email Gateway, which is responsible for enforcing the organizational policy, it may also add a
number of headers with the prefix X-ATD.

All of the X-ATD headers discussed below will be removed from a message when it is received by ATD, to
prevent interference from outside sources. No other headers will be modified.

In this section we describe the headers, their values, and the conditions under which they will be added to a
message being returned from ATD.
Basic headers

The basic headers have a very simple format which is intended to be evaluated by a Secure Email Gateway.

X-ATD-VERDICT - This header is added to all messages that have passed through ATD. Its value indicates the
overall threat verdict for the email. Possible values for this header are shown in the table below.

 5  Malicious           -1  Clean
 4  Malicious           -2  Failure to scan
 3  Likely malicious    -3  Scan timeout
 2  Low activities      -6  No attachments to scan
 1  Very low activity   -7  Scanning is disabled (see X-ATD-SILENTMODE)
 0  Informational       -8  ATD is too busy to service new scanning requests. At least one
                            attachment has not been scanned and does not have a cached
                            result (see X-ATD-TOOBUSY)

The X-ATD-VERDICT value indicates the most severe verdict across all of the attachments of the email.
The ranking of one verdict relative to the others is calculated by ATD. To ensure ATD is offering the best
protection, inability to scan (due to timeout, failure, or resource shortage) takes priority over all but the ‘Malicious’
and ‘Likely malicious’ verdicts.

X-ATD-SILENTMODE - This informational header is added to all messages that have passed through ATD when
the email scanning capability is disabled from within the ATD UI by enabling ‘Profiling Mode’. The value of this
header will always be ‘1’.

X-ATD-TOOBUSY - This informational header is added to all messages that have passed through ATD while it is
too busy to process new attachments for scanning, and ATD is configured in Email pass-through mode. Its value
will always be ‘1’. Since ATD includes a results cache, the X-ATD-VERDICT should be referenced to determine
whether the attachments were scanned in a previous submission.

Advanced headers

Advanced headers are formatted as comma separated lists. They are made available for interpretation by
custom parsers, for logging and data analytics. They are human readable and may also be useful for
troubleshooting.

X-ATD-FILENAMES - This header is added to all messages that have passed through ATD that have
attachments. It contains a comma separated list of the names of all the attachments in a message.

X-ATD-ALTFILENAMES - This header is added to all messages that have passed through ATD that have
attachments. It contains a comma separated list whose entries correspond with those of X-ATD-FILENAMES.
If the result of the scan was retrieved from the cache, the filenames in this list are the filenames under which
the attachments were originally scanned.

X-ATD-FILEHASHES - This header is added to all messages that have passed through ATD that have
attachments. It contains a comma separated list of the hashes corresponding with the filenames present in
X-ATD-FILENAMES.

X-ATD-FILEVERDICTS - This header is added to all messages that have passed through ATD that have
attachments. It contains a comma separated list of the verdicts for each attachment, corresponding with the
filenames and hashes present in X-ATD-FILENAMES. Possible values for this header are shown in the
table below.

 5  Malicious           -1  Clean
 4  Malicious           -2  Failure to scan
 3  Likely malicious    -3  Scan timeout
 2  Low activities      -4  Attachment filtered by global file-type rules
 1  Very low activity   -5  Attachment filtered by file filtering rules
 0  Informational       -8  Attachment not scanned. ATD too busy

Sample message

Example of the headers returned by ATD:

Received: from seg.company.com ([10.173.232.95] helo=seg.company.com)
        by mailboxes.company.com with esmtp (Exim 4.86_2) (envelope-from
        <joe@othercompany.com>) id 1ctAaW-0002aE-GO
        for joe@company.com; Wed, 29 Mar 2017 11:12:24 +0100
Received: from vatd2-ec.company.com (unknown [10.173.232.131]) by seg.company.com with smtp (TLS:
        TLSv1/SSLv3,256bits,DHE-RSA-AES256-GCM-SHA384)
        id 6e81_1f77_9725a691_26ca_4250_8b8d_7151c1875908;
        Wed, 29 Mar 2017 10:12:23 +0000
Received: from seg.company.com (unknown [10.173.232.95]) by vatd2-ec.company.com with smtp (TLS:
        TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-GCM-SHA384) id
        507f_6949_28a3ec56_2d34_4ed3_ae1e_6d29a2e45700; Wed, 29 Mar 2017 15:41:42 +0530
Received: from [10.252.60.50] (unknown [10.252.60.50]) by seg.company.com with smtp
        id 6e81_1f66_cfa5dfe7_7322_4656_a65c_517885309124;
        Wed, 29 Mar 2017 10:11:42 +0000
To: joe@exchange.company.com
From: Bill <bill@othercompany.com>
Subject: Test ATD Email
Date: Wed, 29 Mar 2017 11:11:41 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="------------68F516BFEF9F32D5955D50AF"
X-ATD-FILENAMES: OCS-Tree.pdf,OCS-Leaf.pdf
X-ATD-ALTFILENAMES: OCS-Tree.pdf,OCS-Leaf.pdf
X-ATD-FILEHASHES: 5718e9d6cc4d870bd750159d7e70b518,9e51ba2ab334a1e0d8df70697a9ccf0c
X-ATD-FILEVERDICTS: -1,0
X-ATD-VERDICT: 0
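Section 2b describes a content filter that only acts on an X-ATD verdict when the message arrived on the dedicated ATD listener, and Appendix A describes the basic and advanced header formats and how the overall verdict relates to the per-attachment verdicts. The Python script below is an added example, not McAfee or Cisco code, that performs the same evaluation on a message's headers: it trusts X-ATD-VERDICT only for the dedicated listener, maps the verdict to the action recommended above (quarantine or drop on 4 or 5, warn on 3), pairs up the X-ATD-FILENAMES, X-ATD-ALTFILENAMES, X-ATD-FILEHASHES and X-ATD-FILEVERDICTS lists, and re-derives the overall verdict from the per-file verdicts. The listener name (ATD_LISTENER) and the ordering inside the "could not scan" group are assumptions of this example; the sample message is constructed from the header values shown above.

```python
"""Added example: parse the X-ATD headers the ATD Email Connector returns to
the ESA and apply the verdict policy the guide recommends. Not McAfee or Cisco
code; listener name and could-not-scan tie-breaks are assumptions."""
import email
import json

# Labels from the X-ATD-VERDICT and X-ATD-FILEVERDICTS tables in Appendix A.
VERDICT_LABELS = {
    5: "Malicious", 4: "Malicious", 3: "Likely malicious",
    2: "Low activities", 1: "Very low activity", 0: "Informational",
    -1: "Clean", -2: "Failure to scan", -3: "Scan timeout",
    -4: "Attachment filtered by global file-type rules",
    -5: "Attachment filtered by file filtering rules",
    -6: "No attachments to scan",
    -7: "Scanning is disabled (see X-ATD-SILENTMODE)",
    -8: "ATD too busy (see X-ATD-TOOBUSY)",
}

# Assumed name of the dedicated ESA listener (port 4444) that only ATD talks to.
ATD_LISTENER = "AcceptFromATD"

# Constructed sample: X-ATD header values from the guide's sample message,
# with the Received chain shortened and a placeholder body.
SAMPLE_MESSAGE = """\
Received: from vatd2-ec.company.com (unknown [10.173.232.131]) by seg.company.com with smtp
To: joe@exchange.company.com
From: Bill <bill@othercompany.com>
Subject: Test ATD Email
Date: Wed, 29 Mar 2017 11:11:41 +0100
MIME-Version: 1.0
X-ATD-FILENAMES: OCS-Tree.pdf,OCS-Leaf.pdf
X-ATD-ALTFILENAMES: OCS-Tree.pdf,OCS-Leaf.pdf
X-ATD-FILEHASHES: 5718e9d6cc4d870bd750159d7e70b518,9e51ba2ab334a1e0d8df70697a9ccf0c
X-ATD-FILEVERDICTS: -1,0
X-ATD-VERDICT: 0

placeholder body
"""


def recommended_action(verdict):
    """Guide policy: quarantine or drop on 4 or 5, warn the recipient on 3,
    otherwise let the message continue through the normal ESA policy."""
    if verdict in (4, 5):
        return "quarantine_or_drop"
    if verdict == 3:
        return "deliver_with_warning"
    return "deliver"


def severity_rank(verdict):
    """Ordering stated in Appendix A: inability to scan (-2, -3, -8) outranks
    everything except Malicious (5, 4) and Likely malicious (3). The order
    inside the could-not-scan group and the placement of -4/-5 are assumptions."""
    if verdict >= 3:
        return (2, verdict)
    if verdict in (-2, -3, -8):
        return (1, verdict)
    return (0, verdict)


def most_severe(verdicts):
    """Re-derive the overall verdict from the per-attachment verdicts."""
    if not verdicts:
        return -6  # table value for "No attachments to scan"
    return max(verdicts, key=severity_rank)


def _csv(msg, name):
    value = msg.get(name)
    return [] if value is None else [v.strip() for v in value.split(",")]


def attachments(msg):
    """Zip the advanced list headers into one record per attachment; a length
    mismatch (for example a filename containing a comma) raises rather than
    silently pairing the wrong hash with a file."""
    names = _csv(msg, "X-ATD-FILENAMES")
    alt = _csv(msg, "X-ATD-ALTFILENAMES")
    hashes = _csv(msg, "X-ATD-FILEHASHES")
    verdicts = [int(v) for v in _csv(msg, "X-ATD-FILEVERDICTS")]
    if not len(names) == len(alt) == len(hashes) == len(verdicts):
        raise ValueError("X-ATD list headers differ in length")
    return [
        {"name": n, "scanned_as": a, "hash": h, "verdict": v,
         "label": VERDICT_LABELS.get(v, "Unknown")}
        for n, a, h, v in zip(names, alt, hashes, verdicts)
    ]


def summarise(raw, listener):
    """Trust X-ATD-VERDICT only when the message arrived on the dedicated
    listener, mirroring the two-condition content filter in section 2b."""
    msg = email.message_from_string(raw)
    value = msg.get("X-ATD-VERDICT")
    if listener != ATD_LISTENER or value is None:
        return {"verdict": None, "action": "untrusted", "attachments": []}
    verdict = int(value.strip())
    files = attachments(msg)
    return {
        "verdict": verdict,
        "label": VERDICT_LABELS.get(verdict, "Unknown"),
        "action": recommended_action(verdict),
        "consistent": most_severe([f["verdict"] for f in files]) == verdict,
        "attachments": files,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_MESSAGE, ATD_LISTENER), indent=2))
```

Running the script prints a JSON summary of the sample message: verdict 0 (Informational), action "deliver", and two attachments labelled Clean and Informational. The listener argument stands in for the ESA's "received on listener" condition: because ATD strips any X-ATD headers on messages it receives, and the ESA only honours them on the dedicated listener, an X-ATD header supplied by an outside sender on the normal inbound path is never acted on.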
Advanced Content Filter Example using the above values

McAfee LLC
2821 Mission College Blvd.
Santa Clara, CA 95054
USA

McAfee, the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the
U.S. and/or other countries. Copyright © 2017 McAfee LLC. www.mcafee.com
Cisco and Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks

