Confirm that Advanced Threat Protection receives traffic and detects EICAR from a test client

Article ID: 178963

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction


Resolution

While installing or reinstalling Endpoint Detection and Response or the Advanced Threat Protection (ATP) Platform to monitor traffic from a SPAN or TAP device, it is necessary to confirm that ATP receives traffic from a test client and detects various forms of threats in that traffic. The checks below are performed in this order:

  1. Identify which monitoring ports are in use.
  2. Determine whether a given Ethernet port is currently receiving traffic.
  3. Determine whether a given Ethernet port is currently receiving traffic from a test client.
  4. Determine whether a given Ethernet port currently receives traffic and logs an event when EICAR is received.
  5. Repeat steps 2-5 for each additional monitoring port in an UP state.

  • To identify which monitoring ports are in use, at the admin command line interface (CLI) of ATP Platform, type:
    ifconfig -a

    NOTE: In the results, ignore eth0 (the management port) and lo (the loopback interface). Focus on the remaining ports that are UP. Ports that are UP and show nonzero packet statistics are most likely receiving at least some traffic.

  • To determine whether a given Ethernet port is currently receiving traffic, type:
    tcpdump -i eth4

    ...where eth4 is the Ethernet interface that ifconfig identified as UP.

    NOTE: Output should consist of summary header lines for the packets received at the monitoring port. If a screen full of output with numerous lines does not appear, where those lines include at least one hostname and/or IP address, the attached device is not sending network traffic to that monitoring interface.

  • To determine whether a given Ethernet port is currently receiving traffic from a particular test client:
    1. At the CLI of ATP Platform, type:
        tcpdump -i eth4 host ip_address

        ...where ip_address is the IP address of the test client.

    2. On the test client, open a browser and navigate to an HTTP-only (not HTTPS) website.

    NOTE: Output should consist of summary header lines for the packets exchanged with the test client at the monitoring port. If the output does not include the IP addresses or host names associated with the domain opened in the client browser, the attached network device is not sending that traffic to the monitoring interface of the ATP appliance.

  • To determine whether a given Ethernet port currently receives traffic and logs an event when EICAR is received:
    1. At the CLI of ATP Platform, type:
        tcpdump -i eth4 host ip_address

        ...where ip_address is the IP address of the test client.

    2. On the test client, open a browser and navigate to http://testatp.coe.org.uk/.
    3. Click "Antivirus test" to download a copy of the EICAR test file to the test client.

        NOTE: On the CLI of ATP Platform, lines specific to the IP address of the test client and the hostname or IP address of test.symantec.com should appear.

    4. In the ATP user interface, click Events. Within up to five minutes, an event related to the test client's IP address should appear.

        NOTE: If the event does not appear, check the status of the scanner appliance to see whether there is a communications problem between the ATP scanner and the ATP management server.
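The port check in step 1 and the test-client check in steps 3 and 4, as an added POSIX shell example that is not from the original article or the ATP product: `monitoring_ports` filters `ifconfig -a` output down to UP ports other than eth0 and lo that show a nonzero RX counter, and `client_seen` reports whether tcpdump summary lines mention a given client address. The ifconfig and tcpdump text embedded below is constructed sample output, and both function names are my own.

```shell
# Constructed sample of net-tools style `ifconfig -a` output; not captured from an appliance.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:00
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12345 errors:0 dropped:0 overruns:0 frame:0

eth4      Link encap:Ethernet  HWaddr 00:11:22:33:44:04
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:987654 errors:0 dropped:0 overruns:0 frame:0

eth5      Link encap:Ethernet  HWaddr 00:11:22:33:44:05
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

eth6      Link encap:Ethernet  HWaddr 00:11:22:33:44:06
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0'
# Constructed tcpdump summary lines: 192.168.1.10 plays the test client, 203.0.113.10 the web server.
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.10.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 10.0.0.7.443 > 10.0.0.9.50000: Flags [P.], seq 1:100, ack 1, win 500, length 99'

# Step 1: read `ifconfig -a` output on stdin and print "iface rx_packets" for every port that
# is UP, is neither eth0 (management) nor lo (loopback), and has a nonzero RX counter.
# Assumes the net-tools layout shown in the sample (flags on their own line, "RX packets:N").
monitoring_ports() {
  awk '
    function flush() {
      if (iface != "" && iface != "eth0" && iface != "lo" && up && rx > 0) print iface, rx
      iface = ""; up = 0; rx = 0
    }
    /^[A-Za-z]/  { flush(); iface = $1 }          # unindented line starts a new interface block
    / UP /       { up = 1 }
    /RX packets/ { if (match($0, /RX packets[: ]+[0-9]+/)) { s = substr($0, RSTART, RLENGTH); sub(/.*[: ]/, "", s); rx = s + 0 } }
    END          { flush() }
  '
}

# Steps 3-4: succeed (exit 0) if the tcpdump summary lines on stdin mention the test client.
# tcpdump prints TCP/UDP endpoints as ip.port, so " $1." matches a whole address, never a longer one's prefix.
client_seen() {
  grep -qF " $1."
}
printf '%s' "$SAMPLE_IFCONFIG" | monitoring_ports            # prints: eth4 987654
printf '%s\n' "$SAMPLE_TCPDUMP" | client_seen 192.168.1.10 && echo "test client seen in capture"
```

On the appliance, replace the embedded samples with live output, e.g. `ifconfig -a | monitoring_ports` and `tcpdump -i eth4 -c 200 | client_seen ip_address`.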