Introduction

Forcepoint Advanced Malware Detection and Protection (AMDP) is an advanced file sandbox, sometimes referred to as a "Network Sandbox", designed to detect zero-day malicious files that traditional signature-based solutions and static analysis alone cannot currently detect.

AMDP is integrated into Forcepoint’s Web Security and Secure SD-WAN products for fast and easy setup.

This guide describes the process to install the AMDP On-Premises Manager and Engine components on hardware provided by the customer.

The AMDP On-Premises Manager is offered as part of the on-premises deployment configuration to customers with stringent privacy and policy constraints. In this configuration, the AMDP On-Premises Manager stores, within the customer's data center, all the information regarding the detection of infected hosts and the analysis of software files.

The AMDP On-Premises Manager collects information from Forcepoint appliances, processes it, and presents it to the administrator. More precisely, the Manager receives the files (executables and documents) that users receive or download and passes them to an Analysis Engine. The results of the analysis are collected and presented to the Admin User via a web portal using an incident-centered approach, in which evidence from run-time analysis, network monitoring, and anomaly detection is correlated to provide prioritized and actionable threat intelligence.

The AMDP On-Premises Engine component receives files (executables and documents) from the AMDP On-Premises Manager. It runs (detonates) these files and returns the analysis results, which are reported back to Web Security (SWG) and Secure SD-WAN. Alerts can be configured to notify administrators when AMDP detects an issue.

The Engine is managed by the Manager. As an important step of the installation process, however, the Engine must be registered with (made known to) the Manager.

Network topology

Figure: Integrating AMDP with Secure SD-WAN Engine

Figure: Integrating AMDP with third party router and firewall

Legend for both diagrams:

P - Primary / Production Network

E - Engine Network

S - Sandbox Network

Note: The Engine network should be isolated from the Primary / Production network, because the sandbox machines that execute submitted files run there. Only the traffic the deployment explicitly requires (the Manager exchanging files and results with the Engine) should be permitted between the two networks.
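One way to verify that isolation before going live is to check the firewall's rule set against the three networks the diagrams label P, E and S. The script below is an added illustration, not Forcepoint code: the subnet addresses, the rule format, the sample rules and the single permitted Engine-to-Production flow (the Engine reaching the Manager on port 443) are all assumptions made for the example. It flags any allow rule that would let Engine or Sandbox traffic into the Production network unless that flow is on an explicit exception list.

```python
"""Segmentation check for the P / E / S networks in the AMDP topology diagrams.

Added example, not part of the Forcepoint documentation. The addressing, the
rule format and the one permitted Engine-to-Manager flow are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the networks the diagrams label P, E and S.
NETWORKS = {
    "P": ipaddress.ip_network("10.10.0.0/24"),  # Primary / Production
    "E": ipaddress.ip_network("10.10.1.0/24"),  # Engine
    "S": ipaddress.ip_network("10.10.2.0/24"),  # Sandbox
}


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    dport: str   # "any" or a single TCP/UDP port as text
    action: str  # "allow" or "deny"


def zones(cidr: str) -> set[str]:
    """Names of the P/E/S networks that a CIDR overlaps (empty if none)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in NETWORKS.items() if net.overlaps(zone)}


def find_violations(rules, exceptions):
    """Return the allow rules that let Engine or Sandbox traffic reach Production.

    `exceptions` is a set of (src_zone, "P", dport) tuples the deployment
    deliberately permits, e.g. ("E", "P", "443") for the Engine reporting
    results to the Manager (the port is an assumption for this example).
    Each rule is judged on its own rather than by first-match order, so a
    broad allow is flagged even if a later deny might shadow part of it;
    that is the conservative reading for a malware-detonation network.
    """
    violations = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src_zones = zones(rule.src) & {"E", "S"}
        if not src_zones or "P" not in zones(rule.dst):
            continue
        # Every (source zone, P, port) pair the rule covers must be whitelisted.
        covered = {(zone, "P", rule.dport) for zone in src_zones}
        if not covered <= exceptions:
            violations.append(rule)
    return violations


# Constructed sample rule set for the check.
SAMPLE_RULES = [
    Rule("10.10.1.0/24", "10.10.0.5/32", "443", "allow"),  # Engine -> Manager host (intended)
    Rule("10.10.2.0/24", "0.0.0.0/0", "any", "allow"),     # Sandbox -> anywhere: leaks into P
    Rule("10.10.0.0/24", "10.10.1.0/24", "any", "allow"),  # Production -> Engine, not in scope
    Rule("10.10.1.0/24", "10.10.0.0/24", "any", "deny"),   # catch-all deny, does not rescue rule 2
]
ALLOWED_FLOWS = {("E", "P", "443")}  # assumed Engine-to-Manager port


def main():
    for rule in find_violations(SAMPLE_RULES, ALLOWED_FLOWS):
        print(f"VIOLATION: {rule.src} -> {rule.dst} port {rule.dport} is allowed")


if __name__ == "__main__":
    main()
```

Feed the check your real rule export (converted to `Rule` objects) and the real subnets; the point is that the Sandbox network needs a route to its simulated internet, not to the Production network, and any allow rule that crosses that boundary should be on a short, reviewed exception list.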