000026856 - Whitelists and blacklists in RSA ECAT

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026856
Applies To: RSA ECAT 3.4, RSA ECAT 3.5
Issue: How to use whitelists and blacklists with RSA ECAT to manage suspect levels
Resolution:

ECAT analyzes all modules running on the target machine (including drivers, DLLs, processes, hooks, files, etc.) and assigns each one a number that is intended to serve as an indicator of potential risk. This number is referred to as the suspect level. A suspect level is assigned to each object on a machine, and an overall number called the MSL (Machine Suspect Level) is compiled as well; the MSL is simply the sum of all suspicious activity on a system. In ECAT, you can build and maintain both a blacklist and a whitelist for files. Doing so affects the suspect score of the file in question as well as the MSL of the machine the file was found on.

Whitelisting a module does not affect the suspect level of that module, but the MSL of the machine will be affected.
Blacklisting a module increases the suspect level of the module, which in turn increases the MSL of that machine.

Modules found to be infected are automatically added to the blacklist with the reason "malware found". This increases the suspect level of the file (and, as a result, the MSL). Many ECAT administrators maintain extensive whitelists and blacklists and routinely back them up. Since corporate networks tend to be somewhat homogeneous, the whitelists in particular help them control suspect levels. When a new piece of floating code shows up on a machine, the MSL of that machine will be much higher than that of the others. When you add a module to the blacklist, you automatically raise the suspect level of both that module and the machine. By managing the suspect levels of the machines monitored by ECAT, it is possible to make a suspicious new module stand out rather than go unnoticed.
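To illustrate the effect described above, the following is an added toy model, not RSA ECAT's own code or scoring algorithm: it treats the MSL as the sum of per-module suspect levels, assumes that whitelisted modules are left out of that sum, and assumes a fixed penalty is added to blacklisted modules. The fleet, module names and numbers are constructed.

```python
from statistics import median

# Constructed toy model of the scoring behaviour the article describes. It is an added
# illustration, not RSA ECAT's real algorithm, numbers or data structures.
BLACKLIST_BUMP = 100  # assumed penalty added to a blacklisted module's suspect level


def module_suspect_level(name, base_level, blacklist):
    """Per-module score: blacklisting raises it; whitelisting leaves it untouched."""
    return base_level + (BLACKLIST_BUMP if name in blacklist else 0)


def machine_suspect_level(modules, whitelist, blacklist):
    """MSL modelled as the sum of module scores, with whitelisted modules left out (assumption)."""
    return sum(module_suspect_level(name, level, blacklist)
               for name, level in modules.items() if name not in whitelist)


def flag_outliers(fleet, whitelist, blacklist, factor=2.0):
    """Return hosts whose MSL exceeds `factor` times the fleet's median MSL."""
    msls = {host: machine_suspect_level(mods, whitelist, blacklist)
            for host, mods in fleet.items()}
    baseline = median(msls.values())
    return {host: msl for host, msl in msls.items() if msl > factor * baseline}


# Constructed fleet: the same benign-but-noisy corporate software on every host, plus one
# unexplained module on HOST-C. Module names and suspect levels are made up.
FLEET = {
    "HOST-A": {"vpnclient.sys": 40, "corpagent.exe": 35, "printer.dll": 25, "helper.exe": 10},
    "HOST-B": {"vpnclient.sys": 40, "corpagent.exe": 35, "printer.dll": 25, "helper.exe": 10},
    "HOST-C": {"vpnclient.sys": 40, "corpagent.exe": 35, "printer.dll": 25, "helper.exe": 10,
               "unknown.dll": 50},
}
CORP_WHITELIST = {"vpnclient.sys", "corpagent.exe", "printer.dll"}

if __name__ == "__main__":
    # Shared noise hides the new module: MSLs 110/110/160, none exceeds twice the median.
    print("no whitelist:", flag_outliers(FLEET, set(), set()))
    # Whitelisting the common software drops the baseline to 10 and HOST-C (60) stands out.
    print("with whitelist:", flag_outliers(FLEET, CORP_WHITELIST, set()))
    # Blacklisting the module raises its own score and therefore the host's MSL.
    print("blacklisted, whitelist on:",
          machine_suspect_level(FLEET["HOST-C"], CORP_WHITELIST, {"unknown.dll"}))
```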

Legacy Article ID: a66641
