|Applies To||RSA NetWitness NextGen|
RSA NetWitness NextGen 9.5 and above
RSA NetWitness Investigator
|Issue||Duplicate meta (e.g. "windows_executable" vs. "windows executable") exists during RSA NetWitness investigations.|
When reviewing metadata in Investigator, I see many meta values that are likely duplicates. I would like to remove one of the duplicate meta values.
This can be attributed to running multiple versions of parsers that perform a similar task.
For example, access_db and windows_installer are generated by the now deprecated parser file_fingerprints. We recommend disabling this parser and using the set of "fingerprint_*" parsers instead. See the attached document, 'Disabling Parsers'.
The duplicate executable meta can often be attributed to the parsers "CMS Windows Executable" (which registers the "windows_executable" meta) and "Advanced Windows Executable" (which registers the "windows executable" meta). The difference is that the "CMS" parser is provided by default, while the "Advanced" parser comes with (and is required by) Spectrum.
If you run Spectrum, you can therefore disable the "CMS" parser to avoid generating duplicate meta.
|Notes||If "Advanced Windows Executable" is enabled and the "CMS Windows Executable" parser is disabled, some of the Application Rules from CMS will no longer work.|
For example, "Filter Google Updates" <name=nw140020 rule="alias.host ends google.com && filetype = windows_executable,windows_installer,windows_dll" order=13 filter type=application> will not work, because "Advanced Windows Executable" registers "windows executable", not "windows_executable", as the "filetype".
A workaround is to modify every affected rule (i.e., any rule that references "filetype") to use <"windows executable", "windows installer", "windows dll">. Alternatively, you can enable both "Windows Executable" parsers and simply ignore the duplicate meta.
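To see concretely which rules stop firing after a parser change, the following added Python example (not RSA's code) evaluates application rules against the "filetype" meta that each parser registers. It models only the subset of rule grammar visible in the rule quoted above (`key ends value`, `key = v1,v2,...`, `&&`); the single-quote convention for values that contain a space, the sample rules and the session meta are constructed assumptions for this example. It goes slightly beyond the workaround above by also checking a rule that lists both spellings, which fires whichever parser is enabled.

```python
"""Audit which application rules still fire after disabling a parser.

Added example, not RSA NetWitness code. The grammar below covers only the
clauses seen in the article's quoted rule; quoting values with single quotes
is this example's own convention, not documented NetWitness syntax.
"""
import re
from typing import Dict, List, Tuple

# "filetype" meta each parser registers, as described in the article.
META_BY_PARSER = {
    "CMS Windows Executable": "windows_executable",
    "Advanced Windows Executable": "windows executable",
}

# Constructed sample rules: the article's rule, that rule after the
# workaround, and (an extension of the article's advice) a rule that lists
# both spellings so it is independent of which parser is enabled.
RULES = {
    "nw140020 Filter Google Updates":
        "alias.host ends google.com && filetype = windows_executable,windows_installer,windows_dll",
    "nw140020 (rewritten per workaround)":
        "alias.host ends google.com && filetype = 'windows executable','windows installer','windows dll'",
    "nw140020 (both spellings)":
        "alias.host ends google.com && filetype = windows_executable,'windows executable',"
        "windows_installer,'windows installer',windows_dll,'windows dll'",
}

Clause = Tuple[str, str, List[str]]


def parse_rule(rule: str) -> List[Clause]:
    """Split a rule into (key, operator, values) clauses joined by '&&'."""
    clauses: List[Clause] = []
    for part in rule.split("&&"):
        m = re.fullmatch(r"\s*([\w.]+)\s+(ends|=)\s+(.+?)\s*", part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        key, op, raw = m.groups()
        # Comma-separated list; a single-quoted item may contain commas/spaces.
        values = [v.strip().strip("'") for v in re.findall(r"'[^']*'|[^,]+", raw)]
        clauses.append((key, op, values))
    return clauses


def rule_matches(rule: str, meta: Dict[str, str]) -> bool:
    """True when every clause of the rule is satisfied by the session meta."""
    for key, op, values in parse_rule(rule):
        actual = meta.get(key)
        if actual is None:
            return False
        if op == "ends" and not any(actual.endswith(v) for v in values):
            return False
        if op == "=" and actual not in values:
            return False
    return True


def audit(rules: Dict[str, str], parser: str) -> Dict[str, bool]:
    """Does each rule fire on a Google-hosted executable tagged by `parser`?"""
    # Constructed session meta: host from a Google download, filetype from the parser.
    session = {"alias.host": "dl.google.com", "filetype": META_BY_PARSER[parser]}
    return {name: rule_matches(rule, session) for name, rule in rules.items()}


if __name__ == "__main__":
    for parser in META_BY_PARSER:
        print(f"Parser enabled: {parser}")
        for name, fires in audit(RULES, parser).items():
            print(f"  {'fires ' if fires else 'SILENT'}  {name}")
```

Running the script shows the article's rule firing only with the CMS parser and the rewritten rule firing only with the Advanced parser; the rule carrying both spellings fires in both cases, which is the property to check for before disabling either parser.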
|Legacy Article ID||a58919|