000015773 - Anti-virus software alerts when drilling into malware in RSA NetWitness Investigator

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000015773
Applies To: RSA NetWitness NextGen, RSA NetWitness Investigator

Issue

Anti-virus software alerts when drilling into malware in RSA NetWitness Investigator.

Cause

When the thumbnail is rendered, the payload of the session is rendered into an HTML page, creating a small screenshot. This rendering is exactly what is shown in the content window and leverages the safeguards in place. It does not execute the payload, and scripting in HTML is disabled.

The rendered HTML page is placed in the cache directory. The anti-virus application watches files written to the cache directory, and because the rendered page contains malicious code, the anti-virus application triggers an alert.

Resolution

To prevent this behavior, disable thumbnails, and also select do not embed application types and disable native content views (always render as hex).

See the screenshot below for the options you can modify in RSA NetWitness Investigator.

Legacy Article ID: a58577
