|Applies To||RSA NetWitness NextGen, RSA NetWitness Investigator|
|Issue||Anti-virus software alerts when drilling into malware in RSA NetWitness Investigator.|
When a thumbnail is rendered, the payload of the session is rendered into an HTML page to create a small screenshot. This rendering is exactly what is shown in the content window and leverages the safeguards in place. It does not execute the payload, and scripting in HTML is disabled.
The rendered HTML page is placed in the cache directory. The anti-virus application watches files written to the cache directory, and because the rendered page contains the malicious code from the session payload, the anti-virus alert triggers.
To prevent this behavior, disable thumbnails, select the option to not embed application types, and disable native content views (always render as hex).
See the screenshot below for the options you can modify in RSA NetWitness Investigator.
|Legacy Article ID||a58577|