000016950 - Advanced Windows Executable Parser Associated Alerts/Reports Using 'windows_executable' Stop Returning Results in RSA NetWitness NextGen

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016950

Applies To:
  • RSA NetWitness NextGen
  • RSA NetWitness Informer
  • RSA NetWitness Informer 2.x
  • RSA Live

Issue: Advanced Windows Executable Parser associated alerts/reports using "windows_executable" stop returning results in RSA NetWitness NextGen.
Your organization uses the Advanced Windows Executable parser distributed via NetWitness Live, and alerts/reports that found hits for filetype="windows_executable" no longer work.

Cause: With the March 10th, 2011 release of the Advanced Windows Executable Parser version 1.2, "windows_executable" was changed to "windows executable".

Resolution: To resolve the issue, update any rules that reference filetype="windows_executable" to use filetype="windows executable" instead.

Notes: The only change is that the underscore "_" has been replaced with a whitespace " " between "windows" and "executable".

Legacy Article ID: a58627
