000031150 - Some extracted files from SMB sessions are incomplete or corrupted in RSA Security Analytics 10.4.x and 10.5.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031150
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Packet Decoder, Packet Hybrid, Packet AIO
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
Issue: When files in SMB sessions are extracted from the Investigation, some appear to be incomplete or corrupted and have hash values that differ from those of the original files.
Some other files are complete and have the same hash values as the original.
The issue is noticed with the use of the latest native SMB, SMB flex or SMB LUA parsers.
Cause: When an SMB session is processed and saved across multiple sessions by the Decoder, the Decoder does not extract the files in their entirety from these sessions in response to a content call initiated by the Investigation. As a result, some of the extracted files appear to be incomplete or corrupted.
Resolution: This issue is currently being investigated by the Engineering team in order to resolve it in a future release. If you are experiencing this issue, contact RSA Support and quote this article number for further assistance.
Workaround: There is no known workaround at present.