000029628 - False positives for ghost_rat are being reported in RSA Security Analytics and RSA NetWitness investigations

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029628
Applies To: RSA Product Set: Security Analytics, NetWitness NextGen
RSA Product/Service Type: Security Analytics UI, NetWitness Investigator, Decoder
Platform: CentOS
O/S Version: EL5, EL6
Issue: When performing investigations in the Security Analytics UI or using the NetWitness Investigator client, entries for ghost_rat are found under the Risk: Warning (risk.warning) meta key. These entries are all false positives.
Cause: The false positives are generated by the deprecated FlexParser Backdoor.and.RAT.flex, which is still present on the Decoder appliance that is consuming the data.
Resolution: To resolve the issue, remove the Backdoor.and.RAT.flex file from the /etc/netwitness/ng/parsers directory on the affected Decoder appliance.
After removing the file, a parsers reload must be performed for the change to take effect. Instructions for doing so can be found in the knowledgebase articles below.
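The removal step above as an added shell example (not RSA tooling): it quarantines the deprecated parser into a backup directory instead of deleting it, skips cleanly when the file is already gone, and offers a check to confirm the parsers directory is clean. The backup location is an assumption; the parsers reload itself is not performed here.

```shell
#!/bin/sh
# Added example, not part of the RSA article. Quarantines the deprecated
# Backdoor.and.RAT.flex FlexParser on a Decoder so it can be restored if the
# change must be reverted. The backup directory default is an assumption.

PARSER_NAME="Backdoor.and.RAT.flex"

# Usage: quarantine_flex_parser [PARSERS_DIR] [BACKUP_DIR]
# Returns 0 if the file was moved, 1 if it was not present, 2 on error.
quarantine_flex_parser() {
    parsers_dir="${1:-/etc/netwitness/ng/parsers}"
    backup_dir="${2:-/var/tmp/flex-parser-backup}"   # assumed location
    src="$parsers_dir/$PARSER_NAME"

    if [ ! -f "$src" ]; then
        echo "$PARSER_NAME not present in $parsers_dir; nothing to do" >&2
        return 1
    fi

    mkdir -p "$backup_dir" || return 2
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$backup_dir/$PARSER_NAME.$stamp"
    mv "$src" "$dest" || return 2
    echo "moved $src to $dest; a parsers reload on this Decoder is still required" >&2
    return 0
}

# Usage: check_flex_parser_absent [PARSERS_DIR]
# Returns 0 when the deprecated parser is no longer on disk, 1 otherwise.
check_flex_parser_absent() {
    parsers_dir="${1:-/etc/netwitness/ng/parsers}"
    [ ! -e "$parsers_dir/$PARSER_NAME" ]
}
```

Run it as root on each affected Decoder, then perform the parsers reload so the Decoder stops loading the quarantined parser.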
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.