Applies To
RSA Product Set: Security Analytics, NetWitness NextGen
RSA Product/Service Type: Security Analytics UI, NetWitness Investigator, Decoder
O/S Version: EL5, EL6

Issue
When performing investigations in the Security Analytics UI or in the NetWitness Investigator client, entries for ghost_rat are found under the Risk: Warning (risk.warning) meta key. These entries are all false positives.

Cause
The false positives are generated by the deprecated FlexParser named Backdoor.and.RAT.flex, which is still present on the Decoder appliance that is consuming the data.

Resolution
To resolve the issue, remove the Backdoor.and.RAT.flex file from the /etc/netwitness/ng/parsers directory on the affected Decoder appliance.
After removing the file, reload the parsers on the Decoder so the change takes effect. Instructions for doing so can be found in the knowledgebase articles below.
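The removal step above, written as an added shell example (not part of the RSA article): the deprecated parser is quarantined with a checksum rather than deleted outright, so the change is auditable and reversible if the reload behaves unexpectedly. It assumes root on the Decoder; the parser and backup directories are passed as arguments so the function can be tried on a scratch copy before it is pointed at /etc/netwitness/ng/parsers.

```shell
#!/bin/sh
# Added example, not from the RSA knowledgebase article.
# Move the deprecated Backdoor.and.RAT.flex FlexParser out of the Decoder's
# parser directory into a dated backup, keeping a SHA-256 record of what was
# removed, then confirm no copy remains under the parser tree.
# Assumed arguments: parser directory, backup directory, optional file name.

quarantine_parser() {
    parser_dir="$1"                      # e.g. /etc/netwitness/ng/parsers
    backup_dir="$2"                      # e.g. /root/parser-backups (assumed)
    name="${3:-Backdoor.and.RAT.flex}"   # the deprecated FlexParser
    src="$parser_dir/$name"

    if [ ! -f "$src" ]; then
        echo "not present: $src" >&2
        return 1
    fi
    mkdir -p "$backup_dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)

    # Record the checksum first so the audit trail exists even if mv fails.
    sha256sum "$src" > "$backup_dir/$name.$stamp.sha256" || return 1
    mv "$src" "$backup_dir/$name.$stamp" || return 1

    # A copy left in a subdirectory would still be loaded by the Decoder.
    if find "$parser_dir" -name "$name" | grep -q .; then
        echo "a copy of $name is still present under $parser_dir" >&2
        return 1
    fi

    echo "moved $src -> $backup_dir/$name.$stamp"
    echo "now reload the parsers on this Decoder so the change takes effect"
    return 0
}
```

The parser reload itself is left to the referenced knowledgebase articles; until it is done, the Decoder keeps using the parser definitions already in memory.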