MA: Step 3: Configure General Malware Analysis Settings

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

Several basic settings are required to enable and calibrate the consumption of sessions, manual file upload, and the different scoring modules that Security Analytics Malware Analysis uses to analyze data. You can also set up file sharing with the data repository.

Security Analytics Malware Analysis has three modes of consuming sessions and files. Any combination of the three choices may be used to initiate analysis in Malware Analysis. The choices are:

  • Continuous Polling of the Security Analytics Core service: You can enable and configure continuous polling of the Security Analytics Core service. When enabled and configured, Security Analytics Malware Analysis continuously polls the Security Analytics Core service for sessions tagged for analysis. By default, continuous polling is disabled. You can enable Denial of Service (DOS) attack prevention for use during continuous polling, and you can test the connection to the Core service that is being polled using the Test Connection option (the Core service itself is selected in the Integration tab). 

Note: When adding a Core service as a service for continuous polling on Malware Analysis 10.3.5 and earlier, use the REST port; for example, add a Concentrator to 10.3.5 Malware Analysis with the REST port (50105) instead of the native NexGen port (50005).

  • On-Demand Analysis of the Security Analytics Core service: You can analyze sessions based on Investigations initiated directly in Security Analytics. This method allows manually controlled consumption of Security Analytics Core sessions and allows tighter control over how files in those sessions are processed (for example, send to Sandbox for processing). Document types can bypass the default restrictions and be sent to community or sandbox processing regardless of the configured setting. 
  • Manual File Upload: You can manually upload one or more files for analysis by navigating to a visible folder on your computer and selecting files to be uploaded. The maximum size for the uploaded files is configurable.

View the Basic Settings

To view the basic settings:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Malware Analysis service, then click the Actions icon > View > Config.
    The Service Config for the service is displayed with the General tab open.
    GnrlTab.png

Configure Continuous Polling

Security Analytics Malware Analysis is rate limited so that 1,000 files per day may be submitted to ThreatGrid’s Cloud for sandbox processing. To optimize your use of the sandbox, Malware Analysis configuration allows you to choose which of several methods of consumption Security Analytics Malware Analysis uses. 

104MWAContScanConfig.png

To configure Security Analytics Malware Analysis for continuous polling, in the Continuous Scan Configuration section:

  1. To enable continuous polling, click Enable.
  2. (Optional) If you want to change the default values for querying, enter new values for the Query Expiry, Query Interval, Meta Limit, Referring Window, and Time Boundary.
  3. To identify the Security Analytics Core service (for example, a Concentrator) that Malware Analysis queries to retrieve sessions for analysis, specify the Source Host and Source Port.
  4. (Optional) If you want to change the default logon credentials that Malware Analysis uses to authenticate to that Core service, specify the Username and User Password.
  5. If you want to use SSL for communication between the Malware Analysis appliance and the Security Analytics Core service, enable SSL.
  6. (Optional) If you want to configure Denial of Service (DOS) prevention:
    • Enable the Denial of Service (DOS) Prevention parameter.
    • Set up the DOS prevention session limitations:
      • Specify the length of the rate window in DOS Session Rate Window Length (Seconds).
      • Specify the number of sessions allowed per rate window in DOS Number Session per Rate Window.
      • Specify how long a source that exceeds the session limit stays locked out in DOS Session Lockout Time (Seconds).
      • Specify how often Security Analytics discards expired session-tracking state in DOS Garbage Collection Interval (Seconds).
  7. Click Apply.
    The changes become immediately effective as Security Analytics Malware Analysis receives new packets.
  8. Test the connection of the Malware Analysis service to the Core service selected in the Integration tab by clicking the Test Connection button in the Continuous Scan Connect Test section. 
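The four DOS prevention settings describe a per-source sliding window with a lockout. The Python model below is an added example, not RSA code, and does not reflect the internal implementation of Malware Analysis; the assumptions are mine: sessions are counted per source, a source that exceeds Number Session per Rate Window is rejected for Lockout Time seconds, and the Garbage Collection Interval controls how often tracking state for idle sources is discarded. The timeline of sessions is constructed. It shows why a small window with a short lockout still admits a steady trickle, while a long lockout silences a bursting source entirely.

```python
from collections import defaultdict, deque


class SessionRateLimiter:
    """Sliding-window session limiter with lockout, modelled on the four
    DOS prevention settings (assumed semantics; not the product's own code)."""

    def __init__(self, window_seconds, sessions_per_window,
                 lockout_seconds, gc_interval_seconds):
        self.window = window_seconds            # DOS Session Rate Window Length
        self.limit = sessions_per_window        # DOS Number Session per Rate Window
        self.lockout = lockout_seconds          # DOS Session Lockout Time
        self.gc_interval = gc_interval_seconds  # DOS Garbage Collection Interval
        self._accepted = defaultdict(deque)     # source -> timestamps inside the window
        self._locked_until = {}                 # source -> time at which lockout ends
        self._last_gc = None

    def allow(self, source, now):
        """Return True if a new session from `source` at time `now` is accepted."""
        self._maybe_gc(now)
        if self._locked_until.get(source, 0.0) > now:
            return False                        # still serving a lockout
        recent = self._accepted[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                    # drop sessions that left the window
        if len(recent) >= self.limit:
            self._locked_until[source] = now + self.lockout
            recent.clear()                      # lockout resets the window
            return False
        recent.append(now)
        return True

    def _maybe_gc(self, now):
        """Every gc_interval seconds, forget sources with no recent sessions and no lockout."""
        if self._last_gc is not None and now - self._last_gc < self.gc_interval:
            return
        self._last_gc = now
        for source in list(self._accepted):
            recent = self._accepted[source]
            while recent and now - recent[0] >= self.window:
                recent.popleft()
            if not recent and self._locked_until.get(source, 0.0) <= now:
                del self._accepted[source]
                self._locked_until.pop(source, None)


def run_timeline(limiter, events):
    """Apply (timestamp, source) events in order and return the accept/reject decisions."""
    return [limiter.allow(source, ts) for ts, source in events]


# Constructed timeline: source A opens four sessions within three seconds, B opens one.
DEMO_EVENTS = [(0, "A"), (1, "A"), (2, "A"), (3, "A"), (3, "B"), (20, "A"), (34, "A")]

if __name__ == "__main__":
    limiter = SessionRateLimiter(window_seconds=10, sessions_per_window=3,
                                 lockout_seconds=30, gc_interval_seconds=60)
    for event, ok in zip(DEMO_EVENTS, run_timeline(limiter, DEMO_EVENTS)):
        print(event, "accepted" if ok else "rejected")
```

With a 10-second window, 3 sessions per window and a 30-second lockout, A's fourth session at t=3 trips the limit, A is still rejected at t=20, and is admitted again at t=34; B is unaffected because the limit is tracked per source. Tune Lockout Time against the Query Interval: a lockout shorter than the polling cadence is barely visible, one much longer than it can keep a legitimate but chatty Core source out for several polling cycles.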

Configure Manual File Upload Settings

To configure the maximum file size for manual file upload:

  1. In the Miscellaneous section, type the maximum file size in Megabytes allowed for files uploaded manually for Malware Analysis scanning.
    104MWAServConVMisc.png
  2. Click Apply.
    The changes become immediately effective.

Configure the Data Repository

Security Analytics Malware Analysis can store a finite number of files on the appliance. The data repository configuration has a file system retention period, 60 days by default, that determines how long files are retained on the Security Analytics Malware Analysis appliance. Every day, Malware Analysis deletes files older than the retention period so that disk space is not wasted; once deleted, these files cannot be recovered.

104MWARepositConfig.png

The File System Retention Period is the only setting that governs when files are deleted. Files are not deleted based on the amount of disk space being used. If the setting needs to be changed, the administrator must configure the retention period based on the anticipated space usage during the number of retention days specified.

The visible data repository parameters in the Security Analytics user interface are:

  • The location of the repository is /var/lib/netwitness/spectrum. Do not edit this value.
  • The file sharing protocol, which allows access through one of the File Sharing Protocols to copy files from the Malware Analysis service.
  • The file retention period in number of days.

To configure file sharing, in the Data Repository section:

  1. In the File Sharing Protocol list, select FTP or SAMBA.
  2. Select the number of days that files are maintained in the repository before deletion.
  3. Click Apply.

The changes become immediately effective.
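The retention sweep described above, as an added example that is not RSA's code: a daily job that removes files older than the File System Retention Period, with a dry-run mode so you can preview what a shorter retention value would delete before applying it. It assumes a file's modification time reflects when it was stored, and it refuses to follow symlinks, because an age-based deleter that follows links can be turned against files outside the repository. The sample repository is constructed in a temporary directory rather than /var/lib/netwitness/spectrum.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

SECONDS_PER_DAY = 86400


def expired_files(repo, retention_days, now=None):
    """Regular files under repo whose mtime is older than the retention period."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    expired = []
    for path in Path(repo).rglob("*"):
        # Never follow symlinks: a planted link must not let the sweep delete outside the repo.
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_mtime < cutoff:
            expired.append(path)
    return sorted(expired)


def sweep(repo, retention_days, dry_run=True, now=None):
    """Delete (or, in dry-run mode, only report) files past the retention period."""
    doomed = expired_files(repo, retention_days, now)
    if not dry_run:
        for path in doomed:
            path.unlink()
    return doomed


def demo(retention_days=60):
    """Constructed repository with files 1, 59 and 61 days old; returns (preview, remaining)."""
    repo = tempfile.mkdtemp(prefix="spectrum-demo-")
    try:
        now = time.time()
        for name, age_days in {"fresh.bin": 1, "borderline.bin": 59, "stale.bin": 61}.items():
            path = Path(repo, name)
            path.write_bytes(b"\0" * 16)
            stamp = now - age_days * SECONDS_PER_DAY
            os.utime(path, (stamp, stamp))
        preview = [p.name for p in sweep(repo, retention_days, dry_run=True, now=now)]
        sweep(repo, retention_days, dry_run=False, now=now)
        remaining = sorted(p.name for p in Path(repo).iterdir())
        return preview, remaining
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # (['stale.bin'], ['borderline.bin', 'fresh.bin'])
```

Because retention is the only deletion trigger, size the disk for the worst day: if you expect to retain files for 60 days, the repository must hold 60 days of peak daily intake, and the dry run above is the cheap way to see how much a lower retention value would free.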

Calibrate Scoring Modules

The Modules configuration section provides a means of configuring Security Analytics Malware Analysis to:

  • Completely disable any or all of three scoring modules (Static, Community, and Sandbox). Before disabling or enabling any scoring module, ensure that you understand what each scoring module detects.
  • Bypass specific document types. The Security Analytics Core service tags sessions containing Microsoft Office, Windows PE, and PDF files for consumption by the Malware Analysis service, and you can configure Malware Analysis to ignore any of these types entirely. If a type is to be ignored altogether, a better option is to adjust your Security Analytics Core settings so that those files are not tagged for Security Analytics Malware Analysis consumption in the first place.

A sample application for using scoring module calibration is this: when setting up rule groups or analyzing system performance, you can test various scenarios in which PDF documents are not analyzed, but Microsoft Office and Windows PE documents are. You can test the scenario in each of the three scoring modules. If you see a measurable improvement in system performance, you can apply this knowledge on a broader scale.

Configure Static Analysis Scoring

104ModConfigStatic.png

To configure Static analysis scoring, in the Modules Configuration section:

  1. By default the Static module is enabled. To enable or disable Static analysis entirely, click the Enabled checkbox.
  2. To configure handling of PDF, Microsoft Office, and Windows PE files in a session, select any of the checkboxes Bypass PDF, Bypass Office, and Bypass Executable.
  3. To configure your preference for Authenticode validation of digitally signed Windows PE files, click the Validate Windows PE Authenticode Settings via Cloud checkbox. If you want to prevent digitally signed Windows PE files from being transmitted to the RSA Cloud for validation, clear the checkbox.
    When disabled, ALL static analysis is performed locally (skipping Authenticode validation). Regardless of this setting, PDF and MS Office documents are not subject to Authenticode validation and are not transmitted over the network during static analysis.
  4. Click Apply.
    The changes become immediately effective as Security Analytics Malware Analysis receives new packets.
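What "local static analysis" of a signed Windows PE can and cannot tell you, as an added example that is not RSA's code and does not reproduce what Malware Analysis or the RSA Cloud actually do: the script locates the Certificate Table through the Security data directory, lists the WIN_CERTIFICATE entries, and computes the Authenticode digest per the PE specification (skipping CheckSum, the Security directory entry and the certificate table itself). The sample PE32 image is constructed in code and carries a placeholder where the PKCS#7 SignedData blob would be. The caveat it demonstrates: the presence of a signature blob says nothing about its validity, and the digest excludes the blob entirely, so tampering with the certificate table does not change the digest; verifying the PKCS#7 signature and its chain is the step that the cloud validation option performs and that this example deliberately omits.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob


def _pe_layout(data):
    """Locate the header fields that Authenticode parsing needs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    return {
        "checksum": opt + 64,                          # same offset in PE32 and PE32+
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "security_dir": dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
        "sections": opt + opt_size,
        "num_sections": num_sections,
    }


def certificate_entries(data):
    """Return [(revision, type, blob), ...] from the Certificate Table; [] if unsigned."""
    lay = _pe_layout(data)
    cert_off, cert_size = struct.unpack_from("<II", data, lay["security_dir"])
    entries, pos, end = [], cert_off, cert_off + cert_size
    while cert_size and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, data[pos + 8:pos + length]))
        pos += (length + 7) & ~7                        # entries are 8-byte aligned
    return entries


def authenticode_digest(data, algorithm="sha256"):
    """Hash the image the way Authenticode does: skip CheckSum, the Security data
    directory entry and the Certificate Table; hash sections in file-offset order."""
    lay = _pe_layout(data)
    cert_off, cert_size = struct.unpack_from("<II", data, lay["security_dir"])
    h = hashlib.new(algorithm)
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["security_dir"]])
    h.update(data[lay["security_dir"] + 8:lay["size_of_headers"]])
    sections = []
    for i in range(lay["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", data, lay["sections"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in sorted(sections):          # ascending PointerToRawData
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail_end = cert_off if cert_size else len(data)     # trailing data, minus the cert table
    if hashed < tail_end:
        h.update(data[hashed:tail_end])
    return h.hexdigest()


def build_sample_pe(cert_blob=None):
    """Constructed minimal PE32 (not a real binary) with an optional Certificate Table."""
    opt_size, hdr_size, sec_size = 224, 512, 512
    cert_table = b""
    if cert_blob is not None:
        body = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert_table = body + b"\0" * (-len(body) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_size)                           # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                         # CheckSum (not hashed)
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     hdr_size + sec_size if cert_table else 0, len(cert_table))
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, 0x1000, sec_size,
                          hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + section
    headers += b"\0" * (hdr_size - len(headers))
    return headers + bytes(range(256)) * 2 + cert_table                 # 512 bytes of section data


if __name__ == "__main__":
    signed = build_sample_pe(b"constructed-pkcs7-placeholder")
    print(certificate_entries(signed)[0][:2])
    print(authenticode_digest(signed) == authenticode_digest(build_sample_pe()))
```

Run on a real signed binary, `certificate_entries` tells you a PKCS#7 blob is attached and `authenticode_digest` gives the value that must match the digest inside that blob; both are safe to compute on the appliance without sending the file anywhere, which is exactly the "all static analysis is performed locally" case. Whether the signer is trusted, the chain validates and the certificate is not revoked are questions the local parse cannot answer.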

Configure Community Analysis Scoring 

Once the Community module is enabled, the security community analyzes all documents not prevented from processing. This is achieved by sending network session and file attributes to the RSA Cloud for processing. The RSA Cloud then may make external connection to security community partners as needed to process the information. 

CommAnly.png

The file content is never sent to the community for analysis. Instead, the MD5/SHA-1 hash of the file is sent for Anti-Virus detection and Blacklisting. Similarly, session Meta is harvested and analyzed as part of this process. Meta elements such as URL and Domain Name are examined and transmitted to the RSA Cloud to identify known bad URLs/Domains.

You can enable Community analysis and limit which document types are processed. Only the hash of a file, never its content, leaves your network.

Note: To gain access to the RSA Cloud where processing occurs, you must register your Malware Analysis service with RSA customer service. There are two methods: register the service using the options in the Integration tab or contact RSA Customer Care.

To configure Community analysis scoring, in the Modules Configuration section:

  1. To enable or disable Community analysis entirely, click the Enabled checkbox. The default value is Disabled.
  2. To configure handling of PDF, Microsoft Office, and Windows PE files in a session, select any of the three checkboxes Bypass PDF, Bypass Office, Bypass Executable.
  3. Click Apply to save the changes and put them into effect immediately as Security Analytics Malware Analysis receives new packets.

Configure Sandbox Analysis Scoring

By default, the Sandbox module is disabled and MS Office and PDF files are prevented from being processed. The intent is to set to the most restrictive settings to force the user to specify whether or not potentially sensitive information is sent outside of the network for processing. If a document type is not prevented from being processed, the entire file (not just the hash) is sent to the destination sandbox server.

In addition, you can choose to preserve the original file name when performing Sandbox analysis.

Note: If you do not select Preserve Original File Name when Performing Sandbox Analysis, Security Analytics submits each file under a name derived from its hash rather than its original file name.

104MWAConfigSBView.png

When you enable the Sandbox module, you must specify which sandbox performs the processing: a local GFI sandbox, a local ThreatGrid sandbox, or the cloud version of the ThreatGrid sandbox. The cloud version is provided directly by ThreatGrid and requires an activation key obtained from ThreatGrid and configured in the ThreatGRID tab.

GFI Sandbox Settings

To use a locally installed GFI Sandbox, you must enable GFI and supply the Server Name and Server Port of the GFI Sandbox Server. The Max Poll Period and Polling Interval determine how long to wait for a submitted sample to finish processing and how often to check the status (in seconds). The Ignore Web Proxy Settings option allows you to indicate that you want Security Analytics Malware Analysis to bypass a web proxy when making this connection. If no Web Proxy has been configured in Security Analytics Malware Analysis, the setting is ignored.

104MWAConfigGFISBView.png

ThreatGrid Sandbox Settings

Note: Before enabling ThreatGrid scoring, a ThreatGrid-supplied Service Key must be configured so that ThreatGrid can recognize that samples submitted from this site are legitimate. Use Security Analytics to register for a ThreatGrid API key, then you can enable and configure a locally installed ThreatGrid sandbox or the ThreatGrid Cloud sandbox. Refer to the following detailed task: Register for a ThreatGrid API Key.

The Ignore Web Proxy Settings allows you to indicate that you want Security Analytics Malware Analysis to bypass a web proxy when making this connection. If no Web Proxy has been configured in Security Analytics Malware Analysis, the setting is ignored.

104MWAConfigThreatGView.png

To configure Sandbox scoring, in the Modules Configuration section:

  1. To enable or disable Sandbox analysis entirely, click the Enabled checkbox. The default value is Disabled.
  2. To configure handling of PDF, Microsoft Office, and Windows PE files in a session, select any of the three checkboxes Bypass PDF, Bypass Office, Bypass Executable.
  3. Configure the active sandbox vendor. You have three options:
    1. To use a locally installed instance of the GFI sandbox, provide the Server Name and Server Port of the GFI Sandbox Server, the Max Poll Period and Polling Interval, and optionally, select the Ignore Web Proxy checkbox.
    2. To use a locally installed instance of ThreatGrid, enable ThreatGrid scoring, provide the ThreatGrid Service Key and optionally, select the Ignore Web Proxy checkbox.
    3. To use the ThreatGrid Cloud, you must first register for a ThreatGrid API key. Then enable ThreatGrid scoring, provide the ThreatGrid Service Key, enter the URL for the ThreatGrid server (https://panacea.threatgrid.com), and optionally, select the Ignore Web Proxy checkbox.
  4. Click Apply.
    The changes become immediately effective.
