MA: Basic Setup

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

Security Analytics Malware Analysis can operate as a service on a Security Analytics Decoder or as a service on a dedicated appliance. This guide includes instructions for setting up the operating environment and then configuring the Security Analytics Malware Analysis service. After this configuration is complete, analysts can conduct malware analyses.

The following checklist lists the basic setup tasks; see the individual subtopics for details on each step in the sequence. 

Step 1: If your site is using a dedicated appliance, do one of the following:
  • If your site is adding a new dedicated Security Analytics Malware Analysis appliance, install the physical Security Analytics Malware Analysis appliance in your network and configure the operating environment.
  • If your site is upgrading a dedicated Spectrum appliance to a dedicated Security Analytics Malware Analysis appliance, re-image the Spectrum appliance with Security Analytics Malware Analysis.
  (See Step 1: Configure Malware Analysis Operating Environment)

Step 2: In Security Analytics, create a Malware Analysis service and activate the license. The default REST port is 60007. Sites that are using the free version of Security Analytics Malware Analysis must configure the service IP address as localhost or loopback. (See Step 2: Add Malware Analysis Host and Service)
  Note: To complete this step you must have the Security Analytics License Server set up as described in the Security Analytics Licensing Guide.

Step 3: Configure the general settings for Security Analytics Malware Analysis. (See Step 3: Configure General Malware Analysis Settings)
  • Enable continuous polling.
  • Configure the manual file upload limit.
  • Configure the file storage repository and database.
  • Calibrate the Static, Network, Community, and Sandbox scoring modules.

Step 4: Calibrate the Indicators of Compromise that are applied for each scoring module (Static, Network, Community, Sandbox) and for YARA-based IOCs. (See Step 4: Configure Indicators of Compromise)

Step 5: Configure the anti-virus vendors that you have installed. (See Step 5: Configure Installed Antivirus Vendors)

Step 6 (Optional): Configure auditing thresholds and enable syslog, SNMP, and file auditing. (See (Optional) Configure Auditing on Malware Analysis Host)

Step 7 (Optional): Configure hash filtering to fine-tune Security Analytics Malware Analysis event analysis based on known good or bad file hashes. (See (Optional) Configure Hash Filter)

Step 8 (Optional): Configure Malware Analysis to communicate with the RSA Cloud through a web proxy instead of directly. (See (Optional) Configure Malware Analysis Proxy Settings)

Step 9 (Optional): Register for a ThreatGrid API key. (See (Optional) Register for a ThreatGrid API Key)