000033678 - Cannot find Malware Analysis event in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 5, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000033678
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6
 
Issue: Customer cannot find a Malware Analysis event although the session was tagged with spectrum.consume.
Cause: Malware Analysis only generates an event when the analysis scoring reaches a threshold. The default threshold is listed below:
  • Malware Analysis - 41 (the Malware Analysis event is generated only if at least one of the Static, Network, Community or Sandbox scores is greater than or equal to this threshold)
The threshold is defined in the setting below and can be modified. Once the setting is modified, the Malware Analysis service must be restarted.
  • Filepath : /var/lib/rsamalware/spectrum/conf/eventJobConfig.xml
  • Parameter : eventRetentionScoreThreshold (Default : 41)
[root@MA ~]# cat /var/lib/rsamalware/spectrum/conf/eventJobConfig.xml
<config>
  <staticScoreThreshold>0.0</staticScoreThreshold>
  <communityScoreThreshold>0.0</communityScoreThreshold>
  <sandboxScoreThreshold>50.0</sandboxScoreThreshold>
  <eventRetentionScoreThreshold>41.0</eventRetentionScoreThreshold>
  <sessionHighWaterMark>10000</sessionHighWaterMark>
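To see how the retention rule above decides whether a session produces an event, here is an added example script (not RSA's code) that reads eventRetentionScoreThreshold from a copy of eventJobConfig.xml and checks a session's scores against it. The score names, the "greater than or equal" comparison and the ad hoc scan bypass are taken from this article; the function names and the sample scores are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the eventJobConfig.xml shown above (closing tag added so it parses).
SAMPLE_CONFIG = """<config>
  <staticScoreThreshold>0.0</staticScoreThreshold>
  <communityScoreThreshold>0.0</communityScoreThreshold>
  <sandboxScoreThreshold>50.0</sandboxScoreThreshold>
  <eventRetentionScoreThreshold>41.0</eventRetentionScoreThreshold>
  <sessionHighWaterMark>10000</sessionHighWaterMark>
</config>
"""

# The four scores the article says are compared against the retention threshold.
SCORE_TYPES = ("static", "network", "community", "sandbox")


def read_retention_threshold(config_xml: str) -> float:
    """Return eventRetentionScoreThreshold from an eventJobConfig.xml document."""
    root = ET.fromstring(config_xml)
    node = root.find("eventRetentionScoreThreshold")
    if node is None or node.text is None:
        raise ValueError("eventRetentionScoreThreshold missing from config")
    return float(node.text.strip())


def event_generated(scores: dict, threshold: float, adhoc_scan: bool = False) -> bool:
    """Decide whether Malware Analysis keeps an event for a session.

    Per the article: an event is generated only if at least one of the static,
    network, community or sandbox scores is >= the threshold, and an ad hoc
    (on-demand) scan of an uploaded file bypasses the threshold entirely.
    """
    if adhoc_scan:
        return True
    return any(scores.get(name, 0.0) >= threshold for name in SCORE_TYPES)


def explain(scores: dict, config_xml: str = SAMPLE_CONFIG, adhoc_scan: bool = False) -> str:
    """Human-readable verdict for troubleshooting a 'missing' Malware Analysis event."""
    threshold = read_retention_threshold(config_xml)
    kept = event_generated(scores, threshold, adhoc_scan)
    best = max(scores.get(name, 0.0) for name in SCORE_TYPES)
    verdict = "event generated" if kept else "no event (all scores below threshold)"
    return f"highest score {best:g} vs threshold {threshold:g}: {verdict}"


if __name__ == "__main__":
    # Constructed session tagged spectrum.consume, but every score is under 41.
    print(explain({"static": 20, "network": 35, "community": 0, "sandbox": 40}))
    # Same session with the sandbox score at exactly the threshold.
    print(explain({"static": 20, "network": 35, "community": 0, "sandbox": 41}))
```

Point the script at the live file (cat the path shown above into it) to confirm which threshold the appliance is actually running with before deciding whether to lower it.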
Resolution: How to change eventRetentionScoreThreshold
  1. SSH to the Malware Analysis host
  2. # vi /var/lib/rsamalware/spectrum/conf/eventJobConfig.xml
  3. Change the value of eventRetentionScoreThreshold
  4. Save and exit the text editor
  5. # restart rsaMalwareDevice
 
Workaround: Note that an ad hoc scan of an uploaded file (on-demand scanning) supersedes the eventRetentionScoreThreshold setting. Thus, you can check the scores without changing the setting.
Refer to the sadocs page for details on ad hoc scanning in Malware Analysis.
 
