MA: Services Config View - General Tab

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Nov 29, 2016. Version 2.

This topic introduces the configuration settings in the Service Config view > General tab for Security Analytics Malware Analysis, which has parameters specific to the Malware Analysis service. In this tab, you configure:

  • The processing parameters for Core services that are capturing data.
  • The repository for captured data.
  • The static, community, and sandbox scoring categories used to analyze data.

The following task provides detailed procedures: Configure General Malware Analysis Settings.

This is an example of the General tab.

Features

This tab has four sections: Continuous Scan Configuration, Repository Configuration, Miscellaneous, and Modules Configuration.

Continuous Scan Configuration Section

This table describes the features of the Continuous Scan Configuration section.

Enabled
    Completely disable or enable continuous polling of the Security Analytics Core service. By default this is not selected (disabled).

Query
    While the Decoder is analyzing network traffic, it creates a meta field called content with a value of spectrum.consume in sessions that are likely to contain malware. By default, Security Analytics Malware Analysis only performs analysis on events that have this particular meta value. By changing this query, Malware Analysis can be configured to analyze different types of events.
    Making this query too broad may force Malware Analysis to analyze too many events, causing it to fall behind or perform poorly.
    The default query is: select * where content='spectrum.consume'

Query Expiry
    When Malware Analysis queries the Security Analytics Core service for meta, it gets a result back within a few seconds. If there is a problem, such as a network connectivity issue, Malware Analysis abandons the query after this configured amount of time.
    The default value is 3600 seconds.

Query Interval
    How often, in minutes, to query for new session meta and files.

Meta Limit
    Each time Malware Analysis queries the Security Analytics Core service, it pulls an amount of meta, up to this meta limit. Using this setting in conjunction with the query interval, you can tune the performance of Malware Analysis in the Security Analytics Core infrastructure.
    The default value is 25000.

Time Boundary
    Malware Analysis analyzes sessions that occurred after the Time Boundary. This setting is most important when installing a new Malware Analysis appliance, because it determines how far back in time to begin analysis. Setting the boundary too many hours in the past may cause Malware Analysis to analyze too many past events, causing a large delay before you see any traffic happening in real time.
    The default value is 24 hours.

Source Host
    Hostname of the Security Analytics Malware Analysis appliance. This is the IP address, or the hostname, of the service that Malware Analysis queries to retrieve its data for analysis. Do not use localhost as the source host.
    Depending on the model of the appliance and the configuration of the Security Analytics infrastructure, this source host can vary.

Source Port
    Malware Analysis communicates with the Security Analytics infrastructure using the REST service listening on this port. This port number is specific to the type of Security Analytics Core service that is being used as the Source host. This corresponds to the outbound connections for your Security Analytics Core service.

Username
    The username that Malware Analysis uses to authenticate to the Source host. The default value is admin.
    Malware Analysis must authenticate to the Source host each time it queries for data. In most cases, the account used by Malware Analysis is the same account used to access the Core service through Security Analytics. However, it is recommended to create a new account on the Security Analytics Core service dedicated to Malware Analysis.

User Password
    The password for the account above. The default value is netwitness.

SSL
    Use SSL when communicating with Security Analytics Core. If Malware Analysis is using an SSL connection to communicate with a Core service, check this option.
    The default value is unchecked.

Denial of Service (DOS) Prevention
    The Denial of Service Prevention feature provides safeguards against malware that intentionally generates high volumes of network connections between two endpoints containing Windows PE content. Generating a high volume of connections artificially inflates the amount of traffic that security services monitoring the network must consume and analyze, resulting in a denial of service. This feature helps identify these sessions so that you can have the analysis processing disregard them.
    The default value is unchecked.

DOS Session Rate Window Length (Seconds)
    Malware Analysis uses this parameter with the DOS Number Sessions per Rate Window and DOS Session Lockout Time (Seconds) parameters to identify a Denial of Service attack and determine how long to disregard sessions from a single IP address.
    To identify a Denial of Service attack, Malware Analysis monitors the number of sessions established by a single IP address during a specific time frame. The DOS Session Rate Window Length (Seconds) defines this time frame. If the number of sessions exceeds the DOS Number Sessions per Rate Window setting within the number of seconds defined in DOS Session Rate Window Length, Malware Analysis identifies the activity as a Denial of Service attempt. In this case, traffic from the IP address is disregarded for the length of time specified in DOS Session Lockout Time (Seconds).
    The default value is 60 seconds.

DOS Number Sessions per Rate Window
    Malware Analysis uses this parameter with the DOS Session Rate Window Length (Seconds) and DOS Session Lockout Time (Seconds) parameters to identify a Denial of Service attack and determine how long to disregard sessions from the IP address.
    The detection logic is the one described for DOS Session Rate Window Length (Seconds): if a single IP source establishes more than this number of sessions within the rate window, Malware Analysis identifies the activity as a Denial of Service attempt and disregards its traffic for the length of time specified in DOS Session Lockout Time (Seconds).
    The default value is 200 sessions.

DOS Session Lockout Time (Seconds)
    Malware Analysis uses this parameter with the DOS Session Rate Window Length (Seconds) and DOS Number Sessions per Rate Window parameters to identify a Denial of Service attack and determine how long to disregard such an attack.
    The detection logic is the one described for DOS Session Rate Window Length (Seconds). Once an IP address has been identified as a Denial of Service attempt, its traffic is disregarded for this many seconds.
    The default value is 60 seconds.

DOS Garbage Collection Interval (Seconds)
    Performs garbage collection on the internal memory structure used to track Denial of Service attempts.
    If memory usage is abnormally high, you can decrease this setting to free unused memory more often. If CPU usage is abnormally high, you can increase this setting to eliminate processing overhead (at the expense of memory usage).
    The default value is 120 seconds.
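The four DOS parameters above describe a per-source rate window with a lockout and periodic garbage collection. The following is an added example, not RSA's code, that implements that logic with the tab's default values (60-second window, 200 sessions, 60-second lockout, 120-second garbage collection); the class name, its methods and the timestamps fed to it are this example's own assumptions.

```python
from collections import defaultdict, deque

# Defaults shown on the General tab (constructed example, not RSA's implementation)
RATE_WINDOW_SECONDS = 60    # DOS Session Rate Window Length (Seconds)
SESSIONS_PER_WINDOW = 200   # DOS Number Sessions per Rate Window
LOCKOUT_SECONDS = 60        # DOS Session Lockout Time (Seconds)
GC_INTERVAL_SECONDS = 120   # DOS Garbage Collection Interval (Seconds)


class DosSessionFilter:
    """Per-source-IP session rate check: analyze a session, or disregard it during a lockout."""

    def __init__(self, window=RATE_WINDOW_SECONDS, limit=SESSIONS_PER_WINDOW,
                 lockout=LOCKOUT_SECONDS, gc_interval=GC_INTERVAL_SECONDS):
        self.window, self.limit = window, limit
        self.lockout, self.gc_interval = lockout, gc_interval
        self.history = defaultdict(deque)  # ip -> timestamps of sessions inside the window
        self.locked_until = {}             # ip -> time at which its lockout expires
        self.last_gc = 0.0

    def observe(self, ip, ts):
        """Return True if the session seen at time ts should be analyzed, False to disregard it."""
        self._maybe_gc(ts)
        if self.locked_until.get(ip, 0.0) > ts:
            return False                   # source is in lockout: disregard
        times = self.history[ip]
        times.append(ts)
        while times and times[0] <= ts - self.window:
            times.popleft()                # forget sessions older than the rate window
        if len(times) > self.limit:        # threshold exceeded within the window
            self.locked_until[ip] = ts + self.lockout
            times.clear()
            return False
        return True

    def tracked_sources(self):
        """Number of source IPs currently held in the tracking structure."""
        return len(set(self.history) | set(self.locked_until))

    def _maybe_gc(self, ts):
        """Drop expired lockouts and stale histories, at most once per gc_interval seconds."""
        if ts - self.last_gc < self.gc_interval:
            return
        self.last_gc = ts
        self.locked_until = {ip: t for ip, t in self.locked_until.items() if t > ts}
        stale = [ip for ip, q in self.history.items() if not q or q[-1] <= ts - self.window]
        for ip in stale:
            del self.history[ip]
```

A lower garbage-collection interval keeps the structure small at the cost of running the sweep more often, which is the memory/CPU trade-off the last row describes.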

Repository Configuration Section

Security Analytics Malware Analysis stores all of the files that are analyzed for future use. These files can be downloaded through the user interface or accessed via one of the file sharing protocols.

This table describes the features of the Repository Configuration section.

Directory Path
    All files are stored in the following directory on the Security Analytics Malware Analysis appliance: /var/lib/netwitness/spectrum

File Sharing Protocol
    Possible values for the file sharing protocol are FTP, SAMBA, and None. You can enable FTP access or SAMBA file sharing to allow a user to access the stored files on the Security Analytics Malware Analysis appliance from a remote location. No credentials are required to access these files. The port required for FTP access is TCP/21. The default file sharing protocol is None.

Retention (in days)
    Security Analytics Malware Analysis maintains files stored in the repository for a specified number of days. You can set the number of days that files are retained before being deleted. The default value is 60 days.

Miscellaneous Configuration Section (10.3 SP2 and Later)

This table describes the features of the Miscellaneous Configuration section.

Maximum File Size
    Limits the size of each file that you can scan for manually. This parameter applies to the feature described in "Upload Files for Malware Scanning" in the Investigation and Malware Analysis Configuration Guide. The default value is 64 MB.
    If the file size limit is exceeded, Security Analytics prevents you from scanning the file.

Modules Configuration Section

The Modules Configuration section allows configuration of the static, community, and sandbox scoring categories.

Static Analysis Configuration

The static module is the only scoring category that is enabled by default. This table describes the parameters for configuring static analysis.

Enabled
    Completely disable or enable static analysis. By default this is selected (enabled).

Bypass PDF
    Disable analysis of PDF documents. By default this is not selected; all PDF files undergo static analysis.

Bypass Office
    Disable analysis of Office documents. By default this is not selected; all MS Office files undergo static analysis.

Bypass Executable
    Disable analysis of Windows PE documents. By default this is not selected; all Windows PE files undergo static analysis.

Validate Windows PE Authenticate Settings via Cloud
    Specify whether or not Windows PE files are sent to the RSA-Netwitness Cloud for Authenticode validation. The default value is selected.
      • When selected, any Windows PE file that is digitally signed is transmitted over the network (in its entirety) to the RSA-Netwitness Cloud for validation. If the intent is to prevent Windows PE files from leaving the customer network, you should disable this option.
      • When not selected, ALL static analysis is performed locally (skipping Authenticode validation). Regardless of this setting, PDF and MS Office documents are not subject to Authenticode validation and are not transmitted over the network during static analysis.

Community Analysis Configuration

By default, the community module is disabled and the options are selected to prevent PDFs and MS Office documents from being processed. The intent is to default the settings to the most restrictive choices so that no sensitive documents leave the network unless the user chooses. This table describes the parameters for configuring Community analysis.

Enabled
    Completely disable or enable community analysis. By default this is not selected (disabled).

Bypass PDF
    Disable analysis of PDF documents. By default this is selected; PDF files are not processed.

Bypass Office
    Disable analysis of Office documents. By default this is selected; Microsoft Office documents are not processed.

Bypass Executable
    Disable analysis of Windows PE documents. By default this is selected; Windows PE documents are not processed.

Sandbox Analysis Configuration

By default, the sandbox module is disabled and MS Office and PDF files are prevented from being processed. The intent is to set the most restrictive settings to force the user to specifically choose whether or not potentially sensitive information is sent outside of the network for processing. If the document type is not prevented from being processed, the file is sent to the destination sandbox server in its entirety (not limited to a hash of the file contents). 

This table describes the parameters for configuring Sandbox analysis.

Enabled
    Completely disable or enable sandbox analysis. By default this is not selected (disabled).

Bypass PDF
    Disable analysis of PDF documents. By default this is selected; PDF files are not processed. When not selected, all PDF files are submitted in their entirety to the Sandbox for analysis.

Bypass Office
    Disable analysis of Office documents. By default this is selected; Microsoft Office documents are not processed. When not selected, all MS Office files are submitted in their entirety to the Sandbox for analysis.

Bypass Executable
    Disable analysis of Windows PE documents. By default this is selected; Windows PE documents are not processed. When not selected, all Windows PE documents are submitted in their entirety to the Sandbox for analysis.

Preserve Original File Name when Performing Sandbox Analysis
    In 10.3 SP2 and later, select this option to keep the original file name when files are sent to a local sandbox. By default this is not selected.

Note: If you do not select this parameter, Security Analytics hashes the files.
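Taken together, the static, community and sandbox Bypass options decide which file types leave the network, so a quick audit of the three modules is worth running before enabling one. This is an added example, not RSA's code: the dictionary layout, the function names and the assumption that a file type bypassed by the static module is never sent for cloud Authenticode validation are the example's own.

```python
# Assumed configuration layout for the three scoring modules (this example's own
# representation, not RSA's stored format); the values are the page's defaults.
DEFAULT_CONFIG = {
    "static": {"enabled": True, "bypass_pdf": False, "bypass_office": False,
               "bypass_executable": False, "validate_pe_via_cloud": True},
    "community": {"enabled": False, "bypass_pdf": True, "bypass_office": True,
                  "bypass_executable": True},
    "sandbox": {"enabled": False, "bypass_pdf": True, "bypass_office": True,
                "bypass_executable": True},
}

# File types the tab distinguishes, mapped to the Bypass option that covers them
BYPASS_OPTION = {"pdf": "bypass_pdf", "office": "bypass_office",
                 "pe": "bypass_executable", "signed_pe": "bypass_executable"}


def module_processes(module, file_type):
    """True if the module is enabled and the file type is not bypassed."""
    return module["enabled"] and not module[BYPASS_OPTION[file_type]]


def external_transmissions(config, file_type):
    """Destinations outside the network that receive a file of this type."""
    out = []
    static = config["static"]
    # Static analysis stays local, except that a digitally signed PE is sent in its
    # entirety to the RSA-Netwitness Cloud when cloud Authenticode validation is on
    # (assumed here: a bypassed executable is not validated either).
    if (file_type == "signed_pe" and module_processes(static, file_type)
            and static["validate_pe_via_cloud"]):
        out.append("RSA-Netwitness Cloud (entire signed PE, Authenticode validation)")
    # Community analysis: a processed document leaves the network (the page's defaults
    # are restrictive so that no sensitive documents leave unless the user chooses).
    if module_processes(config["community"], file_type):
        out.append("community service (document leaves the network)")
    # Sandbox analysis: a processed file is sent in its entirety, not just its hash.
    if module_processes(config["sandbox"], file_type):
        out.append("sandbox server (entire file)")
    return out


def audit(config):
    """Map each file type to the external destinations the configuration allows."""
    return {ft: external_transmissions(config, ft) for ft in BYPASS_OPTION}


def with_changes(config, module, **settings):
    """Copy of config with one module's options changed, for what-if checks."""
    new = {name: dict(opts) for name, opts in config.items()}
    new[module].update(settings)
    return new
```

With the defaults, only a signed Windows PE leaves the network (for cloud Authenticode validation); clearing that option makes every file type fully local until a community or sandbox module is enabled with a Bypass option unchecked.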

GFI Sandbox Settings

In the GFI Sandbox section, you can enable sandbox processing by GFI and configure the locally installed GFI sandbox. The table describes the parameters for configuring the GFI sandbox.

Enabled
    When enabled, sandbox processing is performed by a local copy of GFI. The default value is disabled. If you enable GFI, you need to configure the remaining parameters.

Server Name
    The GFI Sandbox server name. No default value.

Server Port
    The GFI Sandbox server port. Default value is 80.

Max Poll Period
    Determines how long to wait for a submitted sample to finish processing. Default value is 600 seconds.

Ignore Web Proxy Settings
    Tells Security Analytics Malware Analysis to bypass the web proxy, if a web proxy is configured, when making this connection. If no web proxy has been configured in Security Analytics Malware Analysis, the setting is ignored.

ThreatGrid Sandbox Settings

In the ThreatGrid Sandbox section, you can enable sandbox processing by ThreatGrid and choose whether to use the locally installed ThreatGrid or the ThreatGrid Cloud for sandbox analysis.

  • If you have a local copy of ThreatGrid, configure sandbox processing to use the local copy.
  • If no local instance of ThreatGrid has been purchased and installed, configure the ThreatGrid Cloud.

The table describes the parameters for configuring the ThreatGrid sandbox.

Note: Before enabling this service, you must configure a ThreatGrid-supplied Service Key. The service key allows ThreatGrid to recognize that samples submitted from this site are legitimate.

Enabled
    When enabled, sandbox processing is performed by ThreatGrid, either a local copy or the ThreatGrid Cloud. The default value is disabled.

Service Key
    Before enabling the sandbox module, a ThreatGrid-supplied Service Key must be configured. The service key allows ThreatGrid to recognize that samples submitted from this site are legitimate.

URL
    The URL for the ThreatGrid server to be used (if you are not using a locally installed ThreatGrid). The ThreatGrid Cloud is reachable via https://panacea.threatgrid.com

Ignore Web Proxy Settings
    Tells Security Analytics Malware Analysis to bypass the web proxy, if a web proxy is configured, when making this connection. If no web proxy has been configured in Security Analytics Malware Analysis, the setting is ignored.