MA: Configure Installed Antivirus Vendors

Document created by RSA Information Design and Development on Sep 15, 2017Last modified by RSA Information Design and Development on Sep 19, 2017
Version 2Show Document
  • View in full screen mode
  

You can compare file analysis results from your installed antivirus (AV) vendors versus community results from the Malware Analysis knowledge base. While a file is being analyzed by community analysis, Malware Analysis checks an antivirus knowledge base to determine if the sample is already known to be malicious. If the file is known to be malicious, NetWitness Suite flags the file to indicate whether a primary antivirus vendor or a secondary antivirus vendor identified the sample. NetWitness Suite classifies vendors as primary and secondary to indicate the level of reputation the vendors have in the industry, and Indicators of Compromise factor the reputation into scoring. For example, detection made solely by secondary antivirus vendors may score less than detection by primary vendors.

Note: When choosing AV vendor software to install on your network, it is highly recommended that you include at least one from NetWitness Suite Primary Vendors list.

 

 

You can identify the antivirus vendors installed on your network to NetWitness Suite. NetWitness Suite compares the antivirus results during community analysis against the results from the installed vendors selected in the AV tab. If a match is detected, the file being analyzed is flagged to indicate that your locally installed primary or secondary antivirus software detected the sample.

The example below shows the community analysis results for a file that had a score of 100. Under Indicators of Compromise, you can see that the file was flagged by the listed AV vendors in the Community. Under AV Vendor Results, NetWitness Suite indicates whether the AV vendors installed in your environment flagged the file as malicious. If your installed AV vendors detected the virus, the name of the malware is displayed. If your installed AV vendors did not detected the virus, --Not detected-- is displayed next the the AV vendor name. Under Not Installed Vendors, you can click + to expand the section and see if other vendors not installed on your system detected the virus.

Identify Installed AV Software

To identify antivirus software installed on your network:

  1. In the main menu, select ADMIN > Services.
  2. Select a Malware Analysis service, and in the row select > View > Config.
  3. In the Service Config View, select the AV tab.
  4. Select the checkbox next to each antivirus vendor (primary and other) whose software is installed on your network.
  5. To save the changes, click Apply.
    The Community Analysis results will indicate whether your software flagged an event.
  6. (Optional) If you want to reset the list of installed AV software to the default value (none), click Reset.
    All selections are removed.
  7. To save changes, click Apply.
You are here
Table of Contents > Malware Analyis Configuration > Step 5. Configure Installed Antivirus Vendors

Attachments

    Outcomes