MA: Basic Setup

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Sep 19, 2017.
Version 2

Malware Analysis can operate as a service on a Decoder or as a service on a dedicated appliance. This guide includes instructions for setting up the operating environment and then configuring the Malware Analysis service. After this configuration is complete, analysts can conduct malware analyses.

These are the required configuration steps for Malware Analysis; follow them both for the initial configuration and when editing an existing configuration. Perform the steps in this section in the sequence given.

Basic Configuration Checklist

The following checklist provides the sequence for tasks that are required to configure Malware Analysis that has been added to NetWitness Suite in accordance with the Hosts and Services Guide.

Step | High-Level Task

Step 1 - Configure Malware Analysis Operating Environment

This topic describes the procedures for configuring the environment to connect to the Malware Analysis service.

Step 2 - Add Malware Analysis Host and Service

Note: To complete this step you must have the NetWitness Suite License Server set up as described in the Licensing Guide.

In NetWitness Suite, create a Malware Analysis service and activate the license. The default REST port is 60007. Sites that are using the free version of Malware Analysis must configure the service IP address as localhost or loopback.

Step 3 - Configure General Malware Analysis Settings

Configure the general settings for Malware Analysis.

  • Enable continuous polling.
  • Configure the manual file upload limit.
  • Configure the file storage repository and database.
  • Calibrate the Static, Network, Community, and Sandbox scoring modules.

Step 4 - Configure Indicators of Compromise

Calibrate Indicators of Compromise that are applied for each scoring module (Static, Network, Community, Sandbox) and for YARA-based IOCs.

Step 5 - Configure Installed Antivirus Vendors

Configure the antivirus vendors that you have installed.

Step 6 - Enable Community Scoring

Register with the RSA cloud and test connections to enable Community scoring.

Step 7 - Configure Auditing on Malware Analysis Host (Optional)

Configure auditing thresholds and enable syslog, SNMP, and file auditing.

Step 8 - Configure Hash Filter (Optional)

Configure hash filtering to fine tune Malware Analysis event analysis based on known good or bad file hashes.

Step 9 - Configure Malware Analysis Proxy Settings (Optional)

(Optional) Configure Malware Analysis to communicate with the RSA Cloud through a web proxy instead of directly.

Step 10 - Register for a ThreatGrid API Key (Optional)

(Optional) Register for a ThreatGrid API key.
