000036229 - Malware Analysis Time difference issue depending on OS timezone configuration in RSA Security Analytics 10.6.x

Document created by RSA Customer Support Employee on Apr 11, 2018
Last modified by RSA Customer Support Employee on Apr 21, 2018
Version 2

Article Content

Article Number
000036229

Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Malware Analysis, User Interface, NetWitness Admin Server
RSA Version/Condition: 10.6.x

Issue
If the Security Analytics Server and Malware Analysis OS timezones are not configured as UTC, the "time meta-value" shown in Investigation differs from the "time meta-value" shown in the Malware GUI.
With the OS timezone set to KST (Korea Standard Time), there is a 30-minute difference in the time meta-value between Investigation and the Malware GUI, as shown below.

Malware UI
User-added image

Investigation UI
User-added image

Cause
This is because the RSA Security Analytics Server and Malware Analysis OS timezones are not configured to use UTC, as shown in the example below.

# date
Mon Apr  9 14:23:39 KST 2018
# ls -ltr /etc/localtime
lrwxrwxrwx. 1 root root 30 Mar 15 09:33 /etc/localtime -> /usr/share/zoneinfo/Asia/Seoul


 
Resolution
To fix this issue, change the RSA Security Analytics Server and Malware Analysis OS timezones to UTC.

Workaround
If the customer does not allow the current OS timezone to be changed, follow these steps to fix this issue.
  1. Connect to the Malware Analysis appliance via SSH.
     
  2. Add the following option ("-Duser.timezone=UTC") at the start of the JAVA_OPTS variable in /etc/init/rsaMalwareDevice.conf as shown below.
     
    User-added image
  3. Restart the Malware Analysis service.

    # stop rsaMalwareDevice
    # start rsaMalwareDevice


After the above steps, the time difference issue will be resolved.
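
As an added example (not RSA's own tooling), the shell functions below check the two conditions this article describes: whether /etc/localtime points at UTC, and whether an active JAVA_OPTS line in /etc/init/rsaMalwareDevice.conf carries -Duser.timezone=UTC. The function names are hypothetical, and matching on lines containing `JAVA_OPTS=` is an assumption, since the article shows the file only as a screenshot.

```shell
#!/bin/sh
# Added example: audit the timezone conditions from this article.
# Function names are hypothetical; paths default to those in the article.

# tz_is_utc LOCALTIME -> 0 if the symlink targets a UTC zone file,
# 1 if it targets another zone, 2 if it is missing or not a symlink.
tz_is_utc() {
    target=$(readlink "$1" 2>/dev/null) || return 2
    case "$target" in
        */zoneinfo/UTC|*/zoneinfo/Etc/UTC) return 0 ;;
        *) return 1 ;;
    esac
}

# java_opts_force_utc CONF -> 0 if an active (non-comment) JAVA_OPTS line
# carries -Duser.timezone=UTC, 1 if not, 2 if no such line can be read.
# Assumption: the variable is set on a line containing "JAVA_OPTS=".
java_opts_force_utc() {
    [ -r "$1" ] || return 2
    lines=$(grep -v '^[[:space:]]*#' "$1" | grep 'JAVA_OPTS=') || return 2
    # Require the value to end at UTC so "UTC+9" or "UTCx" do not pass.
    printf '%s\n' "$lines" |
        grep -Eq -- '-Duser\.timezone=UTC([^A-Za-z0-9_/+-]|$)'
}

# audit_tz [LOCALTIME] [CONF] -> 0 if the OS is on UTC (the resolution) or
# the JVM is forced to UTC (the workaround), 1 otherwise.
audit_tz() {
    localtime=${1:-/etc/localtime}
    conf=${2:-/etc/init/rsaMalwareDevice.conf}
    if tz_is_utc "$localtime"; then
        echo "OK: OS timezone is UTC ($localtime)"
        return 0
    fi
    zone=$(readlink "$localtime" 2>/dev/null || echo unknown)
    echo "NOTE: OS timezone is not UTC: $zone"
    if java_opts_force_utc "$conf"; then
        echo "OK: JAVA_OPTS in $conf sets -Duser.timezone=UTC"
        return 0
    fi
    echo "FAIL: neither the OS nor JAVA_OPTS in $conf is set to UTC"
    return 1
}

# Usage on the Malware Analysis appliance:  audit_tz
```

After editing the file, the service still has to be restarted as in step 3 before the running JVM picks up the option; this check only reads the configuration on disk.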
