The problem is now fixed, here are the steps you need to take in order for malware analysis to work:
- Deploy all available Live resources for Malware analysis. The target is every packet decoder you plan to include in malware monitoring.
- Add packet concentrator / broker to the Malware analysis broker
- Know / change the password for every service - concentrators, brokers and the malware services
- In the continuous monitoring configuration, we've pointed the Malware broker service at port 50003 (56003 for SSL).
- In order for the Integration -> Test connection button to succeed, all of the above steps PLUS actively incoming packet sessions must be present.
Bonus problems we've encountered:
If a local Threat Grid appliance is installed, import the certificate from its console website (IP) to the Malware server.
Original post below
I'm having issues configuring a Malware Analytics server for Continuous Monitoring.
I have a Packet Concentrator that I want to be monitored for files being transferred.
Files then should be automatically scanned by Malware Analytics.
On the first step to configure Continuous Scan, we provided the IP of the Packet Concentrator, its port 50005 and its service account.
I successfully used the same account to connect the Packet Decoder to the Concentrator, the Concentrator to the Malware Broker.
When we test the Integration connection, the following error appears:
Fail to establish a connection to the core device.
Checking the logs, an "Invalid username or password" error appears.
We changed the password (Service -> Security tab) on both Malware Analytics and Packet Concentrator services, both were restarted.
Using SSL seems to stop the error log but still no connection is established.
We tried with a new account created on the Packet Concentrator, still the same error.
Otherwise the manual upload and static analysis works just fine.
Can you give us some insight on what might be the problem?
Attached are screenshots of Malware Analytics & Broker configurations and logged errors.