NetWitness Community

RomanZeltser · ‎2017-05-12

I have been told that enVision is outdated product, and there is no path to upgrade it. We have it disabled. If this is a case, why do we need IPDB active if enVision is not needed anymore?IPDB works together with enVision by taking the data from it and helping to create the reporting.

If I am correct about enVision, what should be done to disable IPDB and Health and Wellness alert messages (I can't delete it from there)?

NaushadKasu1 · ‎2017-05-12

The reason nwipdbextractor exists is because although enVision is end-of-life, it will have a lot of data for customers that they need to retain for compliance reasons (3 years, 5 years etc..). So, until that time passes, it may be required for that data to be not only stored but also queried where the nwipdbextractor comes in.

If you want to get rid of the binary on the system, see below. If you want to not see those alarms, you can go into H&W and disable that alarm under the Hosts section of H&W Policies.

You can also disable nwipdbextractor using the following steps but after upgrade, the changes will be overwritten and steps below will have to be re-applied:

·        stop nwipdbextractor (this takes several minutes to complete.)
·        yum erase nwipdbextractor
·        rm -f /etc/collectd.d/NwIPDBExtractor.conf
·        service collectd restart

RomanZeltser · ‎2017-05-12

Thank you very much. Since we have no data for compliance reason (I had to rebuild the system over after the disaster recovery), it makes sense to remove IPDB. Your instruction on how to do it is appreciated, too.

===============

Roman Zeltser, CISSP

Sr. IM Security Analyst

CDR Associates

307 International Circle

Suite 300

Hunt Valley, MD 21030

P: 410-560-2269 x.1261

rzeltser@cdrassociates.com<mailto:rzeltser@cdrassociates.com>

ThomasFedorchuk · ‎2017-05-12

Also, along with the comments from Naushad above you should remove the ipdbextractor service from the "mongo puppet" database. This KB article explains the process.

https://community.rsa.com/docs/DOC-46084

RomanZeltser · ‎2017-05-12

It is helpful. Thanks.

I have executed what you have suggested. So far, the server reports the missed malware-analysis-solo class...

RomanZeltser · ‎2017-05-12

The IPDB Alert is still visible in the Health & Wellness:

RomanZeltser · ‎2017-05-12

Thomas,

I see the following messages in the monitored log:

what does it mean?

NaushadKasu1 · ‎2017-05-12

Go to Admin -> Health & Wellness -> Policies -> IPDB Extractor (policy in the left panel) and disable the alerting.

NaushadKasu1 · ‎2017-05-12

This is a bug in extra audit logging that will be fixed in 10.6.3.1 or 10.6.4.0 (I forgot which build but expected to be fixed in future). Safe to ignore for now.

ThomasFedorchuk · ‎2017-05-12

It looks like you cut/pasted the command into your ssh window and the dash in between "reporting" and "engine" got dropped... you'll need to re-do the command but make sure all the character from the article are in the command..

/etc/puppet/scripts/addService.py db51aab5-5071-480f-93af-6bfb32e24816 reporting-engine,saserver,appliance,incident-management,malware-analysis-colo,broker

NetWitness Community

enVision confusion