Article Number
000033678
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6
Issue
Customer cannot find a Malware Analysis event although the session was tagged with spectrum.consume.
Cause
Malware Analysis only generates event data when the analysis scores are at or above a threshold; the default threshold is:
- Malware Analysis - 41 (the Malware Analysis event is generated only if at least one of the Static, Network, Community or Sandbox scores is greater than or equal to this threshold)
The threshold is defined in the setting below, which can be modified. Once the setting is modified, the Malware Analysis service must be restarted.
- Filepath : /var/lib/rsamalware/spectrum/conf/eventJobConfig.xml
- Parameter : eventRetentionScoreThreshold (Default : 41)
[root@MA ~]# cat /var/lib/rsamalware/spectrum/conf/eventJobConfig.xml
<config>
<staticScoreThreshold>0.0</staticScoreThreshold>
<communityScoreThreshold>0.0</communityScoreThreshold>
<sandboxScoreThreshold>50.0</sandboxScoreThreshold>
<eventRetentionScoreThreshold>41.0</eventRetentionScoreThreshold>
<sessionHighWaterMark>10000</sessionHighWaterMark>
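As an added example that is not part of the article, the following Python script parses a constructed copy of eventJobConfig.xml (the article's own listing is cut off) and applies the retention rule described above to a few constructed session scores, showing which tagged sessions would produce a Malware Analysis event and which would silently be dropped. The session ids and score values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of eventJobConfig.xml using the keys shown in the article;
# the closing </config> tag is assumed, since the article's listing is truncated.
SAMPLE_CONFIG = """<config>
<staticScoreThreshold>0.0</staticScoreThreshold>
<communityScoreThreshold>0.0</communityScoreThreshold>
<sandboxScoreThreshold>50.0</sandboxScoreThreshold>
<eventRetentionScoreThreshold>41.0</eventRetentionScoreThreshold>
<sessionHighWaterMark>10000</sessionHighWaterMark>
</config>"""

# The four score types the article says are compared against the threshold.
SCORE_KEYS = ("static", "network", "community", "sandbox")


def load_retention_threshold(xml_text):
    """Read eventRetentionScoreThreshold from the config text (41.0 is the documented default)."""
    root = ET.fromstring(xml_text)
    node = root.find("eventRetentionScoreThreshold")
    return float(node.text) if node is not None else 41.0


def event_is_retained(scores, threshold):
    """Retention rule from the article: keep the event if ANY of the four scores
    is greater than or equal to the retention threshold."""
    return any(scores.get(key, 0.0) >= threshold for key in SCORE_KEYS)


def explain_sessions(sessions, xml_text=SAMPLE_CONFIG):
    """Return {session_id: 'retained' | 'dropped'} for each tagged session."""
    threshold = load_retention_threshold(xml_text)
    return {sid: ("retained" if event_is_retained(s, threshold) else "dropped")
            for sid, s in sessions.items()}


# Constructed sample sessions; all are assumed to carry the spectrum.consume tag.
SESSIONS = {
    "sess-1": {"static": 10.0, "network": 5.0, "community": 0.0, "sandbox": 0.0},
    "sess-2": {"static": 41.0, "network": 0.0, "community": 0.0, "sandbox": 0.0},
    "sess-3": {"static": 20.0, "network": 30.0, "community": 40.9, "sandbox": 12.0},
}

if __name__ == "__main__":
    for sid, verdict in explain_sessions(SESSIONS).items():
        print(sid, verdict)
```

sess-3 is the case the article's customer would hit: every score is just under 41, so no event exists even though the session was tagged.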
Resolution
How to change eventRetentionScoreThreshold
- SSH to Malware Analysis
- # vi /var/lib/rsamalware/spectrum/conf/eventJobConfig.xml
- Change the value of eventRetentionScoreThreshold
- Save and Exit the text editor
- # restart rsaMalwareDevice
Workaround
Note that an ad hoc scan of an uploaded file (on-demand scanning) supersedes the eventRetentionScoreThreshold setting, so you can check the scores without changing the setting.
Refer
See the sadocs page for details of the ad hoc scan on Malware Analysis.