Article Number
000002343
Applies To
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Malware Analysis Server
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9
Issue
Customer cannot find a Malware Analysis event for sessions carrying the spectrum.consume tag.
Cause
Malware Analysis only generates an event when the analysis and scoring reach a threshold. The default threshold is:
- Malware Analysis - 41 (The Malware Analysis event is generated only if at least one of the Static, Network, Community or Sandbox scores is greater than or equal to this threshold)
The threshold is defined in the setting below and can be modified. Once the setting is modified, the Malware Analysis service must be restarted.
- Filepath : /var/netwitness/malware-analytics-server/spectrum/conf/eventJobConfig.xml
- Parameter : eventRetentionScoreThreshold (Default : 41)
[root@MalwareAnalysis ~]# cat /var/netwitness/malware-analytics-server/spectrum/conf/eventJobConfig.xml
<config>
<shapeCode>gNEo/xPKabD1Hx0sKj3UpaIHhlzil/5+oPLZseEKrUQ=</shapeCode>
<shapeMap/>
<staticScoreThreshold>0.0</staticScoreThreshold>
<communityScoreThreshold>0.0</communityScoreThreshold>
<sandboxScoreThreshold>50.0</sandboxScoreThreshold>
<eventRetentionScoreThreshold>41.0</eventRetentionScoreThreshold>
<sessionHighWaterMark>10000</sessionHighWaterMark>
Resolution
How to change eventRetentionScoreThreshold
- SSH to Malware Analysis
- # vi /var/netwitness/malware-analytics-server/spectrum/conf/eventJobConfig.xml
- Change the value of eventRetentionScoreThreshold
- Save and Exit the text editor
- # systemctl restart rsa-nw-malware-analytics-server
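The procedure above, as an added example that is not part of the KB article or the NetWitness product: a POSIX shell helper that reads and rewrites eventRetentionScoreThreshold in eventJobConfig.xml, keeping a timestamped backup and confirming the new value was written before the service is restarted. It also includes a small check that mirrors the retention rule from the Cause section (an event is kept only if at least one of the four scores reaches the threshold). The file path and service name are the ones given in this article; the function names, the validation rules and the sample XML used when testing are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not NetWitness code. Adjusts eventRetentionScoreThreshold in
# eventJobConfig.xml with a backup and a read-back check, then restarts the
# Malware Analysis service. Path and unit name are taken from the article.
CONF_DEFAULT=/var/netwitness/malware-analytics-server/spectrum/conf/eventJobConfig.xml
SERVICE=rsa-nw-malware-analytics-server

# get_threshold FILE -> prints the current eventRetentionScoreThreshold value
get_threshold() {
    sed -n 's:.*<eventRetentionScoreThreshold>\([0-9.]*\)</eventRetentionScoreThreshold>.*:\1:p' "$1"
}

# set_threshold FILE VALUE -> rewrites the value in place and verifies it.
# VALUE must be a plain decimal (digits with at most one dot); anything else
# is rejected before the file is touched. Returns non-zero on any failure.
set_threshold() {
    file=$1
    value=$2
    case $value in
        ''|*[!0-9.]*|*.*.*) echo "invalid threshold: $value" >&2; return 1 ;;
    esac
    # Keep a dated copy so the change can be rolled back.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Write through a temp file, then overwrite the original's contents so
    # ownership and mode of the config file are preserved.
    sed "s:<eventRetentionScoreThreshold>[0-9.]*</eventRetentionScoreThreshold>:<eventRetentionScoreThreshold>$value</eventRetentionScoreThreshold>:" \
        "$file" > "$file.tmp" || return 1
    cat "$file.tmp" > "$file" && rm -f "$file.tmp" || return 1
    # Read the value back; a mismatch means the element was not found.
    [ "$(get_threshold "$file")" = "$value" ]
}

# event_generated THRESHOLD SCORE... -> succeeds if any score >= THRESHOLD.
# This is the rule from the Cause section: one of the Static, Network,
# Community or Sandbox scores must reach the retention threshold.
event_generated() {
    t=$1
    shift
    for s in "$@"; do
        awk -v s="$s" -v t="$t" 'BEGIN { exit !(s >= t) }' && return 0
    done
    return 1
}

# restart_service -> restarts the Malware Analysis service and reports state
restart_service() {
    systemctl restart "$SERVICE" || return 1
    systemctl is-active "$SERVICE"
}

# Usage: sh set_ma_threshold.sh NEW_VALUE [CONFIG_FILE]
# Only runs when a value is given on the command line.
if [ $# -ge 1 ]; then
    conf=${2:-$CONF_DEFAULT}
    echo "current eventRetentionScoreThreshold: $(get_threshold "$conf")"
    set_threshold "$conf" "$1" || exit 1
    echo "new eventRetentionScoreThreshold: $(get_threshold "$conf")"
    restart_service
fi
```

Run it as root on the Malware Analysis host with the new threshold as the first argument; the backup file lands next to eventJobConfig.xml. The event_generated helper is useful when deciding on a value: feed it the four scores of a session that produced no event and the candidate threshold to see whether the lower value would have retained it.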
Workaround
Note that an ad hoc scan of an uploaded file (on-demand scanning) supersedes the eventRetentionScoreThreshold setting, so you can check the scores without changing the setting.
Refer to the community article for details on how to perform an ad hoc scan on Malware Analysis.