Article Number
000031847
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.4.1.1
Platform: CentOS
O/S Version: EL6
Issue
The Sandbox module in the Malware Analysis tool is not populating with any numbers. The following error message is seen in spectrum:
2015-11-02 14:39:30,358 [nextGenEventExecutor-18(ModuleTask@2b4e6e5f <IP_Address>:56003/65503783756)]
ERROR com.netwitness.api.services.result.EvaluationContext -
Exception raised while evaluating event 65503783756 : java.security.ProviderException: java.security.KeyException
Cause
This error occurs when the installed Java version is not correct.
Resolution
To resolve the error, download the correct version of Java associated with that specific version of Security Analytics by following the instructions below.
- Download the correct Java rpm package, java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm from the Red Hat Customer Portal.
- Stop the rsaMalwareDevice service:
stop rsaMalwareDevice
- Install the rpm package:
rpm -ivh java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm --force
- Once this has been completed, remove the Java version that is installed and causing the error on the Malware Analysis module:
rpm -evh java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_7.x86_64
- Connect to the Security Analytics server via SSH as the root user.
- Modify the file /etc/puppet/modules/java/manifests/init.pp and comment out the line ensure => latest, as shown below.
package {
"java-1.7.0-openjdk" :
ensure => installed,
#ensure => latest,
}
When latest is specified, Puppet installs a package if it is absent and upgrades it to a newer version when one becomes available. In this instance, an older version needs to be installed, so the ensure => latest line is commented out. This prevents the Java package from reverting back to its original version and uses the version that is currently installed.
- Perform a puppet catalog run on the Malware Analysis appliance.
puppet agent -t
- Start the rsaMalwareDevice service again.
start rsaMalwareDevice
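The following check is an added example, not part of the original RSA article: it confirms the outcome of the steps above, namely that only the el6_6 build named in the article is installed and that no active ensure => latest remains in the manifest. The function names and the sample manifest are constructed for illustration.

```bash
# Added verification sketch; function names are hypothetical, not RSA tooling.
EXPECTED_PKG="java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64"   # build named in the article

# Constructed sample manifest (not from a real appliance): $1 = "pinned" or "latest".
sample_manifest() {
    local hash=""
    [ "$1" = "pinned" ] && hash="#"
    printf 'package {\n  "java-1.7.0-openjdk" :\n    ensure => installed,\n    %sensure => latest,\n}\n' "$hash"
}

# Returns 0 when the manifest has no active "ensure => latest",
# 1 when one is still active, 2 when the file cannot be read.
manifest_is_pinned() {
    local manifest="$1"
    [ -r "$manifest" ] || return 2
    # Strip '#' comments first so a commented-out line does not count.
    if sed 's/#.*//' "$manifest" | grep -Eq 'ensure[[:space:]]*=>[[:space:]]*latest'; then
        return 1
    fi
    return 0
}

# $1 is the output of `rpm -q java-1.7.0-openjdk` (one package per line).
# Returns 0 only when the expected build is the single installed build,
# so a leftover el6_7 package next to el6_6 is reported as a failure.
java_build_ok() {
    [ "$1" = "$EXPECTED_PKG" ]
}

# Run on the appliance after the last step; the manifest path is the one from the article.
check_appliance() {
    local manifest="${1:-/etc/puppet/modules/java/manifests/init.pp}"
    local installed
    installed="$(rpm -q java-1.7.0-openjdk 2>/dev/null)"
    java_build_ok "$installed" || { echo "unexpected Java build(s): $installed"; return 1; }
    manifest_is_pinned "$manifest" || { echo "ensure => latest is still active in $manifest"; return 1; }
    echo "OK: $EXPECTED_PKG installed and pinned"
}
```

Source the file and call check_appliance after the puppet agent -t run to confirm the catalog run did not upgrade the package again.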
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Workaround
Sometimes just having a package present isn't enough. You also want to ensure it stays up to date. By specifying latest, Puppet will install a package if absent and upgrade the package to newer versions when they become available. This last part is where latest differs from installed.