Configure General Malware Analysis Settings

You can configure several basic settings required to enable and calibrate the consumption of sessions, manual file upload, and the different scoring modules that Malware Analysis uses to analyze data.

You can also set up file sharing with the data repository. Malware Analysis has three modes of consuming sessions and files. Any combination of the three choices may be used to initiate analysis in Malware Analysis. The choices are:

  • Continuous Polling of the Core service: You can enable and configure continuous polling of the Core service. When enabled and configured, Malware Analysis continuously polls the Core service for sessions tagged for analysis. By default, continuous polling is disabled. You can enable Denial of Service (DOS) attack prevention for use during continuous polling. You can test the connection to the Malware Analysis service that is being continuously polled using an option in the Integration tab.

Note: When adding a Core service as a service for continuous polling on 10.3.5 and earlier Malware Analysis, use the REST port; for example, add a Concentrator to 10.3.5 Malware Analysis with REST port (50105) instead of the native NexGen port (50005).

  • On-Demand Analysis of the Core service: You can analyze sessions based on Investigations initiated directly in NetWitness. This method allows manually controlled consumption of Core sessions and allows tighter control over how files in those sessions are processed (for example, send to sandbox for processing). Document types can bypass the default restrictions and be sent to community or sandbox processing regardless of the configured setting.
  • Manual File Upload: You can manually upload one or more files for analysis by navigating to a visible folder on your computer and selecting files to be uploaded. The maximum size for the uploaded files is configurable.

View the Basic Settings

To view the basic settings:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. In the Services grid, select a Malware Analysis service and click netwitness_macon_settingsicon.png > View > Config.
    The Service Config for the service is displayed with the General tab open.
    122_MaCon_ViewtheBasicSettings_1222.png

Configure Continuous Polling

Malware Analysis is rate limited so that 1,000 files per day may be submitted to ThreatGRID’s Cloud for sandbox processing. To optimize your use of the sandbox, Malware Analysis configuration allows you to choose which of several methods of consumption Malware Analysis uses; you can enable or disable continuous polling.

An important consideration when configuring continuous polling is the Denial of Service (DOS) Prevention parameters. By default this feature is disabled because you need to carefully consider the settings for your environment before enabling the feature.

When DOS Prevention is disabled, Malware Analysis analyzes the queued sessions in first-in first-out order. A DOS attack may rapidly fill the queue so that Malware Analysis is busy handling those sessions, while a malware attack is occurring in a later session. The later session with the actual attack may not reach the beginning of the queue and undergo analysis until after the attack has begun.

When DOS Prevention is enabled, Malware Analysis treats too many sessions from a single IP address as a DOS attack. If an IP address exceeds the Number of Sessions per Rate Window, Malware Analysis begins to disregard sessions from that address until the Session Lockout time is reached. Then Malware Analysis resumes analysis of the sessions from that IP address. The disregarded sessions from the IP address are not analyzed at all, so a malware attack may slip through during the Session Lockout period.

Using the DOS Garbage Collection Interval setting, Malware Analysis clears in-memory storage of an IP source after a specified number of seconds. IP addresses with little activity during this interval are cleared from memory. If an IP address is active at intervals that exceed the DOS Garbage Collection Interval, Malware Analysis may not identify it as a DOS attack.

To configure Malware Analysis for continuous polling, in the Continuous Scan Configuration section:

    1. In the General tab, under Continuous Scan Configuration you can configure continuous polling.
122_MaCon_ContinuousPolling_1222.png
  1. To enable continuous polling, click Enabled.
  2. (Optional) If you want to change the default values for querying, enter new values for the Query Expiry, Query Interval, Meta Limit, and Time Boundary.
  3. To configure the Malware Analysis appliance that Malware Analysis queries to retrieve data for analysis, specify the Source Host and Source Port (NwPort).
  4. (Optional) If you want to change the default logon credentials for the Malware Analysis appliance, specify the Username and User Password.
  5. If you want to use SSL for communication between the Malware Analysis appliance and the Core service, enable SSL.
  6. (Optional) If you want to configure Denial of Service (DOS) prevention:
    • Enable the Denial of Service (DOS) Prevention parameter.
    • Set up the DOS prevention session limitations:
      • Specify the number of seconds of the time window during which Malware Analysis counts sessions for a single IP address (DOS Session Rate Window Length). The window is called a Rate Window and a counter is set when the first session is received from that IP source. The default value is 60 seconds.
      • Specify the number of sessions allowed per Rate Window in the DOS Number Session per Rate Window. The default value is 200 sessions. When the number of sessions is reached within the Rate Window; Malware Analysis begins disregarding sessions from the IP address and the disregarded sessions from that IP are not analyzed at all. Malware Analysis continues to disregard sessions until the lockout time is reached.
      • Specify the length of lockout time (during which sessions from the IP address are disregarded and not analyzed) in the DOS Session Lockout Time (Seconds). The default value is 60 seconds. When the lockout duration has elapsed, Malware Analysis resumes analysis of sessions from that IP address.
      • Specify the interval of inactivity for an IP address before NetWitness removes the in-memory object for the IP source in DOS Garbage Collection Interval (Seconds). The default value is 120 seconds.
  7. Click Apply to apply the changes.
    The applied changes become immediately effective as Malware Analysis receives new packets.
  8. Test the connection of the Malware Analysis service to the Core service selected in the Integration tab by clicking the Test Connection button in the Continuous Scan Connection Test section.

Configure Manual File Upload Settings

To configure the maximum file size for manual file upload:

  1. In the Miscellaneous section, type the maximum file size in Megabytes allowed for files uploaded manually for Malware Analysis scanning.
    netwitness_macon_miscellaneous.png
  2. Click Apply.
    The changes become immediately effective.

Configure the Data Repository

Malware Analysis can store a finite number of files on the appliance. The data repository configuration has a file system retention period of 60 days. This setting determines how long files are retained in the Malware Analysis appliance. When old files are deleted, they cannot be recovered. Every day, Malware Analysis deletes files that exceed the file system retention period to ensure that there is no wasted disk space.

The File System Retention Period is the only setting that governs when files are deleted. Files are not deleted based on the amount of disk space being used. If the setting needs to be changed, the administrator must configure the retention period based on the anticipated space usage during the number of retention days specified.

The visible data repository parameters in the NetWitness user interface are:

  • The location of the repository is /var/lib/netwitness/malware-analytics-server/spectrum. Do not edit this value.
  • The file sharing protocol, which allows access through one of the File Sharing Protocols to copy files from the Malware Analysis service.
  • The file retention period in number of days.

To configure file sharing, in the Repository Configuration section:

  1. Click on the File Sharing Protocol and select FTP or SAMBA or None.
  2. Select the number of days that files are maintained in the repository before deletion.
  3. Click Apply.

The changes become immediately effective.

Calibrate Scoring Modules

The Modules Configuration section helps configure the following components of Malware Analysis to:

  • Completely disable any or all of three scoring modules (Static, Community, and Sandbox). Before disabling or enabling any scoring module, ensure that you understand what each scoring module detects.
  • Malware Analysis tags sessions containing Microsoft Office, Windows PE, and PDF files for consumption by the Malware Analysis service. You can configure Malware Analysis to ignore Windows PE, Microsoft Office, and PDF documents entirely. If this is the case, a better option is to adjust your Core settings to ignore these files so they are not tagged for Malware Analysis consumption.

A sample application for using scoring module calibration is this: when setting up rule groups or analyzing system performance, you can test various scenarios in which PDF documents are not analyzed, but Microsoft Office and Windows PE documents are. You can test the scenario in each of the three scoring modules. If you see a measurable improvement in system performance, you can apply this knowledge on a broader scale.

Configure Static Analysis Scoring

netwitness_macon_staticmodulesconfiguration.png

To configure Static analysis scoring, in the Modules Configuration section:

  1. By default the Static module is enabled. To enable or disable Static analysis entirely, click the Enabled checkbox.
  2. To configure handling of PDF, Microsoft Office, and Windows PE files in a session, select any of the checkboxes Bypass PDF, Bypass Office, and Bypass Executable.
  3. To configure your preference for Authenticode validation of digitally signed Windows PE files, click the Validate Windows PE Authenticate Settings via Cloud checkbox. If you want to prevent Windows PE files that are digitally signed from being transmitted to the NetWitness Cloud for validation, remove the check.
    When disabled, ALL static analysis is performed locally (skipping Authenticode validation). Regardless of this setting, PDF and MS Office documents are not subject to Authenticode validation and are not transmitted over the network during static analysis.
  4. Click Apply.The changes become immediately effective as Malware Analysis receives new packets.

Configure Community Analysis Scoring

Once the Community module is enabled, the security community analyzes all documents not prevented from processing. This is achieved by sending network session and file attributes to the NetWitness Cloud for processing. The NetWitness Cloud then may make external connection to security community partners as needed to process the information.

The file content is never sent to the community for analysis. Instead, the MD5/SHA-1 hash of the file is sent for Anti-Virus detection and Blacklisting. Similarly, session Meta is harvested and analyzed as part of this process. Meta elements such as URL and Domain Name are examined and transmitted to the NetWitness Cloud to identify known bad URLs/Domains.

You can enable Community analysis and limit which document types are processed. There is no risk for the file content (except for a hash) being sent outside of your network.

Note: To gain access to the NetWitness Cloud where processing occurs, you must register your Malware Analysis service with NetWitness customer service. There are two methods: register the service using the options in the Integration tab or contact NetWitness Customer Care.

To configure Community analysis scoring, in the Modules Configuration section:

netwitness_macon_configurecontinuousanalysis.png

  1. To enable or disable Community analysis entirely, click the Enabled checkbox. The default value is Disabled.
  2. To configure handling of PDF, Microsoft Office, and Windows PE files in a session, select the specific checkboxes - bypasspdf, bypass office, bypass executable.
  3. Click Apply to save the changes and put them into effect immediately as Malware Analysis receives new packets.

Configure Sandbox Analysis Scoring

By default, the sandbox module is disabled and MS Office and PDF files are prevented from being processed. The intent is to set to the most restrictive settings to force the user to specify whether or not potentially sensitive information is sent outside of the network for processing. If a document type is not prevented from being processed, the entire file (not just the hash) is sent to the destination sandbox server.

In addition, you can choose to preserve the original file name when performing sandbox analysis.

Note: If you do not specify the Preserve Original File Name when Performing sandbox Analysis parameter, NetWitness hashes the files.

netwitness_macon_configuresandboxanalysis.png

When you enable the sandbox module, you must specify whether or not the sandbox processing is performed using a local GFI sandbox, a local ThreatGRID sandbox, or a cloud version of the ThreatGRID sandbox. The cloud version of the ThreatGRID sandbox is provided directly by ThreatGRID and requires an activation key to be obtained from ThreatGRID and configured in the ThreatGRID tab.

GFI Sandbox Settings

To use a locally installed GFI sandbox, you must enable GFI and supply the Server Name and Server Port of the GFI sandbox Server. The Max Poll Period and Polling Interval determine how long to wait for a submitted sample to finish processing and how often to check the status (in seconds). The Ignore Web Proxy Settings option allows you to indicate that you want Malware Analysis to bypass a web proxy when making this connection. If no Web Proxy has been configured in Malware Analysis, the setting is ignored.

netwitness_macon_gfisandbox.png

ThreatGRID Sandbox Settings

Note: Before enabling ThreatGRID scoring, a ThreatGRID-supplied Service Key must be configured so that ThreatGRID can recognize that samples submitted from this site are legitimate. Use NetWitness to register for a ThreatGRID API key, then you can enable and configure a locally installed ThreatGRID sandbox or the ThreatGRID Cloud sandbox. Refer to the following detailed task: Register for a ThreatGRID API Key.

The Ignore Web Proxy Settings allows you to indicate that you want Malware Analysis to bypass a web proxy when making this connection. If no Web Proxy has been configured in Malware Analysis, the setting is ignored.

To configure sandbox scoring, in the Modules Configuration section:

  1. To enable or disable sandbox analysis entirely, click the Enabled checkbox. The default value is Disabled.
  2. To configure handling of PDF, Microsoft Office, and Windows PE files in a session, select any of the three checkboxes Bypass PDF, Bypass Office, Bypass Executable.
  3. Configure the active sandbox vendor. You have three options:
    1. To use a locally installed instance of the GFI sandbox, provide the Server Name and Server Port of the GFI sandbox Server, the Max Poll Period and Polling Interval, and optionally, select the Ignore Web Proxy checkbox.
    2. To use a locally installed instance of ThreatGRID, enable ThreatGRID scoring, provide the ThreatGRID Service Key and optionally, select the Ignore Web Proxy checkbox.
    3. To use the ThreatGRID Cloud, you must first register for a ThreatGRID API key. Then enable ThreatGRID scoring, provide the ThreatGRID Service Key, enter the URL for the ThreatGRID server (https://panacea.threatgrid.com), and optionally, select the Ignore Web Proxy checkbox.
  4. Click Apply.
    The changes become immediately effective.