(Optional) Configure Dedicated Appliance

You can configure the NetWitness operating environment to connect to a NetWitness Malware Analysis service.

Malware Analysis operates as a service on a dedicated Malware Analysis appliance. If your site is using a dedicated appliance, do one of the following:

  • If your site is adding a new dedicated NetWitness Malware Analysis appliance, install the physical appliance in your network and configure the operating environment.
  • If your site is upgrading a dedicated Spectrum appliance to a dedicated NetWitness Malware Analysis appliance, re-image the Spectrum appliance as a Malware Analysis appliance.

Malware Analysis is dependent on the Core infrastructure to operate. The following steps are necessary before Malware Analysis can successfully analyze data.

  1. Configure the onboard Broker on the Malware Analysis appliance to connect another Broker or Concentrator in the existing Core infrastructure.

Note: If no Core infrastructure exists, only manually uploaded files can be analyzed.

  1. Use NetWitness Live to find all Live resources with the malware analysis tag and deploy these resources to each Decoder service that will be capturing traffic for Malware Analysis to analyze. NetWitness uses this proprietary set of parsers and feeds to find events that are likely to be malware.
  2. Configure communications ports. Malware Analysis requires a number of different communications ports to be open, including TCP/443 for HTTPS. These are described below in Network Connections.
  3. Configure the NextGen source to which Malware Analysis will connect. This is the Broker or the Concentrator.
    Malware Analysis is now ready to begin analyzing network traffic.

Network Connections

The inbound and outbound network connections must be configured for the Malware Analysis appliance to properly communicate with services, NetWitness sources for software updates, and other critical information.

Your network firewall must be configured to allow the Malware Analysis access to the internet. Proxy servers may be used to facilitate these connections, if necessary.

Inbound Connections

TCP/22 - Secure Shell access to the Malware Analysis server to review log files and troubleshoot. Access can be limited to IP addresses that will be managing Malware Analysis.

  • TCP/443 - HTTPS web-based connection to access the Malware Analysis user interface.
  • TCP/50008 - JMX port for performance troubleshooting, using an application such as JVisualVM. This is optional and access can be limited to IP addresses that will be managing Malware Analysis.

Outbound Connections

  • TCP/443 - HTTPS connections to SSL-based web servers. Some features include Malware Analysis sending files or documents to servers for analysis, which require a secure connection. Use of a web proxy server is supported.
  • (TCP/443 - SSL connection from Malware Analysis to the NetWitness Cloud. Use of a SOCKS proxy server is supported. Customer infrastructure changes may be required to ensure that 443 is open to cloud.netwitness.com.)
  • TCP/50103 - REST API port used to communicate with a Broker. (NetWitness 10.3.x and earlier)
  • TCP/50105 - REST API port used to communicate with a Concentrator. (NetWitness 10.3.x and earlier)
  • TCP/50003 TCP/56003 - Ports used to communicate with a Broker. (NetWitness 10.4 and later)
  • TCP/50005 TCP/56005 - Ports used to communicate with a Concentrator. (NetWitness 10.4 and later)
  • ICMP - JMS connection from NetWitness to the Malware Analysis service to verify if the hostname and ip address entered is valid for a successful test connection.