Services Config View - General Tab

This topic introduces the configuration settings in the Service Config view > General tab for Malware Analysis, which has parameters specific to the Malware Analysis service. In this tab, you can configure:

  • The processing parameters for Core services that are capturing data.
  • The repository for captured data.
  • The static, community, and sandbox scoring categories used to analyze the data.

Workflow

[Image: netwitness_113_malware_configworkflow_step3.png]

What do you want to do?

All of these tasks are performed by the Administrator role; each entry is also the title of the procedure that shows you how.

  • Configure General Malware Analysis Settings*
  • Configure Indicators of Compromise
  • (Optional) Configure Auditing on Malware Analysis Host
  • (Optional) Configure Hash Filter
  • Configure Installed Antivirus Vendors
  • (Optional) Configure Malware Analysis Proxy Settings
  • (Optional) Register for a ThreatGRID API Key
  • Enable Community Analysis

*You can perform this task in the current view.

Quick Look

This is an example of the General tab.

[Image: netwitness_gnrltab.png]

1  The General tab.
2  The Continuous Scan Configuration section.
3  The Repository Configuration section.
4  The Miscellaneous section.
5  The Modules Configuration section.

This tab has four sections: Continuous Scan Configuration, Repository Configuration, Miscellaneous, and Modules Configuration.

Continuous Scan Configuration Section

[Image: netwitness_104contscanconfig.png]

This table describes the features of the Continuous Scan Configuration section.

Enabled
Enables or completely disables continuous polling of the Core service. By default this is not selected (disabled); until it is enabled, Malware Analysis does not pull any sessions for analysis.

Query
While the Decoder analyzes network traffic, it creates a meta field called content with the value spectrum.consume in sessions that are likely to contain malware. By default, Malware Analysis analyzes only events that carry this meta value. By changing this query, you can make Malware Analysis analyze other kinds of events.
Making the query too broad may force Malware Analysis to analyze too many events, causing it to fall behind or perform poorly.
The default query is select * where content='spectrum.consume'

Query Expiry
When Malware Analysis queries the Core service for meta, it normally gets a result back within a few seconds. If there is a problem, such as a network connectivity issue, Malware Analysis abandons the query after this amount of time.
The default value is 3600 seconds.

Query Interval
How often, in minutes, Malware Analysis queries for new session meta and files.

Meta Limit
Each time Malware Analysis queries the Core service, it pulls at most this much meta. Together with the Query Interval, this setting bounds the load Malware Analysis places on the Core infrastructure and the rate at which it can keep up with new sessions.
The default value is 25000.

Time Boundary
Malware Analysis analyzes only sessions that occurred after the Time Boundary. This setting matters most when installing a new Malware Analysis appliance, because it determines how far back in time analysis begins. Setting the boundary too far in the past may cause Malware Analysis to analyze too many historical events, causing a long delay before you see traffic that is happening in real time.
The default value is 24 hours.

Source Host
The IP address or hostname of the Core service that Malware Analysis queries to retrieve its data for analysis (not the Malware Analysis appliance itself). Do not use localhost as the source host. Depending on the appliance model and the layout of the NetWitness infrastructure, this source host can vary.

Note: When you change the host name or IP address of the Core service, re-add the Source Host in the Malware Service config page and restart the service for the change to take effect.

Source Port
Malware Analysis communicates with the NetWitness infrastructure through the REST service listening on this port. The port number depends on the type of Core service used as the Source Host and is the same port listed among the outbound connections for that Core service. Any firewall between the two hosts must permit the connection from Malware Analysis to this port.

Username
The account Malware Analysis uses to authenticate to the Source Host each time it queries for data. The default value is admin. In most cases this is the same account used to access the Core service through NetWitness, but it is recommended to create a separate account on the Core service dedicated to Malware Analysis, granted only the permissions it needs to run the query, so that its credentials can be rotated or revoked without affecting other users.

User Password
Password for the account above. The default value is netwitness. Change the published default credentials on the Core service before putting the appliance into service.

SSL
Use SSL when communicating with Core. Check this option if Malware Analysis uses an SSL connection to the Core service. The default value is unchecked; with SSL off, the REST traffic between Malware Analysis and the Core service, including the authentication above and the retrieved meta, is not encrypted in transit.

Denial of Service (DOS) Prevention
The Denial of Service Prevention feature provides safeguards against malware that intentionally generates high volumes of network connections between two endpoints carrying Windows PE content. Generating a high volume of connections artificially inflates the amount of traffic that security services monitoring the network must consume and analyze, resulting in a denial of service against the analysis itself. This feature identifies such sessions so that analysis processing can disregard them.
The default value is unchecked.

The three DOS parameters below work together. Malware Analysis counts the sessions established by a single source IP address within a time frame of DOS Session Rate Window Length (Seconds). If the count exceeds DOS Number Sessions per Rate Window within that time frame, Malware Analysis identifies the activity as a Denial of Service attempt and disregards traffic from that IP address for DOS Session Lockout Time (Seconds). Note that every session from a locked-out address is skipped for the lockout period, including any genuine malware transfer, so tune the thresholds to the session rates your busiest legitimate hosts actually produce.

DOS Session Rate Window Length (Seconds)
Length of the time frame over which sessions from a single IP address are counted.
The default value is 60 seconds.

DOS Number Sessions per Rate Window
Number of sessions from a single IP address within one rate window above which the activity is identified as a Denial of Service attempt.
The default value is 200 sessions.

DOS Session Lockout Time (Seconds)
How long, after a Denial of Service attempt is identified, sessions from the offending IP address are disregarded.
The default value is 60 seconds.

DOS Garbage Collection Interval (Seconds)
How often garbage collection runs on the internal memory structure used to track Denial of Service attempts.
If memory usage is abnormally high, decrease this setting to free unused memory more often. If CPU usage is abnormally high, increase this setting to reduce processing overhead (at the expense of memory usage).
The default value is 120 seconds.
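The following is an added example, not NetWitness code, that models how the four DOS parameters interact: a per-source sliding window of session timestamps, a lockout once the window count exceeds the threshold, and a periodic garbage collection that discards idle tracking state. The tracker class, the sample session list (constructed here, with two made-up addresses) and the replay function are all hypothetical; the defaults match the values stated in the table above.

```python
from collections import defaultdict, deque


class DosTracker:
    """Hypothetical model (not NetWitness code) of the DOS prevention parameters.

    Sessions are counted per source IP inside a sliding window of window_seconds;
    exceeding max_sessions in one window locks that IP out for lockout_seconds,
    and a periodic garbage collection drops idle tracking state.
    """

    def __init__(self, window_seconds=60, max_sessions=200,
                 lockout_seconds=60, gc_interval_seconds=120):
        self.window = window_seconds
        self.max_sessions = max_sessions
        self.lockout = lockout_seconds
        self.gc_interval = gc_interval_seconds
        self.sessions = defaultdict(deque)   # src_ip -> session timestamps in the window
        self.locked_until = {}               # src_ip -> time at which the lockout expires
        self._last_gc = 0.0

    def should_analyze(self, src_ip, ts):
        """Return True if the session seen at time ts from src_ip should be analyzed."""
        self._maybe_gc(ts)
        until = self.locked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return False                 # still locked out: disregard the session
            del self.locked_until[src_ip]    # lockout expired, start counting again
        window = self.sessions[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()                 # drop sessions older than the rate window
        if len(window) > self.max_sessions:  # count "exceeds" the per-window limit
            self.locked_until[src_ip] = ts + self.lockout
            window.clear()
            return False
        return True

    def _maybe_gc(self, ts):
        """Free tracking state for idle IPs and expired lockouts, every gc_interval."""
        if ts - self._last_gc < self.gc_interval:
            return
        self._last_gc = ts
        for ip in list(self.sessions):
            window = self.sessions[ip]
            while window and ts - window[0] > self.window:
                window.popleft()
            if not window:
                del self.sessions[ip]
        for ip, until in list(self.locked_until.items()):
            if ts >= until:
                del self.locked_until[ip]

    def tracked_ips(self):
        """IPs that still occupy memory in the tracking structure."""
        return set(self.sessions)


NOISY, QUIET = "10.0.0.5", "10.0.0.9"   # constructed addresses
# Constructed sample: one host opens 250 sessions in 25 seconds (10 per second),
# then one more while locked out, one after the lockout expires, and one much
# later; a second host opens 10 sessions spread over 50 seconds.
SAMPLE_SESSIONS = (
    [(i // 10, NOISY) for i in range(250)]
    + [(5 * k, QUIET) for k in range(1, 11)]
    + [(70, NOISY), (90, NOISY), (200, NOISY)]
)


def simulate(sessions, tracker=None):
    """Replay (timestamp, src_ip) sessions; return ({src_ip: (analyzed, disregarded)}, tracker)."""
    tracker = tracker or DosTracker()
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(sessions):
        counts[ip][0 if tracker.should_analyze(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}, tracker


if __name__ == "__main__":
    result, tracker = simulate(SAMPLE_SESSIONS)
    print(result)                  # {'10.0.0.5': (202, 51), '10.0.0.9': (10, 0)}
    print(tracker.tracked_ips())   # {'10.0.0.5'}: GC at t=200 dropped the idle host
```

The replay shows the trade-off described above: the 201st session inside the 60-second window trips the lockout, and everything the noisy host sends for the next 60 seconds is skipped, whether or not it is the PE-carrying traffic the feature targets. The quiet host is never affected, and its state is reclaimed by the first garbage-collection pass once it has been idle longer than the window.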

Repository Configuration Section

[Image: netwitness_104mwarepositconfig.png]

Malware Analysis stores all of the files that are analyzed for future use. These files can be downloaded through the user interface or accessed via one of the file sharing protocols.

This table describes the features of the Repository Configuration section.

Directory Path
All files are stored in the following directory on the Malware Analysis appliance:
/var/lib/netwitness/spectrum

File Sharing Protocol
Possible values are FTP, SAMBA, and None. Enabling FTP access or SAMBA file sharing lets a user reach the stored files on the Malware Analysis appliance from a remote location. No credentials are required to access these files, so anyone who can reach the appliance on the share's port can read every sample in the repository, including live malware. Leave this set to None unless remote access is needed, and restrict access to the share with a firewall if you do enable it. The port required for FTP access is TCP/21. The default file sharing protocol is None.

Retention (in days)
Malware Analysis keeps files in the repository for the specified number of days and then deletes them. The default value is 60 days.

Miscellaneous Configuration Section (10.3 SP2 and Later)

[Image: netwitness_macon_miscellaneous.png]

This table describes the features of the Miscellaneous Configuration section.

Maximum File Size
Limits the size of each file that you can upload manually for scanning. This parameter applies to the feature described in "Upload Files for Malware Scanning" in the Investigation and Malware Analysis Configuration Guide. Files larger than this limit are rejected and are not scanned.
The default value is 64 MB.

Modules Configuration Section

The Modules Configuration section allows configuration of the static, community, and sandbox scoring categories.

Static Analysis Configuration

[Image: netwitness_macon_staticmodulesconfiguration.png]

The static module is the only scoring category that is enabled by default. This table describes the parameters for configuring static analysis.

Enabled
Enables or completely disables static analysis. By default this is selected (enabled).

Bypass PDF
Disables static analysis of PDF documents. By default this is not selected; all PDF files undergo static analysis.

Bypass Office
Disables static analysis of Office documents. By default this is not selected; all MS Office files undergo static analysis.

Bypass Executable
Disables static analysis of Windows PE files. By default this is not selected; all Windows PE files undergo static analysis.

Validate Windows PE Authenticate Settings via Cloud
Specifies whether Windows PE files are sent to the NetWitness Cloud for Authenticode validation. The default value is selected.

  • When selected, any digitally signed Windows PE file is transmitted over the network, in its entirety, to the NetWitness Cloud for validation. If the intent is to prevent Windows PE files from leaving the customer network, disable this option.
  • When not selected, ALL static analysis is performed locally and Authenticode validation is skipped. Regardless of this setting, PDF and MS Office documents are never subject to Authenticode validation and are not transmitted over the network during static analysis.

Community Analysis Configuration

[Image: netwitness_macon_configurecontinuousanalysis.png]

By default, the community module is disabled and the bypass options are selected so that PDF, MS Office and Windows PE files are not processed. The intent is to default to the most restrictive settings so that no potentially sensitive documents leave the network unless you explicitly choose to send them. This table describes the parameters for configuring Community analysis.

Enabled
Enables or completely disables community analysis. By default this is not selected (disabled).

Note: Before you enable community analysis, you must log in to your Live account. For more information about the Live account, see the Live Services Management Guide.

Bypass PDF
Disables community analysis of PDF documents. By default this is selected; PDF files are not processed.

Bypass Office
Disables community analysis of Office documents. By default this is selected; Microsoft Office documents are not processed.

Bypass Executable
Disables community analysis of Windows PE files. By default this is selected; Windows PE files are not processed.

Sandbox Analysis Configuration

[Image: netwitness_macon_configuresandboxanalysis.png]

By default, the sandbox module is disabled and PDF, MS Office and Windows PE files are prevented from being processed. The intent is to default to the most restrictive settings and force you to choose explicitly whether potentially sensitive information is sent outside the network for processing. If a document type is not bypassed, each file of that type is sent to the destination sandbox server in its entirety (not merely a hash of the file contents).

This table describes the parameters for configuring Sandbox analysis.

Enabled
Enables or completely disables sandbox analysis. By default this is not selected (disabled).

Bypass PDF
Disables sandbox analysis of PDF documents. By default this is selected; PDF files are not processed. When not selected, all PDF files are submitted in their entirety to the sandbox for analysis.

Bypass Office
Disables sandbox analysis of Office documents. By default this is selected; Microsoft Office documents are not processed. When not selected, all MS Office files are submitted in their entirety to the sandbox for analysis.

Bypass Executable
Disables sandbox analysis of Windows PE files. By default this is selected; Windows PE files are not processed. When not selected, all Windows PE files are submitted in their entirety to the sandbox for analysis.

Preserve Original File Name when Performing Sandbox Analysis
Available in 10.3 SP2 and later. When selected, files sent to a local sandbox keep their original file names. By default this is not selected, and NetWitness replaces the file name with a hash before submission.

Note: Original file names can themselves reveal sensitive information (user names, project names, document titles), so leave this parameter unselected unless the sandbox operator needs the names.

GFI Sandbox Settings

[Image: netwitness_macon_gfisandbox.png]

In the GFI Sandbox section, you can enable sandbox processing by GFI and configure the locally installed GFI sandbox. This table describes the parameters for configuring the GFI sandbox.

Enabled
When enabled, sandbox processing is performed by a local copy of GFI. The default value is disabled. If you enable GFI, you must also configure the remaining parameters.

Server Name
The GFI Sandbox server name. No default value.

Server Port
The GFI Sandbox server port. The default value is 80.

Max Poll Period
How long to wait for a submitted sample to finish processing. The default value is 600 seconds.

Ignore Web Proxy Settings
Tells Malware Analysis to bypass the web proxy, if one is configured, when making this connection. If no web proxy has been configured in Malware Analysis, the setting is ignored.

ThreatGRID Sandbox Settings

[Image: netwitness_macon_threatgrid.png]

In the ThreatGRID Sandbox section, you can enable sandbox processing by ThreatGRID and choose whether to use the locally installed ThreatGRID or the ThreatGRID Cloud for sandbox analysis.

  • If you have a local copy of ThreatGRID, configure sandbox processing to use the local copy.
  • If no local instance of ThreatGRID has been purchased and installed, configure the ThreatGRID Cloud.

The table describes the parameters for configuring the ThreatGRID sandbox.

Note: Before enabling this service, you must configure a ThreatGRID-supplied Service Key. The service key allows ThreatGRID to recognize that samples submitted from this site are legitimate.

Enabled
When enabled, sandbox processing is performed by ThreatGRID, either a local copy or the ThreatGRID Cloud. The default value is disabled.

Service Key
The ThreatGRID-supplied Service Key described in the note above. It must be configured before the sandbox module is enabled.

URL
The URL of the ThreatGRID server to use (if you are not using a locally installed ThreatGRID). The ThreatGRID Cloud is reachable via https://panacea.threatgrid.com

Ignore Web Proxy Settings
Tells Malware Analysis to bypass the web proxy, if one is configured, when making this connection. If no web proxy has been configured in Malware Analysis, the setting is ignored.
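Because the Static, Community and Sandbox tables above each decide separately whether a file leaves the network, it is easy to enable one switch without noticing what the combination sends off-site. The following added example, which is not NetWitness code, models those switches so you can audit the combined effect before changing a module: the class and function names are hypothetical, the defaults reproduce the values stated in the tables, and the sandbox_is_local flag is an assumption standing in for a locally installed GFI or ThreatGRID versus the ThreatGRID Cloud. For community analysis the page says only that documents "leave the network", so the model reports the destination without claiming what is sent.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical model (not NetWitness code) of the per-module bypass switches.
FILE_TYPES = ("pdf", "office", "pe")


@dataclass
class ModuleConfig:
    enabled: bool
    bypass_pdf: bool
    bypass_office: bool
    bypass_executable: bool

    def processes(self, file_type: str) -> bool:
        """True if this module actually handles files of the given type."""
        if not self.enabled:
            return False
        bypassed = {"pdf": self.bypass_pdf,
                    "office": self.bypass_office,
                    "pe": self.bypass_executable}[file_type]
        return not bypassed


@dataclass
class MalwareAnalysisConfig:
    static: ModuleConfig
    community: ModuleConfig
    sandbox: ModuleConfig
    validate_pe_authenticode_via_cloud: bool = True
    # Assumption: True for a locally installed GFI/ThreatGRID sandbox,
    # False when samples go to the ThreatGRID Cloud.
    sandbox_is_local: bool = False


def default_config() -> MalwareAnalysisConfig:
    """The out-of-the-box defaults stated in the module tables."""
    return MalwareAnalysisConfig(
        static=ModuleConfig(enabled=True, bypass_pdf=False,
                            bypass_office=False, bypass_executable=False),
        community=ModuleConfig(enabled=False, bypass_pdf=True,
                               bypass_office=True, bypass_executable=True),
        sandbox=ModuleConfig(enabled=False, bypass_pdf=True,
                             bypass_office=True, bypass_executable=True),
        validate_pe_authenticode_via_cloud=True,
        sandbox_is_local=False,
    )


def leaves_network(cfg: MalwareAnalysisConfig, file_type: str,
                   signed: bool = False) -> List[str]:
    """Off-network destinations that receive data about one file of this type."""
    dests = []
    # Static analysis runs locally, except that a signed PE is uploaded whole to
    # the NetWitness Cloud for Authenticode validation when that option is on.
    if (file_type == "pe" and signed and cfg.static.processes("pe")
            and cfg.validate_pe_authenticode_via_cloud):
        dests.append("netwitness-cloud:full-file")
    # Community analysis: documents leave the network when not bypassed.
    if cfg.community.processes(file_type):
        dests.append("community")
    # Sandbox: the whole file is submitted to the sandbox server, which only
    # counts as leaving the network when that server is off-site.
    if cfg.sandbox.processes(file_type) and not cfg.sandbox_is_local:
        dests.append("sandbox:full-file")
    return dests


def egress_audit(cfg: MalwareAnalysisConfig) -> Dict[Tuple[str, bool], List[str]]:
    """Map (file type, signed?) -> destinations, for review before enabling modules."""
    cases = [("pdf", False), ("office", False), ("pe", False), ("pe", True)]
    return {case: leaves_network(cfg, *case) for case in cases}


if __name__ == "__main__":
    for case, dests in egress_audit(default_config()).items():
        print(case, dests or "stays on-network")
```

With the defaults, the only thing that leaves the network is a signed Windows PE file, sent whole to the NetWitness Cloud; clearing validate_pe_authenticode_via_cloud makes the default configuration fully on-network, and enabling the sandbox for executables against a cloud sandbox adds a second full-file destination.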