Upload Files for Malware Analysis Scanning

There are two methods for analysts to upload files for Malware Analysis scanning.

A Malware Analyst with permission to Initiate Malware Analysis Scan can upload files to scan using the Scan Files option in the Select a Malware Analysis Service dialog.

It is also possible to upload a file for scanning using a watched file share.

Upload Files Manually

This topic provides instructions for initiating on-demand scanning of an uploaded file. When you upload a file for scanning, NetWitness starts the upload job and adds it to the jobs queue. When the job is complete, you can view the scan in Malware Analysis.

To upload a file to scan:

  1. Go to Investigate > Malware Analysis.
    The Select a Malware Analysis Service dialog is displayed, with available Malware Analysis hosts and services for the current user in the left panel.
    netwitness_slctmwasrvc_750x317.png
  2. Click View Scan.
    The Scan for Malware dialog is displayed.
    netwitness_scanmw.png
  3. Click netwitness_ic-add.png
    A view of the files system is displayed so that you can choose files to upload.
  4. Select one or more files from the list and click Open.
    The file names are added. Malware Analysis escapes the filename characters before processing a file. The maximum number of filename characters after escaping is 200. If the filename is greater than 200 characters, Malware Analysis truncates the filename characters and displays the truncated filename in the NetWitness user interface.
  5. Continue adding and deleting files until you have a list of the files that you want to upload.
  6. Name the scan and select the types of files to bypass. This is useful for a zip archive that contains different types of files, and overrides the default bypass settings.
  7. Click Scan.
    The scan job is submitted and NetWitness displays a confirmation message for successful submission. The scan request is added to the Scan Jobs List dashlet. The bypass settings in this dialog override the default settings in the basic Malware Analysis configuration settings.
  8. The job is added to the Scan Jobs List in the Select a Malware Analysis Service dialog and in the Unified dashboard Scan Jobs List dashlet.
  9. To view the scan when complete, double-click the scan.
    The Malware Summary of Events for the selected scan is displayed.

Upload Files from a Watched Folder

To upload files from a watched folder, you can drop files into a watched file share for Malware Analysis. Analysts can share YARA rules, hash files, and infected zip archives with Malware Analysis.

Malware Analysis watches a file share and automatically consumes files placed in specific folders in the file share. This feature is useful for:

  • Bulk import of hash files from /var/lib/rsamalware/spectrum/hashWatch.
  • Addition of custom-YARA rules to the Indicators of Compromise (IOC) list on the host from /var/lib/netwitness/malware-analytics-server/spectrum/yara/watch.
  • Creation of on-demand scan jobs from a zip archive of infected zip files from /var/lib/rsamalware/spectrum/infectedZipWatch/watch.

Analysts need to prepare the files for consumption in accordance with requirements, the file extension must be correct, and the file must be copied to the correct watched folder in the file share.

Import a Hash List

To import a hash list from the watched directory, the hash list must be in the specified format and must be sorted on md5. You can drop a file formatted into a folder (/var/lib/rsamalware/spectrum/hashWatch) on the Malware Analysis host, and it is automatically imported into the local hash database. This is described in "Configure Hash Filter" in the Malware Analysis Configuration Guide.

To import a hash list using the watched folder method:

  1. Copy the hash lists that you want to import into the /var/lib/rsamalware/spectrum/hashWatch directory.
    NetWitness Malware Analysis automatically watches this folder and processes files placed there.
    1. Malware Analysis adds every hash found in the hash lists to the hash filter.
    2. If there are processing errors, they are logged in: /var/lib/rsamalware/spectrum/hashWatch/error
    3. Processed files are cataloged here: /var/lib/rsamalware/spectrum/hashWatch/processed
    4. Processed files are not removed from the hashWatch directory.
  2. After importing hashes in bulk, the System Administrator can use a cronjob to clean up old processed files.

Import YARA rules to the IOC List

Customers with advanced skills and knowledge can add detection capabilities to Malware Analysis by authoring YARA rules and publishing them in Live or placing YARA rules in a watched folder for the host to consume. Implement Custom YARA Content provides complete information on the prerequisites for using custom YARA content and authoring rules.

When the rules are ready, place the custom YARA files in the folder that the Malware Analysis service watches:
/var/lib/netwitness/malware-analytics-server/spectrum/yara/watch
The file is consumed within one minute.
Once consumed, NetWitness moves the file to the processed folder, and the new rule is added to the Malware Analysis Service Config view > Indicators of Compromise tab.

netwitness_yara_and_ioc.png

Import Files into the Scan Jobs List

When you obtain samples from perimeter security solutions and would like to perform further analysis on the files, you can zip the files and password protect the archive with infected, then add to the watched folder for consumption by Malware Analysis. This zipped archive is ready to be placed in the watched folder: /var/lib/rsamalware/spectrum/infectedZipWatch/watch.

Note: The maximum size of the archive is 100 MB.

To analyze infected, password-protected zip files, Malware Analysis consumes archives place in a watched folder and creates an on-demand job that is added to the Scan Jobs List.

  1. While logged on as administrator, place the files to be processed in a zip file with password infected at /var/lib/rsamalware/spectrum/infectedZipWatch/watch
    In a minute or two Malware Analysis consumes the archive and creates an on-demand job in the Scan Jobs List. The scan job name is the name of the file, the user is file share, and the Event Type is 1. The archive is moved to /var/lib/rsamalware/spectrum/infectedZipWatch/processed
  2. After the job is added to the Scan Job List, run a script or cronjob to clean up the zip file in /var/lib/rsamalware/spectrum/infectedZipWatch/processed.