Basic Setup

Malware Analysis can operate as a service on a Decoder or as a service on a dedicated appliance. This guide includes instructions for setting up the operating environment and then configuring the Malware Analysis service. After this configuration is complete, analysts can conduct malware analysis.

The following steps configure Malware Analysis and also apply when editing an existing configuration. Perform them in the sequence given.

(Figure: Malware Analysis configuration workflow)

Basic Configuration Checklist

The following checklist gives the sequence of tasks required to configure a Malware Analysis service that has been added to NetWitness as described in the Hosts and Services Guide.

Step 1 - (Optional) Configure Dedicated Appliance

This topic describes the procedures for configuring the environment to connect to the Malware Analysis service.

Step 2 - Configure General Malware Analysis Settings

  • Enable continuous polling.
  • Configure the manual file upload limit.
  • Configure the file storage repository and database.
  • Calibrate the Static, Network, Community, and Sandbox scoring modules.

Step 3 - Configure Indicators of Compromise

Calibrate the Indicators of Compromise that are applied for each scoring module (Static, Network, Community, Sandbox) and for YARA-based IOCs.

Step 4 - Configure Installed Antivirus Vendors

Step 5 - Enable Community Scoring (topic: Enable Community Analysis)

Register with the NetWitness cloud and test connections to enable Community scoring.

Step 6 - (Optional) Configure Auditing on Malware Analysis Host

Configure auditing thresholds and enable Syslog, SNMP, and file auditing.

Step 7 - (Optional) Configure Hash Filter

Configure hash filtering to fine-tune Malware Analysis event analysis based on known good or bad file hashes.

Step 8 - (Optional) Configure Malware Analysis Proxy Settings

Configure Malware Analysis to communicate with the NetWitness Cloud through a web proxy instead of directly.

Step 9 - (Optional) Register for a ThreatGRID API Key