Configure Installed Antivirus Vendors

You can compare file analysis results from your installed antivirus (AV) vendors versus community results from the Malware Analysis knowledge base. While a file is being analyzed by community analysis, Malware Analysis checks an antivirus knowledge base to determine if the sample is already known to be malicious. If the file is known to be malicious, NetWitness flags the file to indicate whether a primary antivirus vendor or a secondary antivirus vendor identified the sample. NetWitness classifies vendors as primary and secondary to indicate the level of reputation the vendors have in the industry, and Indicators of Compromise factor the reputation into scoring. For example, detection made solely by secondary antivirus vendors may score less than detection by primary vendors.

Note: When choosing AV vendor software to install on your network, it is highly recommended that you include at least one vendor from the NetWitness Primary Vendors list. For more information, see Supported Antivirus Vendors.

You can identify the antivirus vendors installed on your network to NetWitness. NetWitness compares the antivirus results during community analysis against the results from the installed vendors selected in the AV tab. If a match is detected, the file being analyzed is flagged to indicate that your locally installed primary or secondary antivirus software detected the sample.

The example below shows the community analysis results for a file that received a score of 100. Under Indicators of Compromise, you can see that the file was flagged by the listed AV vendors in the Community. Under AV Vendor Results, NetWitness indicates whether the AV vendors installed in your environment flagged the file as malicious. If an installed AV vendor detected the sample, the name of the malware is displayed. If an installed AV vendor did not detect the sample, --Not detected-- is displayed next to the AV vendor name. Under Not Installed Vendors, you can click + to expand the section and see whether vendors not installed on your system detected the sample.
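The following Python illustration reproduces the comparison described above: community detections are split into the AV Vendor Results and Not Installed Vendors sections, installed vendors with no hit are shown as --Not detected--, and the local flag records whether a primary or a secondary installed vendor made the detection. It is an added example, not NetWitness code; the vendor names, their primary/secondary assignment, the report layout and the score penalty are assumptions made for the example.

```python
"""Added illustration of the installed-AV vs. community comparison; not NetWitness code.
Vendor names, tier assignments, report layout and the score penalty are assumptions."""
from dataclasses import dataclass

NOT_DETECTED = "--Not detected--"

# Constructed reputation list: hypothetical vendors assigned to the two classes
# the documentation uses (primary = high industry reputation, secondary = other).
VENDOR_TIER = {
    "AlphaAV": "primary",
    "BetaGuard": "primary",
    "GammaScan": "secondary",
    "DeltaShield": "secondary",
}


@dataclass
class AvComparison:
    installed: dict        # installed vendor -> malware name or NOT_DETECTED
    not_installed: dict    # community detections from vendors not installed locally
    local_flag: str        # "primary", "secondary" or "none" (installed vendors only)
    community_flag: str    # same, across every community vendor


def _flag(detecting_vendors):
    """Highest-reputation tier among the vendors that detected the sample."""
    tiers = {VENDOR_TIER[v] for v in detecting_vendors}
    if "primary" in tiers:
        return "primary"
    if "secondary" in tiers:
        return "secondary"
    return "none"


def compare_av_results(community_results, installed_vendors):
    """community_results: vendor -> malware name, for each vendor that detected the sample.
    installed_vendors: the vendors ticked in the AV tab."""
    known = set(VENDOR_TIER)
    unknown = (set(installed_vendors) | set(community_results)) - known
    if unknown:
        # A vendor outside the reputation list cannot be classified; fail loudly.
        raise ValueError(f"vendors missing from reputation list: {sorted(unknown)}")
    installed = {v: community_results.get(v, NOT_DETECTED)
                 for v in sorted(installed_vendors)}
    not_installed = {v: name for v, name in sorted(community_results.items())
                     if v not in installed_vendors}
    local_hits = [v for v in installed_vendors if v in community_results]
    return AvComparison(installed, not_installed, _flag(local_hits), _flag(community_results))


def reputation_weighted_score(base_score, flag):
    """Illustrative AV-evidence score: a hit backed only by secondary vendors is
    discounted. The 25-point penalty is an assumption, not NetWitness's scoring."""
    if flag == "primary":
        return base_score
    if flag == "secondary":
        return max(0, base_score - 25)
    return 0


# Constructed sample: two community detections; three vendors installed locally.
SAMPLE_COMMUNITY = {"AlphaAV": "Trojan.Generic", "GammaScan": "Win32.Agent"}
SAMPLE_INSTALLED = {"BetaGuard", "GammaScan", "DeltaShield"}

if __name__ == "__main__":
    result = compare_av_results(SAMPLE_COMMUNITY, SAMPLE_INSTALLED)
    print("AV Vendor Results:", result.installed)
    print("Not Installed Vendors:", result.not_installed)
    print("local flag:", result.local_flag, "| community flag:", result.community_flag)
    print("AV-evidence score:", reputation_weighted_score(100, result.local_flag))
```

In the sample, only the secondary vendor GammaScan is both installed and detecting, so the local flag is "secondary" and the illustrative score is discounted, while the community flag is "primary" because AlphaAV (not installed) also detected the file.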

(Screenshot: community analysis results showing the Indicators of Compromise, AV Vendor Results and Not Installed Vendors sections.)

Identify Installed AV Software

To identify Antivirus software installed on your network:

  1. Go to Admin > Services.
  2. Select a Malware Analysis service, and in its row select the Actions menu > View > Config.
  3. In the Service Config view, select the AV tab.
  4. Select the checkbox next to each antivirus vendor (primary and other) whose software is installed on your network.
  5. To save the changes, click Apply.
    The Community Analysis results will then indicate whether your installed software flagged the sample.
  6. (Optional) If you want to reset the list of installed AV software to the default value (none), click Reset.
    All selections are removed.
  7. To save changes, click Apply.