Services Config View - General Tab
This topic introduces the configuration settings in the Service Config view > General tab for Malware Analysis, which has parameters specific to the Malware Analysis service. In this tab, you can configure:
- The processing parameters for Core services that are capturing data.
- The repository for captured data.
- The static, community, and sandbox scoring categories used to analyze the data.
Workflow
What do you want to do?
Role | I Want to... | Show me how |
---|---|---|
Administrator | Configure General Malware Analysis Settings* | Configure General Malware Analysis Settings |
Administrator | Configure Indicators of Compromise | Configure Indicators of Compromise |
Administrator | Configure Auditing on Malware Analysis Host | |
Administrator | Configure Hash Filter | (Optional) Configure Hash Filter |
Administrator | Configure Installed Antivirus Vendor | |
Administrator | Configure Malware Analysis Proxy Settings | (Optional) Configure Malware Analysis Proxy Settings |
Administrator | Register a ThreatGRID API Key | |
Administrator | Enable Community Analysis | Enable Community Analysis |
*You can perform this task in the current view
Quick Look
This is an example of the General tab.
Callout | Description |
---|---|
1 | Displays the General tab. |
2 | Allows you to configure Continuous Scan. |
3 | Allows you to configure the Repository. |
4 | Displays Miscellaneous Settings. |
5 | Allows you to configure Modules. |
This tab has four sections: Continuous Scan Configuration, Repository Configuration, Miscellaneous, and Modules Configuration.
Continuous Scan Configuration Section
This table describes the features of the Continuous Scan Configuration section.
Parameter | Description |
---|---|
Enabled | Completely disable or enable continuous polling of the Core service. By default this is not selected (disabled). |
Query | While the Decoder is analyzing network traffic, it creates a meta field called content with a value of spectrum.consume in sessions that are likely to contain malware. By default, Malware Analysis only analyzes events that have this meta value. By changing this query, you can configure Malware Analysis to analyze different types of events. Making the query too broad may force Malware Analysis to analyze too many events, causing it to fall behind or perform poorly. |
Query Expiry | When Malware Analysis queries the Core service for meta, it normally gets a result back within a few seconds. If there is a problem, such as a network connectivity issue, Malware Analysis abandons the query after this amount of time. The default value is 3600 seconds. |
Query Interval | How often, in minutes, Malware Analysis queries for new session meta and files. |
Meta Limit | Each time Malware Analysis queries the Core service, it pulls meta up to this limit. Together with the Query Interval, this setting lets you tune the performance of Malware Analysis within the Core infrastructure. |
Time Boundary | Malware Analysis analyzes sessions that occurred after the Time Boundary. This setting matters most when installing a new Malware Analysis appliance, because it determines how far back in time analysis begins. Setting the boundary too many hours in the past may cause Malware Analysis to analyze too many past events, causing a large delay before you see traffic in real time. The default value is 24 hours. |
Source Host | Hostname of the Malware Analysis appliance. Note: When you change the host name or the host IP address, re-add the Source Host in the Malware Analysis service config page and restart the service for the change to take effect. |
Source Port | Malware Analysis communicates with the NetWitness infrastructure using the REST service listening on this port. The port number depends on the type of Core service used as the Source Host and corresponds to the outbound connections for your Core service. |
Username | The user name Malware Analysis authenticates with. The default value is admin. Malware Analysis must authenticate to the Source Host each time it queries for data. In most cases, the account used by Malware Analysis is the same account used to access the Core service through NetWitness; however, it is recommended to create a separate account on the Core service dedicated to Malware Analysis. |
User Password | User password. The default value is netwitness. |
SSL | Use SSL when communicating with the Core service. Check this option if Malware Analysis uses an SSL connection to communicate with the Core service. The default value is unchecked. |
Denial of Service (DOS) Prevention | The Denial of Service Prevention feature provides safeguards against malware that intentionally generates high volumes of network connections containing Windows PE content between two endpoints. Generating a high volume of connections artificially inflates the amount of traffic that security services monitoring the network must consume and analyze, resulting in a denial of service. This feature identifies such sessions so that analysis processing can disregard them. |
DOS Session Rate Window Length (Seconds) | Malware Analysis uses this parameter together with DOS Number Sessions per Rate Window and DOS Session Lockout Time (Seconds) to identify a Denial of Service attack and determine how long to disregard sessions from a single IP address. This parameter defines the time frame over which sessions from a single source IP address are counted. |
DOS Number Sessions per Rate Window | Malware Analysis uses this parameter together with DOS Session Rate Window Length (Seconds) and DOS Session Lockout Time (Seconds) to identify a Denial of Service attack and determine how long to disregard sessions from the IP address. To identify an attack, Malware Analysis monitors the number of sessions established by a single source IP address during the time frame defined by DOS Session Rate Window Length (Seconds). If the number of sessions exceeds the DOS Number Sessions per Rate Window setting within that window, Malware Analysis identifies the activity as a Denial of Service attempt and disregards traffic from that address for the length of time specified in DOS Session Lockout Time (Seconds). |
DOS Session Lockout Time (Seconds) | Malware Analysis uses this parameter together with DOS Session Rate Window Length (Seconds) and DOS Number Sessions per Rate Window to identify a Denial of Service attack and determine how long to disregard it. Once the number of sessions from a single IP address exceeds DOS Number Sessions per Rate Window within the window defined by DOS Session Rate Window Length (Seconds), Malware Analysis identifies the activity as a Denial of Service attempt and disregards traffic from that address for the number of seconds specified here. |
DOS Garbage Collection Interval (Seconds) | Performs garbage collection on the internal memory structure used to track Denial of Service attempts. If memory usage is abnormally high, decrease this setting to free unused memory more often. If CPU usage is abnormally high, increase this setting to reduce processing overhead (at the expense of memory usage). |
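The four DOS parameters above describe a sliding-window session counter with a per-source lockout and periodic cleanup. The following is an added example, not NetWitness code, that models that logic in Python so you can reason about what a given window length, session threshold, lockout and garbage-collection interval do to a burst of sessions; the class, its method names and the sample values are constructed for illustration.

```python
from collections import defaultdict, deque

class DosSessionFilter:
    """Per-source-IP session counter with lockout, modelled on the four DOS parameters above."""

    def __init__(self, window_len, max_sessions, lockout, gc_interval):
        self.window_len = window_len      # DOS Session Rate Window Length (Seconds)
        self.max_sessions = max_sessions  # DOS Number Sessions per Rate Window
        self.lockout = lockout            # DOS Session Lockout Time (Seconds)
        self.gc_interval = gc_interval    # DOS Garbage Collection Interval (Seconds)
        self._sessions = defaultdict(deque)  # src_ip -> session timestamps inside the window
        self._locked_until = {}              # src_ip -> time at which disregarding ends
        self._last_gc = 0.0

    def should_analyze(self, src_ip, ts):
        """True if the session at time ts (seconds) should be analyzed, False if disregarded."""
        self._maybe_gc(ts)
        locked = self._locked_until.get(src_ip)
        if locked is not None:
            if ts < locked:
                return False            # still inside the lockout period
            del self._locked_until[src_ip]
        window = self._sessions[src_ip]
        window.append(ts)
        while window and window[0] <= ts - self.window_len:
            window.popleft()            # drop sessions older than the rate window
        if len(window) > self.max_sessions:
            self._locked_until[src_ip] = ts + self.lockout
            window.clear()
            return False                # threshold exceeded: start the lockout
        return True

    def _maybe_gc(self, ts):
        """Free tracking state for idle sources; runs at most once per gc_interval."""
        if ts - self._last_gc < self.gc_interval:
            return
        self._last_gc = ts
        for ip in list(self._sessions):
            window = self._sessions[ip]
            while window and window[0] <= ts - self.window_len:
                window.popleft()
            if not window:
                del self._sessions[ip]
        self._locked_until = {ip: t for ip, t in self._locked_until.items() if ts < t}

    def tracked_sources(self):
        return len(self._sessions) + len(self._locked_until)

def demo():
    # Constructed burst: one source opens 6 sessions in 10 s against a 5-per-60 s limit.
    f = DosSessionFilter(window_len=60, max_sessions=5, lockout=120, gc_interval=300)
    return [f.should_analyze("10.0.0.5", t) for t in range(0, 12, 2)]
```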
Repository Configuration Section
Malware Analysis stores all of the files that are analyzed for future use. These files can be downloaded through the user interface or accessed via one of the file sharing protocols.
This table describes the features of the Repository Configuration section.
Parameter | Description |
---|---|
Directory Path | All files are stored in the following directory on the Malware Analysis appliance: /var/lib/netwitness/spectrum |
File Sharing Protocol | Possible values for the file sharing protocol are FTP, SAMBA, and None. You can enable FTP access and SAMBA file sharing to allow a user access to the stored files on the Malware Analysis from a remote location. No credentials are required to access these files. The port required for FTP access is TCP/21. The default file sharing protocol is None. |
Retention (in days) | Malware Analysis maintains files stored in the repository for a specified number of days. You can set the number of days that files are retained before being deleted. The default value is 60 days. |
Miscellaneous Configuration Section (10.3 SP2 and Later)
This table describes the features of the Miscellaneous Configuration section.
Parameter | Description |
---|---|
Maximum File Size | Limits the size of each file that you can scan manually. This parameter applies to the feature described in "Upload Files for Malware Scanning" in the Investigation and Malware Analysis Configuration Guide. The default value is 64 MB. If a file exceeds this limit, you cannot scan it. |
Modules Configuration Section
The Modules Configuration section allows configuration of the static, community, and sandbox scoring categories.
Static Analysis Configuration
The static module is the only scoring category that is enabled by default. This table describes the parameters for configuring static analysis.
Feature | Description |
---|---|
Enabled | Completely disable or enable static analysis. By default this is selected (enabled). |
Bypass PDF | Disable analysis of PDF documents. By default this is not selected; all PDF files undergo static analysis. |
Bypass Office | Disable analysis of Office documents. By default this is not selected; all MS Office files undergo static analysis. |
Bypass Executable | Disable analysis of Windows PE documents. By default this is not selected; all Windows PE files undergo static analysis. |
Validate Windows PE Authenticate Settings via Cloud | Specify whether Windows PE files are sent to the NetWitness Cloud for Authenticode validation. By default this is selected. |
Community Analysis Configuration
By default, the community module is disabled and the Bypass options are selected so that PDF and MS Office documents are not processed. The intent is to default to the most restrictive settings so that no sensitive documents leave the network unless the user chooses otherwise. This table describes the parameters for configuring community analysis.
Feature | Description |
---|---|
Enabled | Completely disable or enable community analysis. By default this is not selected (disabled). Note: Before you enable community analysis, you must log in to your Live account. For more information about Live accounts, see the Live Services Management Guide. |
Bypass PDF | Disable analysis of PDF documents. By default this is selected; PDF files are not processed. |
Bypass Office | Disable analysis of Office documents. By default this is selected; Microsoft Office documents are not processed. |
Bypass Executable | Disable analysis of Windows PE documents. By default this is selected; Windows PE documents are not processed. |
Sandbox Analysis Configuration
By default, the sandbox module is disabled and MS Office and PDF files are prevented from being processed. The intent is to set the most restrictive settings to force the user to specifically choose whether or not potentially sensitive information is sent outside of the network for processing. If the document type is not prevented from being processed, the file is sent to the destination sandbox server in its entirety (not limited to a hash of the file contents).
This table describes the parameters for configuring Sandbox analysis.
Feature | Description |
---|---|
Enabled | Completely disable or enable sandbox analysis. By default this is not selected (disabled). |
Bypass PDF | Disable analysis of PDF documents. By default this is selected; PDF files are not processed. When not selected, all PDF files are submitted in their entirety to the sandbox for analysis. |
Bypass Office | Disable analysis of Office documents. By default this is selected; Microsoft Office documents are not processed. When not selected, all MS Office files are submitted in their entirety to the sandbox for analysis. |
Bypass Executable | Disable analysis of Windows PE documents. By default this is selected; Windows PE documents are not processed. When not selected, all Windows PE documents are submitted in their entirety to the sandbox for analysis. |
Preserve Original File Name when Performing Sandbox Analysis | In 10.3 SP2 and later, select this option to keep the original file name when files are sent to a local sandbox. By default this is not selected. Note: If you do not select this parameter, NetWitness uses a hash in place of the original file name. |
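Several settings across the Continuous Scan, Repository, Community and Sandbox sections trade convenience for exposure: the default admin credentials, credential-less FTP or SAMBA sharing of the repository, an unencrypted Core connection, and a cleared Bypass option on an enabled community or sandbox module, which lets whole documents leave the network. The following is an added example, not part of the NetWitness product, that checks a General-tab configuration expressed as a plain dict (a hypothetical layout constructed for this example) for those conditions, so a weak configuration can be compared with a hardened one.

```python
# Hypothetical dict layout for the General tab's fields; constructed for this example only.
# Keys mirror the parameter names on the page; NetWitness does not export the tab this way.

def audit_general_tab(cfg):
    """Return a list of findings; an empty list means no exposure-widening setting was found."""
    findings = []
    if cfg.get("user_password") == "netwitness":
        findings.append("Source credentials still use the default password 'netwitness'.")
    if cfg.get("username") == "admin":
        findings.append("Malware Analysis polls with the shared admin account; use a dedicated account.")
    if not cfg.get("ssl", False):
        findings.append("SSL is unchecked; queries to the Core service are not encrypted.")
    proto = cfg.get("file_sharing_protocol", "None")
    if proto in ("FTP", "SAMBA"):
        findings.append(f"Repository is shared over {proto} and no credentials are required.")
    # Community and sandbox default to Bypass selected; a cleared Bypass on an enabled
    # module means that document type may leave the network for processing.
    for module in ("community", "sandbox"):
        m = cfg.get(module, {})
        if not m.get("enabled", False):
            continue
        for doc in ("pdf", "office", "executable"):
            if not m.get(f"bypass_{doc}", True):
                findings.append(f"{module} analysis is enabled with Bypass {doc.title()} cleared; "
                                f"{doc} files may leave the network for processing.")
    return findings

# Constructed weak sample: defaults everywhere except that sandbox analysis has been enabled
# with Bypass Office cleared, and the repository is shared over FTP.
WEAK_CONFIG = {
    "username": "admin",
    "user_password": "netwitness",
    "ssl": False,
    "file_sharing_protocol": "FTP",
    "community": {"enabled": False, "bypass_pdf": True, "bypass_office": True, "bypass_executable": True},
    "sandbox": {"enabled": True, "bypass_pdf": True, "bypass_office": False, "bypass_executable": True},
}

def hardened(cfg):
    """Return a copy of cfg with each finding addressed (placeholder credential values)."""
    out = dict(cfg, username="ma-poller", user_password="<rotated-secret>", ssl=True,
               file_sharing_protocol="None")
    out["sandbox"] = dict(cfg["sandbox"], bypass_office=True)
    return out

if __name__ == "__main__":
    for finding in audit_general_tab(WEAK_CONFIG):
        print("-", finding)
```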
GFI Sandbox Settings
In the GFI Sandbox section, you can enable sandbox processing by GFI and configure the locally installed GFI sandbox. The table describes the parameters for configuring the GFI sandbox.
Feature | Description |
---|---|
Enabled | When enabled, sandbox processing is performed by a local copy of GFI. The default value is disabled. If you enable GFI, you need to configure the remaining parameters. |
Server Name | The GFI Sandbox server name. No default value. |
Server Port | The GFI Sandbox server port. Default value is 80. |
Max Poll Period | Determines how long to wait for a submitted sample to finish processing. Default value is 600 seconds. |
Ignore Web Proxy Settings | Tells Malware Analysis to bypass the web proxy, if a web proxy is configured, when making this connection. If no web proxy has been configured in Malware Analysis, the setting is ignored. |
ThreatGRID Sandbox Settings
In the ThreatGRID Sandbox section, you can enable sandbox processing by ThreatGRID and choose whether to use the locally installed ThreatGRID or the ThreatGRID Cloud for sandbox analysis.
- If you have a local copy of ThreatGRID, configure sandbox processing to use the local copy.
- If no local instance of ThreatGRID has been purchased and installed, configure the ThreatGRID Cloud.
The table describes the parameters for configuring the ThreatGRID sandbox.
Note: Before enabling this service, you must configure a ThreatGRID-supplied Service Key. The service key allows ThreatGRID to recognize that samples submitted from this site are legitimate.
Feature | Description |
---|---|
Enabled | When enabled, sandbox processing is performed by ThreatGRID, either a local copy or the ThreatGRID Cloud. The default value is disabled. |
Service Key | Before enabling the sandbox module, a ThreatGRID-supplied Service Key must be configured. The service key allows ThreatGRID to recognize that samples submitted from this site are legitimate. |
URL | The URL for the ThreatGRID server to be used (if you are not using a locally installed ThreatGRID). The ThreatGRID Cloud is reachable via https://panacea.threatgrid.com |
Ignore Web Proxy Settings | Tells Malware Analysis to bypass the web proxy, if a web proxy is configured, when making this connection. If no Web Proxy has been configured in Malware Analysis, the setting is ignored. |