How to reinitialize RSA Netwitness Malware Analysis DB

Issue

Customer wants to reinitialize Malware Analysis DB as the customer is not able to start up the service properly due to broken DB table or data.

Cause

The customer deleted DB files under /var/lib/pgsql or spectrum database accidentally.

Resolution

Background : The customer cannot start up Malware Analysis service due to corrupted DB. As the step requires reinstallation of the Malware Analysis package on OS level, the proper YUM repository should be prepared in advance.

This step will REMOVE all the current data(previous analysis results on DB) on Malware Analysis and reinitialize all the database and tables for MA. It will take less than 10 min to complete except the Optional step. 

1. SSH to Malware Analysis​
2. # stop rsaMalwareAnalysis
3. # mkdir /root/MAbackup/
4. # cp /var/lib/rsamalware/spectrum/logs /root/MAbackup : Backup spectrum.log for troubleshooting purpose just in case
5. # cp /var/lib/rsamalware/spectrum/conf /root/MAbackup : Backup configuration files for restore
6. (Optional) If you want to backup repository files, please backup /var/lib/rsamalware/spectrum/repository. 
7. # rm -rf /var/lib/pgsql/* 
8. # service postgresql-9.1 initdb 
9. # yum reinstall rsaMalwareDevice : Make sure it will reinstall the same version before the start. As part of the installation process, spectrum database will be reconfigured.
10. # stop rsaMalwareAnalysis
11. Restore the configuration from /root/MAbackup/conf 
12. # start rsaMalwareAnalysis
13. Set proper time boundary
    • Log in Netwitness UI
    • Navigate to Administration > Service > Malware Analysis > Config
    • Set proper value for Time Boundary
14. Enable continuous analysis

Product Details

RSA Product Set: Netwitness
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6

Approval Reviewer Queue

ASOC Approval Group