Malware Analysis not Generating Events for all Sessions with spectrum.consume Tag

Issue

Customer cannot find a Malware Analysis event for sessions with spectrum.consume tag.

Cause

Malware Analysis only generates data when the analysis and scoring are above a threshold and the default threshold is below:

• Malware Analysis - 41 (The Malware Analysis event is generated only if either Static, Network, Community and Sandbox score should be greater than or equal to this threshold)

The threshold is defined in the below setting which can be modified. Once the setting is modified, it requires Malware Analysis service restarts.

• Filepath : /var/netwitness/malware-analytics-server/spectrum/conf/eventJobConfig.xml
• Parameter : eventRetentionScoreThreshold (Default : 41)

Workaround

Note that for Adhoc scan of an uploaded file (on-demand scanning), it will supersedes the eventRetentionScoreThreshold setting.  Thus, you can check the scores without changing the setting.
Refer to the community article for details on how to perform Adhoc scan on Malware Analysis.

Resolution

How to change eventRetentionScoreThreshold

1. SSH to Malware Analysis
2. # vi /var/netwitness/malware-analytics-server/spectrum/conf/eventJobConfig.xml
3. Change the value of eventRetentionScoreThreshold
4. Save and Exit the text editor
5. # systemctl restart rsa-nw-malware-analytics-server

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Malware Analysis Server
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9

Approval Reviewer Queue

Technical approval queue