NetWitness - How to force Malware Analysis to restart analysis at a specific Session ID
Issue
If the Malware Analysis service temporarily goes down, it may miss some files that need to be processed for malware analysis when it comes back up.
Resolution
You can use the REST string below to force the Malware Analysis service to restart analysis from a certain session ID.
http://<username>:<password>@<core-hostname>:<port>/<service>/config/recovery?msg=setrecov&force-content-type=text/plain&expiry=600&device=<malware-analysis-hostname>&key=sessions.invalid&value=<session-id-range>
The placeholders in angle brackets are the REST credentials, hostname, port and service name (for example decoder) of the core appliance, the hostname of the Malware Analysis appliance, and the session ID range to recover, as in the example below.
For example, if you wished to recover the session ID range 1-101 on a Decoder with the hostname nwdecoder, pointing to the Malware Analysis appliance with the hostname nwmalware, you would use the syntax below.
http://login:password@nwdecoder:50104/decoder/config/recovery?msg=setrecov&force-content-type=text/plain&expiry=600&device=nwmalware&key=sessions.invalid&value=1-101
The next time the Malware Analysis service queries the core appliance, it will go back to that session ID but won't delete any events. It will drain events in the queue that are greater than this session ID.
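As an added example (not part of the KB article), a small POSIX shell helper that assembles the recovery request from its parts, rejects a malformed session-ID range before anything is sent, and passes the credentials to curl outside the URL. The hostnames, port and service path are the KB's example values; the NW_USER and NW_PASS variable names are assumptions.

```shell
#!/bin/sh
# Added example, not NetWitness code. Builds and sends the
# /config/recovery request described in the KB.

# build_recovery_url <core-host> <port> <service> <ma-host> <session-range>
# Prints the request URL, or returns 1 if the range is not N or N-M with N <= M.
build_recovery_url() {
    host=$1; port=$2; service=$3; ma_host=$4; range=$5
    # Only digits and a single interior hyphen are accepted, so a typo
    # cannot turn into a malformed sessions.invalid value.
    case $range in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${range%%-*}; hi=${range##*-}
    [ "$lo" -le "$hi" ] || return 1
    printf 'http://%s:%s/%s/config/recovery?msg=setrecov&force-content-type=text/plain&expiry=600&device=%s&key=sessions.invalid&value=%s\n' \
        "$host" "$port" "$service" "$ma_host" "$range"
}

# send_recovery <core-host> <port> <service> <ma-host> <session-range>
# Reads the REST credentials from NW_USER / NW_PASS (assumed variable names)
# and hands them to curl through a stdin config file, so the password does
# not appear in the URL, the shell history or the process list.
send_recovery() {
    url=$(build_recovery_url "$@") || { echo "bad session range: $5" >&2; return 1; }
    printf 'user = "%s:%s"\n' "$NW_USER" "$NW_PASS" |
        curl --silent --show-error --config - "$url"
}

# The KB's example: recover sessions 1-101 on nwdecoder, MA appliance nwmalware.
# NW_USER=login NW_PASS=password send_recovery nwdecoder 50104 decoder nwmalware 1-101
```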
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Malware Analysis
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7 / AlmaLinux 8.9
Summary
How to ensure that, if the Malware Analysis service temporarily goes down, that all of the sessions during that time will still be processed.