NetWitness - How to force Malware Analysis to restart analysis at a specific Session ID
Issue
If the Malware Analysis service temporarily goes down, it may miss some files that need to be processed for malware analysis when it comes back up.
Resolution
You can use the REST request below to force the Malware Analysis service to restart analysis from a certain session ID. Placeholders are shown in angle brackets and are described in the legend that follows.
http://<username>:<password>@<hostname>:<port>/<service-type>/config/recovery?msg=setrecov&force-content-type=text/plain&expiry=600&device=<malware-analysis-hostname>&key=sessions.invalid&value=<session-id-range>
Refer to the legend below when using the syntax.
- <username>: The username of the service being accessed via REST. (The default username is admin.)
- <password>: The password of the service being accessed via REST. (The default password is netwitness.)
- <hostname>: The Decoder/Concentrator/Broker at which the Malware Analysis service is pointing.
- <port>: The REST port of the service being accessed (e.g. 50103 for Brokers, 50104 for Packet Decoders).
- <service-type>: The type of service being accessed via REST (decoder, concentrator, or broker).
- <malware-analysis-hostname>: The hostname of the Malware Analysis appliance.
- <session-id-range>: The session ID range from which you want to recover (e.g. 1-101, 100-200, 200-300).
For example, if you wished to recover the session ID range 1-101 on a Decoder with the hostname nwdecoder, pointing to the Malware Analysis appliance with the hostname nwmalware, you would use the syntax below.
http://login:password@nwdecoder:50104/decoder/config/recovery?msg=setrecov&force-content-type=text/plain&expiry=600&device=nwmalware&key=sessions.invalid&value=1-101
The next time the Malware Analysis service queries the core appliance, it will go back to that session ID but won't delete any events. It will drain events in the queue that are greater than this session ID.
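The same request issued from a shell, as an added example that is not from the NetWitness documentation. The helper names build_recovery_url and send_recovery are hypothetical, the host names are the article's own example values, and credentials are handed to curl with -u rather than embedded in the URL so they stay out of shell history and proxy or web-server access logs.

```shell
#!/bin/sh
# Hypothetical helper (not a NetWitness tool): validate the arguments,
# build the Malware Analysis recovery URL, and issue it with curl.

# build_recovery_url HOST PORT SERVICE_TYPE MA_HOST RANGE
# Prints the URL on success; returns 1 on a malformed argument.
build_recovery_url() {
    host=$1; port=$2; svc=$3; ma_host=$4; range=$5
    case "$svc" in
        decoder|concentrator|broker) ;;
        *) echo "bad service type: $svc" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # Session range must be START-END with START <= END, e.g. 1-101.
    case "$range" in
        *[!0-9-]*|-*|*-|*-*-*) echo "bad range: $range" >&2; return 1 ;;
    esac
    start=${range%-*}; end=${range#*-}
    [ "$start" = "$range" ] && { echo "bad range: $range" >&2; return 1; }
    [ "$start" -le "$end" ] || { echo "bad range: $range" >&2; return 1; }
    printf 'http://%s:%s/%s/config/recovery?msg=setrecov&force-content-type=text/plain&expiry=600&device=%s&key=sessions.invalid&value=%s\n' \
        "$host" "$port" "$svc" "$ma_host" "$range"
}

# send_recovery USER PASSWORD HOST PORT SERVICE_TYPE MA_HOST RANGE
# Credentials go in the Authorization header via -u, not in the URL.
send_recovery() {
    url=$(build_recovery_url "$3" "$4" "$5" "$6" "$7") || return 1
    curl -sS -u "$1:$2" "$url"
}

# Example matching the article (constructed values; uncomment to run):
# send_recovery admin netwitness nwdecoder 50104 decoder nwmalware 1-101
```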
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Malware Analysis
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7 / AlmaLinux 8.9
Summary
How to ensure that, if the Malware Analysis service temporarily goes down, all of the sessions from that period will still be processed.