RSA NetWitness Endpoint: Yara and/or OPSWAT integration in 11.x
Issue
The Yara and OPSWAT MetaDefender programs can be integrated with NetWitness Endpoint 4.4.x (formerly known as ECAT) and earlier versions. This article provides details about the state of that integration in NetWitness Endpoint 11.x.
Workaround
For NetWitness versions earlier than 11.6, where the Yara and OPSWAT MetaDefender programs are not supported, an analyst can manually download modules/files from the NetWitness UI to local disk and then use the external program to scan the file(s). In the NetWitness UI, go to Investigate > Files.
Select the file(s), then click More Actions > Save a Local Copy.
The Yara program can be run against the downloaded file(s) to determine whether any of them match a known malicious or otherwise suspicious signature or string.
The downloaded file(s) can also be uploaded through the MetaDefender URL for analysis by OPSWAT.
This is an entirely manual process and does not feed any updated status back into the NetWitness Suite; results have to be recorded and correlated by hand (for example, by file hash).
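Because the workaround above returns nothing to NetWitness, it helps to batch-scan every saved copy and keep a report keyed by SHA-256 so matches can be correlated with the file hashes shown in Investigate > Files. The script below is an added example written for this article, not code shipped with NetWitness or YARA: it walks a directory of downloaded files, runs the standard `yara` command-line tool against each one, and builds a plain-text report. The rule, the sample files and the directory layout are all constructed here for illustration; the rule is not a real signature.

```python
"""Batch-scan files saved via "Save a Local Copy" with the yara CLI and
report matches keyed by SHA-256. Added example; assumes the `yara` binary
is on PATH (https://virustotal.github.io/yara/)."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed example rule. It only looks for a marker string so the demo
# below can exercise it; it is not a real detection signature.
SAMPLE_RULE = r'''
rule example_marker_string
{
    meta:
        description = "Constructed example: matches a marker string"
    strings:
        $marker = "EVIL_MARKER_STRING" ascii
    condition:
        $marker
}
'''


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large modules are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def yara_available():
    """True when the yara command-line tool can be found on PATH."""
    return shutil.which("yara") is not None


def parse_yara_output(stdout):
    """yara prints one line per match as '<rule_name> <file path>';
    return the matched rule names in order, without duplicates."""
    rules = []
    for line in stdout.splitlines():
        line = line.strip()
        if not line:
            continue
        name = line.split(" ", 1)[0]
        if name not in rules:
            rules.append(name)
    return rules


def run_yara(rules_path, target):
    """Run `yara <rules> <file>` and return the matching rule names.
    yara exits 0 whether or not anything matched; non-zero means an error."""
    proc = subprocess.run(
        ["yara", str(rules_path), str(target)],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"yara failed on {target}: {proc.stderr.strip()}")
    return parse_yara_output(proc.stdout)


def scan_directory(directory, rules_path):
    """Scan every regular file in `directory`; return a list of result dicts."""
    results = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        results.append({
            "file": path.name,
            "sha256": sha256_file(path),
            "matches": run_yara(rules_path, path),
        })
    return results


def build_report(results):
    """Render results as 'sha256  file  rules' lines for manual correlation."""
    lines = ["sha256  file  matched_rules"]
    for item in results:
        rules = ",".join(item["matches"]) if item["matches"] else "-"
        lines.append(f"{item['sha256']}  {item['file']}  {rules}")
    return "\n".join(lines)


def demo():
    """Create two constructed files and scan them with SAMPLE_RULE."""
    if not yara_available():
        raise RuntimeError("yara is not installed or not on PATH")
    with tempfile.TemporaryDirectory() as workdir:
        saved = Path(workdir) / "saved_copies"
        saved.mkdir()
        (saved / "benign.bin").write_bytes(b"MZ\x90\x00 nothing to see here")
        (saved / "suspect.bin").write_bytes(b"MZ\x90\x00 EVIL_MARKER_STRING")
        rules = Path(workdir) / "example.yar"
        rules.write_text(SAMPLE_RULE)
        return build_report(scan_directory(saved, rules))


if __name__ == "__main__":
    print(demo())
```

When `yara` is installed, the demo reports the marker string match for `suspect.bin` and a `-` for `benign.bin`; the SHA-256 column is what you would compare against the hash NetWitness displays for the file, since nothing here updates the file's status inside the product.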
Resolution
The RSA NetWitness Suite 11.x allows NetWitness Endpoint to be built either as a standalone Endpoint server or as an Endpoint Log Hybrid server.
- The Yara program is supported for integration with NetWitness 11.6.0.0 and above.
Yara is not supported in versions earlier than NetWitness 11.6.
See the Yara announcement under Endpoint Highlights in "RSA announces the release of RSA NetWitness Platform 11.6".
- Integration of the OPSWAT MetaDefender program (and other third-party tools) with NetWitness 11.x is currently not supported.
RSA Engineering is working towards support for the OPSWAT MetaDefender program in the future NetWitness 11.6.1.0 release.
Product Details
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 11.x
Platform: Linux, Windows
Summary
Yara rules and OPSWAT MetaDefender integration were features of ECAT 4.4.x and below. This article discusses the status of these features in NetWitness Endpoint 11.x.