File submission to FireEye MAS results in ERR_CODE_RUNTIME_EXCEPTION in Security Analytics


Article ID: 168203


Security Analytics


When files are submitted to FireEye MAS 7.x through Data Enrichment, they do not create an analysis task.
Instead, the /var/log/messages log shows an entry like this:

Nov 6 06:09:55 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File bluecoat-10g_2014-11-06T08.45.00-0500_24.99.233.46-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe does not exist


This can be caused by insufficient privileges of the user specified for MAS submission.


Make sure the MAS user is an admin user, not an analyst.

To verify the problem, you can use the attached Python script.
Connect to the Security Analytics appliance via SSH.

1. Back up the existing script file:  cp /usr/lib64/python3.3/site-packages/derp/providers/ /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak
2. Replace the file in /usr/lib64/python3.3/site-packages/derp/providers with the attached version of the file.
3. Restart derpd:
service derpd restart
4. Request a FireEye analysis.
5. /var/log/messages will show the permission error if you search for the submitted filename.
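
One way to do the log search from the last step in the SSH session, as an added example that is not part of the original article or the attached script. The function names are hypothetical, and the parsing assumes syslog lines laid out like the entry quoted above; the wording of the permission error is not shown in this article, so `de_errors` prints every Data-Enrichment error line that mentions the filename.

```shell
#!/bin/sh
# Added example, not vendor code. Both functions read syslog text on stdin.

# de_errors [FILENAME]: print "time<TAB>code<TAB>message" for each
# Data-Enrichment error line, optionally only lines mentioning FILENAME.
de_errors() {
    DE_NAME=${1:-} awk '
        $5 == "Data-Enrichment:" && $6 == "error:" {
            name = ENVIRON["DE_NAME"]
            if (name != "" && index($0, name) == 0) next   # fixed-string match
            msg = $0
            sub(/^.* Data-Enrichment: error: [^ ]+ : /, "", msg)
            printf "%s %s %s\t%s\t%s\n", $1, $2, $3, $7, msg
        }'
}

# de_failed_artifacts: print "count<TAB>file" for every artifact reported as
# "Failed to submit artifact: % File <file> does not exist", most frequent first.
de_failed_artifacts() {
    awk '
        $5 == "Data-Enrichment:" && /Failed to submit artifact: % File .* does not exist/ {
            f = $0
            sub(/^.*Failed to submit artifact: % File /, "", f)
            sub(/ does not exist.*$/, "", f)
            count[f]++
        }
        END { for (f in count) printf "%d\t%s\n", count[f], f }' | sort -rn
}

# Sample input: the first line is the one quoted in this article; the other
# three lines are constructed for this example.
de_sample_log() {
    cat <<'EOF'
Nov 6 06:09:55 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File bluecoat-10g_2014-11-06T08.45.00-0500_24.99.233.46-51098_192.168.2.122-80_172e6256e2f6ca8f587b322dcab6c94f1_22.exe does not exist
Nov 6 06:10:02 bluecoat-10g sshd[2211]: Accepted password for admin from 192.0.2.10 port 50022 ssh2
Nov 6 06:12:40 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File constructed_sample_a.exe does not exist
Nov 6 06:12:41 bluecoat-10g Data-Enrichment: error: ERR_CODE_RUNTIME_EXCEPTION : Failed to submit artifact: % File constructed_sample_a.exe does not exist
EOF
}

# Stand-alone run: summarise the log given as $1, else the sample above.
if [ "$#" -ge 1 ]; then
    de_failed_artifacts < "$1"
else
    de_sample_log | de_failed_artifacts
fi
```

On the appliance, `de_errors <submitted filename> < /var/log/messages` lists the error lines for one submission.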