How to change which FireEye base profile Security Analytics uses for Data Enrichment


Article ID: 168388

Patch Management Solution for Windows Security Analytics


With newer versions of the FireEye MAS server (specifically 7.x), the base profiles have changed. In the past, Security Analytics (Solera Networks) used the winxp-base profile as the default. That profile has been removed in MAS 7.x. Starting with Security Analytics version 7.1.5, the default profile has been changed to winxp-sp2. However, you may want to use a different profile, and there is currently no way to change this profile from the GUI.


These steps assume that you have already configured the Security Analytics appliance to point to your FireEye MAS server with a user that has appropriate rights (Settings > Data Enrichment in the GUI).

In order to change the default profile that Security Analytics uses for sending files to the FireEye MAS appliance, you must do the following:

1.  Log in to the CLI as the root user.
2.  Make a backup of the current fireeye configuration file:

cp /usr/lib64/python3.3/site-packages/derp/providers/ /usr/lib64/python3.3/site-packages/derp/providers/fireeye.bak

3.  Edit the current file:

vi /usr/lib64/python3.3/site-packages/derp/providers/

4.  Press the '/' key to start a search and then enter 'win' and press Enter.

The cursor should take you to this line:

'ssh {0[username]}@{0[remote]} cli \\"malware analyze live url file:{1[filename]} timeout 60 priority normal guestos winxp-sp2 no-prefetch force\\"',

Make note of the guestos value. In this case the guestos is 'winxp-sp2'.

5.  To change the base profile, press the i key to enter Insert mode and change the guestos parameter to the desired profile. The default list of profiles supported in FireEye MAS version 7.x is as follows:


6.  Once the change has been made, press the ESC key to go back to command mode and then enter :wq to save and exit.

7.  Restart the derpd process by entering:  service derpd restart

FireEye submissions should now be sent to the correct profile.
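The same change as a scripted helper, added here as an example and not part of the article or of the Security Analytics product. It reproduces steps 2, 4, 5 and 6: read the current guestos value, back the file up, rewrite only the guestos token on the 'malware analyze live url' line, and refuse to touch the file unless exactly one such line exists and the requested profile looks like a profile name. The file path is passed as an argument because the article truncates the provider file name; run it as root and follow it with the derpd restart from step 7.

```shell
#!/bin/sh
# Added example (not from the article): scripted version of steps 2, 4, 5 and 6.
# Assumption: FILE is the fireeye provider file under
# /usr/lib64/python3.3/site-packages/derp/providers/ (name elided in the article).

# current_guestos FILE: print the profile currently configured (step 4's "make note").
current_guestos() {
    sed -n '/malware analyze live url/s/.*guestos \([^ ]*\).*/\1/p' "$1"
}

# set_guestos FILE PROFILE: back FILE up to FILE.bak (step 2), then replace the
# guestos value on the 'malware analyze live url' line (steps 5 and 6).
set_guestos() {
    file=$1
    profile=$2
    # Only accept a plain profile token; anything else would corrupt the python string.
    case $profile in
        *[!A-Za-z0-9._-]*|'') echo "refusing: bad profile name '$profile'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "refusing: $file not found" >&2; return 1; }
    # The article expects exactly one submission line; bail out if the file differs.
    n=$(grep -c 'malware analyze live url .* guestos [^ ]*' "$file" || true)
    [ "$n" -eq 1 ] || { echo "refusing: expected 1 guestos line, found $n" >&2; return 1; }
    cp "$file" "$file.bak" || return 1
    # Rewrite only the guestos token on that line; portable (no sed -i) via a temp file.
    sed "/malware analyze live url/s/guestos [^ ]*/guestos $profile/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file" || return 1
    # Confirm the edit landed before the caller restarts derpd (step 7).
    grep -q "guestos $profile " "$file"
}
```

Check the result with `current_guestos FILE` before running `service derpd restart`.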