Security Analytics is not sending files to the Malware Analysis Appliance

Article ID: 168632

Products

Security Analytics

Issue/Introduction

When trying to submit files to MAA, you sometimes do not get a result. The messages log shows ERR_CODE_INVALID_VALUE for some files.
 

Resolution

Before sending files to MAA, open an SSH session and tail the messages log:

[[email protected] ~]# tail -f /var/log/messages | grep home/apache/artifacts/

You will see messages like these:


Feb 26 04:21:22 BC-SA Data-Enrichment: error: ERR_CODE_INVALID_VALUE : norman cannot scan /home/apache/artifacts/29/BC-SA_2015-02-26T04.05.00+0000_165.12.252.111-62263_104.72.70.32-80_9bb191c6827273aa978cab39a3587950_15.gif of type "GIF image data, version 89a, 1 x 1"
Feb 26 04:21:22 BC-SA Data-Enrichment: classes.util.process:generic_probe-20: Task norman:0a089a8b86cfc3e2990512336e399a099a2ee83b failed to validate: ERR_CODE_INVALID_VALUE : norman cannot scan /home/apache/artifacts/29/BC-SA_2015-02-26T04.05.00+0000_165.12.252.111-62263_104.72.70.32-80_9bb191c6827273aa978cab39a3587950_15.gif of type "GIF image data, version 89a, 1 x 1"


The error in the log means that the sample was blocked at the data enrichment engine itself because of its magic type: the file type is not supported for submission to MAA.

Try submitting executables, binaries, and office documents to verify that those do get sent to MAA.
Make sure the specific file types you wish to submit are allowed in the Data Enrichment File Types section under Settings > Data Enrichment.
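
To see which file types are being rejected before reviewing the Data Enrichment File Types list, the log lines shown above can be summarised by magic type. This is an added example, not part of the original article or the product; the function names and the sample log lines (hostname, paths, task id) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Summarises ERR_CODE_INVALID_VALUE rejections by file type.
# On the appliance (assumed usage): rejected_types < /var/log/messages

# Print "count<TAB>scanner<TAB>magic type", most frequent first.
rejected_types() {
    awk '
    /ERR_CODE_INVALID_VALUE/ {
        s = index($0, " cannot scan ")      # marker is 13 characters long
        t = index($0, " of type \"")        # marker is 10 characters long
        if (s == 0 || t <= s) next
        path = substr($0, s + 13, t - s - 13)
        type = substr($0, t + 10)
        sub(/"[ \t]*$/, "", type)           # drop the closing quote
        n = split(substr($0, 1, s - 1), w, " ")
        scanner = w[n]                      # word before "cannot scan"
        # The excerpt above shows the same artifact on two lines ("error:"
        # and "failed to validate"), so count each artifact path once.
        if (seen[path]++) next
        count[scanner "\t" type]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample input modelled on the log format shown above.
sample_log() {
cat <<'EOF'
Feb 26 04:21:22 SA-HOST Data-Enrichment: error: ERR_CODE_INVALID_VALUE : norman cannot scan /home/apache/artifacts/29/sample_a_15.gif of type "GIF image data, version 89a, 1 x 1"
Feb 26 04:21:22 SA-HOST Data-Enrichment: classes.util.process:generic_probe-20: Task norman:0000 failed to validate: ERR_CODE_INVALID_VALUE : norman cannot scan /home/apache/artifacts/29/sample_a_15.gif of type "GIF image data, version 89a, 1 x 1"
Feb 26 04:22:10 SA-HOST Data-Enrichment: error: ERR_CODE_INVALID_VALUE : norman cannot scan /home/apache/artifacts/30/sample_b_3.gif of type "GIF image data, version 89a, 1 x 1"
Feb 26 04:23:41 SA-HOST Data-Enrichment: error: ERR_CODE_INVALID_VALUE : norman cannot scan /home/apache/artifacts/30/sample_c_7.txt of type "ASCII text"
Feb 26 04:24:00 SA-HOST sshd[1234]: Accepted publickey for root
EOF
}

sample_log | rejected_types
```

Types that appear in this summary and that you do want analysed are the ones to check under Settings > Data Enrichment.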