Unable to submit files to CASMA appliance for sandbox analysis from SEDR appliance console

Article ID: 170440

Products

Endpoint Detection and Response

Issue/Introduction

Symantec Endpoint Detection and Response (SEDR) supports submitting files to the Content Analysis Service / Malware Analysis (CAS/MA) appliance for sandbox analysis. The on-premises sandboxing settings have been configured in the SEDR appliance console, but no files are submitted.

Cause

The Malware Analysis (MA) feature of the Content Analysis Server (CAS), referred to together as CAS/MA, accepts incoming file submissions on the same HTTPS port that serves its user interface (UI). The default HTTPS UI port of CAS/MA is 8082, but the UI may be configured to accept HTTPS traffic on any single port above 1025. Changing the HTTPS port of the CAS/MA UI therefore also changes the port on which the on-box malware analysis feature listens for submissions. If SEDR is configured with the correct CAS/MA address but the wrong port, its submission connections never reach that listener and no files are submitted.

Environment

SEDR 4.0.

Resolution

  • For SEDR 4.0.0, enter the CAS/MA HTTPS UI port in the separate port field provided in the sandboxing settings.
  • For ATP 3.0.5, append the port number to the CAS/MA IP address or host name (host:port) on the Settings > Global page, in the Sandboxing section.
  • For ATP 3.0.0, which has no port setting, configure port forwarding on an intervening device such that ATP's outgoing connections to port 443 are forwarded to the CAS/MA HTTPS UI port.

If you receive a specific error message after specifying the port number, troubleshoot that error message as a separate issue. For intermittent connectivity problems, use the following command at the SEDR CLI to check network connectivity between the management interface of the SEDR appliance console and the HTTPS UI port of CAS/MA:

tcp_check IP_ADDRESS PORT

... where IP_ADDRESS is the IP address of the CAS/MA UI and PORT is the TCP port on which CAS/MA serves its user interface (8082 unless it has been changed). A successful check only proves that a TCP connection can be established to that port; it does not confirm that the CAS/MA UI is what answers there, so also verify the configured HTTPS port on the CAS/MA side.
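The connectivity check above, together with the host:port convention used by ATP 3.0.5, as an added example that is not part of the original article or of Symantec's tooling: a small Python reimplementation that parses a host[:port] target (falling back to the CAS/MA default of 8082), performs the TCP connect that tcp_check performs from an administrator's workstation, and reports why a connection failed. The local listener, the sample targets and the function names are constructed for this example and do not reproduce the SEDR command's output format.

```python
"""Offline-checkable stand-in for the SEDR CLI command
``tcp_check IP_ADDRESS PORT``.  Added example, not Symantec code."""
import socket
import threading
from contextlib import closing

# Default HTTPS UI (and therefore malware-analysis listener) port of CAS/MA.
DEFAULT_CAS_UI_PORT = 8082


def parse_target(target, default_port=DEFAULT_CAS_UI_PORT):
    """Split 'host' or 'host:port' into (host, port).

    Mirrors the ATP 3.0.5 convention of appending the port to the address;
    a bare host falls back to 8082.  Bracketed IPv6 literals such as
    '[fd00::1]:8443' are also accepted (an assumption of this example,
    not something the article states).
    """
    target = target.strip()
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        port_str = rest[1:] if rest.startswith(":") else ""
    elif target.count(":") == 1:
        host, _, port_str = target.partition(":")
    else:
        host, port_str = target, ""
    if not host:
        raise ValueError("empty host in target %r" % target)
    port = int(port_str) if port_str else default_port
    if not 1 <= port <= 65535:
        raise ValueError("port %d out of range" % port)
    return host, port


def tcp_check(host, port, timeout=3.0):
    """Attempt a TCP connect to host:port, as the SEDR tcp_check command does.

    Returns (True, 'connected') or (False, '<reason>').  Only the TCP
    handshake is exercised; success does not prove that the CAS/MA HTTPS UI
    is what answers on that port.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True, "connected"
    except socket.timeout:
        return False, "timeout after %.1fs (filtered, or no route?)" % timeout
    except OSError as exc:
        return False, "%s (port closed, host down, or firewall reset?)" % exc


def check_targets(targets, timeout=3.0):
    """Run tcp_check over a list of 'host[:port]' strings.

    Returns {target: (host, port, ok, detail)} so callers can tell a parse
    problem (wrong port appended) from a network problem.
    """
    results = {}
    for t in targets:
        host, port = parse_target(t)
        ok, detail = tcp_check(host, port, timeout)
        results[t] = (host, port, ok, detail)
    return results


def start_local_listener(host="127.0.0.1"):
    """Start a throwaway listener on an ephemeral loopback port so the check
    can be demonstrated offline (a constructed stand-in for a CAS/MA box)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_local_listener()
    # Constructed targets: the local stand-in, and loopback port 1 (almost
    # certainly closed) to show what a misconfigured port looks like.
    targets = ["127.0.0.1:%d" % port, "127.0.0.1:1"]
    for target, (host, p, ok, detail) in check_targets(targets).items():
        print("%-22s -> %s:%d %s (%s)" % (target, host, p,
                                          "OK" if ok else "FAIL", detail))
    srv.close()
```

When run against a real CAS/MA address, pair a passing check with a browser or curl request to https://host:port/ to confirm that the UI, and not some other service, is listening on the port you entered in SEDR.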