
Configuring a test SEDR 4.0 or test ATP 3.2 to use CAS/MA as a local virtual sandbox


Article ID: 173769

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Symantec Endpoint Detection and Response (SEDR)
Advanced Threat Protection (ATP) Platform

Steps for configuring SEDR 4.0 or ATP Platform 3.2 to point to a local instance of a Content Analysis Server (CAS) with Malware Analysis (MA) virtual sandboxing feature enabled.

Environment

  • ATP 3.2
  • SEDR 4.0 and newer

Resolution

To configure SEDR 4.0 (or ATP 3.2) to use CAS/MA for sandboxing, complete each of the following procedures in order:

  1. Insert a license into CAS for the Malware Analysis feature, if not already done.
  2. At the CAS command line, enable the ma feature.
  3. Set a default profile for sandboxing within the CAS/MA UI.
  4. Set the CAS/MA HTTPS port to 443.
  5. Create an API key within CAS/MA.
  6. Configure the SEDR sandbox settings.
  7. Test sandbox submissions.

To set a default profile for sandboxing.

  1. Within CAS/MA, navigate to Services > Sandboxing
  2. On the Symantec On-box Sandboxing tab, under “Scanning Profiles”, click Windows 7 64-bit
  3. On the “Customize and Build” dialog box, click “Set as default profile”.
  4. Click “X” to close the dialog box.

    NOTE: If no default profile is set, CAS/MA accepts the initial file submission from SEDR or ATP but returns HTTP 500 to every follow-up request in which SEDR or ATP polls whether analysis of the file has finished. The SEDR or ATP Logging page shows this state by marking the submission with a "6:ERROR" status and the reason "ERROR_SANDBOX_QUERY_FAIL".


To set CAS/MA HTTPS port to 443.

  1. Within CAS/MA UI, navigate to “Settings > Web Management”.
  2. To the right of HTTPS Administration, in the Port field, type: 443.
  3. Click “Certificate Management”.
  4. Save the certificate to a local file.


To create an API key within CAS/MA

  1. Within the CAS/MA UI, navigate to Settings > Users.
  2. Create a new user with the analyst role.
  3. Use PuTTY or another SSH client to connect to CAS/MA appliance with administrator credentials.
  4. To enter the command mode, type:
    enable
  5. At the prompt ending with a hash ('#'), create an API key for the new account by typing:
    ma-actions api-key create user ANALYST

    ...where ANALYST is the user name of the new account with the analyst role.
  6. Note the new API Key and Key ID, preferably by copying each into Notepad or a similar plain-text editor so that no formatting characters are introduced.

To configure SEDR Sandbox settings.

  1. In a web browser, navigate to the UI of SEDR
  2. Log on with a SEDR user or AD user that has admin role within SEDR
  3. Navigate to Settings > Appliances
  4. Do one of the following:
     • To edit the default appliance, click “Edit Default Appliance”.
     • To edit a specific appliance, click it in the “Appliances” list, scroll down to Sandboxing, and uncheck “Use default”.
  5. Click “Edit Sandboxing Settings”.
  6. On the “Edit Sandbox Settings” dialog box, click the Service drop-down menu, then select "Symantec Content Analysis (on-premise sandboxing)"
  7. In the Server field, type the host name or IP address of the CAS/MA appliance
  8. In the Port field, type the TCP port on which CAS/MA listens for UI requests (443, as set above).
  9. In the User field, type the user name of the new CAS/MA user with the analyst role.
  10. In the Token field, type the API Key.
  11. (OPTIONAL) Check “Use Network Proxy” to reach the sandbox appliance through the SEDR/ATP network proxy.
  12. (OPTIONAL) Check “Validate Server Certificate” and browse to the server certificate saved from CAS/MA.
      NOTE: A certificate obtained from the sandbox appliance must contain the full certificate chain, not only the leaf certificate. SEDR also accepts a self-signed certificate from the sandbox server.
  13. Click Save.
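
The certificate-chain caveat in step 12 can be checked before the file is uploaded to SEDR. The POSIX shell script below is an added example and is not Symantec code; it assumes that openssl is on the PATH and that its argument is the PEM file saved from the CAS/MA Certificate Management page (step 4 of the HTTPS port procedure). It exits 0 when the file holds either a self-signed certificate or a leaf followed by its issuing chain, and 1 when it holds only a CA-issued leaf, which is the case the note warns about. It checks only the shape of the file, not SEDR's own validation logic.

```shell
#!/bin/sh
# check_cas_cert.sh: preflight for SEDR's "Validate Server Certificate" option.
# Added example, not Symantec code. Assumes: openssl on PATH; the argument is the
# PEM file exported from CAS/MA (Settings > Web Management > Certificate Management).
# Exit status: 0 = self-signed or leaf plus chain present,
#              1 = CA-issued leaf without its chain (SEDR validation will fail),
#              2 = file unreadable or contains no certificate.

# Number of PEM certificate blocks in the file (grep's exit 1 on zero matches is masked).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject or issuer DN of the FIRST certificate in the file, "subject=" prefix stripped.
cert_dn() {
    openssl x509 -in "$1" -noout "-$2" 2>/dev/null | sed 's/^[a-zA-Z]*= *//'
}

check_cas_cert() {
    pem="$1"
    if [ ! -r "$pem" ]; then
        echo "$pem: cannot read file" >&2
        return 2
    fi
    n=$(count_certs "$pem")
    if [ "$n" -eq 0 ]; then
        echo "$pem: no certificate found" >&2
        return 2
    fi
    subject=$(cert_dn "$pem" subject)
    issuer=$(cert_dn "$pem" issuer)
    if [ "$n" -ge 2 ]; then
        echo "$pem: leaf plus chain ($n certificates), OK for SEDR"
        return 0
    fi
    if [ "$subject" = "$issuer" ]; then
        echo "$pem: single self-signed certificate, accepted by SEDR"
        return 0
    fi
    echo "$pem: leaf only, issued by '$issuer'; export the full chain before uploading" >&2
    return 1
}

# Run as a script: ./check_cas_cert.sh cas-ma.pem
if [ "$#" -eq 1 ]; then
    check_cas_cert "$1"
fi
```

If the script reports "leaf only", export the chain from CAS/MA again (or concatenate the leaf and the issuing CA certificates into one PEM file, leaf first) before enabling “Validate Server Certificate” in SEDR.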

To test SEDR sandbox submissions.

  1. Within SEDR UI, navigate to Settings > Global.
  2. Uncheck “Submit suspicious files to sandbox for analysis”.
  3. Place a test client in a SEP client group that is one of the group inclusions of a SEPM Controller already configured in SEDR.
  4. On the test client, copy a unique suspicious file, such as EICAR malware C from 7Blessings, here:
    http://7blessings.co.uk/malware.php#malwareeicarc
  5. Within the SEDR UI, on the “Search” tab, locate the log entry for the suspicious file detection from the SEP client. Click the file name to open the Entity for that detection.
  6. On the Entity page, click “Get File”.
  7. Navigate to the Logging page to monitor the Get File command.
  8. When the Logging page shows that the file has been retrieved to the SEDR appliance, return to the Entity page and click "Submit to Sandbox".
  9. Return to the Logging page to monitor the file submission to the CAS/MA sandbox.