Security Analytics is trying to reach out to the internet

Article ID: 228154

Products

Security Analytics

Issue/Introduction

Security Analytics reaches out to the internet, to various IP addresses, for data enrichment by external providers.  The external sites provide risk scores for malware found on the internet and update their tables as new samples are found.  These tables are provided to Security Analytics for better identification.

Dark sites or air-gapped sites will not allow Security Analytics data enrichment to validate the risk score for files found in the network.  Several features need to be deactivated to prevent the sensors from attempting to reach the internet.

How do you disable ClamAV?

Environment

All versions of Security Analytics

Resolution

There are several features in Security Analytics that attempt to connect to the internet.  Each must be deactivated individually.

  • Select the Analyze -> Rules menu to find the Activated Rules in the Data Enrichment group.  Each of these needs to be deactivated.  Under Actions on the right, the activation button turns red when the rule is deactivated.
  • Select Settings -> Data Enrichment, and under Actions, deactivate each section for any providers not used in your rules.  This prevents any new rules that use the external providers from being activated.
  • Select System Health -> Tests from the menu on the left side.  Under Actions, deactivate the groups Data Enrichment, Intelligent Services, and Software Updates.  This prevents the tests that reach out to the internet from running.  These tests check connectivity to providers or try to discover Security Analytics updates that might be available.
  • To disable ClamAV, log in as root at the command line and run the following commands:
    1. mv /etc/monit.d/freshclamd /home/
    2. systemctl restart monit
    3. systemctl disable solera-freshclamd
    4. pkill freshclam

    Moving the monit configuration and disabling the unit prevents the freshclam service from being restarted, and pkill stops any running freshclam processes.

Additional Information

You can also use tcpdump to discover the traffic coming from and going to the Security Analytics server.  Use Ctrl+C to stop the capture.

For example, to watch traffic to a single provider on port 8443:

  tcpdump -i bond0 host service_IP_here and port 8443

Or, to see all traffic except SSH (port 22):

  tcpdump -i bond0 not port 22
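After deactivating the features above, a quick way to confirm that the appliance no longer initiates connections outside the local network is to run the second tcpdump command with -n and summarise the outbound SYNs. The following script is an added example and not part of the article or the product; the sensor address, the internal network range and the capture lines are constructed (RFC 5737 documentation addresses).

```python
"""Summarise outbound connection attempts from a Security Analytics sensor
using `tcpdump -n` text output, to verify nothing still reaches the
internet after data enrichment, system tests and freshclam are disabled.
All sample data below is constructed for this example."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the IPv4/TCP line format printed by `tcpdump -n` (no name resolution), e.g.
# 12:00:01.000100 IP 10.10.0.5.44321 > 203.0.113.10.8443: Flags [S], seq 1, ...
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: hypothetical sensor 10.10.0.5, two external providers,
# an inbound SSH session from an admin host, and one internal HTTPS connection.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.10.0.5.44321 > 203.0.113.10.8443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.10.0.5.44322 > 203.0.113.10.8443: Flags [S], seq 2, win 64240, length 0
12:00:02.000300 IP 10.10.0.5.51000 > 198.51.100.7.80: Flags [S], seq 3, win 64240, length 0
12:00:03.000400 IP 10.10.0.9.50000 > 10.10.0.5.22: Flags [S], seq 4, win 64240, length 0
12:00:03.000500 IP 10.10.0.5.22 > 10.10.0.9.50000: Flags [S.], seq 5, ack 5, win 65160, length 0
12:00:04.000600 IP 10.10.0.5.40000 > 10.10.0.20.443: Flags [S], seq 6, win 64240, length 0
"""


def outbound_syn_destinations(capture, sensor_ip, internal_nets=("10.0.0.0/8",)):
    """Return {(dst_ip, dst_port): count} for new connections (bare SYN) that the
    sensor initiates to addresses outside the listed internal networks.
    Port 22 is ignored, matching the `not port 22` filter used in the article."""
    nets = [ip_network(n) for n in internal_nets]
    counts = Counter()
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m or m["src"] != sensor_ip:
            continue                       # not a parsable line, or not sent by the sensor
        if m["flags"] != "S":
            continue                       # only the initial SYN, not SYN-ACK replies or data
        dst, dport = m["dst"], int(m["dport"])
        if dport == 22 or any(ip_address(dst) in n for n in nets):
            continue                       # SSH management traffic or internal destination
        counts[(dst, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dst, port), n in sorted(outbound_syn_destinations(SAMPLE_CAPTURE, "10.10.0.5").items()):
        print(f"{dst}:{port}  {n} connection attempt(s)")
```

On an air-gapped deployment the expected result after the changes above is an empty summary; any destination that still appears points to a rule, provider, test or service that was missed.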