Security Analytics reaches out to the internet to various IP addresses for data enrichment by external providers. The external sites provide risk scores for malware found on the internet and update these tables as new samples are found. The tables are provided to Security Analytics for better identification.
Dark sites or air-gapped sites will not allow Security Analytics data enrichment to validate the risk score for files found on the network. Several features need to be deactivated to prevent the sensors from attempting to reach the internet.
How do you disable ClamAV?
All versions of Security Analytics
There are several features in Security Analytics that attempt to connect to the internet. Each must be deactivated individually.
mv /etc/monit.d/freshclamd /home/
systemctl restart monit
systemctl disable solera-freshclamd
This process prevents the freshclam service from being restarted and kills any running freshclam processes.
You can also use tcpdump to discover the traffic coming to and going from the Security Analytics server. Use Ctrl+C to stop the capture.
For example, tcpdump -i bond0 host service_IP_here and port 8443
Or tcpdump -i bond0 not port 22
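To confirm that no feature is still trying to leave an air-gapped appliance, the tcpdump output from the captures above can be checked for destinations outside the private address ranges. The script below is an added example, not part of this article or of the Security Analytics product; the capture lines it parses are constructed, and it assumes tcpdump was run with -n so that addresses are printed numerically (name resolution would itself generate outbound DNS lookups).

```shell
#!/bin/sh
# Added example (not from the article): list destination IPv4 addresses in a
# tcpdump text capture that fall outside RFC1918, loopback, link-local,
# multicast and broadcast space. On an air-gapped sensor the output should be
# empty; any address printed is a feature still trying to reach the internet.
# Typical use on the appliance:  tcpdump -n -i bond0 not port 22 | external_dests
#
# external_dests [SENSOR_IP]
#   reads tcpdump lines on stdin; with SENSOR_IP given, only packets sent by
#   that address are considered, so inbound replies never appear in the list.
external_dests() {
  awk -v sensor="$1" '
    $2 == "IP" && $4 == ">" {
      src = $3; sub(/\.[0-9]+$/, "", src)      # strip source port
      if (sensor != "" && src != sensor) next   # keep only the sensor as sender
      dst = $5
      sub(/:$/, "", dst)                        # drop trailing colon
      sub(/\.[0-9]+$/, "", dst)                 # strip destination port
      if (dst ~ /^10\./ || dst ~ /^192\.168\./) next
      if (dst ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      if (dst ~ /^127\./ || dst ~ /^169\.254\./) next
      if (dst ~ /^2(2[4-9]|3[0-9])\./ || dst == "255.255.255.255") next
      if (!seen[dst]++) print dst               # report each external host once
    }'
}

# Constructed sample capture (tcpdump -n format). Two packets head for
# external test-net addresses; the rest stay inside RFC1918 space.
CONSTRUCTED_CAPTURE='12:00:01.000001 IP 10.20.30.40.51512 > 10.20.30.1.53: 12345+ A? updates.example.invalid. (41)
12:00:01.000002 IP 10.20.30.40.51513 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 10.20.30.40.51514 > 192.168.5.9.8443: Flags [S], seq 2, win 64240, length 0
12:00:01.000004 IP 10.20.30.40.51515 > 203.0.113.25.80: Flags [S], seq 3, win 64240, length 0
12:00:01.000005 IP 198.51.100.7.443 > 10.20.30.40.51513: Flags [S.], seq 0, ack 2, length 0'

# Number of distinct external destinations in the constructed capture.
external_dest_count() {
  printf '%s\n' "$CONSTRUCTED_CAPTURE" | external_dests "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$CONSTRUCTED_CAPTURE" | external_dests 10.20.30.40
```

Pipe a live capture into external_dests after applying the freshclam steps above; if the list is still non-empty, another data-enrichment feature remains active.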