
File Reputation Service test is failing on Security Analytics


Article ID: 228769


Products

Security Analytics

Issue/Introduction

File Reputation Services (also known as Symantec Intelligence Services or FRS) fails when you run the test under Settings > Data Enrichment.

The Symantec Intelligence Services subscription shows as valid under License Details.

The log file shows a '401 unauthorized' message.

Cause

This is normally caused by a problem with the credentials being used on the backend to authenticate the Security Analytics appliance for FRS lookups in the Intelligence Services database.  

Resolution

Generate a gindiag report and open a case with technical support so that they can check if the credentials have been properly added on the backend. 

To generate a gindiag report:

  1. Go to Settings > Data Enrichment
  2. Click the 'Test Services' link
  3. Click Download Diagnostic Data
  4. Open a case with technical support

Additional Information

Here is some sample output of the test.  The key to the problem is the 401 error.

 

File Reputation Service Rules Config Success 
Rules:
name: Symantec File Reputation Service
active: true
Integration providers:
name: Symantec File Reputation Service
active: true
File Reputation Service Credentials Success 
Valid credentials: true
Frs vault file exists: true
File Reputation Service Failure 
Flags:
Score: 5
Result: true
Status: completed
Artifact:
md5: d6473e979be14485d0b3be082a8c6262
host:
sha1: c9af9515f786800be311e47ccf42b677decb5238
sha256: 4156ec20681819cfe4bd1bde685bb9c466ea20bb77a7e4830b55ff3426ee0590
filename: /home/tonic_file
CacheIds:
Responses:
Provider responses:
response:
status: error
err_code: ERR_CODE_UNKNOWN
error_message: exception (unhandled HTTP response: 401 unauthorized)
request_id: ReputationResponse_1635066670c0f4b49d9e5464d5cbd1
integration_provider:
data:
type: file_reputation_service
category: file
integration_provider_uuid: 5fa9d787-ca80-449b-b6b5-63157f000001
name: Symantec File Reputation Service
uuid: 5fa9d787-ca80-449b-b6b5-63157f000001
active: true
ordinal: 20
licensed: true
pivot_url:
class_type: standard
description: With the protocol-agnostic File Reputation Service, you can customize as many rules as you like to send the hashes of potentially malicious files to the Symantec Global Intelligence Network (GIN) for evaluation. Using the comprehensive, real-time threat data from more than 15,000 customers and 75 million endpoints, GIN immediately returns the latest file-reputation information to Security Analytics.
appliance_id: 0
last_modified_date: 2021-09-20 10:19:25+03
integration_provider_type:
name: Symantec File Reputation Service
league: reputation
abyssal: false
bigfile: false
creatable: false
deletable: false
edit_type: internal
pivot_only: false
internal_name: file_reputation_service
user_initiated: true
last_modified_date: 2020-11-10 02:59:17.724164+03
associate_with_action: true
integration_provider_category:
name: file
integration_provider_type_uuid: 5fa9d787-cc3c-4947-8276-63157f000001
integration_provider_category_uuid: 5fa9d783-2b34-46ca-b61c-63157f000001
integration_provider_tonic_actions:
integration_provider_type_field_set:
name: boolean
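
The pattern in the output above (local credential checks report Success while the provider response carries the 401) can be checked mechanically before opening the support case. The following is an added example, not part of the original article or the product; the function names and result labels are hypothetical, and the sample text is a constructed excerpt in the same layout as the test output.

```python
import re

# Constructed excerpt, same layout as the test output shown above.
SAMPLE = """\
File Reputation Service Rules Config Success
name: Symantec File Reputation Service
File Reputation Service Credentials Success
Valid credentials: true
Frs vault file exists: true
File Reputation Service Failure
Status: completed
Provider responses:
status: error
err_code: ERR_CODE_UNKNOWN
error_message: exception (unhandled HTTP response: 401 unauthorized)
"""

# Section headers end in Success or Failure, e.g. "... Credentials Success".
SECTION = re.compile(r"^(File Reputation Service(?: [A-Za-z ]+?)?) (Success|Failure)$")
# HTTP status code embedded in the provider's error_message line.
HTTP_ERR = re.compile(r"^error_message:.*HTTP response: (\d{3})\b")


def parse_frs_test(text):
    """Return (sections, http_codes): result per section and HTTP error codes seen."""
    sections, http_codes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            sections[m.group(1)] = m.group(2)
        elif m := HTTP_ERR.match(line):
            http_codes.append(int(m.group(1)))
    return sections, http_codes


def triage(text):
    """Label the result; the labels are hypothetical names for this example."""
    sections, codes = parse_frs_test(text)
    if sections.get("File Reputation Service") != "Failure":
        return "no-failure-reported"
    local_ok = sections.get("File Reputation Service Credentials") == "Success"
    # Local checks pass but the service answers 401: the case this article covers.
    if local_ok and 401 in codes:
        return "backend-credentials"
    return "other-failure"


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "backend-credentials" result matches the situation described here, where the fix is on the backend and requires the gindiag report and a support case.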
