File Reputation Service test is failing on Security Analytics

Article ID: 228769

Updated On:

Products

Security Analytics

Issue/Introduction

File Reputation Services (also known as Symantec Intelligence Services or FRS) fails when the test is run under Settings > Data Enrichment.

The Symantec Intelligence Services subscription shows as valid under License Details.

The log file shows a '401 unauthorized' message.

Cause

This is normally caused by a problem with the credentials being used on the backend to authenticate the Security Analytics appliance for FRS lookups in the Intelligence Services database.  

Resolution

Generate a gindiag report and open a case with technical support so that they can check if the credentials have been properly added on the backend. 

To generate a gindiag report:

  1. Go to Settings > Data Enrichment
  2. Click the 'Test Services' link
  3. Click Download Diagnostic Data
  4. Open a case with technical support

Additional Information

Here is some sample output of the test.  The key to the problem is the 401 error.

 

File Reputation Service Rules Config Success 
Rules:
name: Symantec File Reputation Service
active: true
Integration providers:
name: Symantec File Reputation Service
active: true
File Reputation Service Credentials Success 
Valid credentials: true
Frs vault file exists: true
File Reputation Service Failure 
Flags:
Score: 5
Result: true
Status: completed
Artifact:
md5: hash_here
host:
sha1: hash_here
sha256: hash_here
filename: /home/tonic_file
CacheIds:
Responses:
Provider responses:
response:
status: error
err_code: ERR_CODE_UNKNOWN
error_message: exception (unhandled HTTP response: 401 unauthorized)
request_id: ReputationResponse_1635066670c0f4b49d9e5464d5cbd1
integration_provider:
data:
type: file_reputation_service
category: file
integration_provider_uuid: uuid_here
name: Symantec File Reputation Service
uuid: uuid_here
active: true
ordinal: 20
licensed: true
pivot_url:
class_type: standard
description: With the protocol-agnostic File Reputation Service, you can customize as many rules as you like to send the hashes of potentially malicious files to the Symantec Global Intelligence Network (GIN) for evaluation. Using the comprehensive, real-time threat data from more than 15,000 customers and 75 million endpoints, GIN immediately returns the latest file-reputation information to Security Analytics.
appliance_id: 0
last_modified_date: 2021-09-20 10:19:25+03
integration_provider_type:
name: Symantec File Reputation Service
league: reputation
abyssal: false
bigfile: false
creatable: false
deletable: false
edit_type: internal
pivot_only: false
internal_name: file_reputation_service
user_initiated: true
last_modified_date: 2020-11-10 02:59:17.724164+03
associate_with_action: true
integration_provider_category:
name: file
integration_provider_type_uuid: uuid_here
integration_provider_category_uuid: uuid_here
integration_provider_tonic_actions:
integration_provider_type_field_set:
name: boolean
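
To check a saved copy of this test output for the same condition (local credential check passes, but the lookup is rejected with 401), the following added example can be used. It is not part of the original article or the product; it assumes the output is available as plain text in the shape shown above, and the function names are made up for the illustration.

```python
import re

# Constructed excerpt of the test output shown in this article.
SAMPLE = """\
File Reputation Service Rules Config Success
active: true
File Reputation Service Credentials Success
Valid credentials: true
Frs vault file exists: true
File Reputation Service Failure
Status: completed
status: error
err_code: ERR_CODE_UNKNOWN
error_message: exception (unhandled HTTP response: 401 unauthorized)
"""

SECTION = re.compile(r"^(File Reputation Service.*?) (Success|Failure)$")
HTTP_STATUS = re.compile(r"unhandled HTTP response: (\d{3})")

def parse_sections(text):
    """Group 'key: value' lines under each '<check name> Success|Failure' header."""
    sections, fields = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION.match(line)
        if header:
            fields = {}
            sections[header.group(1)] = (header.group(2), fields)
        elif fields is not None and ":" in line:
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())  # keep first occurrence
    return sections

def triage(text):
    """Report whether the output matches the case described in this article."""
    sections = parse_sections(text)
    _, creds = sections.get("File Reputation Service Credentials", ("", {}))
    result, lookup = sections.get("File Reputation Service", ("", {}))
    status = HTTP_STATUS.search(lookup.get("error_message", ""))
    http = int(status.group(1)) if status else None
    local_ok = creds.get("Valid credentials") == "true"
    return {
        "local_credentials_valid": local_ok,
        "lookup_result": result,
        "http_status": http,
        # Local check passes but the lookup is rejected: the case in this article.
        "matches_article": local_ok and result == "Failure" and http == 401,
    }
```

A result with `matches_article` set to true corresponds to the situation above, where the fix is on the backend and the gindiag report should go to technical support.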