On-box sandboxing detection patterns are outdated, update does not work

Article ID: 261422


Products

Content Analysis Software ISG Content Analysis CAS-S400 CAS-S500 CAS-VA CAS-S200

Issue/Introduction

  • On-box sandboxing detection patterns are outdated, and a manual update does not find any new version.
  • The customer is worried that CAS Pattern Detection signatures are not being downloaded properly by the system.


Environment

CAS-S400

3.1.5.0

Cause

The customer has not seen any updates under Pattern Detection for a long time, which can give the impression that updates are not working on CAS.

Resolution

  • Connectivity to the source Bluecoat/Broadcom domains is established, and all other AV patterns are downloaded without issue.
  • Detection patterns are downloaded from exactly the same resources, the Symantec Global Intelligence Network (GIN).
  • The customer's detection patterns date to 2022-08 (version 3451), which is the latest version.
  • Detection patterns do not change frequently; a new version is produced only after the Symantec Global Intelligence Network (GIN) receives an update from a customer's appliance about an unknown suspicious file pattern.
  • The customer can share statistics with Broadcom by enabling the setting under CAS > Settings > GIN.
  • Based on historic data, a pattern update typically arrives twice a year.
  • All detection patterns are listed under CAS > Malware Analysis > Patterns with their respective descriptions.
  • Patterns detect the behaviors that malicious files exhibit on the Windows machine inside the sandbox. If the monitored sandbox VM finds that an executed file modified system files or otherwise infected the system, it assigns a risk score. The pattern template is described in more detail in this technical document: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/solution_malware_analysis/about_patterns.html

Additional Information

If you feel that On-box Sandboxing is not enough, other mechanisms can be purchased to enhance detection in your environment, such as Cloud Sandboxing:

Cloud Sandboxing uses static code analysis that is undetectable by malware authors and cannot be circumvented by VM-evasive behaviors. In fact, because of the years of machine learning accumulated within the technology, the more evasively a program behaves, the easier it is to identify as a malicious file.

In addition, Cloud Sandboxing uses a behavioral analysis system that monitors files as they run, comparing the program's behaviors to those of the billions of malicious samples Symantec has analyzed over the years. Instead of signatures, Cloud Sandboxing employs behavioral profiles and file reputation data to accurately classify files as benign or malicious.

By performing analysis in the cloud, Symantec Cloud Sandboxing can offer more in-depth processing at a scale and speed that cannot be achieved with an on-premises deployment. You can use Cloud Sandboxing as your sole sandboxing solution, or in conjunction with Content Analysis's on-box sandboxing or other on-premises sandboxing services.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-0/about_sandboxing/services_sandboxing_scsb.html