Analyst API Service is unreachable: vDefend SSP Alarm

Article ID: 384108

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Problem: Service sa-scheduler-services is degraded on Security Services Platform. It is unable to communicate with the analyst_api service. Verdicts for various submissions may not be up to date.

Impact:

When the Analyst API Service is unreachable, the following malware prevention functionality is lost:

  • Verdicts for various submissions may not be up to date.
  • There is an increased possibility of false positives (e.g., files being marked as Malicious even when they are published by a trusted source).

Environment

vDefend SSP >= 5.0

Cause

Connectivity to the Analyst API Service may be interrupted due to several factors, including but not limited to:

  • The Analyst API Service running on Malscape is inaccessible from the SSP platform.

  • The cloud-connector-proxy service on the SSP is down.

  • SSP proxy settings are misconfigured.

Resolution

Maintenance Window Required: No

To address false positives related to the Malware Prevention Service and ensure proper connectivity to the Analyst API service, please follow the steps outlined below:

1. Wait for Automatic Recovery

In many cases, the issue may be resolved on its own. If the Analyst API service becomes temporarily unreachable, the alarm will automatically move to the "Resolved" state once connectivity is restored.
It is recommended to wait for 10 to 15 minutes to allow the system to attempt an automatic reconnection before proceeding with any of the steps below.

2. Verify Network Connectivity

Ensure that outbound network access is allowed to the external Analyst API service (refer to VMware-vDefend Ports and Protocols). Review firewall rules, DNS settings, and any recent changes that may be restricting access. If any changes were made, revert them to restore connectivity.

3. Verify SSP Proxy Settings

If a proxy is in use, ensure that the SSP proxy settings are correctly configured.

a. Verify Connectivity to Proxy Server

Contact your network administrator to confirm:

  • The firewall allows traffic between the SSP subnet and the proxy server.
  • The proxy server has internet access and can reach external services.

b. Verify Proxy Server Configuration

Ensure that the proxy settings are correctly configured, including:

  • Proxy scheme (HTTP/HTTPS), host address, and port number.
  • Authentication credentials (if required).
  • Certificate validity (if applicable).

c. Update Proxy Configuration

If any updates are required, navigate to System → Administration → Server Configurations → Proxy Server in the SSP UI and update the settings accordingly.
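
The checks in steps 2 and 3 can be separated with a small probe run from a host in the SSP subnet. This is an added example, not Broadcom tooling: it sends an HTTP CONNECT through the proxy and maps the outcome to the item to verify. The target hostname is a constructed placeholder (the article does not list it), and the probe assumes an HTTP-scheme proxy without authentication.

```python
import socket

# Constructed placeholders: take the real values from "VMware-vDefend Ports
# and Protocols" and from the SSP Proxy Server settings.
ANALYST_API_HOST = "analyst-api.example.invalid"
ANALYST_API_PORT = 443


def classify_connect_status(status_line):
    """Map the proxy's reply to an HTTP CONNECT onto the checks in step 3."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-an-http-proxy: check proxy scheme, host address and port"
    code = int(parts[1])
    if 200 <= code < 300:
        return "ok: proxy opened a tunnel to the target"
    if code == 407:
        return "proxy-auth: check authentication credentials"
    if code == 403:
        return "proxy-denied: proxy policy blocks the target"
    if code in (502, 503, 504):
        return "upstream-unreachable: proxy cannot reach the external service"
    return f"unexpected-status-{code}"


def check_via_proxy(proxy_host, proxy_port, target_host=ANALYST_API_HOST,
                    target_port=ANALYST_API_PORT, timeout=5.0):
    """Return a one-line diagnosis for the path: this host -> proxy -> target."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(4096).decode("latin-1")
    except socket.gaierror as exc:
        # Name resolution failed before any packet reached the proxy (step 2, DNS).
        return f"dns-failure: cannot resolve proxy host ({exc})"
    except OSError as exc:
        # Refused, filtered or timed out (step 3a, firewall to the proxy).
        return f"proxy-unreachable: check firewall between SSP subnet and proxy ({exc})"
    return classify_connect_status(reply.split("\r\n", 1)[0])


if __name__ == "__main__":
    # Constructed proxy address; replace with the configured proxy host and port.
    print(check_via_proxy("proxy.example.invalid", 3128))
```

An `ok` result only shows that the proxy will tunnel to the target; certificate validity and the state of the cloud-connector-proxy service on the SSP still have to be checked separately.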

4. Mitigation Step

If false positives persist, you can leverage the allow-listing capability of the Malware Prevention Service as a temporary workaround.
For instructions on how to enable allow-listing, please refer to the SSP Documentation.

5. Contact Support

If the issue is not resolved after verifying network and proxy settings: