AV-Suite

AV-Suite is a cloud-based detection service that stores verdicts for both malicious (blacklist) and nonmalicious (whitelist) objects. The Malware Analysis appliance sends information about a sample to AV-Suite and, through the AV-Suite Integration feature, receives a verdict based on the service's detection analytics in the cloud. Because dynamic analysis is slow, AV-Suite preserves appliance and analysis-engine capacity by keeping samples that AV-Suite has whitelisted out of dynamic analysis.

Before an object is submitted for dynamic analysis, the Malware Analysis appliance queries the AV-Suite server for a verdict on it. If AV-Suite returns a clean verdict, the appliance does not analyze the file for malicious content and performs no dynamic analysis of the sample. If AV-Suite returns a malicious or riskware verdict, the appliance still performs dynamic analysis so that it can generate an OS Change report. Note that a clean verdict suppresses analysis entirely, so the accuracy of AV-Suite's whitelist directly determines which samples the appliance never examines.

When retroactive detection is enabled, the appliance can alert on objects that were not detected when first seen: if a new verdict is later generated for such an object within the DTI Cloud, the Malware Analysis appliance raises an alert for it.
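The gating and retroactive-alert behaviour described above, as an added Python model. This is illustrative code written for this page, not FireEye's appliance software or the AV-Suite API; the hash-keyed verdict store, the class and method names, and the three sample byte strings are all constructed assumptions. It shows the three outcomes of a verdict query (clean skips dynamic analysis, malicious/riskware still detonates for an OS Change report, no verdict means full analysis) and how a verdict that arrives after the first submission produces a retroactive alert.

```python
"""Model of AV-Suite verdict gating and retroactive detection (illustrative)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"          # whitelisted object
    MALICIOUS = "malicious"  # blacklisted object
    RISKWARE = "riskware"    # blacklisted object
    UNKNOWN = "unknown"      # no verdict stored for this hash yet


class Action(Enum):
    SKIP = "skip dynamic analysis"
    DYNAMIC_OS_CHANGE = "dynamic analysis, generate OS Change report"
    DYNAMIC = "dynamic analysis"


DETECTED = (Verdict.MALICIOUS, Verdict.RISKWARE)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class VerdictStore:
    """Stand-in for the cloud verdict store, keyed by object hash (assumption)."""

    def __init__(self) -> None:
        self._verdicts: dict[str, Verdict] = {}

    def lookup(self, digest: str) -> Verdict:
        return self._verdicts.get(digest, Verdict.UNKNOWN)

    def publish(self, digest: str, verdict: Verdict) -> None:
        self._verdicts[digest] = verdict


def decide(verdict: Verdict) -> Action:
    """Verdict gating as the page describes it."""
    if verdict is Verdict.CLEAN:
        return Action.SKIP                 # whitelisted: never reaches the sandbox
    if verdict in DETECTED:
        return Action.DYNAMIC_OS_CHANGE    # blacklisted: still detonated for the report
    return Action.DYNAMIC                  # no verdict: full analysis


@dataclass
class Appliance:
    store: VerdictStore
    retro_hunt: bool = False
    seen: dict[str, Verdict] = field(default_factory=dict)        # hash -> verdict acted on
    alerts: list[tuple[str, Verdict]] = field(default_factory=list)

    def submit(self, data: bytes) -> Action:
        digest = sha256(data)
        verdict = self.store.lookup(digest)
        self.seen[digest] = verdict
        if verdict in DETECTED:
            self.alerts.append((digest, verdict))
        return decide(verdict)

    def retro_check(self) -> list[tuple[str, Verdict]]:
        """Re-query every previously submitted hash; alert on ones newly detected."""
        if not self.retro_hunt:
            return []
        new_alerts = []
        for digest, old in list(self.seen.items()):
            current = self.store.lookup(digest)
            if current in DETECTED and old not in DETECTED:
                new_alerts.append((digest, current))
            self.seen[digest] = current
        self.alerts.extend(new_alerts)
        return new_alerts


def demo() -> dict:
    """Constructed scenario: three made-up samples, one verdict arriving late."""
    bad, good, unseen = b"constructed sample A", b"constructed sample B", b"constructed sample C"
    store = VerdictStore()
    store.publish(sha256(bad), Verdict.MALICIOUS)
    store.publish(sha256(good), Verdict.CLEAN)
    appliance = Appliance(store, retro_hunt=True)
    first_pass = [appliance.submit(s) for s in (bad, good, unseen)]
    # Later the cloud generates a verdict for sample C, which was undetected on first sight.
    store.publish(sha256(unseen), Verdict.RISKWARE)
    retro = appliance.retro_check()
    return {"first_pass": first_pass, "retro": retro, "alerts": appliance.alerts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints the first-pass actions for the three samples and the single retroactive alert for sample C. With `retro_hunt=False` the re-query never runs, which is the state of the appliance before step 6 of the task list below.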

Task List for Managing AV-Suite

Complete the steps for managing AV-Suite in the following order:

  1. Log in to the CLI.
  2. Validate DTI access on the Malware Analysis appliance by using the show fenet status command. For details about how to validate DTI access, refer to the Malware Analysis System Administration Guide.
  3. Verify that unity.fireeye.com is the DTI server address for AV-Suite to store both blacklist and whitelist object hashes and analysis results. Use the show fenet dti configuration command. For details about how to set the DTI server address for AV-Suite, refer to the Malware Analysis System Administration Guide.

    IMPORTANT: By default, this address for managed appliances is the address of the managing Central Management appliance. For more effective detection and remediation, FireEye recommends a direct connection to unity.fireeye.com.

  4. Verify that AV-Suite integration is enabled and that AV-Suite version 6 is configured. Use the show static-analysis config command. For details about AV-Suite integration, see Enabling or Disabling AV-Suite Integration Using the CLI.
  5. Enable static analysis and AV-Suite integration on whitelist submissions. For details about how to enable AV-Suite Integration on whitelist submissions, see Enabling or Disabling AV-Suite Integration on Whitelist Submissions Using the CLI.
  6. Enable retroactive detection from AV-Suite. Use the analysis retro-hunt enable command. For details about how to enable retroactive detection from AV-Suite, see Enabling or Disabling Retroactive Detection From AV-Suite.
  7. Configure the settings for retroactive detection from AV-Suite. For details about how to configure the settings for retroactive detection from AV-Suite, see Configuring Retroactive Detection From AV-Suite.