Configuring Malware Analysis Settings

Use the CLI to configure sandbox malware analysis and live malware analysis.

No configuration is needed for sandbox analysis (the default setting) unless a proxy in the management network is used to download local files to the Malware Analysis appliance for analysis. When configuring a sandbox Web proxy server, make sure that the proxy is reachable from the Malware Analysis appliance ether1 management port.

To configure sandbox proxy settings:

  1. Enable the CLI configuration mode.
    hostname > enable
    hostname # configure terminal
  2. Enter the CLI command for sandbox malware analysis configuration.
    hostname (config) # malware sandbox
  3. Specify either the URL or the domain of the proxy server.
    hostname (config) # malware sandbox proxy http://proxy-URL

    where proxy-URL is one of the following formats:

    • URL: http://<IP address>:<port number>, for example, http://172.16.101.24:22
    • Domain: https://<proxy server domain>, for example, http://malware.repo.com

The following example shows how to configure settings for a sandbox proxy:

hostname (config) # malware sandbox proxy http://malware.repo.com

To configure live malware analysis settings:

  1. Enable the CLI configuration mode.
    hostname > enable
    hostname # configure terminal
  2. Enter the CLI command for live malware analysis configuration.
    hostname (config) # malware live
  3. Specify the external IP address and subnet mask for the ether2 port.
    hostname (config) # malware live external ip IP address subnet mask

    For example, 192.168.211.129 255.255.255.0

    where IP address resides on the same network segment as the ether2 interface.

  4. Specify the default gateway IP address for the ether2 network interface.
    hostname (config) # malware live default-gateway ip IP address
  5. Specify the IP address of the Domain Name System (DNS) server used by the MVX guest images.
    hostname (config) # malware live nameserver ip IP address

    where IP address is reached through the ether2 interface.

  6. Specify the HTTP proxy server IP address and port number.
    hostname (config) # malware live http-proxy ip IP address:port number
  7. Specify that malware URLs are downloaded to the appliance before analysis in the virtual machine begins.
    hostname (config) # malware live prefetch

The following example shows how to configure settings for live malware analysis:

hostname (config) # malware live default-gateway ip 192.168.211.1
hostname (config) # malware live external ip 192.168.211.129 255.255.255.0
hostname (config) # malware live nameserver ip 8.8.8.8
hostname (config) # malware live http-proxy ip 0.0.0.0:0

Verifying the Malware Analysis Settings

Use the show malware config command to verify the settings that you configured for live malware analysis and sandbox analysis.

To verify the settings for live malware analysis and sandbox analysis:

  1. Enable the CLI configuration mode.
    hostname > enable
    hostname # configure terminal
  2. Enter the show malware config command.
    hostname (config) # show malware config
    Malware Analysis Mode Enabled: yes
    Malware Download Timeout     : 120 (sec)
    Malware Analysis VMs         : 100 (percent)
    Live Analysis Configuration
    Default Gateway: 192.168.211.1
    External IP: 192.168.211.129/24
    Internal IP: 169.254.100.1/24
    Name Server: 8.8.8.8
    Http Proxy: 0.0.0.0:0
    Sandbox Analysis Configuration
    Sandbox Proxy URL: http://malware.repo.com
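The sandbox proxy URL, the ether2 addressing entered with the malware live commands, and the show malware config output above lend themselves to a pre-flight check. The following Python script is an added example and is not part of the appliance or of this guide: it validates planned values before they are typed into the CLI, renders the exact command lines shown on this page, and parses show malware config output so the running settings can be compared with what was intended. The validation rules (gateway inside the ether2 subnet, proxy port range, http or https scheme) are the example author's assumptions, and the embedded sample output is a constructed copy of the output printed above.

```python
"""Pre-flight checks and verification for the malware analysis settings on this page.

Added example, not the appliance's own code. The command syntax is the one shown on
this page; the validation rules are assumptions chosen for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the 'show malware config' output as printed on this page.
SAMPLE_SHOW_OUTPUT = """\
Malware Analysis Mode Enabled: yes
Malware Download Timeout     : 120 (sec)
Malware Analysis VMs         : 100 (percent)
Live Analysis Configuration
Default Gateway: 192.168.211.1
External IP: 192.168.211.129/24
Internal IP: 169.254.100.1/24
Name Server: 8.8.8.8
Http Proxy: 0.0.0.0:0
Sandbox Analysis Configuration
Sandbox Proxy URL: http://malware.repo.com
"""


def plan_sandbox_proxy(url):
    """Validate a sandbox proxy URL (http(s)://host[:port]) and return its CLI line."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"proxy must be http(s)://host[:port], got {url!r}")
    if parts.port is not None and not 1 <= parts.port <= 65535:
        raise ValueError(f"bad proxy port {parts.port}")
    return f"malware sandbox proxy {url}"


def plan_live_config(external_ip, netmask, gateway, nameserver,
                     http_proxy="0.0.0.0:0", prefetch=False):
    """Validate the planned ether2 addressing and return the CLI lines that apply it.

    Raises ValueError on inconsistent input, so a bad address is caught before it
    reaches the appliance.
    """
    iface = ipaddress.ip_interface(f"{external_ip}/{netmask}")  # dotted masks accepted
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is outside the ether2 subnet {iface.network}")
    if gw == iface.ip:
        raise ValueError("gateway and external IP must differ")
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address")
    ipaddress.ip_address(nameserver)            # malformed -> ValueError
    host, _, port = http_proxy.rpartition(":")  # page syntax: <ip>:<port>
    ipaddress.ip_address(host)
    if not 0 <= int(port) <= 65535:
        raise ValueError(f"bad HTTP proxy port {port}")
    lines = [
        f"malware live default-gateway ip {gw}",
        f"malware live external ip {iface.ip} {iface.netmask}",
        f"malware live nameserver ip {nameserver}",
        f"malware live http-proxy ip {http_proxy}",
    ]
    if prefetch:
        lines.append("malware live prefetch")
    return lines


def parse_show_malware_config(text):
    """Turn 'Key : value' lines into a dict; section headers without a colon are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def verify_live_config(show_text, expected):
    """Compare running 'show malware config' output with the values you intended to set.

    Returns {key: (expected, actual)} for every mismatch; an empty dict means verified.
    """
    running = parse_show_malware_config(show_text)
    mismatches = {}
    for key, want in expected.items():
        got = running.get(key)
        if key == "External IP" and got is not None:
            # the command takes a dotted mask but the appliance prints CIDR: normalise
            want = str(ipaddress.ip_interface(want))
            got = str(ipaddress.ip_interface(got))
        if got != want:
            mismatches[key] = (want, got)
    return mismatches


if __name__ == "__main__":
    for cmd in plan_live_config("192.168.211.129", "255.255.255.0",
                                "192.168.211.1", "8.8.8.8"):
        print("hostname (config) #", cmd)
    print("hostname (config) #", plan_sandbox_proxy("http://malware.repo.com"))
    print(verify_live_config(SAMPLE_SHOW_OUTPUT, {
        "External IP": "192.168.211.129/255.255.255.0",
        "Default Gateway": "192.168.211.1",
        "Sandbox Proxy URL": "http://malware.repo.com"}))
```

Feed verify_live_config the text captured from the appliance session in place of SAMPLE_SHOW_OUTPUT; because the display keys are used as the dictionary keys, the same expected map works for both the live and the sandbox sections of the output.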

Configuring EML Parsing Settings

By default, the Malware Analysis appliance analyzes saved email (.eml) files for malware. Use the eml attachment limit command to configure the maximum number of attachments that are analyzed per .eml file. Use the eml recursive limit command to configure the maximum recursive depth of the .eml file that is analyzed.

EML parsing is configured only using the CLI.

To configure EML parsing settings:

  1. Enable the CLI configuration mode.
    hostname > enable
    hostname # configure terminal
  2. Set the number of attachments.
    hostname (config) # eml attachment limit count

    where count is the number of attachments to analyze per .eml file. The default number is 5. The range is 0–20.

  3. Set the maximum recursive depth of the .eml file.
    hostname (config) # eml recursive limit count

    where count is the maximum recursive depth of the .eml file to be analyzed. The default number is 3. The range is 0–3.

  4. Verify the current .eml file configuration by entering the show eml command.
    hostname (config) # show eml
    EML attachments limit     : 5
    EML extraction recursive limit     : 3
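What the two eml limits bound becomes clearer with a concrete message tree. The following Python script is an added example and is not the appliance's EML parser, whose exact counting rules this page does not describe: it builds a constructed .eml in which attachments are nested inside forwarded message/rfc822 parts, inventories them with their nesting depth, and shows which of them an attachment limit and a recursive limit of the sizes given above would admit. Treating the top-level message as depth 0, each message/rfc822 part as one more level, any non-container part carrying a filename as an attachment, and the attachment limit as a total per file are this example's assumptions.

```python
"""Inventory attachments and nesting depth of an .eml against the two eml limits above.

Added example, not the appliance's own parser. Assumptions: the top-level message is
depth 0 and each nested message/rfc822 part adds one level; any non-container part
carrying a filename counts as an attachment; the attachment limit is a total per file.
"""
import email
from email import policy
from email.message import EmailMessage

DEFAULT_ATTACHMENT_LIMIT = 5  # default of 'eml attachment limit' on this page (range 0-20)
DEFAULT_RECURSIVE_LIMIT = 3   # default of 'eml recursive limit' on this page (range 0-3)


def _message(subject, attachments=(), forwarded=()):
    """Build a constructed message with file attachments and forwarded messages."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "analyst@example.test"
    msg["Subject"] = subject
    msg.set_content("constructed body text")
    for name in attachments:
        msg.add_attachment(b"\x00constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    for inner in forwarded:
        msg.add_attachment(inner)  # attached as a message/rfc822 part
    return msg


def constructed_sample():
    """Constructed .eml bytes: 7 attachments spread over 4 nesting levels (depth 0..3)."""
    level3 = _message("depth 3", ["d.bin"])
    level2 = _message("depth 2", ["c1.bin"], [level3])
    level1 = _message("depth 1", ["b1.bin", "b2.bin"], [level2])
    top = _message("depth 0", ["a1.bin", "a2.bin", "a3.bin"], [level1])
    return top.as_bytes()


def load_eml(data):
    """Parse raw .eml bytes, as read from a saved file, with the modern email policy."""
    return email.message_from_bytes(data, policy=policy.default)


def inventory(msg, depth=0):
    """Return [(depth, filename)] for every attachment, recursing into message/rfc822 parts."""
    found = []
    if not msg.is_multipart():
        return found
    for part in msg.iter_parts():
        if part.get_content_type() == "message/rfc822":
            found.extend(inventory(part.get_content(), depth + 1))  # embedded message
        elif part.get_filename():
            found.append((depth, part.get_filename()))
    return found


def apply_limits(msg, attachment_limit=DEFAULT_ATTACHMENT_LIMIT,
                 recursive_limit=DEFAULT_RECURSIVE_LIMIT):
    """Split the inventory into attachments the limits admit and those they cut off."""
    admitted, skipped = [], []
    for depth, name in inventory(msg):
        if depth > recursive_limit:
            skipped.append((depth, name, "beyond recursive limit"))
        elif len(admitted) >= attachment_limit:
            skipped.append((depth, name, "beyond attachment limit"))
        else:
            admitted.append((depth, name))
    return admitted, skipped


if __name__ == "__main__":
    message = load_eml(constructed_sample())
    for limits in ((DEFAULT_ATTACHMENT_LIMIT, DEFAULT_RECURSIVE_LIMIT), (20, 2)):
        admitted, skipped = apply_limits(message, *limits)
        print(f"attachment limit {limits[0]}, recursive limit {limits[1]}:")
        print("  analysed:", [n for _, n in admitted])
        print("  skipped :", skipped)
```

Running it with the page's defaults shows that the sample's sixth and seventh attachments are never analyzed, and with a recursive limit of 2 that the attachment buried three forwards deep is skipped even though the attachment limit has room for it. Under these assumptions, raising either limit on the appliance trades analysis time and VM capacity for coverage of deeply nested or attachment-heavy messages.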