Malware Analysis Appliance getting large task queue
Last Updated August 16, 2017
Symantec Malware Analysis Appliance (MAA) is showing abnormally high task queues
Analysis of data capture:
-Tasks are observed queuing in MAA (Analysis Center>View All Tasks), and duplicate samples can be seen in the queue.
-System statistics under System info in the MAA user interface show a spike in task processing over the complete 24 hours/7 days, and in the IntelliVM queue.
-The output of 'https:///rapi/system/queues' shows a burst of task processing.
Some of the reasons why MAA processes an abnormally high number of tasks:
-CAS sends files to two or more iVM profiles
-CAS is set to use a lot of plugins in each of the profiles
-More than one CAS is configured to connect/send files to one MAA
-.ttf is selected in CAS for file submission to MAA
For the greatest capacity, use only a single iVM profile for automated tasks in production. Multiple profiles can be used with manual analysis when manual analysis occurs infrequently, as in most environments (CAS UI>Services>Sandboxing>Blue Coat Malware Analysis Appliance>Tasks).
Select only 1 specific plugin to be used for the selected iVM profile in CAS sandboxing settings.
Unselect .ttf files for file submission in CAS sandboxing settings (CAS UI>Services>Sandboxing>File Types and Extensions).
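
The causes listed above can be checked against a task list by counting how many queued tasks each unique sample produces and which setting multiplies them. The Python below is an added example, not Symantec code; the record layout, field names and sample values are constructed for illustration and are not the MAA task list or RAPI format.

```python
from collections import defaultdict

# Constructed sample: one record per queued task. The field names are
# assumptions for this example, not the MAA task list or RAPI schema.
FIELDS = ("sample", "ext", "profile", "plugin", "cas")
TASKS = [
    ("s1", "exe", "win7",  "plugin-a", "cas-a"),
    ("s1", "exe", "win7",  "plugin-b", "cas-a"),
    ("s1", "exe", "win10", "plugin-a", "cas-a"),
    ("s1", "exe", "win10", "plugin-b", "cas-a"),
    ("s2", "ttf", "win7",  "plugin-a", "cas-a"),
    ("s2", "ttf", "win7",  "plugin-a", "cas-b"),
    ("s3", "pdf", "win7",  "plugin-a", "cas-b"),
]


def queue_breakdown(tasks):
    """Attribute queued tasks to the multipliers named in the article."""
    # Per sample, collect the distinct profiles, plugins and submitting CAS.
    seen = defaultdict(lambda: {"profile": set(), "plugin": set(), "cas": set()})
    ttf_tasks = 0
    for row in tasks:
        task = dict(zip(FIELDS, row))
        for key in ("profile", "plugin", "cas"):
            seen[task["sample"]][key].add(task[key])
        if task["ext"].lower() == "ttf":
            ttf_tasks += 1

    def multi(key):
        # Samples queued under more than one value of the given setting.
        return sorted(s for s, v in seen.items() if len(v[key]) > 1)

    return {
        "total_tasks": len(tasks),
        "unique_samples": len(seen),
        "duplicate_tasks": len(tasks) - len(seen),  # tasks beyond one per sample
        "multi_profile": multi("profile"),          # sent to two or more iVM profiles
        "multi_plugin": multi("plugin"),            # several plugins selected
        "multi_cas": multi("cas"),                  # submitted by more than one CAS
        "ttf_tasks": ttf_tasks,                     # .ttf submissions
    }


if __name__ == "__main__":
    for name, value in queue_breakdown(TASKS).items():
        print(f"{name}: {value}")
```

Running the same breakdown before and after the CAS sandboxing changes shows whether the duplicate count falls towards zero.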