Unable to submit files to CASMA appliance for sandbox analysis from SEDR appliance console
Last Updated January 22, 2019
Symantec Endpoint Detection and Response (SEDR) supports submitting files to the Content Analysis Service / Malware Analysis (CAS/MA) appliance for sandbox analysis. Users have configured the settings in the SEDR appliance console to use on-premises sandboxing, but files aren't submitted.
The Malware Analysis (MA) feature of the Content Analysis Server (CAS), or CAS/MA, accepts incoming files on the same HTTPS port as its User Interface (UI). The default port for the CAS/MA HTTPS UI is port 8082. The CAS/MA appliance may be configured to accept HTTPS traffic for its UI on any single port above 1025. Changing the HTTPS port for the CAS/MA UI also changes the listener port for the on-box malware analysis feature of CAS/MA.
For SEDR 4.0.0, configure the port in the separate field provided.
For ATP 3.0.5, append the target port number to the IP address of host number on the Settings > Global page in the Sandboxing section.
For ATP 3.0.0, configure port forwarding on an intervening device such that ATP’s outgoing port 443 goes to CAS/MA’s incoming HTTPS port.
If you receive a specific error message after specifying the port number, troubleshoot each specific error message as a separate issue. For intermittent connectivity issues, at the SEDR CLI, use the following command to check network connectivity between the management interface of the SEDR appliance console and the HTTPS UI port of CAS/MA:
tcp_check IP_ADDRESS PORT
... where IP_ADDRESS is the actual IP address of the CAS/MA UI and PORT is the actual TCP port where CAS/MA serves its user interface.
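A single check only shows the state of the connection at one moment. For intermittent failures, the following Python 3 script repeats a TCP probe and tallies the outcomes. It is an added example, not Symantec's tcp_check and not part of the product, intended to run from a host on the same network path. The function names, attempt count and timing values are assumptions chosen for illustration.

```python
import socket
import sys
import time


def probe_once(host, port, timeout=3.0):
    """Try one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:
        # No answer at all: packets dropped, host down or routing problem.
        return "timeout"
    except ConnectionRefusedError:
        # Host answered but nothing accepts connections on this port,
        # typically a wrong port, e.g. the CAS/MA UI port was changed
        # from the default 8082 and the sender still uses the old one.
        return "refused"
    except OSError:
        # Anything else: name resolution failure, no route, and so on.
        return "error"


def probe_series(host, port, attempts=10, interval=5.0, timeout=3.0):
    """Repeat the probe and return a tally of outcomes."""
    tally = {"connected": 0, "timeout": 0, "refused": 0, "error": 0}
    for i in range(attempts):
        outcome = probe_once(host, port, timeout)
        tally[outcome] += 1
        print(f"{time.strftime('%H:%M:%S')} {host}:{port} {outcome}")
        if i < attempts - 1:
            time.sleep(interval)
    return tally


if __name__ == "__main__":
    # Usage: python3 probe.py IP_ADDRESS PORT
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py IP_ADDRESS PORT")
    result = probe_series(sys.argv[1], int(sys.argv[2]))
    print(result)
    # Non-zero exit when any attempt failed, so a scheduler can alert on it.
    sys.exit(0 if result["connected"] == sum(result.values()) else 1)
```

A tally that mixes "connected" with "timeout" points at the network path, while a constant "refused" points at the port number configured on the sending side.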