Steps for configuring SEDR 4.0 or ATP Platform 3.2 to point to a local instance of a Content Analysis Server (CAS) with the Malware Analysis (MA) virtual sandboxing feature enabled.
SEDR 4.0 and newer
To configure SEDR 4.0 to use CAS/MA for sandboxing, complete the following procedures:
Insert a license into CAS for the Malware Analysis feature if not already done
At the command line of CAS, enable the ma feature
Set Default profile for sandboxing within CAS/MA UI
Set CAS/MA HTTPS port to 443
Create an API key within CAS/MA
Configure SEDR Sandbox settings
Test sandbox submissions
To set a default profile for sandboxing.
Within CAS/MA, navigate to Services > Sandboxing
On the Symantec On-box Sandboxing tab, under “Scanning Profiles”, click Windows 7 64-bit
On the “Customize and Build” dialog box, click “Set as default profile”.
Click “X” to close the dialog box.
NOTE: If no default profile is set, CAS/MA accepts the initial file submission request from SEDR or ATP but then returns a 500 to every follow-up request in which SEDR or ATP checks whether CAS/MA has finished analyzing the file. The SEDR or ATP user interface shows this state on the Logging page by marking the submission with a "6:ERROR" status and a reason of "ERROR_SANDBOX_QUERY_FAIL".
To set CAS/MA HTTPS port to 443.
Within CAS/MA UI, navigate to “Settings > Web Management”.
To the right of HTTPS Administration, in the Port field, type: 443.
Click “Certificate Management”.
Save the certificate to a local file.
To create an API key within CAS/MA
Within the CAS/MA UI, navigate to Settings > Users.
Create a new user with the analyst role.
Use PuTTY or another SSH client to connect to the CAS/MA appliance with administrator credentials.
To enter the command mode, type: enable
At the prompt ending with a hash ('#'), to create an API key, type: ma-actions api-key create user ANALYST
...where ANALYST is the user name of the new account with the analyst role.
Note the new API Key and Key ID, preferably by copying each into Notepad or a similar ASCII-only text editor.
To configure SEDR Sandbox settings.
In a web browser, navigate to the UI of SEDR
Log on with a SEDR user or an AD user that has the admin role within SEDR.
Navigate to Settings > Appliances
Do one of the following: to edit the default appliance, click “Edit Default Appliance”; to edit a specific appliance, click it in the “Appliances” list, scroll down to Sandboxing, and uncheck “Use default”.
Click “Edit Sandboxing Settings”.
On the “Edit Sandbox Settings” dialog box, click the Service drop-down menu, then select "Symantec Content Analysis (on-premise sandboxing)"
In the Server field, type the host name or IP address of the CAS/MA appliance
In the Port field, type the number of the TCP port where CAS/MA listens for UI requests (443, as set above).
In the User field, type the user name of the new CAS/MA user with the analyst role
In the Token field, type the API Key
(OPTIONAL) Check Use Network Proxy to access the sandbox appliance through the ATP network proxy
(OPTIONAL) Check “Validate Server Certificate” and browse to the server certificate file saved from CAS/MA.
NOTE: The certificate obtained from the sandbox appliance should contain the chain of certificates, not only the leaf certificate. SEDR can also accept a self-signed certificate from the sandbox server.
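Two details in this procedure fail quietly when they go wrong: an API key that picked up a smart quote, a non-breaking space or a trailing newline on its way through a text editor, and a certificate file that holds only the leaf instead of the chain. The POSIX shell script below is an added pre-flight check written for this article; it is not part of the original procedure or of the CAS/MA or SEDR products. It assumes openssl is installed on the workstation, that the CAS/MA host name, an output path and (optionally) the pasted API key are passed as arguments, and the function names are ours.

```shell
#!/bin/sh
# Added pre-flight checks for the values entered in SEDR's sandbox settings.
# Not part of the original article. Assumes openssl is installed locally;
# the CAS/MA host, PEM path and API key come from the operator.

# Count PEM certificate blocks in a file (0 when the file is missing or empty).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only when the bundle holds more than the leaf certificate,
# which is what the "Validate Server Certificate" note above expects.
pem_has_chain() {
    n=$(count_pem_certs "$1")
    [ "${n:-0}" -ge 2 ]
}

# Succeed only when a pasted API key is a single line of printable ASCII
# (bytes 0x21-0x7E). Copying through a rich-text editor tends to leave a
# smart quote, a non-breaking space or a trailing newline behind.
is_clean_token() {
    nl='
'
    [ -n "$1" ] || return 1
    case $1 in *"$nl"*) return 1 ;; esac
    # In the C locale [:graph:] is exactly 0x21-0x7E, so every byte of a
    # multibyte character and every kind of space fails this test.
    if printf '%s' "$1" | LC_ALL=C grep -q '[^[:graph:]]'; then
        return 1
    fi
    return 0
}

# Fetch every certificate CAS/MA presents on its HTTPS port into a PEM file.
# openssl s_client -showcerts prints the whole chain the server sends; sed
# keeps just the PEM blocks so the file can be handed to SEDR as-is.
fetch_server_chain() {
    host=$1; port=${2:-443}; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' >"$out"
}

# Usage: sh preflight.sh <cas-ma-host> <out.pem> [api-key]
if [ $# -ge 2 ]; then
    fetch_server_chain "$1" 443 "$2"
    if pem_has_chain "$2"; then
        echo "ok: $(count_pem_certs "$2") certificates saved to $2"
    else
        echo "warning: $2 holds only a leaf certificate (or nothing); SEDR expects the chain"
    fi
    if [ $# -ge 3 ]; then
        is_clean_token "$3" && echo "ok: API key is clean ASCII" \
            || echo "warning: API key contains whitespace or non-ASCII bytes"
    fi
fi
```

Run it once after completing the "Certificate Management" and API key steps and before opening the "Edit Sandbox Settings" dialog; the chain check is the one to watch, because a leaf-only file is accepted by the file picker and only fails later at validation time.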
To test SEDR sandbox submissions.
Within SEDR UI, navigate to Settings > Global.
Uncheck “Submit suspicious files to sandbox for analysis”.
Place a test client into a SEP client group that is among the group inclusions of a SEPM Controller already configured in SEDR.