Walkthrough - Configuring a test SEDR 4.0 or test ATP 3.2 to use CAS/MA as a local virtual sandbox
Last Updated May 23, 2019
Steps for configuring Symantec Endpoint Detection and Response (SEDR) 4.0 or Advanced Threat Protection (ATP) Platform 3.2 to point to a local instance of a Content Analysis Server (CAS) with Malware Analysis (MA) virtual sandboxing feature enabled.
SEDR 4.0 and newer
To configure SEDR 4.0 to use CAS/MA for Sandboxing
Insert a license into CAS for the Malware Analysis feature if not already done
At the command line of CAS, enable the ma feature
Set Default profile for sandboxing within CAS/MA UI
Set CAS/MA HTTPS port to 443
Create an API key within CAS/MA
Configure SEDR Sandbox settings
Test sandbox submissions
To set a default profile for sandboxing
Within CAS/MA, navigate to Services>Sandboxing
On the Symantec On-box Sandboxing tab, under Scanning Profiles, click Windows 7 64-bit
On the Customize and Build dialog box, click Set as default profile
Click X to close the dialog box
NOTE: Failure to set a default profile will later result in CAS/MA accepting the initial file submission request from SEDR or ATP, but then returning an HTTP 500 error to every follow-up request in which SEDR or ATP checks whether CAS/MA has finished analyzing the file. The SEDR or ATP user interface shows this state on the Logging page by marking the submission with a "6:ERROR" status and a reason of "ERROR_SANDBOX_QUERY_FAIL".
To set CAS/MA HTTPS port to 443
Within CAS/MA UI, navigate to Settings>Web Management
To the right of HTTPS Administration, in the Port field, type: 443
Click Certificate Management
Save the certificate to a local file
To create an API key within CAS/MA
Within the CAS/MA UI, navigate to Settings>Users.
Create a new user with the analyst role.
Use PuTTY or another SSH client to connect to the CAS/MA appliance with administrator credentials
To enter the command mode, type: enable
At the prompt ending with a hash ('#'), create an API key by typing: ma-actions api-key create user ANALYST
...where ANALYST is the new account with the analyst role.
Note the new API Key and Key ID, preferably by copying each into Notepad or a similar ASCII-only text editor
To configure SEDR Sandbox settings
In a web browser, navigate to the UI of SEDR
Log in with a SEDR user or AD user that has the admin role within SEDR
Navigate to Settings>Appliances
Do one of the following: click Edit Default Appliance to edit the default appliance, or, in the Appliances list, click the appliance that you want to edit, then scroll down to Sandboxing and uncheck Use default
Click Edit Sandboxing Settings
On the Edit Sandbox settings dialog box, click the Service drop-down menu, then select "Symantec Content Analysis(on-premise sandboxing)"
In the Server field, type the hostname or IP address of the CAS/MA appliance
In the Port field, type the number of the TCP port on which CAS/MA listens for HTTPS UI requests (443, as set above)
In the User field, type the username of the new CAS/MA user with the analyst role
In the Token field, type the API Key
(OPTIONAL) Check Use Network Proxy to access the sandbox appliance through the ATP network proxy
(OPTIONAL) Check "Validate Server Certificate" and browse to the server certificate file saved from CAS/MA
NOTE: A certificate obtained from the sandbox appliance should contain the chain of certificates, not just the leaf certificate. SEDR can also accept a self-signed certificate from the sandbox server.
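As an added pre-flight check (example code written for this walkthrough, not Symantec's), the functions below validate the values entered in Edit Sandbox Settings against what the steps above require: the CAS/MA HTTPS port of 443, a certificate file that carries a chain rather than a lone leaf (a single self-signed certificate is also accepted), and an API key free of the non-ASCII or whitespace characters an ASCII-only editor is meant to keep out. The PEM blocks are constructed stand-ins with valid base64 bodies, not real certificates.

```python
import base64
import re

# Matches one PEM certificate block; the file saved from Certificate Management may hold several.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def parse_pem_bundle(pem_text):
    """Return (list of DER certificate bytes, list of error strings) for a PEM bundle."""
    certs, errors = [], []
    for body in PEM_BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            if not der:
                raise ValueError("empty body")
            certs.append(der)
        except ValueError:  # binascii.Error is a ValueError subclass
            errors.append("certificate block is empty or not valid base64")
    return certs, errors

def check_sandbox_settings(port, cert_pem, api_key):
    """Return a list of findings; an empty list means the values match the walkthrough."""
    findings = []
    # The walkthrough sets HTTPS Administration on CAS/MA to 443 and points SEDR at that port.
    if port != 443:
        findings.append(f"port {port}: CAS/MA HTTPS port should be 443")
    certs, errors = parse_pem_bundle(cert_pem)
    findings.extend(errors)
    if not certs:
        findings.append("certificate file contains no usable certificate")
    elif len(certs) == 1:
        # A lone certificate is acceptable only when it is the appliance's self-signed cert.
        findings.append("certificate file holds one certificate: fine if self-signed, "
                        "otherwise the chain is missing")
    # The key is meant to pass through an ASCII-only editor; non-ASCII or whitespace
    # characters point at a rich-text paste or a copied line break.
    if not api_key.isascii() or any(c.isspace() for c in api_key):
        findings.append("API key contains non-ASCII or whitespace characters")
    return findings

def constructed_pem(label):
    """Constructed stand-in for a certificate: a valid base64 body, not a real X.509 cert."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

CHAIN_PEM = constructed_pem(b"leaf") + constructed_pem(b"issuing-ca")  # leaf plus issuer
LEAF_ONLY_PEM = constructed_pem(b"leaf")                                # leaf alone
```

Call check_sandbox_settings(port, open(cert_file).read(), api_key) with the real saved certificate file before entering the values in the SEDR dialog; each finding names the step to revisit.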
To test SEDR sandbox submissions
Within the SEDR UI, navigate to Settings>Global
Uncheck Submit suspicious files to sandbox for analysis
Place a test client into a SEP client group that is one of the group inclusions for a SEPM Controller where SEDR is already configured for that SEPM Controller