<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Traps local analysis behavior in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178504#M55542</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9102"&gt;@soporteseguridad&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you verify that the affected users had actually already tried to launch these executables prior to being unable to reach the ESM? If they hadn't, then this kind of makes sense and you should investigate the 'ESM Unreachable' options available within the WildFire policies tab.&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the agents hadn't already looked up the verdict for that file and have it within their cache, the file would have simply gone through local analysis and taken any action that it's told to take. With the ESM not being reachable, the agent doesn't have any idea that you have 'whitelisted' these executables unless the verdict already exists in the agent cache. I'm also not positive if this cache is maintained during a restart.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 25 Sep 2017 12:47:01 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2017-09-25T12:47:01Z</dc:date>
    <item>
      <title>Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178474#M55535</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Last week we had a problem with Traps. We have ESM in the cloud, and we have Traps agents in different sites.&amp;nbsp;One of these sites had a problem with the internet, so Traps could not contact the cloud. The case is that we have executables that Traps detects as viruses and that we allowed, so once that agent could not contact the cloud, it eliminated these executables.&amp;nbsp;It seems like local analysis detects the virus and eliminates the executables.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How does local analysis work? I thought that local analysis kept signatures in case it could not contact the cloud.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks a lot&lt;/P&gt;</description>
      <pubDate>Mon, 25 Sep 2017 09:46:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178474#M55535</guid>
      <dc:creator>soporteseguridad</dc:creator>
      <dc:date>2017-09-25T09:46:06Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178504#M55542</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9102"&gt;@soporteseguridad&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you verify that the affected users had actually already tried to launch these executables prior to being unable to reach the ESM? If they hadn't, then this kind of makes sense and you should investigate the 'ESM Unreachable' options available within the WildFire policies tab.&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the agents hadn't already looked up the verdict for that file and have it within their cache, the file would have simply gone through local analysis and taken any action that it's told to take. With the ESM not being reachable, the agent doesn't have any idea that you have 'whitelisted' these executables unless the verdict already exists in the agent cache. I'm also not positive if this cache is maintained during a restart.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Sep 2017 12:47:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178504#M55542</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-09-25T12:47:01Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178517#M55546</link>
      <description>&lt;P&gt;Yes, I confirm that&amp;nbsp;a&lt;SPAN&gt;ffected users had launched these executables before. I attach a screenshot with the WildFire tab.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capturatraps.JPG.png" style="width: 393px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11469iCB308F5BC4AFF1DE/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Capturatraps.JPG.png" alt="Capturatraps.JPG.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Any recommendation?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Sep 2017 13:33:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178517#M55546</guid>
      <dc:creator>soporteseguridad</dc:creator>
      <dc:date>2017-09-25T13:33:59Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178571#M55553</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9102"&gt;@soporteseguridad&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;What version of Traps are you running?&amp;nbsp;&lt;/P&gt;&lt;P&gt;The setting that I'm talking about is actually located under the Policies tab; under the Malware section, click on WildFire. For the listed policies there, if you click on Edit on one of them, it should show 'Unknown Verdict Configuration' with two options for 'WildFire Verdict is Unavailable' along with 'ESM Unreachable', like the picture below. What exactly does it show there?&amp;nbsp;&lt;/P&gt;&lt;P&gt;If it quarantined the file, I'm guessing that your 'Quarantine Prevented Files' option is currently set to On.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11481i536C73A5A7929AD2/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Sep 2017 18:07:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178571#M55553</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-09-25T18:07:15Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178709#M55579</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The version is 4.0.4. These are the screenshots:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Captura1.png" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11497i346171385CE4270E/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Captura1.png" alt="Captura1.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Captura2.png" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/11496i258797F507394871/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Captura2.png" alt="Captura2.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks a lot for your help&lt;/P&gt;</description>
      <pubDate>Tue, 26 Sep 2017 13:30:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178709#M55579</guid>
      <dc:creator>soporteseguridad</dc:creator>
      <dc:date>2017-09-26T13:30:13Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178785#M55589</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9102"&gt;@soporteseguridad&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So this is what I think happened.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The file wasn't in the agent cache for whatever reason: either it hadn't been opened before, the computer was restarted and the cache cleared, or the cache cleared because the user had opened enough files that the cache removed the existing verdict override cache entry to make room for additional cache information. Without knowing how long the outage was and how many files were scanned, that's almost impossible to know for sure.&amp;nbsp;&lt;/P&gt;&lt;P&gt;You have local analysis turned on for unknown files, which in my mind is 'good', but you also have unreachable options set to allow unknown files. As soon as local analysis kicks in and classifies something, the file is no longer unknown. The file is known with whatever verdict the local analysis engine gives it.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Really, I think it is a combination of things. The cache likely got cleared or overwritten due to one of the reasons above, and the local analysis paired with the unreachable options means that, to the best of my knowledge, you are never actually hitting those options. The file doesn't stay in an unknown state after local analysis, and therefore it's following whatever the local analysis says to do with the file.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 26 Sep 2017 18:18:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178785#M55589</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-09-26T18:18:14Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178866#M55602</link>
      <description>&lt;P&gt;Perfect. Thanks a lot for your findings. Any advice in order to prevent this another time? This problem occurred on one whole site (the site with the internet outage), not just one device?&lt;/P&gt;</description>
      <pubDate>Wed, 27 Sep 2017 06:40:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178866#M55602</guid>
      <dc:creator>soporteseguridad</dc:creator>
      <dc:date>2017-09-27T06:40:07Z</dc:date>
    </item>
    <item>
      <title>Re: Traps local analysis behavior</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178955#M55611</link>
      <description>&lt;P&gt;If this is just a set of executables, I would include them in the Executable Files Whitelist. This makes it so that the agent itself knows that you've whitelisted the executable, and you won't have to worry about the file getting a malicious verdict. If you simply have a verdict override and you lose the connection to the ESM, you are relying on the cache entry being present on the agent; if you switch any verdict override for specified executables to this whitelist, then the agent doesn't have to rely on a connection to the ESM or on having the cache entry.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Sep 2017 13:36:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/traps-local-analysis-behavior/m-p/178955#M55611</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-09-27T13:36:45Z</dc:date>
    </item>
  </channel>
</rss>