Secure One Services Group

MAA did not block the first sample malware

  • 1.  MAA did not block the first sample malware

    Posted 12-11-2017 11:35 PM

    Hi,

    I have one question regarding MAA.

    We have installed MAA and integrated it with ASG. No issue during integration. Then we tested with one sample malware website (from Bluecoat) and the file was able to download the first time.

    The download was blocked by CAS when we tried a second time.

    From my understanding, ASG CAS/MAA will block the malware file when the user tries to download it. Any advice?

    Thanks

    Firdaus



  • 2.  RE: MAA did not block the first sample malware

    Broadcom Employee
    Posted 12-12-2017 09:20 PM

    Hey,

    Yes, we can support Real Time Sandboxing, internally called RTS.

    You can find the RTS guide in the community, I believe.

    But you should consider that the client PC will have to hold the download while the sample is being sandboxed.

    Regards,

    Young.


  • 3.  RE: MAA did not block the first sample malware

    Posted 12-13-2017 04:27 AM

    MAA usually takes a long time. So I guess you have configured this in such a way that you do not wait for the full emulation.

    But without the exact details of the configuration it is impossible to tell.



  • 4.  RE: MAA did not block the first sample malware

    Broadcom Employee
    Posted 12-12-2017 09:01 PM

    Hi:

    We focused on fixing the "Other:Android.Reputation.2" result on our side and built the application again. It was OK when we scanned it on www.virustotal.com without a signature, but when we gave it an Android signature and scanned it again a few hours later, the "Other:Android.Reputation.2" result appeared again. So we think it is a false positive this time. The attachment is our new application with password "infected"; we hope you can help us remove the FP. Thank you!



  • 5.  RE: MAA did not block the first sample malware

    Posted 03-08-2018 02:10 AM

    Hi JM,

    Thanks for your feedback.

    Taking from your sentence "Waiting for result is more secure since the file is not served to the user until proven safe. With this option however the user does not receive the requested file immediately but has to wait for the sandbox verdict. Even if you display a patience page it provides a bad user experience. That's why this option is disabled by default."

    Will this process hold/queue the other processes or scans until the current file has been scanned and the result sent back to ASG/SG?

    If yes, then there will be an impact on user performance. How to prevent it?

    Thanks

    FZ.



  • 6.  RE: MAA did not block the first sample malware

    Broadcom Employee
    Posted 12-13-2017 05:46 PM

    Hi Firdaus,

    Depending on your ASG/CAS settings, an unknown file whose type or extension is set to be sent to the sandbox for detonation will be simultaneously sent to the sandbox and served to the requesting user during the first download attempt, unless a matching 'Wait For Result' condition is met, i.e. the Wait For Result option for that file type or extension is checked (real-time analysis).

    Once properly analyzed by the MAA, the result is sent back to the ASG/CAS and shared with Symantec GIN (Global Intelligence Network). If the file is found to be malicious, MAA updates its threat cache, notifies the ASG/CAS admin and sends info to WebPulse. If it is safe, MAA updates its clean cache, notifies GIN and serves the file. Thus, future requests for the same file will be blocked or allowed based on the cached response.

    That may explain why the first sample was not blocked in your case.

    Waiting for result is more secure since the file is not served to the user until proven safe. With this option however the user does not receive the requested file immediately but has to wait for the sandbox verdict. Even if you display a patience page it provides a bad user experience. That's why this option is disabled by default.

    Hope this helps

    JM
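To make the two behaviours JM describes concrete, here is a small added model (not Symantec code, not from this thread) of a proxy with a verdict cache and a 'Wait For Result' toggle in front of a sandbox; the sandbox verdict table and the sample bytes are constructed for the example, and the class and function names are invented.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    MALICIOUS = "malicious"
    CLEAN = "clean"

def file_id(content):
    return hashlib.sha256(content).hexdigest()  # content hash keys the cache

class Sandbox:
    """Stand-in for MAA: verdicts come from a constructed table of known-bad hashes."""
    def __init__(self, known_bad):
        self.known_bad = {file_id(c) for c in known_bad}

    def detonate(self, content):
        return Verdict.MALICIOUS if file_id(content) in self.known_bad else Verdict.CLEAN

class Proxy:
    """Stand-in for ASG/CAS with a merged threat/clean cache and a Wait For Result toggle."""
    def __init__(self, sandbox, wait_for_result):
        self.sandbox = sandbox
        self.wait_for_result = wait_for_result
        self.cache = {}    # file_id -> Verdict, populated by sandbox results
        self.pending = []  # submitted to the sandbox, verdict not yet back

    def download(self, content):
        fid = file_id(content)
        if fid in self.cache:  # a cached verdict decides; no resubmission
            return "blocked" if self.cache[fid] is Verdict.MALICIOUS else "served"
        if self.wait_for_result:  # real-time analysis: hold the download for the verdict
            self.cache[fid] = self.sandbox.detonate(content)
            return "blocked" if self.cache[fid] is Verdict.MALICIOUS else "served"
        self.pending.append(content)  # default: submit to sandbox AND serve right away
        return "served"

    def receive_verdicts(self):
        # Sandbox results arrive later and fill the cache for future requests.
        for content in self.pending:
            self.cache[file_id(content)] = self.sandbox.detonate(content)
        self.pending.clear()

SAMPLE = b"constructed-malware-sample"  # placeholder bytes, not a real sample

def run_scenario(wait_for_result):
    """Two downloads of the same unknown file with a verdict arriving in between."""
    proxy = Proxy(Sandbox({SAMPLE}), wait_for_result)
    first = proxy.download(SAMPLE)
    proxy.receive_verdicts()
    second = proxy.download(SAMPLE)
    return [first, second]
```

With the default setting the model returns `["served", "blocked"]`, matching the first-download-allowed behaviour in the original question; with Wait For Result it returns `["blocked", "blocked"]`.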