Content & Malware Analysis

  • 1.  Windows profile

    Posted Aug 21, 2020 10:46 AM
    Hi everyone 

    When customizing a Windows profile, can we add it to a domain? Some types of malware can react to a domain or even a specific domain.

    Thank you for your time


  • 2.  RE: Windows profile

    Broadcom Employee
    Posted Sep 10, 2020 01:52 PM
    Hello Jakub, 

    Since you can install applications on the Windows VM, meaning you can make system changes, and since the CAS also allows you to import custom Windows images, you should (technically) be able to join the Windows VM to the domain, as long as you have allowed traffic from the VM to your internal network. This means that you would need to configure the "Dirty Line" to be able to access your internal network where your AD sits. However, you don't want the Dirty Line to be able to access your internal resources, because the Dirty Line is used by the Windows VM so that, if a virus is detonated in the VM environment and that virus needs a way to the internet, by design it has to use the CAS Dirty Line.

    But should you decide to give it a try: I would disable Sandboxing on CAS and then configure the Dirty Line so it can access the internal resources (you need to make sure CAS has the right DNS servers configured, etc.), and then try to join the VM to the domain. Once it is done, set the Dirty Line back to the settings it had. But then, if it fails, I am not sure how far the Technical Support team will go to assist you in troubleshooting this.

    Before you join the VM to the domain, make sure of this for your company's security's sake!
    • Sandboxing is disabled.
    • Or the CAS is not in production.
    • Or the CAS is not scanning any files, etc.

    Bottom line is DO NOT JOIN the VM of the CAS to the domain while CAS is scanning files or has Sandboxing enabled.

    I hope this helps.

    Slava


  • 3.  RE: Windows profile

    Broadcom Employee
    Posted Sep 10, 2020 02:29 PM
    Hello Jakub, 

    It is important to mention that what you are asking for is a possibility; however, this is not officially supported. This means that the Front Line Support will not be able to troubleshoot or assist you with this.

    Slava