Content & Malware Analysis

  • 1.  CAS Query

    Posted Apr 29, 2020 07:48 AM
    Edited by Sulman Mushtaq Mushtaq Hussain Apr 22, 2021 03:00 PM
    Hello everyone, I have one query. We have CAS with IVM profiles for Windows 7 and Windows 10, which are customized with custom applications.

    Now my question is: once a file or URL is submitted from either the proxy or the Email Gateway, does that file or URL get executed in each of the IVMs? In that case the same file or URL will be executed in all profiles. Can we force the analysis to be done in only one IVM profile to make the processing faster?

    Second question: the multiple file or URL samples which we are detonating in the IVM profiles, are they executed simultaneously, or are they detonated sequentially, so that the first analysis has to finish before the second sample can be analyzed?



    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: CAS Query

    Posted Apr 29, 2020 08:02 AM
    Would anyone like to reply?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 3.  RE: CAS Query

    Posted Apr 30, 2020 06:35 AM
    Appreciate your responses. Thanks.

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 4.  RE: CAS Query

    Broadcom Employee
    Posted Apr 30, 2020 07:10 AM
    Hi

    CA will send all files configured to be sandboxed to all profiles defined under Symantec Malware Analysis tasks.
    Multiple profiles will increase the number of tasks by that factor. So, configuring two profiles under Symantec Malware Analysis will double the load in the sandbox since every file will be detonated twice.
    CA does this in parallel, so there is no decision based on whether one profile detects something or not.

    hth
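
The fan-out described above (every sandboxed file becomes one detonation task per configured profile, all run in parallel with no short-circuit on a per-profile result) can be turned into a small capacity model. The following is an added example, not Symantec or Broadcom code: the number of concurrent detonation slots, the per-task duration, the constructed sample batch, and the rule that a sample's verdict is ready only when its task in every profile has finished are all assumptions for illustration; the page gives no real CAS capacity figures.

```python
"""Capacity model for sandbox profile fan-out (added example, not CAS code).

Models the behaviour the thread describes: each submitted sample is detonated
once per configured profile, and the tasks are list-scheduled onto a fixed
number of parallel detonation slots. Slot count, task duration and the batch
of samples are constructed assumptions, not measured CAS values.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    arrival: float  # seconds after start when the proxy/SMG submitted it


def fan_out(samples, profiles):
    """Expand samples into (arrival, sample, profile) detonation tasks.

    One task per sample per profile, so the task count is
    len(samples) * len(profiles), which is the load multiplier from the thread.
    """
    return [(s.arrival, s.name, p) for s in samples for p in profiles]


def simulate(samples, profiles, slots, task_seconds):
    """List-schedule the fan-out onto `slots` parallel detonation VMs.

    Tasks are taken in arrival order and placed on the earliest free slot.
    Returns {sample name: completion time}; a sample counts as complete only
    when its task in every profile has finished (assumption: the verdict is
    aggregated over all profiles, since no profile short-circuits the others).
    """
    tasks = sorted(fan_out(samples, profiles))  # FIFO by arrival time
    free_at = [0.0] * slots                      # time each slot becomes free
    heapq.heapify(free_at)
    done = {}
    for arrival, name, _profile in tasks:
        slot_free = heapq.heappop(free_at)
        start = max(arrival, slot_free)          # wait for sample and slot
        finish = start + task_seconds
        heapq.heappush(free_at, finish)
        done[name] = max(done.get(name, 0.0), finish)
    return done


def mean_latency(samples, completion):
    """Average seconds from submission to final (all-profile) verdict."""
    return sum(completion[s.name] - s.arrival for s in samples) / len(samples)


def compare_profile_counts(samples, profile_sets, slots, task_seconds):
    """Return {profile count: (mean latency, makespan)} for each profile set."""
    out = {}
    for profiles in profile_sets:
        done = simulate(samples, profiles, slots, task_seconds)
        out[len(profiles)] = (mean_latency(samples, done), max(done.values()))
    return out


if __name__ == "__main__":
    # Constructed batch: four files submitted at the same moment.
    batch = [Sample(n, 0.0) for n in ("a", "b", "c", "d")]
    # Assumed capacity: two detonation slots, 60 s per detonation.
    for count, (lat, span) in compare_profile_counts(
        batch, [["win7"], ["win7", "win10"]], slots=2, task_seconds=60.0
    ).items():
        print(f"{count} profile(s): mean verdict latency {lat:.0f}s, "
              f"batch finishes at {span:.0f}s")
```

With the assumed two slots and a 60 s detonation, the four-sample batch takes 120 s with one profile and 240 s with two, and the mean time to a verdict rises from 90 s to 150 s: the second profile doubles the task count and, once the slots are saturated, the queueing delay grows with it. Swap in your own slot count and measured detonation time to estimate how many profiles a given appliance can carry at your submission rate.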


  • 5.  RE: CAS Query

    Posted May 01, 2020 06:33 AM
    Hi Paul, thanks for the reply. So that means having multiple IVMs increases the time for analysis, as the same sample will be executed in multiple profiles?

    So doesn't it then make sense to keep the number of IVM profiles to a minimum, as having more profiles doesn't add any real value? What are the best practices?

    The only reason I could think of for having multiple profiles is when we want to test multiple plugins with different profiles?

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 6.  RE: CAS Query

    Broadcom Employee
    Posted May 04, 2020 09:25 AM
    Hi

    Yes, that's correct: the more profiles, the greater the load on the CAS.
    It makes sense to reduce the number of profiles, but typically customers don't have a single desktop environment and are forced to create multiple profiles.

    As far as I'm aware there are no published best practices around this.


  • 7.  RE: CAS Query

    Posted May 11, 2020 04:37 AM

    Hi Paul, thanks for the replies, I really appreciate it. I just have a couple more clarifications in this regard as well.

    1) So in the case where customers don't have many different desktop environments in terms of the customization they have for each, and are mostly running standard commercial software, does it make sense to have only two IVMs, one for Win-7 and one for Win-10? As the more IVM profiles we create, the more processing and time would be required, since the same sample will get executed/analyzed in each of the IVMs we have created?

    2) Is any sample analysis also happening on the base VMs we have for Win-7 and Win-10, from which we are creating these IVM profiles? Can we limit the analysis to happen only in the IVM profiles we have created? What added value is offered when we are also doing the analysis in the base VMs?

    3) We will be integrating the CASMA with Symantec Messaging Gateway (SMG). On CASMA we are planning to create 2 IVM profiles, one for Win-7 and one for Win-10. Would you like to recommend anything in this regard, or do you have any feedback?


    Looking forward to your valuable feedback. Thanks.



    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 8.  RE: CAS Query

    Posted May 12, 2020 05:26 AM
    Please reply @Paul Vilarino

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------



  • 9.  RE: CAS Query

    Broadcom Employee
    Posted May 21, 2020 09:41 AM
    1)
    Depending on the desktop environments it may be possible to do everything with one profile, but it could also be that an exploit is only available in one version of Windows; if that is the case then having one profile is a risk.


    2)
    You can't limit execution to a single profile. The advantage of having multiple profiles is that it allows you to mimic the customer's environment, where normally they will have multiple desktop/laptop OSs.

    3)
    Sorry, I don't have any experience with SMG.