Appliance configuration
Spectra Detect Manager allows users to modify configuration settings on Spectra Detect appliances directly from the Manager interface. The Central Configuration feature makes it easier to configure appliances remotely, and to ensure that the settings are consistent and correct across multiple appliances. The appliances must first be connected and authorized on the Manager instance.
Spectra Analyze appliances can be managed using the Spectra Detect Manager APIs.
To start working with this feature, access the Central Configuration page by selecting Central Configuration in the upper right corner of the Manager interface.
The Central Configuration page contains different configuration modules that users can enable. Different combinations of modules and their configuration values can be saved as configuration groups or Hub groups. For example, users can create a configuration group for Worker appliances that should be connected to Spectra Intelligence, and a Hub group for Hub and Worker appliances that should be connected to T1000.
In addition to options described below, appliance groups containing a Hub instance provide more configuration options (such as Connector services) if they are configured as a Spectra Detect Hub group rather than a regular configuration group.
When appliances are added to a group, all settings configured in the modules are applied to them, overwriting their previous settings.
Generally, the Central Configuration workflow includes the following steps:
- Create a configuration group or edit an existing one.
- Select which appliances should be in the group.
- Modify settings in configuration modules.
- Save changes.
- Apply modified settings to all appliances in the group.
Central Configuration Page
The Central Configuration page contains the Select configuration group pull-down list at the top, allowing users to switch between existing groups. There are also buttons for creating a new group and deleting the currently selected group.
If there are no configuration groups created on the Manager instance, the default group is displayed on the Central Configuration page. Users can manage appliances and modify settings in the default group, or create their own groups.
All configuration modules supported by the Manager are listed in the sidebar on the left. Selecting a module opens its configuration dialog on the right side of the page.
If the selected group is a Spectra Detect Hub group, an additional section is present at the top of the page. The section indicates which Hub instance in the group is the primary, and which is the fallback node. Clicking Details in this section displays more information about both Hub instances, such as their router IDs and configured priority values.
To see the list of appliances that can be added to the currently selected configuration group, select Appliances in the sidebar. Appliances that are already in the current group have a tick in the checkbox next to their name. Appliances that are in other configuration groups have an indicator next to the appliance name.
Users can save and/or apply configurations to appliances in the group by clicking on the Save button. This opens a pop-up dialog with the options to Save or Save and Apply the configuration to all appliances in the group.
To apply the configurations to specific appliances, select their checkboxes in the appliance list below, and click the Apply button at the top of the list.
Note that adding or removing appliances does not remove existing configuration on appliances.
Configuration status
The configuration status of appliances can be one of the following:
- Applied
- Not Applied
- Pending
- Error
- Out of Sync
Older appliances (i.e. before Spectra Detect v5.2) will show different status messages.
Adding Appliances to a Configuration Group
Appliances that can be added to the current configuration group are listed in the Appliances section.
Select the checkbox next to the appliance(s) that should be added to the group, and click Save. This opens a dialog with the options to save the selected appliances to the group, and to optionally apply the current group configuration.
An appliance cannot be in two configuration groups at the same time. If an appliance is already in another configuration group, the Manager displays a warning message after clicking Save.
Confirming the change will move the appliance from the previous configuration group to the current one.
When an appliance is successfully added to a configuration group, the group’s configuration has to be manually applied to it either by clicking the Save button and selecting the Save and Apply option, or by selecting its checkbox in the Apply Configuration list and clicking the Apply button. The appliance will restart and start using the new configuration.
The configuration dialogs on the appliance will indicate that the settings are being managed by the Manager. Although the configuration values modified in the group will still be editable in the appliance’s configuration dialogs, any changes saved on the appliance will not be applied as long as the appliance is managed through Central Configuration.
If an appliance is added to a group and the configuration is applied, but the appliance is offline or unreachable by the Manager at that time, its settings will be modified when it becomes reachable.
Creating Configuration Groups
To create a new configuration group, click Add new group at the top of the Central Configuration page.
It’s also possible to create a configuration group by clicking Add new group on the Appliance Management tab on the Dashboard page.
Group names are case-sensitive, so "example" and "Example" are treated as two different groups. Supported characters for group names are a-z, A-Z, 0-9, and the underscore (_).
If the group name contains an unsupported character, an error message is displayed. Likewise, a warning is displayed when trying to create a configuration group with a name that is already taken by another group.
The dialog also requires selecting the group type. Two types are supported:
- Configuration group (for Spectra Detect Worker appliances without a Hub),
- Hub group (for setting up a high-availability cluster).
Select the first type ("Configuration Group") and click Add to confirm changes and create a new configuration group. The newly created group will not contain any appliances, and there won’t be any active configuration modules.
Some configuration modules and options apply only to specific appliance types or versions. For example, the "Splunk" configuration module and its options apply only to the Worker. Read more in the configuration modules section.
To enable a configuration module, select it in the sidebar on the Central Configuration page and modify the options in it. The indicator in the sidebar warns about unsaved changes in the module. Unsaved changes are lost if the user navigates away from the Central Configuration page without clicking Save first.
Configuration modules that are not enabled do not have any indicators in the sidebar. Those that are enabled and properly configured have a green indicator. If there are issues with the configuration of a module, the indicator changes to red.
Save changes in the module by clicking Save. The indicator in the sidebar shows whether the module is configured properly. Repeat this procedure for every configuration module that needs to be enabled in the configuration group.
To disable a configuration module, select it in the sidebar and click Remove Central Control.
When this button is clicked, the configuration options are unlocked for editing on each appliance in the group, and are no longer controlled by Spectra Detect Manager. The options configured in the module are not erased automatically when the module is disabled. In other words, the current configuration is preserved, and needs to be modified manually on the appliance.
The full list of supported configuration modules and options for all appliance types is available in the configuration modules section.
Managing Configuration Groups
The following changes can be made to any configuration group on the Manager:
- enable and disable configuration modules
- change options in enabled configuration modules
- add and remove appliances from a group
- move appliances from one group to another
- delete the entire group (does not apply to the default group, which cannot be deleted)
Depending on the type of change, appliances may be automatically restarted. Only applying new configurations to an appliance will trigger a restart of that specific appliance. Adding an appliance to a group, removing it from a group, moving it between groups, or deleting a group will not restart the appliances.
Depending on the type of appliance, the process of restarting and reloading configuration values might take some time. Spectra Detect Worker appliances generally take longer to restart.
Configuration modules
The configuration modules listed in this section can be enabled on the Central Configuration page, and their options can be modified.
Some configuration modules support all versions of Spectra Detect appliances, but specific options within the modules apply only to specific versions. Such options are indicated by a comment in the Manager interface.
General
Root SSH login can be enabled for use with password management systems. These checkboxes are not available by default. To enable them, do the following:
- Log in via SSH to the Manager.
- Run `sudo rlapp configure --sshd-control-enable`. This will enable the checkboxes on the Manager.
- In the browser, go to Spectra Detect Manager > Central configuration, select the Hub group which will have root SSH login enabled, then go to General > SSH.
- Enable Permit SSH configuration.
- Enable Permit root SSH login.
Note that this can only be applied to Hub groups.
For SSH credentials, contact ReversingLabs Support.
This section also includes the option to disable the use of swap memory. Swap memory is disk space used as RAM. Note that this option isn’t applicable if the appliances are deployed as Docker images.
Spectra Core
This section lists configuration settings related to static analysis performed by Spectra Core.
Processing Settings
This setting determines which file formats will be unpacked by Spectra Core for detailed analysis. "Best" fully processes all formats supported by the appliance. "Fast" processes a limited set of file formats.
The Fast option does not support unpacking and/or validation of several file formats, providing only minimal information for:
- Archives (ActiveMimeMSO, ARC (.arc, .ark), ARSC, BLZ, CGBI, CRTF, DICOM (.dicom, .dcm, .dic), PE .Net Resources, LZ4, LZIP, LZMA, LZOP, MAR, NuGet, PAK, PCAP (http, smtp), PYZ, SQX, TIFF, WARC, XAR, ZOO)
- Documents (bplist, Certutil (.crt, .cert, .pem), CHM, HTML (.html, .htm, .xhtml, .xht), IQY, SettingContent (.xml), SYLK, URL)
- Mobile Applications (Android (.apk), iOS (.ipa), Windows Phone (.xap), APPX)
- Multimedia (BMP, GIF, JPEG, PNG, SWF)
- File System/Firmware (cramfs, HFSP, jffs2, squashfs, yaffs)
- Web Applications (Google Chrome (.crx), Opera (.oex), Mozilla FireFox (.xpi))
- Quarantine formats (KasperskyKLQ, SymantecQBD, SymantecVBN)
- Emails (UUE, YENC)
- Disk Images (VHD, WIM (.wim, .swm))
- ...and others (CxMacro, Docker, PyInstaller, SMTP, sqlite3 (.db, .sqlite), VBE(.vbe, .jse)).
Additionally, the report metadata will no longer include overlay and resource hashes, storyteller descriptions, Spectra Intelligence XREF data, MITRE ATT&CK mappings, IoC reasons, or mobile, browser and media details.
CEF Messages Configuration
Spectra Detect can log events using the Common Event Format (CEF) to ensure compatibility with security information and event management software products (SIEMs). CEF is an extensible, text-based logging and auditing format that uses a standard header and a variable extension, formatted as key-value pairs.
Select the checkbox to enable sending CEF messages to a syslog receiver.
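The following is an added example (not code from the page or from the Spectra Detect product) showing what the CEF layout described above looks like in practice: the fixed pipe-delimited header, the key-value extension, and the escaping rules that keep a `|`, `=` or line break inside a value from corrupting the record. The vendor, product, signature ID and extension keys used in the sample event are constructed for illustration and are not the appliance's real values.

```python
import re

# CEF header escaping: only backslash and pipe are special in the header.
def _escape_header(value) -> str:
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

# CEF extension escaping: backslash, equals sign and line breaks are special.
def _escape_extension(value) -> str:
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def build_cef(vendor, product, version, signature_id, name, severity, extension: dict) -> str:
    """Build a CEF:0 line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_escape_header(v)
                      for v in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"

def _split_header(line: str):
    """Return the seven header fields and the remaining extension text, honouring escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":                            # unescaped pipe: field boundary
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:                            # line without extension
        fields.append("".join(cur)); cur = []
    return fields, line[i:]

# key=value pairs; a value runs until the next " key=" or the end of the line.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", re.S)
_UNESCAPE = {"\\": "\\", "=": "=", "r": "\r", "n": "\n", "|": "|"}

def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value, flags=re.S)

def parse_cef(line: str):
    """Parse a CEF line into (header dict, extension dict). Raises on a non-CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, rest = _split_header(line)
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    names = ("cef_version", "vendor", "product", "device_version",
             "signature_id", "name", "severity")
    header = dict(zip(names, fields))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    extension = {k: _unescape(v) for k, v in _EXT_RE.findall(rest)}
    return header, extension

# Constructed sample event (illustrative values, not the product's real event schema).
SAMPLE = build_cef("ExampleVendor", "ExampleProduct", "1.0", "100", "File classified", 7,
                   {"fname": "a|b=c.exe", "act": "malicious", "msg": "line1\nline2"})

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_cef(SAMPLE))
```

Round-tripping a value such as `a|b=c.exe` is the useful check here: a syslog receiver or SIEM that does not apply the extension escaping rules will split that field at the `=` and misattribute the rest of the line.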
String extraction configuration
Spectra Core can extract information from binaries in the form of strings. While useful in some contexts, this metadata can also be very extensive. This section allows setting the minimum and maximum length of extracted strings that make it into the analysis report. A maximum length of zero (0) is interpreted as unlimited length.
Entropy limit: Set the maximum allowed entropy as a floating-point value in range from 0 to 8. Default is 0.0. For every file analyzed by Spectra Core, file entropy can be calculated. A higher entropy value indicates that the file content is more random in nature, and therefore more likely to be compressed or encrypted.
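As an added illustration of the 0 to 8 entropy scale referred to above (this is not code from the page or from Spectra Core, whose exact calculation is not documented here), the function below computes Shannon entropy in bits per byte and compares it against a configured limit. Treating a limit of 0.0 as "no limit" is an assumption made for the example, not a documented product behaviour.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 means every byte is identical; 8.0 means all 256 byte values occur
    equally often, which is what well-compressed or encrypted data looks like.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def exceeds_entropy_limit(data: bytes, limit: float) -> bool:
    """True when the sample's entropy is above the configured limit.

    The limit must be in [0, 8] like the configuration field; 0.0 is
    interpreted here as 'no limit' (assumption for this example).
    """
    if not 0.0 <= limit <= 8.0:
        raise ValueError("entropy limit must be a value from 0 to 8")
    if limit == 0.0:
        return False
    return shannon_entropy(data) > limit

# Constructed inputs: a zero-filled buffer, a uniform byte ramp, and some text.
ZEROS = bytes(100)
UNIFORM = bytes(range(256))
TEXT = b"The quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    for label, blob in (("zeros", ZEROS), ("uniform", UNIFORM), ("text", TEXT)):
        print(f"{label:8s} entropy={shannon_entropy(blob):.3f} "
              f"over_7.5={exceeds_entropy_limit(blob, 7.5)}")
```

English text typically lands around 4 to 5 bits per byte, packed or encrypted payloads close to 8, which is why a high value is a useful hint that the content is compressed or encrypted rather than plain code or data.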
MWP-related settings
MWP goodware factor: The value configured here determines the threshold at which the KNOWN classification for a file (from the Malware Presence algorithm) will change to the Spectra Core Goodware classification. By default, all KNOWN classifications are converted to Goodware. Lowering the value reduces the number of files classified as goodware. Files with a trust factor higher than the configured value are considered to have no threats. Supported values are 0 - 5. The default is 2.
Extended MWP Metadata: Select the checkbox to include extended malware presence metadata in Worker analysis reports for files analyzed with AV engines in the Spectra Intelligence system. Spectra Detect Worker must be connected to Spectra Intelligence, and the user account must have appropriate access rights for this feature to work. Note that extended metadata is displayed in the report only for those files that have been analyzed by AV engines at some point.
Decompression configuration
The maximum decompression factor is a decimal value between 0 and 999.9. It is used to protect the user from intentional or unintentional archive bombs, terminating decompression if the size of the unpacked content exceeds a set quota. The maximum allowed decompression ratio is calculated as:
MaximumDecompressionFactor * (1000 / ln(1 + InputFileSize * pow(10, -5)))
The InputFileSize must be in bytes. To calculate the maximum decompressed file size, multiply this ratio by the InputFileSize.
Unpacking will stop once the size of all extracted content exceeds the theoretical maximum of the best-performing compression algorithm. Setting the factor to 0 will disable decompression management. ReversingLabs recommends against disabling decompression management.
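The formula above, carried through in an added example (not the appliance's own code): it computes the allowed ratio and byte quota for a given input size and factor, and then simulates a streaming unpack that stops as soon as the cumulative extracted size crosses the quota, which is the archive-bomb behaviour the setting exists for. The member sizes are constructed, and the `inf` quota for a factor of 0 is this example's way of modelling "decompression management disabled".

```python
import math

def max_decompression_ratio(factor: float, input_size: int) -> float:
    """Page formula: factor * (1000 / ln(1 + InputFileSize * 10^-5)), size in bytes.

    A factor of 0 disables the check; it is modelled here as an infinite ratio.
    """
    if not 0 <= factor <= 999.9:
        raise ValueError("factor must be between 0 and 999.9")
    if input_size <= 0:
        raise ValueError("input size must be a positive number of bytes")
    if factor == 0:
        return math.inf
    return factor * (1000.0 / math.log(1 + input_size * 1e-5))

def max_decompressed_size(factor: float, input_size: int) -> float:
    """Byte quota for the unpacked content: ratio * InputFileSize."""
    return max_decompression_ratio(factor, input_size) * input_size

def unpack_with_quota(input_size: int, factor: float, member_sizes):
    """Simulate extracting archive members in order under the quota.

    Returns (bytes_extracted_so_far, completed). Extraction stops at the
    first member that pushes the cumulative total over the quota.
    """
    quota = max_decompressed_size(factor, input_size)
    total = 0
    for size in member_sizes:
        total += size
        if total > quota:
            return total, False      # quota exceeded: stop unpacking
    return total, True

# Constructed scenario: a 1 MB archive whose members inflate to 1 GB in total.
ARCHIVE_SIZE = 1_000_000
BOMB_MEMBERS = [500_000_000, 500_000_000]
NORMAL_MEMBERS = [100_000_000, 100_000_000, 100_000_000]

if __name__ == "__main__":
    ratio = max_decompression_ratio(2.0, ARCHIVE_SIZE)
    print(f"ratio={ratio:.1f} quota={max_decompressed_size(2.0, ARCHIVE_SIZE) / 1e6:.1f} MB")
    print("bomb:", unpack_with_quota(ARCHIVE_SIZE, 2.0, BOMB_MEMBERS))
    print("normal:", unpack_with_quota(ARCHIVE_SIZE, 2.0, NORMAL_MEMBERS))
```

Note how the ratio shrinks as the input grows: the logarithm in the denominator means a small archive is allowed a far larger expansion multiple than a large one, which matches the intuition that a few kilobytes expanding to gigabytes is the suspicious case.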
Propagation
When propagation is enabled, files can be classified based on the content extracted from them. This means that files containing a malicious or suspicious file will also be considered malicious or suspicious.
Goodware overrides ensure that any files extracted from a parent file and whitelisted by certificate, source or user override can no longer be classified as malicious or suspicious. Additionally, this goodware classification can be propagated from extracted files to their parent files in order to prevent and suppress possible false positives within highly trusted software packages. Goodware overrides will apply to all files with the trust factor value equal to or lower than the value configured here. Trust factor is expressed as a number from 0 to 5, with 0 representing the best trust factor (highest confidence that a file contains goodware).
Enable Classification Scanners
Fine-tune which scanners are used in the static analysis performed by Workers.
- Images: heuristic image classifier
- PECOFF: Heuristic Windows executable classifier
- Documents: Document format threat detection
- Certificates: Checks whether the file certificate passes the certificate validation in addition to checking white and black certificate lists
- Hyperlinks: Embedded hyperlink threat detection
- Emails: Phishing and email threat detection
Ignore the Following Threat Types
Selected threat types will be excluded from the final classification decision. The classification returned will be Goodware with the reason Graylisting.
- Adware
- Packer
- Riskware
- Hacktool
- Spyware
- Spam
Password List
Appliances use these passwords to decrypt password-protected compressed files submitted for analysis. Prior to submitting password-protected compressed files to the appliance, users can add the password for each file to this list (one password per line). Passwords can also be provided on each upload using the optional `user_data` request field.
Spectra Intelligence
Applies to Spectra Detect Worker
| Option | Description |
|---|---|
| Enable Spectra Intelligence | Receive additional classification from the Spectra Intelligence cloud. By default, it is false. |
| Spectra Intelligence URL | The host address for the Spectra Intelligence cloud. Click the Test connection button to test the connectivity. The default URL is https://appliance-api.reversinglabs.com |
| Username | Spectra Intelligence username |
| Password | Spectra Intelligence password |
| Timeout | Default Spectra Intelligence connection timeout in seconds (maximum 1000). |
| Enable proxy | Enables the configuration of an optional proxy connection. By default, it is false. |
| Proxy host | Proxy host name for routing requests from the appliance to Spectra Intelligence (e.g., 192.168.1.15). |
| Proxy port | Proxy port number (e.g., 1080). |
| Proxy username | User name for proxy authentication. |
| Proxy password | Password for proxy authentication. |
Cache Spectra Intelligence results to preserve quota and bandwidth when analyzing sets of samples containing a lot of duplicates or identical extracted files.
| Parameter Name | Description |
|---|---|
| Enable | Enable or disable the caching feature. Default: False |
| Cache max size (%) | Maximum cache size expressed as a percentage of the total allocated RAM on the Worker. Default: 6.25, Range: 5 - 15 |
| Cache cleanup window | How often to run the cache cleanup process, in minutes. It is advisable for this value to be lower than, or at least equal to, the TTL value. Default: 10, Range: 5 - 60 |
| Maximum number of idle upstream connections | The maximum number of idle upstream connections. Default: 50, Range: 10 - 50 |
| Cache entry TTL | Time to live for cached records, in minutes. Default: 120, Range: 1 - 3600 |
T1000 File Reputation Appliance
Applies to Spectra Detect Worker
| Option | Description |
|---|---|
| Enable T1000 | When enabled, an integration with a ReversingLabs T1000 instance is configured to receive additional classification information. By default, it is false. |
| T1000 URL | The host address for the on-premises T1000 File Reputation appliance. |
| Username | T1000 user name for authentication. Note: this user name needs to be created via the T1000 Web administration application. |
| Password | T1000 password for authentication. |
| Timeout | Default T1000 service connection timeout in seconds (maximum 60). |
| Enable proxy | Enables the configuration of an optional proxy connection. By default, it is false. |
| Proxy host | Proxy host name for routing requests from the appliance to T1000 (e.g., 192.168.1.15). |
| Proxy port | Proxy port number (e.g., 1080). |
| Proxy username | User name for proxy authentication. |
| Proxy password | Password for proxy authentication. |
SNMP
Applies to Spectra Detect Worker
| Option | Description |
|---|---|
| Enable SNMP service | Select the checkbox to enable the Simple Network Management Protocol service. |
| Community | Enter the name of an SNMP community list for authentication. A community is a list of SNMP clients authorized to make requests. The SNMP service will not function properly if this field is not configured. |
| Enable trap sink | Select the checkbox to enable sending SNMP traps to the sink server. Traps are asynchronous, unsolicited SNMP messages sent by the SNMP agent to notify about important events on the appliances. |
| Trap community | Enter the SNMP trap community string. If the Enable SNMP service and Enable trap sink checkboxes are selected, then this field is required. |
| Trap sink server | Enter the host name or the IP address of the trap sink server. The sink server is the location to which SNMP traps will be sent. If the Enable SNMP service and Enable trap sink checkboxes are selected, then this field is required. |
| SNMP trap thresholds | A set of configuration fields allowing the user to set the thresholds (values that will trigger an SNMP trap) for supported types of events. Thresholds can be configured for average system load in 1, 5, and 10 minutes (as a percentage), used memory and used disk space (as a percentage), the size of Spectra Detect queues (maximum value is 20000) and the size of the classifications queue (maximum value is 20000). |
System Time
Applies to Spectra Detect Worker
| Option | Description |
|---|---|
| Enable network time synchronization | Select the checkbox to enable server clock synchronization via NTP, which uses port 123. |
| NTP servers | A list of servers, one per line, to use for system clock synchronization. |
Spectra Detect Worker Configuration
General
Limits
It is possible to set up limits on file processing:
- maximum file size
- number of daily uploads
File size is in MB. The daily limit includes files uploaded through a connector, and resets at midnight.
Large Report Size Limit (MB) - Reports over this size will be handled by optimizing memory consumption (RAM), which may result in longer processing and post-processing times. Views are not supported for the full report; they can only be used with the split report option. Use this option when minimizing memory usage is important. Setting to 0 disables this option.
Health Monitoring
Processing and Postprocessing Service Status Check
Processing and postprocessing service status fields can be used to configure how often the services will be checked for timeouts. If any issues are detected, the process will be restarted. The default for both fields is 720 minutes. Setting to 0 will disable this option.
Monit Memory Threshold
Monit Memory Threshold is the percentage of memory, between 50 and 100, that services can use. If memory usage reaches the number configured here, the system will restart services. If this number is set to 100, the restart will be disabled.
Health Thresholds
Set the health thresholds to true or false to enable or disable the thresholds functionality.
- Disk High Threshold: Specify the highest allowed percentage of hard disk usage on the system. If it exceeds the configured value, the appliance will start rejecting traffic.
- Queue High Threshold: Specify the maximum number of items allowed in the queue. If it exceeds the configured value, the appliance will start rejecting traffic.
Cleanup
All values are in minutes.
- File age limit: How long an unprocessed file is present on the appliance before being deleted. Processed files are deleted immediately after processing. Default: 1440.
- Task age limit: How long before the record of a completed processing task is deleted. Default: 90.
- Unprocessed task limit: How long before an incomplete processing task is cancelled. Default: 1440.
Spectra Analyze Configuration
- Spectra Analyze IP address or FQDN: Specify the hostname or IP address of Spectra Analyze appliance associated with the Worker. This address will be referenced in Splunk reports to enable retrieving additional processing information.
File Processing
Processing
- Processing Mode: Choose the processing mode of the Worker instance to improve pressure balancing. Supported modes are standard and advanced. In advanced mode, files larger than the threshold specified below are processed individually.
- Large File Threshold: If advanced mode is selected, files larger than the threshold specified here will be processed individually, one by one. If standard mode is enabled, this parameter is ignored. The threshold value is expressed in MB. Default is 100.
- Unpacking Depth: Select how "deep" a file is unpacked. For example, if a file contains other files, each of those containing other files, and so on, by default (when this value is set to zero) Workers will unpack everything until no more files can be unpacked. Setting this value to a number other than zero limits the depth of recursion, which can be useful for quicker (but shallower) analyses.
- Processing Timeout: Specify how many seconds Worker should wait for a file to process before terminating the task. The default is 28800 seconds (8 hours). The minimum allowed value is 1.
Caching
- Enable caching: When caching is enabled, the SHA1 of file contents is used to determine if there have been recent analysis reports for the same file, and if those reports can be reused instead of processing the file again.
- Cache Timeout: If file processing caching is enabled, this parameter can be used to specify for how long the analysis reports should be preserved in the cache and reused before they expire (in seconds). Restarting the Worker or changing configuration will clean the cache. Setting the value to 0 will use the timeout of 600 seconds.
Scaling
- Processing: Specify how many copies of Spectra Core instances to run. Changing this setting from the default is not recommended.
- Post-processing: Specify how many report post-processing instances to run. These instances will then modify and save reports as specified by the user. Increasing this value can increase throughput for servers with extra available cores. Default: 1.
- Load size: Defines the maximum number of individual files that can simultaneously be processed by a single instance of Spectra Core. When one file is processed, another from the queue enters the processing state. Default is zero (0), which sets the maximum number of files to be processed to the number of CPU cores on the system.
- Concurrency Count: Defines the number of concurrent threads per Spectra Detect instance that should be used for processing. Default is zero (0), which sets the number of threads to the number of CPU cores on the system. Modifying this option may cause issues with the system. Consult with ReversingLabs Support before making any changes to the parameter.
Analysis Report
Default Report Settings
- Strings: Select the checkbox to enable extracting strings from files during Spectra Detect file analysis.
- Relationships: When enabled, the relationships section of the report lists hashes of files that are found within a given file.
- Relationships for First Report Only: If disabled, the reports for samples that contain children files will include the relationships of all their descendants. This can lead to a lot of redundant information in the report. If enabled, relationship metadata will be included only for the root parent file.
- Network Reputation Report: If enabled, Spectra Detect Worker (4.1+) file analysis reports will contain a new section, `network_reputation`, with reputation information on any network resources found within the file. This feature is unavailable if Spectra Core > Processing Settings is set to Fast, as it relies on interesting strings extracted during analysis.
API Report Settings
This section configures the default report view applied to a Spectra Detect report if no other view has been applied elsewhere. It allows you to specify the report type that should be applied to the Worker analysis report.
Report types are results of filtering the full report. In other words, fields can be included or excluded as required.
- Report Type: Available report types are extended_small, small, medium, and large, as well as classification, classification_tags, extended, mobile_detections and short_cert which contain metadata equivalent to views with the same name. Click the Upload button to submit a custom report type to the appliance.
- Report View: Apply a view for transforming report data to the large report type to ensure maximum compatibility.
See Spectra Detect Product Documentation > Analysis and Classification > Customizing Analysis Reports for detailed information about how report types and views work.
Enable the Top Container Only option to only include metadata for the top container. Reports for unpacked files will not be generated.
Enable the Malicious Only option for the report to contain only malicious and suspicious children.
Additional hashes
- CRC32
- MD5
- SHA384
- SHA512
- SSDEEP
Spectra Core calculates file hashes during analysis and includes them in the analysis report. Select which additional hash types should be calculated for files analyzed on connected Worker appliances. MD5 is selected by default. SHA1 and SHA256 hashes are always included, and therefore aren’t configurable. Note that selecting additional hash types may cause the report to generate slower.
Authentication
Tokens
Specify tokens required for authorizing to the listed Spectra Detect Worker endpoints. Every token must be a string of alphanumeric characters between 16 and 128 characters in length.
Egress Integrations
After analysis, Spectra Detect can save:
- original files
- unpacked files
- file analysis reports
These are forwarded to one or more external storage providers:
- AWS S3
- Network file share (SMB, NFS)
- Microsoft Cloud storage (Azure Data Lake, OneDrive, SharePoint)