We have added support for further customizing the behavior of our network antivirus system. Not all application providers adhere to signing their executables and/or use sound software engineering principles. This causes some Virus Total Antivirus solutions to exhibit some false positives.
White List
To remedy this situation, you can now set up a white list using regular expressions to exclude the virus scanning from certain sources. The user-definable white list is in /nsm/etc/carverwhitelist on your sensor.
Some example white list entries are:
washingtonpost\.com.*\.zip
lavasoft\.com.*\.zip
Notice that you need to escape special characters like ‘.’
The two expressions above would skip content analysis from the washingtonpost.com and lavasoft.com domain. If you see some repeated Virus Total false positives from specific URLs, please add them to this list so that the false positives can stop. You can have comment lines beginning with the character #.
Minimum Score
We also added support for raising the minimum threshold to declare a sample to be malicious. Our default value is 4, meaning that at least 4 out of 55+ antivirus solutions need to report a hit in order for us to generate an incident report. It was noted that this limit might be too low in certain diverse environments. So, we added the ability for customers to change this value by setting the environment variable VTMINSCORE.
To change this on your sensor edit the file /nsm/etc/mss.sh and add the statement anywhere after the first line of the script:
export VTMINSCORE=<minimum vale>
Setting <minimum_value> to anything other than 4, will change the threshold for us to generate incident reports and email alerts. If you set it to less than 4, you will get more reports. If you set it to more than 4, you will get less reports.
As always, do not hesitate to call us at 1-877-664-7774 or send us an email at support @ metaflows.com for any questions.