Introduction

Welcome to the Cisco Secure Malware Analytics Appliance Administration Guide. This chapter provides a brief description of the appliance, the intended audience and how to access relevant product documentation.

About the Secure Malware Analytics Appliance

The Secure Malware Analytics appliance provides safe and highly secure on-premises advanced malware analysis, with deep threat analytics and content. A Secure Malware Analytics Appliance provides the complete malware analysis platform, installed on a Cisco Secure Malware Analytics M5 Appliance server (v2.7.2 and later). It empowers organizations operating under various compliance andSecure Malware Analytics policy restrictions, to submit malware samples to the appliance.


Note

Cisco UCS C220 M4 (TG5400) servers are still supported for Secure Malware Analytics Appliance but the servers are end of life.

Many organizations that handle sensitive data, such as banks and health services, must follow various regulatory rules and guidelines that do not allow certain types of files, such as malware artifacts, to be sent outside of the network for malware analysis. By maintaining a Cisco Secure Malware Analytics Appliance on-premises, organizations are able to send suspicious documents and files to it to be analyzed without leaving the network.

With a Secure Malware Analytics Appliance, security teams can analyze all samples using proprietary and highly secure static and dynamic analysis techniques. The appliance correlates the analysis results with hundreds of millions of previously analyzed malware artifacts, to provide a global view of malware attacks and campaigns, and their distributions. A single sample of observed activity and characteristics can quickly be correlated against millions of other samples to fully understand its behaviors within an historical and global context. This ability helps security teams to effectively defend the organization against threats and attacks from advanced malware.

What's New In This Release

The following changes have been implemented in this guide in Version 2.17:

Table 1. Changes in Version 2.17

Feature or Update

Section

Updated screenshots and instructions.

Configuration Using the Admin UI
New topic for Updates proxy. A SOCKS5 proxy can now be used for downloading updates. Updates Proxy
New topic for SSH Configuration. SSH Configuration
Added info on the new Send Test email button Email
The legacy TGSH-dialog is replaced by a modern Admin TUI Reconnecting to Admin TUI
The Admin UI now provides a visual cue to allow users to understand whether a RADIUS private key has been installed. About the Admin UI

Audience

This guide is intended to be used by the Secure Malware Analytics Appliance administrator after the appliance has been set up and configured, and an initial test malware sample has been successfully submitted and analyzed. It describes how to manage organizations and users for the malware analysis tool, appliance updates, backups, and other server administration tasks.

This guide also provides information for administrators who are integrating the Secure Malware Analytics Appliance with other Cisco products and services, such as Cisco Email Security Appliance, Cisco Web Security Appliance, and Secure Endpoint Private Cloud devices.


Note

For information about Secure Malware Analytics Appliance setup and configuration, see the Cisco Threat Grid Appliance Getting Started Guide.

About This Guide

This guide provides planning information, configuration tasks, and general administrative tasks, and is organized as follows:

Chapter

Description

Introduction

 Provides brief description of the appliance, the intended audience, how to access relevant product documentation, log in names and passwords, how to reset the administrator password, and contacting Support.

Planning

Describes the environmental, hardware, and network requirements that should be reviewed prior to setup and configuration.

Network Configuration Using the TGSH Dialog

Provides information about using the Admin TUI to make changes to your initial network configuration, reconnecting to the Admin TUI, and configuring the network in recovery mode.

Configuration Using the Admin UI

Provides information about using the Admin UI to make configuration changes to your appliance. See About the Admin UI for a complete list of tasks that can be performed.

Status

Provides information about viewing system information in the Admin UI, such as installed system packages and their version, detailed logs, and available storage.

Operations

Provides information about activating configuration changes, reloading the Admin UI, managing jobs and power settings, and installing updates.

Support

Provides instructions for starting a live support session and taking support snapshots to aid in resolving issues with the appliance.

Organizations and Users

Provides instructions for creating organizations, managing users, and activating a new device user account.

Inbound and Outbound Connections

Provides information about connecting other Cisco appliances (ESA and WSA), and Secure Endpoint Private Cloud to the Secure Malware Analytics Appliance.

Removing All Data with the Wipe Appliance Boot Option

Describes how to use the Wipe Appliance boot option to remove all data from the Secure Malware Analytics Appliance, including clusters.

CIMC Configuration

Provides information about using the CIMC utility to set up remote server management.

User Documentation

Secure Malware Analytics Appliance User Guides

The latest versions of Cisco Secure Malware Analytics Appliance product documentation can be found on Cisco.com.

Figure 1. User Guides on Cisco.com

Secure Malware Analytics Portal UI Online Help

Secure Malware Analytics Portal user documentation, including Release Notes, Using Secure Malware Analytics Online Help, API documentation, and other information is available from the ? (Help) icon located in the navigation bar in the upper right corner of the Secure Malware Analytics user interface.

Figure 2. Secure Malware Analytics Portal Online Help

Use the online help Search feature located at the top of the left column to find appliance-specific information.

Figure 3. Online Help Search Feature

Secure Malware Analytics Portal UI Administration Guide

A portal online help topic is available for administrators, with instructions on how to manage users and other information. Click the Administration tab and choose Administration Guide.

Figure 4. Administration Guide for the Secure Malware Analytics Portal UI

Email Security Appliance and Web Security Appliance Documentation

For information on connecting an Email Security Appliance (ESA) or Web Security Appliance (WSA), see Integrations.

See the instructions for Enabling and Configuring File Reputation and Analysis Services in the online help or user guide for your ESA/WSA:

Login Names and Passwords (Default)

The default login names and passwords are listed in the following table:

User

Login/Password

Admin UI and Shell User

Use the initial Secure Malware Analytics/Admin TUI randomly generated password, and then the new password entered during the first step of the Admin UI configuration workflow.

If you lose the password, follow the instructions in Resetting the Administrator Password.

Secure Malware Analytics Web portal UI Administrator

Login: admin

Password: Initialize with the first Admin UI password, and then it becomes independent.

CIMC

Login: admin

Password: password

Password Criteria

Passwords must include the following:

  • Minimum of 8 characters

  • At least one number

  • At least one special character

  • Uppercase and lowercase characters

Resetting the Administrator Password

The default administrator password is only visible in the Admin TUI during the initial appliance setup and configuration. Once the initial configuration is completed, the password is no longer displayed in visible text.


Note

LDAP authentication is available for Admin TUI and Admin UI login when you have multiple administrators. If the appliance is configured for LDAP authentication only, resetting the password in recovery mode will reconfigure the authentication mode to allow login with system password as well.

If you lose the administrator password and are unable to log in to the Admin UI, complete the following steps to reset the password.

Procedure

Step 1

Reboot the Secure Malware Analytics Appliance: click the Operations tab and choose Power, and then click the Reboot button. The appliance reboots, and opens the BIOS window.

Figure 5. BIOS Window - Choose Boot Menu <F6> for Recovery Mode
Step 2

In the BIOS window, press F6 to open the Boot menu.

Step 3

Choose Recovery and press Enter.

Figure 6. Boot Menu

The Secure Malware Analytics Shell opens in Recovery Mode.

Figure 7. Secure Malware Analytics Shell (tgsh) in Recovery Mode
Step 4

Run passwd to change the password.

Figure 8. Enter New Password
Note 

The command prompt is not always visible in this mode and logging output may be displayed at any point on top of your input. This does not affect input; you can keep typing blindly. Ignore the two lines of logging output.

Step 5

Enter (blindly) the password and press Enter.

Step 6

Re-type the password and press Enter.

Note 

The password will not be displayed.

Step 7

Type reboot and press Enter to start the appliance in normal mode.

Note 

The exit command is no longer required before rebooting for a password reset to take effect (for v2.10 and later).