Jump to content

How to fix malware interface route misconfiguration issues [KATA/KEDRE]


Recommended Posts

Antipova Anna

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description and cautions

This article may be useful in certain cases, when you see that virtual machines running on the KATA Sandbox can not access internet using the properly configured malware interface. One can notice the issue based on several symptoms, such as VM activation errors, samples sent to Sandbox for processing not accessing internet, etc... We recommend to use the following article to check if the malware channel works properly on the KATA Sandbox server or not:

 

Details

In case if the tests listed above indeed show that malware channel fails to connect to the internet, we recommend to do the following checks among others:

  1. Run the following command on the sandbox server to check the currently configured network settings for the Sandbox:

    # /opt/kaspersky/sandbox/bin/sbnetworking all show 

    check in the command's output if the malware interface is configured properly, i.e. it's intended IP, subnet, gateway, etc.

    Example of such output below:

    image.thumb.png.5b41bde1c3bc434ae1a8d7550a7b6d30.png

    Correct values if they are misconfigured somehow from the web interface and don't forget to apply the settings afterwards and restart the host, to propagate those (prompt for restart will pop-up in the Sandbox web interface after applying those).
  2. Run the following command to check the system log on the Sandbox server if there are certain errors related to networking in general and malware interface in particular:

    # journalctl -u network

    # journalctl -u sandbox-networking.service

    In case if all checks listed above were passed, and there are no misconfigurations found and/or no specific errors were found in system journal, then try checking if routing is properly configured for the malware channel, i.e. run the following command:

    # ip route show table 701

    Expected output below:
    image.thumb.png.6f83b3583f2916a0e389a2ddc93252a8.png


    if the output will be missing the default route entry via configured gateway for the malware interface, then add it manually like so:

    # ip route add default via <gateway's IP> table 701

    after adding the route, double check that it indeed exists:

    # ip route show table 701

    then restart the sandbox-networking service manually or the Sandbox server itself:

    # systemctl restart sandbox-networking.service
     
    Please note, that restarting sandbox-networking service may take a while especially on production servers that are processing a lot of samples at the moment and/or have a lot of worker slots. Thus it is highly recommended to detach this Sandbox server from KATA for the time of restart and expect 40 minutes - several hours downtime to complete the procedure.

    after restarting the sandbox-networking service check if you can ping public locations successfully from internet interface's namespace:

    # /opt/kaspersky/sandbox/bin/ns_exec /var/run/netns/dom1 /bin/ping -c 3 8.8.8.8
    image.thumb.png.7b954ba1e158ca6111cfb6c190bd8bb6.png
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...