How to fix malware interface route misconfiguration issues [KATA/KEDRE]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description and cautions

This article may be useful in certain cases, when you see that virtual machines running on the KATA Sandbox can not access internet using the properly configured malware interface. One can notice the issue based on several symptoms, such as VM activation errors, samples sent to Sandbox for processing not accessing internet, etc... We recommend to use the following article to check if the malware channel works properly on the KATA Sandbox server or not:

 

Details

In case if the tests listed above indeed show that malware channel fails to connect to the internet, we recommend to do the following checks among others:

1. Run the following command on the sandbox server to check the currently configured network settings for the Sandbox:
   
   # /opt/kaspersky/sandbox/bin/sbnetworking all show 
   
   check in the command's output if the malware interface is configured properly, i.e. it's intended IP, subnet, gateway, etc.
   
   Example of such output below:
   
   
   
   Correct values if they are misconfigured somehow from the web interface and don't forget to apply the settings afterwards and restart the host, to propagate those (prompt for restart will pop-up in the Sandbox web interface after applying those).
2. Run the following command to check the system log on the Sandbox server if there are certain errors related to networking in general and malware interface in particular:
   
   # journalctl -u network
   
   # journalctl -u sandbox-networking.service
   
   In case if all checks listed above were passed, and there are no misconfigurations found and/or no specific errors were found in system journal, then try checking if routing is properly configured for the malware channel, i.e. run the following command:
   
   # ip route show table 701
   
   Expected output below:
   
   
   
   if the output will be missing the default route entry via configured gateway for the malware interface, then add it manually like so:
   
   # ip route add default via <gateway's IP> table 701
   
   after adding the route, double check that it indeed exists:
   
   # ip route show table 701
   
   then restart the sandbox-networking service manually or the Sandbox server itself:
   
   # systemctl restart sandbox-networking.service
    
   Please note, that restarting sandbox-networking service may take a while especially on production servers that are processing a lot of samples at the moment and/or have a lot of worker slots. Thus it is highly recommended to detach this Sandbox server from KATA for the time of restart and expect 40 minutes - several hours downtime to complete the procedure.
   
   after restarting the sandbox-networking service check if you can ping public locations successfully from internet interface's namespace:
   
   # /opt/kaspersky/sandbox/bin/ns_exec /var/run/netns/dom1 /bin/ping -c 3 8.8.8.8