Blue Coat Malware Analysis Appliance 4.2.11
Administration Guide

2/2/2017

Patent Owner Finjan, Inc. - Ex. 2051, p. 1
Copyright © 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Rest of the World:
Symantec Limited
Ballycoolin Business Park
Blanchardstown, Dublin 15, Ireland

MAA Administration Guide 4.2.x, updated 02 Feb 2017

Table of Contents

1. Initial Setup ..... 7
   1.1. Assumptions ..... 7
   1.2. Requirements ..... 7
2. Network Setup ..... 8
   2.1. Network Configuration ..... 9
3. Basic Actions ..... 11
   3.1. Change Password ..... 11
   3.2. Log Out ..... 11
   3.3. Restart or Shutdown ..... 11
4. Base Images ..... 12
   4.1. Activating Base Images ..... 12
5. iVM Profiles ..... 15
   5.1. Build a New Profile ..... 15
   5.2. Disable Automatic Update Checks ..... 19
   5.3. Application Installation ..... 21
   5.4. Finalize and Build the Profile ..... 22
   5.5. Modifying Profiles ..... 23
   5.6. Deleting Profiles ..... 23
   5.7. EMET ..... 24
6. Default Task Settings ..... 27
   6.2. IntelliVM Options ..... 27
   6.3. SandBox Options ..... 28
   6.4. MobileVM Options ..... 29
7. Task Firewalls ..... 30
   7.1. Modify Existing Firewalls ..... 30
   7.2. Create a New Firewall ..... 32
8. Plugins ..... 34
   8.1. Plugin Structure ..... 34
   8.2. General Example ..... 35
   8.3. Proc Dump Example ..... 35
9. Enhance Analysis with Services ..... 38
   9.1. Reputation ..... 38
   9.2. VirusTotal ..... 38
   9.3. YARA ..... 39
   9.4. Advanced Features ..... 40
10. MAA Updates ..... 43
   10.1. Update Settings ..... 43
   10.2. Check for Updates ..... 44
   10.3. Offline Updates ..... 45
11. Define Access with User Roles ..... 47
   11.1. Create Users ..... 47
   11.2. User Role Privileges Matrices ..... 49
   11.3. Generate API Keys ..... 52
12. Licensing ..... 54
13. Storage Options ..... 54
   13.1. Internet Cloud Storage ..... 54
   13.2. Local Serialized Storage ..... 54
   13.3. Local Database Storage ..... 54
14. Mag2.py Utility ..... 55
   14.1. Analyzing a ZIP Archive ..... 55
15. Health System ..... 56
   15.1. Health State ..... 56
   15.2. Health Stats ..... 57
   15.3. Health Rules ..... 58
16. System Time ..... 59
   16.1. Configure the Local Time Settings ..... 59
   16.2. Enable / Add NTP Servers ..... 59
17. Monitoring and Event Logging ..... 61
   17.1. Enable Syslog ..... 61
   17.2. Enable SNMP Polling ..... 61
18. Appendix ..... 64
   18.1. System Processes ..... 64
   18.2. Syslog Raw Output ..... 64
   18.3. Create a Customer SSL Certificate and Key with CLI ..... 66
19. Terms of Agreement ..... 67
   19.1. Base Image License Terms ..... 67

© 2017 Blue Coat Systems, Inc.

About this Guide
This manual is intended for users with Administrator or Sysconfig permissions on the Blue Coat Malware Analysis Appliance (MAA). The functions that are found under the Analysis Settings, System Settings, and System Info menus are addressed.

This manual assumes that the reader is well versed in network terminology and operations, and is familiar with malware in general and malware analysis in particular. An understanding of Windows system events and network intrusion techniques is helpful as well.

System Requirements
The Malware Analysis appliance contains all of the necessary hardware, software, and connectivity needed to analyze malware in isolated or networked environments.

Suggested Browsers
The following browsers support the Malware Analysis appliance user interface:

Browser             Version
Google Chrome       44.0.2403.130 m (Windows)
Firefox             40.0.3 (Windows)
Safari              9.0 (10601.1.56.2) (Mac OS)
Opera               32.0.1948.69 (Windows)
Internet Explorer   11.0.9600

Related Documents
• Blue Coat Malware Analysis Appliance Quick-Start Guide (included with appliance)
• Blue Coat Malware Analysis Appliance Analysis Center Guide
• Blue Coat Malware Analysis Appliance Remote API User Guide
• Blue Coat Malware Analysis Appliance System Configuration Guide

Help and Support
We strongly recommend that you read this guide thoroughly before attempting to configure the Malware Analysis appliance, and that you use it as a reference during installation, configuration, and ongoing usage.
If you encounter any difficulty with the setup or usage of the Malware Analysis appliance, please contact your Blue Coat sales representative or sales engineer, or visit our support website at bluecoat.com/support/technical-support.

1. Initial Setup
1.1. Assumptions
This document assumes that the user has already followed the steps in the Quick-Start Guide that was included with the Malware Analysis appliance (MAA), which means that:
• The Malware Analysis appliance has been unboxed
• The Malware Analysis appliance has been rack-mounted or properly prepared for rack-mounting
• A network cable has been connected to the management port
• Optional: A null-modem cable connects the Malware Analysis appliance to a serial terminal

1.2. Requirements
• Blue Coat MAA-S400 Series or MAA-S500 Series Malware Analysis appliance
• System licenses for the Windows operating systems on the VMs
• System licenses for each application that is installed on a VM profile, as required by the vendor

2. Network Setup
Figure 1 displays the two possible Internet connections for a Malware Analysis appliance: the Backend interface and the Dirty Line interface.

Figure 1 — Rear View: MAA-S500 Series and MAA-S400 Series Appliances

Backend Interface
The Backend interface — the primary interface, called eth0 by default — is connected to your organization's LAN. The Malware Analysis appliance uses this interface for the UI connection, system and pattern updates, and base-image activation.

Dirty Line Interface
The Dirty Line interface — the secondary interface, called eth1 by default — is used by the VM profiles to access the Internet during analysis. (The SandBox uses an emulated network.) This connection should not pass through your organization's security measures. Any filtering is performed by the Task Firewalls. Traffic leaving this interface originates from the samples under analysis, so treat it as hostile: give the Dirty Line its own path to the Internet with no route back into your organization's LAN.

2.1. Network Configuration
During initial setup, the Malware Analysis appliance obtains an IP address for the Backend interface via DHCP. To further configure network settings, follow these steps:

2.1.1. Select System Settings > Network.

2.1.2. In the Backend Settings section, determine whether you want to use IPv4 or IPv6, then do one of the following:
• Select DHCP.
  o Optional: Specify a new interface name.
• Select Static.
  o Optional: Specify a new interface name.
  o Specify the IPv4 or IPv6 address, netmask, gateway, and DNS server.

IPv6 Notes
• Activation and syslog settings also accept IPv6 addresses.
• Use offline activation.
• In an IPv6-only network, a dedicated dirty line for outbound IPv4 traffic is required, and an IPv6 proxy cannot be set during activation.
• If you do not have a dedicated IPv4 dirty line, enable an IPv4 management port during activation, then enable the IPv6-only network after activation; in that case the dirty line is the same as the backend.
• For customization and analysis, a dedicated dirty line for IPv4 traffic out of the iVMs is required.

2.1.3. Click Save Backend Settings.

2.1.4. In the Internet Settings (Dirty-line) section, do one of the following:
• Select Same as backend. This option forces the VMs to use the Backend interface instead of the Dirty Line interface, which means that your organization's security measures are applied to the sample analyses in addition to the task firewalls.
• Select DHCP.
  o Optional: Specify a new interface name.
• Select Static.
  o Optional: Specify a new interface name.
  o Specify the IP address, netmask, and gateway.

2.1.5. Click Save Internet Settings.

2.1.6. Optional:
• In the Proxy Settings section, specify a server for the MAA to use when accessing the Internet, for example, when contacting the update server. This proxy is not used by the VMs during activation or during sample analysis.
• The Enable/Disable Port 80 selection is set to disabled by default. With port 80 disabled, the appliance management interface is reachable only over SSL on port 443, so credentials and session cookies are never sent in the clear. Blue Coat recommends leaving this selection at the default.

3. Basic Actions
Once you are logged on, basic actions include, for example, logging off, restarting, and changing your password.

3.1. Change Password
To change your password, click your user name at the far right side of the top menu, and select Change Password. Enter and verify the new password on the Change Password screen, then click Change Password to apply the changes.

3.2. Log Out
To log out of the appliance, click your user name at the far right side of the top menu, and select Logout. You will be immediately logged out of the appliance, and need to log in again in order to continue working.

3.3. Restart or Shutdown
To restart the appliance, or shut it down entirely, select System Settings > Restart/Shutdown. Follow up by clicking the required Restart or Shutdown.

4. Base Images
Base images include complete Windows operating systems along with a number of preinstalled applications or components that are used to facilitate malware detection from various file types. Base images do not run directly within MAA. Instead, they are used to create profiles that actually run within the IntelliVM virtual machine framework.
Four (4) base images ship with MAA 4.2.x:
• Windows XP, Service Pack 3 (32-bit)
• Windows 7, Service Pack 1 (32-bit)
• Windows 7, Service Pack 1 (64-bit)
• Windows 8 (64-bit)

Also see Appendix: Base Image License Terms

Note
Base images are installed at the factory; users cannot add new base images. However, users can create an unlimited number of custom profiles that are derived from the existing base images.

4.1. Activating Base Images
Before you can build a profile on a base image, you must activate the base image with a license key.
4.1.1. Log in to the MAA web interface with Administrator credentials.
4.1.2. Select Analysis Settings > IntelliVM Profiles. The IntelliVM Profiles page is displayed.

Figure 2 — IntelliVM Profiles

4.1.3. Click Manage Activations. The Manage Activations page is displayed.

Figure 3 — Manage Activations Page

4.1.4. As needed, specify a proxy server that the iVMs can use to access the Internet while activating the base images.
• server — IP address or hostname of the proxy server
• port — Port number of the server
• user — (optional) Username to log on to the server
• password — (optional) Password for the username
4.1.5. Click Update Proxy to save the settings.
4.1.6. Enter a license key for a base image and click Add this base image. The activation and build process will take 20–60 minutes.

Figure 4 — Base Image Activated

Note
If the activation fails, you may need to perform an offline activation, which requires that you call Microsoft to get a confirmation ID. Consult Microsoft Knowledge Base document 326851 for more information.

5. iVM Profiles
IntelliVM (iVM) kernel technology monitors system events for signs of malicious behavior in a virtualized environment. Profiles can be customized to add flexibility to analyze non-traditional malware and to precisely mirror custom environments to detect advanced and targeted threats.

Malware Analysis Appliance VMs are software-based emulations of physical computers. The VMs simulate the architecture, functionality, and connections of a standalone workstation or handheld device. The VMs are not attached to your organization's LAN: the only network path available to a sample during analysis is the Dirty Line interface (or the Backend interface, if you selected Same as backend in Network Setup), filtered by the Task Firewalls. Malware that executes on a VM therefore cannot reach devices on your network unless you give it that path, and whatever it does send out of the Dirty Line should be treated as hostile traffic.

By using various VM profiles to imitate real environments, analysts can quickly spot behavioral anomalies that are typical of anti-analysis and advanced malware evasion techniques. VMs can easily be set up to match various Windows and Android environments, such as patched and unpatched versions that run a variety of applications, browsers, and plugins, to quickly spot different malicious behaviors on multiple system types. VMs are then easily reverted to a known non-infected state for the next round of testing.

A profile consists of a base image plus customizations to replicate a particular Windows environment. Customizations can include commercial and custom applications, additional web browsers, and patches such as Windows Updates.

You can create, modify, or delete VM profiles as needed to replicate production environments or to test the behavior of malware across different configurations.

5.1. Build a New Profile
In this section, instructions are provided to build a new profile called "Sales Win 7."
5.1.1. Log in to the MAA web interface with Administrator credentials.
5.1.2. Select Analysis Settings > IntelliVM Profiles. The IntelliVM Profiles page is displayed.

Figure 5 — IntelliVM Profiles Page

5.1.3. The first profile in the list, "Windows 7," was automatically built when the Windows 7 base image was activated. It is also automatically set as the default profile.
5.1.4. Click Add New Profile. The Creating New IntelliVM Profile page is displayed.

Figure 6 — Creating New IntelliVM Profile Dialog

5.1.5. For Profile Name, type a unique name for the profile.
5.1.6. For Base Image, select the desired image. Only the base images that you have licensed are displayed.
5.1.7. Optional: For Description, add any desired notations.
5.1.8. Click Create Profile. The IntelliVM Profiles page is displayed again, with the new profile in the list.

Figure 7 — IntelliVM Profiles List

Note
Before a profile has been built, you may click Edit Details to change the base image. After the profile has been built, you cannot change the base image.

5.1.9. Click Build Profile. The Customize IntelliVM Profile: [Profile Name] page is displayed.

Figure 8 — Customization and Build Page

5.1.10. Click Start Customization.

Figure 9 — Entering Customization Mode

5.1.11. Several minutes will elapse while the profile is prepared for customization.

Caution
While you are in customization mode, all processing in all IntelliVMs is suspended.

Figure 10 — Manual Customization Message

5.1.12. When the profile is ready for customization, the following message is displayed: To manually customize your profile you can connect via RDP to <ip_address> on port 3389/tcp. Default login credentials are "admin" with no password.

Note
Blue Coat recommends that you not close your browser while customizing a profile.

Caution
The customization session is exposed on the MAA's Backend (management) address, and the admin account has no password, so anyone who can reach 3389/tcp on that address can log in to the profile while it is in customization mode. Limit access to the management network for the duration, and do not leave a profile in customization mode unattended.

5.1.13. On a Windows workstation, launch Remote Desktop Connection. The Remote Desktop Connection dialog is displayed.

Figure 11 — Remote Desktop Connection Dialog

5.1.14. Click Show Options.

Figure 12 — Expanded Remote Desktop Connection Dialog

5.1.15. For Computer, type the IP address of the MAA and the port number in the following format: <ip_address>:3389.
5.1.16. For User name, type admin.
5.1.17. Click Connect, and then click OK. The desktop of the iVM is displayed.

5.2. Disable Automatic Update Checks
Before adding any customizations, verify that the applications that are already installed on the iVM are not checking for updates automatically:
5.2.1. From the Control Panel in the iVM, select Windows Update and verify that updates are not being installed automatically.

Figure 13 — Windows Update Control

5.2.2. Launch the Microsoft Silverlight Configuration dialog.
5.2.3. Click the Updates tab, and verify that Never check for updates is selected.

Figure 14 — Silverlight Updates Dialog

5.2.4. Launch Adobe Reader, select Edit > Preferences, select Updater from the Categories list, and verify that Do not download or install updates automatically is selected.

Figure 15 — Adobe Reader Preferences Dialog

5.2.5. For any other non-Microsoft applications that are on the iVM or that you later install, verify that the automatic update checks are disabled.
5.2.6. Do you want to further customize the iVM profile?
Yes — Continue the procedure.
No — Go to Finalize and Build the Profile.
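The three dialogs above are the manual way to confirm that nothing in the iVM will phone home for updates during an analysis (an update check in the middle of a task is both noise in the network capture and a way for a sample to fingerprint the environment). The following Python script is an added example, not part of this guide or of any Blue Coat tooling: it reads the registry values behind those dialogs inside a Windows 7 or 8 iVM and reports which checks are not in the required state. The key paths and values are the vendors' policy and preference keys as assumed here (the Windows Update policy key or the Control Panel "never check" value, the Silverlight UpdateMode value, and the Adobe Reader FeatureLockDown key, whose "11.0" path segment is version-specific); confirm them against the versions installed in your profile. The audit logic is separated from the registry reader so that it can be exercised with a constructed set of values on any platform.

```python
# Added example (not part of the MAA guide): audit the in-iVM update settings
# that section 5.2 has you verify by hand. Registry locations are assumptions
# based on the vendors' documented policy keys; confirm for your versions.
import sys

# Each check passes if ANY listed (hive, subkey, value name) holds the required
# data. For Windows Update either the policy key or the Control Panel setting
# ("Never check for updates" = AUOptions 1) is accepted.
CHECKS = [
    ("Windows Update: automatic updates off", [
        ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1),
        ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update", "AUOptions", 1),
    ]),
    ("Silverlight: never check for updates", [
        ("HKLM", r"SOFTWARE\Microsoft\Silverlight", "UpdateMode", 2),
    ]),
    ("Adobe Reader XI: updater disabled", [
        ("HKLM", r"SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown", "bUpdater", 0),
    ]),
]


def read_registry(hive, subkey, name):
    """Read one value from the live registry; None if the key or value is absent.
    Works only on Windows, i.e. when run inside the iVM."""
    import winreg  # imported lazily so the audit logic itself runs anywhere
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        # KEY_WOW64_64KEY reads the native view even from a 32-bit interpreter
        # on a 64-bit image, so policy keys are not silently redirected.
        with winreg.OpenKey(roots[hive], subkey, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def audit(reader, checks=CHECKS):
    """Evaluate every check with the given reader(hive, subkey, name) function.
    Returns [(description, passed, [(value name, observed value), ...]), ...]."""
    results = []
    for description, alternatives in checks:
        observed = []
        passed = False
        for hive, subkey, name, wanted in alternatives:
            value = reader(hive, subkey, name)
            observed.append((name, value))
            if value == wanted:
                passed = True
        results.append((description, passed, observed))
    return results


def failures(results):
    """Descriptions of the checks that did not pass."""
    return [description for description, passed, _ in results if not passed]


if __name__ == "__main__":
    results = audit(read_registry)
    for description, passed, observed in results:
        print("PASS" if passed else "FAIL", description, observed)
    sys.exit(1 if failures(results) else 0)
```

Run it from the Remote Desktop session during customization, for example from a portable Python copied in through the tsclient share, rather than installing an interpreter into the profile; the built image should carry nothing a sample could use to recognize it as an analysis system. A non-zero exit status means at least one application will still check for updates.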
5.3. Application Installation

Note
The customer is responsible for obtaining the appropriate licenses for software that is installed on the iVMs. Contact the vendors of the respective software to obtain the proper license type for the iVMs.

5.3.1. To transfer installation files to your iVM, use one of the following methods:
• From inside the iVM, map a shared network drive or folder.
  o The tsclient entity is the workstation that is accessing the iVM via Remote Desktop.

Figure 16 — Network Entities on the iVM

• Connect to the Internet to download software from an Internet resource or vendor site. (This connection is made through the Backend interface.)

Note
To use a different proxy to access the Internet from inside the iVM, configure that proxy inside the iVM's Windows environment.

5.3.2. Install, license, and configure the applications to resemble a typical computing environment at your organization.

5.4. Finalize and Build the Profile
When you have finished customizing the profile, you must finalize and build it.
5.4.1. Log out of the Remote Desktop session.
5.4.2. Return to the Customize IntelliVM Profile: [Profile Name] page on the MAA's Web interface.
5.4.3. Click Build Profile.

Figure 17 — Profile Building

5.4.4. Several minutes will elapse while the profile is being built.
5.4.5. When the profile has finished building, select Analysis Settings > IntelliVM Profiles to return to the IntelliVM Profiles page.

Figure 18 — iVM List

5.4.6. The new profile is ready for use. You may begin to send samples to the new profile, or you may select one of the following:
• Edit Details — Return to the Creating New IntelliVM Profile page and change the description or name. (You cannot change the base image of an already-built profile.)
• Customize Profile — Click to add further customizations to the iVM profile.
• Delete Profile — Click to delete the profile; you will see a warning message. This action cannot be undone.
• Set as Default — Click to make this profile your default profile.

5.5. Modifying Profiles
You may modify two aspects of a profile: the iVM itself or the iVM's details.

Note
You cannot change the base image of an already-built profile.

5.5.1. Select Analysis Settings > IntelliVM Profiles.

Figure 19 — iVM List

• To modify the details, click Edit Details. Edit either the profile name or its description, and then click Save Changes.

Figure 20 — Editing Details

• To modify a profile, click Customize Profile, and then follow the instructions in steps 5.1.11 through 5.1.17 to access the iVM through Remote Desktop. When you have finished the modifications, you must build the profile again.

5.6. Deleting Profiles
5.6.1. To delete a profile, select Analysis Settings > IntelliVM Profiles.

Caution
Deleting a profile cannot be undone. If you do not intend to deactivate a particular base image, do not delete the last profile that is associated with that image. Deleting a profile that has tasks assigned to it will result in an IVM_Error when that task reaches the top of the queue.

5.7. EMET
Microsoft® Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.

Note
It is recommended that you first deploy EMET on a new profile to verify that it works as expected.

5.7.1. Download and install .NET Framework 4.0 on the iVM.

Note
For EMET to work with Internet Explorer 10 on Windows 8, Microsoft KB 2790907 or a more recent version of the Compatibility Update for Windows 8 must be installed.

5.7.2. Download EMET 5.1 and the user-guide PDF from technet.microsoft.com/security and begin the installation.
5.7.3. On the EMET Configuration Wizard page, select Keep Existing Settings and click Finish.
5.7.4. From the Start menu, open the EMET GUI.

Figure 21 — Apps Button

5.7.5. Click the Apps button to open the Application Configuration window.

Figure 22 — Default Action

5.7.6. Change the default action to Audit only. In audit mode EMET reports a triggered mitigation instead of terminating the process, so the sample keeps running and the rest of its behavior is still recorded by the iVM.
5.7.7. Click Add Application to add the executables that you want to monitor.

Figure 23 — Adding Applications

5.7.8. For each application, verify that the following features are enabled. (Leave the other default features as-is.)
• EAF
• EAF+ *
• LoadLib
• MemProt
• Caller §
• StackPivot
• SimExecFlow §
• ASR *

* Further application settings are required; see the EMET user guide.
§ Applicable only to 32-bit processes.

Note
Some mitigations are not compatible with particular applications. Refer to Microsoft KB 2909257 to verify your settings and clear any incompatible mitigations.

5.7.9. Click OK to go back to the EMET default window.
5.7.10. On the iVM, start the applications that you added and click Refresh.

Figure 24 — Running EMET

5.7.11. Verify that the processes have a green check in the Running EMET column.
5.7.12. Close all applications, close the Remote Desktop session, and build the profile.
5.7.13. Verify that EMET works by running some samples that will trigger it. The following MD5 is of a known malware sample that triggers SimExecFlow and StackPivot: C32AD4D6F6A00C85E6BD152852D5D09F.

Note
Blue Coat is not able to provide actual samples because they are genuinely malicious. Visit the VirusTotal web site to obtain live malware samples.

6. Default Task Settings
You can specify default task settings to be used for automatic sample submission from the Security Analytics Platform or the Content Analysis System, and for samples that are submitted using the Web UI and RAPI.

Note
Only a subset of available options can be set as defaults.

To configure default task settings, follow these instructions:
6.1.1. Select Analysis Settings > Default Task Settings.
6.1.2. For Environment Type, select one of the following. Click the item to see which options are available for that environment.
• IntelliVM — Emulated Windows XP, 7, or 8 operating system
• SandBox — Simulated Windows environment
• MobileVM — Emulated Android operating system

6.2. IntelliVM Options
6.2.1. For Event Collection, select one or more of the following checkboxes:
• Drop all registry events — Filter out registry events.
• Drop all file system events — Filter out file system events.
6.2.2. Under IntelliVM Options, specify the Execution time limit in seconds.
6.2.3. For Override file extension, specify a file extension for the MAA to use if the file types and their extensions do not match.

Note
MAA will detect the actual file type regardless of the extension (e.g., an EXE masquerading as a PDF) unless an entry is made here. If entered, MAA will treat the sample file(s) as the type entered.

6.2.4. Select Get dropped files to preserve any files that the sample creates. The files are saved as task resources and are automatically scanned by YARA rules.
6.2.5. Under Analytics, select one or both of the following checkboxes:
• Create an HTTP Archive resource from the packet capture (HAR)
• Store body of HTTP requests in HAR

Note
Consult the Malware Analysis Appliance Analysis Center Guide for more information on HAR.

6.2.6. Click the Advanced Options tab.

6.2.7. Use Execution Arguments to control how the sample is launched. The default value is {sample}, which is replaced with the fully qualified path of the sample. You can also use this space to pass parameters into IntelliVM plugins. For example:
• paint.exe {sample} — Opens the sample in paint.exe, regardless of file extension.
• {sample} --param1 [parameter1] — Passes values to the sample as it runs. (You would need to know which values the sample requests and in what order.)
6.2.8. For Guest Path, type a file path to override the default, which is c:\Windows\temp.
6.2.9. Under Other Options, select one or more of the following checkboxes:
• Enable task logging — Creates a task resource that contains debugging information about the task execution.
• Save prefiltered event data
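The three settings Override file extension (6.2.3), Execution Arguments (6.2.7) and Guest Path (6.2.8) together determine the command line that actually runs inside the iVM. The following Python code is an added example, not code from this guide or from the appliance: it expands the {sample} placeholder against the guest path, applies an override extension, and, going one step beyond the text, sniffs a sample's real type from its leading bytes the way the note under 6.2.3 describes, so you can see why an EXE submitted as invoice.pdf needs the override. The function names, the quoting rule for paths containing spaces, and the assumption that an override renames the file in the guest are mine; the magic-byte table and sample bytes are constructed for the illustration.

```python
# Added example (not MAA code): how Execution Arguments, Guest Path and
# Override file extension combine into the launch command for an iVM task.
# {sample} substitution and the default Guest Path are documented in the
# guide; the quoting rule and the rename-to-override-extension behaviour are
# assumptions made for this illustration.
import ntpath

DEFAULT_GUEST_PATH = r"c:\Windows\temp"  # documented default for Guest Path
PLACEHOLDER = "{sample}"                 # documented default Execution Arguments

# Leading bytes of a few common sample types (constructed table).
MAGIC = [
    (b"MZ", "exe"),                 # PE executable (DOS stub header)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # also OOXML documents such as .docx
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy Office compound file (.doc/.xls)
]

# What an extension claims the file is, mapped onto the MAGIC categories.
CLAIMED_BY_EXT = {"exe": "exe", "dll": "exe", "scr": "exe", "pdf": "pdf",
                  "zip": "zip", "docx": "zip", "xlsx": "zip",
                  "doc": "ole", "xls": "ole"}


def sniff_type(data: bytes) -> str:
    """Identify the sample's real type from its leading bytes, as the guide
    says the MAA does regardless of the file extension."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def extension_mismatch(sample_name: str, data: bytes) -> bool:
    """True when the extension claims a type that the content contradicts,
    e.g. an EXE masquerading as a PDF. Unknown extensions or unknown content
    are not reported as a mismatch."""
    ext = ntpath.splitext(sample_name)[1].lstrip(".").lower()
    claimed = CLAIMED_BY_EXT.get(ext)
    actual = sniff_type(data)
    return claimed is not None and actual != "unknown" and claimed != actual


def guest_sample_path(sample_name, guest_path=DEFAULT_GUEST_PATH, override_ext=None):
    """Path the sample will have inside the guest. Directory components
    supplied by the submitter are dropped; an override extension replaces
    the original one (assumption: the override renames the file)."""
    name = ntpath.basename(sample_name)
    if override_ext:
        ext = override_ext if override_ext.startswith(".") else "." + override_ext
        name = ntpath.splitext(name)[0] + ext
    return ntpath.join(guest_path, name)


def build_launch_command(template, sample_name, guest_path=DEFAULT_GUEST_PATH, override_ext=None):
    """Expand {sample} in the Execution Arguments template into the fully
    qualified guest path. A template without the placeholder never launches
    the sample, so it is treated as a misconfiguration here (assumption)."""
    if PLACEHOLDER not in template:
        raise ValueError("Execution Arguments must contain {sample}")
    path = guest_sample_path(sample_name, guest_path, override_ext)
    if " " in path:                      # quote so the guest shell keeps it whole
        path = f'"{path}"'
    return template.replace(PLACEHOLDER, path)


if __name__ == "__main__":
    # Constructed sample: a PE header submitted under a .pdf name.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    name = "invoice.pdf"
    if extension_mismatch(name, fake_pe):
        # Run it as what it really is by overriding the extension.
        print(build_launch_command(PLACEHOLDER, name, override_ext="exe"))
    print(build_launch_command("paint.exe {sample}", "photo.bmp"))
    print(build_launch_command("{sample} --param1 42", "tool.exe"))
```

The mismatch check is the reason to bother with the override at all: without it the appliance opens the file according to what it detects, and with it the sample is forced to run as the type you name, which is what you want when you already know the submitted extension is a lure.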
