Skip to content
This repository has been archived by the owner on Aug 31, 2018. It is now read-only.

Bit9

Jump to bottom
robfry edited this page Nov 10, 2014 · 6 revisions

Home
Detector Setup

Regardless of how you feel about Bit9 or application whitelisting, their software is a treasure trove of fantastic information which can be highly relevant for multiple situations. For FIDO integrating with Bit9 was the first integration I built where I took a vendor's software, which was not a traditional detector, and made it one. What FIDO does to achieve this is poll the Bit9 server at routine intervals for new hashes not seen before on the network, then queries the new hashes against threat feeds. If a file is known to be malicious it will query to gather additional information, such as whether the file was executed instead of just downloaded, in order to properly assess the situation. Below you can find how to configure this functionality.

FIDO comes with a custom SQL view in the installation folder called 'bit9_fido_sql_view.txt' which used to pull relevant information. To create this view:

  1. Copy the SQL from the bit9_fido_sql_view.txt file.
  2. Open Microsoft SQL Server Management Studio and expand the list of databases.
  3. Expand the das database, or the custom Bit9 database name you chose if you didn't select the default, then right-click on the Views folder and select 'New View'.
  4. This will bring up an 'Add Table' menu and you can just click the 'Close' button.
  5. In the third pane from the top of the view which was just created you should see 'Select/From'. Delete these from that space and then paste in the SQL from the bit9_fido_sql_view.txt file.
  6. To save the view go to the File-->Save option, or right-click on the newly created View tab and select the Save view option. You should save the new view as Fido_FileInstanceInfo.

Update the FIDO DB to point it at your Bit9 SQL server.

  1. Go to the configs_detectors table and add a new row.
  2. For the detectortype column enter in 'sql'. Currently Bit9 does not have an API and only SQL queries can be used to retrieve information.
  3. For the detector column enter in 'bit9' and for the vendor column enter in 'Bit9'.
  4. For the server column enter in the FQDN of the server which houses the Bit9 database you want FIDO to query.
  5. For the userid column enter in a username which has access to the Bit9 server and for the pwd column enter in the password of the username.
  6. For the db column the name of the DB should be das, but if you named your Bit9 databased something other than the default das, then enter it here.
Clone this wiki locally