Performance Tuning Recommendations

For general performance tuning and to preserve system resources, OPSWAT recommends that you perform the following:

  • Exclude specific MIME Types when a large number of files of one type are constantly waiting to be scanned. A common example is an environment where a large share of the traffic is streaming video. Also exclude file types that pose no threat to your computing environment.
  • Exclude sites that pose little to no threat to your environment, such as reputable streaming media services that your users visit regularly.
  • Whitelist specific known-good hashes at the traffic-collection level.
  • Activate the whitenoise hashes with the highest tallies.

MIME Exceptions

When third-party integrations are enabled, they receive every file captured by the MetaDefender NDR engine from both HTTP and SMTP sessions. If the host status indicates that the integrations cannot keep up with the number of files being sent to them, filter the offending MIME Types out of analysis so the system does not become oversubscribed.

  1. Click Filtration > MIME Exceptions.
  2. Click the HTTP or SMTP protocol tab as required. By default, integrations for MetaDefender NDR File Threat Discovery Engine and MetaDefender NDR File Analyzer are enabled.
  3. Click Add New Exception and select the MIME Type corresponding to specific integrations/suppliers. Files with those MIME Types received over the selected protocol will no longer be scanned by those suppliers.

HTTP Host Exclusions

As traffic is captured and file content is extracted and analyzed, the host status measures may show that heavily trafficked sites, such as streaming media services, are consuming a significant amount of system resources. In that case, it may be necessary to exclude such hosts from collection.

  1. Click Filtration > HTTP Host Exclusions.
  2. Click New Exclusion on the left pane.
  3. In the right pane, enter the host or TLD to be excluded from scanning, and click Add. The collection services re-launch and ignore content from sites matching the host or TLD entered.

By default, MetaDefender NDR Managers exclude a built-in list of hosts from analysis, consisting mainly of vendor update servers, certificate revocation list (CRL) and OCSP responders, and captive-portal check endpoints.


Whitelist

Common files that analysts have deemed safe can be prevented from being examined or queued for scanning by the active integrations. When analysts do not want to see alerts generated for such a file in the future, they can whitelist it.

To add and activate one or more MD5 hashes on the whitelist, perform the following steps:

  1. Click Filtration > Whitelist.
  2. Click Add Hashes on the left pane.
  3. Type the list of hashes to be excluded from scanning, separated by commas, and click Add. Files with the specified MD5s are added to the whitelist and are displayed in the top row of the list.

Whitenoise

Whitenoise file entries can be reviewed and activated for general performance tuning, which reduces system load. For tuning purposes, MetaDefender NDR automatically maintains a tallied list of recurring captured hashes and creates entries for them on the Whitenoise tab of the Filtration page with an Inactive status. These MD5s (files) must be manually reviewed before activation. The entries are created automatically based on the number of times each file is seen in network traffic.

  1. Click Filtration > Whitenoise.
  2. Select the check box of each Inactive entry you want to activate. The status instantly changes to Active and displays the activation date.

Once an MD5 is actively whitelisted, future receipts of that file will no longer be recorded by the system.

Tip: You can switch the Toggle All button on the left pane to On or Off to activate or deactivate the status of all MD5s at once.
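The following is an added example, not OPSWAT's code, that models the four filtration stages described above (MIME Exceptions, HTTP Host Exclusions, Whitelist and Whitenoise) and the tally that feeds the Whitenoise tab, run over constructed capture records. The record fields, the stage order and the suffix rule for host/TLD matching are assumptions; the two excluded hosts come from the page's default list.

```python
# Added example, not OPSWAT's code: a model of the filtration stages this page
# describes, applied to constructed capture records. Record field names, the
# stage order and the suffix rule for host/TLD exclusions are assumptions.
from collections import Counter

HOST_EXCLUSIONS = {"download.windowsupdate.com", "ocsp.digicert.com", "mil"}
MIME_EXCEPTIONS = {"HTTP": {"video/mp4", "video/webm"}, "SMTP": set()}
WHITELIST = {"0123456789abcdef0123456789abcdef"}        # analyst-approved MD5s
WHITENOISE_ACTIVE = {"7f1e2c3d4b5a69788796a5b4c3d2e1f0"}  # activated recurring MD5s

def host_excluded(host, exclusions=HOST_EXCLUSIONS):
    """True for an excluded host, or any host under an excluded domain/TLD."""
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in exclusions)

def filter_reason(rec):
    """None when the file goes to the integrations, else the stage that dropped it.
    Collection-level filters run before the per-integration MIME exceptions (assumed)."""
    if rec["proto"] == "HTTP" and host_excluded(rec["host"]):
        return "host-exclusion"
    if rec["md5"] in WHITELIST:
        return "whitelist"
    if rec["md5"] in WHITENOISE_ACTIVE:
        return "whitenoise"
    if rec["mime"] in MIME_EXCEPTIONS.get(rec["proto"], ()):
        return "mime-exception"
    return None

def whitenoise_candidates(records, min_count=2):
    """Tally recurring MD5s among files that were actually scanned, highest first."""
    tally = Counter(r["md5"] for r in records if filter_reason(r) is None)
    return [(h, n) for h, n in tally.most_common() if n >= min_count]

# Constructed sample records; hashes and hosts are made up for this example.
SAMPLE = [
    {"proto": "HTTP", "host": "cdn.example.org", "mime": "video/mp4", "md5": "a" * 32},
    {"proto": "HTTP", "host": "crl.disa.mil", "mime": "application/pkix-crl", "md5": "b" * 32},
    {"proto": "SMTP", "host": "", "mime": "application/pdf", "md5": "0123456789abcdef0123456789abcdef"},
    {"proto": "HTTP", "host": "www.example.com", "mime": "application/pdf", "md5": "c" * 32},
    {"proto": "HTTP", "host": "www.example.net", "mime": "application/pdf", "md5": "c" * 32},
    {"proto": "SMTP", "host": "", "mime": "video/mp4", "md5": "c" * 32},
    {"proto": "HTTP", "host": "img.example.com", "mime": "image/png", "md5": "e" * 32},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["proto"], r["host"] or "-", r["mime"], "->", filter_reason(r) or "scan")
    print("whitenoise candidates:", whitenoise_candidates(SAMPLE))
```

Note that the SMTP video record is still scanned because the MIME exception was added only on the HTTP tab, which mirrors the per-protocol behaviour of the MIME Exceptions page.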
