5.6.2. Web UI `Health checks` screen

After pressing one of the `HOME` or `GATEWATCHER` buttons, the display area will be as follows:
../../_images/HOMECENTRAL.PNG

The `Status` zone displays the simplified status of the detection systems managed by the GCenter.

../../_images/STATUS.PNG

This area gives the status of the following components (the number is the marker shown on the screen):

  • (1) IDS (GCap probe): transmits captured events and files to the GCenter

  • (2) Malcore: detects malware

  • (3) Codebreaker: detects shellcodes

  • (4) CTI: uses LastInfoSec indicators of compromise to generate alerts for Advanced Persistent Threat (APT) threats

  • (5) Machine Learning: detects domain names generated by a Domain Generation Algorithm (DGA) for Command & Control (C&C) type threats

  • (6) Codebreaker: detects Powershells

To get detailed information, click on the area: a new screen opens.

../../_images/HEALTH_CHECKS.PNG

The `Health Checks` screen consists of the following areas:

  • field (1) `GLOBAL STATUS` indicating the status of the detection engines (GCap and GCenter): see The `GLOBAL STATUS`

  • field (8) `MALWARE STATUS` indicating the status of the GCenter Malcore engine: see The `MALWARE STATUS`

  • field (10) `IDS` indicating the status of the GCap Sigflow engine: see The `IDS` zone

  • field (12) `ENGINES DATA` indicating the general status of the data (data queues and database): see The `ENGINES DATA`


5.6.2.1. The `GLOBAL STATUS`

Field (1) `GLOBAL STATUS` includes the following indicators (the screenshot shows an example of a state with 2 defects):

  • (2) IDS (GCap probe)
    blue check mark: GCaps are connected and up to date
    red panel: GCaps are offline or not up to date
    For more information, refer to The `IDS` zone (10)

  • (3) Malware (detection by the Malcore engine)
    blue check mark: Malcore engine is active and running
    red sign: one or more engines are out of date
    For more information, refer to The `MALWARE STATUS` (8)

  • (4) Shellcode
    blue check mark: Codebreaker goasm engine is active and running
    red panel: Codebreaker goasm engine is not active or not working
    For more information, refer to Engine restart

  • (5) Powershell
    blue check mark: Codebreaker gps engine is active and working
    red panel: Codebreaker gps engine is not active or not working
    For more information, refer to Engine restart

  • (6) C&C (Command & Control)
    blue check mark: gdgadetect Machine Learning engine is active and running
    red panel: gdgadetect Machine Learning engine is not active or not working
    For more information, refer to Engine restart

  • (7) APT (Advanced Persistent Threat)
    blue check mark: gcti CTI engine is active and running
    red panel: gcti CTI engine is not active or not working
    For more information, refer to Engine restart


5.6.2.2. The `IDS` zone

The IDS area indicates the status of the GCap probe (11) connected to the GCenter.
The information given is:
  • The name

  • Date of last update

  • The status

  • The state

In the example shown, the message is `All Gcaps are offline or not up to date`.
To find out whether each GCap is online or offline, check the `STATE` column for every GCap present: in this example, the GCap present is in the state `ONLINE`.
To find out whether the GCap Sigflow engine is up to date, check the `STATE` column for the message `OUTDATED`.
The date of the last update is given in the `LAST UPDATE` column.

Note

The engine is in `running` status if the Sigflow engine is installed and the API is up.

Note

To update, refer to Manual installation of an update of signatures and/or anti-viral engines (update) to download and install the latest sigflow.gwp file.


5.6.2.3. The `MALWARE STATUS`

The area (8) `MALWARE STATUS` includes:

  • one antivirus engine (for some licences), as in this example

  • or 16 antivirus engines (for other licences)

The information given is:

  • Engine hash name

  • Date of last engine package update

  • The status, which indicates the age of the engine package by colour

  • Package installation status (PRODUCTION = OK)

In the example shown, the status is orange and the message is `One or more engine(s) are not up to date`.
To know the age of the current engine package, look at the `LAST UPDATE` column for the date and at the icon in the `STATUS` column: in this example, the package is more than 7 days old.

Note

If there is an update issue, refer to Manual installation of an update of signatures and/or anti-viral engines (update) to download and install the latest malcore.gwp file.
To restart the Malcore engine, use the `Restart a GApp` command from the configuration menu and select `gmalcore`.
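The rules given in The `IDS` zone and The `MALWARE STATUS` sections can be turned into an automated check, for instance to alert before anyone looks at the screen. The following is an added example, not GCenter code or its API: the `GCap` and `MalcoreEngine` records, the sample data and the blue message for the malware zone are constructed assumptions; the thresholds and messages come from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# From the Health checks screen: a Malcore package older than 7 days is flagged.
MAX_PACKAGE_AGE_DAYS = 7


@dataclass
class GCap:
    """One row of the IDS zone (constructed model, not the GCenter API)."""
    name: str
    online: bool    # STATE column: ONLINE / OFFLINE
    outdated: bool  # STATE column shows OUTDATED when Sigflow needs an update


@dataclass
class MalcoreEngine:
    """One row of the MALWARE STATUS zone (constructed model)."""
    name: str          # engine hash name
    last_update: date  # LAST UPDATE column
    status: str        # package installation status, PRODUCTION = OK


def ids_status(gcaps):
    """(colour, message) of the IDS indicator: red if any GCap is offline or outdated."""
    if gcaps and all(g.online and not g.outdated for g in gcaps):
        return "blue", "All GCaps are connected and up to date"
    return "red", "All Gcaps are offline or not up to date"


def malware_status(engines, today):
    """(colour, message) of the MALWARE STATUS zone: orange if a package is stale or not in PRODUCTION."""
    for e in engines:
        if (today - e.last_update).days > MAX_PACKAGE_AGE_DAYS or e.status != "PRODUCTION":
            return "orange", "One or more engine(s) are not up to date"
    return "blue", "Malcore engine is active and running"  # GLOBAL STATUS wording, assumed here


def defect_count(gcaps, engines, today):
    """Number of these two GLOBAL STATUS indicators that are not blue."""
    return sum(c != "blue" for c, _ in (ids_status(gcaps), malware_status(engines, today)))


# Constructed sample reproducing the page's example: one GCap ONLINE but OUTDATED,
# one Malcore package more than 7 days old, i.e. a state with 2 defects.
TODAY = date(2024, 1, 20)
SAMPLE_GCAPS = [GCap("gcap-lab", online=True, outdated=True)]
SAMPLE_ENGINES = [MalcoreEngine("engine-a", TODAY - timedelta(days=10), "PRODUCTION")]

if __name__ == "__main__":
    print(ids_status(SAMPLE_GCAPS))
    print(malware_status(SAMPLE_ENGINES, TODAY))
    print("defects:", defect_count(SAMPLE_GCAPS, SAMPLE_ENGINES, TODAY))
```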

5.6.2.4. The `ENGINES DATA`

Zone (12) `ENGINES DATA` includes:

  • The data queues waiting in front of the engines that detect malware, Powershells and shellcodes

  • The size of the Elasticsearch database (in volume and as a percentage)


5.6.2.5. Engine restart

To restart the Codebreaker goasm engine, use the `Restart a GApp` command from the configuration menu and select `goasm`.
To restart the Codebreaker gps engine, use the `Restart a GApp` command from the configuration menu and select `gps`.
To restart the gdgadetect engine, use the `Restart a GApp` command from the configuration menu and select `gdgadetect`.
To restart the gcti CTI engine, use the `Restart a GApp` command from the configuration menu and select `gcti`.