Configuration Notes

After successfully setting up the Suspicious Object Hub and registering the Suspicious Object Node Control Manager servers, note the following configuration information.

Note:

After unregistering a Node Control Manager server, all previously synchronized objects remain in the Node Control Manager server suspicious object lists.

Configuration: Synchronization interval

  Hub Control Manager: N/A

  Node Control Manager: 5 minutes (default)

Configuration: Suspicious Object list synchronization

  Hub Control Manager: From the Hub Control Manager to Nodes:

    • Virtual Analyzer list

    • User-Defined list

  Node Control Manager: From a Node Control Manager to the Hub:

    • Virtual Analyzer list

Note:
  • The Hub Control Manager server does not send data from the Notes column of the User-Defined list or the Exception list to the Node Control Manager servers.

  • When synchronizing lists, the User-Defined list has a higher priority than the Virtual Analyzer list.

    • If an object is added to both the User-Defined list and the Virtual Analyzer list on the Hub Control Manager before the next synchronization, the Hub Control Manager server deploys both lists to the Node Control Manager servers.

    • If an object in the Node Control Manager Virtual Analyzer list also exists in the Hub Control Manager User-Defined list, the suspicious object risk level changes to "High" on the Node Control Manager Virtual Analyzer list during the next synchronization.

  • Automatic synchronization of the Exception list from a migrated Control Manager 6.0 installation requires enabling Suspicious Object Hub and Node Control Manager architecture on the Control Manager 6.0 server prior to migration.

    • The Control Manager 7.0 installation preserves the Suspicious Object Hub and Node architecture from the migrated Control Manager 6.0 installation.

    • To enable Suspicious Object Hub and Node Control Manager architecture on the Control Manager 6.0 server before migration, locate the m_iTmcmSoDist_ForceSyncWhitelist tag in the SystemConfiguration.xml file and change the value to "1".

Configuration: Configuring Suspicious Object settings

  Hub Control Manager: Recommended

  Configuring Suspicious Objects through the Hub Control Manager ensures consistency across the registered Node Control Manager servers.

  Node Control Manager: Not recommended

  Important:

  To ensure that all the suspicious object lists on the Node Control Manager servers remain synchronized, do not perform any actions (for example, Add or Expire objects) on suspicious object lists through the Node Control Manager server consoles.
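
The synchronization directions and the User-Defined priority rule above can be turned into a consistency check that flags lists that have drifted, for example after an action on a Node console. The following is an added example, not Control Manager code: the data model, the function names and the sample objects are constructed assumptions, and the lists are assumed to have been exported from the Hub and from one Node.

```python
# Added example: drift audit for one Node against the Hub.
# The data model and the sample values below are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class SuspiciousObject:
    value: str          # IP address, domain, URL or file hash
    risk: str = "High"  # "High" is the level the priority rule sets

def as_list(*objs):
    """Index objects by value, the way an exported list would be keyed."""
    return {o.value: o for o in objs}

def audit_node(hub_ud, hub_va, node_ud, node_va):
    """Return sorted (object, finding) pairs for one Node."""
    findings = []
    # User-Defined objects only travel Hub -> Node.
    for v in node_ud.keys() - hub_ud.keys():
        findings.append((v, "User-Defined object on Node but not on Hub"))
    for v in hub_ud.keys() - node_ud.keys():
        findings.append((v, "Hub User-Defined object not yet on Node"))
    # Priority rule: a Node Virtual Analyzer object that is also in the
    # Hub User-Defined list becomes "High" at the next synchronization.
    for v in node_va.keys() & hub_ud.keys():
        if node_va[v].risk != "High":
            findings.append((v, "Node Virtual Analyzer risk level is not High"))
    # Virtual Analyzer objects travel in both directions.
    for v in hub_va.keys() - node_va.keys():
        findings.append((v, "Hub Virtual Analyzer object not yet on Node"))
    for v in node_va.keys() - hub_va.keys():
        findings.append((v, "Node Virtual Analyzer object not yet on Hub"))
    return sorted(findings)

# Constructed sample lists (documentation-reserved addresses and names).
HUB_UD = as_list(SuspiciousObject("bad.example.test"),
                 SuspiciousObject("192.0.2.10"))
HUB_VA = as_list(SuspiciousObject("198.51.100.7", "Medium"))
NODE_UD = as_list(SuspiciousObject("bad.example.test"),
                  SuspiciousObject("203.0.113.5"))  # added on the Node console
NODE_VA = as_list(SuspiciousObject("198.51.100.7", "Medium"),
                  SuspiciousObject("192.0.2.10", "Low"))

if __name__ == "__main__":
    for value, finding in audit_node(HUB_UD, HUB_VA, NODE_UD, NODE_VA):
        print(f"{value}: {finding}")
```

A finding that appears within one synchronization interval of a change may only be waiting for the next synchronization. A finding that persists points to an action taken on the Node console or to objects left behind after a Node was unregistered.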