All tab

The All tab displays all instances of file downloads that were analyzed in the network.

Downloaded files over time

The Downloaded files widget provides an overview of the number of files that were downloaded in the monitored network. The graph is a daily histogram of downloaded files, grouped by high level file type.

The widget shows all file downloads that have been analyzed.

See the list of file types.

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Analyst UUID, Application protocol, Contacted IP, File type filter, Files, Host IP, HTTP Host, MD5, or Minimum score.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove minus button next to its entry. Delete all the selected filters by clicking the cancel/close icon. This also collapses the Filters widget.

Click Apply reload to apply the selected filters.

Analysis tags

Restrict displayed files by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

Analyst UUID

Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.

Application protocol

Restrict displayed files transferred over one of the specified protocols. Supported values are HTTP/HTTPS, FTP, and SMB.

Contacted IP

Restrict displayed files to the IP address from which the file was downloaded. Like the Host IP filter, this supports IP addresses, CIDR blocks or IP address ranges.

File type filter

Restrict displayed files to one or more high-level file types. See the list of file types.

Files

Select Malicious to restrict displayed files to malicious files. These are files that were assigned a score of 70 or more (out of 100) by the system analysis.

Host IP

Restrict displayed files to the IP address of the host in the network that downloaded the file. This filter supports selecting one or more IP addresses, CIDR blocks (for example, 192.168.0.0/24) or IP address ranges (for example, 1.1.1.5-1.1.1.9).

HTTP Host

Restrict displayed files to the host name(s) from which the file was downloaded.

Note:

This value is extracted from the HTTP Host header in the HTTP request that downloaded the file. Therefore, it is under the control of the client and can be spoofed by a malicious software, such as a malware binary already running on an infected host.

MD5

Restrict displayed files to the MD5 hash of the downloaded file.

Minimum score

Restrict displayed files to those assigned a score greater than your chosen value (from 1 to 100) by the system analysis.

Downloaded files list

The File download list displays all of the files that have been downloaded by hosts in the network and processed by the VMware backend.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row is a summary of a downloaded file. Click the plus icon (or anywhere on an entry row) to access a detailed view of the downloaded file.

The list is sorted by timestamp and includes the following fields:

Timestamp

The timestamp of the detection of the file download.

Host

The host that downloaded the file.

Sensor

The sensor that detected the file download.

Contacted IP

IP address of the contacted host.

Location

For a download, this is the URL of the file in the supported format. For example, \\127.0.0.2\samba_share\1128dedb.exe for an SMB download or http://www.example.com/download/example.zip for an HTTP download.

For an upload, "Upload" is displayed.

MD5

The MD5 hash of the downloaded file.

Type

The high-level type of the downloaded file. See the list of file types.

AV Class

A label defining the antivirus class of the downloaded file. If the label has a tag icon, you can click that for a pop-up description.

Malware

A label defining the malware type of the downloaded file. If the label has a tag icon, you can click that for a pop-up description.

Score

The score assigned to the downloaded file by the VMware NSX Network Detection and Response analysis. Click the sort icon to sort the list by score.

If the stop icon appears, it indicates the artifact has been blocked.