Downloaded files details

The downloaded files details view is expanded within the downloaded files list. You will see a subset of these details, depending on which tab on the Files downloaded page you have selected.

  • Analysis report Click the link or link icon to view the analysis report in a new tab.

  • File type The high-level type of the downloaded file. See the list of file types.

  • File type details If available, more details about the file type. For example, PE executable, application, 32-bit, Intel i386 or Zip archive data.

  • Filename If available, the name of the file.

  • Downloaded For Unique downloads, the number of times that the file was downloaded by hosts in the network.

    Click the number or details icon to view the file downloads on the downloads page. The link passes an Analyst UUID filter that restricts the view to downloads of the specific file.

  • Downloaded by The IP address(es) of the host(s) in the network that downloaded the file.

    If available, click the globe icon to view registration information and other data about the host in the WHOIS pop-up.

  • Sensor The Sensor that detected the file download.

  • URL The URL of the file download. This as a UTF-8 encoded Unicode string.

  • URL The raw URL of the file download. Usually this is the same as the URL. If there are any non-ASCII characters in the URL, those, as well as the backslash character itself, will be backslash-encoded.

  • Protocol Network protocols used to download the file. One of HTTP/HTTPS, FTP, or SMB.

  • Downloaded from IP address of the contacted host.

    If available, click the globe icon to view registration information and other data about the host in the WHOIS pop-up.

  • HTTP host If available, the domain name of the contacted host. This name may be derived from other data including the IP address.

    If available, click the globe icon to view registration information and other data about the host in the WHOIS pop-up.

  • User agent The user agent string extracted from the HTTP/HTTPS request.

  • First download For Unique downloads, the timestamp of the first recorded detection of the file download.

  • Last download For Unique downloads, the timestamp of the most recent detection of the file download.

  • Timestamp The timestamp of the detection of the file download.

  • File size Size of the file in Bytes.

  • MD5 The MD5 hash of the downloaded file.

  • SHA1 The SHA1 hash of the downloaded file.

  • Submission status Indicates why the downloaded file was not submitted for full analysis. Typically this is due to pre-filtering or other reasons. Hover your mouse over the help icon to display a pop-up with further details.

  • Analyst UUID The unique identifier returned by the VMware backend after processing the downloaded file.

  • Event ID A link to the associated event for the file download. Click the ID or link icon to view the event.

Analysis overview

The analysis overview section provides a summary of the results of the analysis of a downloaded file by the VMware backend.

Click link to open the full Analysis report in a new tab.

Click file download to download the detected file to your local machine. From the pull-down menu. select Download file or Download as ZIP.

If you select Download as ZIP, the Download file as a zip pop-up is displayed, prompting you to provide an optional password for the archive.

Important:

The VMware NSX Network Detection and Response only allows you to download detected files under certain conditions.

If the artifact is considered low risk, file download is displayed and you can download it to your local machine.

If the artifact is considered risky, file download is not displayed unless your license has the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability.

You must be aware that the artifact can possibly cause harm when opened.

The User Portal may display a pop-up: Warning: Downloading Malicious File. Click the I agree button to accept the conditions and download the file.

For malicious artifacts. you may want to encapsulate the file in a zip archive to prevent other solutions that are monitoring your traffic from automatically inspecting the threat.

If you do not have the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability and require the ability to download malicious artifacts, contact VMware Support.

Click plus / minus to expand/collapse the sections on the tab.

The Analysis overview section provides a summary of the results of the analysis of a file or URL by the VMware backend. It displays the following data:

  • MD5 hash. Click search to search for other instances of this artifact in your network. Click Intelligence pages icon to view the artifact in Intelligence pages.

  • SHA1 hash. Click Intelligence pages icon to view the artifact in Intelligence pages.

  • SHA256 hash. Click Intelligence pages icon to view the artifact in Intelligence pages.

  • MIME type.

  • Submission timestamp.

The Threat level section starts with a summary of the analysis findings: "The file md5 hash was found to be malicious/benign".

It then displays the following data:

Risk assessment

This section displays the risk assessment findings.

  • Maliciousness score Sets a score out of 100.

  • Risk estimate An estimate of the risk posed by this artifact:

    • High This artifact represents a critical risk and must be addressed in priority. Such subjects are typically Trojan files or documents containing exploits, leading to major compromises of the infected system. The risks are multiple: from information leakage to the system dysfunction. These risks can be partially inferred from the Type of activity detected. The score threshold for this category is usually above 70.

    • Medium This artifact can represent a long-term risk and needs to be monitored closely. Such subjects can be a web page containing suspicious content, potentially leading to drive-by attempts. They can also be adware or fake antivirus products that do not pose an immediate serious threat but can cause issues with the functioning of the system. The score threshold for this category is usually from 30 to 70.

    • Low This artifact is considered benign and can be ignored. The score threshold for this category is usually below 30.

  • Antivirus class Click search to search for other instances of this class. Click Intelligence pages icon to view this class in Intelligence pages.

  • Antivirus family Click search to search for other instances of this family. Click Intelligence pages icon to view this family in Intelligence pages.

Analysis overview

The analysis overview list is sorted by severity and includes the following fields:

  • Severity This is a score between 0 and 100 of the maliciousness of the activities detected during analysis of the artifact. Additional icons indicate the operating systems that can run the artifact.

  • Type The types of activities detected during analysis of the artifact. These include:

    • Autostart Ability to restart after a machine shutdown.

    • Disable Ability to disable critical components of the system.

    • Evasion Ability to evade analysis environment.

    • File Suspicious activity over the file system.

    • Memory Suspicious activity within the system memory.

    • Network Suspicious activity at the network level.

    • Reputation Known source or signed by reputable organization.

    • Settings Ability to permanently alter critical system settings.

    • Signature Malicious subject identification.

    • Steal Ability to access and potentially leak sensitive information.

    • Stealth Ability to remain unnoticed by users.

    • Silenced Benign subject identification.

  • Description A description corresponding to each type of activity detected during analysis of the artifact.

  • ATT&CK Tactic(s) The MITRE ATT&CK stage or stages of an attack. Multiple tactics are comma separated.

  • ATT&CK Technique(s) The observed actions or tools a malicious actor might utilize. Multiple techniques are comma separated.

  • Links Click search to search for other instances of this activity. Click Intelligence pages icon to view this activity in Intelligence pages.

Additional artifacts

This section lists additional artifacts (files and URLs) that were observed during the analysis of the submitted sample and that were in turn submitted for in-depth analysis. The includes the following fields:

  • Description Describes the additional artifact.

  • SHA1 The SHA1 hash of the additional artifact.

  • Content type The MIME type of the additional artifact.

  • Score The maliciousness score of the additional artifact. Click link to view the associated analysis report.

Decoded command line arguments

If any PowerShell scripts were executed during the analysis, the system decodes these scripts, making its arguments available in a more human-readable form.

Third-party tools

A link to a report on the artifact on VirusTotal.