Unique tab

The Unique tab displays distinct file downloads in the network that have been analyzed.

Downloaded files over time

The Downloaded files widget provides an overview of the number of files that were downloaded in the monitored network. The graph is a daily histogram of downloaded files, grouped by high level file type.

The widget shows only distinct file downloads that have been analyzed.

The displayed file types are:

  • Archive: archive formats such as ZIP or RAR

  • Document: includes other types of Office documents

  • Executable: binary program formats such as Windows Portable Executable

  • Java: Java application or applet

  • Media: Macromedia (Adobe) Flash file

  • Other: other recognized file format

  • PDF: Portable Document Format files

  • Script: an executable script such as JavaScript, Python, and others

  • Unknown: unknown file type

Filters

An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the plus icon to expand the Filters widget.

Note:

The use of filters is optional.

Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Analyst UUID, Application protocol, Contacted IP, File type, Files, Host IP, HTTP Host, MD5, or Minimum score.

You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.

Delete an individual filter by clicking the Remove (minus) button next to its entry. Delete all the selected filters by clicking the cancel/close icon; this also collapses the Filters widget.

Click Apply (the reload icon) to apply the selected filters.

Analysis tags

Restrict displayed files by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

Analyst UUID

Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.

Application protocol

Restrict displayed files to those transferred over one of the specified protocols. Supported values are HTTP/HTTPS, FTP, and SMB.

Contacted IP

Restrict displayed files to the IP address from which the file was downloaded. Like the Host IP filter, this supports IP addresses, CIDR blocks or IP address ranges.

File type

Restrict displayed files to one or more high-level file types. See the list of file types.

Files

Select Malicious to restrict displayed files to malicious files. These are files that were assigned a score of 70 or more (out of 100) by the system analysis.

Host IP

Restrict displayed files to the IP address of the host in the network that downloaded the file. This filter supports selecting one or more IP addresses, CIDR blocks (for example, 192.168.0.0/24) or IP address ranges (for example, 1.1.1.5-1.1.1.9).

HTTP Host

Restrict displayed files to the host name(s) from which the file was downloaded.

Note:

This value is extracted from the HTTP Host header in the HTTP request that downloaded the file. Therefore, it is under the control of the client and can be spoofed by malicious software, such as a malware binary already running on an infected host.

MD5

Restrict displayed files to the MD5 hash of the downloaded file.

Minimum score

Restrict displayed files to those assigned a score greater than your chosen value (from 1 to 100) by the system analysis.
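The Host IP and Contacted IP filters accept single addresses, CIDR blocks and dash-separated ranges, while Files (Malicious) and Minimum score cut on the analysis score in two different ways (70 or more versus strictly greater than the chosen value). The following Python is an added illustration of those filter semantics applied to constructed rows; it is not the product's own code, and the row fields, placeholder MD5 values and function names are assumptions.

```python
import ipaddress

# Constructed sample rows shaped like the Downloaded files list (not real data).
SAMPLE_ROWS = [
    {"md5": "md5-placeholder-1", "host_ip": "192.168.0.17", "contacted_ip": "203.0.113.9", "score": 85},
    {"md5": "md5-placeholder-2", "host_ip": "192.168.1.4", "contacted_ip": "203.0.113.9", "score": 70},
    {"md5": "md5-placeholder-3", "host_ip": "1.1.1.7", "contacted_ip": "198.51.100.2", "score": 42},
    {"md5": "md5-placeholder-4", "host_ip": "1.1.1.12", "contacted_ip": "198.51.100.2", "score": 10},
]

def parse_ip_term(term):
    """Turn one filter term into (ip_version, low, high) with integer bounds.

    Accepts a single address, a CIDR block (192.168.0.0/24) or a range
    (1.1.1.5-1.1.1.9), as the Host IP / Contacted IP filters do.
    Raises ValueError for malformed or reversed terms.
    """
    term = term.strip()
    if "-" in term:
        lo_s, hi_s = (p.strip() for p in term.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {term}")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(term, strict=False)  # a bare IP parses as /32 or /128
    return net.version, int(net.network_address), int(net.broadcast_address)

def is_valid_term(term):
    """True if the term would be accepted by parse_ip_term."""
    try:
        parse_ip_term(term)
        return True
    except ValueError:
        return False

def ip_matches(address, terms):
    """True if address falls inside any term (multiple instances of one filter OR together)."""
    a = ipaddress.ip_address(address)
    return any(v == a.version and lo <= int(a) <= hi for v, lo, hi in map(parse_ip_term, terms))

def filter_rows(rows, host_ip=None, contacted_ip=None, malicious_only=False, minimum_score=None):
    """AND the selected filters together and return the MD5s of the surviving rows."""
    kept = []
    for r in rows:
        if host_ip and not ip_matches(r["host_ip"], host_ip):
            continue
        if contacted_ip and not ip_matches(r["contacted_ip"], contacted_ip):
            continue
        if malicious_only and r["score"] < 70:          # Files = Malicious: score of 70 or more
            continue
        if minimum_score is not None and r["score"] <= minimum_score:  # strictly greater
            continue
        kept.append(r["md5"])
    return kept
```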

Downloaded files list

The Downloaded files list displays the distinct files that have been downloaded by hosts in the network and processed by the VMware backend.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row is a summary of a downloaded file. Click the plus icon (or anywhere on an entry row) to access a detailed view of the downloaded file.

The list is sorted by score and includes the following fields:

MD5

The MD5 hash of the downloaded file.

Type

The high-level type of the downloaded file. See the list of file types.

Size

Size in bytes of the downloaded file.

Downloads

Number of times that the file was downloaded by hosts in the network.

The displayed number and details icon provide a link to the detailed downloads page. The link passes an Analyst UUID filter that restricts the view to downloads of this specific file.

AV Class

A label defining the antivirus class of the downloaded file. If the label has a tag icon, you can click that for a pop-up description.

Malware

A label defining the malware type of the downloaded file. If the label has a tag icon, you can click that for a pop-up description.

Score

The score assigned to the downloaded file by the analysis indicates how critical the detected threat is and ranges from 0 to 100:

  • Threats that are 70 or above are considered to be critical.

  • Threats that are between 30 and 69 are considered to be medium-risk.

  • Threats that are between 1 and 30 are considered to be benign.

For details, see Maliciousness score and Risk estimate.

If the stop icon appears, it indicates the artifact has been blocked.

The list is sorted in decreasing order of score (most critical threats at the top). Click the angle up icon to sort the list in increasing order (least critical threats at the top), then click the angle down icon to toggle back to the default.