Attachments page
The Attachments page consists of two tabs and a number of widgets. The tabs let you select between Unique and All attachments. The widgets provide an overview of the detected attachments.
At the top of the page is the portal settings widget.
Unique tab
The Unique tab displays distinct file attachments downloaded from email messages that have been analyzed.
Attached files over time
The Mail attachments widget provides an overview of the number of files that were detected by the sensors monitoring inbound email traffic. The graph is a daily histogram of received attachments, grouped by high-level file type.
The displayed file types are:
- Archive — Archive formats such as ZIP or RAR
- Document — Includes other types of Office documents
- Executable — Binary program formats such as Windows Portable Executable
- Java — Java application or applet
- Media — Macromedia (Adobe) Flash file
- Other — Other recognized file format
- PDF — Portable Document Format files
- Script — An executable script such as JavaScript, Python, and others
- Unknown — Unknown file type
Filters
An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the icon to expand the Filters widget.
The use of filters is optional.
Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Analyst UUID, Blocked, File type, MD5, Message ID, or Minimum score.
You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.
Delete an individual filter by clicking the button next to its entry. Delete all the selected filters by clicking the icon. This also collapses the Filters widget.
Click to apply the selected filters.
- Analysis tags: Restrict displayed attachments/URLs by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.
- Analyst UUID: Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.
- Blocked: Filter messages/attachments/URLs by their Blocked status, Yes or No.
- File type: Restrict displayed files to one or more high-level file types. See the list of file types.
- MD5: Restrict displayed files to the MD5 hash of the downloaded file.
- Message ID: Restrict displayed files to those matching the defined message ID.
- Minimum score: Restrict displayed files to those assigned a score greater than your chosen value (from 1 to 100) by the system analysis.
File downloads
The Downloaded files list displays the distinct file attachments downloaded from email messages and processed by the VMware backend.
The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.
The columns to be displayed in the list can be customized by clicking the icon.
Customize the number of rows to be displayed. The default is 20 entries. Use the icons to navigate through multiple pages.
Each row is a summary of a downloaded file. Click the icon (or anywhere on an entry row) to access a detailed view of the downloaded file.
The list is sorted by score and includes the following fields:
- MD5: The MD5 hash of the downloaded file.
- Type: The high-level type of the downloaded file. See the list of file types.
- Size: Size in bytes of the downloaded file.
- Lists the number of messages with this attachment. Click to view the details of the message and attachments.
- AV Class: A label defining the antivirus class of the downloaded file. If the label has an icon, you can click that for a pop-up description.
- Malware: A label defining the malware type of the downloaded file. If the label has an icon, you can click that for a pop-up description.
- Score: The score assigned to the downloaded file by the analysis indicates the critical level of the detected threat and ranges from 0 to 100:
  - Threats that are 70 or above are considered to be critical.
  - Threats that are between 30 and 69 are considered to be medium-risk.
  - Threats that are between 1 and 30 are considered to be benign.
  For details, see Maliciousness score and Risk estimate.
  If the icon appears, it indicates the artifact has been blocked.
  The list is sorted by decreasing order (most critical threats at the top). Click the icon to sort the list in increasing order (least critical threats at the top), then click the icon to toggle back to the default.
All tab
The All tab displays all file attachments downloaded from email messages that have been analyzed.
Attached files over time
The Mail attachments widget provides an overview of the number of files that were detected by the sensors monitoring inbound email traffic. The graph is a daily histogram of received attachments, grouped by high-level file type.
The displayed file types are:
- Archive — Archive formats such as ZIP or RAR
- Document — Includes other types of Office documents
- Executable — Binary program formats such as Windows Portable Executable
- Java — Java application or applet
- Media — Macromedia (Adobe) Flash file
- Other — Other recognized file format
- PDF — Portable Document Format files
- Script — An executable script such as JavaScript, Python, and others
- Unknown — Unknown file type
Filters
An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the icon to expand the Filters widget.
The use of filters is optional.
Click Filter by and select an item from the pull-down menu. Select from Analysis tags, Analyst UUID, Blocked, File type, MD5, Message ID, Minimum score, Recipient, Sender or Subject.
You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.
Delete an individual filter by clicking the button next to its entry. Delete all the selected filters by clicking the icon. This also collapses the Filters widget.
Click to apply the selected filters.
- Analysis tags: Restrict displayed attachments/URLs by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.
- Analyst UUID: Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.
- Blocked: Filter messages/attachments/URLs by their Blocked status, Yes or No.
- File type: Restrict displayed files to one or more high-level file types. See the list of file types.
- MD5: Restrict displayed files to the MD5 hash of the downloaded file.
- Message ID: Restrict displayed files to those matching the defined message ID.
- Minimum score: Restrict displayed files to those assigned a score greater than your chosen value (from 1 to 100) by the system analysis.
- Recipient: Restrict to messages with a specific recipient.
- Sender: Restrict to messages sent by a specific address.
- Subject: Filter messages/attachments/URLs by the subject line.
Mail attachments
The Mail attachments list displays the file attachments downloaded from email messages and processed by the VMware backend.
The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.
The columns to be displayed in the list can be customized by clicking the icon.
Customize the number of rows to be displayed. The default is 20 entries. Use the icons to navigate through multiple pages.
Each row is a summary of a downloaded file. Click the icon (or anywhere on an entry row) to access a detailed view of the downloaded file.
The list is sorted by score and includes the following fields:
- Timestamp: Indicates when the message was received. The time is shown in the currently selected timezone.
  The list is sorted by timestamp, by default in decreasing order (latest attachment at the top). Click the icon to sort the list in increasing order (oldest attachment at the top). Click the icon to toggle to the default.
- Sensor: Name of the sensor that detected the message.
- Sender: The email address of the sender of the message. This email address may be spoofed.
  Click the icon to sort the list alphabetically by the sender.
- Recipient: The email address of the recipient of the message.
  Click the icon to sort the list alphabetically by the recipient.
- Subject: The provided subject of the message.
  Click the icon to sort the list alphabetically by the subject.
- Filename: The name of the attached file.
- MD5: The MD5 hash of the downloaded file.
- Type: The high-level file type of the downloaded file. Supported types are currently:
  - Archive — Archive formats such as ZIP or RAR
  - Document — Includes other types of Office documents
  - Executable — Binary program formats such as Windows Portable Executable
  - Java — Java application or applet
  - Media — Macromedia (Adobe) Flash file
  - Other — Other recognized file format
  - PDF — Portable Document Format files
  - Script — An executable script such as JavaScript, Python, and others
  - Unknown — Unknown file type
- AV Class: A label defining the antivirus class of the downloaded file. If the label has an icon, you can click that for a pop-up description.
- Malware: A label defining the malware type of the downloaded file. If the label has an icon, you can click that for a pop-up description.
- Score: The score assigned to the downloaded file by the analysis indicates the critical level of the detected threat and ranges from 0 to 100:
  - Threats that are 70 or above are considered to be critical.
  - Threats that are between 30 and 69 are considered to be medium-risk.
  - Threats that are between 1 and 30 are considered to be benign.
  For details, see Maliciousness score and Risk estimate.
  If the icon appears, it indicates the artifact has been blocked.
  The list is sorted by decreasing order (most critical threats at the top). Click the icon to sort the list in increasing order (least critical threats at the top), then click the icon to toggle back to the default.