The Total Files tab shows all of the files reported in this notification, including files written by other files.

If the same file (that is, a file with the same hash) is written to multiple locations, it appears multiple times in the Total Files list. The following table shows the included columns:

Table 1. Total Files Tab Columns

| Column | Description |
|---|---|
| Sequence | Sequence of each file’s appearance when a suspected malware instance is analyzed by the network security device. The first file in the sequence is the top-level process. |
| Operation | The operation performed on a file (start, create, close, etc.). |
| File Name | File name reported by the network security device. |
| Size | File size reported by the network security device. |
| MD5 | MD5 hash of the file. |
| File Path | File path of the file name reported in the notification. |
| Parent File Name | File name of the parent process of this file. |
| Parent File Path | File path for the parent process of this file. |
| SHA1 | SHA1 hash of the file (if reported). |
| SHA-256 | SHA-256 hash of the file (if reported). Only shown for Palo Alto Networks notifications. |
| Known File | Is this file known to the Carbon Black App Control Server (Yes/No). |

The Operation column shows what was done to each file included in the notification, and you can sort or filter on this field. For example, the notification might report that one file was created and another overwritten; files with these two operations are included in the New and Modified Files list. A file might also be opened or terminated.

If a file is known to your Carbon Black App Control Server, its listing on the Total Files tab includes a View Details button, which opens the File Details page for the file.

The Action menu for this tab includes the following commands for selected files:

  • Ban Globally – Bans file(s) for all policies; requires no further configuration
  • Ban By Policy – Opens a dialog box for creation of policy-specific and report-only bans
  • Remove Approval Or Ban – Removes any active bans/approvals immediately
  • Find By Name – Redirects to Find files page filtered by selected file names
  • Find By Size – Redirects to Find files page filtered to show results of a search for files matching the sizes of the selected files as reported in the external notification
  • Find By Hash – Redirects to Find files page filtered to show results of a search by hash for the selected files as reported in the external notification
  • View Carbon Black Reputation Data – Redirects to Carbon Black File Reputation (if activated) for a report on this file by hash