The Overview tab in the Analysis Report page of the NSX Network Detection and Response UI provides a summary of the analysis results for the file analyzed by the NSX Advanced Threat Prevention service.

To download the detected file to your local machine, click file download icon on the right side of the screen. From the drop-down menu, select Download file or Download as ZIP.

If you select Download as ZIP, the Download file as a Zip pop-up window appears, prompting you to provide an optional password for the archive. Click Download to complete downloading the .ZIP file.

Important:

The NSX Network Detection and Response application only allows you to download detected files under certain conditions.

If the artifact is considered low risk, file download icon is displayed and you can download it to your local machine.

If the artifact is considered risky, file download icon is not displayed unless your license has the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability.

You must be aware that the artifact can possibly cause harm when opened.

The NSX Network Detection and Response interface might display the Warning: Downloading Malicious File pop-up window. Click the I agree button to accept the conditions and download the file.

For malicious artifacts, you might want to encapsulate the file in a ZIP archive to prevent other solutions that are monitoring your traffic from automatically inspecting the threat.

If you do not have the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability and require the ability to download malicious artifacts, contact VMware Support.

Analysis Overview Section

Note: If the NSX Advanced Threat Prevention service encountered errors during the file analysis, a highlighted block is displayed. It contains a list of the errors encountered.
This Analysis Overview section provides a summary of the analysis results of a file or URL analyzed by the NSX Advanced Threat Prevention service. The section displays the following data.
  • MD5 – The MD5 hash of the file. To search for other instances of this artifact in your network, click <search icon>.
  • SHA1 – The SHA1 hash of the file.
  • SHA256 – The SHA256 hash of the file.
  • MIME Type – The label used to identify the type of data in the file.
  • Submission – The submission timestamp

Threat Level Section

The Threat Level section starts with a summary of the analysis findings: The file md5 hash was found to be malicious/benign.

It then displays the following data:
Risk assessment
This section displays the risk assessment findings.
  • Maliciousness score – Sets a score out of 100.
  • Risk estimate – An estimate of the risk posed by this artifact:
    • High – This artifact represents a critical risk and you must address it in priority. Such subjects are typically Trojan files or documents that contain exploits, leading to major compromises of the infected system. The risks are multiple: from information leakage to system dysfunction. These risks are partially inferred from the type of activity detected. The score threshold for this category is usually greater than 70.
    • Medium – This artifact represents a long-term risk and you must monitor it closely. It can be a Web page containing suspicious content, potentially leading to drive-by attempts. It can also be an adware or a fake antivirus product that does not pose an immediate serious threat but can cause issues with the functioning of the system. The score threshold for this category is usually from 30-70.
    • Low – This artifact is considered benign and you can ignore it. The score threshold for this category is usually below 30.
  • Antivirus class – The antivirus or malware class to which the artifact belongs. For example, a Trojan horse, worm, adware, ransomware, spyware, and so on.

  • Antivirus family – The antivirus or malware family to which the artifact belongs. For example, valyria, darkside, and so on. To search for other instances of this family, click the search icon.

Analysis overview
The information displayed is sorted by severity and includes the following properties:
  • Severity – A score between 0-100 of the maliciousness of the activities detected during analysis of the artifact. The additional icons indicate the operating systems that can run the artifact.
  • Type – The types of activities detected during analysis of the artifact. These types include:
    • Autostart – Ability to restart after a machine shutdown.
    • Disable – Ability to disable critical components of the system.
    • Evasion – Ability to evade analysis environment.
    • File – Suspicious activity over the file system.
    • Memory – Suspicious activity within the system memory.
    • Network – Suspicious activity at the network level.
    • Reputation – Known source or signed by reputable organization.
    • Settings – Ability to permanently alter critical system settings.
    • Signature – Malicious subject identification.
    • Steal – Ability to access and potentially leak sensitive information.
    • Stealth – Ability to remain unnoticed by users.
    • Silenced – Benign subject identification.
  • Description – A description corresponding to each type of activity detected during analysis of the artifact.
  • ATT&CK Tactics – The MITRE ATT&CK stage or stages of an attack. Multiple tactics are separated by commas.
  • ATT&CK Techniques – The observed actions or tools a malicious actor might use. Multiple techniques are separated by commas.
  • Links – To search for other instances of this activity, click the search icon.
Additional artifacts
This section lists additional artifacts (files and URLs) that were observed during the analysis of the submitted sample and that were in turn submitted for in-depth analysis. This section includes the following properties:
  • Description – Describes the additional artifact.
  • SHA1 – The SHA1 hash of the additional artifact.
  • Content type – The MIME type of the additional artifact.
  • Score – The maliciousness score of the additional artifact. To view the associated analysis report, click .
Decoded command line arguments
If any PowerShell scripts were executed during the analysis, the system decodes these scripts, making its arguments available in a more human-readable form.
Third-party tools
A link to a report on the artifact on VirusTotal portal.