The File downloads tab in the Host Profile page of the NSX Network Detection and Response UI shows the malicious files downloaded by the host, with details about their contents and corresponding threat levels.

The Quick search text box above the list provides fast, as-you-enter search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the icon.

Each row is a summary of a downloaded file. Click the icon (or anywhere on an entry row) to view details of the downloaded file.

The list is sorted by score and includes the following columns.

| Column Name | Description |
|---|---|
| Timestamp | The timestamp of the detection of the file download. |
| Host | The host that downloaded the file. |
| Sensor | The sensor that detected the file download. |
| Contacted IP | The IP address of the contacted host. |
| Location | For a download, this is the URL of the file in the supported format. For example, \\127.0.0.2\samba_share\1128dedb.exe for an SMB download or http://www.example.com/download/example.zip for an HTTP download. For an upload, "Upload" is displayed. |
| Filename | The name of the file downloaded. |
| MD5 | The MD5 hash of the downloaded file. |
| Type | The high-level file type of the downloaded file. See Unique Tab for the list of currently supported types. |
| AV Class | A label defining the antivirus class of the downloaded file. If the label has a tag icon, you can click that icon for a description in a pop-up window. |
| Malware | A label defining the malware type of the downloaded file. If the label has a tag icon, you can click that icon for a description in a pop-up window. |
| Score | The score assigned to the downloaded file by the analysis indicates the critical level of the detected threat and ranges from 0–100. Threats that are 70 or higher are considered to be critical. Threats that are between 30–69 are considered to be medium-risk. Threats that are between 1–29 are considered to be benign. |

For details about maliciousness score and risk estimate, see Analysis Report: Overview Tab.

If the blocked icon appears, it indicates that the artifact has been blocked. The list is sorted in decreasing order (most critical threats at the top). Click the up arrow icon to sort the list in increasing order (least critical threats at the top), then click the down arrow icon to toggle back to the default.