The Events section of the report displays additional artifacts that the NSX Advanced Threat Prevention service gathers while it processes the sample. These artifacts are included in the report for you to view.
If the subject generated network traffic, this traffic is collected and displayed in the captured traffic widget.
For an inflated archive, a list of its contents is displayed. Each row shows the MIME type, tag (indicating the type of analysis), description, filename (if available from the archive), and score of the artifact. A score is provided only if the artifact itself was analyzed, in which case a link to its report is also provided.
If the NSX Advanced Threat Prevention service encountered an error when unpacking an archive, it displays an alert indicating the error condition. Errors include maximum file limit exceeded, maximum depth limit exceeded, and maximum child task limit exceeded.
During analysis, the sample might generate various files. These files are displayed in a list sorted by PATH.
- PATH: The path of the artifact in the file system.
- TYPE: The determined file type. To sort the list by file type, click TYPE.
Click the expand icon on a row to display its MD5, SHA1, Size (bytes), Packers, and Signatures. Data might not be available for all fields.
Decoded Command Line Arguments
The arguments to malicious PowerShell scripts are often encoded or obfuscated. If such a script was executed during the analysis, the NSX Advanced Threat Prevention service decodes it, making its arguments available in a more human-readable form. These arguments are displayed in a list showing the analysis subject and the decoded script.
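To make the decoding step concrete, the following added Python example shows the most common case an analyst meets when reading a recorded command line: a payload passed through PowerShell's `-EncodedCommand` switch, which is the Base64 encoding of the script as UTF-16LE text. This is illustrative code written for this page, not the NSX Advanced Threat Prevention service's own decoder, and the service may handle further encodings that this example does not. The sample command lines and the `Get-Date` payload are constructed; the accepted switch spellings (`-e`, `-ec`, and longer prefixes of `-EncodedCommand`, with `/` also allowed) follow the help text of `powershell.exe`.

```python
"""Decode PowerShell -EncodedCommand payloads found in a recorded command line.

Added example for triaging command lines seen in a sandbox report. It is not the
NSX Advanced Threat Prevention service's own decoder; the sample inputs below are
constructed for illustration.
"""
import base64

# powershell.exe lists "-EncodedCommand | -ec | -e" as equivalent switches and
# also accepts any longer unambiguous prefix such as -enc or -encoded.
_ENCODED_FULL = "encodedcommand"
_ENCODED_SHORT = {"e", "ec"}


def _is_encoded_switch(token: str) -> bool:
    """True for -e, -ec, -enc, ..., -EncodedCommand (case-insensitive, '-' or '/')."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    if name in _ENCODED_SHORT:
        return True
    # Prefix test rejects unrelated switches such as -ExecutionPolicy (-ex...).
    return len(name) >= 3 and _ENCODED_FULL.startswith(name)


def decode_encoded_command(blob: str) -> str:
    """Base64-decode the payload and read the bytes as UTF-16LE, as PowerShell does."""
    padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped '=' padding
    raw = base64.b64decode(padded, validate=True)  # reject non-Base64 characters
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_commands(cmdline: str) -> list[str]:
    """Return the decoded script for every -EncodedCommand switch in cmdline.

    Splitting on whitespace is safe because Base64 contains no spaces; surrounding
    quotes on the payload are stripped. A payload that is not valid Base64 or not
    valid UTF-16LE is skipped so one bad token does not abort triage of the line.
    """
    tokens = cmdline.split()
    decoded = []
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                decoded.append(decode_encoded_command(blob))
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                continue
    return decoded


# Constructed sample: Base64(UTF-16LE("Get-Date")), a benign script.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass "
    "-EncodedCommand RwBlAHQALQBEAGEAdABlAA=="
)

if __name__ == "__main__":
    for script in extract_encoded_commands(SAMPLE_CMDLINE):
        print("decoded script:", script)
```

Running the block prints the decoded `Get-Date` script; a report reader would compare such output against the "analysis subject" column to see which process carried the encoded argument.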