The downloaded files details view is expanded within the Downloaded Files list.

You see a subset of the following available details, depending on which tab you have selected on the Files Downloaded page.

Detail Name

Description

Analysis report

Click the link or the link icon to view the analysis report in a new tab.

File type

The high-level type of the downloaded file. See Downloaded Files Over Time for the list of file types.

File type details

If available, more details about the file type. For example, PE executable, application, 32-bit, Intel i386 or Zip archive data.

Filename

If available, the name of the file.

Downloaded

For unique downloads, the number of times that the file was downloaded by hosts in the network.

Click the number or the search icon to view the file downloads on the Downloads page. The link passes an Analyst UUID filter that restricts the view to downloads of the specific file.

Downloaded by

The IP address(es) of the host(s) in the network that downloaded the file.

If available, click the WHOIS icon to view registration information and other data about the host in the WHOIS Pop-Up Window.

URL

The URL of the file download. This is a UTF-8 encoded Unicode string.

URL

The raw URL of the file download. If the URL contains any non-ASCII characters, those characters, as well as the backslash character itself, are backslash-encoded.

Protocol

The network protocol used to download the file. One of HTTP/HTTPS, FTP, or SMB.

Downloaded from

The IP address of the contacted host.

If available, click the WHOIS icon to view registration information and other data about the host in the WHOIS Pop-Up Window.

HTTP host

If available, the domain name of the contacted host. This name may be derived from other data including the IP address.

If available, click the WHOIS icon to view registration information and other data about the host in the WHOIS Pop-Up Window.

User agent

The user agent string extracted from the HTTP/HTTPS request.

First download

For unique downloads, the timestamp of the first recorded detection of the file download.

Last download

For unique downloads, the timestamp of the most recent detection of the file download.

Timestamp

The timestamp of the detection of the file download.

File size

The size of the file in bytes.

MD5

The MD5 hash of the downloaded file.

SHA1

The SHA1 hash of the downloaded file.

Submission status

Indicates why the downloaded file was not submitted for full analysis. Typically this is due to pre-filtering. Hover your mouse over the question mark icon to display a pop-up with further details.

Analyst UUID

The unique identifier returned by the NSX Advanced Threat Prevention service after processing the downloaded file.

Event ID

A link to the associated event for the file download. Click the ID or the link icon to view the event. See Detection Events for more information.
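The two URL fields above show the same download in two forms: the decoded UTF-8 string and the raw, backslash-encoded string. The following is an added example, not code from the NSX documentation, that converts between the two and flags a host name whose decoded form hides non-ASCII characters. It assumes (the page does not spell this out) that each non-ASCII byte is escaped as \xNN and a literal backslash as \\.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the NSX documentation. ASSUMPTION: the raw URL
# field escapes each non-ASCII byte of the UTF-8 URL as \xNN and a literal
# backslash as \\ ; every other character is shown as-is.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\\\")


def encode_raw_url(url: str) -> str:
    """Render a Unicode URL the way the raw URL field is assumed to show it."""
    out = []
    for b in url.encode("utf-8"):
        if b == 0x5C:            # the backslash itself becomes \\
            out.append("\\\\")
        elif b < 0x80:           # ASCII passes through unchanged
            out.append(chr(b))
        else:                    # every non-ASCII byte becomes \xNN
            out.append(f"\\x{b:02x}")
    return "".join(out)


def decode_raw_url(raw: str) -> str:
    """Turn the raw field back into the UTF-8 string shown in the URL field.
    Byte sequences that are not valid UTF-8 are replaced with U+FFFD rather
    than raising, so a deliberately malformed URL still decodes."""
    buf = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(raw):
        buf.extend(raw[pos:m.start()].encode("utf-8"))
        buf.append(0x5C if m.group(1) is None else int(m.group(1), 16))
        pos = m.end()
    buf.extend(raw[pos:].encode("utf-8"))
    return buf.decode("utf-8", errors="replace")


def host_has_non_ascii(raw: str) -> bool:
    """True when the decoded host name contains non-ASCII characters. The
    decoded URL field may render such a host as an ASCII lookalike (for
    example Cyrillic 'а' for Latin 'a'); the raw field makes the bytes visible."""
    host = urlsplit(decode_raw_url(raw)).hostname or ""
    return any(ord(c) > 0x7F for c in host)


# Constructed sample raw URL: host "exаmple.com" with a Cyrillic 'а' (D0 B0)
# and a path containing an escaped backslash.
CONSTRUCTED_RAW = r"http://ex\xd0\xb0mple.com/a\\b"
```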

Analysis Overview

The analysis overview section provides a summary of the results of the analysis of a downloaded file by the NSX Advanced Threat Prevention service.

To open the full Analysis report in a new tab, click the link icon (a chain in a black circle). See Using the Analysis Report.

To download the detected file to your local machine, click the file download icon on the right side of the screen. From the drop-down menu, select Download file or Download as ZIP.

If you select Download as ZIP, the Download file as a Zip pop-up window appears, prompting you to provide an optional password for the archive. Click Download to complete downloading the .ZIP file.

Important:

The NSX Network Detection and Response application only allows you to download detected files under certain conditions.

If the artifact is considered low risk, the file download icon is displayed and you can download it to your local machine.

If the artifact is considered risky, the file download icon is not displayed unless your license has the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability.

You must be aware that the artifact can possibly cause harm when opened.

The NSX Network Detection and Response interface might display the Warning: Downloading Malicious File pop-up window. Click the I agree button to accept the conditions and download the file.

For malicious artifacts, you might want to encapsulate the file in a ZIP archive to prevent other solutions that are monitoring your traffic from automatically inspecting the threat.

If you do not have the ALLOW_RISKY_ARTIFACT_DOWNLOADS capability and require the ability to download malicious artifacts, contact VMware Support.

Click the expand and collapse icons to expand and collapse the sections on the tab.

This Analysis Overview section provides a summary of the analysis results of a file or URL analyzed by the NSX Advanced Threat Prevention service. The section displays the following data.
  • MD5 – The MD5 hash of the file. To search for other instances of this artifact in your network, click the search icon.
  • SHA1 – The SHA1 hash of the file.
  • SHA256 – The SHA256 hash of the file.
  • MIME Type – The label used to identify the type of data in the file.
  • Submission – The submission timestamp.

The Threat Level section starts with a summary of the analysis findings, in the form: The file <MD5 hash> was found to be malicious (or benign).

It then displays the following data:
Risk assessment
This section displays the risk assessment findings.
  • Maliciousness score – A score out of 100.
  • Risk estimate – An estimate of the risk posed by this artifact:
    • High – This artifact represents a critical risk and you must address it as a priority. Such subjects are typically Trojan files or documents that contain exploits, leading to major compromises of the infected system. The risks are multiple, from information leakage to system dysfunction, and are partially inferred from the type of activity detected. The score threshold for this category is usually greater than 70.
    • Medium – This artifact represents a long-term risk and you must monitor it closely. It can be a Web page containing suspicious content, potentially leading to drive-by attempts. It can also be adware or a fake antivirus product that does not pose an immediate serious threat but can cause issues with the functioning of the system. The score threshold for this category is usually between 30 and 70.
    • Low – This artifact is considered benign and you can ignore it. The score threshold for this category is usually below 30.
  • Antivirus class – The antivirus or malware class to which the artifact belongs. For example, a Trojan horse, worm, adware, ransomware, spyware, and so on.

  • Antivirus family – The antivirus or malware family to which the artifact belongs. For example, valyria, darkside, and so on. To search for other instances of this family, click the search icon.

Analysis overview
The information displayed is sorted by severity and includes the following properties:
  • Severity – A score between 0 and 100 of the maliciousness of the activities detected during analysis of the artifact. The additional icons indicate the operating systems that can run the artifact.
  • Type – The types of activities detected during analysis of the artifact. These types include:
    • Autostart – Ability to restart after a machine shutdown.
    • Disable – Ability to disable critical components of the system.
    • Evasion – Ability to evade analysis environment.
    • File – Suspicious activity over the file system.
    • Memory – Suspicious activity within the system memory.
    • Network – Suspicious activity at the network level.
    • Reputation – Known source or signed by reputable organization.
    • Settings – Ability to permanently alter critical system settings.
    • Signature – Malicious subject identification.
    • Steal – Ability to access and potentially leak sensitive information.
    • Stealth – Ability to remain unnoticed by users.
    • Silenced – Benign subject identification.
  • Description – A description corresponding to each type of activity detected during analysis of the artifact.
  • ATT&CK Tactics – The MITRE ATT&CK stage or stages of an attack. Multiple tactics are separated by commas.
  • ATT&CK Techniques – The observed actions or tools a malicious actor might use. Multiple techniques are separated by commas.
  • Links – To search for other instances of this activity, click the search icon.
Additional artifacts
This section lists additional artifacts (files and URLs) that were observed during the analysis of the submitted sample and that were in turn submitted for in-depth analysis. This section includes the following properties:
  • Description – Describes the additional artifact.
  • SHA1 – The SHA1 hash of the additional artifact.
  • Content type – The MIME type of the additional artifact.
  • Score – The maliciousness score of the additional artifact. To view the associated analysis report, click the analysis report icon.
Decoded command line arguments
If any PowerShell scripts were executed during the analysis, the system decodes these scripts, making their arguments available in a more human-readable form.
Third-party tools
A link to a report on the artifact on the VirusTotal portal.