File details

HOWTO128765

Last Updated September 25, 2018

File details provide information about the activity that Symantec Advanced Threat Protection (ATP) detected occurred with this file or email. It also provides information about the file's relationship with other entities in your environment. You can also perform remediation tasks from this page.

Navigate to the File details page in any of the following ways:

In ATP Manager, click Incident Manager. In the Incident Manager, click on any incident to open the Incident details page.
- On the Incident details page in the Incident graph, right-click on the file node and select Go to details page.
- On the Incident details page in the Events table, click on any file hyperlink (in blue) to open its File details page.
Click on the interactive file node anywhere it appears in ATP Manager to open that File's details page.

Click any of the following links to learn more about that section of the File details page.

Summary | Actions | Details tab | Related Events tab | File Attributes tab

Summary

Beneath the name of the file is a graphic that depicts the health of the file.

Good

Suspicious

Bad

Neutral

Analyzing

Beneath the graphic is the following information:

DISPOSITION	ATP's evaluation of the file. Good The file is whitelisted or Symantec's reputation service indicates that the file is good. Suspicious The file's health is suspicious based on Symantec's machine-learning algorithms that identify the files that are likely to be malicious. However, there is no known detection against it. Your organization should pay particular attention to and thoroughly analyze suspicious files. Bad The file is blacklisted on ATP, Symantec Endpoint Protection has blocked the file, or a Symantec technology deems it to be malicious. Neutral Insufficient information exists to determine the file's disposition. Analyzing ATP is still retrieving and processing data about the file's health.
REASON	The reason that ATP gave the file its disposition.
AV SIGNATURE NAME Only appears when applicable.	The antivirus signature that detected the file is suspicious or malicious.
TARGETED ATTACK	Whether ATP deems this file to be a part of a targeted attack on your organization.

To the right of the graphic is the following information:

SHA256	The file's 256-bit secure hash value. Click on this field to see the full hash value.
MD5	The MD5 hash that is associated with this file's SHA256 hash.
CERTIFICATE	The signor of the file certificate, if the file has been signed.
MIME TYPE	File type is the true file type, which may not necessarily match the file extension.
File Overview
RELATED INCIDENTS	The number of incidents that are related to this file. To see a list of all of the related incidents that are associated with this file, see Related Incidents in the Details table.
CONTENT ANALYSIS MODIFICATIONS	The number of file modifications that sandbox analysis detects. When a file is submitted to the sandbox, it is detonated in a virtual environment. ATP then analyzes the results for the file modifications that are made.
EMAIL DETECTIONS	The number of emails that have this file as an attachment.
EXTERNAL DOMAINS ACCESSED	The number of external computers that the file has communicated with.
Global Reputation
FIRST SEEN	The first time that Insight saw this file worldwide.
PREVALENCE	The number of times a file reputation request has been made on this file worldwide.
Local Reputation
FIRST SEEN	The first time this file has been seen in your network.
PREVALENCE	The number of endpoints in your environment that have this file. To see a list of all of the endpoints that have this file, see Seen on Endpoints in the Details table.

Actions

The actions that you can perform on the File details page are as follows:

Process Dump

Retrieve the endpoint recorder data for this file hash.

You can select the endpoints from which you want to retrieve data.

The Process Dump action appears as an available action if a file was an actor at any point in time. When you generate a process dump, a dialog box appears that contains a list of all of the endpoints on which the file was found. An endpoint that is grayed-out indicates that it is not enrolled with EDR 2.0. This issue occurs if the endpoint was once enrolled with EDR 2.0, but is now unenrolled. Ensure that the endpoint is enrolled and re-attempt the process dump.

See Retrieving endpoint data recorder information.

After you initiate a dump, you can view the status on the Search > Endpoints tab. Then click on the dump in the Search Description field to go to that dump's details page.

See Process Dump Results details page.

This action only appears for the endpoints that are enrolled with ATP. If this page is the result of an endpoint search, this action is only available if the file is an actor in an endpoint data recorded event. ATP supports conducting two dumps concurrently. Additional dumps are queued until previous dumps complete.

See About integrating ATP with Symantec Endpoint Protection.

ATP cancels any inactive dump commands that do not return new results 3 days after they are initiated.

Add to Blacklist | Revoke Blacklist

Adds the file to or removes this file from your Blacklist.

See Remediating malicious files.

Add to Whitelist | Revoke Whitelist

Adds the file to or removes this file from your Whitelist.

See Managing policies.

See Reporting false positive and false negative file convictions.

Submit to Sandbox

Submits the files with unknown reputations to an on-premises sandbox or a cloud-based sandbox for analysis. Sandboxing detects unknown malware and advanced threats by executing files in a virtual environment and observing its behavior.

You can configure ATP to automatically submit suspicious files for virtual sandbox analysis. Files are submitted to whichever sandbox tool your ATP Manager is configured to use (cloud-based sandbox or on-premises sandbox). If your administrator has enabled automatic sandbox submissions, this option is inert since ATP will have already submitted suspicious files for analysis.

See Configuring ATP to use cloud sandboxing or on-premises sandboxing

If ATP does not automatically submit suspicious files for sandbox analysis, you can do it as needed. You can only submit the files that Symantec has not already recognized as having a good reputation or a bad reputation. The files that are submitted to a cloud-based sandbox cannot exceed 10 MB. There is no file size limit for the files that are submitted to an on-premises sandbox.

After the file has been analyzed, you can view the results on the File details page under Cynic Observed File, Registry, System Changes, and Cynic Observed Network Analysis. Files that you submit for sandboxing that are deemed bad appear in the dashboard as endpoint events.

Note:

This action is only supported on the clients that run Symantec Endpoint Protection 12.1 RU6 and later.

See File types that can be submitted for sandboxing.

See Changing the geographic location where you submit files for cloud-based sandboxing.

See How to interpret Symantec Malware Analysis sandboxing results.

Submit to VirusTotal

Submits the SHA256 hash to VirusTotal, then takes you to the VirusTotal website so that you can view the results.

Copy to File Store | Download from File Store

ATP locates the file on the endpoint and stores it in a compressed file in the ATP file store.

After the compressed file is copied to the file store, the option changes to let you download the compressed file to your local computer. When you download the compressed file to the file store, you must assign a password for it.

Open the compressed file on your local computer with the password that you assigned to it and analyze it in your own virtual environment. Or you can submit the file for sandbox analysis.

Non-PE files

You can get a non-portable executable (PE) file (not to exceed 30 MB) in near real time if you are running Symantec Endpoint Protection Manager 14.2 or later. You must also have EDR 2.0 enabled. This action is only supported on the clients that use Symantec Endpoint Protection 14.2 and later.

Note:

ATP is unable to retrieve non-PE files from the endpoint's Symantec Endpoint Protection quarantine.

ATP prompts you to provide access credentials to retrieve non-PE files from an endpoint. ATP requires either the endpoint's end-user's credentials or a domain administrator's credentials.

PE files

You can get PE files from endpoints (even files in the Symantec Endpoint Protection quarantine). However, this action relies on the Symantec Endpoint Protection Manager heartbeat to complete. You do not need to provide credentials to obtain PE file.

See About endpoint detection and response (EDR).

Delete File

Deletes the selected file and the registry entries that point to that file from that endpoint.

Only the files that the endpoint control point finds can be deleted. Files that the network control point or email control point identify cannot be deleted.

If this entity page is created as the result of an endpoint search, ATP supports deleting both PE and non-PE files.

Note:

This action is supported for enrolled as well as non-enrolled clients that run Symantec Endpoint Protection 12.x RU6 MP3 and later. For enrolled clients running Symantec Endpoint Protection 14.0 RU1 and later, this task is performed through EDR 2.0 directly from ATP to the client without the need to wait for the Symantec Endpoint Protection Manager heartbeat. For enrolled clients that run EDR 1.0, this option remains active until the file is deleted from the endpoint through Symantec Endpoint Protection Manager. You can view the status of the file deletion on the Logging > Actions page.

If a file cannot be deleted for any reason, ATP times-out the action 7 days after it is initiated so that the process doesn't run indefinitely. The file delete timeout function applies to both EDR 1.0 and EDR 2.0 endpoints.

The ability to cancel a delete file action (along with canceling the deletion of associated registry entries) is supported on SEP 12.1 RU6 MP5 and later and can only be performed using the API.

Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in ATP Manager as inactive.

The time it takes for an action to complete depends on the action that you take. You can view the status of the commands that you executed on the Logging > Actions tab.

See Checking the status of an action.

Details tab

The Details tab provides additional information about the entity. If more than five rows exist in a section, click Total {n} to view the entire list. In the entire list dialog box, you can click on any entity to view its entity details page.

Related Incidents	Other incidents in which this file entity is associated. Click on a row to open that incident's details page. Tip: You might want to evaluate other related incidents to see if they require similar remediation. See Incident details.
Seen on Endpoints	All of the endpoints in your environment that contain this file. Click on a row to open that endpoint's details page. See Endpoint details. When SONAR detects system changes on an endpoint relating to this file, a Behavior option appears in the row for the affected endpoint. Click the Behavior option to open the Process Behavior details page to view information about the system changes that occurred and their related attributes. See Process Behavior details.
File Download Origins	The domain from which this file was downloaded. Click on a row to open that domain's details page. See Domain details.
File Instances	Other instances of the SHA256 hash in your environment. If the malware polymorphed itself under different names, the different names appear in this row too. Each row also shows whether ATP or Symantec Endpoint Protection blocked the file or whether the file was not blocked. Dashes appear in the Blocked column when the blocked status does not apply to the row. Instances where blocked status may not apply are as follows: Antivirus Ping submissions from a migrated installation Ping submissions do not capture whether a file was blocked or not. It's an indicator of a detection (not what action was taken). Reputation Requests These instances do not capture whether a file was blocked or not.
Emails Associated with this File	Emails that are associated with the file hash. This section only appears when there is at least one email associated.
Content Analysis Patterns	Key observations made from sandbox analysis that resulted in the sample being convicted. Patterns are those actions that the file took that match typical malware (such as modifying the auto-run registry entries, setting up new auto-run entries, checking for debugging).
Content Analysis Observed Activity Summary	Summarizes changes made to the system: what files changed, what registry keys changed, what network activity occurred, and so on. Click on an item to show that file's details page.
Content Analysis Events	Describes the raw events observed in the sandbox in granular detail. Also provides the Process Identifier (PID). Click on a row to open that domain's details page. See Domain details.

Related Events tab

The Related Events tab shows the last 7 days of events that are related to this entity. Click the following link to learn more about using the Events Summary view.

See Working in the Events Summary view.

See Event Summary Type IDs.

File Attributes tab

When SONAR detects system changes on an endpoint relating to this file, a File Attributes tab appears on the File details page. The File Attributes tab provides detailed information about that file's attributes (to the extent that this information is available). These attributes ("static file attributes") are the attributes that apply to a file and do not change regardless of what processes occur. Examples of file attributes are: file image size; the number of strings in a file's resource; that the file has a digital signature.

ATP provides a description of the attributes and their values. Attributes are grouped as follows:

Count of resources
Imported functions
Advanced attributes

ATP lets you filter attributes so that you can narrow the results. Click Show Filters to reveal the filters. Select the attributes that you want to filter by. (Results immediately begin to appear.) Click Hide Filters to hide the filters view. ATP maintains your filter selections until you reset the filter criteria or refresh the page.

Note:

To view a sequential list of the system changes that occurred on the endpoint, on the Details tab under Seen on Endpoint, click the Behavior option. The Process Behavior details page for that endpoint/file relationship appears.

See Process Behavior details.

Legacy ID: v114008894_v127312507

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

File details

Description

Summary

Actions

Details tab

Related Events tab

File Attributes tab

Subscribe To This Article

Related Products

Was this Article Helpful?