The File details page provides information about the activity that Symantec Advanced Threat Protection (ATP) detected involving this file or email. It also provides information about the file's relationships with other entities in your environment. You can also perform remediation tasks from this page.
Navigate to the File details page in any of the following ways:
In ATP Manager, click Incident Manager. In the Incident Manager, click on any incident to open the Incident details page.
Click on the interactive file node anywhere it appears in ATP Manager to open that File's details page.
Click any of the following links to learn more about that section of the File details page.
Summary | Actions | Details tab | Related Events tab | File Attributes tab
Beneath the name of the file is a graphic that depicts the health of the file.
Beneath the graphic is the following information:
To the right of the graphic is the following information:
The actions that you can perform on the File details page are as follows:

Process Dump: Retrieves the endpoint recorder data for this file hash. You can select the endpoints from which you want to retrieve data. The Process Dump action appears as an available action if the file was an actor at any point in time. When you generate a process dump, a dialog box appears that contains a list of all of the endpoints on which the file was found. An endpoint that is grayed out is not enrolled with EDR 2.0. This occurs if the endpoint was once enrolled with EDR 2.0 but is now unenrolled. Ensure that the endpoint is enrolled and re-attempt the process dump. See Retrieving endpoint data recorder information.
After you initiate a dump, you can view its status on the Search > Endpoints tab. Then click the dump in the Search Description field to go to that dump's details page. See Process Dump Results details page.
This action only appears for the endpoints that are enrolled with ATP. If this page is the result of an endpoint search, this action is only available if the file is an actor in an endpoint data recorder event. ATP supports conducting two dumps concurrently; additional dumps are queued until the previous dumps complete. See About integrating ATP with Symantec Endpoint Protection. ATP cancels any inactive dump commands that do not return new results 3 days after they are initiated.

Adds the file to or removes it from your Blacklist.

Adds the file to or removes it from your Whitelist. See Managing policies. See Reporting false positive and false negative file convictions.

Submits files with unknown reputations to an on-premises sandbox or a cloud-based sandbox for analysis. Sandboxing detects unknown malware and advanced threats by executing files in a virtual environment and observing their behavior. You can configure ATP to automatically submit suspicious files for virtual sandbox analysis. Files are submitted to whichever sandbox tool your ATP Manager is configured to use (cloud-based sandbox or on-premises sandbox). If your administrator has enabled automatic sandbox submissions, this option is inert, because ATP will already have submitted suspicious files for analysis. See Configuring ATP to use cloud sandboxing or on-premises sandboxing.
If ATP does not automatically submit suspicious files for sandbox analysis, you can do so as needed. You can only submit files that Symantec has not already recognized as having a good reputation or a bad reputation. Files that are submitted to a cloud-based sandbox cannot exceed 10 MB. There is no file size limit for files that are submitted to an on-premises sandbox. After the file has been analyzed, you can view the results on the File details page under Cynic Observed File, Registry, System Changes, and Cynic Observed Network Analysis. Files that you submit for sandboxing that are deemed bad appear in the dashboard as endpoint events.
See File types that can be submitted for sandboxing. See Changing the geographic location where you submit files for cloud-based sandboxing. See How to interpret Symantec Malware Analysis sandboxing results.
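As an added example (not Symantec's code), the following Python models the manual sandbox submission rules described above so that a triage script can work out which files still need a manual submission and why the others are skipped. The function and class names and the inventory are assumptions; the 10 MB limit is taken as 10 MiB.

```python
from dataclasses import dataclass
from enum import Enum

# Documented limit for cloud sandbox submissions; treated here as 10 MiB (assumption).
CLOUD_SANDBOX_MAX_BYTES = 10 * 1024 * 1024


class Reputation(Enum):
    GOOD = "good"
    BAD = "bad"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class FileRecord:
    sha256: str  # hash as shown on the File details page (constructed values below)
    size_bytes: int
    reputation: Reputation


@dataclass(frozen=True)
class Decision:
    submit: bool
    reason: str


def manual_submission_state(rec: FileRecord, sandbox: str, auto_submit: bool) -> Decision:
    """Decide whether the manual submit action would do anything for this file.

    sandbox is "cloud" or "on-premises", whichever ATP Manager is configured to use.
    """
    if sandbox not in ("cloud", "on-premises"):
        raise ValueError(f"unknown sandbox type: {sandbox!r}")
    if rec.reputation is not Reputation.UNKNOWN:
        return Decision(False, f"reputation is already {rec.reputation.value}")
    if auto_submit:
        return Decision(False, "automatic submission is enabled; ATP already submitted it")
    if sandbox == "cloud" and rec.size_bytes > CLOUD_SANDBOX_MAX_BYTES:
        return Decision(False, f"{rec.size_bytes} bytes exceeds the 10 MB cloud limit")
    return Decision(True, f"submit to the {sandbox} sandbox")


def files_needing_manual_submission(records, sandbox, auto_submit):
    """Return (hashes to submit by hand, {hash: reason} for the files that are skipped)."""
    todo, skipped = [], {}
    for rec in records:
        decision = manual_submission_state(rec, sandbox, auto_submit)
        if decision.submit:
            todo.append(rec.sha256)
        else:
            skipped[rec.sha256] = decision.reason
    return todo, skipped


# Constructed inventory with placeholder hashes (not real indicators).
SAMPLE_INVENTORY = [
    FileRecord("a" * 64, 2 * 1024 * 1024, Reputation.UNKNOWN),
    FileRecord("b" * 64, 25 * 1024 * 1024, Reputation.UNKNOWN),
    FileRecord("c" * 64, 4096, Reputation.BAD),
]
```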
Submits the SHA256 hash to VirusTotal, then takes you to the VirusTotal website so that you can view the results.

ATP locates the file on the endpoint and stores it in a compressed file in the ATP file store. After the compressed file is copied to the file store, the option changes to let you download the compressed file to your local computer. When you download the compressed file from the file store, you must assign a password to it. Open the compressed file on your local computer with the password that you assigned to it and analyze it in your own virtual environment. Or you can submit the file for sandbox analysis.
Non-PE files: You can get a non-portable executable (PE) file (not to exceed 30 MB) in near real time if you are running Symantec Endpoint Protection Manager 14.2 or later. You must also have EDR 2.0 enabled. This action is only supported on clients that use Symantec Endpoint Protection 14.2 and later. ATP prompts you to provide access credentials to retrieve non-PE files from an endpoint. ATP requires either the endpoint's end-user's credentials or a domain administrator's credentials.
PE files: You can get PE files from endpoints (even files in the Symantec Endpoint Protection quarantine). However, this action relies on the Symantec Endpoint Protection Manager heartbeat to complete. You do not need to provide credentials to obtain PE files.

Deletes the selected file and the registry entries that point to that file from that endpoint. Only files that the endpoint control point finds can be deleted. Files that the network control point or email control point identify cannot be deleted. If this entity page is created as the result of an endpoint search, ATP supports deleting both PE and non-PE files.
If a file cannot be deleted for any reason, ATP times out the action 7 days after it is initiated so that the process doesn't run indefinitely. The file delete timeout applies to both EDR 1.0 and EDR 2.0 endpoints. The ability to cancel a delete file action (along with canceling the deletion of associated registry entries) is supported on SEP 12.1 RU6 MP5 and later and can only be performed using the API.
Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in ATP Manager as inactive.
The time it takes for an action to complete depends on the action that you take. You can view the status of the commands that you executed on the Logging > Actions tab.
See Checking the status of an action.
The Details tab provides additional information about the entity. If more than five rows exist in a section, click Total {n} to view the entire list. In the entire list dialog box, you can click on any entity to view its entity details page.
Related Incidents: Other incidents with which this file entity is associated. Click on a row to open that incident's details page. Tip: You might want to evaluate other related incidents to see if they require similar remediation. See Incident details.
Seen on Endpoints: All of the endpoints in your environment that contain this file. Click on a row to open that endpoint's details page. See Endpoint details. When SONAR detects system changes on an endpoint relating to this file, a Behavior option appears in the row for the affected endpoint. Click the Behavior option to open the Process Behavior details page to view information about the system changes that occurred and their related attributes.
File Download Origins: The domain from which this file was downloaded. Click on a row to open that domain's details page. See Domain details.
File Instances: Other instances of the SHA256 hash in your environment. If the malware polymorphed itself under different names, the different names appear in this row too. Each row also shows whether ATP or Symantec Endpoint Protection blocked the file or whether the file was not blocked. Dashes appear in the Blocked column when the blocked status does not apply to the row. Instances where blocked status may not apply are as follows:
Emails Associated with this File: Emails that are associated with the file hash. This section only appears when there is at least one associated email.
Content Analysis Patterns: Key observations made from sandbox analysis that resulted in the sample being convicted. Patterns are the actions that the file took that match typical malware behavior (such as modifying the auto-run registry entries, setting up new auto-run entries, or checking for debugging).
Content Analysis Observed Activity Summary: Summarizes changes made to the system: what files changed, what registry keys changed, what network activity occurred, and so on. Click on an item to show that file's details page.
Content Analysis Events: Describes the raw events observed in the sandbox in granular detail. Also provides the Process Identifier (PID). Click on a row to open that domain's details page. See Domain details.
The Related Events tab shows the last 7 days of events that are related to this entity. Click the following link to learn more about using the Events Summary view.
See Working in the Events Summary view.
When SONAR detects system changes on an endpoint relating to this file, a File Attributes tab appears on the File details page. The File Attributes tab provides detailed information about that file's attributes (to the extent that this information is available). These attributes ("static file attributes") are the attributes that apply to a file and do not change regardless of what processes occur. Examples of file attributes are: the file image size; the number of strings in the file's resources; whether the file has a digital signature.
ATP provides a description of the attributes and their values. Attributes are grouped as follows:
ATP lets you filter attributes so that you can narrow the results. Click Show Filters to reveal the filters. Select the attributes that you want to filter by. (Results immediately begin to appear.) Click Hide Filters to hide the filters view. ATP maintains your filter selections until you reset the filter criteria or refresh the page.
Note: To view a sequential list of the system changes that occurred on the endpoint, on the Details tab under Seen on Endpoints, click the Behavior option. The Process Behavior details page for that endpoint/file relationship appears.