Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Endpoint: Analyzing Downloaded Files

Document created by RSA Information Design and Development Employee on Apr 11, 2019Last modified by RSA Information Design and Development Employee on Sep 10, 2020
Version 26Show Document
  • View in full screen mode
 

Analyzing Downloaded Files

To perform a deep analysis of suspicious files, you can manually or automatically download the file to the server.

Note: Saving or analyzing downloaded file works the same way irrespective of whether the file is downloaded manually or automatically.

Note: Downloaded files are stored in the Endpoint Server which may fill up the disk space. To utilize the storage efficiently without impacting the health of Endpoint Server, RSA recommends you to configure an external storage mount, so all the Endpoint Server can use the configured location to store the downloaded data.
By default, all files are downloaded to /var/netwitness/endpoint-server/<files>/. If you want to change the location, make sure that you have endpoint-server.configuration.manage permissions and do the following:
1. In the Explore view, go to endpoint/download,
2. In the base-path, provide the location of the directory.

Caution: By default, the status File Download Disk Usage stats in the Health and Wellness view shows unhealthy if the disk usage reaches 60% and the file download stops automatically when the disk usage is 70%. You can customize the warning or fatal thresholds in the > Services > Endpoint Server > view > Explore > rsa.endpoint.file-download-disk-thresholds.warning-percent and rsa.endpoint.file-download-disk-thresholds.fatal-percent parameters respectively.

For the downloaded file, you can:

  • Search for strings in the executable
  • View text content for scripts
  • View imported libraries and functions
  • Save a local copy for further analysis

Download Files to Server

Downloading file to server is not supported for memory DLL and floating code.

Note: Downloading files may take significant time. Additional requests to the agent during download are queued and processed when the download is complete.

Automatic File Download

By default, the files that are unsigned and size lesser than or equal to 1 MB are downloaded automatically to the NetWitness Endpoint server. And, only single copy of each file is downloaded automatically. You can limit the volume of files to be downloaded in the > Endpoint Sources > Policies tab, so the files matching certain criteria are only downloaded automatically. For more information on automatic file download settings, see "Create an EDR Policy" section in the RSA NetWitness Endpoint Configuration Guide.

The status of the download is displayed in the Files tab > Downloaded column.

Manual File Download

To manually download files to the server from the Hosts view:

  1. Go to Hosts.

  2. Select the hostname to open the Host Details view.

  3. In any of the Processes, Autoruns, Files, Drivers, Libraries, or Anomalies tabs, select the file, and do one of the following:

    Download to server

    • Right-click and select Download File to Server from the context menu.
    • Select Download File to Server from the More Actions drop-down list in the toolbar.

To download files to the server from the Files view:

  1. Go to Files.

  2. Select the file and do one of the following:

    Download to server

    • Right-click and select Download File to Server from the context menu.
    • Select Download File to Server from the More Actions drop-down list in the toolbar.

The status of the download is displayed in the Downloaded column. The download statuses are Downloaded, Not downloaded, and Error.

Save Downloaded Files

You can retrieve a downloaded file and save it to your local file system for further analysis. Downloaded files are stored in the server in the configured location. This option is enabled only if the file is downloaded to the server.

To save a file:

  1. Go to Hosts or Files .
  2. Right-click the file you want to save and select Save a Local Copy.
  3. Browse the location and click Save.

Analyze Downloaded Files

You can use the Analyze File option to view detailed information about a downloaded file. This option is enabled only if the file is downloaded to the server. To analyze a file:

  1. Go to Hosts or Files.

  2. Right-click the downloaded file and select Analyze File. The File Analysis view opens and properties of the are is displayed in the right panel.

    Analyze files

  3. View strings in the file in the Strings view while analyzing an executable (such as macho, pe, elf). This view contains the string, offset in the binary, unicode, and the length of the string. You can search for or filter on a specific string value in the Filter String field.

  4. View the text content of the file and look for any suspicious behavior in the script file.

    For example, if the file contains C2 information in the form of domain names or IP addresses, it is highly suspicious.

    File containing C2 information

    If you see unprintable keyboard keys listed within the file, such as: [F1], [F2]…[Page Up], [Enter], [ESC], and so on, that may be indicative of a keystroke logger.

    Indicators of keystroke logging

You are here
Table of Contents > Analyze Downloaded Files

Attachments

    Outcomes