000026858 - Why does an extracted file appear as *.raw.exe in RSA Security Analytics?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026858
Applies To: RSA Security Analytics, RSA NetWitness NextGen, RSA NetWitness Investigator
Issue: Why does an extracted file appear as *.raw.exe in RSA Security Analytics?
Resolution

Extracting files from sessions via RSA NetWitness Investigator v9.8 or the RSA Security Analytics Investigation UI can produce files named *.raw.exe, e.g. 33525512115-9-0.raw.exe.

raw.exe is a placeholder name that is used when an exe is identified within a session but no discernible file name is present.

For instance, the data channel session of an FTP transfer contains just the transferred file, not its name (which is in the control channel session).
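
The FTP case above can be resolved by reading the name back out of the control channel. The following is an added example, not RSA code or product behaviour: it maps the data-channel endpoint announced in a PASV reply or PORT command to the file named in the next RETR/STOR. The transcript, its "C:"/"S:" line format and the function names are constructed for illustration.

```python
import re

# Constructed FTP control-channel transcript (C: = client, S: = server).
CONTROL_SESSION = """\
S: 220 ftp.example.test ready
C: USER analyst
S: 331 Password required
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR tools/setup.exe
S: 226 Transfer complete
C: PORT 198,51,100,7,4,1
S: 200 PORT command successful
C: STOR report.exe
S: 226 Transfer complete
"""

# h1,h2,h3,h4,p1,p2 as used by both the 227 reply and the PORT command.
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def map_data_endpoints(control_text):
    """Return {(ip, port): (command, path)} for each transfer in the transcript."""
    transfers, pending = {}, None
    for line in control_text.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.partition(" ")
        verb = verb.upper()
        if (side == "S" and verb == "227") or (side == "C" and verb == "PORT"):
            m = HOSTPORT.search(arg)
            if m:
                n = [int(x) for x in m.groups()]
                # The listening data port is p1 * 256 + p2.
                pending = (".".join(map(str, n[:4])), n[4] * 256 + n[5])
        elif side == "C" and verb in ("RETR", "STOR") and pending:
            transfers[pending] = (verb, arg.strip())
            pending = None  # each announced endpoint serves one transfer
    return transfers


def name_for(data_ip, data_port, transfers, placeholder):
    """Use the control-channel file name if known, else keep the placeholder."""
    hit = transfers.get((data_ip, data_port))
    return hit[1].rsplit("/", 1)[-1] if hit else placeholder


if __name__ == "__main__":
    t = map_data_endpoints(CONTROL_SESSION)
    print(name_for("192.0.2.10", 50000, t, "33525512115-9-0.raw.exe"))
```

The lookup key is the listening side of the data connection: the server address for PASV, the client address for PORT.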

Legacy Article ID: a66555
