Changing File Status or Remediate

Note: By default, the blocking option is disabled in the policy. To enable blocking, in the policy configuration, change the Blocking option to Enabled under Response Action Settings. For more information, see the NetWitness Endpoint Configuration Guide.

To change the status of a file:

  1. Do one of the following:

    • Go to Hosts (Processes, Autoruns, Files, Drivers, Libraries, or Anomalies tab).
    • Go to Files.
  2. Select one or more files and do one of the following:

    Change File Status

    • Right-click and select Change File Status from the context menu.
    • Click Change File Status in the toolbar.
  3. In the Change File Status dialog, select a status - Blacklist, Whitelist, Graylist, or Neutral.

    Change File Status

    Note: You cannot whitelist certain Microsoft files, such as cscript.exe, wscript.exe, cmd.exe, bash.exe, as there is a potential risk of them being used for malicious purposes. For more information, see Files Restricted from Whitelisting.

    If you select Blacklist or Graylist, the following options are displayed:

    1. Category: Select the appropriate category type: Generic Malware, APT: Advanced Persistent Threats, Attacker Tool, Unidentified, Ransomware.

      Caution: Before blocking, make sure that you review the file because this may cause the system or software to be unusable.

    2. Remediate: Select Block to block the file.

      Note: Blocking is supported only for Windows hosts.
      You cannot block the following:
      - Memory DLL and floating code
      - Files that are signed by Microsoft or RSA.

  4. Add a comment and click Save.

You can change the status of only 100 files at a time. When the status is changed, it impacts the file status on all hosts on which the file is present. The status is sent as a session under the File category, and available for investigation. If the file is seen in subsequent scan or tracking, the corresponding sessions contain a meta value with the file status (except Neutral).

Files Restricted from Whitelisting

To view or update the files that are restricted from whitelisting, do the following:

  1. On the NW server, run the nw-shell command from the command line.
  2. Run the login command and enter your credentials.
  3. Connect to the Endpoint Server using the following command:

    connect endpoint-server

  4. Run the following commands to view the list of files:

    • cd endpoint/file/status/restricted/get
    • invoke Whitelist
  5. Run the following commands to add files to the list:

    • cd endpoint/file/status/restricted/get
    • invoke '{"id":"<filename>","restrictedStatus":["Whitelist"], "enable":true}
  6. Run the following commands to delete files from the list:

    • cd endpoint/file/status/restricted/update
    • invoke '{"id":"<filename>","restrictedStatus":["Whitelist"], "enable":false}