Investigating Files

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.

The Files view provides a holistic view of all files in your deployment. You can apply various filters, sort, and categorize files into different statuses to reduce the number of files for analysis and identify suspicious or malicious files.

Best Practices

The following are some best practices and tips that may help you investigate efficiently to identify and isolate threats or attacks:

Workflow for files

  • Whitelist all files signed by RSA, Microsoft, and any other known good vendors. Use the filters to list these files and change their status to Whitelist. For more information, see Filter Files and Changing File Status or Remediate.

    Note: Some Microsoft signed files are restricted from whitelisting as there is a potential risk of them being used for malicious purposes. To view the list, see Files Restricted from Whitelisting.

  • Change the status of a certificate and have it applied automatically to the files signed by it. For more information, see Analyze Certificates.
  • Filter to exclude whitelisted files, files with a valid signature, and files known to be good based on reputation status. For more information, see Filter Files.
  • Look up the filename or hash in Google or VirusTotal to get more information about a suspected file. For more information, see Launch an External Lookup for a File.
  • Analyze the files using one or more of these indicators:

    1. Risk score - Displays the risk score for a file. Analysts can view the associated alerts and events for further investigation. For more information, see Analyze Files Using the Risk Score.
    2. On Hosts - Indicates the number of hosts on which a file exists. A file present on few hosts with a high risk score may warrant further investigation. You can also sort or filter on the On Hosts column to narrow down the search during investigation. For more information, see Analyze Hosts with File Activity.
    3. File status - Analysts can use the file status to manage suspected and legitimate files. For more information on the various file statuses, see Changing File Status or Remediate.
    4. Reputation status - Indicates the reputation of a file hash, which helps analysts narrow down the files to investigate. For more information, see File Reputation.
    5. Signature - A valid signature on a file signed by a trusted vendor, such as Microsoft or Apple, indicates that the file is not a risk. If a file is unsigned, it may be malicious and needs investigation.
    6. File name - Many trojans write random file names when dropping their payloads to prevent an easy search across the hosts in the network based on the filename. For example, if a file is named svch0st.exe, scvhost.exe, or svchosts.exe, it indicates that the legitimate Windows file named svchost.exe is being mimicked.
  • Investigate a particular file name or hash by pivoting to the Navigate or Events view to view context, file activity on different hosts, and any file transfers across the network through packet data. For more information, see Analyzing Events.
  • Investigate files using a rule-based detection technique. YARA helps to identify threats effectively using easy-to-create malware descriptions called YARA rules. For more information, see Analyze Files Using YARA.

  • Download suspicious files to the server for deeper analysis. For more information, see Analyzing Downloaded Files.
  • Change the status of the file (blacklist or graylist), and block an infected or malicious file. For more information, see Changing File Status or Remediate.
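The file name indicator above (svch0st.exe, scvhost.exe, svchosts.exe mimicking svchost.exe) can be checked mechanically over an exported file inventory. The following is an added example, not part of the NetWitness documentation or product: it normalizes digit-for-letter look-alikes and measures edit distance (insert, delete, substitute, or swap two adjacent characters) against a reference list of legitimate Windows binaries. The reference list and the sample inventory are constructed for the demonstration; in practice the inventory would be the File Name column of a Files view export and the reference list your own baseline.

```python
"""Flag file names that mimic well-known Windows system binaries.

Added example, not NetWitness code. Reference names and the sample
inventory are constructed; replace them with your own baseline and export.
"""
from typing import Dict, Iterable, Optional, Tuple

# Constructed reference list of legitimate names worth protecting.
LEGITIMATE_NAMES = {
    "svchost.exe",
    "lsass.exe",
    "csrss.exe",
    "winlogon.exe",
    "explorer.exe",
    "services.exe",
}

# Digits commonly swapped in for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit is an insertion, deletion,
    substitution, or a swap of two adjacent characters, so 'scvhost' is one
    edit away from 'svchost'."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def classify_name(name: str, reference=LEGITIMATE_NAMES, max_edits: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, mimicked_name). Verdicts:
    'legitimate' - exact match with a reference name
    'homoglyph'  - equals a reference name after digit/letter swaps
    'near_match' - within max_edits edits of a reference name
    'unrelated'  - no resemblance to any reference name
    """
    lowered = name.lower()
    if lowered in reference:
        return "legitimate", lowered
    normalized = lowered.translate(HOMOGLYPHS)
    if normalized in reference:
        return "homoglyph", normalized
    best = None
    for ref in reference:
        dist = osa_distance(lowered, ref)
        if dist <= max_edits and (best is None or dist < best[0]):
            best = (dist, ref)
    if best:
        return "near_match", best[1]
    return "unrelated", None


def suspicious_names(inventory: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Reduce an inventory of file names to those that mimic a reference
    name; returns {name: (verdict, mimicked_name)}."""
    out = {}
    for n in inventory:
        verdict, ref = classify_name(n)
        if verdict in ("homoglyph", "near_match"):
            out[n] = (verdict, ref)
    return out


if __name__ == "__main__":
    # Constructed inventory, including the three look-alikes from the text.
    sample = ["svchost.exe", "svch0st.exe", "scvhost.exe", "svchosts.exe",
              "notepad.exe", "lsass.exe", "lssas.exe"]
    for name, (verdict, ref) in suspicious_names(sample).items():
        print(f"{name:14} {verdict:10} mimics {ref}")
```

Names flagged as homoglyph or near_match are candidates for the File Name filter, not verdicts; a rare name with a high risk score and few On Hosts is the combination worth opening first.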

View Files

You can view all files present on a specific Endpoint server, or a consolidated list of all files on multiple Endpoint servers using the Endpoint Broker, for analysis. To view files:

  1. Go to Files.

  2. Select one of the following:

    Selecting a server

    • Endpoint Broker Server to view all files across all Endpoint servers.
    • Endpoint Server to view files on a specific Endpoint server.

  3. Select the file that you want to analyze.
  4. Click a row to view the following details:

    View file details

Filter Files

You can narrow down the investigation by filtering files using file name, on hosts, file status, risk score, remediation, reputation status, operating system, size, entropy, format, signature, company name, checksum (MD5 and SHA256), downloaded status, and YARA rules.

Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database: Filename, MD5, SHA256, Operating System, First Seen Time, Format, File Status, On Host, and Reputation Status.

Filter files

Select the parameters in the Filters tab. Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters list. To delete a filter, hover over the name and click Delete.

Note: Special characters are not allowed in the filter name except underscore ( _ ) and hyphen (-) while saving the filter.

For example, to filter the files based on file reputation, select the reputation status in the Filter panel.

Note: For the file size, 1 KB is calculated as 1024 bytes. For example, if the actual size of the file is 8421 bytes, the UI will display it as 8.2 KB instead of 8.22 KB. It is recommended to search using the bytes format when using the Equals operator.

Add and Sort Columns in the Table

By default, the Files view displays a few columns, and files are sorted based on the risk score. To add or remove columns:

  1. Go to Files.

  2. Select the columns by clicking Settings in the right-hand corner.
    Select Columns for Files

  3. Scroll down or enter the keyword to search and select the required columns.

  4. To sort the column in ascending or descending order, click the arrow on the column header.

Analyze Files Using the Risk Score

To analyze files using the risk score:

  1. Go to Files.

    The Files view is displayed.

  2. In the Server drop-down list, select the Endpoint server or Endpoint Broker server to view the files.

  3. Select the file and do any of the following:
    • Click a row to view the risk associated with the file in the Risk Details panel.

    • Click the hostname to investigate the host.

      The Details tab is displayed.

  4. In the Alert Severity panel, click the alert severity, such as Critical, High, Medium, or All.
    The list of distinct alerts is displayed along with the total number of events associated with the alert.

  5. Click an alert to view the associated events.

    Note: Only the latest 1000 events are displayed.

  6. To view all the metadata associated with a specific event, click the event header. Information such as the source path, target path, and filename is displayed.

    View metadata

  7. Hover over one of the meta values for IP, Hostname, Mac, File name, File hash, User, and Domain to view additional information about the specific metadata. A hover box displays a list of the data sources that have context data available for the meta value. These are the possible data sources: NetWitness Endpoint, Incidents, Alerts, Hosts, Files, Feeds, and Live Connect.

    View information about specific metadata

  8. To investigate the original event and destination domain of the event, do any of the following:

    Investigate the event

    • To reconstruct an event in a readable form that matches the original, click the Investigate Original Event link highlighted in blue. For more information on event reconstruction, see the NetWitness Investigate User Guide.

    • For details about the elements associated with an event, click the Investigate Destination Domain link highlighted in blue. For more information on Contextual Information for an Event, see the NetWitness Investigate User Guide.

      Note: The Investigate Destination Domain link is not displayed if there is no domain.dst value for the event.

    • To view a list of processes captured on the hosts and investigate a particular process, click the Analyze Process link highlighted in blue. For more information on process analysis, see Investigating a Process.

      Note: The Analyze Process link is not displayed if there is no createprocess event.

Analyze Hosts with File Activity

To view the list of hosts on which a file exists, do the following:

Note: By default, the system detects the best data source for the On Hosts aggregation. To change the data source, in the Explore view, modify the investigate service ID under endpoint/investigate.

  1. In the Files tab, click the row for the file you want to analyze.

  2. In the right panel, click the Hosts tab. The list of hosts, along with their risk scores, is displayed.

    Active on

  3. Click the host name to open the host details.

  4. Click the pivot icon to analyze events on the host in the Events view. For more information, see Analyzing Events.

Analyze Files Using YARA

YARA helps analysts with rule-based detection capabilities in identifying and classifying malware. You can easily create malware descriptions using YARA rules. Administrators must enable and configure YARA on the Endpoint server. To learn more about enabling and configuring YARA, refer to the RSA NetWitness Endpoint Configuration Guide.

Files must be downloaded to the Endpoint server and YARA scans the downloaded files automatically. The scan results are displayed under YARA STATUS on the Files tab.

To analyze the scanned files:

  1. Go to Files.
  2. Select the Endpoint server from the server drop-down to view files.
  3. Select a file that is downloaded to the Endpoint server and do any of the following:
    • Click a row to view the YARA scan details associated with the file in the File Details panel.
    • If a file matches one or more YARA rules, the File Details panel displays the matching rule names beside the scan time.
    • The YARA STATUS field displays the status of the YARA scan. The available statuses and their definitions are:
      • Matched - The file matches one or more YARA rules.
      • Not Matched - The file does not match any of the YARA rules.
      • Not Yet Scanned - No scan has been performed for this file. Files are scanned automatically once they have been downloaded. After the scan, the YARA status is updated to either Matched or Not Matched.

      Note: When a file matches a YARA rule, high severity alerts are triggered and the file's risk score is updated. If the same file does not match any YARA rule in a subsequent scan, the risk score is reset.

    Note: If a downloaded file has an error, it is not scanned by YARA, and the Downloaded column displays the file download status as Error.


  4. On the Filters pane, scroll to the YARA RULES section. This section provides options to filter the files based on YARA scan status:
    • Select Matched to view the files that match YARA rules.
    • Select Not Matched or Not Yet Scanned to view the files that do not match any YARA rule or have not yet been scanned against YARA rules.

For more information on investigating with YARA, see the NetWitness Investigate User Guide.

Analyze Files Using OPSWAT

OPSWAT (MetaDefender Core) provides advanced malware detection capabilities by scanning files with multiple anti-malware engines simultaneously. Administrators need to enable and configure OPSWAT on the Endpoint server. To learn more about enabling and configuring OPSWAT, see the NetWitness Endpoint Configuration Guide.

All downloaded executable files are automatically sent to the OPSWAT server for scanning once OPSWAT is enabled and configured on the Endpoint servers.


Scan files with OPSWAT

Downloaded files are automatically sent to the OPSWAT server for scanning. However, you can also initiate the scan manually using options under the More Actions menu. Executable files with the following file extensions are supported by this feature: pe, script, macro, and elf. The maximum file size limit is set to 10 MB by default. You can increase or decrease it if required.

Automatic scan:

The Endpoint server automatically sends all downloaded executable files to the OPSWAT server. The scan results are displayed under the OPSWAT STATUS column on the Files tab.

Manual Scan:

You can also manually initiate an OPSWAT scan using the options under the More Actions menu on the Files tab.

The More Actions menu provides the following options:

  • Manual Scan - Scan selected files

  • Manual Scan - Scan all files

Manual Scan - Scan selected files

  1. Select the files that need to be sent to the OPSWAT server for scanning.

  2. Select More Actions > Scan with OPSWAT.

  3. Click Scan on the confirmation pop-up.

Manual Scan - Scan all files

  1. Select More Actions > Scan All with OPSWAT.

  2. Click Scan on the confirmation pop-up.

View OPSWAT Scan Results

The scan results are displayed as status icons under the OPSWAT STATUS column on the Files tab, as follows:

  • Infected - The file is infected.

  • Suspicious - The file is suspicious.

  • Scan failed - The scan did not complete; see the troubleshooting section for more information.

  • No threat - The file is clean as of the last scanned time.

  • Not yet scanned - The file has not been scanned.

Click on a file to view scan results under the FILE DETAILS panel.

  • Scan Time: The last scanned time.

  • Scan details: Whether the file is infected, suspicious, or no threat was detected, and the names of the anti-malware engines that identified the threat.


Alerts and Impact on Risk scores

Alerts: Critical alerts are triggered when OPSWAT finds a file infected, and High severity alerts when a file is found suspicious.

Risk score: If a file is found infected or suspicious by OPSWAT, the risk score of that file and of the corresponding host is increased.
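The YARA and OPSWAT sections above describe the same pipeline from two angles: a downloaded file gets a scan status, a match or detection raises an alert of a given severity and raises the risk score, and a later clean YARA result resets the score. The following added example (not NetWitness code) models those rules in one place so the interactions can be checked; the status strings, alert severities, supported formats and the 10 MB default limit come from the page, while the score increments, the alert text, and the record layout are assumptions made for the demonstration.

```python
"""Model how YARA and OPSWAT scan results on downloaded files turn into
statuses, alerts and risk-score changes.

Added example, not NetWitness code. Score increments and the record
layout are assumptions; statuses and severities follow the page.
"""
from typing import List, Tuple

OPSWAT_FORMATS = {"pe", "script", "macro", "elf"}   # formats OPSWAT scanning supports
OPSWAT_MAX_BYTES = 10 * 1024 * 1024                 # default size limit (adjustable)

# Assumed score contributions; the product does not publish these numbers.
YARA_MATCH_POINTS = 50
OPSWAT_POINTS = {"infected": 70, "suspicious": 40}
OPSWAT_SEVERITY = {"infected": "Critical", "suspicious": "High"}
OPSWAT_STATUS = {"infected": "Infected", "suspicious": "Suspicious",
                 "no_threat": "No threat", "failed": "Scan failed"}


class FileRecord:
    """Per-file state as the Files view would show it (assumed layout)."""

    def __init__(self, name: str, fmt: str, size: int, downloaded: str = "Downloaded"):
        self.name, self.format, self.size, self.downloaded = name, fmt, size, downloaded
        self.yara_status = "Not Yet Scanned"
        self.opswat_status = "Not yet scanned"
        self.risk_score = 0
        self.alerts: List[Tuple[str, str]] = []   # (severity, description)


def opswat_eligible(rec: FileRecord) -> Tuple[bool, str]:
    """Gate an OPSWAT scan on the constraints the page states: a successful
    download, a supported format, and the size limit."""
    if rec.downloaded != "Downloaded":
        return False, "file not downloaded successfully"
    if rec.format not in OPSWAT_FORMATS:
        return False, f"format {rec.format!r} not supported"
    if rec.size > OPSWAT_MAX_BYTES:
        return False, "exceeds size limit"
    return True, "ok"


def reset_risk(rec: FileRecord) -> None:
    """Reset: score back to 0 and the alerts behind it removed (assumed to
    behave like the Reset Risk Score action described later on the page)."""
    rec.risk_score = 0
    rec.alerts.clear()


def apply_yara_scan(rec: FileRecord, matched_rules: List[str]) -> str:
    """Record a YARA scan: a download error means no scan takes place; a
    match raises a High alert and adds to the score; a later non-match on a
    previously matched file resets the score."""
    if rec.downloaded == "Error":
        return rec.yara_status            # stays Not Yet Scanned
    if matched_rules:
        rec.yara_status = "Matched"
        rec.alerts.append(("High", "YARA rule match: " + ", ".join(matched_rules)))
        rec.risk_score += YARA_MATCH_POINTS
    else:
        was_matched = rec.yara_status == "Matched"
        rec.yara_status = "Not Matched"
        if was_matched:
            reset_risk(rec)
    return rec.yara_status


def apply_opswat_scan(rec: FileRecord, verdict: str) -> str:
    """Record an OPSWAT verdict: Critical alert for infected, High for
    suspicious, and a score increase in both cases. Ineligible files are
    never sent, so their status is left unchanged."""
    ok, _reason = opswat_eligible(rec)
    if not ok:
        return rec.opswat_status
    rec.opswat_status = OPSWAT_STATUS[verdict]
    if verdict in OPSWAT_SEVERITY:
        rec.alerts.append((OPSWAT_SEVERITY[verdict], "OPSWAT: file " + rec.opswat_status.lower()))
        rec.risk_score += OPSWAT_POINTS[verdict]
    return rec.opswat_status


if __name__ == "__main__":
    # Constructed walkthrough of one file over three scans.
    rec = FileRecord("dropper.exe", "pe", 8421)
    apply_yara_scan(rec, ["susp_packer"])
    apply_opswat_scan(rec, "infected")
    print(rec.yara_status, rec.opswat_status, rec.risk_score, rec.alerts)
    apply_yara_scan(rec, [])          # rule retired: score and alerts reset
    print(rec.yara_status, rec.opswat_status, rec.risk_score, rec.alerts)
```

The walkthrough shows the point worth remembering from the YARA note: a later non-match resets the score, so a file's current score alone does not tell you whether it ever matched; the scan history and the File Details panel do.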


Launch an External Lookup for a File

While analyzing a file, you can search Google or VirusTotal with the filename or hash to get more information about the file. To launch the search:

  1. Go to Files.

  2. View the file name and hash in the MD5, SHA1, and SHA256 columns of the table, or view the details in the File Details tab on the right panel.
  3. Select one or more files, then right-click or open the More Actions drop-down list in the toolbar, and do one of the following:

    External lookup

    1. Select Google Lookup and perform a search on the filename, MD5, SHA1, or SHA256.
    2. Select VirusTotal Lookup and perform a search on MD5, SHA1, or SHA256.

    Note: To open files in multiple tabs, make sure you enable pop-ups in the browser.

Set Files Preference

By default, the Files view displays a few columns and the files are sorted based on the risk score. If you want to view specific columns and sort data on a specific field:

  1. Go to Files.
  2. Select the columns by clicking Settings in the right-hand corner. The following example shows the drop-down list displayed while adding columns:
    Select Columns for Files
  3. Sort the data on the required column.

Note: The selections you make here become your default view every time you log in to the Files view.

Export Global Files

To extract the list of global files to a comma-separated values (CSV) file:

Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. You can export up to 100k files at a time.

  1. Go to Files.

  2. Filter the files by selecting the required filter option.

  3. Add columns by clicking Settings in the right-hand corner.

  4. Click Export to CSV to export the files to a CSV file.

    Export to CSV

You can either save or open the CSV file.
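Once the export exists, the Best Practices workflow at the top of this page (exclude whitelisted, validly signed and known-good files, then look first at high risk scores on few hosts) can be run over it offline. The following is an added example, not NetWitness code or a real export: the column names (File Name, On Hosts, Risk Score, File Status, Reputation Status, Signature, Size) and the rows are constructed to resemble an Export to CSV result, so map them to the columns you actually selected before exporting. It also encodes two notes from the Filter Files section: the list of indexed fields, and the 1 KB = 1024 bytes display convention.

```python
"""Triage an exported Files CSV along the workflow described on this page.

Added example, not NetWitness code. Column names and rows are constructed
to resemble an Export to CSV result; adjust them to your own export.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export (in practice: the file produced by Export to CSV).
SAMPLE_CSV = """File Name,On Hosts,Risk Score,File Status,Reputation Status,Signature,Size
svchost.exe,950,0,Whitelist,Known Good,Valid,55296
chrome.exe,800,0,Neutral,Known Good,Valid,3215360
updater.exe,3,92,Neutral,Unknown,Unsigned,204800
svch0st.exe,1,100,Neutral,Malicious,Unsigned,8421
helper.dll,40,35,Neutral,Unknown,Invalid,51200
"""

# Indexed fields listed in the Filter Files note; a filter that uses one of
# them with Equals keeps large queries fast.
INDEXED_FIELDS = {"Filename", "MD5", "SHA256", "Operating System", "First Seen Time",
                  "Format", "File Status", "On Host", "Reputation Status"}


def filter_uses_index(filters: List[Tuple[str, str, str]]) -> bool:
    """True if at least one (field, operator, value) clause hits an indexed
    field with the Equals operator, as the performance note recommends."""
    return any(field in INDEXED_FIELDS and op == "Equals" for field, op, _ in filters)


def needs_review(row: Dict[str, str]) -> bool:
    """Exclusion step: whitelisted, validly signed and known-good files drop out."""
    if row["File Status"] == "Whitelist":
        return False
    if row["Signature"] == "Valid":
        return False
    if row["Reputation Status"] == "Known Good":
        return False
    return True


def priority(row: Dict[str, str]) -> Tuple[int, int]:
    """Sort key: highest risk score first, then rarest (fewest hosts) first."""
    return (-int(row["Risk Score"]), int(row["On Hosts"]))


def triage(csv_text: str) -> List[Dict[str, str]]:
    """Parse the export and return the rows still worth analyst time, ordered."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((r for r in rows if needs_review(r)), key=priority)


def human_size(nbytes: int) -> str:
    """Mirror the UI convention from the Filter Files note: 1 KB = 1024 bytes,
    one decimal (8421 bytes -> 8.2 KB), which is why an Equals filter on
    size is better expressed in bytes."""
    if nbytes < 1024:
        return f"{nbytes} bytes"
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:.1f} KB"
    return f"{nbytes / (1024 * 1024):.1f} MB"


if __name__ == "__main__":
    print(f"{'File Name':14} {'Risk':>4} {'Hosts':>5} {'Size':>9}")
    for row in triage(SAMPLE_CSV):
        print(f"{row['File Name']:14} {row['Risk Score']:>4} {row['On Hosts']:>5} "
              f"{human_size(int(row['Size'])):>9}")
    print("indexed filter:", filter_uses_index([("Filename", "Equals", "svch0st.exe")]))
```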

Analyze Certificates

Note: The information in this topic applies to RSA NetWitness Platform Version 11.3 and later.

The Certificates view provides a list of code-signing certificates reported by hosts found in your deployment and their associated properties. You can select the certificates under a specific Endpoint server.

To view the certificates in an Endpoint server:

  1. Go to Files.

  2. From the drop-down menu, select the Endpoint server to view certificates present on that server. To view a consolidated list of certificates, select the Endpoint Broker server.

  3. Select a file and do one of the following:

    View certificates

    • Right-click and select View Certificates from the context menu.

    • Click View Certificates in the toolbar.

Change the Certificate Status

You can assign a Whitelist status to a certificate from a trusted vendor, and this status is automatically applied to all files that are signed by this certificate. If you consider abc a trusted vendor, you can set the status for the certificates signed by abc to Whitelist.

Similarly, you can also set the certificate status as Blacklist or Neutral. If a company's certificate is stolen or compromised, you can blacklist this certificate and remediate.

To change the certificate status:

  1. Select a certificate, and click Change Certificate Status.

    Change Certificate Status

  2. In the Change Certificate Status dialog, select a status - Blacklist, Whitelist, or Neutral.

    Note: If you have manually updated a file status in the Files or Hosts view, changing the status in the Certificate view does not affect that file status, as the manual update takes precedence. For example, if you have whitelisted the file vmci.sys that is signed by VMware, Inc. in the Files or Hosts view, and you have blacklisted VMware, Inc. in the Certificate view, the file vmci.sys remains Whitelisted even though the certificate is blacklisted.

  3. Add a comment and click Save.

  4. Click < Files to go to the Files view.

Note: In a multi-server environment, changing the status of a certificate in one endpoint server updates the respective files in other endpoint servers. For example, if a certificate status is set to Blacklist on one endpoint server, all files signed by this certificate are set to Blacklisted on all endpoint servers.
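The two notes above define a precedence order: a certificate status applies to every file signed by that certificate on every Endpoint server, but a status set manually on a file in the Files or Hosts view wins over it. The following added example (not NetWitness code) resolves the effective status of each file under those rules so the vmci.sys / VMware, Inc. case from step 2 can be checked; the record layout (signer name as the certificate key, a server field on each file, Neutral as the default) is an assumption for the demonstration.

```python
"""Resolve effective file status from certificate status and manual overrides.

Added example, not NetWitness code. The data model is assumed; the
precedence rules (manual file status beats certificate status; certificate
status is shared across Endpoint servers) follow the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FILE_STATUSES = {"Whitelist", "Blacklist", "Graylist", "Neutral"}
CERT_STATUSES = {"Whitelist", "Blacklist", "Neutral"}


@dataclass
class FileRecord:
    name: str
    server: str                           # Endpoint server that reported the file
    signer: Optional[str]                 # certificate signer, None when unsigned
    manual_status: Optional[str] = None   # set in the Files or Hosts view


class StatusResolver:
    def __init__(self) -> None:
        self.cert_status: Dict[str, str] = {}   # one map: shared across all servers
        self.files: List[FileRecord] = []

    def add_file(self, rec: FileRecord) -> None:
        self.files.append(rec)

    def set_certificate_status(self, signer: str, status: str) -> None:
        """Change Certificate Status: stored once, so every file signed by this
        certificate on every Endpoint server picks it up."""
        if status not in CERT_STATUSES:
            raise ValueError(f"unknown certificate status {status!r}")
        self.cert_status[signer] = status

    def set_file_status(self, name: str, server: str, status: str) -> None:
        """Manual change in the Files/Hosts view; takes precedence afterwards."""
        if status not in FILE_STATUSES:
            raise ValueError(f"unknown file status {status!r}")
        for rec in self.files:
            if rec.name == name and rec.server == server:
                rec.manual_status = status

    def effective_status(self, rec: FileRecord) -> str:
        """Manual status first, then the signer's certificate status, else Neutral."""
        if rec.manual_status:
            return rec.manual_status
        if rec.signer and rec.signer in self.cert_status:
            return self.cert_status[rec.signer]
        return "Neutral"

    def report(self) -> Dict[Tuple[str, str], str]:
        return {(r.name, r.server): self.effective_status(r) for r in self.files}


def demo() -> Dict[Tuple[str, str], str]:
    """Constructed scenario mirroring the note in step 2 plus a second server."""
    res = StatusResolver()
    res.add_file(FileRecord("vmci.sys", "endpoint-a", "VMware, Inc."))
    res.add_file(FileRecord("vmxnet3.sys", "endpoint-b", "VMware, Inc."))
    res.add_file(FileRecord("tool.exe", "endpoint-b", None))
    res.set_file_status("vmci.sys", "endpoint-a", "Whitelist")   # manual, earlier
    res.set_certificate_status("VMware, Inc.", "Blacklist")      # certificate, later
    return res.report()


if __name__ == "__main__":
    for (name, server), status in demo().items():
        print(f"{name:12} {server:12} {status}")
```

Because the manual status wins silently, a blacklisted certificate does not guarantee that every file it signed is blacklisted; after changing a certificate status, filter the Files view on that signer and check for files whose status was set by hand.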

Filter Certificates

You can filter certificates on status, signature, friendly name, and thumbprint.

Filter Certificates

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters list. To delete a filter, hover over the name, and click Delete.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Resetting Risk Score of Files

You can reset the risk score for a file in these situations:

  • If the alerts or events triggered by the host or a file are considered false positives, you can make the required changes to the Endpoint Application rules or ESA rules.
  • After you take required action on a malicious file.

When you reset the risk score, the risk calculation for the file is deleted and the score is set to 0. The risk score on all the hosts on which this file exists is recalculated. You can reset the risk score for a single file or multiple files.

To reset the risk score of a file:

  1. Go to Files.

  2. Select the Endpoint Server or Endpoint Broker.

  3. Select one or more files and do one of the following:

    Reset risk score

    • Right-click and select Reset Risk Score from the context menu.
    • Click More Actions > Reset Risk Score in the toolbar.

    All the alerts associated with the score are deleted.

    Note: You can select a maximum of 100 files to reset the score.

  4. Refresh the page to view and confirm that the file's score is reset. It may take some time for the changes to take effect.