This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Has anyone experienced multipe downloads of the same files within a short timeframe?

ChristinaHaustr
Beginner
Beginner

‎2017-02-22 04:01 PM

We have been analyzing our downloaded files directly on the server and have seen that some files are downloaded 70-150 times and given the same name, but with different random numbers. From the documentation, this shouldn't be possible as netwitness endpoint should only download files to server once for each file (regardless of other filters) - furthermore another quirk is that all of the downloaded files usually are downloaded during the course of 2 days. Anyone else experiencing the same issue (and does anyone know a fix to the issue)?

Labels:
0 Likes
2 REPLIES 2

NickMerante
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2017-02-28 03:57 PM

Hi Christina,

 

Unique files will only be automatically downloaded once by the Console Server.  If you're seeing multiple files of the same name, they must be different in some way.  Perhaps different versions of a program or library? 

 

The differences between the files is highlighted by those random characters after the file name.  This is the SHA-256 hash of the file.  The Console Server examines the file hashes to determine whether the file has already been downloaded, not just the name.  This way, should malware masquerade as a legitimate program already on the system and use its file name, it will still be captured by Endpoint and be automatically downloaded since the file hash will not match a file already known.

0 Likes

ChristinaHaustr
Beginner
Beginner
In response to NickMerante

‎2017-03-01 02:11 AM

Hi Nick,

Thank you for your reply. The scenario that you describe is also what I would expect when reading the documentation. Unfortunately things are a bit different on our systems. What I have seen is for instance a file called (this is a ficticiuos example):

MediaPlayer_958d2473f83c6ab6b8487abcdab80dcbad2ff5df76c9638d8d61eda1eef2e4278_45nm.exe_

MediaPlayer_958d2473f83c6ab6b8487abcdab80dcbad2ff5df76c9638d8d61eda1eef2e4278_78hr.exe_

MediaPlayer_958d2473f83c6ab6b8487abcdab80dcbad2ff5df76c9638d8d61eda1eef2e4278_19yt.exe_

etc.

The SHA256 is identical for all of the files, the only part changing is the trailing random characters. So far I have only encountered this issue on files downloaded in 2014 and 2015, but I wanted to know if anyone else had seen the same behavior and if it had been spotted recently?

Regards,

Christina

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.