We have been analyzing our downloaded files directly on the server and have seen that some files are downloaded 70-150 times and given the same name, but with different random numbers. From the documentation, this shouldn't be possible as netwitness endpoint should only download files to server once for each file (regardless of other filters) - furthermore another quirk is that all of the downloaded files usually are downloaded during the course of 2 days. Anyone else experiencing the same issue (and does anyone know a fix to the issue)?
Unique files will only be automatically downloaded once by the Console Server. If you're seeing multiple files of the same name, they must be different in some way. Perhaps different versions of a program or library?
The differences between the files is highlighted by those random characters after the file name. This is the SHA-256 hash of the file. The Console Server examines the file hashes to determine whether the file has already been downloaded, not just the name. This way, should malware masquerade as a legitimate program already on the system and use its file name, it will still be captured by Endpoint and be automatically downloaded since the file hash will not match a file already known.
Thank you for your reply. The scenario that you describe is also what I would expect when reading the documentation. Unfortunately things are a bit different on our systems. What I have seen is for instance a file called (this is a ficticiuos example):
The SHA256 is identical for all of the files, the only part changing is the trailing random characters. So far I have only encountered this issue on files downloaded in 2014 and 2015, but I wanted to know if anyone else had seen the same behavior and if it had been spotted recently?