Analyzing Downloaded Files
To perform a deep analysis of suspicious files, you can manually or automatically download the file to the server.
Note: Saving or analyzing downloaded file works the same way irrespective of whether the file is downloaded manually or automatically.
Note: Downloaded files are stored in the Endpoint Server which may fill up the disk space. To utilize the storage efficiently without impacting the health of Endpoint Server, NetWitness recommends you to configure an external storage mount, so all the Endpoint Server can use the configured location to store the downloaded data.
By default, all files are downloaded to /var/netwitness/endpoint-server/<files>/. If you want to change the location, make sure that you have endpoint-server.configuration.manage permissions and do the following:
1. In the Explore view, go to endpoint/download,
2. In the base-path, provide the location of the directory.
Caution: By default, the status File Download Disk Usage stats in the Health and Wellness view shows unhealthy if the disk usage reaches 60% and the file download stops automatically when the disk usage is 70%. You can customize the warning or fatal thresholds in the > Services > Endpoint Server > view > Explore > rsa.endpoint.file-download-disk-thresholds.warning-percent and rsa.endpoint.file-download-disk-thresholds.fatal-percent parameters respectively.
For the downloaded file, you can:
- Search for strings in the executable
- View text content for scripts
- View imported libraries and functions
- Save a local copy for further analysis
Download Files to Server
Downloading file to server is not supported for memory DLL and floating code.
Note: Downloading files may take significant time. Additional requests to the agent during download are queued and processed when the download is complete.
Automatic File Download
By default, the files that are unsigned and size lesser than or equal to 1 MB are downloaded automatically to the NetWitness Endpoint server. And, only single copy of each file is downloaded automatically. You can limit the volume of files to be downloaded in the > Endpoint Sources > Policies tab, so the files matching certain criteria are only downloaded automatically. For more information on automatic file download settings, see "Create an EDR Policy" section in the NetWitness Endpoint Configuration Guide.
The status of the download is displayed in the Files tab > Downloaded column.
Manual File Download
To manually download files to the server from the Hosts view:
-
Go to Hosts.
-
Select the hostname to open the Host Details view.
-
In any of the Processes, Autoruns, Files, Drivers, Libraries, or Anomalies tabs, select the file, and do one of the following:
- Right-click and select Download File to Server from the context menu.
- Select Download File to Server from the More Actions drop-down list in the toolbar.
To download files to the server from the Files view:
-
Go to Files.
-
Select the file and do one of the following:
- Right-click and select Download File to Server from the context menu.
- Select Download File to Server from the More Actions drop-down list in the toolbar.
The status of the download is displayed in the Downloaded column. The download statuses are Downloaded, Not downloaded, and Error.
Save Downloaded Files
You can retrieve a downloaded file and save it to your local file system for further analysis. Downloaded files are stored in the server in the configured location. This option is enabled only if the file is downloaded to the server.
To save a file:
- Go to Hosts or Files .
- Right-click the file you want to save and select Save a Local Copy.
- Browse the location and click Save.
Analyze Downloaded Files
You can use the Analyze File option to view detailed information about a downloaded file. This option is enabled only if the file is downloaded to the server. To analyze a file:
-
Go to Hosts or Files.
-
Right-click the downloaded file and select Analyze File. The File Analysis view opens and properties of the are is displayed in the right panel.
-
View strings in the file in the Strings view while analyzing an executable (such as macho, pe, elf). This view contains the string, offset in the binary, unicode, and the length of the string. You can search for or filter on a specific string value in the Filter String field.
-
View the text content of the file and look for any suspicious behavior in the script file.
For example, if the file contains C2 information in the form of domain names or IP addresses, it is highly suspicious.
If you see unprintable keyboard keys listed within the file, such as: [F1], [F2]…[Page Up], [Enter], [ESC], and so on, that may be indicative of a keystroke logger.