Changing File Status or Remediate

Note: By default, the blocking option is disabled in the policy. To enable blocking, in the policy configuration, change the Blocking option to Enabled under Response Action Settings. For more information, see the NetWitness Endpoint Configuration Guide.

To change the status of a file:

  1. Do one of the following:

    • Go to Hosts (Processes, Autoruns, Files, Drivers, Libraries, or Anomalies tab).
    • Go to Files.
  2. Select one or more files and do one of the following:

    • Right-click and select Change File Status from the context menu.
    • Click Change File Status in the toolbar.
  3. In the Change File Status dialog, select a status - Blacklist, Whitelist, Graylist, or Neutral.

    Note: You cannot whitelist certain Microsoft files, such as cscript.exe, wscript.exe, cmd.exe, bash.exe, as there is a potential risk of them being used for malicious purposes. For more information, see Files Restricted from Whitelisting.

    If you select Blacklist or Graylist, the following options are displayed:

    1. Category: Select the appropriate category type: Generic Malware, APT: Advanced Persistent Threats, Attacker Tool, Unidentified, Ransomware.

      Caution: Before blocking, make sure that you review the file because this may cause the system or software to be unusable.

    2. Remediate: Select Block to block the file.

      Note: Blocking is supported only for Windows hosts that are running in advanced mode. All PE files, along with files that have the following extensions, can be blocked:
      .exe, .com, .sys, .dll, .scr, .ocx, .bat, .ps1, .vbs, .vbe, .vb, .wsh, .wsf, .cmd
      You cannot block the following:
      - Memory DLLs and floating code
      - Files that are signed by Microsoft or RSA
      To delete a blocked file, log in to the host and run the delete command from an elevated command prompt.

  4. Add a comment and click Save.

You can change the status of only 100 files at a time. When the status is changed, it affects the file status on all hosts on which the file is present. The status change is sent as a session under the File category and is available for investigation. If the file is seen in a subsequent scan or in tracking, the corresponding sessions contain a meta value with the file status (except for Neutral).

Import File Hashes using the Block Hash tool

The Block Hash tool allows you to import a set of file hashes which can be set to block state and change the file bias status (whitelist, blacklist, and graylist). The tool allows you to block the imported file hashes (suspicious, invalid, and malicious) and prevent them from opening or executing on the hosts. You can block up to a maximum of 50,000 file hashes using this tool.

Note: For more information on changing the file status or blocking the file, see Changing File Status or Remediate.

IMPORTANT:
- Enter only valid SHA256 hashes; otherwise, the blocking functionality might break.
- Do not block any file hashes signed by RSA, Microsoft, or Apple. Doing so might make your endpoints unresponsive.
- Make sure the number of hashes in the JSON file does not exceed the number of hashes that can still be blocked (the maximum is 50,000 in total).
For example: if 100 file hashes are already blocked as part of the NetWitness deployment, you can block only 49,900 more file hashes using this tool.

JSON File Format

The example below describes the JSON file format for blocking and blacklisting the file hashes.

Sample demoblock.JSON:

    [{
      "checksums": [
        "1b30e463ebe0131db66fce7d4aa43f3e149064d85c4c0dc5218b077886da2804",
        "67fa30e463ebe0131db66fce7d4aa43f3e149064d85c4c0dc5218b077dsbhb561",
        "78vbba909e463ebe0131dsdsdb66fce7d4aa43f3e1dsdsd49064d85dsdsman61n"
      ],
      "fileStatus": "Blacklist",
      "comment": "File blocking set through new tool",
      "remediationAction": "Block"
    }]

The example below describes the JSON file format only for blacklisting the file hashes.

Sample demoblock.JSON:

    [{
      "checksums": [
        "2b30e463ebe0131db66fce7d4aa43f3e149064d85c4c0dc5218b077886da2800",
        "97fa30e463ebe0131db66fce7d4aa43f3e149064d85c4c0dc5218b077dsbhb500",
        "38vbba909e463ebe0131dsdsdb66fce7d4aa43f3e1dsdsd49064d85dsdsman68c"
      ],
      "fileStatus": "Blacklist",
      "comment": "File status change set through new tool"
    }]

To block the file hashes using the Block Hash tool:

  1. SSH to node 0 and copy the JSON file containing the file hashes to be blocked onto it.

  2. Run the tool.

    nw-block-hashes-tool <absolute path of json residing on node 0> <ESA node IP/hostname>

    Note: Replace <absolute path of json residing on node 0> with the JSON file path and <ESA node IP/hostname> with the IP address or hostname of the ESA node.
    For example: nw-block-hashes-tool /root/demoblock.json 10.125.250.118

  3. Enter the Admin Server password.

  4. Follow the instructions displayed on the screen. Enter any one of the following options when prompted.

    • yes: Enter yes to proceed with the execution of the script.

    • no: Enter no to stop the execution of the script.

      Note: At this stage, the tool validates the number of incoming file hashes in the JSON file against the number of file hashes already blocked in the deployment. If the total (incoming through the JSON file plus existing blocked in the deployment) exceeds the maximum limit of 50,000, the tool stops execution and does not proceed further.
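As an added pre-flight check for the JSON file format described above and for the 50,000-hash limit the tool enforces in step 4 (example code written here, not NetWitness's own tool), this script rejects malformed digests, invalid field values and files that would exceed the remaining capacity. It assumes the operator supplies the count of hashes already blocked in the deployment; the sample inputs are constructed.

```python
import json
import re

MAX_BLOCKED_HASHES = 50_000                # deployment-wide limit enforced by the tool
VALID_FILE_STATUS = {"Blacklist", "Whitelist", "Graylist"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)  # SHA256 digest = 64 hex chars


def validate_block_file(text, already_blocked):
    """Check the raw JSON text of a Block Hash input file before upload.
    already_blocked: hashes already blocked in the deployment (operator-supplied assumption).
    Returns a list of problems; an empty list means the file is safe to submit."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(entries, list):
        return ["top-level value must be a JSON array of entries"]
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        status = entry.get("fileStatus")
        action = entry.get("remediationAction")
        if status not in VALID_FILE_STATUS:
            problems.append(f"entry {i}: fileStatus {status!r} is not Blacklist/Whitelist/Graylist")
        if action not in (None, "Block"):
            problems.append(f"entry {i}: remediationAction {action!r} is not 'Block'")
        if action == "Block" and status == "Whitelist":
            # Block is only offered for Blacklist or Graylist in the Change File Status dialog
            problems.append(f"entry {i}: a Whitelisted file cannot be blocked")
        for h in entry.get("checksums", []):
            if not isinstance(h, str) or not SHA256_RE.match(h):
                problems.append(f"entry {i}: {h!r} is not a valid SHA256 hash")
            elif h.lower() in seen:
                problems.append(f"entry {i}: duplicate hash {h}")
            else:
                seen.add(h.lower())
    # Count every well-formed incoming hash against the deployment-wide limit (conservative)
    if already_blocked + len(seen) > MAX_BLOCKED_HASHES:
        problems.append(f"{len(seen)} incoming + {already_blocked} blocked exceeds {MAX_BLOCKED_HASHES}")
    return problems


# Constructed samples: the second digest in SAMPLE_BAD is not hex; SAMPLE_GOOD is well-formed.
SAMPLE_BAD = ('[{"checksums":["1b30e463ebe0131db66fce7d4aa43f3e149064d85c4c0dc5218b077886da2804",'
              '"67fa30e463ebe0131db66fce7d4aa43f3e149064d85c4c0dc5218b077dsbhb561"],'
              '"fileStatus":"Blacklist","comment":"x","remediationAction":"Block"}]')
SAMPLE_GOOD = ('[{"checksums":["' + "ab" * 32 + '"],"fileStatus":"Graylist",'
               '"comment":"constructed","remediationAction":"Block"}]')
```

Run it on the file you intend to pass to nw-block-hashes-tool, with the current blocked count, and fix every reported problem before uploading.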

Files Restricted from Whitelisting

To view or update the files that are restricted from whitelisting, do the following:

  1. On the NW server, run the nw-shell command from the command line.
  2. Run the login command and enter your credentials.
  3. Connect to the Endpoint Server using the following command:

    connect endpoint-server

  4. Run the following commands to view the list of files:

    • cd endpoint/file/status/restricted/get
    • invoke Whitelist
  5. Run the following commands to add files to the list:

    • cd endpoint/file/status/restricted/get
    • invoke '{"id":"<filename>","restrictedStatus":["Whitelist"], "enable":true}'
  6. Run the following commands to delete files from the list:

    • cd endpoint/file/status/restricted/update
    • invoke '{"id":"<filename>","restrictedStatus":["Whitelist"], "enable":false}'