Analyzing Downloaded Files

To perform a deep analysis of suspicious files, you can manually or automatically download the file to the server.

Note: Saving or analyzing a downloaded file works the same way regardless of whether the file was downloaded manually or automatically.

Note: Downloaded files are stored on the Endpoint Server and can fill up its disk space. To use storage efficiently without affecting the health of the Endpoint Server, NetWitness recommends that you configure an external storage mount so that the Endpoint Server stores the downloaded data in that location.
By default, all files are downloaded to /var/netwitness/endpoint-server/<files>/. If you want to change the location, make sure that you have the endpoint-server.configuration.manage permission and do the following:
1. In the Explore view, go to endpoint/download.
2. In base-path, provide the location of the directory.

Caution: By default, the File Download Disk Usage stat in the Health and Wellness view shows unhealthy when disk usage reaches 60%, and file download stops automatically when disk usage is 70%. You can customize the warning and fatal thresholds in Admin > Services > Endpoint Server > view > Explore, using the rsa.endpoint.file-download-disk-thresholds.warning-percent and rsa.endpoint.file-download-disk-thresholds.fatal-percent parameters respectively.

For the downloaded file, you can:

  • Search for strings in the executable
  • View text content for scripts
  • View imported libraries and functions
  • Save a local copy for further analysis

Download Files to Server

Downloading files to the server is not supported for memory DLLs and floating code.

Note: Downloading files may take significant time. Additional requests to the agent during download are queued and processed when the download is complete.

Automatic File Download

By default, files that are unsigned and less than or equal to 1 MB in size are downloaded automatically to the NetWitness Endpoint server. Only a single copy of each file is downloaded automatically. You can limit the volume of files downloaded in the Admin > Endpoint Sources > Policies tab, so that only files matching certain criteria are downloaded automatically. For more information on automatic file download settings, see the "Create an EDR Policy" section in the NetWitness Endpoint Configuration Guide.

The status of the download is displayed in the Files tab > Downloaded column.

Manual File Download

To manually download files to the server from the Hosts view:

  1. Go to Hosts.

  2. Select the hostname to open the Host Details view.

  3. In any of the Processes, Autoruns, Files, Drivers, Libraries, or Anomalies tabs, select the file, and do one of the following:

    • Right-click and select Download File to Server from the context menu.
    • Select Download File to Server from the More Actions drop-down list in the toolbar.

To download files to the server from the Files view:

  1. Go to Files.

  2. Select the file and do one of the following:

    • Right-click and select Download File to Server from the context menu.
    • Select Download File to Server from the More Actions drop-down list in the toolbar.

The status of the download is displayed in the Downloaded column. The download statuses are Downloaded, Not downloaded, and Error.

Save Downloaded Files

You can retrieve a downloaded file and save it to your local file system for further analysis. Downloaded files are stored on the server in the configured location. This option is enabled only if the file has been downloaded to the server.

To save a file:

  1. Go to Hosts or Files.
  2. Right-click the file you want to save and select Save a Local Copy.
  3. Browse the location and click Save.

Analyze Downloaded Files

You can use the Analyze File option to view detailed information about a downloaded file. This option is enabled only if the file is downloaded to the server. To analyze a file:

  1. Go to Hosts or Files.

  2. Right-click the downloaded file and select Analyze File. The File Analysis view opens and the properties of the file are displayed in the right panel.

  3. When analyzing an executable (such as Mach-O, PE, or ELF), view the strings in the file in the Strings view. This view shows each string, its offset in the binary, whether it is unicode, and the length of the string. You can search for or filter on a specific string value in the Filter String field.

  4. View the text content of the file and look for any suspicious behavior in the script file.

    For example, if the file contains C2 information in the form of domain names or IP addresses, it is highly suspicious.

    If you see unprintable keyboard keys listed within the file, such as: [F1], [F2]…[Page Up], [Enter], [ESC], and so on, that may be indicative of a keystroke logger.

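The same triage can be repeated offline on a file saved with Save a Local Copy. The following Python example is added here and is not NetWitness code: it extracts ASCII and UTF-16LE strings with the offset, unicode flag, and length described for the Strings view, then flags strings containing IP addresses, domain names, or key labels. The regular expressions, the short TLD list, the function names, and the sample bytes are assumptions constructed for illustration.

```python
import re

# Key labels: the examples named in the text plus a few assumed siblings.
KEY_LABEL = re.compile(r"\[(?:F\d{1,2}|Page Up|Page Down|Enter|ESC|Tab)\]", re.I)
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Assumed short TLD list; it keeps import names such as kernel32.dll from matching.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|example)\b", re.I)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # 4+ printable bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable UTF-16LE chars

def extract_strings(data):
    """Return sorted (offset, is_unicode, length, text) rows for a byte buffer."""
    rows = [(m.start(), False, len(m.group()), m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(data)]
    rows += [(m.start(), True, len(m.group()) // 2, m.group().decode("utf-16-le"))
             for m in UTF16_RUN.finditer(data)]
    return sorted(rows)

def triage(data):
    """Flag strings that look like network indicators or logged key names."""
    findings = []
    for offset, _is_unicode, _length, text in extract_strings(data):
        if IPV4.search(text) or DOMAIN.search(text):
            findings.append((offset, "network-indicator", text))
        if KEY_LABEL.search(text):
            findings.append((offset, "key-label", text))
    return findings

# Constructed sample bytes (not a real binary): one ASCII IP:port string,
# one UTF-16LE domain, a run of key labels, and a benign import name.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 4
          + b"connect 203.0.113.10:8443" + b"\x00\x01"
          + "updates.example".encode("utf-16-le") + b"\x00\x00\x01"
          + b"[Enter][F1][ESC]" + b"\x00"
          + b"kernel32.dll" + b"\x00")

if __name__ == "__main__":
    for offset, is_unicode, length, text in extract_strings(SAMPLE):
        print(f"{offset:#06x}  unicode={is_unicode!s:5}  len={length:3}  {text}")
    for offset, kind, text in triage(SAMPLE):
        print(f"FLAG {kind} at {offset:#06x}: {text}")
```

To run it against a saved copy, read the file in binary mode and pass the bytes to `triage()`.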