HTTP File Download Details

To access this page, navigate to Monitor > Threat Prevention > HTTP File Download. Click on the File Signature to go to the File Scanning Details page.

Use this page to view analysis information and malware behavior summaries for the downloaded file. This page is divided into several sections:

Report False Positives—Click the Report False Positive button to launch a new screen which lets you send a report to Juniper Networks, informing Juniper of a false position or a false negative. Juniper will investigate the report, however, this does not change the verdict. If you want to make a correction (mark system as clean) you must do it manually.

Printable View—Click this link to organize the information into a print-ready format.

The top of the page provides a quick view of the following information (scroll to the right in the UI to see more boxes):

Threat Level—This is the threat level assigned (0-10), This box also provides the threat category and the action taken.
Top Indicators—In this box, you will find the malware name, the signature it matches, and the IP address/URL from which the file originated.
Prevalence—This box provides information on how often this malware has been seen, how many individual hosts on the network downloaded the file, and the protocol used.

File Summary

Table 29: General Summary Fields

Field	Definition
Threat Level	This is the assigned threat level 0-10. 10 is the most malicious.
Action Taken	The action taken based on the threat level and host settings: block or permit.
Global Prevalence	How often this file has been seen across different customers.
Last Scanned	The time and date of the last scan to detect the suspicious file.
File Name	The name of the suspicious file. Examples: unzipper-setup.exe, 20160223158005.exe,, wordmui.msi.
Category	The type of file. Examples: PDF, executable, document.
File Size	The size of the downloaded file.
Platform	The target operating system of the file. Example. Win32
Malware Name	If possible, Sky ATP determines the name of the malware.
Malware Type	If possible, Sky ATP determines the type of threat. Example: Trojan, Application, Adware.
Malware Strain	If possible, Sky ATP determines the strain of malware detected. Example: Outbrowse.1198, Visicom.E, Flystudio.
sha256 and md5	One way to determine whether a file is malware is to calculate a checksum for the file and then query to see if the file has previously been identified as malware.

In the Network Activity section, you can view information in the following tabs:

Contacted Domains—If available, lists any domains that were contacted while executing the file in the Sky ATP sandbox.
Contacted IPs—If available, lists all IPs that were contacted while executing the file, along with the destination IP’s country, ASN, and reputation. The reputation field is based on Juniper IP intelligence data destination.
DNS Activity— This tab lists DNS activity while executing the file, including reverse lookup to find the domain name of externally contacted servers. This tab also provides the known reputation of the destination servers.

HTTP Downloads

This is a list of hosts that have downloaded the suspicious file. Click the IP address to be taken to the Host Details page for this host. Click the Device Serial number to be taken to the Devices page. From there you can view device versions and version numbers for the Sky ATP configuration, including profile, whitelist, and blacklist versions. You can also view the malware detection connection type for the device: telemetry, submission, or C&C event.

HTTP File Download Details

File Summary

HTTP Downloads

Related Documentation

Help us to improve. Rate this article.