ON THIS PAGE
SMB File Download Details
To access this page, navigate to Monitor > ATP > File Scanning > SMB File Download. Click on the File Hash link in Full File tab to go to the SMB File Download Details page.
SMB protocol is supported only for Security Director Cloud use cases.
Use this page to view analysis information and malware behavior summaries for the downloaded file. This page is divided into several sections:
Button/Link |
Purpose |
---|---|
Report False Positive |
Click this button to launch a new screen which lets you send a report to Juniper Networks, informing Juniper of a false position or a false negative. Juniper will investigate the report; however, this does not change the verdict. |
Download STIX Report |
When there is a STIX report available, a download link appears on this page. Click the link to view gathered, open-source threat information, such as blocklisted files, addresses and URLs. STIX (Structured Threat Information eXpression) is a language used for reporting and sharing threat information using TAXII (Trusted Automated eXchange of Indicator Information). TAXII is the protocol for communication over HTTPS of threat information between parties. STIX and TAXII are an open community-driven effort of specifications that assist with the automated exchange of threat information. This allows threat information to be represented in a standardized format for sharing and consuming. Juniper ATP Cloud uses this information as well as other sources. This occurs automatically. There is no administrator configuration required for STIX. STIX reports will vary. View a sample report at the bottom of this page. Note:
Juniper ATP Cloud can also share threat intelligence. You can control what threat information is shared from the Threat Sharing page. See Configure Threat Intelligence Sharing. |
Download Zipped File |
(When available) Click this link to download the quarantined malware for analysis. The link allows you to download a password-protected zipped file containing the malware. The password for the zip file is the SHA256 hash of the malware exe file (64 characters long, alpha numeric string) shown in the General tab for the file in question. |
Download PDF Report |
Click this link to download a detailed report on the file in question. The report includes file threat level, protocol seen, file category and size, client IP address and username, and much more information, if available. This data is provided in a formatted PDF with a TOC. |
The top of the page provides a quick view of the following information (scroll to the right in the UI to see more boxes):
-
Threat Level—This is the threat level assigned (0-10), This box also provides the file name and threat category.
-
Top Indicators—In this box, you will find the signature match for the file name, and the antivirus details.
-
Prevalence—This box provides information on how often this malware has been seen, how many individual hosts on the network downloaded the file, and the protocol used.
File Summary
Field |
Definition |
---|---|
General | |
Threat Level |
This is the assigned threat level 0-10. 10 is the most malicious. |
Global Prevalence |
How often this file has been seen across different customers. |
Last Scanned |
The time and date of the last scan to detect the suspicious file. |
File Information | |
File Name |
The name of the suspicious file. Examples: unzipper-setup.exe, 20160223158005.exe,, wordmui.msi. |
Category |
The type of file. Examples: PDF, executable, document. |
Size |
The size of the downloaded file. |
Platform |
The target operating system of the file. Example. Win32 |
Malware Name |
If possible, Juniper ATP Cloud determines the name of the malware. |
Type |
If possible, Juniper ATP Cloud determines the type of threat. Example: Trojan, Application, Adware. |
Strain |
If possible, Juniper ATP Cloud determines the strain of malware detected. Example: Outbrowse.1198, Visicom.E, Flystudio. |
Other Details | |
sha256 and md5 |
One way to determine whether a file is malware is to calculate a checksum for the file and then query to see if the file has previously been identified as malware. |
SMB Downloads
This is a list of hosts that have downloaded the suspicious file. Click the Host Identifier link to be taken to the Host Details page for this host.