Cisco FirePOWER Appliance 8130
34-25
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Captured Files
Understanding the Captured Files Table
License: Malware
The Defense Center logs when a managed device captures a file being transmitted in monitored network traffic, according to the settings in an applied file policy.
The table view of captured files, which is the final page in predefined captured file workflows, and which you can add to custom workflows, includes a column for each field in the captured files table. Some fields in the table view of captured files are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns. The following table describes the captured file fields.
Table 34-6 Captured File Fields

Last Changed
    The last time the information associated with this file was updated.

File Name
    The most recently detected file name associated with the file’s SHA-256 hash value.

Disposition
    One of the following file dispositions:
    • Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
    • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
    • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
    • Custom Detection indicates that a user added the file to the custom detection list.
    • Unavailable indicates that the Defense Center could not perform a malware cloud lookup.
    • N/A indicates a Detect Files or Block Files rule handled the file and the Defense Center did not perform a malware cloud lookup.

SHA256
    The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition. To view the network file trajectory, click the trajectory icon. For more information, see .

Threat Score
    The threat score most recently associated with this file: Low, Medium, High, or Very High (each shown as an icon). To view the Dynamic Analysis Summary report, click the threat score icon.

Type
    The type of file, for example, HTML or MSEXE.

Category
    The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Storage Status
    Whether the file is stored on a managed device.

Analysis Status
    Whether the file was submitted for dynamic analysis.

Last Sent
    The time the file was most recently submitted to the cloud for dynamic analysis.
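The fields above are what an analyst works from when deciding which captured files need attention. The following Python script is an added example, not code from Cisco or from the FireSIGHT product: it assumes the captured files table has been exported to CSV with the column names from Table 34-6, validates the SHA256 column, and sorts each record into a triage bucket by its Disposition and Threat Score. The CSV layout, the Storage Status and Analysis Status values, the bucket names, and every sample row are constructed for this example; the review threshold stands in for the malware threshold a file policy defines.

```python
"""Triage of captured-file records by disposition and threat score.

Added example, not code from the FireSIGHT product or its documentation.
Assumes a CSV export whose header row uses the column names from Table 34-6;
the export layout, status values and sample rows are constructed here.
"""
import csv
import io
import re

# Disposition values exactly as listed in the Disposition field description.
BLOCK = {"Malware", "Custom Detection"}   # cloud verdict or analyst-maintained list
CLEAN = {"Clean"}
PENDING = {"Unknown"}                      # lookup happened, cloud has no verdict yet
LOOKUP_FAILED = {"Unavailable"}            # Defense Center could not reach the cloud
NO_LOOKUP = {"N/A"}                        # Detect/Block Files rule, no lookup performed

# Threat score labels in ascending order, as listed under Threat Score.
SCORE_ORDER = ["Low", "Medium", "High", "Very High"]

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hexadecimal characters."""
    return bool(SHA256_RE.match(value.strip()))


def score_rank(label: str) -> int:
    """Position of a threat score label in SCORE_ORDER; -1 if blank or unrecognized."""
    label = label.strip()
    return SCORE_ORDER.index(label) if label in SCORE_ORDER else -1


def triage(row: dict, review_at: str = "High") -> str:
    """Map one captured-file record to a triage bucket (bucket names are constructed).

    review_at plays the role of the malware threshold set in a file policy: an
    Unknown file whose threat score is at or above it is surfaced for analyst
    review instead of being left to wait for a cloud verdict.
    """
    if not valid_sha256(row.get("SHA256", "")):
        return "invalid-record"   # without a usable hash there is nothing to pivot on
    disposition = row.get("Disposition", "").strip()
    if disposition in BLOCK:
        return "block"
    if disposition in CLEAN:
        return "clean"
    if disposition in PENDING:
        if score_rank(row.get("Threat Score", "")) >= score_rank(review_at):
            return "review"
        return "awaiting-verdict"
    if disposition in LOOKUP_FAILED:
        return "retry-lookup"
    if disposition in NO_LOOKUP:
        return "no-lookup"
    return "unrecognized-disposition"


def summarize(csv_text: str, review_at: str = "High") -> dict:
    """Group file names from a CSV export by triage bucket."""
    buckets: dict = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(triage(row, review_at), []).append(row["File Name"])
    return buckets


# Constructed sample export; hash values are placeholders, not real digests.
SAMPLE_CSV = "\n".join([
    "File Name,Disposition,SHA256,Threat Score,Type,Category,Storage Status,Analysis Status",
    f"invoice.exe,Malware,{'a' * 64},Very High,MSEXE,Executables,Stored,Submitted",
    f"report.pdf,Clean,{'b' * 64},Low,PDF,PDF files,Not stored,Not submitted",
    f"setup.exe,Unknown,{'c' * 64},High,MSEXE,Executables,Stored,Submitted",
    f"page.html,N/A,{'d' * 64},,HTML,,Not stored,Not submitted",
    f"tool.exe,Unavailable,{'e' * 64},,MSEXE,Executables,Stored,Not submitted",
    "bad.bin,Custom Detection,deadbeef,,,,Stored,Not submitted",
])

if __name__ == "__main__":
    for bucket, names in sorted(summarize(SAMPLE_CSV).items()):
        print(f"{bucket:24} {', '.join(names)}")
```

Running the script prints one line per bucket. Unknown is the bucket worth watching: a lookup happened but the cloud has not categorized the file yet, so the threat score is the only signal, and raising or lowering review_at changes whether such files are queued for review or left to wait for a verdict.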