Advanced File Analysis report
With TRITON AP-WEB, when Advanced File Analysis is enabled on the Settings > Scanning > Scanning Options page, you can use the Reporting > Advanced File Analysis report page to view specific information about the results of advanced file analysis. The report is designed to provide visibility into suspicious files accessed through your network and sent to either of the following for analysis:
*
*
Use the options above the table to filter the data that is displayed.
* The Time period for the report.
* If you are using Microsoft SQL Express, the maximum time period is 30 days.
* The Total number of incidents reported for that time period is provided.
*
* Malicious to include files that analysis has found to be malicious.
* Suspicious to include files found to have suspicious characteristics.
* No threat detected to report on files in which analysis did not find any malicious or suspicious characteristics.
The number of files included in the table is provided for each threat level.
The top (up to 200) results that match your filter are displayed in a table. By default, the following columns are included:
* Threat Level: an assessment of the level of threat (malicious, suspicious, or none) associated with a file.
Click a link in this column to:
*
*
 
* Incident time: the date and time the file was sent for analysis.
* User: the user name (or IP address) associated with the activity that prompted the file analysis.
* Source: the IP address of the client machine in your network that sent or received the file.
  Click an IP address to open an Investigative Report that will provide more details for the browsing being done by that source IP on the day the file was analyzed.
* Destination: the IP address of the recipient of the HTTP request.
* URL: the URL from which the file is being downloaded or to which the file is being posted.
  In some cases the URL may be truncated. Hover over the entry to view the complete URL.
* Analyzed by: the IP address of the Threat Protection cluster or the location of the File Sandbox data center.
Use the Customize option to add or remove columns from the table. In the window provided, check the box next to the column headings you want to include. Uncheck the box next to any column heading you want to remove.
* Platform: the platform that provided the file analysis (Threat Protection or File Sandbox).
* Severity: the level of severity of the threat, on a scale of 1 to 10.
* Result Type: indicates whether there was a Hash match or this was considered New analysis.
  Hash match means that the file hash (not the file) was actually sent for analysis and was found in the records of the analysis platform. The file is recognized and the Threat Level is known.
  New analysis means we don't have a record of having seen the file before, so the entire file was sent for analysis. Analysis shows whether or not the file contains a threat.
* Protocol: the protocol used to transfer the file.
* File Name: the name of the file sent for analysis.
* File Hash: a SHA1 hash of the file sent for analysis.
* File Size (KB): the total file size, in kilobytes.
* File Type: the type of file sent for analysis. Types include PDF, Image, Executable, Document, and Web Page as well as others.
* Content Gateway: the IP address of the Content Gateway machine that sent the file for analysis.
Note that customized column selections are not stored. The columns reset each time you exit and return to the page.
 
Use the other links and options to:
* Use the arrows beside a column heading to change the report's sort order.
* Click Export to CSV to add the data to a file named excel.csv, by default. If the displayed data has been filtered, the same filter is used. All columns are included in the exported data, even if not previously selected for the report.
  A maximum of 10,000 rows can be included in the exported data. Any data that exceeds the limit will not be included in the spreadsheet.
* Use the paging options below the table to display other report pages.
* Click Refresh to update the displayed data to include information that was added to the log database files since the report was initially displayed.
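The following added example (not part of the product or its documentation) shows one way to triage an exported CSV offline: it groups Malicious and Suspicious rows by File Hash, lists the clients that touched each file, and flags an export that has reached the 10,000-row limit. It assumes the CSV header row uses the report's column headings; the sample rows, hash values, and the `triage` function name are constructed for illustration.

```python
import csv
import io

EXPORT_ROW_CAP = 10_000  # export limit stated in the report documentation
RANK = {"malicious": 2, "suspicious": 1}  # "No threat detected" rows are skipped

H1, H2, H3 = "a" * 40, "b" * 40, "c" * 40  # constructed placeholder SHA1 values
# Constructed sample; assumes the CSV header row uses the report's column headings.
SAMPLE_CSV = (
    "Threat Level,Incident time,User,Source,URL,Severity,Result Type,File Hash\n"
    f"Malicious,2016-03-01 09:14,jdoe,10.0.0.21,http://files.example/a.exe,9,New analysis,{H1}\n"
    f"Malicious,2016-03-01 09:40,asmith,10.0.0.34,http://files.example/a.exe,9,Hash match,{H1}\n"
    f"Suspicious,2016-03-01 10:02,jdoe,10.0.0.21,http://files.example/b.pdf,5,New analysis,{H2}\n"
    f"No threat detected,2016-03-01 10:05,10.0.0.50,10.0.0.50,http://files.example/c.png,1,Hash match,{H3}\n"
)

def triage(csv_text, min_severity=1):
    """Group Malicious/Suspicious rows by file hash; return (findings, truncated)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # At the cap, later incidents may be missing: narrow the filter and re-export.
    truncated = len(rows) >= EXPORT_ROW_CAP
    by_hash = {}
    for row in rows:
        level = row["Threat Level"].strip().lower()
        severity = int(row.get("Severity") or 0)
        if level not in RANK or severity < min_severity:
            continue
        key = row["File Hash"].strip().lower()
        entry = by_hash.setdefault(key, {
            "hash": key, "threat_level": level, "severity": severity,
            "sources": set(), "users": set(), "urls": set(),
        })
        # Keep the worst verdict and highest severity seen for this hash.
        if RANK[level] > RANK[entry["threat_level"]]:
            entry["threat_level"] = level
        entry["severity"] = max(entry["severity"], severity)
        entry["sources"].add(row["Source"])
        entry["users"].add(row["User"])
        entry["urls"].add(row["URL"])
    # Highest severity first, then the files that reached the most clients.
    findings = sorted(by_hash.values(),
                      key=lambda e: (-e["severity"], -len(e["sources"])))
    return findings, truncated

if __name__ == "__main__":
    results, cut = triage(SAMPLE_CSV)
    for f in results:
        print(f["threat_level"], f["severity"], f["hash"], sorted(f["sources"]))
    print("export may be truncated" if cut else "export complete")
```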
Configure delegated administrator access to the Advanced File Analysis report using the Access investigative reports and Report on all clients options in the Reporting Permissions section of the Delegated Administration > Edit Roles page. The menu option Advanced File Analysis report will not be available to administrators whose role does not have both options selected.

Copyright 2016 Forcepoint LLC. All rights reserved.