Netskope Help

About Malware

To view files affected by malware in your organization, go to Incidents > Malware.

On the Malware page, you can:

  1. Refresh the malware incident results.

  2. Filter malware incidents by a specific time frame. You can use a predefined time frame or choose Date Range to use the calendar and time menus to customize your own.

  3. Search and filter the malware incidents by a query.

  4. View the primary metrics of the malware incidents:

    • Malware: The total number of malware detected by the scan.

    • Users Affected: The total number of users whose files were affected by malware.

    • Files Affected: The total number of files quarantined or that triggered an alert.

  5. View a list of malware incidents. For each incident, you can see the following information:

    • Malware Name: The name of the detected malware. Click to view malware details.

    • Malware Type: The type of malware detected such as a virus, custom hash hit, etc.

    • Severity: The severity level Netskope assigned to the malware. The severity categories are:

      • High: Viruses

      • Medium: Spyware

      • Low: Other malware

      To learn more about these definitions: Malware Detection Types.

    • #Users: The number of users affected by the malware.

    • #Files: The number of files affected by the malware.

    • Tiimestamp (GMT): The time the file was detected by the scan and an action was taken based on your selected quarantine profile.

  6. Sort the table by the above information.

  7. Export all malware incidents (up to 500,000 rows) to a CSV file.

  8. View up to 100 overrides per page.

  9. View multiple pages of the table.

The features of the Malware page.
Viewing Malware Details

On the Malware page, you can click the malware name to see more comprehensive details.

The Malware Name on the Malware page

On the Malware Details page, you can:

  1. Refresh the malware incident results.

  2. Filter malware incidents by a specific time frame. You can use a predefined time frame or choose Date Range to use the calendar and time menus to customize your own.

  3. View the primary metrics related to malware incident:

    • Type: The type of malware detected such as a virus, custom hash hit, etc. You can click the Info icon for a short description.

    • Users Affected: The total number of users whose files were affected by the malware.

    • Files Affected: The total number of files quarantined or that triggered an alert.

  4. View a list of the users affected by the malware. You can sort the table or click Export to save a list of affected users (up to 500,000 rows) to a CSV file.

  5. View a list of files affected by the malware. For each file, you can see the following information:

    • File Name: The name of the infected file. Click to view the file details.

    • Application: The application associated with the file and affected by the malware.

    • Instance: The name of the Netskope tenant.

    • Exposure: The file sharing settings of the infected file, which are controlled in the application. The settings include:

      • Private

      • Internally Shared

      • Externally Shared

      • Public

    • MD5: The MD5 hash calculated from the file during detection. You can use this hash value to confirm that the file you have downloaded is the same file that was scanned. You can use this if there is a discrepancy or for an internal incident response plan.

    • Mode: The type of Netskope policies that detected the infected file.

      • Inline: The real-time protection policies detected the file.

      • Introspection: The API data protection policies detected the file.

    • Action: The action taken on the infected file based on your configured quarantine profile.

      • Detection: Netskope detected the file and sent an alert.

      • Quarantine: Netskope detected the file and quarantined it.

  6. Sort the table by the above information.

  7. Export all files affected (up to 500,000 rows) to a CSV file.

  8. Click the Menu icon to choose one of the following options:

    • Quarantine: Click to choose a quarantine profile and quarantine the infected file . This option only appears if the infected file triggered an alert.

    • Restore: Click to restore the infected file. This option only appears if the infected file was quarantined.

    • Download: Click to download the malicious file sample as a password-protected ZIP file. You can go to Settings > Threat Protection > API-enabled Protection to get the ZIP password. This option only applies to API Data Protection.

    • Add to File Profile: Click to add the file hash to a file profile, which you can use to allow or block the file. Allowlists and blocklists are supported for real-time protection only.

  9. View up to 100 affected files per page.

  10. View multiple pages of the table.

The features of the Malware Details page under Incidents.
Viewing File Details

On the Malware Details page, you can click the file name to see an in depth analysis.

The File Name in the Files Affected list on the Malware Details page.

On the File Details page, you can:

  1. View summarized information on the infected file:

    • MD5: The MD5 hash value of the file. You can use it to validate data integrity.

    • SHA256: The SHA-256 hash value of the file. You can use it to find identical files.

    • Users Affected: The total number of users affected by the file.

    • Threats Detected: The type of threat detected.

  2. Look up more malware information on VirusTotal, a third-party aggregator of malware information. VirusTotal is a complementary source of information and might not have details on all malware especially in documents that are private to your ogranization.

  3. Add the file hash to a file profile that allows or blocks the infected file. You can use this option to add an infected file to an allowlist so it's exempted from the analytics engine.

  4. Export the infected file details as a STIX report (.xml) or PCAP file (.pcap).

  5. View Netskope AV signature matching for the infected file.

  6. View advanced heuristics analysis for the infected file.

  7. View cloud sandbox analysis for the infected file.

  8. View file analysis from Netskope Threat Intelligence. Netskope's curated threat intelligence includes indicators of compromise (IOCs) gleaned from detections discovered by advanced scanning engines in the Netskope cloud.

  9. View file analysis from an integrated third-party threat detection engine, such as Palo Alto Networks Wildfire, Juniper SkyATP, and Check Point SandBlast. To learn more: Advanced Threat Protection. Click Download Analysis Result to download the results as a PDF file.

The features of the File Details page under Incidents.