About Malware

To view files affected by malware in your organization, go to Incidents > Malware.

Viewing File Incidents

In the Files tab, you can:

  1. Refresh the malware incident results.
  2. Filter malware incidents by a specific time frame. You can use a predefined time frame or choose Date Range to use the calendar and time menus to customize your own.
  3. Click + Add Filter to filter the malware incidents and narrow your search results. You can also click the Netskope Query Mode icon to search and filter the malware incidents by a query.
  4. View the primary metrics of the malware incidents:
    • Users Affected: The total number of users whose files were affected by malware.
    • Malware: The total number of malware detected by the scan.
    • Incidents: The total number of malware incidents detected with Real-Time Protection.
  5. View a list of files affected by the malware. For each file, you can see the following information:
    • File Name: The names of the files associated with the malware. Click to view the file details.
    • Application: The application associated with the file and affected by the malware.
    • User: The user affected by the malware.
    • Instance: The instance of the accessed application.
    • Exposure: The file sharing settings of the infected file, which are controlled in the application. The settings include:
      • Private
      • Internally Shared
      • Externally Shared
      • Public
    • MD5: The MD5 hash calculated from the file during detection. You can use this hash value to confirm that the file you have downloaded is the same file that was scanned.
    • Mode: The type of Netskope policies that detected the infected file.
      • Inline: The real-time protection policies detected the file.
      • Introspection: The API data protection policies detected the file.
    • Action: The action taken on the infected file based on your policy.
    • #Incidents: The number of incidents caused by the infected file for inline access mode. Click to see the following information:
      • Last Seen: The time the incident occurred with the infected file. For each new incident, Netskope creates a new timestamp and incident ID.
      • Incident ID: The unique ID for each time Netskope sees the infected file inline. Click to go to Skope IT Alerts and see all the transactions associated with the incident ID and MD5 of the infected file.
      • Policy Action: The action taken on the infected file based on your policy.

        Note

        Incident information is only available for Inline mode. For Introspection mode, the column always displays zero incidents.

    • Malware Name: The name of the detected malware.
    • Severity: The severity level Netskope assigned to the malware. The severity categories are:
    • Detection Engines: The threat engines that detected the infected file.
    • Detection Time (GMT): The last time Netskope detected the file hash in GMT.
    • Detection Time: The last time Netskope detected the file hash in your local time zone.
  6. Sort the table by the above information.
  7. Export all malware incidents (up to 500,000 rows) to a CSV file. All incidents display Detection for the Last_action column.
  8. Click the Settings icon to customize table columns or restore the default ones.
  9. Click the More icon to choose one of the following options:
    • Download: Click to download the malicious file sample as a password-protected ZIP file. You can go to Settings > Threat Protection > API-enabled Protection to get the ZIP password. This option only applies to API Data Protection (Introspection).
    • Report False Positive: Click to do the following.
      • Report false positive: Click to report the file to Netskope as a false positive, which opens a Netskope Support case to track the resolution. To use this feature, you must be logged in to your tenant and have an active account on the Netskope Support Portal.
      • Add to file profile: Click to add the file hash to a file profile, which you can use to allow or block the file. Allowlists and blocklists are supported for real-time protection only.
    • View Alerts: Click to go to Skope IT Alerts and see all the transactions associated with the incident ID and MD5 of the infected file.
    • Download Retention File: Click to download the retained malicious file sample as a password-protected ZIP file. The password is "infected". This option only applies to Real-Time Protection (Inline).
  10. View up to 100 malware incidents per page.
  11. View multiple pages of the table.
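
The MD5 column exists so you can confirm that a downloaded sample is the file that was scanned. The following is an added example, not Netskope code, that hashes the contents of the downloaded ZIP in memory, without extracting the sample to disk, and compares the result with the values copied from the console. It assumes the archive uses legacy ZIP encryption, the only kind Python's zipfile module can decrypt; the function names and the harmless constructed archive are illustrative.

```python
import hashlib
import io
import zipfile


def _norm(value):
    """Normalize a hash copied from the console: trim whitespace, lowercase."""
    return value.strip().lower()


def verify_sample(zip_source, password, expected_md5, expected_sha256=None):
    """Hash each member of the sample ZIP in memory and compare to console values.

    Returns {member_name: bool}. Nothing is written to disk.
    """
    results = {}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            md5, sha256 = hashlib.md5(), hashlib.sha256()
            # Stream the member in chunks so large samples do not fill memory.
            with zf.open(info, pwd=password) as member:
                for chunk in iter(lambda: member.read(1 << 16), b""):
                    md5.update(chunk)
                    sha256.update(chunk)
            ok = md5.hexdigest() == _norm(expected_md5)
            if expected_sha256 is not None:
                ok = ok and sha256.hexdigest() == _norm(expected_sha256)
            results[info.filename] = ok
    return results


def build_constructed_zip(payload=b"abc"):
    """Constructed stand-in for a downloaded sample (unencrypted, harmless)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", payload)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # MD5 and SHA-256 of b"abc", standing in for values copied from the console.
    md5 = "900150983CD24FB0D6963F7D28E17F72 "
    sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(verify_sample(build_constructed_zip(), b"infected", md5, sha256))
```

Where the SHA-256 from the File Details page is available, pass it as well: matching MD5 alone does not rule out a crafted collision.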

Viewing Detection Engine Details

In the Detection Engine tab, you can:

  1. Refresh the malware incident results.
  2. Filter malware incidents by a specific time frame. You can use a predefined time frame or choose Date Range to use the calendar and time menus to customize your own.
  3. Click + Add Filter to filter the malware incidents and narrow your search results. You can also click the Netskope Query Mode icon to search and filter the malware incidents by a query.
  4. View the primary metrics of the malware incidents:
    • Users Affected: The total number of users whose files were affected by the malware.
    • Malware: The total number of malware detected by the scan.
    • Incidents: The total number of malware incidents detected with Real-Time Protection.
  5. View a list of threat detection engines involved with the malware incidents. For each engine, you can see the following information:
    • Detection Engine: The Netskope or integrated partner threat engines that detected the malicious files.
    • Malware: The total number of malware detected by the threat engine.
    • #Users: The total number of users affected by the malware.
    • #Files: The total number of files affected by the malware. Click to view the file details.
  6. Sort the table by the above information.
  7. Export a list of the detection engine details (up to 500,000 rows) to a CSV file.
  8. View up to 100 affected files per page.
  9. View multiple pages of the table.

Viewing File Details

On the Malware Details page, you can click the file name to see an in-depth analysis.

On the File Details page, you can:

  1. View summarized information on the infected file:
    • MD5: The MD5 hash value of the file. You can use it to validate data integrity. Click to copy it to your clipboard.
    • SHA256: The SHA-256 hash value of the file. You can use it to find identical files. Click to copy it to your clipboard.
    • Users Affected: The total number of users affected by the file.
    • Threats Detected: The type of threat detected.
  2. Go to Skope IT Alerts and see all the malware detection alerts associated with the MD5 of the infected file.
  3. Look up more malware information on VirusTotal, a third-party aggregator of malware information. VirusTotal is a complementary source of information and might not have details on all malware, especially in documents that are private to your organization.
  4. Click to:
    • Report the file to Netskope as a false positive and open a Netskope Support case to track the resolution.
    • Add the file hash to a file profile that allows or blocks the infected file. You can use this option to add an infected file to an allowlist so it’s exempted from the analytics engine.
  5. Export the infected file details as a STIX report (.json) or PCAP file (.pcap).
  6. View Netskope AV signature matching for the infected file.
  7. View advanced heuristics analysis for the infected file.
  8. View cloud sandbox analysis for the infected file.
  9. View detections from Netskope Threat Intelligence. Netskope’s curated threat intelligence includes indicators of compromise (IOCs) gleaned from detections discovered by advanced scanning engines in the Netskope cloud.
  10. View file analysis from an integrated third-party threat detection engine, such as Palo Alto Networks Wildfire, Juniper SkyATP, and Check Point SandBlast. To learn more, see Advanced Threat Protection. Click Download Analysis Result to download the results as a PDF file.