Netskope Help

Malware

To view files affected by malware, go to Incidents > Malware.


Primary metrics appear in the panels at the top of the page, and a table below them provides more specific information. The search field at the top lets you filter the malware shown on the page by entering keywords. The information shown on this page includes:

  • Malware: The total number of malware detected by the scan.

  • Users Affected: The total number of users that have files affected by this malware.

  • Files Affected: The total number of files quarantined or that triggered an alert.

  • Malware Name: The name of the malware detected.

  • Malware Type: The type of malware detected, such as virus or custom hash hit.

  • Severity: The severity assigned to the malware. Refer to Malware Detection Types for definitions. Severity categories are:

    • High = Viruses

    • Medium = Spyware

    • Low = All others

  • Users: The number of users affected by this particular malware.

  • Files: The number of files quarantined or alerts sent for this particular malware.

  • Last Action Date: The date on which the first file was detected by the scan and an action was taken based on the quarantine profile you selected.

Click an item on the page to see more comprehensive details. The details page provides this information about the malware you selected:

  • Malware Type: The type of malware detected, such as virus or custom hash hit.

  • Users Affected: The number of users affected by this particular malware.

  • Files Affected: The total number of files quarantined or that triggered an alert.

  • About: A short description of the malware type.

  • Users Affected: Lists the users that have files affected by the specific malware shown in the Malware Name column.

  • File Name: The name of the file flagged by the malware scan. Click the file name to view the API Data Protection page for the file.

  • Application: The application affected by the malware.

  • Instance: The Netskope tenant instance name.

  • Exposure: The sharing setting for the infected file. The sharing setting is controlled in the app associated with the file detected. The options include: private, internally shared, externally shared, and public.

  • MD5 File: The MD5 hash calculated from the file at the time of detection. You can use it to confirm that the file you have downloaded is the same file that was scanned. This is useful when investigating a discrepancy or as part of an internal incident response plan.

  • Action: The action taken on the file: either an alert was sent or the file was quarantined, depending on the quarantine profile.

  • Menu: Click the menu icon (...) to the right of the Action column to quarantine a file, restore a file (release it from quarantine), or mark the file as safe so it does not create a false positive.

    • Quarantine a file: Applies only to API Data Protection when the specified action is detected. Allows a quarantine action when a quarantine profile is selected. This action is asynchronous and is logged; the Action field reflects the new state when the task completes. Click Quarantine, select a quarantine profile, and then click Quarantine.

    • Restore a file: Applies only to API Data Protection, for files that were quarantined using the quarantine action. Allows a quarantined file to be restored. This action is asynchronous and is logged; the Action field reflects the new state when the task completes. Click Restore, verify the file to restore, and then click Restore.

    • Download file: Applies only to API Data Protection. Allows a detected malware file sample to be downloaded as a password-protected zip file. The password for the zip file is shown at Settings > Threat Protection > API-enabled Protection. Click Download to get the zip file.

    • Mark a file as safe: Applies to all malware files. Allows you to give feedback to Netskope Threat Research that the file was deemed safe for your tenant. An additional link, "add to file hash list", is provided in the notification; using this link, the file can be added to one or more selected file hash lists for allowlisting. Click Mark Safe, verify the file to mark as safe, and then click Mark Safe.
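The MD5 File value and the Download file action above are meant to be used together: the hash in the console was computed over the sample, not over the password-protected zip you download, so verifying the sample means opening the zip and hashing what is inside. The following Python is an added example, not Netskope code or a Netskope API; the sample bytes, the zip and the password are constructed stand-ins, and it assumes the archive uses legacy ZipCrypto encryption, which Python's standard zipfile module can open (an AES-encrypted zip would need a third-party library).

```python
import hashlib
import io
import zipfile

# Constructed stand-ins: the sample inside the zip that "Download file" produces,
# and the zip password shown under Settings > Threat Protection > API-enabled Protection.
SAMPLE_BYTES = b"constructed sample content, not real malware\n"
DEMO_PASSWORD = "constructed-demo-password"
# What the console's "MD5 File" column would show for this constructed sample.
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()


def md5_of_stream(fh, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large samples stay out of memory."""
    h = hashlib.md5()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def md5_of_zip_members(zip_bytes, password):
    """Return {member_name: md5} for every file inside the downloaded zip.
    Members are decrypted and hashed in memory, never written to disk. Hashing
    the zip itself can never match: the console hashes the sample, not the wrapper.
    zipfile handles legacy ZipCrypto passwords; an AES-encrypted zip (an
    assumption about the format) would need a third-party library."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info, pwd=password.encode()) as fh:
                    digests[info.filename] = md5_of_stream(fh)
    return digests


def find_matching_member(zip_bytes, password, console_md5):
    """Return the member whose MD5 equals the console's MD5 File value, else None.
    Case-insensitive and whitespace-tolerant, since the value is copied from the UI."""
    expected = console_md5.strip().lower()
    for name, digest in md5_of_zip_members(zip_bytes, password).items():
        if digest == expected:
            return name
    return None


def build_demo_zip():
    """In-memory stand-in for the downloaded archive. Python's zipfile cannot write
    encrypted zips, so this one is unencrypted; pwd is ignored for unencrypted members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.bin", SAMPLE_BYTES)
    return buf.getvalue()
```

A None result means the downloaded sample is not the file the scan hashed, which is exactly the discrepancy the MD5 File column exists to surface.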

To export this information to a file, click Export CSV and then click Files or Users.

For more information about an infected file, click a file name to open the Summary page. The Summary page provides this information about the file:

  • The hashes used.

  • The analytics engine(s) used to detect the infected file.

  • The specifics of what each analytics engine found.

VirusTotal, a third-party aggregator of malware information, can be reviewed alongside the malware detection details. To view the information VirusTotal has about the malware, click Lookup VirusTotal. VirusTotal is only a complementary source of information and may not have details on every malware sample, especially for documents that are private to the enterprise.

The ability to use a custom allowlist in the malware detection profile is currently available only in Real-time Protection policies. To allowlist a file so that it is not detected by an analytics engine, click Add to Hash List and add it to an existing file hash list, or click Create to add a new file hash list.