Advanced File Analysis report

With Forcepoint Web Security, when Advanced File Analysis is enabled on the Settings > Scanning > Scanning Options page, you can use the Reporting > Advanced File Analysis report page to view specific information about the results of advanced file analysis.

The report provides visibility into suspicious files accessed through your network and sent to Forcepoint Advanced Malware Detection for further analysis.

Forcepoint Advanced Malware Detection is available as either a cloud-based service or an on-premises service.

Use the options above the table to filter the data that is displayed.

  • The Time period for the report.
    • Select Today, 2 days, 7 days (the default), 14 days, 30 days, 60 days, or 90 days from the drop-down list.

      If you are using Microsoft SQL Express, the maximum time period is 30 days.

    • The Total number of incidents reported for that time period is provided.
  • The threat levels to be reported. Check the box next to:
    • Malicious to include files that analysis has found to be malicious.
    • Suspicious to include files found to have suspicious characteristics.
    • No threat detected to report on files in which analysis did not find any malicious or suspicious characteristics.
    • No analysis available to include files for which no results have been returned. Either these files are an unsupported file type, or an error occurred during the analysis.

      The total number of files recorded for each threat level is provided. If filters are in use, some of these records may not be included in the report.

The top (up to 200) results that match your filter are displayed in a table. By default, the following columns are included:

  • Threat Level: an assessment of the level of threat (malicious, suspicious, or none) associated with a file.

    Depending on which Forcepoint Advanced Malware Detection platform you are using, you can click a link in this column to either:

    • Open a cloud-based report detailing the information provided in that row.
    • Access the appliance and view a detailed report. You may first be prompted for logon credentials.
      Note: If the appliance was installed using a hostname, the link will work only if the hostname is resolvable on the network.
  • Incident time: the date and time the file was sent for analysis.
  • User: the user name (or IP address) associated with the activity that prompted the file analysis.
  • Source: the IP address of the client machine in your network that sent or received the file.

    Click an IP address to open an investigative report with more details about the browsing done from that source on the day the file was analyzed.

    The Source IP link will not be available to delegated administrators whose role does not have both the Access investigative reports and Report on all clients options enabled.

  • Destination: the IP address of the recipient of the HTTP request.
  • URL: the URL from which the file is being downloaded or to which the file is being posted.

    In some cases the URL may be truncated. Hover over the entry to view the complete URL.

  • Analyzed by: the IP address of the Forcepoint Advanced Malware Detection data center (cloud-based) or cluster (on premises).

Use the Customize option to add or remove columns from the table. In the window provided, check the box next to the column headings you want to include. Clear the box next to any column heading you want to remove.

  • Platform: The platform that provided the file analysis (Cloud Service or On Premises).
  • Severity: the level of severity of the threat, on a scale of 1 to 10.
  • Result Type: indicates whether there was a Hash match or this was considered New analysis.

    Hash match means that the file hash (not the file) was actually sent for analysis and was found in the records of the analysis platform. The file is recognized and the Threat Level is known.

    New analysis means there is no record of the file having been seen before, so the entire file was sent for analysis. The analysis shows whether or not the file contains a threat.

  • Protocol: the protocol used to transfer the file.
  • File Name: the name of the file sent for analysis.
  • File Hash: a SHA1 hash of the file sent for analysis.
  • File Size (KB): the total file size, in kilobytes.
  • File Type: the type of file sent for analysis. Types include PDF, Image, Executable, Document, and Web Page as well as others.
  • Content Gateway: the IP address of the Content Gateway machine that sent the file for analysis.

Customized column selections are stored and do not reset each time you navigate away from the page. The columns reset to the default selections with each log on to the Forcepoint Security Manager.

Use the other links and options to:

  • Change the sort order. (The default sort is by Threat Type.)

    Use the arrows beside a column heading to change the report’s sort order.

  • Export the contents of the report to a CSV file.

    Click Export to CSV to save the data to a file named excel.csv (the default name). If the displayed data has been filtered, the same filter is applied to the export. All columns are included in the exported data, even if they were not selected for the report.

    A maximum of 10,000 rows can be included in the exported data. Any data that exceeds the limit will not be included in the spreadsheet.

  • Navigate between report pages.

    Use the paging options below the table to display other report pages.

  • Refresh the data.

    Click Refresh to update the displayed data to include information that was added to the log database files since the report was initially displayed.
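The exported CSV is the usual way to work with these results outside the console. The following script is an added example, not Forcepoint code: it reads an export, tallies rows per threat level (the same four levels as the filter check boxes above), ranks Malicious and Suspicious rows by Severity with New analysis results ahead of Hash match results, flags rows whose File Hash is not a well-formed SHA1 (typically "No analysis available" entries), and warns when the export reached the documented 10,000-row cap. The sample data is constructed, and the CSV header names are an assumption that mirrors the column titles shown in the report; check them against a real export before relying on the script.

```python
import csv
import io
import re
from collections import Counter

# Export cap documented for the report: rows beyond it are dropped, so an
# export of exactly this size may be incomplete.
MAX_EXPORT_ROWS = 10000

# The four threat levels the report can filter on.
THREAT_LEVELS = ("Malicious", "Suspicious", "No threat detected", "No analysis available")

# Constructed sample export (not real report data). Header names are an
# assumption based on the column titles the report page displays.
SAMPLE_CSV = """Threat Level,Incident time,User,Source,Destination,URL,Analyzed by,Platform,Severity,Result Type,Protocol,File Name,File Hash,File Size (KB),File Type,Content Gateway
Malicious,2024-01-10 09:14:02,jdoe,10.1.2.3,203.0.113.10,http://example.test/invoice.exe,198.51.100.5,Cloud Service,9,New analysis,HTTP,invoice.exe,da39a3ee5e6b4b0d3255bfef95601890afd80709,412,Executable,10.1.0.5
Suspicious,2024-01-10 09:20:45,10.1.2.7,10.1.2.7,203.0.113.20,http://example.test/report.pdf,198.51.100.5,Cloud Service,5,Hash match,HTTP,report.pdf,0123456789abcdef0123456789abcdef01234567,88,PDF,10.1.0.5
No threat detected,2024-01-10 09:31:10,asmith,10.1.2.8,203.0.113.30,http://example.test/logo.png,198.51.100.5,Cloud Service,1,Hash match,HTTP,logo.png,ffffffffffffffffffffffffffffffffffffffff,12,Image,10.1.0.5
No analysis available,2024-01-10 09:40:00,bjones,10.1.2.4,203.0.113.40,http://example.test/unknown.bin,198.51.100.5,Cloud Service,,New analysis,HTTP,unknown.bin,,3000,Other,10.1.0.5
Malicious,2024-01-10 10:02:33,10.1.2.9,10.1.2.9,203.0.113.50,http://example.test/setup.msi,10.1.0.20,On Premises,8,Hash match,HTTP,setup.msi,abcdefabcdefabcdefabcdefabcdefabcdefabcd,2048,Executable,10.1.0.5
"""

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_report(text):
    """Parse an exported CSV into row dicts, normalising Severity to int or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = (row.get("Severity") or "").strip()
        row["Severity"] = int(sev) if sev.isdigit() else None
        rows.append(row)
    return rows


def possibly_truncated(rows):
    """True when the export hit the documented row cap, so data may be missing."""
    return len(rows) >= MAX_EXPORT_ROWS


def count_by_threat_level(rows):
    """Row count per threat level, always reporting all four levels."""
    counts = Counter(r["Threat Level"] for r in rows)
    return {level: counts.get(level, 0) for level in THREAT_LEVELS}


def valid_sha1(digest):
    """True only for a 40-character hex string, the shape of a SHA1 File Hash."""
    return bool(SHA1_RE.match(digest or ""))


def triage(rows, levels=("Malicious", "Suspicious")):
    """Rows at the given levels, highest Severity first; New analysis before Hash match on ties."""
    hits = [r for r in rows if r["Threat Level"] in levels]
    return sorted(hits, key=lambda r: (-(r["Severity"] or 0), r["Result Type"] != "New analysis"))


def malicious_sources(rows):
    """Source IPs with the number of Malicious files each sent or received."""
    return Counter(r["Source"] for r in rows if r["Threat Level"] == "Malicious")


def rows_with_bad_hashes(rows):
    """Rows whose File Hash is not a well-formed SHA1 (e.g. no analysis available)."""
    return [r for r in rows if not valid_sha1(r.get("File Hash"))]


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)
    if possibly_truncated(report):
        print(f"WARNING: {len(report)} rows; export may have been cut at the {MAX_EXPORT_ROWS}-row cap")
    print("Per threat level:", count_by_threat_level(report))
    for r in triage(report):
        print(f"{r['Threat Level']:<10} sev={r['Severity']} {r['Result Type']:<13} {r['Source']:<10} {r['File Name']}")
    print("Malicious by source:", dict(malicious_sources(report)))
    print("Rows without a usable hash:", [r["File Name"] for r in rows_with_bad_hashes(report)])
```

To use it on a real export, replace SAMPLE_CSV with the contents of excel.csv (for example `open("excel.csv", newline="").read()`) and compare the per-level counts with the totals shown on the report page; a gap between the two means a filter or the row cap is hiding records.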

Configure delegated administrator access to the Advanced File Analysis report using the Report on all clients option in the Reporting Permissions section of the Delegated Administration > Edit Roles page. The menu option Advanced File Analysis report is not available to administrators whose role does not have that option selected.