Analyzing File Data

You can analyze file data-related anomalies on a server.

Note

You can add a server for file data analysis. For more information, see Adding a Server for File Data Analysis.

Procedure

  1. From the navigation pane in the Command Center, click Monitoring > Threat Indicators.

    The Threat Indicators panel appears.

  2. Click the action button for a server, and then click Threat scan.

    The Threat scan dialog box appears.

  3. Enter a start date and end date for the analysis.

  4. Select an index server.

  5. Under Anomaly types, select File data analysis.

  6. Click Analyze.

    The system performs the job, and the results appear in the Threat scan tab.

Report Description

The Threat Indicators report for file data-related anomalies is divided into multiple tiles and tables.

Total Files

This tile shows the total number of files analyzed.

Total Size

This tile shows the total size of the files analyzed.

Suspicious Files

This tile shows the number of suspicious files found.

Suspicious File Size

This tile shows the total size of the suspicious files found.

Suspicious File Types

This chart shows the types (indicated by their extensions) of suspicious files detected. You can click a bar in the chart to populate the Suspicious files table (described below).

Suspicious Files and Threats

This chart shows a graphical representation of the suspicious files detected. You can click a segment in the chart to populate the Suspicious files table (described below).

Suspicious Activity Timeline

This chart shows a graphical representation of the timeline of suspicious activity detected. You can click a node on the graph to populate the Suspicious files table (described below). You can also click the Group list to redraw the chart based on a desired timeframe (for example, Monthly or Hourly).

Suspicious Files Table

To populate this table, click the Suspicious File Types chart, Suspicious Files and Threats chart, or Suspicious Activity Timeline chart (see above).

  • The following columns will appear in the Suspicious files table, populated with the data that you clicked:

    File path: The path to the affected set of files.

    Versions: The number of file versions analyzed.

    Actions:

    • To ignore anomalies for a set of files, click the action button, and then click Mark safe.

    • To mark a set of files as corrupt, click the action button, and then click Mark corrupt.

  • To see all file versions for a set of files, click the down arrow next to a file path. The following columns will appear in the Suspicious files sub-table:

    File name: The path to the affected set of files.

    Modified time: The number of file versions analyzed.

    Suspicious: Indicates if the system identifies the file as suspicious.

    Marked corrupt: Indicates if a user has already marked a version of the file as corrupt.

    Backup job ID: The ID of the backup job that backed up that file.

    Actions:

    • To ignore an anomaly for a version of a file, click the action button, and then click Mark safe.

    • To mark a version of a file as corrupt, click the action button, and then click Mark corrupt.

  • To see detailed information for a file, do the following:

    • Click the name of the file.

      A window appears, showing a preview of the file (if available), the status of the file, the entropy value, the file path, the file's modified time, the backup job ID for the file, and the file's owner.

      Note

    • To download the file to your computer, click the Download button (if available).

      Note

      To enable/disable file download, use the additional setting enableAnomalyFilePreviewAndDownload. For more information, see Enabling File Preview and File Download for File Data Anomaly Report.
