This article guides the user on how to track malicious file activity and the correlation with other available data points.
Tracking malicious file activity (please refer to the portal guide in the portal Downloads section: Symantec MSS Portal Users Guide, pages 68-69)
Regarding malicious file activity: when the portal identifies a link between malicious file download events generated by network security device logs and similar events from endpoint logs, the resulting incident is marked as correlated. For example, a firewall log generates an event showing that it detected the download of a file known to be malware. Subsequently, an endpoint log generates an event stating that the same known malware file was blocked. These events are combined into a correlated incident with a wealth of information that you can opt to export to PDF for analysis and remediation. See “To view correlated incident events” on page 76. The correlated incident provides an overlay with the following information, if available:
outcome, file name, reputation, source URL, MD5/SHA256 hash, and malware behavior, including affected operating systems, known effects of infection, and the associated malware subtypes.
Note the following definitions to better understand the expanded file information.
Outcome: The result of the firewall or endpoint protection action (or inaction) relating to this event. Outcome shows as one of the following terms:
■ Blocked: Malicious file transfer blocked.
■ Not Blocked: Malicious file was downloaded.
■ Protected: Host protected by endpoint protection.
■ Infected: Host infected by malicious file.
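The correlation rule described above (a network-device event and an endpoint event that reference the same malicious file are combined into one correlated incident) and the Outcome vocabulary just listed can be reproduced with a small script. The following is an added example, not code from the portal or from Symantec; the log field names (`sha256`, `action`, `host`, `url`), the mapping from raw device actions to Outcome terms, and the sample events are all constructed for this illustration.

```python
"""Added example (not Symantec's code): correlate network-device and
endpoint events keyed on file hash and derive the portal's Outcome terms.
All field names and sample events below are constructed assumptions."""
from collections import defaultdict

# Constructed sample events. Real deployments would parse these from
# firewall/proxy and endpoint protection logs; the field names are assumed.
NETWORK_EVENTS = [
    {"source": "firewall", "ts": "2024-05-01T10:00:03Z", "host": "10.0.0.12",
     "file_name": "invoice.exe", "sha256": "a" * 64,
     "url": "http://files.example.test/invoice.exe", "action": "allowed"},
    {"source": "firewall", "ts": "2024-05-01T10:05:41Z", "host": "10.0.0.33",
     "file_name": "update.zip", "sha256": "b" * 64,
     "url": "http://cdn.example.test/update.zip", "action": "blocked"},
    {"source": "firewall", "ts": "2024-05-01T10:09:00Z", "host": "10.0.0.44",
     "file_name": "tool.exe", "sha256": "c" * 64,
     "url": "http://dl.example.test/tool.exe", "action": "allowed"},
]
ENDPOINT_EVENTS = [
    {"source": "endpoint", "ts": "2024-05-01T10:00:09Z", "host": "10.0.0.12",
     "file_name": "invoice.exe", "sha256": "a" * 64, "action": "quarantined"},
    {"source": "endpoint", "ts": "2024-05-01T10:09:30Z", "host": "10.0.0.44",
     "file_name": "tool.exe", "sha256": "c" * 64,
     "action": "detected_not_removed"},
]

# Assumed mapping from raw device actions onto the portal's Outcome terms:
# network side -> Blocked / Not Blocked, endpoint side -> Protected / Infected.
NETWORK_OUTCOME = {"blocked": "Blocked", "allowed": "Not Blocked"}
ENDPOINT_OUTCOME = {"quarantined": "Protected", "blocked": "Protected",
                    "detected_not_removed": "Infected"}


def correlate(network, endpoint):
    """Group events by SHA256; an incident is 'correlated' only when both a
    network event and an endpoint event reference the same hash."""
    by_hash = defaultdict(lambda: {"network": [], "endpoint": []})
    for ev in network:
        by_hash[ev["sha256"]]["network"].append(ev)
    for ev in endpoint:
        by_hash[ev["sha256"]]["endpoint"].append(ev)

    incidents = []
    for sha256, groups in by_hash.items():
        net, ep = groups["network"], groups["endpoint"]
        incidents.append({
            "sha256": sha256,
            "correlated": bool(net and ep),
            "file_name": (net or ep)[0]["file_name"],
            # Source URL is only known from the network side of the pair.
            "source_url": net[0]["url"] if net else None,
            "hosts": sorted({e["host"] for e in net + ep}),
            "network_outcome": NETWORK_OUTCOME.get(net[0]["action"]) if net else None,
            "endpoint_outcome": ENDPOINT_OUTCOME.get(ep[0]["action"]) if ep else None,
        })
    return incidents


def needs_remediation(incident):
    """True when the file reached a host and nothing confirms it was stopped:
    the endpoint reports Infected, or the download was Not Blocked and no
    endpoint event exists to show the host was Protected."""
    if incident["endpoint_outcome"] == "Infected":
        return True
    return (incident["network_outcome"] == "Not Blocked"
            and incident["endpoint_outcome"] is None)


if __name__ == "__main__":
    for inc in correlate(NETWORK_EVENTS, ENDPOINT_EVENTS):
        flag = "REMEDIATE" if needs_remediation(inc) else "ok"
        print(f"{inc['file_name']:<12} correlated={inc['correlated']!s:<5} "
              f"net={inc['network_outcome']} ep={inc['endpoint_outcome']} {flag}")
```

In the sample data the first file is correlated with outcomes Not Blocked / Protected (the firewall let it through, the endpoint quarantined it), the second is Blocked at the firewall with no endpoint event and therefore not correlated, and the third is correlated but Infected, which is the case an analyst would prioritise for remediation.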
Reputation: Indicates the trust level that Symantec assigns to a file, based on a stringent evaluation methodology. Reputation shows as one of the following terms:
■ Symantec Trusted: This file is Symantec Trusted.
■ Good: Symantec has a high indication that the file is trusted.
■ Trending Good: Symantec does not yet have enough information about the file to assign a trust level, but early indications are that the file is good.
■ Unproven: Symantec does not have enough information about the file to assign a trust level to the file.
■ Poor: Symantec has a few indications that the file is not trusted.
■ Untrusted: Symantec has a high indication that the file is not trusted.
Prevalence: Indicates how frequently Symantec's global community of users has downloaded this file. Treat files with low prevalence with caution.
Indicates when Symantec's global community of users first downloaded this file. Treat new files with caution.