Cloud Storage Security Help Docs
Need live support? Join our office hoursRelease NotesPolicies
Search
⌃K
Links

Problem Files

The Problem Files page is where you will find details about any findings surfaced during antivirus scanning and data classification.

Overview

Depending on which product(s) you are using this page may have a different name in the navigation.
  • AV: Problem Files
  • DC: Classification Results
  • AV and DC: Findings
Antivirus for Amazon S3
Data Classification for Amazon S3
Infected, Unscannable and Error files are deemed collectively as Problem Files. They represent files that are infected with malware (Infected), password protected / KMS encrypted / file size limit exceeded (Unscannable) and where the cross account role is broken or the file no longer exists (Error). This page will present the list of problem files found by Antivirus for Amazon S3 whether from new objects coming in or through the evaluation of your existing objects. The list of problem files is a running tally of all issues you've discovered. You may take actions on the files directly in the bucket and and through the page. Whether the file has been cleaned and moved or deleted, the data will tell you whether the file still exists and needs to be dealt with or if it no longer exists. Actions that you can take on the files include restoring back to original bucket (in case of false positive) as well as taking further investigative actions by initiating a Static or Dynamic Analysis which can detonate the file in a sandbox to see what the file actually does.
The files are broken down by bucket and account so you know where the file entered and into which account.
Problem Files page
Matching, Unclassifiable and Error files are deemed collectively as Problem Files. They represent files that have classified data (Matching), password protected / KMS encrypted / file size limit exceeded (Unclassifiable) and where the cross account role is broken or the file no longer exists (Error). This page will present the list of problem files found by Classification for Amazon S3 whether from new objects coming in or through the evaluation of your existing objects. The list of problem files is a running tally of all issues you've discovered. You may take actions on the files directly in the bucket and and through the page. Whether the file has been cleaned and moved or deleted, the data will tell you whether the file still exists and needs to be dealt with or if it no longer exists.
The files are broken down by bucket and account so you know where the file entered and into which account.
Problem Files page

Getting the Results Set

You will not see any results when you land on this page. You must first apply filters to get to your working data set. You can then search amongst the results. There are three pieces of data you will provide for the filter:
  1. 1.
    One or multiple accounts.
  2. 2.
    The types of problem files.
  3. 3.
    The date range.
Problem Files Filters

Accounts

Accounts
The Accounts (count in past 24h) is a multi-select picker where you can choose one or more accounts to review. If you have many accounts, you can search by typing into the field to limit the account list further. You are presented the account nickname, the account number and the number of problem files found in the last 24 hours.

Problem File Types

Problem File Types
The Problem File Types is a multi-select picker where you can choose one or more of the problem types to review. There are four choices of problem file types (three if you're using only AV or only DC):
  1. 1.
    Infected
  2. 2.
    Error
  3. 3.
    Unscannable (if using AV)
  4. 4.
    Unclassifiable (if using DC)
By default, all problem types are chosen, but you can limit this by clearing the undesirable types out.

Date Range

Date Range
The Date Range is a date/time calendar with presets where you can select the specific time range to evaluate. By default, the time selected is the last 24 hours.
With all three fields populated, the Apply Filters button will be enabled. Click the button to retrieve the filtered results.
Results may be truncated as follows:
  • 5000 results, at most, will be returned.
  • 1000 results, at most, will be returned per account
So as not to "spam" you on the Problem Files page or in the scan results notifications, we are throttling the number of entries we write to both for two particular scenarios: 1) the bucket is encrypted (and we do not have permissions to the key), therefore every object would fail to scan and 2) access to a linked account has been broken so we cannot grab the objects and therefore every object would fail to scan.
In both scenarios, you could end up with thousands (or much more) of unscannable and/or unclassifiable messages depending on the object counts for the given bucket(s) or account(s). We will write one message per hour for each unscannable and/or unclassifiable scenario (per bucket and per account).

Allowing Suspect Files - False Positives / Acceptable Risks

It is inevitable that false positives will occur or known and previously identified as risky files will be acceptable to use within your environment. If you are leveraging the default quarantining behavior of the solution you will then need a mechanism to bring the file back to the original production bucket for continued use. You need to restore the file without it immediately being picked up again so it can be used going forward.
Allowing Infected Files
You have two restore options:
  1. 1.
    Once
  2. 2.
    Permanent.
Once will move the object from the quarantine bucket back to the original bucket and path. The scanning agents will skip this file one time, but if it is processed again (i.e. Scheduled Scan, On-Demand Scan, or upload) it will be caught again. This can be useful if you want to make sure you are checking the file again in case you didn't just accept it, but also fixed it.
Permanent will allow the file for continued use for the problems/infections found indefinitely. If you believe an item to be a false positive and will permanently be in place in the given file then permanent is the right choice. Even if you upload a new version of the object, that particular issue will still be allowed. If new issues are found (different infection) then it will still be processed as an infected file according to your settings.
In either case, the scan-result tag placed on the object will changed from Infected to InfectedAllowed.
If you have any policies or rules in place for object handling that key off of a scan-result=clean, you will want to augment to include scan-result=InfectedAllowed as well.

Static and Dynamic Analysis

Examples of Static and Dynamic Analysis
Additional analysis of problem files may be required when it isn't obvious if the file is truly a problem or not. We offer two additional methods (in addition to the in-tenant scanning engine that identified the problem file initially): Static Analysis and Dynamic Analysis.
We're leveraging the SophosLabs Intelix Platform to perform this analysis. On any file shown in the Problem Files table click the Action button and select the analysis you'd like to run. Browse the report there below the file line item or download it for later. You will always be able to come back and view this report as we have saved them for you.
Problem Files SophosLabs Intelix

Static Analysis

Harness the power of multiple machine learning models, global reputation, deep file scanning, and more without needing to execute the file in real time.
These static analyzers generate rich reports, including industry-wide detection coverage, and ensure speedy analysis to determine a verdict or identify files that need further analysis via dynamic file analysis.
Click the Actions button (
Problem Files Actions button
) and select Run Static Analysis
Run Static Analysis
You will be prompted to acknowledge that you will be sending the specified file outside of your AWS Account to the Cloud Storage Security OEM slice of the SophosLabs Cloud Sandbox.
Static Analysis Dialog
The file will be sent to the sandbox for static analysis. A report will be generated and displayed within the line item. This can be downloaded and/or reviewed later at any time.
Static Analysis Report
As part of the static analysis you will also receive a VirusTotal report.
VirusTotal Report

Dynamic Analysis

Detonate malware in real-time in a sandbox utilizing the latest analysis techniques for unmatched visibility into malicious files among the unknown. Every activity and behavior is recorded to reveal the true nature and capabilities of a potential threat.
Advanced anti-evasion technologies thwart malware that attempts to detect if it’s in a sandbox or running in a virtual machine, leaving malware with no place to hide.
Click the Actions button (
Problem Files Actions button
) and select Run Dynamic Analysis
Run Dynamic Analysis
You will be prompted to acknowledge that you will be sending the specified file outside of your AWS Account to the Cloud Storage Security OEM slice of the SophosLabs Cloud Sandbox. The file will be sent to the sandbox to be detonated for dynamic analysis. A report will be generated and displayed within the line item. This can be downloaded and/or reviewed later at any time.
Dynamic Analysis Report
You can see a detailed Activity Tree of what took place when the file was detonated.
Activity Tree
At any time after the fact, for both the Static and Dynamic Analysis, you can come back to this page to review the reports.
Show previously run Analysis

Searching the Data

The main data fields are presented within the table:
  1. 1.
    Object name
  2. 2.
    Uploaded to bucket
  3. 3.
    Account
  4. 4.
    Result
  5. 5.
    Scan on date
  6. 6.
    Quarantine bucket
  7. 7.
    File exists check.
File Exists indicates whether that file is still available. The Search field above the filtered results is a global search across the entire table. Start by typing in the value for any of the fields and it will start filtering the table down to the matching values. You can also space separate search criteria to search by multiple values.
For example, you want to search by a particular originating bucket and the infected status. Your search bar might look like partial-bucket-name infected. That will search by both the bucket name as well as the status of infected. It is very simple to drill down to what you are looking for.

Searching Tips

You may see a short delay after typing in your search value since we won't actually trigger the search until typing has stopped for 1 second.
  • Match words out of order: For example if you search for Virus Found it would match a row containing the words Virus and Found, regardless of the order or position that they appear in the table.
  • Partial word matching: As filtering provides immediate feedback, parts of words can be matched in the result set. For example Vir will match Virus.
  • Multiple searches: The table provides functionality to enter multiple words separated by a space and the search will return all rows containing at least one of those words.
  • Preserved text: This table adds the ability to search for an exact phrase by enclosing the search text in double quotes. For example "Virus Found" will match only text which contains the phrase Virus Found. It will not match Virus is in Found.
Previous
Scheduled Scans
Next
Monitoring
Last modified 1mo ago