Problem Files

The Problem Files page is where you will find details about any findings surfaced during antivirus scanning and data classification.


Depending on which product(s) you are using this page may have a different name in the navigation.

  • AV: Problem Files

  • DC: Classification Results

  • AV and DC: FindingsInfected, Unscannable and Error files are deemed collectively as Problem Files. They represent files that are infected with malware (Infected), password protected / KMS encrypted / file size limit exceeded (Unscannable) and where the cross account role is broken or the file no longer exists (Error). This page will present the list of problem files found by Antivirus for Amazon S3 whether from new objects coming in or through the evaluation of your existing objects. The list of problem files is a running tally of all issues you've discovered. You may take actions on the files directly in the bucket and and through the page. Whether the file has been cleaned and moved or deleted, the data will tell you whether the file still exists and needs to be dealt with or if it no longer exists. Actions that you can take on the files include restoring back to original bucket (in case of false positive) as well as taking further investigative actions by initiating a Static or Dynamic Analysis which can detonate the file in a sandbox to see what the file actually does.

The files are broken down by bucket and account so you know where the file entered and into which account.

Getting the Results Set

You will not see any results when you land on this page. You must first apply filters to get to your working data set. You can then search amongst the results. There are five pieces of data you will provide for the filter:

  1. One or multiple accounts.

  2. The types of problem files.

  3. The date range.

  4. The analysis run type.

  5. The results per page to display.


The Accounts (count in past 24h) is a multi-select picker where you can choose one or more accounts to review. If you have many accounts, you can search by typing into the field to limit the account list further. You are presented the account nickname, the account number and the number of problem files found in the last 24 hours.

Problem File Types

The Problem File Types is a multi-select picker where you can choose one or more of the problem types to review. There are five choices of problem file types (four if you're using only AV or only DC):

  1. Infected

  2. Suspicious (this is a Sophos-only finding that means the engine didn't find anything infected within the file but has found the file to have suspicious characteristics that do not fit the file type)

  3. Error

  4. Unscannable (if using AV)

  5. Unclassifiable (if using DC)

By default, all problem types are chosen, but you can limit this by clearing the undesirable types out.

Date Range

The Date Range is a date/time calendar with presets where you can select the specific time range to evaluate. By default, the time selected is the last 24 hours (It actually counts from 00:00 of the previous day to 23:59 of the present one).

With all three fields populated, the Apply Filters button will be enabled. Click the button to retrieve the filtered results.

So as not to "spam" you on the Problem Files page or in the scan results notifications, we are throttling the number of entries we write to both for two particular scenarios: 1) the bucket is encrypted (and we do not have permissions to the key), therefore every object would fail to scan and 2) access to a linked account has been broken so we cannot grab the objects and therefore every object would fail to scan.

In both scenarios, you could end up with thousands (or much more) of unscannable and/or unclassifiable messages depending on the object counts for the given bucket(s) or account(s). We will write one message per hour for each unscannable and/or unclassifiable scenario (per bucket and per account).

Page Size & Pagination

The Page Size dropdown allows you to choose how many results, per page, are displayed in the report table. You can select 10, 100, 1,000, or 5,000 results per page. If your dataset has more results that can display on a single page, you can use the pagination controls to navigate back and forth between the pages of results.

Click the page number to jump to that specific page, use the < and > controls to jump one page forward or back, and use << or >> to jump back to the first page or to the last available page.

Allowing Suspect Files - False Positives / Acceptable Risks

It is inevitable that false positives will occur or known and previously identified as risky files will be acceptable to use within your environment. If you are leveraging the default quarantining behavior of the solution you will then need a mechanism to bring the file back to the original production bucket for continued use. You need to restore the file without it immediately being picked up again so it can be used going forward.

You have two restore options:

  1. Once

  2. Permanently

Once will move the object from the quarantine bucket back to the original bucket and path. The scanning agents will skip this file one time, but if it is processed again (i.e. Scheduled Scan, On-Demand Scan, or upload) it will be caught again. This can be useful if you want to make sure you are checking the file again in case you didn't just accept it, but also fixed it.

Permanently will allow the file for continued use for the problems/infections found indefinitely. If you believe an item to be a false positive and will permanently be in place in the given file then permanent is the right choice. Even if you upload a new version of the object, that particular issue will still be allowed. If new issues are found (different infection) then it will still be processed as an infected file according to your settings.

In either case, the scan-result tag placed on the object will changed from Infected to InfectedAllowed.

If you have any policies or rules in place for object handling that key off of a scan-result=clean, you will want to augment to include scan-result=InfectedAllowed as well.

Static and Dynamic Analysis

Additional analysis of problem files may be required when it isn't obvious if the file is truly a problem or not. We offer two additional methods (in addition to the in-tenant scanning engine that identified the problem file initially): Static Analysis and Dynamic Analysis.

We're leveraging the SophosLabs Intelix Platform to perform this analysis. On any file shown in the Problem Files table click the Action button and select the analysis you'd like to run. Browse the report there below the file line item or download it for later. You will always be able to come back and view this report as we have saved them for you.

Static Analysis

Harness the power of multiple machine learning models, global reputation, deep file scanning, and more without needing to execute the file in real time.

These static analyzers generate rich reports, including industry-wide detection coverage, and ensure speedy analysis to determine a verdict or identify files that need further analysis via dynamic file analysis.

You will be prompted to acknowledge that you will be sending the specified file outside of your AWS Account to the Cloud Storage Security OEM slice of the SophosLabs Cloud Sandbox.

The file will be sent to the sandbox for static analysis. A report will be generated and displayed within the line item. This can be downloaded and/or reviewed later at any time.

As part of the static analysis you will also receive a VirusTotal report.

Dynamic Analysis

Detonate malware in real-time in a sandbox utilizing the latest analysis techniques for unmatched visibility into malicious files among the unknown. Every activity and behavior is recorded to reveal the true nature and capabilities of a potential threat.

Advanced anti-evasion technologies thwart malware that attempts to detect if it’s in a sandbox or running in a virtual machine, leaving malware with no place to hide.

You will be prompted to acknowledge that you will be sending the specified file outside of your AWS Account to the Cloud Storage Security OEM slice of the SophosLabs Cloud Sandbox. The file will be sent to the sandbox to be detonated for dynamic analysis. A report will be generated and displayed within the line item. This can be downloaded and/or reviewed later at any time.

You can see a detailed Activity Tree of what took place when the file was detonated.

At any time after the fact, for both the Static and Dynamic Analysis, you can come back to this page to review the reports.

Searching the Data

The main data fields are presented within the table:

  1. Object name

  2. Uploaded to bucket

  3. Account

  4. Result

  5. Scan on date

  6. Quarantine bucket

  7. File exists check.

File Exists indicates whether that file is still available. The Search field above the filtered results is a global search across the entire table. Start by typing in the value for any of the fields and it will start filtering the table down to the matching values. You can also space separate search criteria to search by multiple values.

For example, you want to search by a particular originating bucket and the infected status. Your search bar might look like partial-bucket-name infected. That will search by both the bucket name as well as the status of infected. It is very simple to drill down to what you are looking for.

Searching Tips

You may see a short delay after typing in your search value since we won't actually trigger the search until typing has stopped for 1 second.

  • Match words out of order: For example if you search for Virus Found it would match a row containing the words Virus and Found, regardless of the order or position that they appear in the table.

  • Partial word matching: As filtering provides immediate feedback, parts of words can be matched in the result set. For example Vir will match Virus.

  • Multiple searches: The table provides functionality to enter multiple words separated by a space and the search will return all rows containing at least one of those words.

  • Preserved text: This table adds the ability to search for an exact phrase by enclosing the search text in double quotes. For example "Virus Found" will match only text which contains the phrase Virus Found. It will not match Virus is in Found.

Export Data

The Problem Files report gives you two options for exporting the data into a CSV format:

Export Filter to CSV

This option allows you to export all results that match the current filter configuration. You do not need to apply your filters before exporting. With this option, all data that matches the filters will be exported into the CSV file.

Export Table to CSV

This option will export the data that is currently displayed within the results table. This option allows you to export a subset of results to CSV, and is impacted by both the table page selection and any filtering executed by search.

If you want to export all results from your filter configuration, it is best to use the Export Filter to CSV option.

Rescanning problem files

You can rescan any problem files that are found to be infected, unscannable, suspicious, or have an error. If you are scanning a file with a single scanning engine, it is a good practice to change the scanning engine or enable multi-engine scanning to see if a different scanning engine will treat the file any differently.

All you need to do is select the files that you want to rescan, click Selected Actions, and then click Rescan. This action will force our scanner to attempt to scan the file again. If the file is found to be clean it will be tagged as such. Otherwise it will again be tagged with a different finding.

If a file is found to be unscannable or produces an error upon being scanned, we will not charge you for the data that scan used. Once you rescan, if the file is scanned successfully and is found to be clean, infected, or suspicious the scan will count towards your scanning data.

Last updated