View Security Events by Files
- Click 'Security Sub-Systems' > 'Security Dashboards' > 'File View'
‘File view’ groups together all events that involve a particular file.
- A file can generate events in different security modules, on multiple devices, at different times
- All these events are grouped together and shown as a single row:
- You can expand the row to view individual events
- Click the '+' at the left of a row to expand it and view a list of all events for the file.
Security Dashboards - File View – Column Descriptions

| Column Header | Description |
|---|---|
| Date/Time | The time at which the event occurred. |
| Components | The security module that reported the event. This can be 'Antivirus', 'Containment', 'Application Control' or 'Autorun Control'. |
| Action | The response to the event. This shows how the file was handled by the CCS component mentioned above. List of possible actions: Antivirus: Containment: Autorun Control: |
| Number of devices | On how many devices the event was detected. |
| File Name | The label of the executable file affected by the action. |
| File Path | The installation location of the executable file on the endpoint. |
| File Hash | The SHA 1 hash value of the executable file |
| Current Comodo Rating | The present trust rating of the file as per the Comodo File Look-up Service (FLS). |
| Current Admin Rating | The most recent trust rating of the file as manually set by the admin, if any. |
| Controls | |
| Action on Endpoints | Delete or restore a file from quarantine on the endpoint. Applies only to 'Malware quarantined' events. |
| Change rating | Assign a new admin rating to a file (trusted, malicious or unrecognized). |
| File Details | View complete information about the file that caused the event. You can also view a history of actions taken by the file. |
| Download Valkyrie Report | Get a detailed Valkyrie analysis report for a file as a PDF. |
| Check Valkyrie Details | View the Valkyrie analysis on a file. |
| Export | Save the list of events as a comma separated values (csv) file. |
The file view interface lets you:
Sort, Search and Filter Options
- Use the search fields to filter events by security component, date/time, file name, and other criteria.
- Click the funnel icon at top-right to open more filter options:
- Use the search fields to filter the events by date/time, component, action, device name, file name, file path or SHA1 hash value.
- By default, 'Security Dashboards' > 'File View' does not show the files that are ignored by auto-containment rules.
- Select 'Show containment ignored events' to include the files ignored by auto-containment rules in the list
- To display all items again, clear any search filters and click 'OK'.
You can use any combination of filters simultaneously to search for specific apps.
- You can delete or restore quarantined items from the 'Security Dashboards' interface.
- Select a company or group to view events in that group
Or
- Select 'Show all' to view all events
- Select the event(s) in which the file(s) of interest are moved to quarantine.
- Click 'Action on Endpoint' on top
- Select 'Delete File' / 'Delete Autorun from device' to remove the file from the respective devices
- Select 'Restore from Quarantine' / 'Restore Autorun' to move the files back to their original location.
Rate Files as Trusted, Malicious or Unrecognized
If required, you can rate the files affected by the events as unrecognized, trusted or malicious. Please make sure the file is safe before marking it as trusted. Any new file ratings will be sent to endpoints during the next sync.
- Click 'Security Sub-Systems' > 'Security Dashboards' > 'File View'
- Select a company or group to view events in that group
Or
- Select 'Show all' to view all events
- Select the event(s) involving the file(s) of interest.
- Click the 'Change Rating' button
- Set your preferred rating from the options:
The new rating will be propagated to all endpoints during the next synchronization.
- You can view the complete details of the executable file that caused security events on managed endpoints from the 'File View' interface.
- You can also view the history of actions taken on the file on all endpoints on which it was discovered.
View details about the file that caused the event
- Click 'Security Sub-Systems' > 'Security Dashboards' > 'File View'
- Select a company or group to view events in that group
Or
- Select 'Show all' to view all events
- Select the event involving the file of interest
- Click the 'File Details' button
- Alternatively, click the label of the file in the 'File Name' column
The information is shown in two tabs:
- The 'File Details' tab shows the particulars of the file.
- The interface also allows you to:
- Change the admin trust rating of the file
- Delete the file from the endpoints or restore the file from quarantine, if the file has been moved to quarantine by antivirus on the endpoints.
- Get a Valkyrie analysis report of the file as a PDF
- View Valkyrie analysis details of the file
The 'File Summary' pane shows the following details:
- Last detected file name - Label of the file when it was most recently scanned
- SHA1 - SHA1 hash value of the file
- First Seen by Comodo - Date and time at which the file was first reported to Comodo threat labs
- First Seen on my Network - Date and time at which the file was first detected on one of your devices
- Number of endpoints - The count of Windows devices on which the file was found
- Click 'Calculate' to update the number of devices on which the file is currently found
- Comodo Rating - The trust verdict on the file from Comodo threat labs
- Last Update of Comodo Rating - Date and time at which the Comodo rating last changed
- Admin Rating - The trust rating most recently assigned to the file by an administrator, if any.
- Version - The version number of the executable file
To handle a quarantined file
- Click 'Action on Endpoint' on the top
- Select 'Delete File' to remove the file from the device on which the selected events occurred.
- Select 'Restore from Quarantine' to move the file from quarantine to its original location on the device.
To assign or change the admin rating of the file
- Click 'Change Rating' on the top
- Set your preferred rating from the options:
The new rating will be propagated to all endpoints during the next synchronization.
To download Valkyrie report of a file
- Click the 'Download Valkyrie Report' button
- See Get Valkyrie Report of a file for more details on the report
To view the Valkyrie analysis results of the file
- Click the 'Check Valkyrie Details' button
- See View Valkyrie analysis details of file for more details on the results
- The 'File History' tab shows the timeline of events induced by the file and the actions taken on it on all devices on which it was found.
- The interface also allows you to:
- Change the admin trust rating of the file
- Delete the file from the endpoints or restore the file from quarantine, if the file has been moved to quarantine by antivirus on the endpoints.
Security Dashboards - Event View - File History - Column Descriptions

| Column Header | Description |
|---|---|
| Date/Time | The time at which the event occurred. |
| Components | Whether 'Antivirus', 'Containment' or 'Application Control' reported the event. |
| Action | The nature of the event, showing how the file was handled by the CCS component. The possible actions are: Antivirus: Application Control: Autorun Control: |
| Device Name | The label of the Windows endpoint on which the event occurred. |
| Additional Info | Provides the current status of the event or the action taken on the affected file. |
| Controls | |
| Action on Endpoints | Allows you to delete a file or restore a file from quarantine on the endpoint. Applicable only for events involving 'Malware quarantined' action. |
| Change rating | Allows you to change the rating of the affected file to trusted, malicious or unrecognized. |
Handle a quarantined file
- Click 'Action on Endpoint' on the top
- Select 'Delete File' to remove the file from the device on which the selected event occurred.
- Select 'Restore from Quarantine' to move the file from quarantine to its original location on the device.
Assign or change the admin rating of the file
- Click 'Change Rating' on the top
- Set your preferred rating from the options:
The new rating will be propagated to all endpoints during the next synchronization.
Get the Valkyrie Report on a file
Background:
Download the Valkyrie report on a file
- Click 'Security Sub-Systems' > 'Security Dashboards' > 'File View'
- Select a company or group to view events in that group
Or
- Select 'Show all' to view all events
- Select the event involving the file of interest
- Click the 'Download Valkyrie' button
- The PDF opens in a new browser tab.
- The report contains granular details of various tests on the file
View Valkyrie analysis of a file
- Click 'Security Sub-Systems' > 'Security Dashboards' > 'File View'
- Select a company or group to view events in that group
Or
- Select 'Show all' to view all events
- Select the event involving the file of interest
- Click the 'Check Valkyrie Details' button
- The Valkyrie 'file verdict' page opens in a new tab.
- The page contains the results of various tests, and a trust verdict from each test.
- For more details on Valkyrie tests, see http://help.comodo.com/topic-397-1-773-9563-Introduction-to-Comodo-Valkyrie.html.
You can save the list of events as a comma separated values (CSV) file for future analysis.
- Click 'Security Sub-Systems' > 'Security Dashboards' > 'File View'
- Apply any filters that you require.
- Click 'Export' > 'Export to CSV'
- The CSV file will be available in 'Dashboard' > 'Reports'
- See Reports in The Dashboard for more details.
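For the 'future analysis' of an exported CSV, the following added example (not Comodo's code) rebuilds the per-file grouping described at the top of this page and lists files that an admin rated trusted although Comodo rates them malicious or antivirus quarantined them. The header names are assumed to match the column tables above, and the timestamp format and the 'Contained' / 'Logged' action labels are constructed for the sample; adjust them to match your export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. The header names mirror the column tables on this
# page; the real export's headers and action labels are assumptions.
SAMPLE_CSV = r"""Date/Time,Components,Action,Device Name,File Name,File Path,File Hash,Current Comodo Rating,Current Admin Rating
2024-03-01 09:12:00,Containment,Contained,PC-01,tool.exe,C:\Temp\tool.exe,0123456789abcdef0123456789abcdef01234567,Unrecognized,
2024-03-01 10:40:00,Antivirus,Malware quarantined,PC-02,tool.exe,C:\Temp\tool.exe,0123456789ABCDEF0123456789ABCDEF01234567,Malicious,Trusted
2024-03-02 08:05:00,Application Control,Logged,PC-02,tool.exe,C:\Users\a\tool.exe,0123456789abcdef0123456789abcdef01234567,Malicious,Trusted
2024-03-02 11:30:00,Autorun Control,Logged,PC-03,updater.exe,C:\App\updater.exe,89abcdef0123456789abcdef0123456789abcdef,Trusted,
2024-03-02 11:31:00,Antivirus,Logged,PC-03,broken.exe,C:\App\broken.exe,not-a-hash,Unrecognized,
"""

HEX = set("0123456789abcdef")

def group_by_file(csv_text):
    """Roll per-event rows up to one record per SHA1, as File View does."""
    files = defaultdict(lambda: {"events": 0, "devices": set(), "components": set(),
                                 "quarantined": False, "last_seen": "",
                                 "comodo": "", "admin": ""})
    for row in csv.DictReader(io.StringIO(csv_text)):
        sha1 = row["File Hash"].strip().lower()  # normalise case before grouping
        if len(sha1) != 40 or not set(sha1) <= HEX:
            continue  # ignore rows without a well-formed SHA1
        rec = files[sha1]
        rec["events"] += 1
        rec["devices"].add(row["Device Name"])
        rec["components"].add(row["Components"])
        rec["quarantined"] |= row["Action"] == "Malware quarantined"
        if row["Date/Time"] >= rec["last_seen"]:  # keep ratings from newest event
            rec["last_seen"] = row["Date/Time"]
            rec["comodo"] = row["Current Comodo Rating"].strip().lower()
            rec["admin"] = row["Current Admin Rating"].strip().lower()
    return dict(files)

def needs_review(files):
    """SHA1s rated trusted by an admin but malicious by Comodo or quarantined by AV."""
    return sorted(h for h, r in files.items()
                  if r["admin"] == "trusted"
                  and (r["comodo"] == "malicious" or r["quarantined"]))

if __name__ == "__main__":
    files = group_by_file(SAMPLE_CSV)
    for sha1, rec in files.items():
        print(sha1, rec["events"], "events on", len(rec["devices"]), "devices")
    print("review:", needs_review(files))
```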