Leveraging the File Detail page

NAVIGATION  Alerts > Alert Detail > click an object

SECURITY   Datto EDR subscription with administrator or analyst-level platform access

IMPORTANT  Specific retention periods apply to all record types in Datto EDR and Datto AV. For more information, refer to Datto EDR and Datto AV data retention policies

The File Detail page enables you to view granular information about objects flagged as potential threats by Datto EDR. From this location, you can also manage the object's flags, download it, or queue it for heuristic threat analysis.

This article describes the page's layout and functions.

Overview

To access the File Detail page, perform the following steps:

  1. In the top navigation menu, click Alerts.

  2. Click any alert triggered by a file or script to view its details. The Alert Detail page will load.

  3. From the Alert Detail page, click the value shown in the Name field of the File pane.

  1. The File Detail page will load, with the Overview filter selected by default.

    As you navigate, you'll see the following features and fields:

Feature Definition
Overview

Returns the current view to the File Detail page
Instances

Pivots the current view to the Files section of the Search page with the object's hash pre-populated, enabling you to quickly review all endpoints where files with a matching attribute are present
Connections

Pivots the current view to the Connections section of the Search page with the object's hash pre-populated, enabling you to quickly review all network activity where files with a matching attribute were involved
Download

Enables you to download a copy of the object to your local machine

IMPORTANT  Using this feature downloads a potentially malicious, non-quarantined file to your computer. Proceed with caution.
Field name Definition
Threat Level

EDR's assessment of the risk level of the object; when associated with a host, indicates whether or not the endpoint appears to have been compromised

Threat Name

Name of the malware sample, including category, type, designation, and variant information, as defined by the antivirus community

AV Hits

Number of antivirus engines reporting the file is bad out of the total queried
As Of Date and time that Datto EDR fetched the results
Field name Definition
Entropy

Byte randomness of the file, measured between 0 and 8

  • 8 represents random content.

  • 6.5 is typical of executables.

IMPORTANT  Executables above 7.2 are often packed or encrypted, making analysis more difficult.
Flag User-defined workflow or status category to which the logged item belongs; to create and personalize flags, visit > Admin > File Flags; click to change or remove the flag
Signed If is present in this field, the file is digitally signed
Catalog

Indicates whether the binary is in the Windows catalog
Analyze Click Submit for Analysis to queue the file for heuristic analysis by Datto EDR's cloud-based threat intelligence engine
Field name Definition
Path

EDR's assessment of the risk level of the object; when associated with a host, indicates whether or not the endpoint appears to have been compromised

Size

Size of the file
First Seen

Indicates the first date and time this object was seen by Datto EDR on the endpoint
Last Seen

Details the most recent time and date this object was seen by Datto EDR on the endpoint
Field name Definition
MD5

Surfaces the object's hashes of the types indicated
SHA1

SHA256
SSDEEP

If the object is digitally signed, this pane provides details about the signature.

Field name Definition

Subject

Name of the subject issuing a request to the registration authority (RA) for the signature
Issuer

The certificate authority (CA) issuing the signature

Clicking any of the links shown in this pane will automatically initiate a search for the object's hash details via the selected search method.

This free-text field enables you to create notes about the object and view notes posted by other administrators or analysts.