
After identifying a suspicious file object in your local environment, you can collect the file in a password-protected archive and download the file from Response Management.

The following services can run this task:
  • TrendAI Vision One™
    • Windows agent
    • Linux agent
    • macOS agent
  • Apex One as a Service
    • Windows agent
  • Cloud One - Endpoint & Workload Security
    • Windows agent
    • Linux agent
    • macOS agent
  • Deep Discovery Inspector
  • Virtual Network Sensor
WARNING
Downloading suspicious samples may potentially harm your endpoint. Take necessary precautions before continuing. TrendAI Vision One™ automatically stores the collected samples in a password-protected .zip archive.

Procedure

  1. Right-click the suspicious file you want to collect, and select Collect File from the drop-down menu.
    The Collect File Task screen appears.
    Note
    • This task does not support collection of files larger than 4 GB, protected Windows files, and UNC paths for file objects.
    • The maximum file size for this task depends on the agent version installed on the target endpoint:
      OS        Agent version             Maximum file size
      Linux     Before 20.0.2.29760       128 MB
      Linux     20.0.2.29760 and later    4 GB
      Windows   Before 20.0.2.29760       128 MB
      Windows   20.0.2.29760 and later    4 GB
  2. Specify a Description for the response or event.
  3. Click Create.
    TrendAI Vision One™ creates the task and displays the current task status in Response Management.
  4. Monitor the task status.
    1. Go to Workflow and Automation > Response Management.
    2. Locate the task using the search bar or by selecting Collect File from the Action drop-down list.
    3. View the task status.
      • Pending approval: The automated response task was created in Workbench and is waiting for approval.
      • Rejected: The automated response task created in Workbench was rejected.
      • In progress: TrendAI Vision One™ sent the command and is waiting for a response.
      • Queued: The managing server queued the command because the agent was offline.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the Security Agent is offline for more than 12 hours, or the command execution timed out.
  5. Download the sample file.
    1. In Response Management, find the Collect File task and click the options button at the right of the row.
    2. Click Download File.
    3. On the screen that appears, record the password for the archived sample.
    4. Click OK to download the file.
      WARNING
      Downloading suspicious samples may potentially harm your endpoint. Take necessary precautions before continuing. TrendAI Vision One™ automatically stores the collected samples in a password-protected .zip archive.
      Use a file archiver to extract and decompress the file contents.
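
The limits in the note under step 1 can be checked before a Collect File task is created, so that unsupported file objects are filtered out early. The following Python is an added example, not Trend Micro code: the function names, the binary reading of MB and GB, and the fallback to the 4 GB cap for agents the table does not list (macOS) are assumptions. Protected Windows files cannot be detected this way and are not checked.

```python
# Added example: pre-flight check against the limits in the step 1 note.
MB = 1024 * 1024            # assumption: the page's MB/GB are binary units
GB = 1024 * MB
HARD_CAP = 4 * GB           # files larger than 4 GB are never collected
OLD_AGENT_CAP = 128 * MB    # Linux/Windows agents before the threshold build
THRESHOLD = (20, 0, 2, 29760)
VERSIONED_OS = {"linux", "windows"}  # the only OSes listed in the table


def parse_version(text):
    """Turn '20.0.2.29760' into (20, 0, 2, 29760) for numeric comparison."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_unc(path, os_name):
    """True for \\\\server\\share paths; only meaningful on Windows."""
    if os_name.lower() != "windows":
        return False
    # Windows also accepts forward slashes, so normalise before testing.
    return path.replace("/", "\\").startswith("\\\\")


def max_collectable_size(os_name, agent_version):
    """Maximum file size in bytes for this agent, per the table."""
    old = parse_version(agent_version) < THRESHOLD
    if os_name.lower() in VERSIONED_OS and old:
        return OLD_AGENT_CAP
    return HARD_CAP  # assumption: unlisted OSes get only the 4 GB cap


def preflight(path, size_bytes, os_name, agent_version):
    """Return the reasons a task would be unsupported (empty list = OK)."""
    reasons = []
    if is_unc(path, os_name):
        reasons.append("UNC path")
    limit = max_collectable_size(os_name, agent_version)
    if size_bytes > limit:
        reasons.append(f"size {size_bytes} exceeds limit {limit}")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real environment.
    print(preflight(r"C:\Temp\sample.bin", 200 * MB, "Windows", "20.0.2.3000"))
    print(preflight(r"\\fs01\share\sample.dll", 10, "Windows", "20.0.2.29760"))
```

Versions are compared as integer tuples because a string comparison would rank 20.0.2.3000 above 20.0.2.29760.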