Configure file analysis

You can specify a size limit that applies globally to all file filters. Any file that exceeds this limit will not be hashed.

1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
2. Click the System Settings icon and then click File Analysis.
3. In the Size Limit (MB) field, specify a file size, in MB.
   The range is from 1 to 1,000,000 MB. The default value is 10 MB.
4. Click Save.

You can create custom file filters that determine which files are hashed on the ExtraHop system. The ExtraHop Default filter is automatically enabled and is configured to hash executable media type files and files observed on any protocols, localities, and file extensions supported by file analysis. You can disable the default filter but you cannot modify the filter configuration.

1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
2. Click the System Settings icon and then click File Analysis.
3. In the File Filters section, click Add Filter.
4. In the Name field, enter a unique name for the filter.
5. From the Protocol drop-down list, select one of the following protocol options:
   • Any protocol (default)
   • HTTP
   • SMP
   • FTP
   Selecting Any protocol only hashes files observed on HTTP, SMB, or FTP protocols.
6. From the Locality drop-down list, select one of the following flow direction options:
   • Any locality (default)
   • Inbound
   • Internal
   • Outbound
7. In the File Format section, select the type of files to filter:
   • To filter by media type, click Media Type, and then select one of the following media options:
     • Archive
     • Document
     • Executable
   • To filter by file extension, click File Extension, and then type one or more file extensions, separated with a comma. You can enter extensions in either of the following formats: txt or .txt.
8. In the Options section, select the Enable file filter checkbox to enable the filter and begin hashing files that match the criteria.
9. (Optional): If the file filter is enabled, you can select the Display hashed files in Files table checkbox to display hashed files and associated metadata in the Files table available from the Assets page.
10. Click Save.

For RevealX 360, ExtraHop consoles manage file analysis settings by default. For RevealX Enterprise, ExtraHop sensors manage these settings.

1. Log in to the console or sensor that is currently managing file analysis settings through https://<extrahop-hostname-or-IP-address>.
2. Click the System Settings icon and then click File Analysis.
3. Transfer management of file analysis to a different system.

   Option	Description
   Transfer from sensor to console	Click Transfer Management. From the Managing Console drop-down list, select a console name.
   Transfer from console to sensor	Click N of N connected sensors. The Management Settings window displays a list of sensors that the console manages shared settings and a list of sensors that manage their own settings. Click the name of the sensor that you want to manage its own settings. Log in to the sensor. Click Transfer Management. From the Managing Console drop-down list, select Sensor Appliance - Self.