Case 3:17-cv-05659-WHA Document 369-23 Filed 02/14/19 Page 1 of 3
Exhibit 22

2/13/2018

HTTP File Download Details

To access this page, navigate to Monitor > File Scanning > HTTP File Download. Click on the File Signature link to go to the File Scanning Details page.

Use this page to view analysis information and malware behavior summaries for the downloaded file. This page is divided into several sections:

Table 32: Links on the HTTP File Download Details Page

| Link | Purpose |
|---|---|
| Report False Positive | Click this button to launch a new screen which lets you send a report to Juniper Networks, informing Juniper of a false positive or a false negative. Juniper will investigate the report, however, this does not change the verdict. If you want to make a correction (mark system as clean) you must do it manually. |
| Download STIX Report | When there is a STIX report available, a download link appears on this page. Click the link to view gathered, open-source threat information, such as blacklisted files, addresses and URLs. STIX (Structured Threat Information eXpression) is a language used for reporting and sharing threat information using TAXII (Trusted Automated eXchange of Indicator Information). TAXII is the protocol for communication over HTTPS of threat information between parties. STIX and TAXII are an open community-driven effort of specifications that assist with the automated exchange of threat information. This allows threat information to be represented in a standardized format for sharing and consuming. Sky ATP uses this information as well as other sources. This occurs automatically. There is no administrator configuration required for STIX. STIX reports will vary. View a sample report at the bottom of this page. Note: Sky ATP can also share threat intelligence. You can control what threat information is shared from the Threat Sharing page. See Configuring Threat Intelligence Sharing. |
| Download Zipped Files | Click this link to download the quarantined malware for analysis. The link allows you to download a password-protected zipped file containing the malware. The password for the zip file is the SHA256 hash of the malware exe file (64 characters long, alpha numeric string) shown in the General tab in the Sky ATP UI for the file in question. |

The top of the page provides a quick view of the following information (scroll to the right in the UI to see more boxes):

• Threat Level—This is the threat level assigned (0-10). This box also provides the threat category and the action taken.

• Top indicators—In this box, you will find the malware name, the signature it matches, and the IP address/URL from which the file originated.

• Prevalence—This box provides information on how often this malware has been seen, how many individual hosts on the network downloaded the file, and the protocol used.

https://www.juniper.net/documentation/en_US/release-independent/sky-atp/help/information-products/pathway-pages/topic-111408.html#jd0e6675

FINJAN-JN 044731

File Summary

Table 33: General Summary Fields

| Field | Definition |
|---|---|
| Threat Level | This is the assigned threat level 0-10. 10 is the most malicious. |
| Action Taken | The action taken based on the threat level and host settings: block or permit. |
| Global Prevalence | How often this file has been seen across different customers. |
| Last Scanned | The time and date of the last scan to detect the suspicious file. |
| File Name | The name of the suspicious file. Examples: unzipper-setup.exe, 20160223158005.exe, wordmul.msi. |
| Category | The type of file. Examples: PDF, executable, document. |
| File Size | The size of the downloaded file. |
| Platform | The target operating system of the file. Example: Win32. |
| Malware Name | If possible, Sky ATP determines the name of the malware. |
| Malware Type | If possible, Sky ATP determines the type of threat. Example: Trojan, Application, Adware. |
| Malware Strain | If possible, Sky ATP determines the strain of malware detected. Example: Outbrowse.1198, Visicom.E, Flystudio. |
| sha256 and md5 | One way to determine whether a file is malware is to calculate a checksum for the file and then query to see if the file has previously been identified as malware. |
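
The checksum-and-query approach described for the sha256 and md5 field, and the 64-character SHA256 value used as the zip password in Table 32, shown as an added example that is not part of the Juniper documentation and does not call any Sky ATP API. The verdict store, its contents and all function names are hypothetical and constructed for illustration.

```python
import hashlib
import io
import re

# Constructed stand-in for a downloaded file; not real malware.
SAMPLE = b"constructed sample payload\n" * 4096

def file_digests(stream, chunk_size=65536):
    """Hash a binary stream in one pass; return hex SHA-256 and MD5."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5(usedforsecurity=False)  # used as an identifier only
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}

def is_sha256_hex(value):
    """True if value looks like a SHA-256 digest: exactly 64 hex characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None

def lookup(digests, verdicts, md5_index):
    """Query a verdict store. SHA-256 decides; an MD5-only hit is flagged
    for review instead of trusted, since MD5 collisions are practical."""
    sha = digests["sha256"].lower()
    if sha in verdicts:
        return "known", verdicts[sha]
    if digests["md5"].lower() in md5_index:
        return "md5-only-match", None
    return "unknown", None

# Hypothetical local verdict store (constructed); keys mirror Table 33 fields.
_known = file_digests(io.BytesIO(SAMPLE))
VERDICTS = {_known["sha256"]: {"threat_level": 9, "malware_type": "Trojan",
                               "action_taken": "block"}}
MD5_INDEX = {_known["md5"]: _known["sha256"]}

if __name__ == "__main__":
    for name, data in [("seen-before.bin", SAMPLE), ("new.bin", b"other bytes")]:
        d = file_digests(io.BytesIO(data))
        print(name, d["sha256"], lookup(d, VERDICTS, MD5_INDEX))
```

Running `is_sha256_hex` on a value copied from the UI before using it as the archive password catches truncated or mis-pasted digests, such as a 32-character MD5 pasted by mistake.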

In the Network Activity section, you can view information in the following tabs:

• Contacted Domains—If available, lists any domains that were contacted while executing the file in the Sky ATP sandbox.

• Contacted IPs—If available, lists all IPs that were contacted while executing the file, along with the destination IP's country, ASN, and reputation. The reputation field is based on Juniper IP intelligence data destination.

• DNS Activity—This tab lists DNS activity while executing the file, including reverse lookup to find the domain name of externally contacted servers. This tab also provides the known reputation of the destination servers.

HTTP Downloads

FINJAN-JN 044732
