# 3.1 Files


#### 📖 Overview

The **Files** submodule within the Analyzed section provides a complete historical log of all **scanned file attachments** processed by ShieldsGuard SEG.

These files are typically extracted from emails and analyzed in real time using static and dynamic malware analysis engines. The verdict assigned to each file allows analysts to identify harmful content before it reaches end users.

> 🛡️ Every file scanned here is a potential entry point for ransomware, trojans, and spyware. Monitoring this data is critical for your email security posture.

***

#### 🧠 What You’ll See

| Column            | Description                                                               |
| ----------------- | ------------------------------------------------------------------------- |
| **File Name**     | The original or hashed name of the file                                   |
| **Analysis Time** | Timestamp of when the file was processed                                  |
| **Verdict**       | Final analysis result (e.g., MALICIOUS, SUSPICIOUS, CLEAN, MAX FILE SIZE) |
| **Actions**       | View contextual details (related email, sender, etc.)                     |

***

#### 🧪 Verdict Types

| Verdict Label         | Meaning                                                          |
| --------------------- | ---------------------------------------------------------------- |
| **MALICIOUS**         | Confirmed malware or dangerous file behavior                     |
| **SUSPICIOUS**        | Indicators of compromise or obfuscation, but not fully confirmed |
| **MAXIMUM FILE SIZE** | File exceeds configured scan threshold, not analyzed             |
| **CLEAN**             | File passed all security checks                                  |

> ⚠️ Files flagged as MALICIOUS are automatically quarantined and blocked from delivery.

***

#### 🔍 Use Cases

| Scenario                   | Benefit                                                |
| -------------------------- | ------------------------------------------------------ |
| Track malware campaigns    | Identify reused or recurring malicious attachments     |
| Audit file-based threats   | Analyze when and how a file entered the system         |
| Investigate delivery paths | Correlate file to sender, recipient, and source domain |
| Triage based on file type  | Block dangerous extensions (.exe, .zip, .js, .rar)     |

***

#### 📤 Integration with Email

Each file is directly linked to the email message it was extracted from. You can:

* View the full **Mail ID** and associated metadata
* Analyze the **Sender Domain**, **Attachments**, and **URLs** in the same panel
* Take action (e.g., block domain, quarantine user)

***

#### 🛡️ File Type Intelligence

Common file formats analyzed:

* `.doc`, `.xls`, `.pdf` – Office and PDF document-based exploits
* `.zip`, `.rar`, `.tar` – Archive attacks with embedded payloads
* `.js`, `.vbs`, `.ps1` – Script-based threats
* `.exe`, `.dll` – Direct executables
* `.img`, `.iso`, `.lnk` – Disk-image and shortcut files used for initial access

***

#### ⚙️ Analyst Tips

* Filter files by verdict to quickly review only **malicious** or **suspicious** entries.
* Use timestamps to correlate large-scale attack waves or targeted campaigns.
* Combine this module with **3.3 Mail** for full context.
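
The following is an added example, not ShieldsGuard code: it applies the verdict-filter and timestamp-correlation tips to rows copied out of the Files table. The CSV layout, the timestamp format, the sample rows, and the function names are assumptions; this page does not document an export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. Column names follow the Files table; the CSV
# layout and timestamp format are assumptions, not a documented export.
SAMPLE_CSV = """File Name,Analysis Time,Verdict
invoice_0421.zip,2024-05-02 09:01:12,MALICIOUS
invoice_0421.zip,2024-05-02 09:03:40,MALICIOUS
invoice_0421.zip,2024-05-02 09:07:05,MALICIOUS
report.pdf,2024-05-02 09:10:00,CLEAN
backup.iso,2024-05-02 10:15:00,MAXIMUM FILE SIZE
scan.js,2024-05-02 11:00:00,SUSPICIOUS
invoice_0421.zip,2024-05-03 14:30:00,MALICIOUS
"""

REVIEW = {"MALICIOUS", "SUSPICIOUS"}
# Both spellings of the size verdict appear on this page.
UNANALYZED = {"MAXIMUM FILE SIZE", "MAX FILE SIZE"}

def load_rows(text):
    """Parse the CSV text into (file name, analysis time, verdict) tuples."""
    fmt = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format
    return [(r["File Name"].strip(),
             datetime.strptime(r["Analysis Time"].strip(), fmt),
             r["Verdict"].strip().upper())
            for r in csv.DictReader(io.StringIO(text))]

def find_waves(rows, gap=timedelta(minutes=15), min_hits=3):
    """Group flagged sightings of one file name into bursts separated by > gap."""
    by_name = defaultdict(list)
    for name, ts, verdict in rows:
        if verdict in REVIEW:
            by_name[name].append(ts)
    waves = []
    for name, times in by_name.items():
        times.sort()
        clusters = [[times[0]]]
        for ts in times[1:]:
            if ts - clusters[-1][-1] <= gap:
                clusters[-1].append(ts)   # same burst
            else:
                clusters.append([ts])     # quiet period ended the burst
        waves += [(name, c[0], c[-1], len(c)) for c in clusters if len(c) >= min_hits]
    return waves

def unanalyzed(rows):
    """Size-limited files were not scanned, so they are not CLEAN; list them."""
    return [name for name, _, verdict in rows if verdict in UNANALYZED]
```

Tune `gap` and `min_hits` to your mail volume; a file name that recurs across several bursts is a candidate for the campaign tracking described under Use Cases.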

***

> 🎯 The Files module is your forensic vault for malicious attachments — a vital tool for hunting, prevention, and incident response.


