Getting a file

The Get File action of Symantec Endpoint Detection and Response lets you get a file from an endpoint for further analysis. The action is available from the Actions menu on the Results grid of the Search tab and from the Files details page of the Console.
You can get a file from the endpoint in the following ways:
  • When the file is present on the endpoint, and the same file is also present in the file store.
    A file in the file store is only available for a month's duration.
  • When the file is present only on the endpoint.
The maximum PE file size that you can get is 100 MB. The maximum non-PE file size is 1 MB.
The Get File feature is supported for endpoints that run SEP 14.0 and later.
Getting a file from an endpoint when the file is present in the File store
  1. Log on to the Symantec Endpoint Service console, and select the Investigate menu.
  2. In the Security tab > Search, select the file that you want to get from an endpoint.
  3. From the Action menu, select Get File.
  4. On the Get File wizard page, select the file that you want to download from the endpoint and click Next.
  5. On the Download File page, click Download.
    The file is encrypted, renamed to its SHA256 hash without a file extension, and downloaded in an archive file format. The password to access the file is displayed. You can copy the password using the copy icon next to the password.
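The following added example (not part of the Symantec documentation or product) shows one way to check a retrieved file after you extract it from the archive: it confirms that the file name equals the SHA256 of the content and reports whether the content has a PE header. The function names are illustrative, and the example assumes that the file was already extracted with your archive tool.

```python
# Added example (not Symantec code): sanity-check a file retrieved with Get File
# after it has been extracted from the password-protected archive.
import hashlib
import struct
import sys
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large samples are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_pe(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with path.open("rb") as fh:
        header = fh.read(0x40)
        if len(header) < 0x40 or header[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def check_retrieved_file(path: Path) -> dict:
    """Compare the file name (expected: the SHA256, no extension) with the content hash."""
    actual = sha256_of(path)
    return {
        "sha256": actual,
        "name_matches_hash": path.name.lower() == actual,
        "is_pe": looks_like_pe(path),
    }


if __name__ == "__main__":
    # Usage: python check_retrieved.py <extracted file>; the sample is only read, never run.
    for arg in sys.argv[1:]:
        result = check_retrieved_file(Path(arg))
        print(arg, result)
        if not result["name_matches_hash"]:
            print("  WARNING: content does not match the hash in the file name")
```

A mismatch between the name and the computed hash means that the extracted content is not the file that the console identified, so re-download it before analysis.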
Getting a file from an endpoint when the file is present on the endpoint
  1. Log on to the Symantec Endpoint Service console, and select the Investigate menu.
  2. In the Security tab > Search, select the file that you want to get from an endpoint.
  3. From the Action menu, select Get File.
  4. On the Get File wizard, select the file that you want to download from the endpoint and click Next.
    You can perform the Get File action for a maximum file size of 20 MB.
  5. On the Get File page, select whether the file that you want to get is a Portable Executable (PE) file or a Non-Portable Executable (Non-PE) file, and click Get.
  6. If the file is a Non-Portable Executable (Non-PE) file, then you must enter either the credentials of the endpoint or the domain administrator credentials.
  7. Click Get.
You can view the logs for the Get File action from the Activity History tab of the Devices menu.