File carving extracts files from the packet logs of the traffic crossing your network. This is an important analysis feature that lets you close the loop on suspected downloads, payloads from exploits, or policy violations, and categorically identify malicious behavior or data exfiltration activities.
With VirusTotal integration, extracted files can be scanned immediately for known viruses and payloads without leaving the browser. The file carving system can be launched from the real-time or historical records in the Metaflows interface, or from the host flow data in the Ntop interface, and it selects precisely the packet logs that contain data about the host(s) and event(s) in question.
The images below show the File Carver and Network Antivirus process from start to finish.