diff --git a/src/Reporter.cc b/src/Reporter.cc
index 5cd6161c8c..ddbe58aaa0 100644
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@@ -349,7 +349,7 @@ void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl)
 			return;
 		}
 
-	WeirdHelper(file_weird, {f->GetVal()->Ref(), new StringVal(addl)},
+	WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl)},
 	            "%s", name);
 	}
 
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 2c8167aaec..52a1b20a1f 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -91,7 +91,7 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
 
 	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
 
-	val = new RecordVal(zeek::id::fa_file);
+	val = make_intrusive<RecordVal>(zeek::id::fa_file);
 	val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str()));
 	SetSource(source_name);
 
@@ -107,7 +107,6 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
 File::~File()
 	{
 	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str());
-	Unref(val);
 	delete file_reassembler;
 
 	for ( auto a : done_analyzers )
@@ -152,7 +151,7 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
 	if ( conn && FileEventAvailable(file_over_new_connection) )
 		{
 		FileEvent(file_over_new_connection, {
-			IntrusivePtr{NewRef{}, val},
+			val,
 			conn->ConnVal(),
 			val_mgr->Bool(is_orig),
 		});
@@ -301,7 +300,7 @@ bool File::SetMime(const std::string& mime_type)
 	meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
 	meta->Assign(meta_inferred_idx, val_mgr->False());
 
-	FileEvent(file_sniff, {IntrusivePtr{NewRef{}, val}, std::move(meta)});
+	FileEvent(file_sniff, {val, std::move(meta)});
 	return true;
 	}
 
@@ -340,7 +339,7 @@ void File::InferMetadata()
 		             file_analysis::GenMIMEMatchesVal(matches));
 		}
 
-	FileEvent(file_sniff, {IntrusivePtr{NewRef{}, val}, std::move(meta)});
+	FileEvent(file_sniff, {val, std::move(meta)});
 	}
 
 bool File::BufferBOF(const u_char* data, uint64_t len)
@@ -452,7 +451,7 @@ void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 			if ( FileEventAvailable(file_reassembly_overflow) )
 				{
 				FileEvent(file_reassembly_overflow, {
-					IntrusivePtr{NewRef{}, val},
+					val,
 					val_mgr->Count(current_offset),
 					val_mgr->Count(gap_bytes)
 				});
@@ -595,13 +594,7 @@ void File::Gap(uint64_t offset, uint64_t len)
 		}
 
 	if ( FileEventAvailable(file_gap) )
-		{
-		FileEvent(file_gap, {
-			IntrusivePtr{NewRef{}, val},
-			val_mgr->Count(offset),
-			val_mgr->Count(len)
-		});
-		}
+		FileEvent(file_gap, {val, val_mgr->Count(offset), val_mgr->Count(len)});
 
 	analyzers.DrainModifications();
 
@@ -619,7 +612,7 @@ void File::FileEvent(EventHandlerPtr h)
 	if ( ! FileEventAvailable(h) )
 		return;
 
-	FileEvent(h, zeek::Args{{NewRef{}, val}});
+	FileEvent(h, zeek::Args{val});
 	}
 
 void File::FileEvent(EventHandlerPtr h, val_list* vl)
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 5b43549aff..d201c416af 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -38,7 +38,12 @@ public:
 	/**
 	 * @return the wrapped \c fa_file record value, #val.
 	 */
-	RecordVal* GetVal() const { return val; }
+	const IntrusivePtr<RecordVal>& ToVal() const
+		{ return val; }
+
+	[[deprecated("Remove in v4.1.  Use ToVal().")]]
+	RecordVal* GetVal() const
+		{ return val.get(); }
 
 	/**
 	 * @return the value of the "source" field from #val record or an empty
@@ -333,7 +338,7 @@ protected:
 
 protected:
 	std::string id;                 /**< A pretty hash that likely identifies file */
-	RecordVal* val;            /**< \c fa_file from script layer. */
+	IntrusivePtr<RecordVal> val;            /**< \c fa_file from script layer. */
 	FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */
 	uint64_t stream_offset;      /**< The offset of the file which has been forwarded. */
 	uint64_t reassembly_max_buffer;      /**< Maximum allowed buffer for reassembly. */
diff --git a/src/file_analysis/analyzer/data_event/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc
index 082618c4ec..619605b34a 100644
--- a/src/file_analysis/analyzer/data_event/DataEvent.cc
+++ b/src/file_analysis/analyzer/data_event/DataEvent.cc
@@ -43,7 +43,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 	if ( ! chunk_event ) return true;
 
 	mgr.Enqueue(chunk_event,
-		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		GetFile()->ToVal(),
 		make_intrusive<StringVal>(new BroString(data, len, false)),
 		val_mgr->Count(offset)
 	);
@@ -56,7 +56,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
 	if ( ! stream_event ) return true;
 
 	mgr.Enqueue(stream_event,
-		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		GetFile()->ToVal(),
 		make_intrusive<StringVal>(new BroString(data, len, false))
 	);
 
diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc
index 7eb2dc17ec..401a9020d6 100644
--- a/src/file_analysis/analyzer/entropy/Entropy.cc
+++ b/src/file_analysis/analyzer/entropy/Entropy.cc
@@ -69,7 +69,7 @@ void Entropy::Finalize()
 	ent_result->Assign(4, make_intrusive<Val>(scc,     TYPE_DOUBLE));
 
 	mgr.Enqueue(file_entropy,
-		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		GetFile()->ToVal(),
 		std::move(ent_result)
 	);
 	}
diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc
index 68daecab1f..3b4c9ed8b0 100644
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@@ -92,7 +92,7 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
 		{
 		File* f = GetFile();
 		f->FileEvent(file_extraction_limit, {
-			IntrusivePtr{NewRef{}, f->GetVal()},
+			f->ToVal(),
 			IntrusivePtr{NewRef{}, Args()},
 			val_mgr->Count(limit),
 			val_mgr->Count(len)
diff --git a/src/file_analysis/analyzer/hash/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc
index a4b0a8930d..99187d243d 100644
--- a/src/file_analysis/analyzer/hash/Hash.cc
+++ b/src/file_analysis/analyzer/hash/Hash.cc
@@ -52,7 +52,7 @@ void Hash::Finalize()
 		return;
 
 	mgr.Enqueue(file_hash,
-		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		GetFile()->ToVal(),
 		make_intrusive<StringVal>(kind),
 		hash->Get()
 	);
diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
index a620d1403c..e9da2468d3 100644
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@@ -66,7 +66,7 @@ refine flow File += {
 			dh->Assign(16, val_mgr->Count(${h.AddressOfNewExeHeader}));
 
 			mgr.Enqueue(pe_dos_header,
-			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(dh));
 			}
 		return true;
@@ -76,7 +76,7 @@ refine flow File += {
 		%{
 		if ( pe_dos_code )
 			mgr.Enqueue(pe_dos_code,
-			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    make_intrusive<StringVal>(code.length(), (const char*) code.data())
 			    );
 		return true;
@@ -105,7 +105,7 @@ refine flow File += {
 			fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16));
 
 			mgr.Enqueue(pe_file_header,
-			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(fh));
 			}
 
@@ -156,7 +156,7 @@ refine flow File += {
 			oh->Assign(23, process_rvas(${h.rvas}));
 
 			mgr.Enqueue(pe_optional_header,
-			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(oh));
 			}
 		return true;
@@ -188,7 +188,7 @@ refine flow File += {
 			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));
 
 			mgr.Enqueue(pe_section_header,
-			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    connection()->bro_analyzer()->GetFile()->ToVal(),
 			    std::move(section_header)
 			    );
 			}
diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
index f395e919d9..78d32bbac2 100644
--- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
+++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
@@ -87,7 +87,7 @@ refine flow Flow += {
 			ids_event->Assign(17, val_mgr->Count(${ev.packet_action}));
 
 			mgr.Enqueue(::unified2_event,
-					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+					connection()->bro_analyzer()->GetFile()->ToVal(),
 					std::move(ids_event));
 			}
 		return true;
@@ -117,7 +117,7 @@ refine flow Flow += {
 			ids_event->Assign(16, val_mgr->Count(${ev.vlan_id}));
 
 			mgr.Enqueue(::unified2_event,
-					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+					connection()->bro_analyzer()->GetFile()->ToVal(),
 					std::move(ids_event));
 			}
 
@@ -137,7 +137,7 @@ refine flow Flow += {
 			packet->Assign(5, to_stringval(${pkt.packet_data}));
 
 			mgr.Enqueue(::unified2_packet,
-					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+					connection()->bro_analyzer()->GetFile()->ToVal(),
 					std::move(packet));
 			}
 
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index f2dd74883b..91c1535ec6 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -412,7 +412,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 
 	if ( ocsp_request )
 		mgr.Enqueue(ocsp_request,
-			IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+			GetFile()->ToVal(),
 			val_mgr->Count(version)
 		);
 
@@ -423,7 +423,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 		{
 		zeek::Args rvl;
 		rvl.reserve(5);
-		rvl.emplace_back(NewRef{}, GetFile()->GetVal());
+		rvl.emplace_back(GetFile()->ToVal());
 
 		OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
 		OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
@@ -454,13 +454,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	memset(buf, 0, sizeof(buf));
 
 	const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
-	StringVal* status_val = new StringVal(strlen(status_str), status_str);
+	auto status_val = make_intrusive<StringVal>(strlen(status_str), status_str);
 
 	if ( ocsp_response_status )
-		mgr.Enqueue(ocsp_response_status,
-			IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			IntrusivePtr{NewRef{}, status_val}
-		);
+		mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
 
 	//if (!resp_bytes)
 	//	{
@@ -479,22 +476,16 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	// get the basic response
 	basic_resp = OCSP_response_get1_basic(resp);
 	if ( !basic_resp )
-		{
-		Unref(status_val);
 		goto clean_up;
-		}
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	resp_data = basic_resp->tbsResponseData;
 	if ( !resp_data )
-		{
-		Unref(status_val);
 		goto clean_up;
-		}
 #endif
 
-	vl.emplace_back(NewRef{}, GetFile()->GetVal());
-	vl.emplace_back(AdoptRef{}, status_val);
+	vl.emplace_back(GetFile()->ToVal());
+	vl.emplace_back(std::move(status_val));
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version)));
@@ -537,7 +528,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 
 		zeek::Args rvl;
 		rvl.reserve(10);
-		rvl.emplace_back(NewRef{}, GetFile()->GetVal());
+		rvl.emplace_back(GetFile()->ToVal());
 
 		// cert id
 		const OCSP_CERTID* cert_id = nullptr;
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index b3bd999dd9..58946c7618 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -61,8 +61,8 @@ bool file_analysis::X509::EndOfFile()
 				return false;
 			// yup, let's call the callback.
 
-			cache_hit_callback->operator()(IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			                               entry, make_intrusive<StringVal>(cert_sha256));
+			cache_hit_callback->operator()(GetFile()->ToVal(), entry,
+			                               make_intrusive<StringVal>(cert_sha256));
 			return false;
 			}
 		}
@@ -84,7 +84,7 @@ bool file_analysis::X509::EndOfFile()
 	// and send the record on to scriptland
 	if ( x509_certificate )
 		mgr.Enqueue(x509_certificate,
-		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            GetFile()->ToVal(),
 		            IntrusivePtr{NewRef{}, cert_val},
 		            cert_record);
 
@@ -294,7 +294,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 				pBasicConstraint->Assign(1, val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen)));
 
 			mgr.Enqueue(x509_ext_basic_constraints,
-				IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+				GetFile()->ToVal(),
 				std::move(pBasicConstraint)
 			);
 			}
@@ -435,7 +435,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 		sanExt->Assign(4, val_mgr->Bool(otherfields));
 
 		mgr.Enqueue(x509_ext_subject_alternative_name,
-		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            GetFile()->ToVal(),
 		            std::move(sanExt));
 	GENERAL_NAMES_free(altname);
 	}
diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc
index 19680f6404..723786f42c 100644
--- a/src/file_analysis/analyzer/x509/X509Common.cc
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@@ -287,12 +287,11 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 	// but I am not sure if there is a better way to do it...
 
 	if ( h == ocsp_extension )
-		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		mgr.Enqueue(h, GetFile()->ToVal(),
 					std::move(pX509Ext),
 					val_mgr->Bool(global));
 	else
-		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-		            std::move(pX509Ext));
+		mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext));
 
 	// let individual analyzers parse more.
 	ParseExtensionsSpecific(ex, global, ext_asn, oid);
diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac
index ad922a5862..9aaf095b71 100644
--- a/src/file_analysis/analyzer/x509/x509-extension.pac
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@@ -39,7 +39,7 @@ refine connection MockConnection += {
 			return true;
 
 		mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
-			IntrusivePtr{NewRef{}, bro_analyzer()->GetFile()->GetVal()},
+			bro_analyzer()->GetFile()->ToVal(),
 			val_mgr->Count(version),
 			make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
 			val_mgr->Count(timestamp),
diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif
index 1f74668dd4..909e9ed20f 100644
--- a/src/file_analysis/file_analysis.bif
+++ b/src/file_analysis/file_analysis.bif
@@ -86,10 +86,8 @@ function Files::__lookup_file%(fuid: string%): fa_file
 	%{
 	auto f = file_mgr->LookupFile(fuid->CheckString());
 	if ( f != nullptr )
-		{
-		return IntrusivePtr{NewRef{}, f->GetVal()};
-		}
-	
+		return f->ToVal();
+
 	reporter->Error("file ID %s not a known file", fuid->CheckString());
 	return nullptr;
 	%}