API results for hash

The table below lists the sections that a hash investigation can return in JSON format.

Certain objects can be assigned the suspicious status. Suspicious is an internal name used only to identify objects with a threat score between 50 and 74; it means not trusted.

200 OK response parameters

Section in API

Section in web interface

Description

LicenseInfo

Information on the license used.

AccessType—License type ("Commercial" or "Trial").

DayRequests—Number of requests performed in the current day (for a commercial license).

DayQuota—Daily limit of requests (for a commercial license).

TokenExpirationDate—Date when an API token expires. If there is no API token requested, the null value is returned.

Zone

On the Threat Lookup results page, the panel with the requested object and its status appears in a certain color, depending on the zone of the investigated object.

Color of the zone that a hash belongs to.

RelatedObjects

Information about the presence of malicious objects associated with the indicator.

HasRedZone—Shows whether there are malicious objects (zone=red) related to the indicator: true—there are related malicious objects; false—no related malicious objects.

FileGeneralInfo

Overview

General information about the requested hash.

Md5—MD5 hash of the file requested by hash.

Sha1—SHA1 hash of the file requested by hash.

Sha256—SHA256 hash of the file requested by hash.

FirstSeen—Date and time when the requested hash was detected by Kaspersky expert systems for the first time, in your computer's local time zone.

LastSeen—Date and time when the requested hash was detected by Kaspersky expert systems for the last time, in your computer's local time zone.

Signer—Organization that signed the requested hash.

SignerZone—Color of the zone indicating the signer's trust level (red, gray, green).

SignerStatus—Trust level of the object signature (Discredited, Not trusted, Trusted).

Packer—Packer name.

Size—Size of the object that is being investigated by hash (in bytes).

Type—Format of the object that is being investigated by hash.

HitsCount—Number of hits (popularity) of the requested hash detected by Kaspersky expert systems.

HasApt—Shows whether the file is related to an advanced persistent threat (APT) attack.

RelatedAptReports—Array of objects that describe APT Intelligence reports, Crimeware Threat Intelligence reports, and Industrial reports, to which the requested hash is related. Each object contains a report's ID, type, and title. The report ID can be used as an argument (publication_id) for the get_one endpoint, which is used to obtain specific information for a report. If the requested hash is not related to reports, an empty array is returned.

DetectionsInfo

Detection names

Information about detected objects.

LastDetectDate—Date and time when the object was last detected by Kaspersky expert systems.

DescriptionUrl—Link to the description of the detected object on the Kaspersky threats website (if available).

Zone—Color of the zone that the detection object belongs to.

DetectionName—Name of the detected object.

DetectionMethod—Method used to detect the object.

FilePaths

File paths

Information about known paths to the file identified by the requested hash on computers using Kaspersky software.

Path—Path to the file on user computers identified by the requested hash.

Location—Root folder or drive where the file identified by the requested hash is located on user computers.

FilePathHitsCount—Number of path detections by Kaspersky expert systems.

FileNames

File names

Information about known names of the file identified by the requested hash on computers using Kaspersky software.

FileName—Name of the file identified by the requested hash.

FileNamesHitsCount—Number of file name detections by Kaspersky expert systems.

FileDownloadedFromUrls

File downloaded from URLs and domains

Information about web addresses and domains from which the file identified by the requested hash was downloaded.

Url—Web addresses accessed by the file identified by the requested hash.

IsUrlTruncated—Shows whether private data was filtered in the displayed web address.

Zone—Color of the zone that the web address belongs to.

Domain—Upper domain of the web address accessed by the file identified by the requested hash.

LastDownloadDate—Date and time when the file identified by the requested hash last accessed the web address.

IpsCount—Number of IP addresses that the domain resolves to.

FileAccessedUrls

File accessed the following URLs

Information about web addresses that were accessed by the file identified by the requested hash.

Url—Web addresses accessed by the file identified by the requested hash.

IsUrlTruncated—Shows whether private data was filtered in the displayed web address.

Zone—Color of the zone that the web address belongs to.

Domain—Upper domain of the web address used to download the file identified by the requested hash.

LastDownloadDate—Date and time when the file identified by the requested hash was last downloaded from the web address / domain.

IpsCount—Number of IP addresses that the domain resolves to.

FileStartedObjects

File started the following objects

Information about objects that started the file identified by the requested hash.

Zone—Color of the zone that a file belongs to.

HitsCount—Number of times the file identified by the requested hash was started as detected by Kaspersky expert systems.

Md5—MD5 hash of the object that started the file identified by the requested hash.

Location—Root folder or drive where the object is located on user computers.

Path—Path to the object on user computers.

Name—Name of the object that started the file identified by the requested hash.

LastStartDate—Date and time when the file identified by the requested hash was last started.

DetectionName—Name of the detected object.

FileStartedBy

File was started by the following objects

Information about objects that were started by the file that was identified by the requested hash.

Zone—Color of the zone that a file belongs to.

HitsCount—Number of times the file identified by the requested hash started the object as detected by Kaspersky expert systems.

Md5—MD5 hash of the started object.

Location—Root folder or drive where the started object is located on user computers.

Path—Path to the object on user computers.

Name—Name of the started object.

LastStartDate—Date and time when the object was last started by the file identified by the requested hash.

DetectionName—Name of the detected object.

FileDownloadedObjects

File downloaded the following objects

Information about objects that were downloaded by the file identified by the requested hash.

Zone—Color of the zone that a file belongs to.

HitsCount—Number of times the object was downloaded as detected by Kaspersky expert systems.

Md5—MD5 hash of the downloaded object.

Location—Root folder or drive where the downloaded object is located on user computers.

Path—Path of the downloaded object on user computers.

Name—Name of the downloaded object.

LastDownloadDate—Date and time when the object was last downloaded by the file identified by the requested hash.

DetectionName—Name of the detected object.

FileDownloadedBy

File was downloaded by the following objects

Information about objects that downloaded the file identified by the requested hash.

Zone—Color of the zone that a file belongs to.

HitsCount—Number of times the file identified by the requested hash was downloaded as detected by Kaspersky expert systems.

Md5—MD5 hash of the object that downloaded the file identified by the requested hash.

Location—Root folder or drive where the object is located on user computers.

Path—Path to the object on user computers.

Name—Name of the object that downloaded the file identified by the requested hash.

LastDownloadDate—Date and time when the file identified by the requested hash was last downloaded.

DetectionName—Name of the detected object.

FileCertificates

File signatures and certificates

Information about signatures and certificates of the file identified by the requested hash.

ParentMd5—MD5 hash of the certificate.

SerialNumber—Serial number of the certificate.

Vendor—Owner of the certificate.

Publisher—Publisher of the certificate.

TimeStamp—Date and time when the certificate was signed.

Issued—Date and time when the certificate was issued.

Expires—Expiration date of the certificate.

IsDirectlySigned—Shows whether a certificate is embedded into the file.

IsDiscredited—Shows whether the certificate is discredited.

IsTrusted—Shows whether the certificate is trusted.

IsRevoked—Shows whether the certificate is revoked.

IsGray—Shows whether the certificate is in a Gray zone.

IsGood—Shows whether the certificate is in a Good zone.

FileParentCertificates

Container signatures and certificates

Information about container certificates of the file identified by the requested hash.

ParentMd5—MD5 hash of the container's certificate.

SerialNumber—Serial number of the container's certificate.

Vendor—Owner of the container's certificate.

Publisher—Publisher of the container's certificate.

TimeStamp—Date and time when the container's certificate was signed.

Issued—Date and time when the container's certificate was issued.

Expires—Expiration date of the container's certificate.

IsDirectlySigned—Shows whether a container's certificate is embedded into the file.

IsDiscredited—Shows whether the container's certificate is discredited.

IsTrusted—Shows whether the container's certificate is trusted.

IsRevoked—Shows whether the container's certificate is revoked.

IsGray—Shows whether the container's certificate is in a Gray zone.

IsGood—Shows whether the container's certificate is in a Good zone.

FileUnpackedFrom

File was unpacked from the following objects

Information about parent objects of the file identified by the requested hash.

Zone—Color of the zone that the parent object belongs to.

ParentMd5—MD5 hash of the parent object.

ChildMd5—MD5 hash of the child object. For direct parent objects (level=0), the MD5 hash of the requested object is provided.

ParentFileSize—Size of the parent object (in bytes).

ParentFileType—File type of the parent object.

ParentDetectionName—Detected objects related to the parent object (for example, HEUR:Exploit.Script.Blocker).

Level—Parent level. The direct parent of the requested object has level=0. The parent of the requested object's parent has level=1, and so on. The maximum possible level is 5.

FileUnpackedObjects

File contains the following objects

Information about child objects of the file identified by the requested hash.

Zone—Color of the zone that the child object belongs to.

ChildMD5—MD5 hash of the child object.

ParentMD5—MD5 hash of the parent object. For direct child objects (level=0), the MD5 hash of the requested object is displayed.

ChildFileSize—Size of the child object (in bytes).

ChildFileType—File type of the child object.

ChildDetectionName—Detected objects related to the child object (for example, HEUR:Exploit.Script.Blocker).

Level—Child level. The direct child of the requested object has level=0. The child of the requested object's child has level=1, and so on. The maximum possible level is 5.

SimilarFiles

Similar files

Md5—MD5 hash of the object similar to the file identified by the requested hash.

Confidence—Trust level of the object similar to the file identified by the requested hash.

Status—Status of the object similar to the file identified by the requested hash.

DetectionName—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Hits—Number of hits (popularity) for the object similar to the file identified by the requested hash that was detected by Kaspersky expert systems (rounded to nearest power of 10).

FirstSeen—Date and time when the similar object was detected by Kaspersky expert systems for the first time (for your local time zone).

LastSeen—Date and time, accurate to one minute, when the similar object was detected by Kaspersky expert systems for the last time (for your local time zone).

Type—Type of the object similar to the file identified by the requested hash.

Size—Size of the object similar to the file identified by the requested hash (in bytes).

DataFeeds

Data Feeds

List of Threat Data Feeds that contain information about the requested hash. If the requested hash is not mentioned in Threat Data Feeds, this section is not returned.
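
The following is an added example, not Kaspersky's code, of how a client might triage a response built from the sections above and rebuild the container chain from FileUnpackedFrom. Only the section and field names come from this page; the JSON nesting, the value spellings and the md5-* placeholders are assumptions.

```python
import json

# Constructed sample: section and field names come from the table above; the
# nesting (object vs. array), the value spellings and the md5-* placeholders
# are assumptions made for this illustration.
SAMPLE = json.loads("""{
 "LicenseInfo": {"AccessType": "Commercial", "DayRequests": 120, "DayQuota": 2000},
 "Zone": "Red",
 "RelatedObjects": {"HasRedZone": true},
 "FileGeneralInfo": {"Md5": "md5-requested", "SignerStatus": "Not trusted",
                     "HasApt": false, "RelatedAptReports": []},
 "DetectionsInfo": [{"DetectionName": "HEUR:Exploit.Script.Blocker", "Zone": "Red"}],
 "FileCertificates": [{"SerialNumber": "01", "IsRevoked": true, "IsDiscredited": false}],
 "FileUnpackedFrom": [
  {"Level": 1, "ParentMd5": "md5-grandparent", "ChildMd5": "md5-parent"},
  {"Level": 0, "ParentMd5": "md5-parent", "ChildMd5": "md5-requested"}]
}""")

def quota_left(resp):
    """Requests remaining today; DayQuota/DayRequests apply to commercial licenses."""
    lic = resp.get("LicenseInfo", {})
    if lic.get("AccessType") != "Commercial":
        return None
    return lic["DayQuota"] - lic["DayRequests"]

def triage(resp):
    """Collect the fields that justify escalating the hash, as short reason strings."""
    general, reasons = resp.get("FileGeneralInfo", {}), []
    if str(resp.get("Zone", "")).lower() == "red":
        reasons.append("zone:red")
    if resp.get("RelatedObjects", {}).get("HasRedZone"):
        reasons.append("related-red-objects")
    if general.get("HasApt"):
        reasons.append("apt-reports:%d" % len(general.get("RelatedAptReports", [])))
    if general.get("SignerStatus") in ("Discredited", "Not trusted"):
        reasons.append("signer:" + general["SignerStatus"])
    for cert in resp.get("FileCertificates", []):
        if cert.get("IsRevoked") or cert.get("IsDiscredited"):
            reasons.append("bad-cert:" + str(cert.get("SerialNumber")))
    reasons += ["detection:" + d["DetectionName"] for d in resp.get("DetectionsInfo", [])]
    return reasons

def container_chain(resp):
    """Follow FileUnpackedFrom outwards: Level 0 is the direct parent, then 1, ..."""
    chain = [resp.get("FileGeneralInfo", {}).get("Md5")]
    for row in sorted(resp.get("FileUnpackedFrom", []), key=lambda r: r["Level"]):
        if row["ChildMd5"] == chain[-1]:   # skip rows that do not link to the tail
            chain.append(row["ParentMd5"])
    return chain

if __name__ == "__main__":
    print(quota_left(SAMPLE), triage(SAMPLE), container_chain(SAMPLE))
```

When several parents exist at the same level, container_chain follows the first one that links to the current tail and ignores the others.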
