Results tab

Kaspersky Threat Intelligence Portal provides information about detected items and activities that were registered during file execution. The execution results are displayed in separate tables, each of which contains up to 10 entries.

Results

Table name

Description

Table fields

Comments

Detection names

Detections registered during file execution.

Status—Status of the detected object (Malware, or Adware and other).

Name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view a description on the Kaspersky threats website.

Items in the table are sorted by status.

Triggered network rules

SNORT and Suricata rules triggered during analysis of traffic from the executed file.

Status—Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).

Rule—SNORT or Suricata rule name.

Items in the table are sorted by the Status field, from High to Info.

File download information

Information about the file download process.

This table is available only when an object was downloaded from a web address.

Method—Method of sending an HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.

User agent—Identification string of the user agent (browser) that was used to open the specified web address (for example, Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

Download request

Information about the request that was made to the submitted web address, from which the file was downloaded.

This table is available only when an object was downloaded from a web address.

Name—The Key attribute of the request.

Value—The Value attribute of the request.

Only information about the Host and User-Agent headers is provided.

Download responses

Detailed information about responses for the web address from which the file was downloaded.

This table is available only when an object was downloaded from a web address.

Status—Status (threat level) of the web address in the request.

Categories—Category of the web address from which the file was downloaded.

Protocol—Protocol that was used (HTTP or HTTPS).

URL—Web address to which the request was registered. Items are clickable and navigate to the Threat Lookup page, where you can search for information about the web address.

Response code—Response code of the HTTP request.

Response length—Size of the response to the HTTP request in bytes.

Response headers—Additional fields displayed as key:value. Standard header names are based on RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1.

Execution map

Graphical representation of the sequence of file activities and relationships between them. The root node of the tree represents the executed file.

Each tree element is marked according to its danger level (High, Medium, or Low).

You can view the execution map in full-screen or normal mode.

You can also zoom in on the execution map by scrolling the map area.

For each element, a brief and detailed description is available. Use the minus/plus buttons to expand or collapse the description for all elements. You can also expand or collapse an element description separately by clicking the drop-down icon. Clicking the element opens the tab with a detailed description.

Suspicious activities

Registered suspicious activities.

Status—Danger zone (level) of the registered activity (High, Medium, Low).

Severity—Numerical value of the danger level of the registered activity (integer 1–999).

Description—Description of suspicious activity. For example, "Executable has obtained the privilege", "The file has been dropped and executed", or "The process has injected binary code into another process". Certain descriptions include a mapping to the MITRE ATT&CK™ threat classification. For example, "MITRE: T1082 System Information Discovery".
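As an added example (not Kaspersky's code), the script below shows how a defender might post-process rows exported from the Triggered network rules and Suspicious activities tables described here: order them by danger zone as the portal does (High, Medium, Low, Info), pull the MITRE ATT&CK technique IDs out of descriptions of the form "MITRE: T1082 System Information Discovery", and report the highest severity. The row dictionaries, field values and rule names are constructed for the example; the portal does not expose this exact format.

```python
import re

# Danger zones used in the Results tab, most to least severe
# (the page states network rules are sorted from High to Info).
DANGER_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Info": 3}

# Descriptions in the Suspicious activities table may embed a mapping such as
# "MITRE: T1082 System Information Discovery" (sub-techniques like T1055.001
# are accepted too); the technique name runs up to the next ';' or '.'.
MITRE_RE = re.compile(r"MITRE:\s*(T\d{4}(?:\.\d{3})?)\s+([^;.]+)")

# Constructed sample rows shaped like the page's tables (not from a real report).
SAMPLE_NETWORK_RULES = [
    {"Status": "Low", "Rule": "sample rule: generic HTTP request"},
    {"Status": "High", "Rule": "sample rule: beacon to known C2"},
    {"Status": "Info", "Rule": "sample rule: user agent observed"},
]
SAMPLE_ACTIVITIES = [
    {"Status": "Medium", "Severity": 400,
     "Description": "The file has been dropped and executed"},
    {"Status": "High", "Severity": 900,
     "Description": "The process has injected binary code into another process; "
                    "MITRE: T1055 Process Injection"},
    {"Status": "Low", "Severity": 50,
     "Description": "MITRE: T1082 System Information Discovery"},
]


def sort_by_status(rows):
    """Order rows as the portal does: High, Medium, Low, Info; unknown values last."""
    return sorted(rows, key=lambda r: DANGER_ORDER.get(r["Status"], len(DANGER_ORDER)))


def extract_mitre(rows):
    """Map technique ID -> technique name found in activity descriptions."""
    found = {}
    for row in rows:
        for tid, name in MITRE_RE.findall(row["Description"]):
            found[tid] = name.strip()
    return found


def highest_severity(rows):
    """Severity is an integer 1-999 per row; return the maximum seen (0 if none)."""
    return max((int(r["Severity"]) for r in rows), default=0)


def summarize(network_rules, activities):
    """Compact triage view of the two tables for a detection engineer."""
    return {
        "network_rules": [r["Rule"] for r in sort_by_status(network_rules)],
        "max_severity": highest_severity(activities),
        "mitre_techniques": extract_mitre(activities),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_NETWORK_RULES, SAMPLE_ACTIVITIES))
```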

MITRE ATT&CK matrix

Information about known tactics, techniques and procedures (TTPs), and their mapping to the MITRE ATT&CK classification for the executed object.

All elements in the matrix are clickable and take you to the MITRE ATT&CK website.

To view sub-techniques (if available), you can expand certain elements.

Screenshots

Set of screenshots taken during file execution.

Screenshots are taken for each action the object performs.

Screenshots are available as a gallery with preview images, and as full-size images. To view a full-size image, click the desired screenshot. You can zoom in and out on images for a better view.

You can also download screenshots by clicking the Download data button.
