Report page for Similarity

The Similarity page displays information about files that are similar to the analyzed file.

Using machine-learning (ML) methods, Kaspersky systems extract features of the requested file and detect similar malicious files. Information about similar files can be used during incident response to search more extensively for modifications and variations of a malicious object. This information allows you to optimize perimeter protection from certain threats and take into account different modifications and variations of a malicious object.

Please note that Kaspersky Threat Intelligence Portal and Kaspersky Threat Attribution Engine use different approaches to detect file similarity. Kaspersky Threat Intelligence Portal searches for similarity by special hashes, while Kaspersky Threat Attribution Engine searches by genotypes and strings extracted from the body of the file. For more information, see the Kaspersky Threat Attribution Engine documentation.

The Similarity report page contains the sections described in the table below.

Similarity page

Section

Description

Fields

Analyzed file

Name of the analyzed file and whether similar files were found: Similar files found or Similar files not found.

You can download information about detected similar files as an archive by clicking the Export results button.

Summary

Date and time when the file analysis started.

Sample & Content

Information about similar files. Contains the data described in the table below.

Depending on the submitted object, this section contains the following:

  • Not an archive—Section with analysis results for the submitted file.
  • Archive containing one file—Section with analysis results for the submitted archive and section with analysis results for the extracted file.
  • Archive containing more than one file—Section with analysis results for the submitted archive and section with a list of extracted files, without analysis results.

Info

General information about the analyzed file.

MD5—MD5 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the MD5 hash.

SHA1—SHA1 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA1 hash.

SHA256—SHA256 hash of the executed file. This item is clickable and takes you to the Threat Lookup page, where you can search for information about the SHA256 hash.

File name—Name of the analyzed file.

Size—Size of the executed file in bytes.

Similar files

Information about detected similar files.

You can click the Download data button located by this section to export the corresponding data. The button is available if the section contains data.

Status—Status of the file that is similar to the analyzed file. If necessary, use the filter to view files with a specific status: Malware, Good, Not categorized.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Confidence—Level of confidence that the object is similar to the submitted file. Kaspersky Threat Intelligence Portal displays similar files with a confidence level from 8 to 11.

First seen—Date and time when the similar file was detected by Kaspersky expert systems for the first time (for your local time zone).

Last seen—Date and time, accurate to one minute, when the similar file was detected by Kaspersky expert systems for the last time (for your local time zone).

Hits—Number of hits (popularity) for the file similar to the analyzed file that was detected by Kaspersky expert systems (rounded to the nearest power of 10).

MD5—MD5 hash of the file similar to the analyzed file. Items are clickable; you can select the following actions:

  • Copy—to copy the hash to the clipboard.
  • Lookup—to start the hash lookup and view results on the Threat Lookup page.
  • Lookup in a new tab—to start the hash lookup and view results on the Threat Lookup page in a new tab.

Type—Type of the file similar to the analyzed file.

Size—Size of the file similar to the analyzed file.

Statistics for similar files

Statistical information about detected similar files.

Similarity—Total number of detected similar files.

Confidence summary—Chart that displays the total number of similar files, and the proportion of confidence levels.

Status summary—Chart that displays the total number of similar files, and the proportion of files with Malware (red), Clean (green), Adware and other (yellow), and Not categorized (gray) status.

Detection names—Detected objects (for example, HEUR:Exploit.Script.Blocker):

  • Name—Name of the detected object.
  • Number—Number of similar files that contain the detected object.

Archive content

Information about files extracted from the submitted archive. This section is displayed if the archive contains more than one file.

  • MD5—MD5 hash of the extracted file.
  • File name—Name of the extracted file.
  • Type—Type of the extracted file.
