Starting file download and execution

Before executing a file, you can download it from a web resource and select execution options.

To download and execute a file:

  1. On the Threat Analysis → Download and execute file page, in the URL field, specify a link to a file that you want to download and execute.

    You can download files only from HTTP or HTTPS web addresses.

    If you execute a multi-file (packed) object, make sure it contains fewer than 1000 files. Kaspersky Threat Intelligence Portal scans all files in the object, but only 1000 files are available for downloading. We recommend that you execute objects that contain fewer than 1000 files. The size of individual files in the packed object must not exceed 256 MB. The total size of all files when unpacked must not exceed 1 GB.

  2. If you want to execute an archive, make sure its format is supported.

    If necessary, enter a password for the archive in the Archive password (optional) field (up to 256 characters). Any characters are allowed, although double-quote (") and backslash (\) characters must be escaped to ensure they are not interpreted as control characters in JSON.

    If you do not enter a password for a password-protected archive, Kaspersky Threat Intelligence Portal tries to unpack an archive using default passwords. You can show or hide the password by clicking the eye icon.

  3. Turn on the Sandbox toggle switch to execute a file in Kaspersky Sandbox.
  4. If necessary, click Advanced options to specify advanced settings in the opened side-bar:
    • In the File execution environment drop-down list, select the operating system that you want to use as an execution environment.

      Available values:

      • Auto (Kaspersky Threat Intelligence Portal automatically determines the optimal operating system for the type of downloaded file)
      • Microsoft Windows XP SP3 x86
      • Microsoft Windows 7 x86
      • Microsoft Windows 7 x64
      • Microsoft Windows 10 x64
      • Android x86
      • Android Arm

      The Auto execution environment is selected by default.

    • In the File execution time (sec) field, specify the object execution time in seconds.

      By default, the Auto value is selected: Kaspersky Threat Intelligence Portal automatically selects the optimal execution time for your object.

      To specify the execution time manually (from 30 to 500 seconds), click the Auto field and use the slider.

      To return to the recommended value, click the Reset to Auto button.

      A downloaded object will be executed in the selected environment during the specified execution time. The specified time does not include the time required for analysis and displaying results.

    • If you want to specify the region of a network channel that the file uses to access the internet, select the required region in the Internet access options drop-down list.

      Available values:

      • Auto—The internet channel belongs to any region and does not direct traffic through the TOR network. If no region is available, the Tarpit value is selected.
      • Tor—The internet channel does not belong to any region and directs traffic through the TOR network.
      • Tarpit—The access to the internet is emulated. This option is used when internet is not available or the analyzed object should not have access to the internet.
      • Countries and regions (for example, AU, DE). The list of channels for countries is not fixed, and can be modified.

      The Auto item is selected by default. For more details about channels, refer to Internet channel values.

      The list of available regions can contain individual countries through which the executed file can access the internet.

    • In the Change file name and extension to field, you can specify another name and extension for the downloaded file. In this case, Kaspersky Threat Intelligence Portal attempts to execute the file according to the specified extension. Also, Kaspersky Threat Intelligence Portal determines the file type after downloading the file to Kaspersky Sandbox, and processes the file accordingly. The results page displays the extension determined by Kaspersky Threat Intelligence Portal.

      You can use the portable executable (PE) format to process files that are not images. To do this, you must explicitly specify a file extension in the file name or in the Change file name and extension to field.

      Most characters can be used to specify a file extension. Reserved characters <, >, :, ", /, \, |, ?, * cannot be used.

      You can enter up to 254 characters to specify a file name and extension.

      If the file extension is not specified, Kaspersky Threat Intelligence Portal attempts to determine it automatically, and then executes the file.

      For more details about file types, refer to the Automatically detected file types section.

    • You can use Kaspersky Threat Intelligence Portal to open password-protected documents during execution. To do this, enter the password in the Document password (optional) field. You can show or hide the password by clicking the eye icon. This field is empty by default.
    • Kaspersky Threat Intelligence Portal can start object execution with specific parameters. To do this, enter the required parameters in the Command line parameters field.

      This field is optional and available only when a Microsoft Windows execution environment is selected. Command line examples are described in the Appendices.

    • If you want to decrypt HTTPS traffic that is generated by the object during execution, select the Decrypt HTTPS check box. The check box is selected by default.

      The check box is unavailable if Microsoft Windows XP SP3 x86 is selected as the file execution environment.

      Disabling HTTPS traffic decryption may reduce the probability of malware detection. This functionality allows you to obtain artifacts with information about the object interaction via HTTPS during the task execution. We recommend disabling HTTPS traffic decryption only if you are sure that it will interfere with the analysis of a particular object.

    • If you want Kaspersky Threat Intelligence Portal to follow the links in documents opened in the Kaspersky Sandbox, select the Click links check box.

      Selecting this option can increase the level of detection of malicious objects and malicious object behavior. This check box is selected by default.

  5. Turn on the Attribution toggle switch to use Kaspersky Threat Attribution Engine technology to find attribution entities related to the analyzed file.
  6. If necessary, click Advanced options to specify advanced settings in the opened side-bar:
    • If you want Kaspersky Threat Intelligence Portal to unpack the contents of the attached file before analysis using Kaspersky Threat Attribution Engine technology, select the Unpack check box. If a password you specified in the Archive password (optional) field does not match, Kaspersky Threat Intelligence Portal tries to unpack an archive using default passwords. If no password matches, then only the archive will be analyzed, and the Error status will be assigned to the task. The report will be available and contain information only about the archive.

      The check box is selected by default.

    • If you want the Kaspersky Threat Intelligence Portal to ignore similarity thresholds for compared samples, select the Reset similarity thresholds check box. The check box is cleared by default.

      If this check box is cleared, Kaspersky Threat Intelligence Portal considers your sample to be similar to a previously analyzed actor's sample if they have a number of common genes or strings greater than or equal to a threshold value set by Kaspersky experts. For each actor, a threshold is specified separately. In this case, Kaspersky Threat Intelligence Portal returns fewer results, but the proportion of useful results is higher.

      If you select this check box, Kaspersky Threat Intelligence Portal considers your sample to be similar to a previously analyzed actor's sample if they have at least one common gene or string. In this case, Kaspersky Threat Intelligence Portal returns more results. It is useful to enable this parameter if all parts of the code in your sample are malicious, and you want to find more similar actor samples.

  7. Turn on the Similarity toggle switch to search for similar files. This toggle switch is available only if you turn on the Sandbox toggle switch. Kaspersky Threat Intelligence Portal searches for similar files only if a single file or an archive containing one file is downloaded. If you download an archive containing more than one file, Kaspersky Threat Intelligence Portal searches for similar files for the downloaded archive, but not for the files in the archive.
  8. Click the Start analysis button to start the file execution process.

    Kaspersky Threat Intelligence Portal will display object execution results.

    An entry describing execution results for each analysis technology appears separately in the History table. You can start to analyze results when the process finishes and the Execution state field is Completed.

  9. If you want to execute a previously analyzed file, in the History table, click the rescan button by the required object, and repeat steps 2–6 of this procedure. The file will be downloaded again. For archived tasks (the History → Archived tab), rescan is not available. You have to specify the link and start execution again.

    If the previously specified internet channel is no longer available, the Auto item is selected by default.

    If the file is executed again later, results may differ from those shown in the History table for the same file. This is because Kaspersky expert systems update information about objects in real time. Therefore, execution results depend on the threat landscape.

Up to 1000 of the latest file executions and web address analysis results for a user are stored. When the maximum number of stored results is reached, the oldest results are assigned Archived status. For archived tasks, you can only view or delete a brief summary. For more details about archived tasks, refer to the About archived (discarded) tasks section.
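
The limits stated in this procedure can be checked locally before a task is submitted. The following is an added example, not Kaspersky code, and it calls no portal API; the function names, the use of a ZIP archive, and the reading of MB and GB as binary units are assumptions.

```python
import io
import json
import zipfile

MAX_FILES = 1000                  # page: fewer than 1000 files per object
MAX_MEMBER_BYTES = 256 * 1024**2  # page: 256 MB per file (binary MB assumed)
MAX_TOTAL_BYTES = 1024**3         # page: 1 GB unpacked in total
RESERVED = set('<>:"/\\|?*')      # page: reserved characters

def check_archive(zip_bytes):
    """List limit violations, using the sizes declared in the ZIP directory.
    Declared sizes can be forged, so never extract untrusted archives here."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
    problems = []
    if len(members) >= MAX_FILES:
        problems.append(f"{len(members)} files; fewer than {MAX_FILES} expected")
    for m in members:
        if m.file_size > MAX_MEMBER_BYTES:
            problems.append(f"{m.filename}: larger than 256 MB")
    if sum(m.file_size for m in members) > MAX_TOTAL_BYTES:
        problems.append("total unpacked size exceeds 1 GB")
    return problems

def check_options(file_name=None, archive_password=None, exec_time=None):
    """Validate form values; None means the field is left at its default."""
    problems = []
    if file_name is not None:
        if len(file_name) > 254:
            problems.append("file name and extension longer than 254 characters")
        bad = sorted(RESERVED & set(file_name))  # whole field checked (assumption)
        if bad:
            problems.append("reserved characters in file name: " + " ".join(bad))
    if archive_password is not None and len(archive_password) > 256:
        problems.append("archive password longer than 256 characters")
    if exec_time is not None and not 30 <= exec_time <= 500:
        problems.append("execution time outside 30-500 seconds")
    return problems

def json_escape(password):
    """Escape double quotes and backslashes (and control characters) for JSON."""
    return json.dumps(password, ensure_ascii=False)[1:-1]

if __name__ == "__main__":
    buf = io.BytesIO()                       # constructed sample archive
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.docm", b"constructed test content")
    print(check_archive(buf.getvalue()))
    print(check_options(file_name="invoice?.exe", exec_time=600))
```
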
