This section explains how you can execute files and emulate opening web addresses in safe environments that are isolated from your corporate network, using the Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies.
After you upload a file to the selected environment or start the web address analysis, Kaspersky Threat Intelligence Portal displays the results, including a graphical representation. Execution results, either in full or for selected sections only, can be downloaded as archives for further analysis.
During file execution, screenshots are taken for each change in the file execution environment. You can view screenshots online, or you can download all of them as an archive.
You can also analyze objects by using the Kaspersky Threat Intelligence Portal API.
Using Kaspersky Threat Attribution Engine technology, Kaspersky Threat Intelligence Portal automatically analyzes the "genetics" of malware, looking for code similarities with previously investigated advanced persistent threat (APT) samples and linked attribution entities. The portal compares the "genotypes" (small binary pieces of analyzed files) with the APT malware samples database and provides a report on malware origin, attribution entities, and file similarity with known APT samples.
When you send a file for analysis, Kaspersky Threat Intelligence Portal uses the Kaspersky Threat Attribution Engine technology to find genotypes and strings, and compares them with known genotypes and strings. As a result of this comparison, the analyzed file can be associated with one or more known attribution entities. An attribution entity is an actor, campaign, or known malware, or a combination of these three aspects.
For more information, please see Kaspersky Threat Attribution Engine documentation.
Using machine-learning (ML) methods, Kaspersky Threat Intelligence Portal searches for files that are similar to the analyzed file. Kaspersky systems extract features of the analyzed file and use them to find similar malicious files. Information about similar files can be used during incident response to search more widely for modifications and variations of a malicious object. It also lets you tune perimeter protection against a given threat while accounting for those modifications and variations.
On the Threat Analysis page, the available usage quotas for the Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies are displayed. If necessary, you can apply for a quota increase for the corresponding technology by clicking the Increase your quota link. In the sidebar that opens, add a comment if needed and click Send.
Analysis results are displayed in the History table on the Threat Analysis page. You can click the required task area to expand it and view more details.
The Active tab displays the latest 1000 task results. Older task results are displayed on the Archived tab.
Result history table
| Table field | Description |
|---|---|
| Created | Date and time when the task was created. |
| Object | Submitted object name. When expanded, the following information is displayed: |
| Details | Task execution state, and the status of the Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies for the analyzed object. The displayed status depends on the technology you selected for object execution. The History table shows the object status as it was defined at the moment the request was processed. The task execution state is displayed next to the corresponding technology name; if the task fails, the reason for the error is displayed. For Kaspersky Sandbox, the status can be one of the following: |
| Actions | Actions you can perform on the object execution results. For recent tasks (the Active tab): |
When you click an item in the History table, brief information about the analyzed object is displayed. The fields shown depend on the type of the analyzed object.