In the Kaspersky CyberTrace web user interface you can select the Retroscan tab. Before using retrospective scan you can configure it in the "Retrospective scan settings" section.
Retrospective scanning allows you to rescan incoming events with objects that were not considered malicious. The reason for these checking results could be that at the time of receiving such objects, Kaspersky CyberTrace did not contain information about related threats. However, because threat data feeds are continuously updated, it can be useful to save events that do not contain detected indicators and then rescan these events manually or according to a schedule.
When retrospective scan is in progress, all indicators (with type other than CONTEXT) obtained from the events by applying regular expressions are matched with the indicators of the feeds used in Kaspersky CyberTrace.
The indicators are matched according to the regular expressions enabled in retrospective scan settings on the Fields saved for retroscan tab.
You can edit or add new regular expressions by selecting the Settings tab and then the Matching tab. If saved, the regular expressions will be available in the retrospective scan settings section on the Fields saved for retroscan tab.
The retrospective scan result is not displayed on the page with detections.
In case of detection, the events, which appeared in CyberTrace after adding an indicator to a feed, will be displayed in the Detections section and will not be subject to retrospective scanning.
For example, if an indicator was added to a feed after its IP/Hash/URL had been obtained by means of a regular expression used in retrospective scan, and if there were no detections related to this indicator, then the next retrospective scan run will display information about this indicator in the Detected indicators section, while the Date and time field will display date and time of indicator detection by retrospective scan.
Each event related to this indicator will have its own record in the retrospective scan report.
The Retroscan tab allows you to launch the retrospective scan manually and view the results that are received after the scan process is finished.
On this tab, you can perform the following actions:
Also, this tab displays the following:
The size of events is displayed with a delay of up to one hour. The actual current size of saved events may exceed the displayed value.
The table contains the following columns of data:
The result contains detected indicators.
The result does not contain detected indicators.
The retrospective scan process was canceled.
If necessary, you can configure displaying only those results that contain detected indicators.
Retroscan results
Launching a retrospective scan
To launch a retrospective scan:
Click the Start retroscan button.
If needed, you can cancel the scan process.
Launching the retrospective scan can be unavailable for several reasons:
Configuring display of retrospective scan results that contain detection events
To display only the results that contain detection events:
Select Show only retroscan results with detection above the Retroscan results table.
Specifying the results period
You can specify the time period for displaying results by selecting one of the Retroscan results period options above the Retroscan results table. You can select one of the following periods:
Specifying the time period for retroscan results
Viewing results of a single retrospective scan
To view detailed information about a single retrospective scan task:
On the page that opens, you can find detailed information about the first 50 detection events. To see all events, download the full report in CSV format (see below).
On the page, the following information is displayed:
You can view detailed information about each indicator by clicking the indicator that you want.
Downloading a report with the results of the retrospective scan
To download a report:
Click the Download report link near the Detected indicators section.
The generated CSV file contains the following data: