Information in the Scan results section

The Scan results section can display the following results of alert scanning:

The names of the program modules or components that generated the alert.
One or multiple categories of the detected object. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.
Versions of databases of Kaspersky Anti Targeted Attack Platform modules and components that generated the alert.
Results of alert scanning by program modules and components:
- YARA—Category of the detected file in YARA rules (for example, the category name susp_fake_Microsoft_signer can be displayed).
  The Find on KL TIP button allows to find a file on the Kaspersky Threat Intelligence Portal.
  
  Kaspersky information system Contains and displays reputation information for files and URL addresses.
  
  Click Create a prevention rule to prevent the file from running.
- SB (Sandbox)—Results of the file behavior analysis performed by the Sandbox component.
  You can click Sandbox detect to open a window with detailed information about the results of file behavior analysis.
  
  The Find on KL TIP button allows to find a file on the Kaspersky Threat Intelligence Portal.
  
  Click Create a prevention rule to prevent the file from running.
  
  You can download a detailed log of file behavior analysis in all operating systems by clicking Download debug info.
  
  The file is downloaded in the form of a ZIP archive encrypted with the password “infected”. The name of the scanned file inside the archive is replaced by the file's MD5 hash. The file extension of file inside the archive is not displayed.
  
  By default, the maximum hard drive space for storing file behavior scan logs is 300 GB in all operating systems. Upon reaching this limit, the program deletes the oldest file behavior scan logs and replaces them with new logs.
- URL (URL Reputation) is the category of a malicious, phishing URL or an URL that has been previously used by attackers for targeted attacks on corporate IT infrastructures.
- IDS (Intrusion Detection System) is the category of the detected object based on the Intrusion Detection System database or the name of the IDS user rule that was used to create the alert. For example, the displayed category can be Trojan-Clicker.Win32.Cycler.a.
  Click the link to display the category of the object in the Kaspersky Threats database.
- AM (Anti-Malware Engine)—Category of the detected object based on the anti-virus database. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.
  Click the link to display the category of the object in the Kaspersky Threats database.
  
  The Find on KL TIP button allows to find a file on the Kaspersky Threat Intelligence Portal.
  
  Click Create a prevention rule to prevent the file from running.
  
  Click Download file to download the file to your computer's hard drive.
- TAA (Targeted Attack Analyzer)—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
  Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
  
  The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) database contains descriptions of hacker behavior based on the analysis of real attacks. It is a structured list of known hacker techniques represented as a table.
- IOC—Name of the IOC file used to create the alert.
  Select an IOC file to open a window with the results of the IOC scan.
  
  Click Find events to display the Threat Hunting event table in a new browser tab. A search filter is configured in the search criteria, for example, by MD5, FileFullName. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.