Viewing information about files that have sent for scanning to the Kaspersky Anti Targeted Attack Platform

If necessary, you can see if the file has been scanned in Kaspersky Anti Targeted Attack Platform and what the scan result was. To do so, you must get the information about the application's operation using the kata-collect script.

To get the information about the application's operation using the kata-collect script.

Sign in to the management console of the server for which you want to get information over SSH or through a terminal.
If you are using Kaspersky Anti Targeted Attack Platform in distributed solution and multitenancy mode, you need to perform these steps on each Central Node server. If your organization's infrastructure has separately installed Sensor components, you must also follow these steps on servers that have this component. If the application is deployed as a cluster, you must perform these steps on one of the servers with the 'manager' role in Docker swarm. To view the role of a server, use the $ docker node ls command.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).
When the system prompts you, enter the administrator user name and password that were specified while installing the component.
The application component administrator menu is displayed.
In the list of sections of the application administrator menu, select the Technical Support Mode section.
Press Enter.
This opens the Technical Support Mode confirmation window.
Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press Enter.
Run the script by executing the command:
sudo kata-run.sh kata-collect --output-dir <path>

You can also specify one or multiple parameters for this command (see the table below).

Parameters of the kata-collect utility

Required parameter	Parameter	Description
Yes	`--output-dir <path>`	Create a directory at the specified path, where <path> is an absolute or relative path of the directory where you want to save the archive with the downloaded data. If no path is specified, the data archive is saved in the /tmp/collect directory by default.
No	`--no-prometheus`	Skip preparing and dumping the prometheus database. This parameter significantly speeds up the script.
No	`--no-siem-logs`	Skip downloading the data that is written to the SIEM system.
No	`--siem-logs-range-start <YYYY-MM-DD-HH>`	Download the data written to the SIEM system starting from this date (inclusive).
No	`--siem-logs-range-end <YYYY-MM-DD-HH>`	Download the data written to the SIEM system ending with this date (inclusive).

Example:

Command to get information about the operation of the application with SIEM system data filtered by date and without the prometheus database:

sudo kata-run.sh kata-collect --output-dir <path> --no-prometheus --siem-logs-range-start <YYYY-MM-DD-HH> --siem-logs-range-end <YYYY-MM-DD-HH>

When the script finishes, a collect--<archive download date>tar.gz archive is saved to the specified directory. Information about files received for scanning by Kaspersky Anti Targeted Attack Platform is contained in the log, which is located in the /logs/kaspersky/siem/log-history/ directory inside the created archive. If a file was excluded from scanning, information about such a file is also reflected in the log.

You can find any file by its name or MD5 hash.

If the file was obtained by the Sensor component, you can find it by the following fields:

File source information:
- The source IP address and destination IP address, if the file was obtained from traffic.
- The sender email address and recipient email address, if the file was received by email.
- The IP address and ID of the external system, if the file was received from an external system.
- The IP address and name of the host if the file was received from an Endpoint Agent host.
- The user account name if the file was manually uploaded to Kaspersky Anti Targeted Attack Platform.
Source type: span, smtp, icap, pop3, external (external system), endpoint (Endpoint Agent host), upload (manually uploaded file).
For email messages, the Message-ID field is logged.

Special considerations for file information logging

When searching for file information in the log, keep in mind the following special considerations for file information logging:

File information is logged twice: when the file is obtained from traffic and when the file is scanned. If the Sensor component is installed separately from the Central Node in your infrastructure, the file receipt record goes to the log of the Sensor component, and the file scanning record goes to the log of the Central Node component to which the Sensor is connected. If the Central Node component and the Sensor are installed on the same server, both records are written to the Central Node log.
For a compound file (for example, an archive or an email message), the hash of the parent file and the name and hash of the child file are logged if the child file was scanned by one of the Kaspersky Anti Targeted Attack Platform technologies.

Examples of apt-history log records for the MD5 hash of a file

Examples of apt-history log records for the MD5 hash of a file are listed in the table below.

Examples of apt-history log records for the MD5 hash of a file

Log record	Value
2024-06-11 02:37:03.645586 info apt-history: f0429d4845208857cd303df968ef545e enqueued am, priority: normal	The file was received for processing using the Anti-Malware Engine technology.
2024-06-11 02:37:03.647434 info apt-history: external KSMG sensor with ip 10.0.0.0 provide file with name: File_Name 2024/2025, md5: f0429d4845208857cd303df968ef545e, msg_id: <87c13e55e789aa966089b6bf2e8c453b@localhost.localdomain>	String for objects received for processing in Kaspersky Anti Targeted Attack Platform from Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server. Information worth paying attention to: external KSMG sensor with ip 10.0.0.0 — IP address of the Kaspersky Secure Mail Gateway server. File_Name 2024/2025 — file name md5 — MD5 hash of the file being scanned msg_id — message ID
2024-06-11 02:37:03.847696 info apt-history: f0429d4845208857cd303df968ef545e engine am result {verdict: CLEAN, bases_version: 202406071010, detect_time: 2024-06-11 02:37:03.841275, rescan_priority: 3, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, multitask_details: {priority: background, tasks: {pdf: 1}}, scanEngines: [sb]}	The result of processing the object using the Anti-Malware Engine technology. Includes the status assigned to the object after scanning (CLEAN) and information about the technologies that will be used to additionally scan the object ("scanEngines: [sb]"). Information worth paying attention to: multitask_details — details about the scan task priority — priority of the scan Possible values are 'background', 'must' scanEngines — scanning technology Possible values are [yr] for YARA, [sb] for Sandbox.
2024-06-11 02:37:03.886784 info apt-history: f0429d4845208857cd303df968ef545e enqueued sb: {pdf: 1}, priority: low, sb_priority: background	The task was sent to the Sandbox component for processing. Information worth paying attention to: {pdf: 1} — number and type of objects sent for scanning low — processing priority Possible processing priority values are 'low', 'medium', 'high'. background — the type of queue for processing by the Sandbox component. Possible values are 'background', 'must'
2024-06-11 02:37:04.179597 info apt-history: f0429d4845208857cd303df968ef545e delivered to sb, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900	The task was sent to the Sandbox component for processing. Information worth paying attention to: node:Server_Name — name of the server with the Sandbox component mtask_id: 900 — task ID.
2024-06-11 02:38:44.515070 info apt-history: f0429d4845208857cd303df968ef545e sb result received, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900, priority: low	The result of processing the object by the Sandbox component has been received.
2024-06-11 02:38:44.783370 info apt-history: f0429d4845208857cd303df968ef545e engine sb result {bases_version: 202406102122, detect_time: 2024-06-11 02:38:44.776655, verdict: SILENT, hidden: True, details: [{file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, images: [{verdicts_info: {ScannerVersion: 1.22.3.34, ...}, hidden: True, verdict: SILENT, sb_id: fb15ec106318b0d54babce2379d956f7, image: Win7_x64, task_id: task0, file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, file_id: 1, filesize: 445856, md5: 0d87eebc9676214f35046a482150e537, tracing_mode: all_events, store_artifacts: False, bases_version: 202406102122, ids_bases_version: 202406101817, version: 1.22.3.34, suspicious_log: [], network_activity: {http: [], dns: []}}], verdict: SILENT, hidden: True, priority: 150}], md5_list: [], file_list: [], sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, sb_names_map: {0: {md5: , name: }, 1: {md5: 0d87eebc9676214f35046a482150e537, name: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf}, 2: {md5: 71072dd9a36d7ce560cebc533ecb3cad, name: }}}	The result of processing the objects on all virtual machines of the Sandbox component. Information worth paying attention to: verdict — results of scanning the file. Generated based on the results of scanning the file on all virtual machines. For alerts with the SILENT result, no record is created in the alerts database. hidden: True — an object with this result does not require further scanning by Kaspersky Anti Targeted Attack Platform modules. details — information about scanning the object in virtual machines. Includes the following fields: file — name of the file for display (WCR-form.pdf). In this record, the field contains the following information: From — sender email address. Date — date and time of the event. Subj — subject of the message. images — information about scanning the object in virtual machines. verdicts_info — results of scanning the file. May be different for each virtual machine the object was scanned on. hidden: True — an object with this result does not require further scanning by Kaspersky Anti Targeted Attack Platform modules. verdict — results of scanning the file on the virtual machine. For alerts with the SILENT result, no record is created in the alerts database. image — the image in which the file was executed. filesize — size of the file. md5 — MD5 hash of the file. tracing mode: all_events — a record of the operations that the file performs after launch. suspicious log [] — a record of malicious actions that the file performed. This field does not have values because the file did not perform any malicious actions. network activity — network activity initiated by the file. http [] — the file did not make any HTTP requests. dns [] — the file did not make any DNS requests. The 'suspicious log' and 'network activity' fields only record the fact of malicious activity. If you want to view the details of the alerts, you can do so in the application web interface. priority — priority of the scan Possible values are 1 for high, 100 for standard, and 150 for background scan. md5_list — MD5 hashes of files that generated alerts when scanned. file_list — names of files that generated alerts when scanned. sb_names_map — file name to be displayed in the alert details in the application web interface.
2024-06-11 02:38:44.841529 info apt-history: New sb_detect for file alert: {id: 2720, victim: default, state: new, md5: f0429d4845208857cd303df968ef545e}	Information about the results of processing by the Sandbox component is saved in the application database. Recorded for internal use. This does not indicate that an alert is present in the alerts database of the application.

Page top