If necessary, you can see if the file has been scanned in Kaspersky Anti Targeted Attack Platform and what the scan result was. To do so, you must get the information about the application's operation using the kata-collect script.
To get information about application performance using the kata-collect script:
Follow the steps of the instructions given in the Downloading Kaspersky Anti Targeted Attack Platform logs section.
As a result of completing the steps of the instructions, the collect--<archive download date>.tar.gz archive containing the log files of Kaspersky Anti Targeted Attack Platform is placed in the specified directory. Information about files received for scanning is contained in the log, which is located in the /logs/kaspersky/siem/log-history/ directory inside the this archive. If a file was excluded from scanning, information about such a file is also reflected in the log.
You can find any file by its name or MD5 hash.
If the file was obtained by the Sensor component, you can find it by the following fields:
Special considerations for file information logging
When searching for file information in the log, keep in mind the following special considerations for file information logging:
Examples of apt-history log records for the MD5 hash of a file
Examples of apt-history log records for the MD5 hash of a file are listed in the table below.
Examples of apt-history log records for the MD5 hash of a file
Log record |
Value |
2024-06-11 02:37:03.645586 info apt-history: f0429d4845208857cd303df968ef545e enqueued am, priority: normal |
The file was received for processing using the Anti-Malware Engine technology. |
2024-06-11 02:37:03.647434 info apt-history: external KSMG sensor with ip 10.0.0.0 provide file with name: File_Name 2024/2025, md5: f0429d4845208857cd303df968ef545e, msg_id: <87c13e55e789aa966089b6bf2e8c453b@localhost.localdomain> |
String for objects received for processing in Kaspersky Anti Targeted Attack Platform from Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server. Information worth paying attention to:
|
2024-06-11 02:37:03.847696 info apt-history: f0429d4845208857cd303df968ef545e engine am result {verdict: CLEAN, bases_version: 202406071010, detect_time: 2024-06-11 02:37:03.841275, rescan_priority: 3, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, multitask_details: {priority: background, tasks: {pdf: 1}}, scanEngines: [sb]} |
The result of processing the object using the Anti-Malware Engine technology. Includes the status assigned to the object after scanning (CLEAN) and information about the technologies that will be used to additionally scan the object ("scanEngines: [sb]"). Information worth paying attention to:
|
2024-06-11 02:37:03.886784 info apt-history: f0429d4845208857cd303df968ef545e enqueued sb: {pdf: 1}, priority: low, sb_priority: background |
The task was sent to the Sandbox component for processing. Information worth paying attention to:
|
2024-06-11 02:37:04.179597 info apt-history: f0429d4845208857cd303df968ef545e delivered to sb, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900 |
The task was sent to the Sandbox component for processing. Information worth paying attention to:
|
2024-06-11 02:38:44.515070 info apt-history: f0429d4845208857cd303df968ef545e sb result received, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900, priority: low |
The result of processing the object by the Sandbox component has been received. |
2024-06-11 02:38:44.783370 info apt-history: f0429d4845208857cd303df968ef545e engine sb result {bases_version: 202406102122, detect_time: 2024-06-11 02:38:44.776655, verdict: SILENT, hidden: True, details: [{file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, images: [{verdicts_info: {ScannerVersion: 1.22.3.34, ...}, hidden: True, verdict: SILENT, sb_id: fb15ec106318b0d54babce2379d956f7, image: Win7_x64, task_id: task0, file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, file_id: 1, filesize: 445856, md5: 0d87eebc9676214f35046a482150e537, tracing_mode: all_events, store_artifacts: False, bases_version: 202406102122, ids_bases_version: 202406101817, version: 1.22.3.34, suspicious_log: [], network_activity: {http: [], dns: []}}], verdict: SILENT, hidden: True, priority: 150}], md5_list: [], file_list: [], sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, sb_names_map: {0: {md5: , name: }, 1: {md5: 0d87eebc9676214f35046a482150e537, name: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf}, 2: {md5: 71072dd9a36d7ce560cebc533ecb3cad, name: }}} |
The result of processing the objects on all virtual machines of the Sandbox component. Information worth paying attention to:
|
2024-06-11 02:38:44.841529 info apt-history: New sb_detect for file alert: {id: 2720, victim: default, state: new, md5: f0429d4845208857cd303df968ef545e} |
Information about the results of processing by the Sandbox component is saved in the application database. Recorded for internal use. This does not indicate that a detection is present in the detection database of the application. |