Viewing information about files that have been sent for scanning to the Kaspersky Anti Targeted Attack Platform

If necessary, you can check whether a file has been scanned in Kaspersky Anti Targeted Attack Platform and what the scan result was. To do so, obtain information about the application's operation using the kata-collect script.

To get information about the application's operation using the kata-collect script:

Follow the steps of the instructions given in the Downloading Kaspersky Anti Targeted Attack Platform logs section.

As a result of completing the steps of the instructions, the collect--<archive download date>.tar.gz archive containing the log files of Kaspersky Anti Targeted Attack Platform is placed in the specified directory. Information about files received for scanning is contained in the apt-history log, which is located in the /logs/kaspersky/siem/log-history/ directory inside this archive. If a file was excluded from scanning, information about that file is also recorded in the log.

You can find any file by its name or MD5 hash.

If the file was obtained by the Sensor component, you can find it by the following fields:

Special considerations for file information logging

When searching for file information in the log, keep in mind the following special considerations for file information logging:

Examples of apt-history log records for the MD5 hash of a file

Examples of apt-history log records for the MD5 hash of a file are listed below. Each log record is followed by an explanation of its value.

2024-06-11 02:37:03.645586 info apt-history: f0429d4845208857cd303df968ef545e enqueued am, priority: normal

The file was received for processing using the Anti-Malware Engine technology.

2024-06-11 02:37:03.647434 info apt-history: external KSMG sensor with ip 10.0.0.0 provide file with name: File_Name 2024/2025, md5: f0429d4845208857cd303df968ef545e, msg_id: <87c13e55e789aa966089b6bf2e8c453b@localhost.localdomain>

String for objects received for processing in Kaspersky Anti Targeted Attack Platform from Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server.

Information worth paying attention to:

  • external KSMG sensor with ip 10.0.0.0 — IP address of the Kaspersky Secure Mail Gateway server
  • File_Name 2024/2025 — file name
  • md5 — MD5 hash of the file being scanned
  • msg_id — message ID

2024-06-11 02:37:03.847696 info apt-history: f0429d4845208857cd303df968ef545e engine am result {verdict: CLEAN, bases_version: 202406071010, detect_time: 2024-06-11 02:37:03.841275, rescan_priority: 3, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, multitask_details: {priority: background, tasks: {pdf: 1}}, scanEngines: [sb]}

The result of processing the object using the Anti-Malware Engine technology. Includes the status assigned to the object after scanning (CLEAN) and information about the technologies that will be used to additionally scan the object ("scanEngines: [sb]").

Information worth paying attention to:

  • multitask_details — details about the scan task
  • priority — priority of the scan

    Possible values are 'background', 'must'

  • scanEngines — scanning technology

    Possible values are [yr] for YARA, [sb] for Sandbox.

2024-06-11 02:37:03.886784 info apt-history: f0429d4845208857cd303df968ef545e enqueued sb: {pdf: 1}, priority: low, sb_priority: background

The task was placed in the queue for processing by the Sandbox component.

Information worth paying attention to:

  • {pdf: 1} — number and type of objects sent for scanning
  • low — processing priority

    Possible processing priority values are 'low', 'medium', 'high'.

  • background — the type of queue for processing by the Sandbox component.

    Possible values are 'background', 'must'

2024-06-11 02:37:04.179597 info apt-history: f0429d4845208857cd303df968ef545e delivered to sb, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900

The task was delivered to the Sandbox component for processing.

Information worth paying attention to:

  • node: Server_Name — name of the server with the Sandbox component
  • mtask_id: 900 — task ID

2024-06-11 02:38:44.515070 info apt-history: f0429d4845208857cd303df968ef545e sb result received, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900, priority: low

The result of processing the object by the Sandbox component has been received.

2024-06-11 02:38:44.783370 info apt-history: f0429d4845208857cd303df968ef545e engine sb result {bases_version: 202406102122, detect_time: 2024-06-11 02:38:44.776655, verdict: SILENT, hidden: True, details: [{file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, images: [{verdicts_info: {ScannerVersion: 1.22.3.34, ...}, hidden: True, verdict: SILENT, sb_id: fb15ec106318b0d54babce2379d956f7, image: Win7_x64, task_id: task0, file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, file_id: 1, filesize: 445856, md5: 0d87eebc9676214f35046a482150e537, tracing_mode: all_events, store_artifacts: False, bases_version: 202406102122, ids_bases_version: 202406101817, version: 1.22.3.34, suspicious_log: [], network_activity: {http: [], dns: []}}], verdict: SILENT, hidden: True, priority: 150}], md5_list: [], file_list: [], sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, sb_names_map: {0: {md5: , name: }, 1: {md5: 0d87eebc9676214f35046a482150e537, name: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf}, 2: {md5: 71072dd9a36d7ce560cebc533ecb3cad, name: }}}

The result of processing the objects on all virtual machines of the Sandbox component.

Information worth paying attention to:

  • verdict — results of scanning the file. Generated based on the results of scanning the file on all virtual machines. For detections with the SILENT result, no record is created in the detection database.
  • hidden: True — an object with this result does not require further scanning by Kaspersky Anti Targeted Attack Platform modules.
  • details — per-object scan information: one entry for each file sent to the Sandbox component, with the results from every virtual machine the file was run in.

    Includes the following fields:

    • file — name of the file for display (WCR-form.pdf). In this record, the field also contains the following information:

      • From — sender email address.
      • Date — date and time of the event.
      • Subj — subject of the message.

    • images — results of scanning the object in each virtual machine.
    • verdicts_info — results of scanning the file. May be different for each virtual machine the object was scanned on.
    • hidden: True — an object with this result does not require further scanning by Kaspersky Anti Targeted Attack Platform modules.
    • verdict — result of scanning the file on the virtual machine. For detections with the SILENT result, no record is created in the detection database.
    • image — the image in which the file was executed (Win7_x64).
    • filesize — size of the file.
    • md5 — MD5 hash of the file.
    • tracing_mode: all_events — a record of the operations that the file performs after launch.
    • suspicious_log: [] — a record of malicious actions that the file performed.

      This field has no values because the file did not perform any malicious actions.

    • network_activity — network activity initiated by the file.

      • http: [] — the file did not make any HTTP requests.
      • dns: [] — the file did not make any DNS requests.

    The 'suspicious_log' and 'network_activity' fields only record the fact of malicious activity. To view the details of the alerts, use the application web interface.

    • priority — priority of the scan.

      Possible values are 1 for high, 100 for standard, and 150 for background scan.

  • md5_list — MD5 hashes of files that generated alerts when scanned.
  • file_list — names of files that generated alerts when scanned.
  • sb_names_map — mapping of file IDs to the MD5 hash and the file name displayed in the alert details in the application web interface.

2024-06-11 02:38:44.841529 info apt-history: New sb_detect for file alert: {id: 2720, victim: default, state: new, md5: f0429d4845208857cd303df968ef545e}

Information about the results of processing by the Sandbox component is saved in the application database. Recorded for internal use. This does not indicate that a detection is present in the detection database of the application.
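As an added example (not part of the Kaspersky documentation or product), the following Python script parses apt-history records of the kinds shown above and reconstructs a file's processing timeline and verdicts, searching by MD5 hash or by file name. The record patterns, the field names it produces (such as scan_engines and alert_id), and the sample input are assumptions of this example: the sample lines are the records shown above, with the Sandbox result shortened, plus two constructed lines (a second file and a record type the script does not model). Any record that matches none of the patterns is kept with kind 'other' so it is not silently dropped.

```python
"""Reconstruct a file's processing timeline from apt-history log records.

Added example; not part of the Kaspersky Anti Targeted Attack Platform
documentation or product. The record patterns are assumptions derived from
the example records on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<level>\w+) apt-history: (?P<msg>.*)$")
H = r"[0-9a-f]{32}"  # MD5 hex digest

PATTERNS = [  # (kind, regex), tried in order; kind names are this example's own
    ("received", re.compile(
        rf"^external (?P<sensor>\w+) sensor with ip (?P<ip>\S+) provide file with name: "
        rf"(?P<name>.*?), md5: (?P<md5>{H}), msg_id: (?P<msg_id><[^>]*>)$")),
    ("enqueued_am", re.compile(rf"^(?P<md5>{H}) enqueued am, priority: (?P<priority>\w+)$")),
    ("am_result", re.compile(rf"^(?P<md5>{H}) engine am result \{{(?P<body>.*)\}}$")),
    ("enqueued_sb", re.compile(
        rf"^(?P<md5>{H}) enqueued sb: \{{(?P<objects>[^}}]*)\}}, priority: (?P<priority>\w+), "
        rf"sb_priority: (?P<sb_priority>\w+)$")),
    ("delivered_sb", re.compile(
        rf"^(?P<md5>{H}) delivered to sb, sb_hash: (?P<sb_hash>{H}), node: (?P<node>\S+), "
        rf"mtask_id: (?P<mtask_id>\d+)$")),
    ("sb_result_received", re.compile(
        rf"^(?P<md5>{H}) sb result received, sb_hash: (?P<sb_hash>{H}), node: (?P<node>\S+), "
        rf"mtask_id: (?P<mtask_id>\d+), priority: (?P<priority>\w+)$")),
    ("sb_result", re.compile(rf"^(?P<md5>{H}) engine sb result \{{(?P<body>.*)\}}$")),
    ("sb_detect", re.compile(r"^New sb_detect for file alert: \{(?P<body>.*)\}$")),
]


@dataclass
class Event:
    ts: str
    kind: str
    md5: Optional[str]
    fields: dict = field(default_factory=dict)
    raw: str = ""


def _parse_body(body: str) -> dict:
    """Pull the fields a triage needs out of a '{...}' result body."""
    out = {}
    # In the example records the first 'verdict:' is the top-level one; the
    # per-image verdicts inside 'details' come later (assumption).
    for key, rx in (("verdict", r"verdict: (\w+)"), ("bases_version", r"bases_version: (\d+)"),
                    ("hidden", r"hidden: (True|False)"), ("alert_id", r"\bid: (\d+)")):
        m = re.search(rx, body)  # \bid does not match sb_id, file_id or task_id
        if m:
            out[key] = m.group(1)
    if "hidden" in out:
        out["hidden"] = out["hidden"] == "True"
    if "alert_id" in out:
        out["alert_id"] = int(out["alert_id"])
    m = re.search(r"scanEngines: \[([^\]]*)\]", body)
    if m:
        out["scan_engines"] = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return out


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an apt-history record
    ts, msg = m.group("ts"), m.group("msg")
    for kind, rx in PATTERNS:
        k = rx.match(msg)
        if not k:
            continue
        f = k.groupdict()
        body = f.pop("body", None)
        if body is not None:
            f.update(_parse_body(body))
        md5 = f.pop("md5", None)
        if md5 is None and body is not None:  # sb_detect carries the hash inside the body
            mm = re.search(rf"md5: ({H})", body)
            md5 = mm.group(1) if mm else None
        return Event(ts, kind, md5, f, msg)
    md5s = re.findall(rf"\b{H}\b", msg)  # unmodelled record: keep it, note any hash
    return Event(ts, "other", md5s[0] if md5s else None, {}, msg)


def parse_log(lines: Iterable[str]) -> list:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def timeline(events: list, md5: str) -> list:
    """All records for one MD5 hash, in log order."""
    return [e for e in events if e.md5 == md5]


def md5s_for_name(events: list, name: str) -> set:
    """Search by file name (case-insensitive substring) via the sensor 'received' records."""
    return {e.md5 for e in events if e.kind == "received" and name.lower() in e.fields["name"].lower()}


def verdicts(events: list, md5: str) -> dict:
    """Per-engine verdicts plus the id of the internal sb_detect alert, if any."""
    out = {"am": None, "sb": None, "sb_detect_id": None, "scanned": False}
    for e in timeline(events, md5):
        out["scanned"] = True
        if e.kind == "am_result":
            out["am"] = e.fields.get("verdict")
        elif e.kind == "sb_result":
            out["sb"] = e.fields.get("verdict")
        elif e.kind == "sb_detect":
            out["sb_detect_id"] = e.fields.get("alert_id")
    return out


FILE_MD5 = "f0429d4845208857cd303df968ef545e"
# Constructed sample input: the records shown on this page (Sandbox result shortened)
# plus a second file and one record type this example does not model.
SAMPLE_LOG = """\
2024-06-11 02:37:03.645586 info apt-history: f0429d4845208857cd303df968ef545e enqueued am, priority: normal
2024-06-11 02:37:03.647434 info apt-history: external KSMG sensor with ip 10.0.0.0 provide file with name: File_Name 2024/2025, md5: f0429d4845208857cd303df968ef545e, msg_id: <87c13e55e789aa966089b6bf2e8c453b@localhost.localdomain>
2024-06-11 02:37:03.847696 info apt-history: f0429d4845208857cd303df968ef545e engine am result {verdict: CLEAN, bases_version: 202406071010, detect_time: 2024-06-11 02:37:03.841275, rescan_priority: 3, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, multitask_details: {priority: background, tasks: {pdf: 1}}, scanEngines: [sb]}
2024-06-11 02:37:03.886784 info apt-history: f0429d4845208857cd303df968ef545e enqueued sb: {pdf: 1}, priority: low, sb_priority: background
2024-06-11 02:37:04.179597 info apt-history: f0429d4845208857cd303df968ef545e delivered to sb, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900
2024-06-11 02:38:44.515070 info apt-history: f0429d4845208857cd303df968ef545e sb result received, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900, priority: low
2024-06-11 02:38:44.783370 info apt-history: f0429d4845208857cd303df968ef545e engine sb result {bases_version: 202406102122, detect_time: 2024-06-11 02:38:44.776655, verdict: SILENT, hidden: True, details: [{file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, images: [{hidden: True, verdict: SILENT, image: Win7_x64, md5: 0d87eebc9676214f35046a482150e537, suspicious_log: [], network_activity: {http: [], dns: []}}], verdict: SILENT, hidden: True, priority: 150}], md5_list: [], file_list: [], sb_hash: 77f5b6276dd9b1c534b6c9adcff86845}
2024-06-11 02:38:44.841529 info apt-history: New sb_detect for file alert: {id: 2720, victim: default, state: new, md5: f0429d4845208857cd303df968ef545e}
2024-06-11 02:40:00.000000 info apt-history: 0123456789abcdef0123456789abcdef enqueued am, priority: normal
2024-06-11 02:40:01.000000 info apt-history: a record type this example does not model
""".splitlines()

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for e in timeline(ev, FILE_MD5):
        print(e.ts, e.kind, e.fields.get("verdict", ""), e.fields.get("node", ""))
    print(verdicts(ev, FILE_MD5))
```

To run it against a real archive, unpack the collect--<archive download date>.tar.gz file and feed the lines of the apt-history log from /logs/kaspersky/siem/log-history/ to parse_log. A file whose MD5 appears in 'received' or 'enqueued' records but has no 'engine ... result' record was accepted but has no verdict yet; a file with no records at all was never seen by the scanning pipeline in that log.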
