Viewing information about files that have been sent for scanning to the Kaspersky Anti Targeted Attack Platform

If necessary, you can see if the file has been scanned in Kaspersky Anti Targeted Attack Platform and what the scan result was. To do so, you must get the information about the application's operation using the kata-collect script.

To get information about application performance using the kata-collect script:

Follow the steps of the instructions given in the Downloading Kaspersky Anti Targeted Attack Platform logs section.

As a result of completing the steps of the instructions, the collect--<archive download date>.tar.gz archive containing the log files of Kaspersky Anti Targeted Attack Platform is placed in the specified directory. Information about files received for scanning is contained in the log, which is located in the /logs/kaspersky/siem/log-history/ directory inside the this archive. If a file was excluded from scanning, information about such a file is also reflected in the log.

You can find any file by its name or MD5 hash.

If the file was obtained by the Sensor component, you can find it by the following fields:

File source information:
- The source IP address and destination IP address, if the file was obtained from traffic.
- The sender email address and recipient email address, if the file was received by email.
- The IP address and ID of the external system, if the file was received from an external system.
- The IP address and name of the host if the file was received from an Endpoint Agent host.
- The user account name if the file was manually uploaded to Kaspersky Anti Targeted Attack Platform.
Source type: span, smtp, icap, pop3, external (external system), endpoint (Endpoint Agent host), upload (manually uploaded file).
For email messages, the Message-ID field is logged.

Special considerations for file information logging

When searching for file information in the log, keep in mind the following special considerations for file information logging:

File information is logged twice: when the file is obtained from traffic and when the file is scanned. If the Sensor component is installed separately from the Central Node in your infrastructure, the file receipt record goes to the log of the Sensor component, and the file scanning record goes to the log of the Central Node component to which the Sensor is connected. If the Central Node component and the Sensor are installed on the same server, both records are written to the Central Node log.
For a compound file (for example, an archive or an email message), the hash of the parent file and the name and hash of the child file are logged if the child file was scanned by one of the Kaspersky Anti Targeted Attack Platform technologies.

Examples of apt-history log records for the MD5 hash of a file

Examples of apt-history log records for the MD5 hash of a file are listed in the table below.

Examples of apt-history log records for the MD5 hash of a file

Log record	Value
2024-06-11 02:37:03.645586 info apt-history: f0429d4845208857cd303df968ef545e enqueued am, priority: normal	The file was received for processing using the Anti-Malware Engine technology.
2024-06-11 02:37:03.647434 info apt-history: external KSMG sensor with ip 10.0.0.0 provide file with name: File_Name 2024/2025, md5: f0429d4845208857cd303df968ef545e, msg_id: <87c13e55e789aa966089b6bf2e8c453b@localhost.localdomain>	String for objects received for processing in Kaspersky Anti Targeted Attack Platform from Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server. Information worth paying attention to: external KSMG sensor with ip 10.0.0.0 — IP address of the Kaspersky Secure Mail Gateway server File_Name 2024/2025 — file name md5 — MD5 hash of the file being scanned msg_id — message ID
2024-06-11 02:37:03.847696 info apt-history: f0429d4845208857cd303df968ef545e engine am result {verdict: CLEAN, bases_version: 202406071010, detect_time: 2024-06-11 02:37:03.841275, rescan_priority: 3, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, multitask_details: {priority: background, tasks: {pdf: 1}}, scanEngines: [sb]}	The result of processing the object using the Anti-Malware Engine technology. Includes the status assigned to the object after scanning (CLEAN) and information about the technologies that will be used to additionally scan the object ("scanEngines: [sb]"). Information worth paying attention to: multitask_details — details about the scan task priority — priority of the scan Possible values are 'background', 'must' scanEngines — scanning technology Possible values are [yr] for YARA, [sb] for Sandbox.
2024-06-11 02:37:03.886784 info apt-history: f0429d4845208857cd303df968ef545e enqueued sb: {pdf: 1}, priority: low, sb_priority: background	The task was sent to the Sandbox component for processing. Information worth paying attention to: {pdf: 1} — number and type of objects sent for scanning low — processing priority Possible processing priority values are 'low', 'medium', 'high'. background — the type of queue for processing by the Sandbox component. Possible values are 'background', 'must'
2024-06-11 02:37:04.179597 info apt-history: f0429d4845208857cd303df968ef545e delivered to sb, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900	The task was sent to the Sandbox component for processing. Information worth paying attention to: node:Server_Name — name of the server with the Sandbox component mtask_id: 900 — task ID
2024-06-11 02:38:44.515070 info apt-history: f0429d4845208857cd303df968ef545e sb result received, sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, node: Server_Name, mtask_id: 900, priority: low	The result of processing the object by the Sandbox component has been received.
2024-06-11 02:38:44.783370 info apt-history: f0429d4845208857cd303df968ef545e engine sb result {bases_version: 202406102122, detect_time: 2024-06-11 02:38:44.776655, verdict: SILENT, hidden: True, details: [{file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, images: [{verdicts_info: {ScannerVersion: 1.22.3.34, ...}, hidden: True, verdict: SILENT, sb_id: fb15ec106318b0d54babce2379d956f7, image: Win7_x64, task_id: task0, file: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf, file_id: 1, filesize: 445856, md5: 0d87eebc9676214f35046a482150e537, tracing_mode: all_events, store_artifacts: False, bases_version: 202406102122, ids_bases_version: 202406101817, version: 1.22.3.34, suspicious_log: [], network_activity: {http: [], dns: []}}], verdict: SILENT, hidden: True, priority: 150}], md5_list: [], file_list: [], sb_hash: 77f5b6276dd9b1c534b6c9adcff86845, sb_names_map: {0: {md5: , name: }, 1: {md5: 0d87eebc9676214f35046a482150e537, name: //[From WCR <test@mail.com>][Date 11 Jun 2024 03:51:21][Subj Company_Name 2024/2025]/WCR-form.pdf}, 2: {md5: 71072dd9a36d7ce560cebc533ecb3cad, name: }}}	The result of processing the objects on all virtual machines of the Sandbox component. Information worth paying attention to: verdict — results of scanning the file. Generated based on the results of scanning the file on all virtual machines. For detections with the SILENT result, no record is created in the detection database. hidden: True — an object with this result does not require further scanning by Kaspersky Anti Targeted Attack Platform modules. details — information about scanning the object in virtual machines. Includes the following fields: file — name of the file for display (WCR-form.pdf). In this record, the field contains the following information: From — sender email address. Date — date and time of the event. Subj — subject of the message. images — information about scanning the object in virtual machines. verdicts_info — results of scanning the file. May be different for each virtual machine the object was scanned on. hidden: True — an object with this result does not require further scanning by Kaspersky Anti Targeted Attack Platform modules. verdict — results of scanning the file on the virtual machine. For detections with the SILENT result, no record is created in the detection database. image — the image in which the file was executed. filesize — size of the file. md5 — MD5 hash of the file. tracing mode: all_events — a record of the operations that the file performs after launch. suspicious log [] — a record of malicious actions that the file performed. This field does not have values because the file did not perform any malicious actions. network activity — network activity initiated by the file. http [] — the file did not make any HTTP requests. dns [] — the file did not make any DNS requests. The 'suspicious log' and 'network activity' fields only record the fact of malicious activity. If you want to view the details of the alerts, you can do so in the application web interface. priority — priority of the scan Possible values are 1 for high, 100 for standard, and 150 for background scan. md5_list — MD5 hashes of files that generated alerts when scanned. file_list — names of files that generated alerts when scanned. sb_names_map — file name to be displayed in the alert details in the application web interface.
2024-06-11 02:38:44.841529 info apt-history: New sb_detect for file alert: {id: 2720, victim: default, state: new, md5: f0429d4845208857cd303df968ef545e}	Information about the results of processing by the Sandbox component is saved in the application database. Recorded for internal use. This does not indicate that a detection is present in the detection database of the application.

Page top