Scan results in Sandbox

The object scan results window in Sandbox can display the following alert details:

• File—Full name and path of the scanned file.
• File size—Size of the file.
• MD5—MD5 hash of a file.

  Clicking the link with MD5 opens a list in which you can select one of the following actions:

  • Find on TIP.
  • Find events.
  • Find alerts.
  • Create prevention rule.
  • Copy value to clipboard.
• Detected—One or multiple categories of detected objects. For example, when the application detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected field shows the Trojan-Downloader.JS.Cryptoload.ad category for this alert.
• Time processed—Time when the file was scanned.
• Database versions—Versions of the databases of modules and components of Kaspersky Anti Targeted Attack Platform that generated the alert.

You can click New prevention rule in the upper right corner of the window to prevent the file from running.

Information about the file behavior analysis results is provided for each operating system in which the Sandbox component performed a scan. For the Windows 7 operating system (64-bit), you can view file activity logs for two Sandbox component scan modes: Quick scan mode and Full logging mode.

The following activity logs may be available for each scan mode:

• Activity list—Actions of the file within the operating system.
• Activity tree—Graphical representation of the file analysis process.
• HTTP activity log—Log of the file's HTTP activity. It contains the following information:
  • Destination IP—IP address to which the file is attempting to go from the operating system.
  • Method—HTTP request method, for example, GET or POST.
  • URL—URL of the website link that the file is attempting to open from the operating system.

  Clicking links in the Destination IP column opens a list in which you can select one of the following actions:

  • Find on TIP.
  • Find events.
  • Find alerts.
  • Copy value to clipboard.

  Clicking a link in the URL column opens a list in which you can select one of the following actions:

  • Find on TIP by URL.
  • Find on TIP by domain name.
  • Find events.
  • Find alerts.
  • Copy value to clipboard.
• IDS activity log—Log of the file's network activity. It contains the following information:
  • Source IP—IP address of the host on which the file is saved.
  • Destination IP—IP address to which the file is attempting to go from the operating system.
  • Method—HTTP request method, for example, GET or POST.
  • URL—URL of the website link that the file is attempting to open from the operating system.

  Clicking links in the Destination IP column opens a list in which you can select one of the following actions:

  • Find on TIP.
  • Find events.
  • Find alerts.
  • Copy value to clipboard.

  Clicking a link in the URL column opens a list in which you can select one of the following actions:

  • Find on TIP by URL.
  • Find on TIP by domain name.
  • Find events.
  • Find alerts.
  • Copy value to clipboard.
• DNS activity log —Log of the file's DNS activity. It contains the following information:
  • Request type (Request or Response).
  • DNS name —Domain name of the server.
  • Type —Type of DNS request, for example A or CNAME.
  • Host—Host name or IP address that was interacted with.

  Clicking a link in the DNS name or Host columns opens a list in which you can select one of the following actions:

  • Find on TIP.
  • Find events.
  • Find alerts.
  • Copy value to clipboard.

You can click Download full log in the lower part of each scanning mode (Quick scan mode and Full logging mode) to download the log of file behavior analysis in each operating system to your computer