Sending probably infected objects to Kaspersky for analysis
3 August 2023
If the behavior of a file gives you a reason to suspect that it contains a threat, and Kaspersky Industrial CyberSecurity for Nodes considers the file to be clean, you may have encountered an unknown threat whose signature has not yet been added to the databases. You can send this file to Kaspersky for analysis. Kaspersky's Anti-Virus analysts will analyze it and, if they detect a new threat, will add a record identifying it in the databases. When you rescan the object after the database has been updated, it is likely that Kaspersky Industrial CyberSecurity for Nodes will identify the object as infected and will be able to disinfect it. You will not only be able to keep the object, but will also prevent a virus outbreak.
Only quarantined files can be sent for analysis. Quarantined files are stored in encrypted form and are not deleted by the Anti-Virus application installed on the mail server when they are sent.
A quarantined object cannot be sent to Kaspersky for analysis after the license expires.
To send a file for analysis to Kaspersky:
- If the file was not quarantined, first move it into Quarantine.
- In the Quarantine node, open the context menu of the file you want to send for analysis and select Send object for analysis.
- In the confirmation window that opens, click Yes if you are sure you want to send the selected object for analysis.
- If a mail client is configured on the protected device on which the Application Console is installed, a new email message is created. Review it and click the Send button.
The Receiver field contains the Kaspersky email address email@example.com. The Subject field will contain the text "Quarantined object".
The body of the message will contain the following text: "This file will be sent to Kaspersky for analysis." Any additional information about the file, why you considered it probably infected or dangerous, how it behaves, or how it affects the system, can be included in the body of the message.
An archive named <object name>.cab will be attached to the message. This archive will contain a <uuid>.klq file with the object in encrypted form, a <uuid>.txt file with information about the object extracted by Kaspersky Industrial CyberSecurity for Nodes, and a Sysinfo.txt file, which contains the following information about Kaspersky Industrial CyberSecurity for Nodes and the operating system installed on the protected device:
- Name and version of the operating system.
- Name and version of Kaspersky Industrial CyberSecurity for Nodes.
- Release date of the latest database update installed.
- Active key.
This information is required by Kaspersky's anti-virus analysts to analyze your file faster and more efficiently. However, if you do not wish to send this information, you can delete the Sysinfo.txt file from the archive.
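The following PowerShell script is an added example and is not part of the Kaspersky documentation or the product itself. It shows how an administrator can review the <object name>.cab archive before submitting it: it extracts the archive with the Windows expand.exe tool, checks that the expected <uuid>.klq member is present, prints the name, size and SHA-256 of every member for the submission record, and, when the -StripSysinfo switch is given, rebuilds the archive without Sysinfo.txt using makecab.exe (a CAB cannot be edited in place). The archive path, the working directory name and the "-nosysinfo" output name are assumptions chosen for the example.

```powershell
# Added example, not Kaspersky code: review a quarantine export CAB before sending it.
# Assumptions: expand.exe and makecab.exe (shipped with Windows) are on PATH;
# $CabPath is a placeholder for the real <object name>.cab.
param(
    [string]$CabPath = 'C:\QuarantineExport\suspicious.exe.cab',   # placeholder path
    [switch]$StripSysinfo                                           # rebuild without Sysinfo.txt
)

if (-not (Test-Path -LiteralPath $CabPath)) { throw "Archive not found: $CabPath" }

# Work in a fresh temporary directory so nothing else is mixed into the rebuilt archive.
$work = Join-Path $env:TEMP ('klq-review-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $work | Out-Null

# Extract every member of the CAB: expand <cab> -F:* <destination>
& expand.exe $CabPath -F:* $work | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $CabPath (exit code $LASTEXITCODE)" }

$members = Get-ChildItem -LiteralPath $work -File

# Sanity check against the documented layout: the encrypted object is the .klq member.
if (-not ($members | Where-Object { $_.Extension -eq '.klq' })) {
    throw 'No .klq member found: this does not look like a quarantine export archive'
}

# Record what is about to leave the organisation (name, size, hash of each member).
$members | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize

if ($StripSysinfo) {
    # Drop the system information file, then rebuild the CAB from the remaining members.
    $keep = $members | Where-Object { $_.Name -ne 'Sysinfo.txt' }

    $outDir  = Split-Path -Path $CabPath -Parent
    $outName = [IO.Path]::GetFileNameWithoutExtension($CabPath) + '-nosysinfo.cab'   # assumed name
    $ddf     = Join-Path $work 'rebuild.ddf'

    # makecab directive file: one cabinet, no disk splitting, members listed by full path.
    $directives = @(
        '.OPTION EXPLICIT'
        '.Set Cabinet=on'
        '.Set Compress=on'
        '.Set MaxDiskSize=CDROM'
        ".Set DiskDirectory1=$outDir"
        ".Set CabinetNameTemplate=$outName"
    ) + ($keep | ForEach-Object { '"' + $_.FullName + '"' })
    Set-Content -LiteralPath $ddf -Value $directives -Encoding ASCII

    & makecab.exe /F $ddf | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "makecab.exe failed (exit code $LASTEXITCODE)" }

    Write-Host "Rebuilt archive without Sysinfo.txt: $(Join-Path $outDir $outName)"
}

# Remove the extracted plaintext members; the .klq object itself stays encrypted throughout.
Remove-Item -LiteralPath $work -Recurse -Force
```

Run it as `.\Review-QuarantineCab.ps1 -CabPath 'C:\path\to\<object name>.cab' -StripSysinfo` to produce a second archive next to the original that omits Sysinfo.txt; send that archive instead of the original if you do not want to share the operating system, product version, database date and active key details. The extracted <uuid>.klq member is never decrypted by the script, so the suspicious object is not exposed on the reviewing machine.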
If a mail client is not installed on the protected device with the Application Console, the application prompts you to save the selected encrypted object to a file. This file can be sent to Kaspersky manually.
To save an encrypted object to a file:
- In the window that opens with a prompt to save the object, click OK.
- Select a folder on the drive of the protected device where the file containing the object will be saved.
The object will be saved to a CAB file.