Deep scan report of large files with static malware analysis
When you configure a policy with the Allow and Scan action for large files, files that are 5 MB to 2 GB in size are scanned by ETP Proxy. ETP Proxy scans these files after the download is complete. The report is a PDF file that’s available within a four hour period after the file is downloaded. It’s available for download from the provided link for 30 days.
The deep scan report for static malware analysis includes this
information.
| Report Section | Field | Definition |
|---|---|---|
| Analysis Overview | ID | Name of the file. |
| Processing End Timestamp | Time the download ended. The time is in Epoch format. | |
| Processing Start Timestamp | Time the download for the file started and an event was generated. The time is in Epoch format. | |
| Scan Start Timestamp | Time the scan started. The time is in Epoch format. | |
| Scan End Timestamp | Time the scan ended. This time is in Epoch format. | |
| Scan Time | Total time to scan the file in seconds. | |
| Size | Size of the file in bytes. | |
| Source Timestamp | Time the file is seen in the system. This time is in Epoch format. | |
| Type | Type of file that was scanned. For example, the type may be a PDF, Microsoft Word document, Excel spreadsheet, ZIP, or more. | |
| Malicious Streams | Extracted data streams in the document that are malicious. | |
| Tags | Attributes associated with the event. | |
| Matched Streams | Result | Indicates the result of the scan. This field may show these
values:
|
| Name | Name of the stream. | |
| Depth | Number that represents the level of data streams extracted from the file. The base level is 0. Any data stream that is extracted from this base is assigned the next numerical value, such as 1, 2, 3, and so on. | |
| Size | Size of the stream in KB. | |
| Detected File | When the value for this field is TRUE, this indicates that a separate, standalone file was detected. | |
| Type | Type of file that was detected or extracted. | |
| Hash | SHA256 hash of the extracted file or stream. | |
| Matched Stream Details | Details about the data that was detected to determine the file is malicious. | |
| Assembly Details | Snippets of code that match a malicious fingerprint. Evidence and explanation about the malicious code may be provided. | |
| Offset | The distance in bytes from the beginning of the stream. | |
| Length | Length of match or malicious data in bytes. |