Deep scan report of large files with static malware analysis

When you configure a policy with the Allow and Scan action for large files, ETP Proxy scans files that are 5 MB to 2 GB in size. ETP Proxy scans these files only after the download is complete, so the result is a post-download verdict rather than a block at download time. The report is a PDF file that becomes available within four hours of the download and can be downloaded from the provided link for 30 days.

The deep scan report for static malware analysis includes the following fields, grouped by report section.

Analysis Overview
  ID: Name of the file.
  Processing Start Timestamp: Time the download of the file started and an event was generated, in Epoch format.
  Processing End Timestamp: Time the download ended, in Epoch format.
  Scan Start Timestamp: Time the scan started, in Epoch format.
  Scan End Timestamp: Time the scan ended, in Epoch format.
  Scan Time: Total time taken to scan the file, in seconds.
  Size: Size of the file in bytes.
  Source Timestamp: Time the file was first seen in the system, in Epoch format.
  Type: Type of file that was scanned, for example PDF, Microsoft Word document, Excel spreadsheet, or ZIP.
  Malicious Streams: Extracted data streams in the document that are malicious.
  Tags: Attributes associated with the event.

Matched Streams
  Result: Result of the scan for this stream. This field may show these values:
    • Clean
    • Malicious
    • Known malicious
      Note: “Known malicious” means the verdict was taken from the cache of a previous scan of the same content; “Malicious” means this scan itself detected it. Treat both as malicious when triaging.
    • Suspicious
  Name: Name of the stream.
  Depth: Nesting level of the stream. The scanned file itself is depth 0; a stream extracted from it is depth 1, a stream extracted from that one is depth 2, and so on.
  Size: Size of the stream in KB.
  Detected File: TRUE when the stream was identified as a separate, standalone file (for example, a document inside an archive).
  Type: Type of file that was detected or extracted.
  Hash: SHA-256 hash of the extracted file or stream.

Matched Stream Details: Details about the data that caused the file to be judged malicious.
  Assembly Details: Snippets of code that match a malicious fingerprint. Evidence and an explanation of the malicious code may be provided.
  Offset: Distance in bytes from the beginning of the stream to the start of the match.
  Length: Length of the match in bytes.
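As an added example, not part of the Akamai documentation or product: a small Python triage helper that consumes these fields once they have been pulled out of the report PDF. It assumes the values have been placed into plain dicts under the keys shown (an assumption; the page documents only the PDF) and runs on a constructed sample record. It converts the Epoch timestamps, checks that Scan End minus Scan Start agrees with Scan Time and that the scan started no earlier than the download finished, folds the per-stream Result values into one verdict with Known malicious counted as malicious, checks the Depth numbering, verifies an extracted stream against its reported SHA-256, and slices the matched bytes out of a stream by Offset and Length.

```python
"""Triage helper for the fields of an ETP deep scan (static malware analysis)
report. Assumes the Analysis Overview, Matched Streams and Matched Stream
Details values have already been extracted from the report PDF into the dicts
shown below (an assumption: the page documents only the PDF). The record and
stream bytes are constructed for this example, not taken from a real report.
"""
import hashlib
from datetime import datetime, timezone

# Worse verdicts rank higher. "Known malicious" is a cached verdict from an
# earlier scan of the same content, so it is ranked the same as "Malicious".
VERDICT_RANK = {"Clean": 0, "Suspicious": 1, "Known malicious": 2, "Malicious": 2}

# Constructed sample: a ZIP (depth 0) holding a Word document (depth 1) that
# holds a macro stream (depth 2). Timestamps are Epoch seconds, file size is
# in bytes and stream sizes in KB, matching the report's units.
SAMPLE_STREAM_BYTES = b"abc"  # stand-in content of the depth-2 stream
SAMPLE_REPORT = {
    "overview": {
        "id": "quarterly-figures.zip", "type": "ZIP", "size": 7340032,
        "source_ts": 1700000000, "processing_start": 1700000005,
        "processing_end": 1700000065, "scan_start": 1700000070,
        "scan_end": 1700000190, "scan_time": 120,
    },
    "streams": [
        {"name": "quarterly-figures.zip", "depth": 0, "size_kb": 7168,
         "detected_file": True, "type": "ZIP", "result": "Clean", "hash": "00" * 32},
        {"name": "figures.docm", "depth": 1, "size_kb": 512, "detected_file": True,
         "type": "Microsoft Word document", "result": "Suspicious", "hash": "11" * 32},
        {"name": "vbaProject.bin", "depth": 2, "size_kb": 1, "detected_file": False,
         "type": "VBA macro", "result": "Known malicious",
         # SHA-256 of SAMPLE_STREAM_BYTES (the standard test-vector digest of b"abc")
         "hash": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
         "details": [{"assembly": "Shell() call in Document_Open", "offset": 1, "length": 2}]},
    ],
}


def epoch_to_iso(ts):
    """Render one of the report's Epoch timestamps as UTC ISO 8601."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def timeline_checks(ov):
    """Durations implied by the overview timestamps plus two sanity checks:
    the proxy scans only after the download completes, so Scan Start must not
    precede Processing End, and Scan End - Scan Start should equal Scan Time."""
    download_s = ov["processing_end"] - ov["processing_start"]
    scan_s = ov["scan_end"] - ov["scan_start"]
    return {
        "download_seconds": download_s,
        "scan_seconds": scan_s,
        "scan_after_download": ov["scan_start"] >= ov["processing_end"],
        "scan_time_consistent": scan_s == ov["scan_time"],
    }


def overall_verdict(streams):
    """The worst per-stream Result decides the whole file."""
    return max((s["result"] for s in streams), key=VERDICT_RANK.__getitem__)


def depths_are_contiguous(streams):
    """Depth starts at 0 and each extracted stream is one level below the
    stream it came from, so the depths present must be exactly 0..max."""
    depths = {s["depth"] for s in streams}
    return bool(depths) and depths == set(range(max(depths) + 1))


def verify_stream_hash(stream_bytes, reported_hex):
    """Recompute SHA-256 over an extracted stream and compare with the report."""
    return hashlib.sha256(stream_bytes).hexdigest() == reported_hex.lower()


def matched_bytes(stream_bytes, offset, length):
    """Slice the matched region out of a stream by the detail's Offset and
    Length, rejecting out-of-range values instead of silently truncating."""
    if offset < 0 or length < 0 or offset + length > len(stream_bytes):
        raise ValueError(f"match {offset}+{length} lies outside a {len(stream_bytes)}-byte stream")
    return stream_bytes[offset:offset + length]


def triage(report, extracted=None):
    """Analyst summary of a report. `extracted` maps stream name -> bytes for
    any streams whose content is on hand, so their hashes can be verified."""
    ov = report["overview"]
    by_name = {s["name"]: s for s in report["streams"]}
    flagged = [s for s in report["streams"] if VERDICT_RANK[s["result"]] > 0]
    hash_ok = {n: verify_stream_hash(b, by_name[n]["hash"]) for n, b in (extracted or {}).items()}
    return {
        "file": ov["id"], "type": ov["type"], "size_bytes": ov["size"],
        "first_seen": epoch_to_iso(ov["source_ts"]),
        "verdict": overall_verdict(report["streams"]),
        "flagged_streams": [(s["depth"], s["name"], s["result"]) for s in flagged],
        "depths_ok": depths_are_contiguous(report["streams"]),
        "hash_ok": hash_ok,
        **timeline_checks(ov),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, {"vbaProject.bin": SAMPLE_STREAM_BYTES})
    for key, value in summary.items():
        print(f"{key}: {value}")
    detail = SAMPLE_REPORT["streams"][2]["details"][0]
    print("matched bytes:", matched_bytes(SAMPLE_STREAM_BYTES, detail["offset"], detail["length"]))
```

The hash check only applies to streams whose bytes you actually hold (for example a macro stream you carved out of the downloaded document yourself); the report's Hash field is what lets you tie that artefact back to the verdict without re-scanning. A Scan Time that disagrees with the two scan timestamps, or a scan that appears to start before Processing End, is a sign the extracted values are wrong rather than a finding about the file.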