The scan results page is the main place where information about a particular hash is displayed. The information is grouped into several tabs, each containing specific information. Not all the tabs are visible all the time. For example, the "Extracted files" tab is displayed only for archives, and the "Sanitized" tab is displayed only for sanitized files (CDR). Each of the tabs is accessible under a specific link that can be copied or sent as a reference.
Description of main functionalities
Contains a summary of the scanned file:
the file name and corresponding SHA256
the multiscan score
the vulnerability score
the possibility to download the sanitized version of the scanned file (if the file can be sanitized)
If the file has vulnerabilities associated with it, the top 5 CVEs will be displayed.
If the hash is in our list of top 50 hashes, this will also be displayed on the overview page.
The "Analyze Again" button will rescan the file. This button is available only if the engine definitions we have on the scan servers are newer than the engine definitions of the scan, and if the file is not a privately scanned file.
This tab contains useful information regarding the scanned file, such as: hash information, the date the file was uploaded for the first time, the date the file was last scanned, its file type, extension and size.
This tab is available only if the scanned file is an archive and it contains nested files. Here you can see a list of all the files attached to your archive, together with their individual scan results. If you click on any of the listed files, you will be routed to its scan result.
Supported archive types: ZIP, TAR, RAR, GZ, BZ2, 7Z, XZ, CRX, RPM, Z, LZ, XPI, CAB.
In order to rescan a certain file that is attached to your archive, you need to rescan the entire archive. There is a "Parent Archive" button on each of the scan results pages of the files inside the archive that links to the containing archive, where the "Analyze Again" button can be found.
Vulnerabilities are security flaws in IT applications that could expose endpoints to different types of cyber-attacks and malicious software.
MetaDefender Cloud maps files to each application and its version and is able to provide vulnerability information at the hash level.
Through our API, you will be able to retrieve all the known vulnerabilities for all the applications reported for that hash. If any of the existing hashes belong to applications with known vulnerabilities, you will know that you are exposed to potential exploits, and you will be able to do this directly through hash lookups, resulting in a faster diagnosis.
On MetaDefender Cloud, scans and data sanitization requests are performed asynchronously, and each scan request is tracked by a data ID. On this tab we display the multiscan report of the sanitized file, assuring you the highest quality of our sanitization services. For the file types that don't support sanitization, this tab won't be visible.
Please refer to Data Sanitization for more information.
We leverage both signature and heuristic scanning with up to 43 scan engines in the cloud to increase malware detection rates. The multiscanning result is shown in the form of a table with the following information:
scan time: duration of the scan
last updated: the time of the signature update of the particular engine
result: whether the file is considered clean or not
Please refer to File Scanning for more information.
Possible scan results
Scanned files can have different results, due to various use cases, that can be identified by the "scan_all_result_i" variable. Please refer to Description on scan result codes for more information.
This section contains information regarding:
Application Information: operating systems for which a particular application version was reported, including the kernel version, service pack, system architecture, and OS language
Network Connections: all the network connections made by the applications are listed and ranked based on how many times the connection was reported for the selected application. Non-routable IPs are not scanned through MetaDefender.
Loaded Components: all the components loaded by the applications are listed and ranked by the frequency at which the component was reported for the selected application. Since there are applications that report hundreds of loaded components, you can expect to see low numbers in the usage percentage column. Component rank is calculated based on the total number of reported components and how many times each component was seen.
File Names: the same hash can be reported with multiple file names. For each file name, you can see a list of file paths as well as the usage percentage for each path. For privacy reasons, we alter any full paths that contain user names or other confidential data, and present them in a simplified format, while still showing how each path differs.
PE Info: this information can be used to understand binaries; PE information is particularly helpful because it gives more insight into the files themselves: who the file is signed by, the date the file was compiled, the associated DLLs that get downloaded, etc. These all help to develop a better context around the file.
A general report of all the scans of the file. The information is ordered from the most recent scan to the oldest one, displaying the date of each scan and the correlated result.
We display up to the last 300 scans for a particular hash.
APK data is information extracted from Android manifest files. We display:
summary with Android package version, name and application version
all the permissions requested by the app
services, receivers, and providers
the list of intent filters
More data can be retrieved via API.
The cause of missing data on given tabs
If there's data missing on any of the available tabs, that means there is no information available. If you think that some information may be added, please contact us.