[Topic About]

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal delivers all of the knowledge acquired by Kaspersky about cyberthreats and legitimate objects, and their relationships, which are brought together into a single, powerful web service. The goal is to provide your security teams with as much data as possible in order to prevent cyberattacks from impacting your organization. The portal retrieves the latest detailed threat intelligence about web addresses, domains, IP addresses, file hashes, statistical/behavioral data, WHOIS data, etc. The result is visibility of new and emerging threats globally, thus helping you to secure your organization and boost incident response.

Kaspersky Threat Intelligence Portal is available for desktops, tablets, and mobile devices.

Threat intelligence is aggregated from a wide variety of highly reliable sources. Then, in real time, all of the aggregated data is carefully inspected and refined by using several preprocessing techniques and technologies, such as statistical systems, similarity tools, sandboxing, behavioral profiling, allowlist-based verification, and analyst validation.

Every submitted file is analyzed by a set of advanced threat detection technologies, such as reputational services, behavior detection technologies, heuristic analysis, Urgent Detection System, and Kaspersky Cloud Sandbox, to monitor its behavior and actions, including network connections and downloaded/dropped objects. The Sandbox is based on the company’s proprietary and patented technology, which is used internally and allows Kaspersky to detect more than 350,000 new malicious objects every day.

Besides advanced threat detection technologies, information about submitted files, web addresses, IP addresses, and hashes is enriched with the most recent threat intelligence aggregated from fused, heterogeneous, and highly reliable sources, such as:

• Kaspersky Security Network
• Botnet Tracking service
• Proprietary web crawlers
• Spam traps
• APT research findings (thanks to our GReAT team)
• Security partners information
• Technical Intelligence (passive DNS, WHOIS)
• OSINT

Finally, the service analyzes the data for malicious and suspicious activity, and then returns a status report for the submitted objects (files, web addresses, IP addresses, or hashes).

How it works

Files or Indicators of Compromise can be submitted through a web interface or RESTful API. Kaspersky Threat Intelligence Portal lets you submit and retrieve threat intelligence on the following objects:

• Files
• MD5, SHA1, and SHA256 hashes
• IP addresses (IPv4)
• Domains
• Web addresses

Kaspersky Threat Intelligence Portal shows whether an object is in the Good, Bad, or Not Categorized zone, while providing contextual data to help you respond to or investigate objects more effectively.

For users with Premium Access, additional functionality includes access to detailed Threat Lookup and Kaspersky Cloud Sandbox reports, APT Intelligence, Crimeware, and Industrial Threat Intelligence, as well as Digital Footprint Reporting.

Page top

[Topic PremiumServices]

Premium Kaspersky Threat Intelligence Portal services

Tracking, analyzing, interpreting, and mitigating constantly evolving IT security threats is a massive undertaking. Companies in every sector lack of the up-to-the-minute, relevant data they need to manage the risks associated with IT security threats. To help these companies access the most relevant threat information, and to support their ongoing struggles against complex cybercrime, Kaspersky offers premium access through our Kaspersky Threat Intelligence Portal—the ultimate web service to help researchers and Security Operation Center analysts work more efficiently while managing thousands of security alerts.

Premium Kaspersky Threat Intelligence Portal services include:

APT Intelligence Reporting

Subscribers to Kaspersky APT Intelligence Reporting receive unique ongoing access to our investigations and discoveries, including threat actor profiles, their TTPs mapped to MITRE ATT&CK, and full technical data provided in a range of formats on every APT as it's discovered, including all the threats that are never made public. The information in these reports helps you to respond quickly to various threats and vulnerabilities—blocking attacks via known vectors, reducing the damage caused by advanced attacks, and enhancing your overall security strategy.

Crimeware Threat Intelligence Reporting

Enables financial institutions to inform their defensive strategies by providing timely information on attacks targeting banks, payment processing companies, insurance companies, etc. Reports include detailed insights into attacks on specific infrastructures, like ATMs and Point-of-Sale devices, and information on tools tailored to attack financial networks, which are used, developed, and sold by cybercriminals on the dark web.

Digital Footprint Intelligence

A digital risk monitoring solution that provides detailed information on attack vectors associated with an organization's entire digital footprint. These include items such as compromised credentials, information leakages, vulnerable services on the network perimeter, and insider threats. By revealing signs of any past, present, or planned attacks, and identifying weak spots vulnerable to exploitation, the solution helps companies to focus their defensive strategy on prime cyberattack targets.

Threat Data Feeds

By integrating up-to-the-minute Threat Data Feeds containing information on not trusted and dangerous IP addresses, web addresses, and file hashes into existing security controls like SIEM systems, security teams can automate the initial alert triage process while providing their triage specialists with enough context to immediately identify alerts to be investigated or escalated to incident response teams for further investigation and response.

CyberTrace

Kaspersky CyberTrace is a threat intelligence fusion and analysis tool that enables seamless integration of any threat intelligence feed you might want to use (in JSON, STIX™, XML, and CSV formats) with SIEM solutions and other log sources to help analysts more effectively leverage threat intelligence in their existing security operations workflow. The tool uses an internal process of parsing and matching incoming data, which significantly reduces SIEM workload. By automatically parsing incoming logs and events, and matching them against threat intelligence feeds, Kaspersky CyberTrace provides real-time situational awareness, which helps security analysts make swift, well-informed decisions.

Threat Lookup

Kaspersky Threat Lookup delivers all of the knowledge acquired by Kaspersky about cyberthreats, and legitimate objects and their relationships, brought together into a single, powerful web service. The goal is to provide security teams with as much data as possible in order to prevent cyberattacks from impacting your organization. Threat Lookup retrieves the latest detailed threat intelligence about web addresses, domains, IP addresses, file hashes, detected object names, statistical/behavior data, WHOIS/DNS data, file attributes, geolocation data, download chains, timestamps, etc. The result is visibility into new and emerging threats globally, helping you secure your organization and boost incident response and improve threat-hunting missions.

Basic access to Kaspersky Threat Lookup is available to all users.

Cloud Sandbox

Making an intelligent decision based on a file's behavior, while simultaneously analyzing the process memory, network activity, etc. is the best way to understand current sophisticated targeted and tailored threats. Based on our proprietary and patented technologies, Kaspersky Cloud Sandbox provides detailed reports on the behavior of probably infected files.

It incorporates all of the knowledge about malware behaviors acquired by Kaspersky over 20 years of continuous threat research, which allows us to detect more than 350,000 new malicious objects each day. While Threat Lookup retrieves the latest and historical threat intelligence, Kaspersky Cloud Sandbox allows that knowledge to be linked to the IOCs generated by the analyzed sample, revealing the full scope of an attack and helping you plan effective response measures.

Sandboxing of web addresses is also available.

Basic summary reports are available to all users.

Industrial Threat Intelligence Reporting

The Kaspersky Industrial Threat Intelligence Reporting Service provides the customer with in-depth intelligence and greater awareness of malicious campaigns targeting industrial organizations, as well as information on vulnerabilities found in the most popular industrial control systems and underlying technologies.

These premium services enable companies to run highly effective and complex incident investigations—gaining an immediate understanding of the nature of threats, connecting the dots as you drill down to reveal interrelated threat indicators, and linking incidents to specific APT actors, campaigns, their motivation, and TTPs.

For more information, please visit https://www.kaspersky.com/enterprise-security/threat-intelligence and https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting.

Page top

[Topic CompareVersions]

Comparison of Kaspersky Threat Intelligence Portal versions

The table below shows the difference between features available for General and Premium Access to Kaspersky Threat Intelligence Portal.

Available features for General and Premium Access to Kaspersky Threat Intelligence Portal

Feature	General Access	Premium Access
Home page
Worldwide cyber-map
TOPs of threats worldwide and for individual countries
Threat dynamics worldwide and for individual countries
Event list displaying recent events
APT Intelligence and Crimeware Threat Intelligence Reporting
Access to service using web interface
Access to service using RESTful API
Email notifications for new or updated reports
APT Intelligence reports
APT C&C Tracking
Crimeware Threat Intelligence reports
Actor profiles
IoC downloads
Industrial Reporting
Industrial reports
Threat Lookup: Hash investigation
Access to service using web interface
Access to service using RESTful API	(for registered users, API token required)
Export results to JSON / STIX / CSV formats
Hash report contents:
General information
Detection names
File signatures and certificates
Container signatures and certificates
File paths
File names
File downloaded from web addresses and domains
File accessed following web addresses
File started following objects
File was started by following objects
File downloaded following objects
File was downloaded by following objects
Threat Lookup: IP address investigation
Access to service using web interface
Access to service using RESTful API	(for registered users, API token required)
Export results to JSON / STIX / CSV formats
IP address report contents:
General information
IP WHOIS
Threat score
DNS resolutions for IP address
Files related to IP address
Hosted web addresses
Threat Lookup: Web address investigation
Access to service using web interface
Access to service using RESTful API	(for registered users, API token required)
Export results to JSON / STIX / CSV formats
Web address report contents:
General information
Domain/IP WHOIS
DNS resolutions for domain
Files downloaded from requested web address
Files accessed requested web address
Referrals to requested web address
Requested object linked, forwarded, or redirected to following web addresses
Masks (record ID in Data Feeds)
Threat Lookup: Domain investigation
Access to service using web interface
Access to service using RESTful API	(for registered users, API token required)
Export results to JSON / STIX / CSV formats
Domain report contents:
General information
Domain WHOIS
DNS resolutions for domain
Files downloaded from requested domain
Files accessed requested domain
Subdomains
Referrals to domain
Domain referred to following web addresses
Web address masks
WHOIS Lookup
WHOIS Hunting
Cloud Sandbox: Upload and execute file
Custom file execution parameters
Access to service using web interface
Access to service using RESTful API	(for registered users, API token required)
Export results to JSON / STIX / CSV formats
File analysis report contents:
General information
Detection names (including Sandbox detects and Triggered Network Rules)
Execution map	(limited)
Suspicious activities	(limited)
Screenshots	(limited)
Loaded PE images	(limited)
File operations	(limited)
Registry operations	(limited)
Process operations	(limited)
Synchronize operations	(limited)
Downloaded files	(limited)
Dropped files	(limited)
HTTP(S) requests	(limited)
DNS requests	(limited)
Cloud Sandbox: Download and execute file
File download from a web resource
Custom file execution parameters
Access to service using web interface
Access to service using RESTful API
Export results to JSON / STIX / CSV formats
File analysis report contents:
File download information
Download request
Download responses
General information
Detection names (including Sandbox detects and Triggered Network Rules)
Execution map
Suspicious activities
Screenshots
Loaded PE images
File operations
Registry operations
Process operations
Synchronize operations
Downloaded files
Dropped files
HTTP(S) requests
DNS requests
Cloud Sandbox: Browse web address
Custom web address browsing parameters
Access to service using web interface
Access to service using RESTful API	(for registered users, API token required)
Export results to JSON / STIX / CSV formats
Web address analysis report contents:
General information
Detection names (including Sandbox detects and Triggered Network Rules)
Connected hosts	(limited)
WHOIS	(limited)
HTTP(S) requests	(limited)
DNS requests	(limited)
Screenshots	(limited)
Digital Footprint Intelligence
Digital Footprint Intelligence reports
Digital Footprint Intelligence notifications
Threat notifications
Export threat notifications
Viewing and changing organization's information
Data Feeds
Threat Intelligence Data Feeds
Incident Response Tools
Threat Data Feeds Supplementary Tools
SIEM Connectors
Related Materials
User account management
View all group accounts
Manage group accounts (create, edit, delete)
Configure email notifications

Page top

[Topic Requirements]

Software requirements

Kaspersky Threat Intelligence Portal has the following hardware and software requirements:

Desktop version

Minimum general requirements:

• 2 GB of free disk space on hard drive
• Internet connection for working with Kaspersky Threat Intelligence Portal online
• Open 443 (HTTPS) and 80 (HTTP) ports
• Monitor that supports a display resolution of 1366x768

Minimum hardware requirements:

• Intel® Pentium® 1 GHz (or a compatible equivalent) for a 32-bit operating system
• Intel Pentium 2 GHz (or a compatible equivalent) for a 64-bit operating system
• 1 GB of free RAM

Supported browsers:

• Mozilla™ Firefox™
• Google Chrome™
• Microsoft® Edge®
• Safari®

Mobile version

Minimum general requirements:

• For mobile version: mobile devices that support a minimum screen resolution of 320x568
• For tablet version: tablets that support a minimum screen resolution of 1024x768

Minimum and recommended hardware requirements:

• CPU 1.2 GHz (recommended 1.5 GHz)
• 50 MB of free RAM
• 50 MB of free disk space on hard drive

Supported operating systems:

• Android 10 or later
• iOS 14.0 or later
• iPadOS 14 or later

Supported browsers:

• Google Chrome™
• Safari®

We recommend that you always use the latest version of the supported browsers. You can download the latest versions from their vendors' official websites:
Mozilla Firefox Google Chrome Microsoft Edge Safari
If you use an unsupported browser, the functionality of Kaspersky Threat Intelligence Portal may be limited.

Page top

[Topic WhatsNew]

What's new

Kaspersky Threat Intelligence Portal offers the following features and enhancements.

Release 06.2024

• Dynamic scanning update:
  • The dynamic scanning technology has been updated to Kaspersky Research Sandbox 2.3.

    This upgrade will enhance detection accuracy, improve countermeasures against anti-evasion techniques, and increase overall service reliability through internal enhancements.

• Kaspersky TAXII Server Demo Access:
  • Demo access to the Kaspersky TAXII Server is now available for registered users of the portal with a dedicated token. This access allows the use of Demo TAXII collections in STIX format (TAXII_Demo_*_Data_Feed via taxii.tip.kaspersky.com), leveraging all integration benefits, including using the OpenCTI platform connector. Please see the connector readme for more information. The TAXII Demo collections have the same types of indicators as the existing Demo Data Feeds in JSON format.
• Minor UI improvements:
  • User awareness of detection categories has been enhanced.
  • The portal logo has been updated.
• Minor bugfix.
• Improved SEO performance.
• Documentation enhancement.

Release 08.2023

• The Portal is now optimized for mobile devices. You can start an investigation using your mobile device or tablet: submit files to Sandbox, lookup hashes, IP addresses, domains, web addresses, and view a worldwide cybermap showing threats around the globe.
• COVID-19-related phishing threats are replaced with a set of Demo Threat Data Feeds, which is available at the bottom of the main page. Demo Thread Data Feeds now include the following:
  • Demo IP Reputation Data Feed
  • Demo Botnet C&C URL Data Feed
  • Demo Malicious Hash Data Feed
  • Demo APT Hash Data Feed
  • Demo APT IP Data Feed
  • Demo APT URL Data Feed
  • Demo Suricata Rules Data Feed
• When sending an object to reanalysis, the email address that you used to sign in to the Portal is now filled automatically.
• A dark theme option has also been added to the web interface. You can now switch between the current bright mode and a dark alternative, either to improve visibility in dim light or for purely aesthetic reasons.
• Minor bugfix.
• Documentation enhancement.

Release 09.2022

• Kaspersky has introduced a worldwide cybermap to graphically display information about global cyber-attacks and the top threats in each country. Users can also specify a threat type or time period to visualize statistical data.
• The Lookup tab has been extended to support Compromised and Spam categories for IP addresses:
  • Compromised IP addresses are usually legitimate, but infected or compromised at the moment of the lookup request.
  • Spam IP addresses are used to send spam emails.
• The Lookup tab now also supports Compromised categories for domains and web addresses. Similar to IP addresses, these resources are usually legitimate, but infected or compromised at the moment of the lookup request.
• RESTful API quotas have been extended from 200 to 2000 requests per day, allowing users to check a greater number of objects considered as suspicious in automated mode.
• The web interface has also been enhanced and redesigned to ensure a smooth user experience.
• Minor bugfix.
• Documentation enhancement.

Release 11.2020

• The web interface is updated to ensure a smooth user experience as new features are introduced.
• More detailed information on submitted files through their static analysis is added. It provides data on the Portable Executable (PE) files structure and extracted strings. The PE format relates to files running on Windows and contains information on how the operating system should execute their code. Based on the results of the analysis, security researchers can identify the object’s functionality and, as long as it has non-typical artifacts, reveal its harmful potential, even if the malware was previously unknown. The results can also be used to create indicators of compromise, detection heuristics, and rules.
• Behavior detection technology is now added to our multi-layered detection approach as one of the most efficient ways to detect advanced threats like fileless malware, ransomware, and zero-day malware.
• New privileged features for registered users through free community access are introduced:
  • An ability to connect applications with the service via the RESTful API, to automate requests for checking dangerous objects, and get query results in the form of a JSON file and without visiting the web service.
  • Receive a limited number of full reports on either a file’s or web address’s behavior by using Kaspersky Cloud Sandbox to get an understanding on the full file’s activities; and events happening on a certain web page, such as downloads, and JavaScript, Adobe Flash execution.
  • To increase privacy, a special submission mode that enables file or indicators checking in a way that the results are not available to others until they submit an object themselves.
  • The full history of searches (both private and public).

Release 07.2020

• Russian localization of Kaspersky Threat Intelligence Portal and Help is now available.

Release 06.2020

• You can now send objects to Kaspersky experts for analysis result re-validation.

Page top

[Topic DataProvision]

Data provision

When using Kaspersky Threat Intelligence Portal, in addition to the data that you provide in accordance with the Terms of Use and the Privacy Statement, the following types of data are automatically obtained and processed for the purposes described below.

All obtained data is stored as described in the Privacy Statement. The storage period is described in the "How long do we keep your personal data?" section. When a storage period expires, the data is deleted from online transaction processing (OLTP) databases.

By submitting a file or a lookup request to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement. If you do not agree to our Terms of Use and/or the Privacy Statement, please do not submit files or lookup requests.

Processed data:

General user actions

To improve detection services and process user requests to Kaspersky Threat Intelligence Portal services, the portal obtains the following data according to the Terms of Use and the Privacy Statement on any user action during their work with Kaspersky Threat Intelligence Portal:

• Date and time when the action was performed
• IP address (also used for blocking users that make frequent attempts to submit files and/or lookup requests to Kaspersky Threat Intelligence Portal)
• Browser information (also used for blocking users that make frequent attempts to submit files and/or lookup requests to Kaspersky Threat Intelligence Portal)

Hash, IP address, domain, web address lookup requests

To search for requested objects and display recent user requests, Kaspersky Threat Intelligence Portal obtains the following data when submitting a lookup request (hash, IP address, domain, or web address):

• Request
• Request results

Uploaded file execution

To perform investigations and display recent user requests, Kaspersky Threat Intelligence Portal obtains the following data when submitting a file for execution:

• Request (executed file)
• File execution results (hash of the executed file, date and time when the file was executed and analyzed, file size, file type, file name, sandbox detection names, triggered network rules, suspicious activities, screenshots, loaded PE images, file operations, registry operations, process operations, sync operations, downloaded files, dropped files, HTTP requests, HTTPS requests, and DNS requests)

Web address analysis

To perform investigations and display recent user requests, Kaspersky Threat Intelligence Portal obtains the following data when analyzing a web address:

• Request (web address)
• Web address analysis results (sandbox detection names, triggered network rules, suspicious activities, hosts, WHOIS information, screenshots, HTTP requests, HTTPS requests, and DNS requests)

Page top

[Topic Licensing]

Licensing

This section covers the main aspects of Kaspersky Threat Intelligence Portal licensing.

In this section About the Terms of Use About the Privacy Statement About report limitations

Page top

[Topic AboutTermsOfUse]

About the Terms of Use

The Terms of Use for Kaspersky Threat Intelligence Portal is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the service.

Carefully read the Terms of Use and the Privacy Statement before using the service. By submitting a file or a lookup request to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.

To view the Terms of Use for Kaspersky Threat Intelligence Portal:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Click the Terms of Use link in one of the following locations:
   • On the Analysis () page (File Analysis, Lookup or Web Address Analysis tabs) in the request area.
   • In the account menu that expands when you click your user name. If you are not signed in, click the Sign in () button.
   • In the Submit object for reanalysis window.

The Terms of Use page opens.

Page top

[Topic AboutPrivacyStatement]

About the Privacy Statement

To provide you with the core functionality of Kaspersky Threat Intelligence Portal, AO Kaspersky Lab needs to receive and process information that may legally be considered personal in certain countries. This information is described in the Privacy Statement.

Carefully read the Terms of Use and the Privacy Statement before using the service. By submitting a file or a lookup request to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.

To view the Privacy Statement:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Click the Privacy Statement link in one of the following locations:
   • On the Analysis () page (File Analysis, Lookup or Web Address Analysis tabs) in the request area.
   • On the Feedback form page ().
   • In the account menu that expands when you click your user name. If you are not signed in, click the Sign in () button.
   • In the Submit object for reanalysis window.

The Privacy Statement page opens.

Page top

[Topic LimitationQuota]

About report limitations

This section describes the quotas for viewing full reports.

The table below details the limitations for obtaining reports through the web interface and RESTful API.

Report limitations

Report	Access
Web interface
Basic file analysis report	Available if the user submitted the file, or if other users previously submitted the file for analysis (public requests).
Full file analysis report / Full web address analysis report	Available only for registered users, only one report (for a file or web address) being available per day. If a file was already submitted by another Kaspersky Threat Intelligence Portal user during the past hour, the corresponding execution results will be displayed without starting file analysis, regardless of your exceeded quota and report limits. Full file analysis report is available only if the file was previously submitted in the web interface with the Get a full dynamic analysis report check box selected. The check box is available after signing in with Kaspersky Account. Viewing previous reports does not reduce the quota.
RESTful API
Lookup report	Available only for registered users, not more than 2000 requests being available per day.
Basic file analysis report	Available only for registered users, the number of requests is not limited.
Full file analysis report	Available only for registered users, not more than 2000 requests being available per day. Full report is available for a file, if it was previously submitted in the web interface with the Get a full dynamic analysis report check box selected (available after signing in with Kaspersky Account). Full file analysis report also includes the following sections: DynamicAnalysisResults Detections SuspiciousActivities ExtractedFiles NetworkActivities DynamicDetections TriggeredNetworkRules

Full file and web address reports are not available in this version of Kaspersky Threat Intelligence Portal.

Page top

[Topic Interface]

Interface of Kaspersky Threat Intelligence Portal

This section describes the primary elements of the Kaspersky Threat Intelligence Portal interface (see figure below).

Kaspersky Threat Intelligence Portal interface

The worldwide cybermap shows threats around the globe. You can hover your mouse over a country to reveal its global rank of the most attacked countries and the percentage of users whose Kaspersky products have blocked threats of the selected type. To the right of the cybermap, a list of the most attacked countries is displayed.

When you click a specific country on the cybermap, threat ratings and statistics are displayed. These include ranking in the ‘most frequently attacked countries’ list, and the number of detected dangerous objects. Clicking an item in the threats list takes you to the Kaspersky threats website.

For both the worldwide and individual country cybermaps, filtering by type and time is available.

By selecting the information type in the drop-down list, you can view the information for the following types:

• Ransomware—Shows ransomware-class threats: ransomware or blockers.
• Exploits—Shows statistics on exploits detected by various security components.
• Web threats—Shows statistics on threats detected by the Web Anti-Virus component in Kaspersky products.
• Spam—Shows statistics on countries where Kaspersky solutions recorded the largest amount of e-mail spam, as well as the most frequently triggered spam detection methods and technologies.
• Malicious mail—Shows statistics on threats detected in e-mails.
• Network attacks—Shows statistics on threats detected by the Network Attack Blocker component. Typically, these threats include password crackers, port scanners, exploits for various vulnerabilities and other attacks.

  Array of hashes of files that exploit the vulnerability.

  Array contains information via up to 100 files. These are sorted in descending order by the number of detections among Kaspersky Security Network users for the last 90 days.

• Local infections—Shows statistics on threats detected on the devices of Kaspersky users.
• On-demand scan—Shows statistics on threats detected by manual on-demand scans run via the Kaspersky product interface.

By selecting the time period in the drop-down list, you also can filter the displayed information for a specific period:

• Day—Cybermap and other threat statistics for the past 24 hours are displayed.
• Week—Cybermap and other threat statistics for the past seven days are displayed.
• Month—Cybermap and other threat statistics for the past month are displayed.

You can also zoom in on the cybermap by scrolling the map area. Clicking the house button () returns the cybermap zoom to 100%.

The left part of the Kaspersky Threat Intelligence Portal page contains a menu to access the main functions of the portal.

This menu consists of two sections—click the Right Arrow () to expand or Left Arrow () to collapse each section at any time to view the menu in more detail.

Main menu

The main menu provides access to the following sections:

• Analysis (). In this section, you can:
  • On the File Analysis tab—Submit files to be executed in an isolated environment.
  • On the Lookup tab—Request the lookup data for hashes, IP addresses, domains, and web addresses.
  • On the Web Address Analysis tab—Register with Kaspersky Threat Intelligence Portal (General Access) to get access to the web address analysis feature.
• Requests (). In this section, you can:
  • On the Public requests tab—View a list of lookup requests made by other users (public requests).
  • On the My requests tab—View a list of your search results, including lookup requests, file and web address analysis requests, and requests made using the Kaspersky Threat Intelligence Portal API. This tab is available only for registered users.
• Premium Services (). In this section, you can view a description of the premium services offered by Kaspersky Threat Intelligence Portal.
• About Portal (). In this section, you can view general information about Kaspersky Threat Intelligence Portal features.
• Select theme (). This menu lets you choose a dark or light background web interface.
• Select language (). The menu lets you select the localization language for the Kaspersky Threat Intelligence Portal interface. It is available in English and Russian.
• Help (). Takes you to Kaspersky Threat Intelligence Portal Help.
• Send feedback (). Takes you to a page where you can send comments and suggestions about our services and website to the Kaspersky Threat Intelligence Portal team.
• Sign in (). Lets you sign in with Kaspersky Account (General Access). Here, you can also view the Terms of Use and Privacy Statement. Available only if you are not signed in to Kaspersky Threat Intelligence Portal.
• Sign in to premium version (). Lets you sign in with a Kaspersky Threat Intelligence Portal account (Premium Access). Available only if you are not signed in to Kaspersky Threat Intelligence Portal.

Account menu

You can access this menu by clicking your user name in the lower-left corner of the page.

The account menu is only available if you have signed in with your Kaspersky account. Through this menu, you can do the following:

• Change password. Takes you to a page where you can change your Kaspersky Account password.
• Request token. Takes you to a page where you can request an API token, which is required for working with Kaspersky Threat Intelligence Portal API.
• Sign out. Signs you out of Kaspersky Threat Intelligence Portal. Available only if you are signed in to Kaspersky Threat Intelligence Portal.
• Terms of Use. Takes you to the Terms of Use for the Kaspersky Threat Intelligence Portal page. Available only if you are signed in to Kaspersky Threat Intelligence Portal.
• Privacy Statement. Takes you to the Data Privacy Statement Kaspersky Threat Intelligence Portal page. Available only if you are signed in to Kaspersky Threat Intelligence Portal.

Page top

[Topic FileAnalysis]

File analysis

This section explains how you can submit files for execution in a safe environment that is isolated from your corporate network. Also, the file analysis results available in Kaspersky Threat Intelligence Portal are described.

In this section Submitting files Report for analyzed files Automatically detected file types

Page top

[Topic SubmittingFile]

Submitting files

By submitting a file to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.

Before executing a file in Kaspersky Threat Intelligence Portal, you have to upload it.

To submit a file to Kaspersky Threat Intelligence Portal:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the Analysis () section, on the File Analysis tab, select a file that you want to execute, by doing one of the following:
   • Click the Add file button, and then select the required file in the window that opens.
   • Drag and drop the required file to the drop zone.

   When the file is selected, its file name and size are displayed.

   The maximum size of a file that can be uploaded and analyzed is 256 MB. If the size of a file exceeds 256 MB, Kaspersky Threat Intelligence Portal displays a corresponding error message.

   The file must not be empty.

   The drop zone is also available if you select the Requests () item in the main menu.

3. If you want to obtain a dynamic analysis report, select the Get a full dynamic analysis report check box. Selecting this check box is required, if you plan to obtain a full report for the file using API.
4. If you want to analyze the file privately, select the Private submission check box.

   Kaspersky Threat Intelligence Portal allows you to submit objects for analysis privately. Private request results are not displayed on the Public requests tab in the Requests section. For registered users, their private request results are available on the My requests tab.

   However, if an object that you submitted privately was ever submitted publicly by you or another user, then the object analysis results will be added to the Public requests tab and will be available to all Kaspersky Threat Intelligence Portal users.

   Also, if you submit a file for the analysis privately, its hash is not included in the list of public requests, but the Sandbox analysis results will be available to all users who search for the hash of this file.

5. If necessary, you can cancel the selected file upload by clicking the trash can icon ().
6. Click the Analyze button.

File analysis may take up to three minutes. The results are displayed as they become available and can be viewed on the Public requests tab, or on the My requests tab if you submitted the file privately.

If a file was already submitted by another Kaspersky Threat Intelligence Portal user during the past hour, the corresponding execution results will be displayed without starting file analysis, regardless of your exceeded quota and report limits.

Submitted files are executed according to the parameters described in the table below:

File execution parameters

Parameter	Value	Comments
Execution environment	Microsoft Windows® 7 x64	Operating system where the file is executed.
Execution time	100 seconds	The uploaded file will only be executed in the environment. This process takes 100 seconds. The specified time does not include the time required for file analysis and displaying the results.
File type	Automatically defined by Kaspersky Threat Intelligence Portal	If you submit a Microsoft Office document or a Portable Document Format file (.PDF), Kaspersky Threat Intelligence Portal attempts to close this file during the analysis (after 50 seconds). If the file of a different format name ends with one of these extensions, Kaspersky Threat Intelligence Portal attempts to close it. Files with the following extensions: xls, ppt, pub, doc, docm, docx, dotm, dotx, potm, potx, ppam, ppsm, ppsx, pptm, pptx, vsdx, xlam, xlsb, xlsm, xlsx, xltm, xltx, rtf. If you submit a .zip archive, Kaspersky Threat Intelligence Portal attempts to unzip it before execution. An archive can be successfully unzipped if it contains only one file and is not password protected (or if it is protected by a standard password: infected, malware, or virus). If unzipping fails, the file is executed as an archive.
HTTPS traffic	Decrypted	HTTPS traffic that is generated by the object during execution is decrypted.
Internet channel	Auto	Automatically selected Internet channel that belongs to any region and does not direct traffic through the TOR network.

Page top

[Topic FileReport]

Report for analyzed files

After file execution, available analysis results are displayed on the report page.

In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the file is displayed. You can use a desktop version to view the full report.

Depending on the executed file's zone, the MD5 hash and status of the executed file (Malware, Adware and other, Clean, or No threats detected) are displayed on the Report for hash panel in one of the following colors:

• Red—The executed file can be classified as Malware.
• Green—The executed file has a Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.
• Yellow—The executed file is classified as Adware and other (Adware, Pornware, and other programs).

The panel displays the color as soon as file execution completes. Also, the Submit to reanalyze button appears. You can submit the file to Kaspersky experts for analysis result re-validation.

The report page contains the following:

• Overview—Displays general information about the analyzed file.
• Detection names—Displays information about detects related to the analyzed file and that were previously reported in Kaspersky statistics.
• Dynamic analysis summary—Displays the last file scan date and graphics of detects, suspicious activities, extracted files, and network interactions detected during file execution.
• Results tab—Displays information about dynamic analysis detects and network rules triggered during analysis of traffic from the executed file. For registered users, execution map, information about suspicious activities, and screenshots are also available.
• Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
• Sections that are available for registered users:
  • System activities tab—Displays information about activities that were registered during the file execution.
  • Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
  • Network activities tab—Displays information about network activities that were registered during the file execution.
• Premium content—Displays sections that contain blurred data about the executed file. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

Page top

[Topic Overview]

Overview

Kaspersky Threat Intelligence Portal provides the following general information about analyzed files:

General information about files

Field name	Description
Hits	Number of hits (popularity) of the analyzed file hash detected by Kaspersky expert systems. Number of hits is rounded to the nearest power of 10.
First seen	Date and time when the analyzed file hash was first detected by Kaspersky expert systems.
Last seen	Date and time when the analyzed file hash was last detected by Kaspersky expert systems for the last time.
Format	Analyzed file type.
Size	Analyzed file size.
Signed by	Organization that signed the file hash.
Packed by	Packer name (if any).
MD5	MD5 hash of the analyzed file.
SHA1	SHA1 hash of the analyzed file.
SHA256	SHA256 hash of the analyzed file.

Page top

[Topic DetectionNames]

Detection names

Kaspersky Threat Intelligence Portal provides the following information about detects related to the analyzed file and previously reported in Kaspersky statistics:

• Color of the zone that the detect belongs to (red or yellow).
• Date and time when the detect was last detected by Kaspersky expert systems.
• Name of the detect. You can click any entry to view its description on the Kaspersky threats website.

Page top

[Topic DynamicAnalysisSummaryFile]

Dynamic analysis summary

Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during file execution:

Dynamic analysis summary for a file

Chart name	Description
Detects	The total number of objects that were detected during file execution and the proportion of objects with Malware (red) or Adware and other (yellow) statuses.
Suspicious activities	The total number of suspicious activities registered during file execution and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels.
Extracted files	The total number of files that were downloaded or dropped by the file during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to categorize them, in grey).
Network activities	The total number of registered network interactions that the file performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey).

Page top

[Topic ResultsTab]

Results tab

Kaspersky Threat Intelligence Portal provides information about detected items and activities that were registered during the file execution. For registered users, execution map, information about suspicious activities, and screenshots are also available.

Dynamic analysis detects

Detects that were registered during the file execution.

Dynamic analysis detects

Field name	Description
Status	Danger zone (level) associated with the detect (Malware or Adware and other).
Name	Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website.

Triggered network rules

SNORT and Suricata rules that were triggered during analysis of traffic from the executed file.

Triggered network rules

Field name	Description
Zone	Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
Rule	SNORT or Suricata rule name.

Execution map

Graphically represented sequence of the file activities and relationships between them.

Execution map is available only for registered users.

The root node of the tree represents the executed file. Each tree element is marked according to its danger level (High, Medium, or Low). You can click a tree element to view detailed information. You can also zoom the execution map by scrolling the map area.

Suspicious activities

Suspicious activities registered during the file execution.

This section is available only for registered users.

Suspicious activities

Field name	Description
Zone	Danger zone (level) of the registered activity (High, Medium, Low).
Severity	Numerical value of the danger level of the registered activity (integer 1–999).
Description	Activity description. For example, "Executable has obtained the privilege," "The file has been dropped and executed," or "The process has injected binary code into another process." Certain descriptions contain mapping with MITRE ATT&CK threat classification. For example, "MITRE: T1082 System Information Discovery."

Screenshots

Set of screenshots that were taken during the file execution.

Screenshots are available only for registered users.

Page top

[Topic StaticAnalysisTab]

Static analysis tab

Kaspersky Threat Intelligence Portal provides PE information and information about extracted strings.

PE information

This section displays information about the structure of the executed file in Portable Executable (PE) format, if this information is available.

PE information

Table name	Parameters
Sections	Name—File section name. Virtual size—Section size. Virtual address—Section's relative virtual address (RVA). Raw size—Section size in the file.
Export information	Name—Name of the file. Ordinal—Sequence number of the exported element. RVA—RVA of the exported element. Name—Name of the exported element.
Import information	Library—Name of the imported library (.dll). Function—Function name. Ordinal—Sequence number of the imported element.
Debug information	Time stamp—Date and time when the debug information was created. Type—Type of the debug information.

Extracted strings

This section displays information about strings that were extracted during the file execution.

Extracted strings

Parameter	Description
Line	Extracted string (the first 1000 characters).
Encoding	List of encodings (UTF-8, UTF-16BE, UTF-16LE, ASCII).

Page top

[Topic SystemActivitiesTab]

System activities tab

Kaspersky Threat Intelligence Portal provides information about activities that were registered during the file execution.

This tab is available only for registered users.

Loaded PE images

Loaded PE images that were detected during the file execution.

Loaded PE images

Field name	Description
Path	Full path to the loaded PE image.
Size	Size of the loaded PE image in bytes.

File operations

File operations that were registered during the file execution.

File operations

Field name	Description
Operation	Operation name.
Name	Path and name of the file.
Size	Size of the file in bytes.

Registry operations

Operations performed on the operating system registry that were detected during the file execution. Operations that have led to suspicious activities are shown first.

Registry operations

Field name	Description
Operation	Operation name.
Details	Operation attributes.

Process operations

Interactions of the file with various processes that were registered during the file execution.

Process operations

Field name	Description
Interaction type	Type of interaction between the executed file and a process.
Process name	Name of the process that interacted with the executed file.

Synchronize operations

Operations of created synchronization objects (mutual exclusions (mutexes), semaphores, and events) that were registered during the file execution.

Synchronize operations

Field name	Description
Type	Type of the created synchronization object.
Name	Name of the created synchronization object.

Page top

[Topic ExtractedFilesTab]

Extracted files tab

Kaspersky Threat Intelligence Portal provides information about files that were extracted from network traffic or saved by the executed file during the execution.

This tab is available only for registered users.

Transferred files

Files that were extracted from network traffic during the file execution.

Transferred files

Field name	Description
Status	Status of the transferred file (Clean, Adware and other, Malware, Not categorized).
MD5	MD5 hash of the transferred file.
Traffic	Traffic that the transferred file was extracted from (HTTP or HTTPS).
Detection name	Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description at the Kaspersky threats website.

Dropped files

Files that were saved or changed by the executed file in the operating system.

Dropped files

Field name	Description
Status	Status of the downloaded file (Clean, Adware and other, Malware, Not categorized).
MD5	MD5 hash of the downloaded file.
Detection name	Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click an item to view its description at Kaspersky threats website.
File name	File name of the dropped file.

Page top

[Topic NetworkActivitiesTab]

Network activities tab

Kaspersky Threat Intelligence Portal provides information about network activities that were registered during the file execution.

This tab is available only for registered users.

DNS requests

DNS sessions that were registered during file execution.

DNS requests

Field name	Description
Status	Status of an object in the DNS request.
Type	DNS request type.
Response	Contents of the DNS response. Each item is clickable, and navigates to investigation results on the Lookup tab.

HTTP(S) requests

HTTP and HTTPS requests that were registered during the file execution.

HTTP(S) requests

Field name	Description
Status	Status of a web address in the HTTP(S) request. The web address can belong to one of the following zones: Dangerous (there are malicious objects related to the web address). Adware and other (there are objects related to the web address and that can be classified as not-a-virus). Good (the web address is not malicious). Not categorized (no or not enough information about the web address is available to define the category).
Web address	Web address to which the request was registered.
Method	Method of sending an HTTP(S) request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
Scheme	Web address scheme that identifies the protocol which was used (HTTP or HTTPS).
Response code	Response code of the HTTP(S) request.
Response length	Size of the response to the HTTP(S) request (in bytes).
Fields	Additional fields (Request headers and Response headers) displayed as key:value. Standard header names are based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.

Page top

[Topic PremiumAccessFile]

Information available to users with Premium Access

Kaspersky Threat Intelligence Portal provides the following detailed information about the submitted file, if available, to users with Premium Access.

Signatures and certificates tab

Information about file signatures and certificates

Table name	Description	Table fields
File signatures and certificates	Information about signatures and certificates of the submitted file.	Status—Status of the file certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. Signed—Date and time when the certificate was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. Serial number—Serial number of the certificate.
Container signatures and certificates	Information about signatures and certificates of the container.	Status—Status of the container's certificate. Container MD5—MD5 hash of the container's file. Signed—Date and time when the container's certificate was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate.

Paths tab

Information about file paths

Table name	Description	Table fields
File paths	Known paths to the file on computers using Kaspersky software.	Hits—Number of path detections by Kaspersky expert systems. Path—Path to the submitted file on user computers. Location—Root folder or drive where the submitted file is located on user computers.

Names tab

Information about file names

Table name	Description	Table fields
File names	Known names of the file on computers using Kaspersky software.	Hits—Number of file name detections by Kaspersky expert systems. File name—Name of the submitted file.

Downloads tab

Information about web addresses from which the file was downloaded

Table name	Description	Table fields
File downloaded from web addresses and domains	Web addresses and domains from which the file was downloaded.	Status—Status of web addresses or domains used to download the submitted file. Web address—Web addresses used to download the submitted file. Last downloaded—Date and time when the submitted file was last downloaded from the web address / domain. Domain—Upper domain of the web address used to download the submitted file. IP count—Number of IP addresses that the domain resolves to.

Web addresses tab

Information about web addresses

Table name	Description	Table fields
File accessed the following web addresses	Web addresses accessed by the submitted file.	Status—Status of accessed web addresses. Web address—Web addresses accessed by the submitted file. Last accessed—Date and time when the submitted file last accessed the web address. Domain—Upper domain of the web address accessed by the submitted file. IP count—Number of IP addresses that the domain resolves to.

Started objects tab

Information about started objects

Table name	Description	Table fields
File started the following objects	Objects started by the submitted file.	Status—Status of started objects. Hits—Number of times the submitted file started the object, as detected by Kaspersky expert systems. File MD5—MD5 hash of the started object. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. File name—Name of the started object. Last started—Date and time when the object was last started by the submitted file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
File was started by the following objects	Objects that started the submitted file.	Status—Status of objects that started the submitted file. Hits—Number of times the submitted file was started, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that started the submitted file. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that started the submitted file. Last started—Date and time when the submitted file was last started. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Downloaded objects tab

Information about downloaded objects

Table name	Description	Table fields
File downloaded the following objects	Objects downloaded by the submitted file.	Status—Status of downloaded objects. Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded object. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path to the downloaded object on user computers. File name—Name of the downloaded object. Last downloaded—Date and time when the object was last downloaded by the submitted file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
File was downloaded by the following objects	Objects that downloaded the submitted file.	Status—Status of objects that downloaded the submitted file. Hits—Number of times the submitted file was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that downloaded the submitted file. Location—Root folder or drive where the object is located on user computers. File name—Name of the object that downloaded the submitted file. Path—Path to the object on user computers. Last downloaded—Date and time when the submitted file was last downloaded. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Page top

[Topic DetectedFileTypes]

Automatically detected file types

Kaspersky Threat Intelligence Portal attempts to automatically detect the type of a file to be executed.

Possible file types are provided below. The list of file types can be modified during a component update.

• Microsoft Word document
• Microsoft Word Open XML Macro-Enabled document
• Microsoft Word Open XML Format document
• Microsoft Word file template
• Microsoft Word Open XML document template
• Java Archive file
• JavaScript file
• Fichier Encoded JavaScript
• Shortcut file used by Microsoft Windows to point to an executable file
• Microsoft Windows Installer Package
• Adobe® Portable Document Format
• Portable Executable format for executable for 64-bit operating systems
• Portable Executable format for Control Panel files for 64-bit operating systems
• Portable Executable format for dynamic-link libraries (DLL) for 64-bit operating systems
• Portable Executable format for executable for 64-bit operating systems
• Portable Executable format for services for 64-bit operating systems
• Portable Executable format for executable for MS-DOS® and Windows operating systems
• Portable Executable format for Control Panel files
• Portable Executable format for Dynamic-link libraries (DLL)
• Portable Executable format for executable for MS-DOS and Windows operating systems
• Portable Executable format for services
• Microsoft PowerPoint® Open XML Macro-Enabled presentation template
• Microsoft PowerPoint Open XML presentation template
• Add-in file used by Microsoft PowerPoint
• Microsoft PowerPoint Open XML Macro-Enabled slide show
• Microsoft PowerPoint Open XML slide show
• Microsoft PowerPoint presentation
• Microsoft PowerPoint Open XML Macro-Enabled presentation
• Microsoft PowerPoint Open XML Presentation
• Microsoft Publisher document
• Rich Text Format file
• Shockwave® Flash® Movie file
• VBScript Encoded Script file
• VBScript file
• Microsoft Visio® Drawing
• Windows Script file
• Microsoft Excel® Open XML Macro-Enabled Add-In
• Microsoft Excel Spreadsheet
• Microsoft Excel Binary Spreadsheet
• Microsoft Excel Open XML Macro-Enabled Spreadsheet
• Microsoft Excel Open XML Spreadsheet
• Microsoft Excel Open XML Macro-Enabled Spreadsheet Template
• Microsoft Excel Open XML Spreadsheet Template

Page top

[Topic LookupRequests]

Lookup requests

This section explains how you can use Kaspersky Threat Intelligence Portal to run lookup requests for hashes, IP addresses, domains, and web addresses. Also, the concept of zones and object lookup results are described.

In this section Submitting hash, IP address, domain, and web address requests Hash lookup report IP address lookup report Domain and web address lookup report About zones and statuses

Page top

[Topic SubmitRequest]

Submitting hash, IP address, domain, and web address requests

By submitting a lookup request to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.

To submit a lookup request:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the Analysis () section, on the Lookup tab, in the Enter your request here field, enter an object or text you want to investigate in Kaspersky Threat Intelligence Portal:
   • Hash (MD5, SHA1, SHA256).
   • IP address (IPv4).
   • Domain.
   • Web address. Web address length is limited to a maximum of 2000 characters. Other characters will be ignored during a web address investigation.
   • Text. In this case, the Search category is displayed on the Requests page (), but the report is not available.

   Kaspersky Threat Intelligence Portal recognizes the type of the requested object automatically.

3. If you want to look up the object privately, select the Private submission check box.

   For registered users, the private request results are available on the My requests tab. However, the lookup results can become public only if another user submits the same object publicly.

4. Press the Enter button.
5. If necessary, pass the reCAPTCHA test:
   1. Select the I'm not a robot check box in the reCAPTCHA widget.
   2. Follow the instructions to pass the reCAPTCHA test.

The request results are displayed on the report page. The page content varies depending on the requested object type.

Page top

[Topic HashReport]

Hash lookup report

After the hash lookup request is processed, available results are displayed on the report page.

A hash lookup report is consistent with a file analysis report.

In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the hash is displayed. You can use a desktop version to view the full report.

Depending on the zone, the hash and its status (Malware, Adware and other, Clean, No threats detected, or Not categorized) are displayed on a panel in one of the following colors:

• Red—The hash can be classified as Malware.
• Yellow—The hash is classified as Adware and other (Adware, Pornware, and other programs).
• Grey—No data is available for the hash.
• Green—The executed file has Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.

The report page contains the following:

• Overview—Displays general information about the requested hash.
• Detection names—Displays information about detects related to the requested hash and previously reported in Kaspersky statistics.
• Dynamic analysis summary—Displays the last file identified by the requested hash scan date and graphics of detects, suspicious activities, extracted files, and network interactions detected by Kaspersky expert systems.
• Dynamic analysis detects—Displays information about detects registered during the execution of a file identified by the requested hash.
• Triggered network rules—Displays information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by requested hash.
• Premium content—Displays sections that contain blurred data about the requested hash. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

The following tabs are available if the file identified by the requested hash was previously analyzed in Kaspersky Sandbox:

• Results tab—Displays information about dynamic analysis detects and triggered network rules. For registered users, execution map, information about suspicious activities, and screenshots are also available.
• Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
• Tabs that are available for registered users:
  • System activities tab—Displays information about activities that were registered during the file execution.
  • Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
  • Network activities tab—Displays information about network activities that were registered during the file execution.

Page top

[Topic OverviewHash]

Overview for hash

Kaspersky Threat Intelligence Portal provides the following general information about a submitted hash and the file identified by the hash:

General information about hash and file

Field name	Description
Hits	Number of hits (popularity) of the file identified by the requested hash detected by Kaspersky expert systems. Number of hits is rounded to the nearest power of 10.
First seen	Date and time when the file identified by the requested hash was first detected by Kaspersky expert systems.
Last seen	Date and time when the file identified by the requested hash was last detected by Kaspersky expert systems.
Format	Type of the file identified by the requested hash.
Size	Size of the file identified by the requested hash.
Signed by	Organization that signed the hash.
Packed by	Packer name (if any).
MD5	MD5 hash.
SHA1	SHA1 hash (if available).
SHA256	SHA256 hash.

Page top

[Topic DetectionNamesHash]

Detection names

Kaspersky Threat Intelligence Portal provides the following information about known detects related to the hash and previously reported in Kaspersky statistics:

• Color of the zone that the detect belongs to (red or yellow).
• Date and time when the detect was last detected by Kaspersky expert systems.
• Name of the detect. You can click any entry to view its description on the Kaspersky threats website.

Page top

[Topic DynamicAnalysisSummaryHash]

Dynamic analysis summary

Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during execution of the file identified by the requested hash:

Dynamic analysis summary for a hash

Chart name	Description
Detects	The total number of objects detected during execution of the file identified by the requested hash, and the proportion of objects with Malware (red) or Adware and other (yellow) statuses.
Suspicious activities	The total number of suspicious activities registered during execution of the file identified by the requested hash and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels.
Extracted files	The total number of files that were downloaded or dropped by the file identified by the requested hash during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to define the category, in grey).
Network activities	The total number of registered network activities that the file identified by the requested hash performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey).

Page top

[Topic DynamicAnalysisDetectsHash]

Dynamic analysis detects

Kaspersky Threat Intelligence Portal provides the following information about detected objects related to the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.

Sandbox detection names

Field name	Description
Status	Danger zone (level) associated with object (Malware or Adware and other).
Name	Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website.

Page top

[Topic TriggeredNetworkRulesHash]

Triggered network rules

Kaspersky Threat Intelligence Portal provides the following information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.

Triggered network rules

Field name	Description
Zone	Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
Rule	SNORT or Suricata rule name.

Page top

[Topic PremiumAccessHash]

Information available to users with Premium Access

Kaspersky Threat Intelligence Portal provides the following detailed information about the requested hash, if available, to users with Premium Access.

Signatures and certificates tab

Information about file signatures and certificates

Table name	Description	Table fields
File signatures and certificates	Information about signatures and certificates of the file identified by the requested hash.	Status—Status of the file certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. Signed—Date and time when the certificate was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. Serial number—Serial number of the certificate.
Container signatures and certificates	Information about signatures and certificates of the container.	Status—Status of the container's certificate. Container MD5—MD5 hash of the container's file. Signed—Date and time when the container's certificate was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate.

Paths tab

Information about file paths

Table name	Description	Table fields
File paths	Known paths to the file on computers using Kaspersky software.	Hits—Number of path detections by Kaspersky expert systems. Path—Path to the file on user computers identified by the requested hash. Location—Root folder or drive where the file identified by the requested hash is located on user computers.

Names tab

Information about file names

Table name	Description	Table fields
File names	Known names of the file on computers using Kaspersky software.	Hits—Number of file name detections by Kaspersky expert systems. File name—Name of the file identified by the requested hash.

Downloads tab

Information about web addresses from which the file was downloaded

Table name	Description	Table fields
File downloaded from web addresses and domains	Web addresses and domains from which the file was downloaded.	Status—Status of web addresses or domains used to download the file identified by the requested hash. Web address—Web addresses used to download the file identified by the requested hash. Last downloaded—Date and time when the file identified by the requested hash was last downloaded from the web address / domain. Domain—Upper domain of the web address used to download the file identified by the requested hash. IP count—Number of IP addresses that the domain resolves to.

Web addresses tab

Information about web addresses

Table name	Description	Table fields
File accessed the following web addresses	Web addresses accessed by the file identified by the requested hash.	Status—Status of accessed web addresses. Web address—Web addresses accessed by the file identified by the requested hash. Last accessed—Date and time when the file identified by the requested hash last accessed the web address. Domain—Upper domain of the web address accessed by the file identified by the requested hash. IP count—Number of IP addresses that the domain resolves to.

Started objects tab

Information about started objects

Table name	Description	Table fields
File started the following objects	Objects started by the file identified by the requested hash.	Status—Status of started objects. Hits—Number of times the file identified by the requested hash started the object, as detected by Kaspersky expert systems. File MD5—MD5 hash of the started object. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. File name—Name of the started object. Last started—Date and time when the object was last started by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
File was started by the following objects	Objects that started the file identified by the requested hash.	Status—Status of objects that started the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was started, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that started the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that started the file identified by the requested hash. Last started—Date and time when the file identified by the requested hash was last started. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Downloaded objects tab

Information about downloaded objects

Table name	Description	Table fields
File downloaded the following objects	Objects downloaded by the file identified by the requested hash.	Status—Status of downloaded objects. Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded object. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path to the downloaded object on user computers. File name—Name of the downloaded object. Last downloaded—Date and time when the object was last downloaded by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
File was downloaded by the following objects	Objects that downloaded the file identified by the requested hash.	Status—Status of objects that downloaded the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that downloaded the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. File name—Name of the object that downloaded the file identified by the requested hash. Path—Path to the object on user computers. Last downloaded—Date and time when the file identified by the requested hash was last downloaded. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Page top

[Topic IPaddressReport]

IP address lookup report

After the IP address lookup request is processed, available results are displayed on the report page.

Depending on the IP address's zone, the IP address and its status (Dangerous, Not trusted, Good, or Not categorized) are displayed on a panel in one of the following colors:

• Red—The IP address can be classified as Dangerous.
• Orange—The IP address can be classified as Not trusted and may host malicious objects.
• Yellow—The IP address is classified as Adware and other (Adware, Pornware, and other programs).
• Grey—No data is available for the IP address.
• Green—The IP address does not generate malicious activity.

The flag of the country that the requested IP address belongs to is also displayed. When you hover your mouse over the flag, a tooltip with the country name appears. For reserved IP addresses, the crossed out flag () and the Reserved IP address tooltip are displayed. For IP addresses that do not belong to any country, the flag with a question mark () and the No information tooltip are displayed.

The report page contains the following:

• Overview—Displays general information about the requested IP address.
• Geography—Displays the world cyber-map and lights up the country that the requested IP address originates from.
• WHOIS—Displays WHOIS information about the IP address.
• Premium content—Displays sections that contain blurred data about the requested IP address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

Page top

[Topic OverviewIP]

Overview for IP address

Kaspersky Threat Intelligence Portal provides the following general information about a submitted IP address:

General information about IP address

Field name	Description
Hits	Hit number (popularity) of the requested IP address. Hit number is rounded to the nearest power of 10.
First seen	Date and time when the requested IP address first appeared in Kaspersky expert systems statistics, according to your computer local time zone.
Created	Date when the requested IP address was registered.
Updated	Date when information about the requested IP address was last updated.
Categories	Categories of the requested IP address. If the IP address does not belong to any of the defined categories, the General category is displayed.

Page top

[Topic Geography]

Geography

Kaspersky Threat Intelligence Portal displays the world cyber-map and lights up the country that the requested IP address originates from.

The cyber-map is displayed only for IP addresses that belong to one known country. Also, the cyber-map is not displayed if the IP address belongs to a reserved range.

Page top

[Topic WHOIS]

WHOIS

Kaspersky Threat Intelligence Portal provides WHOIS information about the requested IP address.

WHOIS information about IP address

Field name	Description
IP range	Range of IP addresses in the network that the requested IP address belongs to.
Net name	Name of the network that the requested IP address belongs to.
Net description	Description of the network that the requested IP address belongs to.
Created	Date when the requested IP address was registered.
Changed	Date when information about the requested IP address was last updated.
AS description	Autonomous system description.
ASN	Autonomous system number.

Page top

[Topic PremiumAccessIP]

Information available to users with Premium Access

Kaspersky Threat Intelligence Portal provides the following detailed information about the requested IP address, if available, to users with Premium Access.

DNS resolutions tab

Information about DNS resolutions

Table name	Description	Table fields
DNS resolutions for IP address	pDNS information for the requested IP address.	Status—Status of domains. Hits—Number of times that the domain resolved to the requested IP address. Domain—Domain that resolves to the requested IP address. First resolved—Date and time when the domain first resolved to the requested IP address. Last resolved—Date and time when the domain last resolved to the requested IP address. Peak date—Date of maximum number of domain resolutions to the requested IP address. Daily peak—Maximum number of domain resolutions to the requested IP address per day.

Related files tab

Information about related files

Table name	Description	Table fields
Files related to IP address	MD5 hashes of files downloaded from web addresses containing domains that resolve to the requested IP address.	Status—Status of downloaded files. Hits—Number of times that a file was downloaded from the requested IP address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Web address—Web addresses used to download the file. Last seen—Date and time that the file was last downloaded from the requested IP address. First seen—Date and time the file was first downloaded from the requested IP address.

Hosted web addresses tab

Information about hosted web addresses

Table name	Description	Table fields
Hosted web addresses	Web addresses of the domain that resolves to the requested IP address.	Status—Status of web addresses and domains. Hits—Number of web address detections by Kaspersky expert systems. Web address—Detected web address. First seen—Date and time when the web address was first detected. Last seen—Date and time when the web address was last detected.

Web address masks tab

Information about web address masks

Table name	Description	Table fields
Web address masks	Masks of detected by Kaspersky expert systems addresses that contain the IP addresses and web addresses of the domain that resolves to the requested IP address.	Status—Status of web addresses covered by the corresponding mask (Dangerous or Adware and other). Type—Type of the mask. Mask—Web address mask. Feeds—Threat Data Feeds that contain the web address mask.

Page top

[Topic DomainURLReport]

Domain and web address lookup report

After the domain or web address lookup request is processed, available results are displayed on the report page.

A domain lookup report is consistent with a web address lookup report.

In the mobile version of Kaspersky Threat Intelligence Portal, only the following sections are available for the domain or web address: Overview, WHOIS, Dynamic analysis summary, and Sandbox detection names. You can use a desktop version to view the full report.

Depending on the zone of the domain or web address, the requested object and its status (Dangerous, Adware and other, Good, or Not categorized) are displayed on a panel in one of the following colors:

• Red—There are malicious objects related to the domain or web address.
• Orange—The domain or web address can be classified as Not trusted and may host malicious objects.
• Yellow—There are objects related to the domain or web address, which can be classified as Not-a-virus.
• Grey—No data is available for a domain or web address.
• Green—The domain or web address cannot be classified as Dangerous.

The report page contains the following:

• Overview—Displays general information about the requested domain or web address.
• WHOIS—Displays the WHOIS information about the requested domain or web address.
• Premium content—Displays sections that contain blurred data about the requested domain or web address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

The following tabs are available if the web address was previously analyzed in Kaspersky Sandbox:

• Detection names—Displays detected items that were registered during the web address analysis.
• Triggered network rules—Displays SNORT and Suricata rules that were triggered during the web address traffic analysis.
• Connected hosts—Displays IP addresses that were accessed in all HTTP and HTTPS requests after the FQDN resolved.
• Suspicious activities—Displays suspicious activities that were registered during the web address analysis.
• HTTP(S) requests—Displays HTTP and HTTPS requests that were registered during the web address analysis.
• DNS requests—Displays DNS requests that were registered during the web address analysis.
• Screenshots—Displays a set of screenshots that were taken during the web address analysis.

Page top

[Topic OverviewDomainWebAddress]

Overview for domain or web address

Kaspersky Threat Intelligence Portal provides the following general information about a submitted domain or web address:

General information about domain or web address

Field name	Description
IPv4 count	Number of known IP addresses that the requested domain or web address resolves to.
Files count	Number of known malicious files related to the requested web address.
Created	Requested domain or web address creation date.
Expires	Requested domain or web address expiration date. /Name of the upper-level domain. /Name of the registration organization. /Name of the domain name registrar.
Categories	Categories of the requested domain or web address. If the domain or web address does not belong to any of the defined categories, the General category is displayed.

Page top

[Topic WHOISdomain]

WHOIS

Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the requested web address.

A host may be specified by a fully qualified domain name (FQDN) or by an IP address in dot-decimal notation.

Kaspersky Threat Intelligence Portal does not process web addresses if the host is specified by a local, private, or service IP address. In this case, the lookup results should be interpreted with caution.

Host specified by FQDN

WHOIS section for FQDN as a host

Field name	Description
Domain name	Name of the domain for the analyzed web address.
Domain status	Status of the domain for the analyzed web address.
Created	Date when the domain for the analyzed web address was registered.
Updated	Date when the registration information about the domain for the analyzed web address was last updated.
Paid until	Expiration date of the prepaid domain registration term.
Registrar info	Name of the domain registrar for the analyzed web address.
IANA ID	IANA ID of the domain registrar.
Name servers	List of domain name servers for the analyzed web address.

Host specified by IP address

WHOIS section for IP address as a host

Field name	Description
IP range	Range of IP addresses in the network that the host belongs to. Also, the flag of the country that the IP address belongs to is displayed. When you hover your mouse over the flag, a tooltip with the country name appears.
Net name	Name of the network that the IP address belongs to.
Net description	Description of the network that the IP address belongs to.
Created	Date when the IP address was registered.
Changed	Date when information about the IP address was last updated.
AS description	Autonomous system description.
ASN	Autonomous system number according to RFC 1771 and RFC 4893.

Page top

[Topic PremiumAccessDomainURL]

Information available to users with Premium Access

Kaspersky Threat Intelligence Portal provides the following detailed information about the requested domain or web address, if available, to users with Premium Access.

DNS resolutions tab

Information about DNS resolutions

Table name	Description	Table fields
DNS resolutions for domain/web address	IP addresses that the requested domain or web address resolves to.	Status—Status of IP address. Threat score—Probability that the IP address will be dangerous (0 to 100). Hits—Number of IP address detections by Kaspersky expert systems. IP—IP addresses. First resolved—Date and time when the requested domain / web address first resolved to the IP address. Last resolved—Date and time when the requested domain / web address last resolved to the IP address. Peak date—Date of maximum number of requested domain / web address resolutions to the IP address. Daily peak—Maximum number of requested domain / web address resolutions to the IP address per day.

Downloaded files tab

Information about downloaded files

Table name	Description	Table fields
Files downloaded from requested domain / web address	MD5 hashes of files that were downloaded from the requested domain or web address.	Status—Status of files that were downloaded. Hits—Number of file downloads from the requested domain / web address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Last seen—Date and time when the file was last downloaded from the requested domain / web address. First seen—Date and time when the file was first downloaded from the requested domain / web address. Web address—Web addresses used to download the file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Accessed files tab

Information about accessed files

Table name	Description	Table fields
Files accessed requested domain/web address	MD5 hashes of files that accessed the requested domain or web address.	Status—Status of files that accessed the requested domain / web address. Hits—Number of times the file accessed the requested domain / web address. File MD5—MD5 hash of the file that accessed the requested domain / web address. Last seen—Date and time when the file last accessed the requested domain / web address. First seen—Date and time when the file first accessed the requested domain / web address. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Subdomains tab

Information about subdomains

Table name	Description	Table fields
Subdomains	Subdomains for the requested domains.	Status—Status of subdomains. Subdomain name—Name of the detected subdomain. Web address count—Number of web addresses related to the subdomain. Hosted files—Number of files hosted on the detected subdomain. First seen—Date and time when the subdomain was first detected.

Referrals tab

Information about referrals

Table name	Description	Table fields
Referrals to domain/web address	Web addresses that refer to the requested domain or web address.	Status—Status of web addresses that refer to the requested domain / web address. Web address—Web address that refers to the requested domain or web address. Last reference—Date and time when the requested domain / web address was last referred to by listed web addresses.

Domain referrals tab

Information about domain referrals

Table name	Description	Table fields
Domain referred to the following web addresses	Web addresses that the requested domain links, forwards, or redirects to.	Status—Status of web addresses that the requested domain links, forwards, or redirects to. Web address—Web address accessed by the requested domain. Last reference—Date and time when the requested domain last linked, forwarded, or redirected to listed web addresses.

Web address masks tab

Information about web address masks

Table name	Description	Table fields
Web address masks	Masks of the requested web address's domain, which were detected by Kaspersky expert systems.	Status—Status of web addresses covered by the corresponding mask (Dangerous or Adware and other). Type—Type of the mask. Mask—Requested domain / web address mask. Feeds—Threat Data Feeds that contain the requested domain mask.

Page top

[Topic AboutZones]

About zones and statuses

All investigated objects are assigned to zones. A zone indicates the danger level of the object. All related objects are assigned to their own zones. Their zones and the zone of the investigated object may not match.

The list of zones is common for all types of objects, but not all zones can be applied to all types of objects.

Each type of object has its own set of statuses that most accurately describe the danger of objects of this type.

The relationships between the zones and statuses for all object types are provided in the table below.

Zones and statuses

Zone	Danger level	Hash status	IP address status	Domain status	Web address status
Red	High	Malware	Dangerous	Dangerous	Dangerous
Orange	Medium	n/a*	Not trusted	Not trusted	Not trusted
Yellow	Medium	Adware and other	Adware and other	Adware and other	Adware and other
Grey	Info	Not categorized	Not categorized	Not categorized	Not categorized
Green	Low	Clean / No threats detected	Good / No threats detected	Good / No threats detected	Good / No threats detected

* n/a – Not applicable

Page top

[Topic WebAddressAnalysis]

Web address analysis

This section explains how you can emulate opening a web address in a safe environment that is isolated from your corporate network. The web address analysis results available in Kaspersky Threat Intelligence Portal are also described.

Web address analysis is available only for registered users.

In this section Starting web address browsing Report for web address

Page top

[Topic StartingURLbrowse]

Starting web address browsing

Before submitting a web address to analysis, you have to register in Kaspersky Threat Intelligence Portal.

By submitting a web address to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.

To analyze a web address,

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the Analysis () section, on the Web Address Analysis tab, enter the required web address in the Enter your request here field.
3. If necessary, you can remove the entered web address by clicking .
4. Press the Enter button.

Browsing the submitted web address is emulated according to the parameters described in the table below:

Web address browsing emulation parameters

Parameter	Value	Comments
Browsing environment	Microsoft Windows 10 x64	Operating system where the web address is browsed.
Browsing time	100 seconds	Time that the web address browsing is emulated (in seconds).
HTTPS traffic	Decrypted	HTTPS traffic that is generated during the web address browsing is decrypted.
Internet channel	Auto	Automatically selected Internet channel that belongs to any region and does not direct traffic through the TOR network.

Page top

[Topic WebAddressReport]

Report for web address

After web address browsing emulation, available analysis results are displayed on the report page.

Depending on the web address's zone, it's status (Dangerous, Adware and other, Good, or Not categorized) is displayed on a panel in one of the following colors:

• Red—There are malicious objects related to the web address.
• Orange—The web address can be classified as Not trusted and may host malicious objects.
• Yellow—There are objects related to the web address and that can be classified as Not-a-virus.
• Grey—No data is available for a web address.
• Green—The web address cannot be classified as Dangerous.

The report page contains the following:

• Overview—Displays general information about the analyzed web address.
• Summary—Displays statistical information about the analyzed web address.
• WHOIS—Displays the WHOIS information about the analyzed web address.
• Detection names—Displays detected items that were registered during the web address analysis.
• Triggered network rules—Displays SNORT and Suricata rules that were triggered during the web address traffic analysis.
• Connected hosts—Displays IP addresses that were accessed in all HTTP and HTTPS requests after the FQDN resolved.
• Suspicious activities—Displays suspicious activities that were registered during the web address analysis.
• HTTP(S) requests—Displays HTTP and HTTPS requests that were registered during the web address analysis.
• DNS requests—Displays DNS requests that were registered during the web address analysis.
• Screenshots—Displays a set of screenshots that were taken during the web address analysis.
• Premium content—Displays sections that contain blurred data about the analyzed web address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

Page top

[Topic OverviewWebAddress]

Overview for web address

Kaspersky Threat Intelligence Portal provides the following general information about an analyzed web address:

General information about web address

Field name	Description
IPv4 count	Number of known IP addresses that the analyzed web address resolves to.
Files count	Number of known malicious files related to the analyzed web address.
Web address count	Number of known malicious web addresses related to the analyzed object.
Hits	Number of the requested web address detections by Kaspersky expert systems.
Created	Analyzed web address creation date.
Expires	Analyzed web address expiration date.
Domain	Name of the upper-level domain.
Registration organization	Name of the registration organization.
Registrar name	Name of the domain name registrar.
Categories	Categories of the analyzed web address. If the web address does not belong to any of the defined categories, the General category is displayed.

Page top

[Topic Summary]

Dynamic analysis summary

Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, connected hosts, extracted files, and network interactions detected during web address analysis:

Dynamic analysis summary for a web address

Chart name	Description
Detects	The total number of objects detected during web address analysis, and the proportion of objects with Malware (red) or Adware and other (yellow) statuses.
Connected hosts	The total number of unique IP addresses related to the analyzed web address, and the proportion of IP addresses with the status of Dangerous (in red), Not trusted (in orange), Good (in green), or Not categorized (no or not enough information about the IP address is available to define the category, in grey).
Extracted files	The total number of files that were transferred or dropped during the analysis process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to define the category, in grey).
Network activities	The total number of registered network activities that were performed during the analysis process, and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey).

Page top

[Topic WHOISWebAddress]

WHOIS

Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the analyzed web address.

A host may be specified by a fully qualified domain name (FQDN) or by an IP address in dot-decimal notation.

Kaspersky Threat Intelligence Portal does not process web addresses if the host is specified by a local, private, or service IP address. In this case, the results should be interpreted with caution.

Host specified by FQDN

WHOIS section for FQDN as a host

Field name	Description
Domain name	Name of the domain for the analyzed web address.
Domain status	Status of the domain for the analyzed web address.
Created	Date when the domain for the analyzed web address was registered.
Updated	Date when the registration information about the domain for the analyzed web address was last updated.
Paid until	Expiration date of the prepaid domain registration term.
Registrar info	Name of the domain registrar for the analyzed web address.
IANA ID	IANA ID of the domain registrar.
Name servers	List of domain name servers for the analyzed web address.

Host specified by IP address

WHOIS section for IP address as a host

Field name	Description
IP range	Range of IP addresses in the network that the host belongs to. The flag of the country that the IP address belongs to is also displayed. When you hover your mouse over the flag, a tooltip with the country name appears.
Net name	Name of the network that the IP address belongs to.
Net description	Description of the network that the IP address belongs to.
Created	Date when the IP address was registered.
Changed	Date when information about the IP address was last updated.
AS description	Autonomous system description.
ASN	Autonomous system number, according to RFC 1771 and RFC 4893.

Page top

[Topic SandboxDetectionNamesURL]

Sandbox detection names

Kaspersky Threat Intelligence Portal provides information about detected items that were registered during the web address analysis.

Sandbox detection names

Field name	Description
Zone	Danger zone (level) to which the threat refers (High, Medium, Low, Info).
Name	Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description at the Kaspersky threats website.

Page top

[Topic TriggeredIDSrules]

Triggered network rules

Kaspersky Threat Intelligence Portal provides information about SNORT and Suricata rules that were triggered during the web address traffic analysis.

Triggered network rules

Field name	Description
Zone	Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
Rule	SNORT or Suricata rule name.

Page top

[Topic ConnectedHosts]

Connected hosts

Kaspersky Threat Intelligence Portal provides information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.

Connected hosts

Field name	Description
Status	Status (danger level) of IP addresses that the domain for the requested web address resolved to (Dangerous, Not trusted, Not categorized, Good).
IP	IP address to which a domain from the Resolved from domain column in this table resolved. The flag of the country that the IP address belongs to is displayed. When you hover your mouse over a flag, a tooltip with the country name appears.
ASN	Autonomous system number according to RFC 1771 and RFC 4893.
Resolved from domain	Fully qualified domain name (FQDN) that resolved to the IP address from the IP column in this table.

Page top

[Topic SuspiciousActivities]

Suspicious activities

Kaspersky Threat Intelligence Portal provides information about dangerous activities that were registered during the web address analysis.

Suspicious activities

Field name	Description
Zone	Danger zone (level) of the registered activity (High, Medium, Low).
Severity	Numerical value of the danger level of the registered activity (integer 1–999).
Description	Suspicious activity description. For example, "Executable has obtained the privilege," "The file has been dropped and executed," or "The process has injected binary code into another process." Certain descriptions contain mapping with MITRE ATT&CK™ threat classification. For example, "MITRE: T1082 System Information Discovery."

Page top

[Topic HTTPrequests]

HTTP(S) requests

Kaspersky Threat Intelligence Portal provides information about HTTP and HTTPS requests that were registered during the web address analysis.

HTTP(S) requests

Field name	Description
Status	Status of a web address in the HTTP or HTTPS request.
Scheme	Web address scheme that identifies the protocol that was used (HTTP or HTTPS).
URL	Web address to which the request was registered.
IP	IP address as a host.
Request	Information about the HTTP or HTTPS request.
Response	Information about the HTTP or HTTPS response.

Page top

[Topic DNSrequests]

DNS requests

Kaspersky Threat Intelligence Portal provides information about DNS requests that were registered during the web address analysis.

DNS requests

Field name	Description
Type	DNS request type.
Request	Contents of the DNS request.
Response	Response to the DNS request.

Page top

[Topic Screenshots]

Screenshots

Kaspersky Threat Intelligence Portal provides screenshots that were taken during web address browsing.

Page top

[Topic ViewPublicRequests]

Viewing public request results

Kaspersky Threat Intelligence Portal allows you to view public requests—lookup requests that were made by other users.

To view public request results:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the Requests () section, select the Public requests tab.

   The Public requests table opens.

3. Click the required item (hash, IP address, or domain) in the table and select Show report in the drop-down menu.

   The report page opens for the selected object.

   This version of Kaspersky Threat Intelligence Portal displays only general information about submitted objects. Certain sections contain blurred data (for example, the DNS resolutions for IP address section on the report page for the IP address). Premium Access to Kaspersky Threat Intelligence Portal is required to view a full lookup report.

See also: Domain and web address lookup report IP address lookup report Licensing

Page top

[Topic PrivateRequests]

Private requests

Kaspersky Threat Intelligence Portal allows you to submit objects for analysis privately. Private request results are not displayed on the Public requests tab in the Requests section. For registered users, their private request results are available on the My requests tab.

However, if an object that you submitted privately was ever submitted publicly by you or another user, then the object analysis results will be added to the Public requests tab and will be available to all Kaspersky Threat Intelligence Portal users.

Also, if you submit a file for the analysis privately, its hash is not included in the list of public requests, but the Sandbox analysis results will be available to all users who search for the hash of this file.

The My requests tab displays the results of your latest 100 requests (both private and public), including the following:

• File analysis in the Sandbox.
• Web address analysis in the Sandbox.
• Hash, IP address, domain, and web address lookup requests.
• API requests.

Information about the objects that are assigned the Not categorized status are also displayed.

Items in the My requests tab are sorted by date, in descending order.

You can click an item in the table and copy it to clipboard (Copy in the drop-down menu) or view the analysis/lookup results (Show report in the drop-down menu).

In this section Submitting private requests Viewing private request results

Page top

[Topic SubmitPrivateRequests]

Submitting private requests

To submit a private request:

When sending a file to the analysis or running a lookup request, select the Private submission check box before you submit your request.

The request results are displayed on the My requests tab. This tab is available only for registered users.

Page top

[Topic ViewingMyRequests]

Viewing private request results

Viewing private request results history is available only for registered users.

To view your private request results:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Make sure you are signed in with your Kaspersky Account.
3. In the Requests () section, select the My requests tab.

   The My requests table opens. For each item, the following information is displayed:

   • Status—Status of the object (for example, Malware). An icon and the color of the status displayed will match the object's zone.
   • Type—The requested object's type (for example, Domain).
   • Request—The request in the normalized form. For files, their hashes are displayed, not their file names.
4. Click the required item (hash, IP address, or domain) in the table and select Show report in the drop-down menu.

   The report page opens for the selected object.

Page top

[Topic AdditionalAnalysis]

Submitting objects for re-validation

Kaspersky Threat Intelligence Portal allows you to submit objects to Kaspersky experts for analysis result re-validation, if you disagree with the scan results. You can send files and hashes of previously submitted files for re-validation only if these objects were previously analyzed in the Kaspersky Threat Intelligence Portal sandbox. Also, you can submit IP addresses, web addresses, and domains (public requests).

To submit an object for additional analysis:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the Requests () section, select the Public requests tab or the My requests tab (if available).

   The table that contains request results opens.

3. Click the required item (hash, IP address, web address or domain) in the table and select Show report in the drop-down menu.

   The report page opens for the selected object.

4. Click the Submit to reanalyze button.

   This button also becomes available on the Report page for the analyzed file after the analysis is completed.

5. In the window that opens, provide your email address so that Kaspersky experts can contact you.
6. If necessary, in the Comment field, specify the reason for sending the object for re-validation or write another comment.

   The comment length is limited to 2000 characters.

7. Click Submit.

If you submit more than 10 objects from your account within 24 hours, the reCAPTCHA test appears for each subsequent request.

Page top

[Topic SignIn]

Signing in

This section explains how you can sign in to Kaspersky Threat Intelligence Portal to get access to premium services and view detailed reports for submitted objects.

You can work with Kaspersky Threat Intelligence Portal in one of the following ways:

• Sign in with a Kaspersky Threat Intelligence Portal account (Premium Access)—You get access to premium features, according to your group's license and your permissions.
• Sign in with a Kaspersky Account—You can view detailed reports for submitted objects, excluding data that is available only for users with Premium Access. You can submit private requests and submit web addresses to be analyzed in Kaspersky Sandbox. Premium features of Kaspersky Threat Intelligence Portal are not available.
• Without registration and sign in—You can view only basic information about submitted objects. Detailed reports, web address analysis in Kaspersky Sandbox, and other premium features of Kaspersky Threat Intelligence Portal are not available.

In this section Signing in with a Kaspersky Threat Intelligence Portal account (Premium Access) Signing in with a Kaspersky Account Changing a password for Kaspersky Account Signing out

Page top

[Topic SignInPremium]

Signing in with a Kaspersky Threat Intelligence Portal account (Premium Access)

If your organization has a current Kaspersky Threat Intelligence Portal license, and you have a valid and enabled account, you can sign in to the premium version to use services that are available for you.

To sign in to Kaspersky Threat Intelligence Portal with Premium Access:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the menu, click the Sign in to premium version () button.

   The Kaspersky Threat Intelligence Portal sign-in page opens.

3. Enter the user name and password that you received from your administrator or Kaspersky technical account manager.

For more information, please refer to the documentation for the premium version of Kaspersky Threat Intelligence Portal.

Page top

[Topic SignInKLaccount]

Signing in with a Kaspersky Account

Kaspersky Account is a personal account that provides Kaspersky users with the ability to authenticate and manage their account settings.

You can sign in to Kaspersky Account with the same account that you use for a variety of Kaspersky resources and services. For example, if you have a registered account on My Kaspersky or Kaspersky’s Technical Support website, you already have access to Kaspersky Account.

If you do not have an account, you can sign up now.

To sign in to Kaspersky Threat Intelligence Portal with Kaspersky Account:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the menu, click Sign in ().
3. Read and accept the Terms of Use and Privacy Statement by clicking corresponding check boxes.
4. Click the Sign in with Kaspersky Account button. This button is active only when you accept the Terms of Use and Privacy Statement (see step 3).

   If you are already signed in to your Kaspersky Account, the Analysis page of Kaspersky Threat Intelligence Portal opens.

5. If you have a Kaspersky Account, but are not signed in, the Sign in page opens. Enter your email address and password, and then click the Sign in button. You can also sign in by using your Facebook account.
6. If you do not have a Kaspersky Account, on the Sign in page, click the Create a new account link.

   The Create account page opens. On this page, you can register your Kaspersky Account. If necessary, you can change your password later.

For more information, please refer to the Kaspersky Account documentation.

Page top

[Topic ChangePassword]

Changing a password for Kaspersky Account

If necessary, you can change your Kaspersky Account password.

To change the Kaspersky Account password:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Sign in with your Kaspersky Account.
3. In the <your email address> () drop-down menu, click Change password.

   The Change password page opens.

4. Enter a new password in the Password field.

   The password must contain at least 8 characters and include at least one numeral, one uppercase and one lowercase letter, and no spaces. The password must not duplicate one of your recent passwords.

5. Re-enter your new password in the Confirm password field.
6. Click the Save button.

   The new password is saved.

Please refer to the Kaspersky Account documentation for more information.

Page top

[Topic SignOut]

Signing out

To sign out of Kaspersky Threat Intelligence Portal:

In the <your email address> () drop-down menu, click the Sign out button.

You are signed out.

Page top

[Topic RequestDemoTAXIIserverToken]

Requesting Demo TAXII Server Token

You can import threat intelligence data provided by the Kaspersky Threat Intelligence Portal to the OpenCTI Platform using the Kaspersky Feeds for OpenCTI connector. This connector analyzes the description property of STIX objects received from the TAXII server to produce additional STIX objects. It also analyzes their STIX relationships to help generate more comprehensive threat intelligence. To learn more about the Kaspersky Feeds for OpenCTI connector, please visit our GitHub.

To pull Demo Kaspersky Threat Data Feeds directly into third-party systems (e.g., OpenCTI) via TAXII, you need a Demo TAXII Server Token.

You can request, view, copy, and revoke your Demo TAXII Server Token.

To use the Kaspersky Threat Intelligence Portal API, you need to request an API token.

To request a Demo TAXII Server Token:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Make sure you are signed in with your Kaspersky Account.
3. In the <your email address> () drop-down menu, click Request token.

   The Request Token page opens.

4. In the Demo TAXII Server Token section, click the Request token button.

   The generated Demo TAXII Server Token appears — use the eye icon to view or hide the token.

   Information about the token's validity period and number of days before expiration is displayed.

5. If necessary, you can copy the token by clicking the button.

To revoke a Demo TAXII Server Token:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Make sure you are signed in with your Kaspersky Account.
3. In the <your email address> () drop-down menu, click Request token.

   The Request Token page opens.

4. In the Demo TAXII Server Token section, click the Revoke token button.

   The token becomes invalid.

To pull Demo Kaspersky Threat Data Feeds directly into third-party systems again, you must generate a new Demo TAXII Server token.

See also Managing an API token

Page top

[Topic WorkingWithAPI]

Working with the API

This section explains how to use Kaspersky Threat Intelligence Portal. You can lookup objects and submit files to the Sandbox analysis by using the Kaspersky Threat Intelligence Portal API.

To work with Kaspersky Threat Intelligence Portal API, you must request an API token.

You can access Kaspersky Threat Intelligence Portal API at the following location:

https://opentip.kaspersky.com/api/v1/<endpoint>

In this section Managing an API token Looking up a hash Looking up an IP address Looking up a domain Looking up a web address Getting basic file analysis report Getting full file analysis report

Page top

[Topic ManagingToken]

Managing an API token

To be able to use the Kaspersky Threat Intelligence Portal API, you must sign in by using the Kaspersky Account, and then request an API token (hereinafter also referred to as "token").

You can request, view, copy, and revoke your token. The generated token is used as the header parameter X-API-KEY when you run requests by using the Kaspersky Threat Intelligence Portal API.

You can view your token at any time on the Request Token page.

If you revoke the token, it becomes invalid, and cannot be used for working with the Kaspersky Threat Intelligence Portal API.

The maximum token validity period is one year.

To use Kaspersky Feeds for OpenCTI Connector to obtain Demo Threat Data Feeds, you need to request a Demo TAXII Server Token.

To request a token:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Make sure you are signed in with your Kaspersky Account.
3. In the <your email address> () drop-down menu, click Request token.

   The Request Token page opens.

4. In the API Token section, do the following:
   1. If necessary, specify a validity period or expiration date for the token by using the calendar.

      By default, one year is specified.

      The validity period for the token cannot be changed after it is generated. You can only request another token, and then specify a new required date.

   2. Click the Request token button.

      The generated token appears in the API token field — use the eye icon to view or hide the token.

      Information about the token's validity period and number of days before expiration is displayed.

5. If necessary, you can copy the token by clicking the button.

To revoke a token:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. Make sure you are signed in with your Kaspersky Account.
3. In the <your email address> () drop-down menu, click Request token.

   The Request Token page opens.

4. In the API Token section, click the Revoke token button.

   The API token becomes invalid.

To be able to work with the Kaspersky Threat Intelligence Portal API again, you must generate a new API token.

See also Requesting Demo TAXII Server Token

Page top

[Topic HashLookupAPI]

Looking up a hash

Expand all | Collapse all

Kaspersky Threat Intelligence Portal provides an API for looking up a hash.

Request

Request method: GET

Endpoint: https://opentip.kaspersky.com/api/v1/search/hash

Query parameter: request—Hash that you want to investigate.

cURL command sample: curl --request GET 'https://opentip.kaspersky.com/api/v1/search/hash?request=<hash>' --header 'x-api-key: <API token>' Here: <hash>—The hash that you want to investigate. <API token>—The API token that you requested in the web interface.

Responses

200 OK

400 Bad Request

401 Unauthorized

403 Forbidden

404 Not Found

Page top

[Topic IPLookupAPI]

Looking up an IP address

Expand all | Collapse all

Kaspersky Threat Intelligence Portal provides an API for looking up an IP address.

Request

Request method: GET

Endpoint: https://opentip.kaspersky.com/api/v1/search/ip

Query parameter: request—IP address that you want to investigate.

cURL command sample: curl --request GET 'https://opentip.kaspersky.com/api/v1/search/ip?request=<IP address>' --header 'x-api-key: <API token>' Here: <IP address>—The IP address that you want to investigate. <API token>—The API token that you requested in the web interface.

Responses

200 OK

400 Bad Request

401 Unauthorized

403 Forbidden

Page top

[Topic DomainLookupAPI]

Looking up a domain

Expand all | Collapse all

Kaspersky Threat Intelligence Portal provides an API for looking up a domain.

Request

Request method: GET

Endpoint: https://opentip.kaspersky.com/api/v1/search/domain

Query parameter: request—Domain that you want to investigate.

cURL command sample: curl --request GET 'https://opentip.kaspersky.com/api/v1/search/domain?request=<domain>' --header 'x-api-key: <API token>' Here: <domain>—The domain that you want to investigate. <API token>—The API token that you requested in the web interface.

Responses

200 OK

400 Bad Request

401 Unauthorized

403 Forbidden

404 Not Found

Page top

[Topic URLLookupAPI]

Looking up a web address

Expand all | Collapse all

Kaspersky Threat Intelligence Portal provides an API for looking up a web address.

Request

Request method: GET

Endpoint: https://opentip.kaspersky.com/api/v1/search/url

Query parameter: request—Web address that you want to investigate.

cURL command sample: curl --request GET 'https://opentip.kaspersky.com/api/v1/search/url?request=<web address>' --header 'x-api-key: <API token>' Here: <web address>—The web address that you want to investigate. <API token>—The API token that you requested in the web interface.

Responses

200 OK

400 Bad Request

401 Unauthorized

403 Forbidden

404 Not Found

414 URI Too Long

Page top

[Topic SubmitFileAPI]

Getting basic file analysis report

Expand all | Collapse all

Kaspersky Threat Intelligence Portal provides an API for sending a file for analysis in the Sandbox and getting a basic report.

Request

Request method: POST

Endpoint: https://opentip.kaspersky.com/api/v1/scan/file

Query parameter: filename—Name of the file you want to analyze.

cURL command sample: curl --request POST 'https://opentip.kaspersky.com/api/v1/scan/file?filename=<file name>' --header 'x-api-key: <API token>' --header 'Content-Type: application/octet-stream' --data-binary '@<path to file>' Here: <file name>—The name of the file that you want to analyze. <API token>—The API token that you requested in the web interface. <path to file>—The full path to the file that you want to analyze.

Responses

200 OK

400 Bad Request

401 Unauthorized

413 Payload Too Large

Page top

[Topic GetFileReport]

Getting full file analysis report

Expand all | Collapse all

Kaspersky Threat Intelligence Portal provides an API for getting the full analysis results of a file previously submitted to the Sandbox in the web interface.

The full report is available only if the Get a full dynamic analysis report check box was selected while submitting the file. The check box is available after signing in with Kaspersky Account.

You can use the scan/file method to obtain the file hash (MD5, SHA1, SHA256).

Request

Request method: POST

Endpoint: https://opentip.kaspersky.com/api/v1/getresult/file

Query parameter: request—Hash for which you want to get the analysis results.

cURL command sample: curl --request POST 'https://opentip.kaspersky.com/api/v1/getresult/file?request=<file hash> --header 'x-api-key: <API token>' Here: <file hash>—The hash of the file that you want to get analysis results for. <API token>—The API token that you requested in the web interface.

Responses

200 OK

400 Bad Request

401 Unauthorized

403 Forbidden

Page top

[Topic SendFeedback]

Sending feedback

By using the feedback form, you can send your comments and suggestions about services and our website to the Kaspersky Threat Intelligence Portal team.

To send your feedback about Kaspersky Threat Intelligence Portal:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. In the menu, click the Send feedback button ().

   The Feedback form window opens.

3. Enter your feedback about Kaspersky Threat Intelligence Portal services and website.

   The feedback length is limited to 2000 characters.

4. If necessary, pass the reCAPTCHA test:
   1. Select the I'm not a robot check box in the reCAPTCHA widget.
   2. Follow the instructions to pass the reCAPTCHA test.
5. Click the Send button to send your feedback to the Kaspersky Threat Intelligence Portal team.

   The comment field must have a comment and must not have only spaces entered. Otherwise, this button is unavailable.

6. Click the Cancel button to cancel sending the feedback.

Page top

[Topic RequestingDemo]

Requesting a demo

Kaspersky Threat Intelligence Portal provides general information about submitted objects. Some sections do not contain data (for example, the DNS resolutions for IP address section on the report page for the IP address). To view a full report for the submitted objects and explore other Kaspersky Threat Intelligence Portal features, you have to request demo access to Kaspersky Threat Intelligence Portal.

To request a demo:

1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
2. On the Premium Services () page, click the Find out more button.

   The Request a Call page opens.

3. Enter required contact information and comments, if necessary.
4. Select the I want to request a demo check box.
5. Select the required check box and, if necessary, pass the reCAPTCHA test.
6. Click the Submit button.

See also: Domain and web address lookup report IP address lookup report Licensing

Page top

[Topic ThirdPartyCode]

Information about third-party code

Information about third-party code is contained in a file legal_notices.txt.

Page top

[Topic TrademarkNotices]

Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Adobe, Flash, Shockwave are either registered trademarks or trademarks of Adobe in the United States and/or other countries.

iPadOS, Safari are trademarks of Apple Inc.

IOS is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

Android, Google Chrome are trademarks of Google LLC.

Intel, Pentium are trademarks of Intel Corporation in the U.S. and/or other countries.

Microsoft, Excel, Microsoft Edge, MS-DOS, PowerPoint, Visio, Windows are trademarks of the Microsoft group of companies.

Mozilla, Firefox are trademarks of the Mozilla Foundation in the U.S. and other countries.

Java, JavaScript are registered trademarks of Oracle and/or its affiliates.

Tor is a trademark of The Tor Project, U.S. Registration No. 3,465,432.

Page top