Domain and web address lookup report
After the domain or web address lookup request is processed, available results are displayed on the report page.
A domain lookup report is consistent with a web address lookup report.
In the mobile version of Kaspersky Threat Intelligence Portal, only the following sections are available for the domain or web address: Overview, WHOIS, Dynamic analysis summary, and Sandbox detection names. You can use a desktop version to view the full report.
Depending on the zone of the domain or web address, the requested object and its status (Dangerous, Adware and other, Good, or Not categorized) are displayed on a panel in one of the following colors:
- Red—There are malicious objects related to the domain or web address.
- Orange—The domain or web address can be classified as Not trusted and may host malicious objects.
- Yellow—There are objects related to the domain or web address, which can be classified as Not-a-virus.
- Grey—No data is available for a domain or web address.
- Green—The domain or web address cannot be classified as Dangerous.
The report page contains the following:
- Overview—Displays general information about the requested domain or web address.
- WHOIS—Displays the WHOIS information about the requested domain or web address.
- Premium content—Displays sections that contain blurred data about the requested domain or web address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
The following tabs are available if the web address was previously analyzed in Kaspersky Sandbox:
- Detection names—Displays detected items that were registered during the web address analysis.
- Triggered network rules—Displays SNORT and Suricata rules that were triggered during the web address traffic analysis.
- Connected hosts—Displays IP addresses that were accessed in all HTTP and HTTPS requests after the FQDN resolved.
- Suspicious activities—Displays suspicious activities that were registered during the web address analysis.
- HTTP(S) requests—Displays HTTP and HTTPS requests that were registered during the web address analysis.
- DNS requests—Displays DNS requests that were registered during the web address analysis.
- Screenshots—Displays a set of screenshots that were taken during the web address analysis.
Overview for domain or web address
Kaspersky Threat Intelligence Portal provides the following general information about a submitted domain or web address:
General information about domain or web address
Field name | Description |
---|---|
IPv4 count | Number of known IP addresses that the requested domain or web address resolves to. |
Files count | Number of known malicious files related to the requested web address. |
Created | Requested domain or web address creation date. |
Expires | Requested domain or web address expiration date. /Name of the upper-level domain. /Name of the registration organization. /Name of the domain name registrar. |
Categories | Categories of the requested domain or web address. If the domain or web address does not belong to any of the defined categories, the General category is displayed. |
WHOIS
Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the requested web address.
A host may be specified by a fully qualified domain name (FQDN) or by an IP address in dot-decimal notation.
Kaspersky Threat Intelligence Portal does not process web addresses if the host is specified by a local, private, or service IP address. In this case, the lookup results should be interpreted with caution.
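A pre-submission check for the host rules described above, as an added example that is not part of the Kaspersky documentation or product: it sorts web addresses into the FQDN and IP-address WHOIS cases and sets aside hosts given as local, private, or service IP addresses. The function names, the sample addresses, and the mapping of "local, private, or service" onto Python ipaddress properties are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

FQDN, IP, SKIPPED, INVALID = "fqdn", "ip", "not-processed", "invalid"
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_host(web_address):
    """Return (kind, host, detail) for the host part of a web address."""
    # urlsplit() only fills .hostname when the authority is marked by "//".
    url = web_address if _SCHEME.match(web_address) else "//" + web_address
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # e.g. an unbalanced "[" in the authority
        return (INVALID, None, "unparseable")
    try:
        ip = ipaddress.IPv4Address(host)  # dot-decimal notation only
    except ValueError:
        labels = host.split(".")
        # FQDN: two or more valid labels, the last one not purely numeric.
        if (len(labels) >= 2 and all(_LABEL.match(l) for l in labels)
                and not labels[-1].isdigit()):
            return (FQDN, host, "WHOIS: host specified by FQDN")
        return (INVALID, host or None, "not an FQDN or dot-decimal IPv4 address")
    # Assumed mapping of the page's "local, private, or service" wording.
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return (SKIPPED, host, "local")
    if ip.is_multicast or ip.is_reserved:
        return (SKIPPED, host, "service")
    if ip.is_private or not ip.is_global:
        return (SKIPPED, host, "private")
    return (IP, host, "WHOIS: host specified by IP address")


def triage(web_addresses):
    """Group web addresses by classification before submitting lookups."""
    groups = {FQDN: [], IP: [], SKIPPED: [], INVALID: []}
    for address in web_addresses:
        kind, host, detail = classify_host(address)
        groups[kind].append((address, host, detail))
    return groups

# Constructed sample input (not from the page).
SAMPLE = ["https://portal.example.com:8443/login?next=/", "http://8.8.8.8/resolve",
          "http://10.0.0.5/admin", "http://127.0.0.1:8080/", "224.0.0.1/stream",
          "http://2130706433/", "intranet/wiki"]
```

Calling triage(SAMPLE) leaves one address in each of the FQDN and IP groups, three in the not-processed group, and two (the integer-form host and the single-label name) in the invalid group.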
Host specified by FQDN
WHOIS section for FQDN as a host
Field name | Description |
---|---|
Domain name | Name of the domain for the analyzed web address. |
Domain status | Status of the domain for the analyzed web address. |
Created | Date when the domain for the analyzed web address was registered. |
Updated | Date when the registration information about the domain for the analyzed web address was last updated. |
Paid until | Expiration date of the prepaid domain registration term. |
Registrar info | Name of the domain registrar for the analyzed web address. |
IANA ID | IANA ID of the domain registrar. |
Name servers | List of domain name servers for the analyzed web address. |
Host specified by IP address
WHOIS section for IP address as a host
Field name | Description |
---|---|
IP range | Range of IP addresses in the network that the host belongs to. Also, the flag of the country that the IP address belongs to is displayed. When you hover your mouse over the flag, a tooltip with the country name appears. |
Net name | Name of the network that the IP address belongs to. |
Net description | Description of the network that the IP address belongs to. |
Created | Date when the IP address was registered. |
Changed | Date when information about the IP address was last updated. |
AS description | Autonomous system description. |
ASN | Autonomous system number according to RFC 1771 and RFC 4893. |
Information available to users with Premium Access
Kaspersky Threat Intelligence Portal provides the following detailed information about the requested domain or web address, if available, to users with Premium Access.
DNS resolutions tab
Information about DNS resolutions
Table name | Description | Table fields |
---|---|---|
DNS resolutions for domain/web address | IP addresses that the requested domain or web address resolves to. | Status—Status of IP address. Threat score—Probability that the IP address will be dangerous (0 to 100). Hits—Number of IP address detections by Kaspersky expert systems. IP—IP addresses. First resolved—Date and time when the requested domain / web address first resolved to the IP address. Last resolved—Date and time when the requested domain / web address last resolved to the IP address. Peak date—Date of maximum number of requested domain / web address resolutions to the IP address. Daily peak—Maximum number of requested domain / web address resolutions to the IP address per day. |
Downloaded files tab
Information about downloaded files
Table name | Description | Table fields |
---|---|---|
Files downloaded from requested domain / web address | MD5 hashes of files that were downloaded from the requested domain or web address. | Status—Status of files that were downloaded. Hits—Number of file downloads from the requested domain / web address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Last seen—Date and time when the file was last downloaded from the requested domain / web address. First seen—Date and time when the file was first downloaded from the requested domain / web address. Web address—Web addresses used to download the file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Accessed files tab
Information about accessed files
Table name | Description | Table fields |
---|---|---|
Files accessed requested domain/web address | MD5 hashes of files that accessed the requested domain or web address. | Status—Status of files that accessed the requested domain / web address. Hits—Number of times the file accessed the requested domain / web address. File MD5—MD5 hash of the file that accessed the requested domain / web address. Last seen—Date and time when the file last accessed the requested domain / web address. First seen—Date and time when the file first accessed the requested domain / web address. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Subdomains tab
Information about subdomains
Table name | Description | Table fields |
---|---|---|
Subdomains | Subdomains for the requested domains. | Status—Status of subdomains. Subdomain name—Name of the detected subdomain. Web address count—Number of web addresses related to the subdomain. Hosted files—Number of files hosted on the detected subdomain. First seen—Date and time when the subdomain was first detected. |
Referrals tab
Information about referrals
Table name | Description | Table fields |
---|---|---|
Referrals to domain/web address | Web addresses that refer to the requested domain or web address. | Status—Status of web addresses that refer to the requested domain / web address. Web address—Web address that refers to the requested domain or web address. Last reference—Date and time when the requested domain / web address was last referred to by listed web addresses. |
Domain referrals tab
Information about domain referrals
Table name | Description | Table fields |
---|---|---|
Domain referred to the following web addresses | Web addresses that the requested domain links, forwards, or redirects to. | Status—Status of web addresses that the requested domain links, forwards, or redirects to. Web address—Web address accessed by the requested domain. Last reference—Date and time when the requested domain last linked, forwarded, or redirected to listed web addresses. |
Web address masks tab
Information about web address masks
Table name | Description | Table fields |
---|---|---|
Web address masks | Masks of the requested web address's domain, which were detected by Kaspersky expert systems. | Status—Status of web addresses covered by the corresponding mask (Dangerous or Adware and other). Type—Type of the mask. Mask—Requested domain / web address mask. Feeds—Threat Data Feeds that contain the requested domain mask. |