Report for web address
After web address browsing emulation, available analysis results are displayed on the report page.
Depending on the web address's zone, its status (Dangerous, Adware and other, Good, or Not categorized) is displayed on a panel in one of the following colors:
- Red—There are malicious objects related to the web address.
- Orange—The web address can be classified as Not trusted and may host malicious objects.
- Yellow—There are objects related to the web address that can be classified as Not-a-virus.
- Grey—No data is available for the web address.
- Green—The web address cannot be classified as Dangerous.
The report page contains the following:
- Overview—Displays general information about the analyzed web address.
- Summary—Displays statistical information about the analyzed web address.
- WHOIS—Displays the WHOIS information about the analyzed web address.
- Detection names—Displays detected items that were registered during the web address analysis.
- Triggered network rules—Displays SNORT and Suricata rules that were triggered during the web address traffic analysis.
- Connected hosts—Displays IP addresses that were accessed in all HTTP and HTTPS requests after the FQDN resolved.
- Suspicious activities—Displays suspicious activities that were registered during the web address analysis.
- HTTP(S) requests—Displays HTTP and HTTPS requests that were registered during the web address analysis.
- DNS requests—Displays DNS requests that were registered during the web address analysis.
- Screenshots—Displays a set of screenshots that were taken during the web address analysis.
- Premium content—Displays sections that contain blurred data about the analyzed web address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
Overview for web address
Kaspersky Threat Intelligence Portal provides the following general information about an analyzed web address:
General information about web address
| Field name | Description |
|---|---|
| IPv4 count | Number of known IP addresses that the analyzed web address resolves to. |
| Files count | Number of known malicious files related to the analyzed web address. |
| Web address count | Number of known malicious web addresses related to the analyzed object. |
| Hits | Number of detections of the requested web address by Kaspersky expert systems. |
| Created | Creation date of the analyzed web address. |
| Expires | Expiration date of the analyzed web address. |
| Domain | Name of the upper-level domain. |
| Registration organization | Name of the registration organization. |
| Registrar name | Name of the domain name registrar. |
| Categories | Categories of the analyzed web address. If the web address does not belong to any of the defined categories, the General category is displayed. |
Dynamic analysis summary
Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, connected hosts, extracted files, and network interactions detected during web address analysis:
Dynamic analysis summary for a web address
| Chart name | Description |
|---|---|
| Detects | The total number of objects detected during web address analysis, and the proportion of objects with Malware (red) or Adware and other (yellow) statuses. |
| Connected hosts | The total number of unique IP addresses related to the analyzed web address, and the proportion of IP addresses with the status of Dangerous (in red), Not trusted (in orange), Good (in green), or Not categorized (no or not enough information about the IP address is available to define the category, in grey). |
| Extracted files | The total number of files that were transferred or dropped during the analysis process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to define the category, in grey). |
| Network activities | The total number of registered network activities that were performed during the analysis process, and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). |
WHOIS
Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the analyzed web address.
A host may be specified by a fully qualified domain name (FQDN) or by an IP address in dot-decimal notation.
Kaspersky Threat Intelligence Portal does not process web addresses if the host is specified by a local, private, or service IP address. In this case, the results should be interpreted with caution.
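Because the portal distinguishes a host given as an FQDN from one given as a dot-decimal IP address, and skips local, private, and service IP addresses, it is useful to run the same check on a batch of web addresses before submitting them. The following is an added example written for this page, not portal code, and the exact set of ranges the portal treats as "service" addresses is an assumption: it uses the standard-library `ipaddress` classification (loopback, link-local, multicast, RFC 1918 private, and reserved ranges), and a URL without a scheme is assumed to be `http://`.

```python
"""Pre-submission check: FQDN vs. dot-decimal IP host, and non-routable ranges.

Added example (not Kaspersky Threat Intelligence Portal code). The exact list of
"local, private, or service" ranges the portal rejects is an assumption; this
uses the ranges Python's ipaddress module already knows about.
"""
import ipaddress
from urllib.parse import urlsplit


def classify_host(url: str) -> dict:
    """Classify the host part of a web address.

    Returns a dict with the host, its kind ('fqdn', 'ipv4' or 'ipv6'),
    whether the portal would analyze it, and the reason when it would not.
    """
    # Assumption: a bare "host/path" string is treated as an http:// URL so
    # urlsplit can locate the host component.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host component in {url!r}")

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal IP address, so the host is a domain name (FQDN).
        return {"host": host, "kind": "fqdn", "analyzable": True, "reason": ""}

    kind = "ipv4" if addr.version == 4 else "ipv6"
    # Order matters: is_private also covers loopback and link-local ranges,
    # so test the more specific properties first to get a precise reason.
    if addr.is_loopback:
        reason = "loopback"
    elif addr.is_link_local:
        reason = "link-local"
    elif addr.is_multicast:
        reason = "multicast"
    elif addr.is_private:
        reason = "private or service range"
    elif addr.is_reserved or addr.is_unspecified:
        reason = "reserved"
    else:
        reason = ""
    return {"host": host, "kind": kind, "analyzable": reason == "", "reason": reason}


def split_batch(urls):
    """Split a batch into (submittable, skipped) lists; skipped carries the reason."""
    submittable, skipped = [], []
    for url in urls:
        info = classify_host(url)
        if info["analyzable"]:
            submittable.append(url)
        else:
            skipped.append((url, info["reason"]))
    return submittable, skipped


if __name__ == "__main__":
    # Constructed sample input (documentation and RFC 1918 addresses only).
    sample = [
        "https://www.example.com/login",
        "http://192.168.1.20/panel",
        "127.0.0.1:8080/admin",
        "http://93.184.216.34/",
        "http://169.254.169.254/latest/",
    ]
    ok, skipped = split_batch(sample)
    for url in ok:
        print("submit ", url)
    for url, why in skipped:
        print("skip   ", url, "->", why)
```

The reason string is what a practitioner wants in the skip log: a report for a loopback or link-local host tells you nothing about the real target, which is the caveat the text above raises.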
Host specified by FQDN
WHOIS section for FQDN as a host
| Field name | Description |
|---|---|
| Domain name | Name of the domain for the analyzed web address. |
| Domain status | Status of the domain for the analyzed web address. |
| Created | Date when the domain for the analyzed web address was registered. |
| Updated | Date when the registration information about the domain for the analyzed web address was last updated. |
| Paid until | Expiration date of the prepaid domain registration term. |
| Registrar info | Name of the domain registrar for the analyzed web address. |
| IANA ID | IANA ID of the domain registrar. |
| Name servers | List of domain name servers for the analyzed web address. |
Host specified by IP address
WHOIS section for IP address as a host
| Field name | Description |
|---|---|
| IP range | Range of IP addresses in the network that the host belongs to. The flag of the country that the IP address belongs to is also displayed. When you hover your mouse over the flag, a tooltip with the country name appears. |
| Net name | Name of the network that the IP address belongs to. |
| Net description | Description of the network that the IP address belongs to. |
| Created | Date when the IP address was registered. |
| Changed | Date when information about the IP address was last updated. |
| AS description | Autonomous system description. |
| ASN | Autonomous system number, according to RFC 1771 and RFC 4893. |
Sandbox detection names
Kaspersky Threat Intelligence Portal provides information about detected items that were registered during the web address analysis.
Sandbox detection names
| Field name | Description |
|---|---|
| Zone | Danger zone (level) to which the threat refers (High, Medium, Low, Info). |
| Name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description at the Kaspersky threats website. |
Triggered network rules
Kaspersky Threat Intelligence Portal provides information about SNORT and Suricata rules that were triggered during the web address traffic analysis.
Triggered network rules
| Field name | Description |
|---|---|
| Zone | Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). |
| Rule | SNORT or Suricata rule name. |
Connected hosts
Kaspersky Threat Intelligence Portal provides information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.
Connected hosts
| Field name | Description |
|---|---|
| Status | Status (danger level) of IP addresses that the domain for the requested web address resolved to (Dangerous, Not trusted, Not categorized, Good). |
| IP | IP address to which a domain from the Resolved from domain column in this table resolved. The flag of the country that the IP address belongs to is displayed. When you hover your mouse over a flag, a tooltip with the country name appears. |
| ASN | Autonomous system number according to RFC 1771 and RFC 4893. |
| Resolved from domain | Fully qualified domain name (FQDN) that resolved to the IP address from the IP column in this table. |
Suspicious activities
Kaspersky Threat Intelligence Portal provides information about dangerous activities that were registered during the web address analysis.
Suspicious activities
| Field name | Description |
|---|---|
| Zone | Danger zone (level) of the registered activity (High, Medium, Low). |
| Severity | Numerical value of the danger level of the registered activity (integer 1–999). |
| Description | Suspicious activity description. For example, "Executable has obtained the privilege," "The file has been dropped and executed," or "The process has injected binary code into another process." Certain descriptions contain a mapping to the MITRE ATT&CK threat classification. For example, "MITRE: T1082 System Information Discovery." |
HTTP(S) requests
Kaspersky Threat Intelligence Portal provides information about HTTP and HTTPS requests that were registered during the web address analysis.
HTTP(S) requests
| Field name | Description |
|---|---|
| Status | Status of a web address in the HTTP or HTTPS request. |
| Scheme | Web address scheme that identifies the protocol that was used (HTTP or HTTPS). |
| URL | Web address to which the request was registered. |
| IP | IP address as a host. |
| Request | Information about the HTTP or HTTPS request. |
| Response | Information about the HTTP or HTTPS response. |
DNS requests
Kaspersky Threat Intelligence Portal provides information about DNS requests that were registered during the web address analysis.
DNS requests
| Field name | Description |
|---|---|
| Type | DNS request type. |
| Request | Contents of the DNS request. |
| Response | Response to the DNS request. |
Screenshots
Kaspersky Threat Intelligence Portal provides screenshots that were taken during web address browsing.