The Good, the bad, or the ugly?

We created a new service that can provide a detailed dossier on any file Kaspersky Lab’s systems have encountered.

If you are building a system for software categorization, make secure gateways, or work on an incident response team, you know that the information that can be found in a file is not always enough. Sometimes it is useful to know the public URL from which the file was downloaded, information about the corresponding product and its vendor, data on digital signatures and certificates, or statistical information.

Where can you get such information to augment your security-related solution or service? Allowlists contain only information about legitimate software. Stream-based threat feeds can help catch a threat, but they lack the details needed for forensics. That is why we decided to make a new service, one that can provide access to our knowledge on any file, be it good, bad, or gray.

This new service, Kaspersky Online File Reputation, can provide a detailed dossier on any file Kaspersky Lab systems have encountered. Here are the main advantages of this service:

  • It contains data on more than 5 billion files at present (about half completely safe, more than 1 billion definitely malicious, and the rest in a gray zone, potentially malicious for a variety of reasons);
  • It can be used without installing any additional software (especially advantageous in the view of geopolitical complications in some countries): You send each file’s metadata (hash) to our servers and get its profile — or just receive regular updates;
  • You can choose the level of detail according to your needs. If you implement default allow or default deny modes, you can still subscribe to receive only a verdict. If your task is categorization, we can add data on how the file was automatically categorized by our systems. And if you are analyzing cyberthreats in a security operations center, you may need complete file dossiers. In that case we can provide more than 50 aspects — when the file was encountered for the first time, how often it shows up in your country, which containers were used, and much more.

It’s quite rare to be able to check some of those aspects. For example, if you encounter a yet-unknown, but digitally signed file, we can provide information based on the digital fingerprint of the certificate, which can be sent with the file’s hash. Our service will determine whose certificate it is, check if it’s stolen or expired, and return a verdict on whether the file can be trusted — even if no one has ever seen it before. That may sound a little strange, but keep in mind that some companies give their clients unique, signed installers. Google and Dropbox work that way, and even Microsoft Windows generates unique files for each PC.

The average throughput capability of the service is 200,000 requests per hour, but that, too, can be adjusted to the needs of the client. Want to learn more or jump right in? You can get started on the service’s homepage.