Title
Create new category
Edit page index title
Edit category
Edit link
PE Similarity Search
PE fields
These features are carefully selected based on their ability to provide accurate and relevant results, and they are continuously updated to stay current with the latest malware trends and techniques.
Field name | Type | Description |
|---|---|---|
File size | Number | Size of the input file |
Unix timestamp | Number | A timestamp showing when the file was compiled |
File characteristic | Number | Characteristics defining the behavior of the PE |
DLL characteristic | Number | Features which make a PE actually portable in memory |
Subsystem | Number | Defines whether the PE is made to be a Console or UI application |
Image base | Number | “Base” address used if relocation doesn’t happen |
Linker version(major) | Number | What version of linker what used at compilation time |
Linker version(minor) | Number | What version of linker what used at compilation time |
Entry point section entropy | Number | Entropy of the section where the entry point resides |
Section number | Number | Number of sections present in the PE |
Resource number | Number | Number of resources present in the PE |
Resources to file ratio | Number | Ratio between the size of the resources & the file itself |
CFG | Boolean | Indicator whether CFG (Control Flow Guard) is enabled at compilation time. |
GS | Boolean | Indicator whether GS (Buffer Security Check [Guarded Stack]) is enabled at compilation time. |
ASLR | Boolean | Indicator whether ASLR (Address space layout randomization) is enabled at compilation time. |
Nxcompat | Boolean | Indicator whether NX compatibility (Data Execution Prevention [No eXecute]) is enabled at compilation time. |
SEH | Boolean | Indicator whether SEH (Structured Exception Handler) is enabled at compilation time. |
IsDotnet | Boolean | Whether the executable file is using the .NET framework |
Digitally Signed | Boolean | Whether the digital signature is verified or not. |
Field name | Type | Description |
|---|---|---|
Digital signature verification | String | Whether the digital signature is verified or not. |
Architecture | String | A string describing what target of architecture (eg. 32 or 64bit) the binary was compiled for |
Language | String | What speaking language does the binary target |
Entry point section name | String | Name of the section where the entry point of the PE resides. It’s a calculated value, based on the supplied entry point address & section details. |
Pdb path | String | Path of the PDB file on the compiler machine |
Field name | Type | Description |
|---|---|---|
Verinfo: File Description | String | Version information describing the file description of this application |
Verinfo: File version | String | Version information describing the file version of this application |
Verinfo: Internal name | String | Version information describing the internal name of this application |
Verinfo: Legal copyright | String | Version information describing the legal copyright of this application |
Verinfo: Product name | String | Version information describing the product name of this application |
Verinfo: Product version | String | Version information describing the product version of this application |
Verinfo: Company name | String | Version information describing the company name who created this application |
Field name | Type | Description |
|---|---|---|
Pdb guid | String | GUID of the PDB associated with the binary |
Field name | Type | Description |
|---|---|---|
Rich header compiler ids | String | An ID number to the specific compiler used during the compilation process |
Field name | Type | Description |
|---|---|---|
Memory base address of section | String | In-memory base address of the section |
Memory size of a section | Number | In-memory size of the section |
Size of physical data | Number | Size of the physical data on-disk |
Entropy of section | Number | Entropy of the specific section |
Field name | Type | Description |
|---|---|---|
Size of resources | Number | Size of the resource |
File type of the actual data | String | File type of the actual data |
Language | String | Intended language of the resource |
Sublanguage | String | Intended language of the resource |
Field name | Type | Description |
|---|---|---|
Extracted Urls | String | Extracted URLs from the file |
Extracted Domains | String | Extracted Domains from the file |
Extracted Ips | String | Extracted Ips from the file |
Extracted SHA-512 Hashes | String | Extracted SHA-512 from the file |
Extracted UUIDs | String | Extracted UUIDs from the file |
Extracted Registry Paths | String | Extracted Registry Paths from the file |
Field name | Type | Description |
|---|---|---|
DLL | String | Imported DLL of the input file |
Functions | String | Imported functions from a specific dll |
Field name | Type | Description |
|---|---|---|
Certificate Owner | String | Shows the owner of the certificate |
Certificate isRevoked | Boolean | Shows whether the associated certificate is revoked |
Certificate isSelfSigned | Boolean | Shows whether the associated certificate is selfsigned |
Certificate isExpired | Boolean | Shows whether the associated certificate is expired |
Field name | Type | Example | Description |
|---|---|---|---|
Threat Indicators | String | Number | An identifier to show what kind of rules (Threat indicator) Filescan itself matched on the target file. It can contain more info than what is present in the actual report |
Similarity Search Filters
In addition to advanced technology, Similarity Search provides multi filtering search parameters. This feature offers greater flexibility and ensures that users receive the most accurate and relevant results for their specific needs.
Field name | Type | Possible values | Example | Description | Required |
|---|---|---|---|---|---|
SHA-256 | String | Number | Yes | ||
Submission data | Date | 2023-01-17T12:17:20.000Z | Number | Optional | |
Final Verdict | String | MALICIOUS, LIKELY_MALICIOUS, INFORMATIONAL, SUSPICIOUS, BENIGN, UNKNOWN | MALICIOUS | Verdict of a file | Optional |
Tags | String | peexe,xml | Tags of a file | Optional | |
Threshold | Number | 1 to 100 any integer | Number | Similarity threshold 0% to 100% Higher score means higher similarity | Optional |
Limit | Number | 1 to 100 any integer | Number | Number of returns | Optional |
Field name | Type | Description |
|---|---|---|
File size | Number | Size of the input file |
Entropy | Number | Entropy of the whole file |
Architecture | Number | A string describing what target of architecture (eg. 32 or 64bit) the binary was compiled for |
IsDotnet | Number | Whether the executable file is using the .NET framework |
See the "Technical Datasheet" for a complete list of features: https://docs.opswat.com/filescan/datasheet/technical-datasheet