Scan modes

Full scan

This is the default mode and the heaviest execution. It runs all configured scan tasks according to the workflow configuration and gives a detailed result.

Triage scan

This is an experimental execution mode which will be continuously improved.

The fastest execution mode, with limited capability. It can tell whether a submitted file is certainly benign or malicious, but it does not always produce a final verdict. The goal of this scan type is to produce a verdict as soon as possible by executing a limited set of scan tasks.

Smart scan

This is an experimental execution mode which will be continuously improved.

Optimal if execution time is important but a final verdict is also required. A triage scan is executed first; if it results in a final verdict, that is the final result. Otherwise, additional scan tasks are executed until a final verdict is produced.

Feature comparison

| Scan task | Triage scan | Full and Smart scan |
|---|---|---|
| File certificate validation | Yes | Yes |
| Allow-listing | Yes | Yes |
| OPSWAT reputation lookup | Yes | Yes |
| Embedded file, script, macro and data extraction | Yes | Yes |
| Support MITRE ATT&CK framework | Yes | Yes |
| File downloads | No | Yes |
| Image text analysis (OCR) | No | Yes |
| Microsoft Office file emulation | No | Yes |
| PowerShell script emulation | No | Yes |
| URL emulation (ML based phishing detection) | No | Yes |
| Fuzzy hash lookup | No | Yes |
| Integrate with other open-source intelligence vendors (e.g., VirusTotal) | No | Yes |
| YARA pattern matching | No | Yes |