Executable Details

In the first tile, you can find the following details:

Name—the name of the executable or DLL is shown

Signature Type—whether the file is signed and how it is signed (Trusted/Valid/None/Invalid/Unknown)

Signer Name—if the file is signed, here you can see the signer of the file

Seen On—the number of computers on which the file was discovered

First Seen—when an executable was first seen on any computer in a monitored network

Last Executed—when an executable was last executed on any computer in a monitored network

 

In the second tile, you can find the following details:

Reputation (LiveGrid®)—a number from 1 to 9 indicating how safe the file is: 1-2 (red) is malicious, 3-7 (yellow) is suspicious, 8-9 (green) is safe

Popularity (LiveGrid®)—how many computers reported an executable to LiveGrid®

First Seen (LiveGrid®)—when an executable was first seen on any computer connected to LiveGrid®

 

In the third tile, you can find the following details:

File—how many file modifications were made by this executable

Registry—how many registry modifications were made by this executable

Network—how many network connections were made by this executable

 

In the fourth tile, you can find details about Detections (unresolved):

Threats—Unique/total—total count of unresolved threat detections

Warnings—Unique/total—total count of unresolved warning detections

Informational—Unique/total—total count of unresolved informational detections

 

Rest of the values:

Names—all file names that share the same hash

SHA-1—hash of the executable. Clicking the down arrow next to the hash opens a context menu with two options:

o A link to the preferred virus search page, which you can define in the Server Settings tab. By default, this is the VirusTotal search page

o Copy to clipboard—copies the hash to your clipboard for further use

SHA-256—the SHA-256 hash, if available

MD5—the MD5 hash, if available

Signature type—whether the file is signed and how it is signed (Trusted/Valid/None/Invalid/Unknown)

Signer name—if the file is signed, here you can see the signer of the file

Whitelist type—whether and why an executable is whitelisted:

o Certificate—the executable is whitelisted because it is signed by the trusted certificate

o LiveGrid®—the executable is whitelisted because the trustworthiness of the file was confirmed by ESET

File description—file description of the file, for example, "Keyboard Driver for AT-Style Keyboards"

File version—version number of the file, for example, "3.10" or "5.00.RC2"

Company name—company that produced the file, for example, "Microsoft Corporation" or "Standard Microsystems Corporation, Inc."

Product name—the name of the product with which the file is distributed

Product version—version of the product with which the file is distributed, for example, "3.10" or "5.00.RC2"

Internal name—internal name of the file, if one exists, for example, an executable name if the file is a dynamic-link library. If the file has no internal name, this string will be the original file name, without extension

Original file name—the original name of the file, not including a path. This information allows an application to determine whether a file has been renamed by a user. The format of the name depends on the file system for which the file was created

Packer name—the name of the packer, if the executable is packed

SFX name—self-extracting archive type, if an executable is packed

File size—the size of the file on the disk

First seen—when the executable was first identified by EEI on any computer

First executed—when the executable was first executed on any computer. Clicking it redirects you to the Process Details of this executable

Last executed—when the executable was last executed on any computer

Inspected—whether the executable is marked as inspected by the user. You can mark it as inspected or uninspected using the corresponding buttons at the bottom of the screen

Marked as safe—marked as safe by security engineers (users of EEI Web Console). If the status is "No", you can change it with the button located at the bottom of the window

Blocked—blocked by a Security Engineer (user of EEI Web Console). This can be changed in the Executables window or directly here by pressing the block or unblock button, depending on the status of the executable. If you press the block button, you are redirected to the Block Hashes window.

Nearmiss Report—whether the detection was triggered due to malware, but it cannot be guaranteed with one hundred percent certainty that the file is malware

Comment—if the user added a comment to the computer details, it is shown here

Reputation (LiveGrid®)—a number from 1 to 9 indicating how safe the file is: 1-2 (red) is malicious, 3-7 (yellow) is suspicious, 8-9 (green) is safe

Popularity (LiveGrid®)—how many computers reported an executable to LiveGrid®

First Seen (LiveGrid®)—when an executable was first seen on any computer connected to LiveGrid®

Audit Log—here, you see actions that were taken on this detection. These actions are related to the executable:

o Marked as Unsafe—if the executable was marked as safe

o Marked as Safe—if the executable was marked as unsafe

o Unbanned—if the executable was unblocked from the blocked hashes list

o Banned—if the executable was blocked in the blocked hashes list

o Cleaned—if the executable was cleaned by the endpoint

o Marked as Inspected—if the executable was marked as inspected by the user

o Marked as Uninspected—if the executable was marked as uninspected by the user

o Download Start—if the download of the executable started

o Download Ready—if the executable is ready for download

o Download Retry—if the download of the file failed and the retry button was used to make another attempt to download the executable

You can download the executable for further investigation by using the download button located at the bottom of the window.

To filter events triggered by this executable, use the filter events button at the bottom of the screen; you are redirected to Create event storage filter. To find executables that report most of the low-level events, use the Dashboard->Events Load tab.

Computers_Details_Incident—used to create an incident report.
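
When a file on an endpoint needs to be matched against what this view shows, the same identity fields (hashes, signature, version resource strings, file size) can be read locally. The following is an added example, not ESET code: the function name Get-ExecutableTriage and the "renamed" heuristic built on Original file name are assumptions made for illustration.

```powershell
# Added example: collect, for a local file, the identity fields that the
# Executable Details view lists. Get-ExecutableTriage is a hypothetical name.
function Get-ExecutableTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop
        $ver  = $file.VersionInfo   # version resource strings (FileVersionInfo)
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

        # Hashes in the three algorithms the view shows.
        $hash = @{}
        foreach ($alg in 'SHA1', 'SHA256', 'MD5') {
            $hash[$alg] = (Get-FileHash -LiteralPath $file.FullName -Algorithm $alg).Hash
        }

        # Assumption: a non-empty OriginalFilename that differs from the
        # on-disk name means the file was renamed after it was built.
        # Localized resources can carry a ".mui" suffix, so strip it first.
        $original = ($ver.OriginalFilename -replace '\.mui$', '').Trim()
        $renamed  = [bool]$original -and ($original -ne $file.Name)

        [pscustomobject]@{
            Name             = $file.Name
            SHA1             = $hash['SHA1']
            SHA256           = $hash['SHA256']
            MD5              = $hash['MD5']
            # PowerShell's own status (Valid, NotSigned, HashMismatch, ...),
            # not the console's Trusted/Valid/None/Invalid/Unknown scale.
            SignatureStatus  = $sig.Status
            SignerName       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            FileDescription  = $ver.FileDescription
            FileVersion      = $ver.FileVersion
            CompanyName      = $ver.CompanyName
            ProductName      = $ver.ProductName
            InternalName     = $ver.InternalName
            OriginalFileName = $ver.OriginalFilename
            FileSizeBytes    = $file.Length
            PossiblyRenamed  = $renamed
        }
    }
}

# Usage on a file that exists on any Windows installation.
Get-ExecutableTriage -Path "$env:SystemRoot\System32\cmd.exe" | Format-List
```

A file whose version resource carries a well-known vendor's strings but whose SignatureStatus is NotSigned or HashMismatch, or whose PossiblyRenamed is True, is worth comparing against the Signature type and Names values shown for the same SHA-1 in this view.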