ESET Online Help

Executable details

The Executable details window consists of the following parts:

Details

Name—The executable or DLL’s name.

Select Tags—Assign existing tags to a computer or create custom tags.

Signature Type—The signature type, if signed: Trusted, Valid, None, Invalid or Unknown. If the value is Present, the executable is signed, but ESET Inspect cannot identify the certificate's status. While this is uncommon for Windows, on macOS, Endpoint does not verify signatures, and the only states are Present or None.

Seen on—The computers where the file was discovered. Click Seen on to be redirected to the Computers view, where you can find a filtered list.

First Seen—When an executable was first seen on any computer in a monitored network.

Last Executed—When an executable was last executed on any computer in a monitored network.

Reputation (LiveGrid®)—A number from 1 to 9, indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe.

Popularity (LiveGrid®)—How many computers reported an executable to LiveGrid®.

First Seen (LiveGrid®)—When an executable was first seen on any computer connected to LiveGrid®.

 

| Popularity | No. computers affected in LiveGrid® | Color | Description |
|---|---|---|---|
| 0 | 0 | Red | Not seen |
| 1 | 1–9 | Red | Low |
| 2 | 10–99 | Yellow | Medium |
| 3 | 100–999 | Yellow | Medium |
| 4 | 1 000–9 999 | Yellow | Medium |
| 5 | 10 000–99 999 | Green | High |
| 6 | 100 000–999 999 | Green | High |
| 7 | 1 000 000–9 999 999 | Green | High |
| 8 | 10 000 000–99 999 999 | Green | High |
| 9 | 100 000 000–999 999 999 | Green | High |
| 10 | 1 000 000 000–9 999 999 999 | Green | High |
| 11 | 10 000 000 000–99 999 999 999 | Green | High |

File—Number of file modifications the executable made.

Registry—Number of registry modifications the executable made.

Network—Number of network connections the executable made.

Unresolved Detections

Threats

Threat severity detections are present.

Warnings

Warning severity detections are present.

Informational

Informational severity detections are present.

Names—The executable or DLL’s names.

SHA-1—The executable's hash.

Click the gear icon next to the hash to show the context menu, where you can find two options:

Open the VirusTotal search page, which you can define in the Settings tab.

Copy to clipboard to add the hash to your clipboard.

SHA-256—Available when the 256-bit hash is present.

MD5—Available when the MD5 hash is present.

Signature Type—The signature type, if signed: Trusted, Valid, None, Invalid or Unknown. If the value is Present, the executable is signed, but ESET Inspect cannot identify the certificate's status. While this is uncommon for Windows, on macOS, Endpoint does not verify signatures, and the only states are Present or None.

User Id—macOS only; same as the Windows file description column.

Signature CN #1—macOS only; same as the Windows product name column.

Signature CN #2—macOS only; same as the Windows file version column.

Signature CN #3—macOS only; same as the Windows product version column.

Signature CN #4—macOS only; same as the Windows internal name column.

Signature CN #5—macOS only; same as the Windows original filename.

Signature Id—macOS only; same as the Windows company name column.

Whitelist type—Information for whitelisted executables:

Certificate—The executable is whitelisted because it is signed with a trusted certificate.

LiveGrid®—The executable is whitelisted because ESET confirmed the file's trustworthiness.

File description—The file's full description, for example, Keyboard Driver for AT-Style Keyboards.

File version—The file’s version number, for example, "3.10" or "5.00.RC2".

Company name—Company that produced the file, for example, Microsoft Corporation.

Product name—The product’s name that distributed the file.

Product version—The product’s version that distributed the file.

Internal name—Internal filename, if assigned; for example, an executable name if the file is a dynamic-link library. If the file has no internal name, this string will be the original filename without the file extension.

Original file name—The original filename, not including a path. Allows an application to determine whether a user has renamed a file. The name format depends on the file system for which the file was created.

Packer name—The packer’s name, if applicable.

SFX name—Self-extracting archive type on a packed executable.

File size—The file size on the disk.

First seen—When the executable was first identified by ESET Inspect on any computer.

First executed—When the executable was first executed on any computer. Click to be redirected to the executable’s Process details.

Last Executed—When an executable was last executed on any computer in a monitored network.

Marked as safe—Marked as safe by users of ESET Inspect Web Console. If the status is "No," use the action button to change.

Blocked—Blocked by users of ESET Inspect Web Console.

Nearmiss report—If the detection is triggered by malware, but we cannot guarantee it is malware.

Note—A text field for adding notes. Click the Set note blue string on the window's right side.

Status—The behavioral analysis result or the absence of a result (Unknown/Clean/Suspicious/Highly suspicious/Malicious).

State—The executable's current stage in the analysis workflow.

Sent On—The time when the executable was sent to ESET LiveGuard.

Last Processed On—The time when the executable was last processed.

Behavior—The link to the executable’s behavioral report.

Origin Executables—The executable or DLL responsible for creating this executable. Click the executable's name to be redirected to Executable details.

Origin Emails—Shown for an executable that comes from an email attachment. Includes the sender's email address (From), the recipient (To) and the Subject.

Origin Websites—The downloaded HTTP website URL is shown here, if applicable. HTTPS is an encrypted connection and is not recorded. This information is unavailable if you disable SSL processing in your ESET Endpoint Security product:

Setup > Advanced setup > Web and email > SSL/TLS > Enable SSL/TLS protocol filtering

Dropped Executables—The executables dropped by this executable. Click the executable's name to be redirected to Executable details.

Audit Log—Actions taken on this detection; currently: Resolved, Unresolved, Commented and Priority Changed.

Comments—Add a comment.

Action buttons:

Incident

Create an incident report

Add to a current incident

Add to recent incident, which shows the last three incidents

Select incident to add to

Block

Go to the Block Hashes tab.

Unblock

Remove hash from Blocked Hash section.

Mark as Safe

Mark targets as being in the Safe state. Many rules determine the risk, and Mark as Safe impacts detections. Select the targets you want to mark as safe from the target window. Mark as Safe does not guarantee that a specific module will not be included in detections. There are several hundred rules; some raise detections regardless of which module executed the suspicious action, including trusted modules like PowerShell. Other rules evaluate risk based on the module, and such rules consider the “safe” flag. This flag means that the user analyzed the module and determined it is unlikely to be malicious, so rules assume that the risk is earlier in the evaluation.

Mark as Unsafe

Mark an executable as unsafe.

Download executable

The affected executable or DLL's download window appears.

Submit to ESET LiveGuard

Manually submit a file for ESET LiveGuard analysis.

Statistics

Lists statistical information about a specific executable or executables with the same file checksum.

Seen on—Number of computers where the executable occurred.

Executed on—Number of computers on which the executable executed.

Executions count—Total number of executions.

Sent bytes—Total number of bytes sent by the file from all computers for all processes.

Network connections—Number of network connections the file made.

File modifications—Number of files modified (written to, deleted, renamed).

Registry modifications—Number of registry entries modified.

Executable drops—Number of dropped executables.

HTTP Events—Number of HTTP events.

DNS Events—Number of DNS events.

Events/24H—Number of events within 24 hours.

Detections

Provides the same options as the main Detections, but only those triggered by this specific executable. Click a Detection to be redirected to its Detection details.

Seen on

Lists all computers where the executable or executables with the same file checksum were seen.