Module
Returns information about the current module, i.e. the executable image (PE, ELF or Mach-O) involved in the event.
| Property | Type | Description | Example |
|---|---|---|---|
| SignerName | String | Name of the code signer, if the file is signed | "Microsoft Windows" |
| CompanyName | String | From version info, name of the company that produced the file | "Microsoft Corporation" |
| FileDescription | String | From version info, file description shown to users | "Microsoft Windows Resource Leak Diagnostic" |
| FileOrigin | Int/Symbols | How the file arrived on the endpoint (currently only delivery through RDP is distinguished) | Possible values: RDP (0) |
| ProductName | String | From version info, name of the product with which the file is distributed | "Microsoft Windows Operating System" |
| FileVersion | String | From version info, the version number of the file | "10.0.14393.0" |
| ProductVersion | String | From version info, the version number of the product with which the file is distributed | "10.0.14393" |
| InternalName | String | From version info, internal name of the file | "RdrLeakDiag.exe" |
| OriginalFileName | String | From version info, original name of the file (useful when the on-disk name has been changed) | "RdrLeakDiag.exe" |
| PackerName¹ | String | Name of the packer detected on the file | "UPX" |
| SFXName | String | Name of the SFX (self-extracting archive) packer | "Zip" |
| Sha1 | Hash | SHA-1 hash of the executable | fa7ebffd41bc44c47ea1b11928ee368c19f6d6a2 |
| MD5 | Hash | MD5 hash of the executable | |
| Sha256 | Hash | SHA-256 hash of the executable | |
| SignatureType | Int/Symbols | Signature status of the executable; the numeric values are ordered, higher meaning more trust | Possible values: Trusted (90): the signature is trusted by Endpoint; Valid (80): the signature is trusted by the OS; Adhoc (75): the certificate is self-signed; None (70): there is no signature in the file; Invalid (60): the signature is not valid, corrupted or revoked; Unknown (50): certificate verification failed; Present (50): a signature is present, but the certificate status is unknown |
| Whitelist | Int/Symbols | Whitelist status of the executable | Possible values: None: no whitelisting for this file; Authoritative: the file is whitelisted by Endpoint; LiveGrid: the file is whitelisted from LiveGrid; Certificate: the file's certificate is whitelisted |
| EmulationStatus | Int | Whether the file was emulated by advanced heuristics | 0: was not emulated; 1: was emulated |
| FileSize | Long | File size in bytes | 41984 |
| IsElf | Bool | The file is an ELF file | true/false |
| IsExe | Bool | The file is a Windows executable | true/false |
| IsDLL | Bool | The file is a PE DLL | true/false |
| IsNative | Bool | The file is a native PE executable | true/false |
| DaysSinceLastNearMiss | Int | Number of days since the file was last classified as a near miss. A near miss is a detection triggered by malware-like characteristics that may be a false positive (the file cannot be guaranteed to be malware) | |
| MachoSignatureId | String | Identifier embedded in the code signature of a Mach-O file | "com.apple.ls" |
| IsMacho | Bool | Whether the file is a Mach-O (macOS) file | true/false |
| MachoUserId | String | Unique developer ID assigned by Apple | |
| MachoSignerCns | String | Set of common names from the certificates in the Mach-O file's signature | |
| MachoIsProtected | Bool | The module is a protected Mach-O executable | true/false |
| Tags | String | Allows a user to filter by a module that has the specified tag attached | |

¹ Names of packers may change in the future, so conditions on PackerName should use the isempty or isnotempty operator rather than matching a specific packer name.
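The SignatureType and Whitelist values above are what a detection rule typically combines: because the SignatureType integers are ordered, "SignatureType less than Valid" selects every file the OS does not trust (Adhoc, None, Invalid, Unknown, Present), and adding PackerName isnotempty plus Whitelist is None narrows that to packed, unsigned, non-whitelisted modules. The following Python evaluator is an added example, not ESET's code and not the product's rule syntax; the (property, operator, value) condition tuples, the operator names and the sample module records are all constructed for this illustration, with the symbolic values taken from the table.

```python
"""Evaluate Module-component conditions against sample module records.

Added example (not the product's own code). The condition representation
(property, operator, value) and the operator names are assumptions made for
this illustration; the module records are constructed sample data.
"""
from typing import Any

# SignatureType symbols and the integer values documented in the table.
# Higher means more trust. Unknown and Present share the value 50.
SIGNATURE_TYPE = {
    "Trusted": 90, "Valid": 80, "Adhoc": 75, "None": 70,
    "Invalid": 60, "Unknown": 50, "Present": 50,
}

# Whitelist is listed as Int/Symbols but the table gives no integers,
# so its symbols are compared as plain strings here.

OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "isnot": lambda actual, expected: actual != expected,
    "less": lambda actual, expected: actual < expected,
    "greater": lambda actual, expected: actual > expected,
    "contains": lambda actual, expected: isinstance(actual, str) and expected in actual,
    "isempty": lambda actual, _: actual in (None, ""),
    "isnotempty": lambda actual, _: actual not in (None, ""),
}


def resolve(prop: str, value: Any) -> Any:
    """Map a symbolic SignatureType value to its ordered integer."""
    if prop == "SignatureType" and isinstance(value, str):
        return SIGNATURE_TYPE[value]
    return value


def condition_matches(module: dict, prop: str, op: str, value: Any = None) -> bool:
    """Evaluate one condition against a module record."""
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    actual = resolve(prop, module.get(prop))
    expected = resolve(prop, value)
    # A missing property only satisfies isempty; comparisons against it fail.
    if op not in ("isempty", "isnotempty") and actual is None:
        return False
    return OPERATORS[op](actual, expected)


def module_matches(module: dict, conditions: list) -> bool:
    """All conditions must hold (an AND operator)."""
    return all(condition_matches(module, *cond) for cond in conditions)


def find_matches(conditions: list, modules: dict) -> list:
    """Return the sorted names of modules matching every condition."""
    return sorted(name for name, mod in modules.items() if module_matches(mod, conditions))


# Constructed sample records: only the properties the rule needs are filled in.
MODULES = {
    "RdrLeakDiag.exe": {"SignerName": "Microsoft Windows", "SignatureType": "Trusted",
                        "PackerName": "", "Whitelist": "Authoritative", "FileSize": 41984},
    "dropper.exe": {"SignerName": "", "SignatureType": "None",
                    "PackerName": "UPX", "Whitelist": "None", "FileSize": 233472},
    "devtool.exe": {"SignerName": "Dev Team", "SignatureType": "Adhoc",
                    "PackerName": "UPX", "Whitelist": "Certificate", "FileSize": 90112},
    "setup.exe": {"SignerName": "Vendor Inc", "SignatureType": "Valid",
                  "PackerName": "", "SFXName": "Zip", "Whitelist": "None", "FileSize": 5242880},
}

# Packed, not OS-trusted, and not whitelisted. PackerName uses isnotempty,
# as the footnote recommends, instead of matching "UPX" literally.
PACKED_UNTRUSTED = [
    ("SignatureType", "less", "Valid"),
    ("PackerName", "isnotempty"),
    ("Whitelist", "is", "None"),
]

if __name__ == "__main__":
    print(find_matches(PACKED_UNTRUSTED, MODULES))
```

Only dropper.exe matches: devtool.exe is packed and self-signed but its certificate is whitelisted, and setup.exe is OS-trusted (Valid is not less than Valid) and is an SFX rather than a packed file. Dropping the Whitelist condition would also surface devtool.exe, which is the usual source of noise in rules of this shape.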
Supported operations and their components:

| Operation | Module |
|---|---|
| CreateProcess | X |
| LoadDLL | X |
| CodeInjection | X |