Querying for dynamic scan result
When a dynamic scan is initiated using the ESET scanner agent and the initial response indicates that dynamic analysis is pending, it may be necessary to retrieve the outcome once the deep scan is completed. "Querying for dynamic scan result" refers to this follow-up action, where the completed analysis and verdict are explicitly requested after the dynamic scan has finished.
How it works
After submitting a file for dynamic scanning, the scanner may return a status of DEEP_SCAN_STATUS_PENDING, meaning the file is still being analyzed, and the result is not yet available.
To retrieve the final scan result—whether the file is clean, malicious, or potentially unwanted—as well as any observed behaviors and detailed metadata, use a follow-up command with the --deep_scan_result option and -v to specify the cryptographic hash ID (SHA256) of the file scanned previously.
If the result is still unavailable when the query is issued, the scanner responds with a deepScanExpectedEndTime field. This value indicates when the result is expected to be ready and helps determine when to attempt the query again.
This follow-up command sends a request that checks if the analysis is finished and, if so, returns the complete scan results, including the final threat classification and behavioral findings.
The outcome of the dynamic scan may vary depending on the file type category (such as basic files or .apk packages), as different categories can exhibit unique behaviors during analysis. Consequently, the scan results will reflect these distinctions accordingly.
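The retry decision described above, as an added Python example (not ESET code): it reads the text returned by a follow-up query and either hands back the finished result or says how long to wait before asking again. It assumes that deepScanExpectedEndTime sits inside scanResult and uses the same UTC timestamp format as scanFinishTime; the wait constants and sample outputs are constructed.

```python
import json
from datetime import datetime, timezone

MIN_WAIT_S = 15      # assumed floor so a stale estimate cannot cause a tight loop
DEFAULT_WAIT_S = 60  # assumed fallback when the response carries no estimate

def parse_scanner_output(text):
    """Skip the 'Will check these hashes: ...' banner and decode the JSON object."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in scanner output")
    obj, _ = json.JSONDecoder().raw_decode(text[start:])
    return obj.get("scanResult", {})

def parse_utc(ts):
    # "Z" suffix is rewritten so older Python versions accept the timestamp.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def next_action(text, now):
    """Return ('done', scan_result) or ('retry', seconds_to_wait)."""
    result = parse_scanner_output(text)
    status = result.get("deepScanStatus")
    if status == "DEEP_SCAN_STATUS_FINISHED":
        return "done", result
    if status != "DEEP_SCAN_STATUS_PENDING":
        # Only the two statuses named on this page are handled.
        raise ValueError(f"unexpected deepScanStatus: {status!r}")
    eta = result.get("deepScanExpectedEndTime")
    if not eta:
        return "retry", DEFAULT_WAIT_S
    wait = (parse_utc(eta) - now).total_seconds()
    return "retry", max(MIN_WAIT_S, int(wait))

# Constructed sample outputs (field placement and timestamp format are assumptions).
BANNER = "Will check these hashes: CF0E53240849E03EFD7F15CC67F8E541CE17AA7900ECB7DE805C31C9BE7BD796\n"
PENDING_SAMPLE = BANNER + json.dumps({"scanResult": {
    "deepScanStatus": "DEEP_SCAN_STATUS_PENDING",
    "deepScanExpectedEndTime": "2025-07-29T10:21:00Z"}})
FINISHED_SAMPLE = BANNER + json.dumps({"scanResult": {
    "deepScanStatus": "DEEP_SCAN_STATUS_FINISHED", "objectIsClean": False}})

if __name__ == "__main__":
    now = datetime(2025, 7, 29, 10, 16, 0, tzinfo=timezone.utc)
    print(next_action(PENDING_SAMPLE, now))
    print(next_action(FINISHED_SAMPLE, now)[0])
```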
Performing a dynamic scan query for an .apk file
The example below provides the result of a completed dynamic (deep) scan for an .apk file and includes additional details about the file’s final threat verdict, behavioral findings observed during analysis, and any relevant metadata gathered throughout the scanning process. This example was specifically chosen to highlight how the scan outcome can vary depending on the file type. In particular, .apk files often yield some of the most complex results due to their structure and behavior during analysis.
Command:
scanner_agent -t 'example.com/load_balancer:50052' -s -a
Default Scanner JSON response example:
Will check these hashes: CF0E53240849E03EFD7F15CC67F8E541CE17AA7900ECB7DE805C31C9BE7BD796
{"scanResult": {"objectReference": "app-release.apk", "dataHashSha1": "c7d047a60bc301f715b0b4106328a6c372fbabd5", "dataHashSha256": "cf0e53240849e03efd7f15cc67f8e541ce17aa7900ecb7de805c31c9be7bd796", "dataSizeBytes": "11219720", "threatName": "Android/AdDisplay.Mintegral.C potentially unwanted application", "threatCategory": "THREAT_CATEGORY_POTENTIALLY_UNWANTED_APPLICATION", "objectType": "OBJECT_TYPE_FILE", "objectDisplayName": "app-release.apk", "behavior": [{"type": "BEHAVIOR_TYPE_READ_FILES"}, {"type": "BEHAVIOR_TYPE_CHANGE_WALLPAPER"}], "objectDna": {"genes": [{"apkHasSignatureV1": false}, {"apkHasSignatureV2": true}, {"apkHasSignatureV3": false}, {"apkHasSignatureV31": false}, {"apkManifestAttributeCountMismatch": false}, {"apkManifestAttributeSizeMismatch": false}, {"apkManifestHasInvalidStringIndex": false}, {"apkManifestStringCountMismatch": false}, {"apkPermissionName": "ACCESS_ADSERVICES_AD_ID"}, {"apkPermissionName": "ACCESS_ADSERVICES_ATTRIBUTION"}, {"apkPermissionName": "ACCESS_ADSERVICES_TOPICS"}, {"apkPermissionName": "ACCESS_NETWORK_STATE"}, {"apkPermissionName": "ACCESS_WIFI_STATE"}, {"apkPermissionName": "FOREGROUND_SERVICE"}, {"apkPermissionName": "INTERNET"}, {"apkPermissionName": "POST_NOTIFICATIONS"}, {"apkPermissionName": "QUERY_ALL_PACKAGES"}, {"apkPermissionName": "READ_APP_BADGE"}, {"apkPermissionName": "READ_EXTERNAL_STORAGE"}, {"apkPermissionName": "READ_PHONE_STATE"}, {"apkPermissionName": "RECEIVE_BOOT_COMPLETED"}, {"apkPermissionName": "REQUEST_INSTALL_PACKAGES"}, {"apkPermissionName": "SET_WALLPAPER"}, {"apkPermissionName": "SET_WALLPAPER_HINTS"}, {"apkPermissionName": "VIBRATE"}, {"apkPermissionName": "WAKE_LOCK"}, {"apkPermissionName": "WRITE_EXTERNAL_STORAGE"}, {"apkResourceTableIntegrityViolated": false}, {"apkResourceTableTotalItemCount": 73127}, {"apkSdkLevel": 34}, {"appManifestIsInvalidXml": false}, {"appManifestStringsAreUtf16": true}, {"appResourceKeyMaxLength": 53}, {"appResourceValueMaxLength": 233}, {"appStringResourceTotalCount": 276}, {"appStringResourcesAreUtf16": false}, {"signingCertificateHashSha256": "37119A1248684AA41E6D0849856FAC3FF6868F4E5F8927722B67DF11B4A3AB07"}, {"signingCertificateIssuer": {"commonName": "my apps", "countryName": "", "emailAddress": "", "localityName": "", "organizationName": "", "organizationalUnitName": "", "stateOrProvinceName": ""}}, {"signingCertificateSerialNumber": "01"}, {"signingCertificateSubject": {"commonName": "my apps", "countryName": "", "emailAddress": "", "localityName": "", "organizationName": "", "organizationalUnitName": "", "stateOrProvinceName": ""}}, {"signingCertificateValidityEnd": {"time": "2048-11-28T04:48:10Z"}}, {"signingCertificateValidityStart": {"time": "2023-12-05T04:48:10Z"}}, {"signingCertificateVersionNumber": 1}]}, "scanFinishTime": "2025-07-29T10:21:08Z", "deepScanStatus": "DEEP_SCAN_STATUS_FINISHED", "objectIsClean": false, "parentObjectReference": ""}}
Explanation of the JSON scan result:
• objectReference: "app-release.apk". The identifier or path of the scanned object, here the filename of the scanned APK package.
• dataHashSha1 and dataHashSha256: These cryptographic hashes uniquely identify the scanned file and are useful for tracking and reference.
• dataSizeBytes: "11219720". The size of the file in bytes (about 11.2 MB).
• threatName: "Android/AdDisplay.Mintegral.C potentially unwanted application". The name of the detected threat or issue. In this case, the file is identified as a Potentially Unwanted Application (PUA) related to Android ad display components.
• threatCategory: "THREAT_CATEGORY_POTENTIALLY_UNWANTED_APPLICATION". The classification of the detected threat. Here it indicates the file is categorized as a PUA.
• objectType: "OBJECT_TYPE_FILE". Specifies that the scanned object is a file.
• objectDisplayName: "app-release.apk". User-friendly display name of the scanned file.
• behavior: An array describing the behaviors observed during dynamic execution in the sandbox:
- "BEHAVIOR_TYPE_READ_FILES": The application accessed or read files on the device during analysis.
- "BEHAVIOR_TYPE_CHANGE_WALLPAPER": The application attempted to change the device wallpaper, indicating it performs actions affecting user experience or system settings.
• objectDna: A detailed metadata section specific to application packages (APKs) providing technical attributes (referred to here as “genes”) that describe the APK’s composition and security characteristics. Some key elements are:
- apkHasSignatureV1, V2, V3, V31: Indicates which APK signature schemes are used. Here, only V2 is true, implying the application is signed using APK Signature Scheme v2, which is more secure than v1.
- apkManifest flags (apkManifestAttributeCountMismatch, apkManifestAttributeSizeMismatch, apkManifestHasInvalidStringIndex, apkManifestStringCountMismatch): Flags indicating whether discrepancies or inconsistencies are present in the APK manifest attributes (all false here, suggesting consistent manifest data).
- apkPermissionName: Lists all permissions requested by the app, such as access to network state, Wi-Fi state, internet, app badges, external storage, phone state, notifications, wallpaper settings, vibration, and more. This shows the app’s capabilities and access levels, which can be important for risk assessment.
- apkResourceTableIntegrityViolated: false. Indicates whether the resource table is corrupted or tampered with (false means it is intact).
- apkResourceTableTotalItemCount: 73127. Total number of resource items in the APK package.
- apkSdkLevel: 34. The targeted Android SDK version for the app.
- appManifestIsInvalidXml: false. Indicates the APK manifest file is valid XML.
- appManifestStringsAreUtf16: true. Shows the encoding of strings in the manifest.
- appResourceKeyMaxLength, appResourceValueMaxLength, appStringResourceTotalCount, appStringResourcesAreUtf16: Various resource metadata describing length limits and encoding for app resources and strings.
• signingCertificate details: Detailed information about the APK’s signing certificate:
- SHA256 hash of the certificate.
- Issuer’s common name (here: "my apps").
- Certificate serial number.
- Subject details matching the issuer (typical for self-signed certs).
- Validity period (start and end dates).
- Certificate version number.
• scanFinishTime: "2025-07-29T10:21:08Z". Timestamp indicating when the dynamic scan was completed.
• deepScanStatus: "DEEP_SCAN_STATUS_FINISHED". Signals that the dynamic (deep) scan has fully completed and final results are available.
• objectIsClean: false. The file was found not to be clean.
• parentObjectReference: "". Empty, meaning this scanned file was not nested inside another archive or container.
Summary:
This JSON output provides a comprehensive profile of the scanned file (an .apk file in this example), combining:
• The threat detection result (name, category, cleanliness).
• Observed runtime behaviors via sandbox dynamic analysis.
• Detailed application package metadata and integrity checks.
• Signature and certificate details, which are important for verifying app authenticity.
Such enriched information helps security analysts and automated systems understand not only whether a file is malicious or unwanted, but also how it behaves and its technical characteristics, enabling more informed remediation decisions.
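A triage summary built from a finished result, as an added Python example (not ESET code). The genes array holds single-key objects whose keys repeat, so merging them into one dictionary would keep only the last apkPermissionName; the helper below collects values per key. The WATCHED permission list and the function names are hypothetical, and the sample is a trimmed copy of the response shown on this page.

```python
import json
from collections import defaultdict

# Hypothetical reviewer watch list; not an ESET classification.
WATCHED = {"QUERY_ALL_PACKAGES", "RECEIVE_BOOT_COMPLETED", "REQUEST_INSTALL_PACKAGES"}

def collect_genes(result):
    """genes is a list of single-key objects and keys repeat (apkPermissionName),
    so values are gathered per key rather than merged into one dict."""
    genes = defaultdict(list)
    for gene in result.get("objectDna", {}).get("genes", []):
        for key, value in gene.items():
            genes[key].append(value)
    return genes

def summarize(result):
    if result.get("deepScanStatus") != "DEEP_SCAN_STATUS_FINISHED":
        raise ValueError("deep scan result is not final yet")
    genes = collect_genes(result)
    perms = genes.get("apkPermissionName", [])
    issuer = genes.get("signingCertificateIssuer", [None])[0]
    subject = genes.get("signingCertificateSubject", [None])[0]
    schemes = sorted(k[len("apkHasSignature"):] for k, v in genes.items()
                     if k.startswith("apkHasSignature") and v == [True])
    return {
        "clean": result.get("objectIsClean"),
        "threat": result.get("threatName", ""),
        "category": result.get("threatCategory", ""),
        "behaviors": [b["type"] for b in result.get("behavior", [])],
        "signature_schemes": schemes,
        "issuer_equals_subject": issuer is not None and issuer == subject,
        "watched_permissions": sorted(WATCHED.intersection(perms)),
        "permission_count": len(perms),
    }

# Trimmed copy of the response shown on this page (most genes and fields omitted).
SAMPLE = json.loads("""{"scanResult": {
  "threatName": "Android/AdDisplay.Mintegral.C potentially unwanted application",
  "threatCategory": "THREAT_CATEGORY_POTENTIALLY_UNWANTED_APPLICATION",
  "behavior": [{"type": "BEHAVIOR_TYPE_READ_FILES"}, {"type": "BEHAVIOR_TYPE_CHANGE_WALLPAPER"}],
  "objectDna": {"genes": [{"apkHasSignatureV1": false}, {"apkHasSignatureV2": true},
    {"apkPermissionName": "INTERNET"}, {"apkPermissionName": "QUERY_ALL_PACKAGES"},
    {"apkPermissionName": "REQUEST_INSTALL_PACKAGES"}, {"apkPermissionName": "SET_WALLPAPER"},
    {"signingCertificateIssuer": {"commonName": "my apps"}},
    {"signingCertificateSubject": {"commonName": "my apps"}}]},
  "deepScanStatus": "DEEP_SCAN_STATUS_FINISHED", "objectIsClean": false}}""")["scanResult"]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```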