
ESET Agent usage with ESET PRIVATE Dynamic Scanning Engine

If your ESET PRIVATE Scanning Solution includes ESET PRIVATE Dynamic Scanning Engine, the scanner’s response now supplements static scanning with dynamic analysis, often referred to as a deep scan. Dynamic (deep) scanning executes potentially suspicious files within a secure, isolated cloud sandbox environment to observe their runtime behavior. This process complements static scanning by detecting threats that static signatures or heuristics might miss, effectively identifying evasive malware. Additionally, the scanner response includes detailed information such as deep scan status, estimated completion time, and observed behaviors.

Explanation of the command-line parameters related to a dynamic scan:

1. deepScanStatus

The deepScanStatus field in the scanner JSON response indicates the current state of the dynamic scan. This status helps users and automated systems understand whether dynamic analysis was performed and the stage it is in. The possible values are:

DEEP_SCAN_STATUS_UNSPECIFIED

This state indicates that the deep scan status is not specified or is unknown. It may occur if the scanner has not performed a dynamic scan, or if the scan information is not available or not necessary to provide (e.g., archive scan and nested files).

DEEP_SCAN_STATUS_SKIPPED

The dynamic scan was not performed. This can happen if:

The dynamic scan and analysis were explicitly requested to be skipped (by forcing a static scan using the --skip_cloud_reputation flag), or the static scan already identified the file as malicious, making a dynamic scan unnecessary.

DEEP_SCAN_STATUS_PENDING

The static scan did not detect a malware infection and therefore the dynamic scan was initiated, but the results are not yet available. In this state, the scanner reports that the dynamic analysis is pending. Clients or systems using the scanner may poll or wait until the dynamic scan completes to get the final verdict.

DEEP_SCAN_STATUS_FINISHED

The dynamic scan has completed, and the results are available. The scanner response will reflect any additional detections or behavioral data found during this advanced analysis.

2. deepScanExpectedEndTime

The deepScanExpectedEndTime field indicates the expected completion time for the dynamic scan. When deepScanStatus is DEEP_SCAN_STATUS_PENDING, this timestamp can be used by clients to estimate how long the analysis may take before final results are available. This helps in planning polling intervals or timeouts in automated systems using the scanner.

3. behavior

The behavior field in the JSON response can provide additional information about the actions or behaviors observed during the dynamic scan of the file. This may include:

Execution activities such as process creation, file modifications, or network connections.

Indicators of suspicious or malicious behavior observed during runtime.

Specific behavioral rules triggered by the file’s actions.


Note

This field may be empty for certain file types, if dynamic scanning is skipped or incomplete, or simply if no behavior is observed. In general, the level of detail in behavior data depends on the file type (such as documents, executable files, or application packages) and the results of the dynamic scan.
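
An added example, not taken from the ESET documentation: one way a client could turn deepScanStatus and deepScanExpectedEndTime into a bounded polling decision and read behavior only once the dynamic scan has finished. The top-level field layout, the RFC 3339 timestamp format, the list-shaped behavior field, the plan and parse_time helpers, and all sample values are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Assumptions (not from the ESET documentation): the three fields sit at the
# top level of the response, deepScanExpectedEndTime is an RFC 3339 timestamp,
# and behavior is a list. Adjust to the real response layout.
MIN_WAIT, MAX_WAIT = 5.0, 300.0  # polling bounds in seconds (constructed)

def parse_time(value):
    """Return an aware datetime, or None if the value is missing or malformed."""
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def plan(response_text, now):
    """Map a scanner response to (action, seconds_to_wait, behavior)."""
    resp = json.loads(response_text)
    status = resp.get("deepScanStatus", "DEEP_SCAN_STATUS_UNSPECIFIED")
    if status == "DEEP_SCAN_STATUS_PENDING":
        end = parse_time(resp.get("deepScanExpectedEndTime"))
        # No usable estimate: fall back to the shortest poll interval.
        wait = (end - now).total_seconds() if end else MIN_WAIT
        # Clamp so a past or far-future estimate cannot cause a busy loop
        # or an unbounded hold. PENDING is not a clean verdict: keep holding.
        return ("hold_and_poll", min(max(wait, MIN_WAIT), MAX_WAIT), [])
    if status == "DEEP_SCAN_STATUS_FINISHED":
        # behavior may legitimately be empty even after a finished scan.
        return ("use_dynamic_result", 0.0, resp.get("behavior") or [])
    # SKIPPED, UNSPECIFIED or an unknown value: no dynamic result will follow,
    # so only the static part of the response applies.
    return ("use_static_result", 0.0, [])

# Constructed sample responses (not real scanner output).
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
PENDING = ('{"deepScanStatus": "DEEP_SCAN_STATUS_PENDING", '
           '"deepScanExpectedEndTime": "2025-01-01T12:02:00Z"}')
STALE = ('{"deepScanStatus": "DEEP_SCAN_STATUS_PENDING", '
         '"deepScanExpectedEndTime": "2025-01-01T11:00:00Z"}')
FINISHED = ('{"deepScanStatus": "DEEP_SCAN_STATUS_FINISHED", '
            '"behavior": ["process creation"]}')
SKIPPED = '{"deepScanStatus": "DEEP_SCAN_STATUS_SKIPPED"}'

if __name__ == "__main__":
    for sample in (PENDING, STALE, FINISHED, SKIPPED):
        print(plan(sample, NOW))
```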