Performing a static scan of an archive file
The following example demonstrates how to perform a static scan on an archive file that contains nested archives and how to interpret the data for nested files. The ESET scanner supports a nesting level of up to ten for archives. Each file within the archive—including nested archives—is scanned individually, and a separate result is generated for each object.
Command:
scanner_agent -t 'example.com/load_balancer:50052' -s -a |
Default Scanner JSON response example:
Will scan these files: /samples/level/level_2/level_2.zip {"scanResults": [{"objectReference": "/samples/level/level_2/level_2.zip", "dataHashSha1": "BDE7D0FE506629101C1E38561D7540210784D3EF", "dataHashSha256": "4CCB462A66C8FC9F159F8FFF2E9EAA90A48791DD5310BC4F6BB366849F3FEB67", "dataSizeBytes": "308", "objectType": "OBJECT_TYPE_FILE", "objectDisplayName": "/samples/level/level_2/level_2.zip", "scanFinishTime": "2025-07-29T07:56:05Z", "deepScanStatus": "DEEP_SCAN_STATUS_SKIPPED", "behavior": [], "objectIsClean": false, "parentObjectReference": "", "threatCategory": "THREAT_CATEGORY_UNSPECIFIED", "threatName": ""}, {"objectReference": "/samples/level/level_2/level_2.zip \u00bb ZIP \u00bb eicar_com.zip", "dataHashSha256": "2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD", "dataSizeBytes": "184", "objectType": "OBJECT_TYPE_FILE", "objectDisplayName": "eicar_com.zip", "scanFinishTime": "2025-07-29T07:56:05Z", "parentObjectReference": "/samples/level/level_2/level_2.zip", "behavior": [], "dataHashSha1": "", "deepScanStatus": "DEEP_SCAN_STATUS_UNSPECIFIED", "objectIsClean": false, "threatCategory": "THREAT_CATEGORY_UNSPECIFIED", "threatName": ""}, {"objectReference": "/samples/level/level_2/level_2.zip \u00bb ZIP \u00bb eicar_com.zip \u00bb ZIP \u00bb eicar.com", "dataHashSha1": "3395856CE81F2B7382DEE72602F798B642F14140", "dataHashSha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F", "dataSizeBytes": "68", "threatName": "Eicar", "objectType": "OBJECT_TYPE_FILE", "objectDisplayName": "eicar.com", "scanFinishTime": "2025-07-29T07:56:05Z", "parentObjectReference": "/samples/level/level_2/level_2.zip \u00bb ZIP \u00bb eicar_com.zip", "behavior": [], "deepScanStatus": "DEEP_SCAN_STATUS_UNSPECIFIED", "objectIsClean": false, "threatCategory": "THREAT_CATEGORY_UNSPECIFIED"}]} |
Formatted JSON data (for easier readability)
Explanation of JSON Fields and nested scan result:
•Each objectReference; indicates the full path to the scanned file, including paths within nested archives (e.g., "/samples/level/level_2/level_2.zip » ZIP » eicar_com.zip » ZIP » eicar.com").
•parentObjectReference; field identifies the immediate container—such as a file or archive—that directly holds the scanned object. This field is particularly important for navigating and understanding the hierarchy of nested archives within the scan results, as it shows exactly which archive or parent file a given object was found inside. By following the parentObjectReference values, the nesting of files and archives within each other can be traced. If the field is empty, it means the object was scanned at the top level and is not contained within any other file.
•{ "objectReference": "/samples/level/level_2/level_2.zip » ZIP » eicar_com.zip » ZIP » eicar.com", ..., "parentObjectReference": "/samples/level/level_2/level_2.zip » ZIP » eicar_com.zip" };—this identifies eicar.com as being within eicar_com.zip, which itself is nested inside level_2.zip.
•The parentObjectReference; field points to the path of its immediate archive, showing that eicar.com was extracted from eicar_com.zip during the scan.
•All other JSON fields retain the same meaning as previously explained (see above).
|
The scanner will individually process archives up to ten levels deep. Each object—file or archive—will be listed with separate scan results. Review parentObjectReference and objectReference carefully to understand the relationship between archives and their contents in the scan report. |
