Scanning

Scanning is one of the primary functions of PolySwarm. When an Artifact is submitted, our network of microengines will analyze that artifact for maliciousness and provide threat intelligence based on that analysis.

On the Scan page of the PolySwarm UI, we support scanning multiple types of Artifacts, currently including files, URLs, domains, and IP addresses.

Scan a File

To scan a file, either drag and drop the file onto the Drag-and-Drop image, or click the Select File button to open a file chooser window that enables you to select a file from your local drive.

Once the file is submitted, the Scan Results page will show the processing status, scan results, and metadata information.

Scan a URL, Domain, or IP Address

To scan a URL, domain, or IP address, enter it into the text box below the “Select File” button. Press the “Enter” key to submit that Artifact.

Once the Artifact is submitted, the Scan Results page will show the processing status, scan results, and metadata information.

Scan Results Page

The Scan Results page provides a summary of everything PolySwarm knows about an Artifact. The pane on the left shows a quick summary, and the pane on the right has multiple tabs with extensive details.

Summary pane

The summary pane provides a quick overview of the analysis. First, it provides a summary of detections by all engines, which tells you how many microengines chose to process the Artifact and, of those, how many found the Artifact to be malicious. Below the detection summary is the name of the Artifact. If the Artifact is a file, it will be the file name. If the Artifact is a URL, domain, or IP address, it will show that string. In some cases the file name will be the SHA-256 hash. Below the Artifact name is the number of bytes in the Artifact, and below the byte count is the SHA-256 hash of the Artifact. In the case of a URL, domain, or IP address, the SHA-256 is a hash of the bytes of that string. Below the summary pane are three buttons:

  • Rescan - Re-submit the Artifact to the marketplace for analysis. This can be useful if it was last analyzed a long time ago.
  • Download - Download the Artifact to your local host. In the case of a URL, domain, or IP address, this will download a text file with that string as the only content.
  • Share - Share a link to these scan results on social media.
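
The byte count and SHA-256 in the summary pane can be recomputed locally to confirm that a downloaded Artifact is the one that was scanned. The following is an added example, not PolySwarm code: the function names and the sample URL are hypothetical, and it assumes the string of a URL, domain, or IP address is hashed as UTF-8 bytes with no normalization or trailing newline.

```python
import hashlib
import tempfile
from pathlib import Path


def summarize_string_artifact(value: str) -> dict:
    """URL, domain or IP artifact: hash the bytes of the string itself.
    Assumption: UTF-8 encoding, no normalization, no trailing newline."""
    data = value.encode("utf-8")
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def summarize_file(path) -> dict:
    """File artifact: stream the raw bytes so large samples are not loaded whole."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": digest.hexdigest()}


def matches_summary(path, expected_sha256: str, expected_size: int) -> bool:
    """Compare a downloaded artifact with the size and hash from the summary pane."""
    got = summarize_file(path)
    return got["size"] == expected_size and got["sha256"] == expected_sha256.strip().lower()


def demo() -> dict:
    """Constructed sample: a URL artifact and two copies of its downloaded text file."""
    url = "http://example.com/login"  # constructed value, not from the page
    want = summarize_string_artifact(url)
    with tempfile.TemporaryDirectory() as tmp:
        exact = Path(tmp, "exact.txt")
        exact.write_bytes(url.encode("utf-8"))
        edited = Path(tmp, "edited.txt")
        edited.write_bytes(url.encode("utf-8") + b"\n")  # newline added by an editor
        return {
            "size": want["size"],
            "exact": matches_summary(exact, want["sha256"], want["size"]),
            "edited": matches_summary(edited, want["sha256"], want["size"]),
        }


if __name__ == "__main__":
    print(demo())
```

A single added newline changes both the byte count and the hash, so a mismatch on a text-file download usually means the file was opened and re-saved rather than that a different Artifact was scanned.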

Detections tab

A list of all Microengines in the PolySwarm marketplace and their detection results. This list is sorted alphabetically in two groups.

The first set are the microengines that chose to process the Artifact and their detection results. Below the microengine name is the Bid value. This is the amount of NCT that they bid with their assertion. To the right of the name is either a green icon with a check mark or a red icon with an exclamation mark (“!”). Green indicates non-malicious and red indicates malicious.

The second set are the microengines that chose NOT to process the Artifact. Next to those microengines we display a grey question mark (“?”) to indicate they did not provide any information on this Artifact.

Clicking on the name of a microengine will display additional metadata about that microengine, including its ETH wallet address, architecture, operating system, and version information.

File Details tab

This tab is only available when scanning a file. This tab displays output from the collection of metadata analysis tools that PolySwarm uses to process each Artifact. The page is separated into sections, one section per tool. Some tools only have results for specific file types, so different file types will have more or fewer tool sections displayed.

URL Details tab

This tab is only available when scanning a URL, domain, or IP address. This tab displays output from the collection of metadata analysis tools that PolySwarm uses to process each Artifact. Currently for URLs, domains, and IP addresses we only use the “Artifact Attributes” tool.