Symbols

Symbols are short strings assigned to objects by their dedicated backends or parent processors. They record additional information about the objects, such as spotted problems and malware detections, in addition to the object's own metadata. Symbols can also be queried in a similar way to the object's metadata. The documentation of every data processor contains a section about the symbols it uses.

Example Symbols Data

    "object_type": "Office",
    [...]
    "ok": {
      "symbols": [
        "DOCX",
        "INFECTED",
        "INFECTED-CLAM-Doc.Dropper.Agent-7004486-0",
        "RFC2397",
        "VBA"
      ],
      "object_metadata": {
        "_backend_version": "1.0.0",
        "properties": {
          "app_version": "14.0000",
          "application": "Microsoft Office Word",
          [...]

In the above example, 5 symbols are assigned to the object. DOCX is set by the Office backend and indicates the data format, as is VBA, which indicates the presence of macros in the document. INFECTED is a generic symbol set by the malware detection worker, indicating that the object is considered malicious; the INFECTED-CLAM-Doc.Dropper.Agent-7004486-0 symbol identifies the detecting engine and the malware's name (there can be multiple such symbols recorded for a single object). RFC2397 was set by the parent processor, in this case the HTML backend, and indicates that the object was extracted from a "data" URL scheme (i.e. it was embedded inside HTML content).
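A triage script can consume these symbols directly from a result record. The following is an added example, not code from the platform or its documentation: the `summarize` helper is hypothetical, the record is constructed from only the keys visible in the fragment above, and the `INFECTED-<ENGINE>-<NAME>` layout is an assumption inferred from the single detection symbol shown.

```python
import json

# Constructed record: only the keys visible in the fragment above; the
# elided parts of the real output are left out.
SAMPLE = json.loads("""
{
  "object_type": "Office",
  "ok": {
    "symbols": ["DOCX", "INFECTED",
                "INFECTED-CLAM-Doc.Dropper.Agent-7004486-0",
                "RFC2397", "VBA"],
    "object_metadata": {"_backend_version": "1.0.0"}
  }
}
""")

GENERIC = "INFECTED"


def summarize(record):
    """Split a record's symbols into verdict, per-engine detections and the rest."""
    result = record.get("ok")
    if not isinstance(result, dict):
        # Assumption: a record without an "ok" result carries no symbols.
        return {"infected": False, "detections": [], "other": []}
    symbols = result.get("symbols") or []
    detections, other = [], []
    for sym in symbols:
        if sym == GENERIC:
            continue
        if sym.startswith(GENERIC + "-"):
            # Assumed layout INFECTED-<ENGINE>-<NAME>; the name may itself
            # contain hyphens, so split only on the first one after the engine.
            engine, _, name = sym[len(GENERIC) + 1:].partition("-")
            detections.append((engine, name))
        else:
            other.append(sym)
    return {
        "infected": GENERIC in symbols or bool(detections),
        "detections": detections,
        "other": sorted(other),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because a single object can carry several engine-specific symbols, `detections` is a list rather than a single value.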