Scan modes
Full scan
This is the default mode and the heaviest execution mode. It executes all configured scan tasks based on the workflow configuration and gives a detailed result.
Triage scan
This is an experimental execution mode which will be continuously improved.
The fastest execution mode, with limited capability. It can tell when a submitted file is surely benign or malicious, but it does not always produce a final verdict. The goal of this scan type is to produce a verdict as soon as possible by executing a limited set of scan tasks.
Smart scan
This is an experimental execution mode which will be continuously improved.
Optimal when execution time is important but a final verdict is also required. A triage scan is executed first; if it produces a final verdict, that is the final result. Otherwise, additional scan tasks are executed until a final verdict is produced.
Feature comparison
| Scan task | Triage scan | Full and Smart scan |
|---|---|---|
| File certificate validation | Yes | Yes |
| Allow-listing | Yes | Yes |
| OPSWAT reputation lookup | Yes | Yes |
| Embedded file, script, macro and data extraction | Yes | Yes |
| Support MITRE ATT&CK framework | Yes | Yes |
| File downloads | No | Yes |
| Image text analysis (OCR) | No | Yes |
| Microsoft Office file emulation | No | Yes |
| PowerShell script emulation | No | Yes |
| URL emulation (ML based phishing detection) | No | Yes |
| Fuzzy hash lookup | No | Yes |
| Integrate with other open-source intelligence vendors (e.g., VirusTotal) | No | Yes |
| YARA pattern matching | No | Yes |
