Usage
The File Inspection Engine starts in approximately 4 seconds, assuming that the static analysis engine initializes successfully and the license is valid. You can confirm that the application is ready by checking for the following log messages:
{"level":"info","component":"ticore","time":"2024-02-08T18:25:53.283352566Z","message":"Initialized"}
{"level":"info","component":"http.server","time":"2024-02-08T18:25:53.28392381Z","message":"Listening on :8000"}
{"level":"info","component":"licensing.Manager","time":"2024-02-08T18:25:53.395488411Z","message":"The license is valid"}
{"level":"info","component":"threatdata","time":"2024-02-08T18:25:53.470438606Z","message":"Reloaded with last update time: 2024-02-08T18:02:54Z"}
When starting for the first time, the application needs to download threat data. This process may take some time, and the application will only become fully usable once the threat data download is complete, regardless of the messages displayed.
If the static analysis engine fails to initialize, the application will exit. For all other errors, logs will be generated, and the application will continue to run.
File Submissions
To scan a file, make a POST request to http://host:port/scan, with the file contents as the raw request body.
- You don’t need to set the
Content-Typeheader. - It is recommended to set the
Content-Lengthheader to prevent files larger than the maximum upload size from partially uploading before getting rejected.
Example using curl
curl -X POST --upload-file example.docx http://<host>:<port>/scan
Example Response
200 OK
{
"classification": "OK",
"message": ""
}
Classification: The classification string will be either "OK" or "malicious". If suspicious files are treated as malicious, the classification could also be "suspicious".
If with-threat-details and add-file-type options are enabled, the response may look like:
{
"classification": "malicious",
"message": "",
"threat_details": {
"platform": "Script",
"type": "Trojan",
"threat_name": "Script-JS.Trojan.Redirector"
},
"file_type": "Text"
}
Response Status Codes
The message field may contain a soft error (e.g., failing to get detailed threat information from the cloud), but is often empty. Hard errors will be returned as HTTP status 500 Internal Server Error.
| Code | Description | Message |
|---|---|---|
| 200 | The request has succeeded. | N/A |
| 400 | File size error. | {"error": "Maximum upload file size in bytes is {configured_value}" } |
| 524 | A timeout occurred. | {"error": "The analysis could not be completed within the configured maximum analysis time"} |
Timeouts
If timeouts are configured for uploads, they apply to all processing after the upload is complete.
Analyses may fail due to one of two reasons:
-
Complex file: The file is too complex and it will never be analyzed within the configured time limit, even when the server is idle. Waiting and trying again will not help.
-
Server load: The file is a bit more complex relative to the current load on the server. If the server were less busy, it might be possible to process it within the configured time limit. Waiting and trying again might help.
Check Version
To check the File Inspection Engine version and the threat data timestamp, use the /version endpoint.
curl http://<host>:<port>/version
It returns the application version and the last successful threat data synchronization timestamp.
{
"application": "1.0.0",
"threat_data": "2024-09-17T12:07:30Z"
}