Usage
The File Inspection Engine starts in approximately 4 seconds, assuming that the static analysis engine initializes successfully and the license is valid. You can confirm that the application is ready by checking for the following log messages:
{"level":"info","component":"ticore","time":"2024-02-08T18:25:53.283352566Z","message":"Initialized"}
{"level":"info","component":"http.server","time":"2024-02-08T18:25:53.28392381Z","message":"Listening on :8000"}
{"level":"info","component":"licensing.Manager","time":"2024-02-08T18:25:53.395488411Z","message":"The license is valid"}
{"level":"info","component":"threatdata","time":"2024-02-08T18:25:53.470438606Z","message":"Reloaded with last update time: 2024-02-08T18:02:54Z"}
When starting for the first time, the application needs to download threat data. This process may take some time, and the application will only become fully usable once the threat data download is complete, regardless of the messages displayed.
If the static analysis engine fails to initialize, the application will exit. For all other errors, logs will be generated, and the application will continue to run.
File Submissions
To scan a file, make a POST request to http://host:port/scan, with the file contents as the raw request body.
- You don’t need to set the
Content-Typeheader. If set, it will be included alongside every log message related to that submission. - It is recommended to set the
Content-Lengthheader to prevent files larger than the maximum upload size from partially uploading before getting rejected. - Optionally, you can provide an
external_idquery string parameter that will also be included alongside log messages related to the submission. This parameter can contain any value meaningful to the client application, such as a file name, database ID, or other identifying information.
Examples using curl
Example request:
curl -X POST --upload-file example.docx http://<host>:<port>/scan
Example response:
200 OK
{
"classification": "OK",
"message": ""
}
Classification: The classification string will be either "OK" or "malicious". If suspicious files are treated as malicious, the classification could also be "suspicious".
If with-threat-details and add-file-type options are enabled, the response may look like:
{
"classification": "malicious",
"message": "",
"threat_details": {
"platform": "Script",
"type": "Trojan",
"threat_name": "Script-JS.Trojan.Redirector"
},
"file_type": "Text"
}
Logging:
The following example provides Content-Type and a custom external ID in the request, both of which can be visible in application logs:
curl -v -X POST -H 'Content-Type: application/x-tar' --upload-file archive.tar 'http://localhost:8000/scan?external_id=my%20external%20id'
Log example:
This request would create the following log entry, including the external ID:
{
"level": "info",
"request_id": "21e7262b-28a0-43a0-be4e-a6f0a5d897a3",
"external_id": "my external id",
"content_type": "application/x-tar",
"component": "http.api",
"request_path": "/scan",
"content_length": 244244480,
"active_concurrency": 1,
"time": "2024-11-27T13:41:52.593520919+01:00",
"message": "Upload started"
}
Response Status Codes
The message field may contain a soft error (e.g., failing to get detailed threat information from the cloud), but is often empty. Hard errors will be returned as HTTP status 500 Internal Server Error.
| Code | Description | Message |
|---|---|---|
| 200 | The request has succeeded. | N/A |
| 400 | File size error. | {"error": "Maximum upload file size in bytes is {configured_value}" } |
| 429 | Concurrency limit reached. | {"error": "The concurrent analysis limit has been reached"} |
| 524 | A timeout occurred. | {"error": "The analysis could not be completed within the configured maximum analysis time"} |
Timeouts
If timeouts are configured for uploads, they apply to all processing after the upload is complete.
Analyses may fail due to one of two reasons:
-
Complex file: The file is too complex and it will never be analyzed within the configured time limit, even when the server is idle. Waiting and trying again will not help.
-
Server load: The file is a bit more complex relative to the current load on the server. If the server were less busy, it might be possible to process it within the configured time limit. Waiting and trying again might help.
Check Version
To check the File Inspection Engine version and the threat data timestamp, use the /version endpoint.
curl http://<host>:<port>/version
It returns the application version and the last successful threat data synchronization timestamp.
{
"application": "1.0.2",
"threat_data": "2024-09-17T12:07:30Z"
}