Version: File Inspection Engine 1.1.1

Docker

Docker image

The File Inspection Engine Docker image can either be obtained from the ReversingLabs container registry or provided as a .tar file.

Pulling the Docker image

To pull the Docker image from the ReversingLabs container registry:

  1. Log in to the Docker Registry

    Log in using your cloud username and password:

    docker login registry.reversinglabs.com
  2. Pull the Docker image

    Pull the file-inspection-engine Docker image with the specified tag:

    docker pull registry.reversinglabs.com/fie/file-inspection-engine:1.1.1

Loading the Docker image from a .tar file

If you have received the Docker image as a .tar archive, load the image using the following command:

docker image load -i file-inspection-engine-1.1.1.tar.gz

Running the application

The File Inspection Engine (FIE) reads its license from an environment variable called RL_LICENSE. This license, provided by ReversingLabs, must be passed to the application at startup.

To start the application, use one of the following commands. If the image was pulled from the registry, use the full image name including the registry (registry.reversinglabs.com/fie/file-inspection-engine:1.1.1).

docker run --rm -it -e RL_LICENSE="contents of the license file" --net host file-inspection-engine:1.1.1

In this example, the container runs on the host network, so no port mapping is needed.

If you’re not using the host network, you’ll need to map the container’s port to the host.

The HTTP server uses port 8000 by default, but you can change it:

  • To map the port to a different host port:

    docker run --rm -it -p 127.0.0.1:80:8000 file-inspection-engine:1.1.1
  • To change the HTTP port used by the container:

    docker run --rm -it -p 127.0.0.1:80:9000 file-inspection-engine:1.1.1 --http-address :9000

Manual threat data synchronization

The File Inspection Engine retrieves threat data updates automatically.

If you want to pre-download threat data so your customers can start using it immediately, or if you prefer to manually sync the data, use the threat-data command included in the image. This command is also used to download threat data in air-gapped environments.

If manual threat data updates occur less than once per week, incremental updates may take longer than a full database download. Performance depends on system resources, network bandwidth, and the deployment environment. Incremental updates are recommended by default, but if they are slow, consider these factors and opt for a full download if necessary.

Supported Options

The threat-data command supports the following options in addition to RL_CLOUD_USERNAME and RL_CLOUD_PASSWORD:

  • RL_PARANOID_MODE: also download the data collection for suspicious files, so that suspicious files are treated as malicious.
  • RL_PROXY_ADDRESS: proxy server address to use if the cloud is reachable only through a proxy.
  • RL_RETRY_COUNT: number of retries if a segment fails to download during an update.
  • RL_LOG_JSON: selects the log output format, either JSON or colored plain text.

Sync Command

To manually sync the threat data, use the sync sub-command, which requires specifying the threat data directory:

./threat-data sync /threat/data/dir

To execute this via Docker, run:

docker run --rm -it \
-e RL_CLOUD_USERNAME=username \
-e RL_CLOUD_PASSWORD=password \
-e RL_PARANOID_MODE=true \
-v ./external/dir:/rl/threat-data:z \
--entrypoint ./threat-data \
registry.reversinglabs.com/fie/file-inspection-engine:1.1.1 \
sync /rl/threat-data

If you need to treat suspicious files as malicious, make sure to set the RL_PARANOID_MODE option to true in the command.

Important:

  • The threat-data command only supports configuration via environment variables.
  • We recommend pre-downloading the threat data once and including it in your distribution for multiple users, as a full threat data download is more resource-intensive compared to incremental updates.
  • Do not run the threat-data command concurrently with the application if both are accessing the same directory.

Air-gapped manual threat data synchronization

For air-gapped environments, follow the process below to synchronize threat data. First, download the threat data on a machine with internet access, then transfer the data to the air-gapped instance.

  1. Start a File Inspection Engine (FIE) instance on a machine with internet access. Once the data sync is complete, stop the FIE instance that was used for downloading, and then proceed to step 2.

    Alternatively, run the following command to manually sync the threat data:

    docker run --rm -it \
    -e RL_CLOUD_USERNAME=username \
    -e RL_CLOUD_PASSWORD=password \
    -v /external/dir:/rl/threat-data \
    --entrypoint ./threat-data \
    file-inspection-engine:1.1.1 \
    sync /rl/threat-data

    /external/dir represents the path on the host system where the threat data is stored. If the directory contains older threat data, it will be incrementally updated.

    Note:

    If using paranoid mode, set the environment variable RL_PARANOID_MODE=true.

    Upon successful synchronization, the log should show Threat data fully updated. In case of errors, rerun the command to retry. Proceed to step 2.

  2. Stop a production FIE instance (or create a new one) in the air-gapped environment.

  3. Copy the threat data from /external/dir on the internet-connected machine to the corresponding threat data directory used by the air-gapped FIE instance. Ensure that the transferred data is placed in the directory where the application would normally download it if it were online. For further assistance, contact ReversingLabs Support.

  4. Restart or deploy the air-gapped FIE instance with the updated threat intelligence data.
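The following script is an added example, not ReversingLabs tooling: it wraps steps 1 and 3 on the internet-connected side, rerunning the sync until the log shows "Threat data fully updated" and writing a sha256 manifest so the copy into the air-gapped threat data directory can be verified before the FIE instance is restarted. The FIE_IMAGE and FIE_SYNC_RETRIES variables, the log file name and the MANIFEST.sha256 file are this script's own assumptions; cloud credentials are passed through from the host environment rather than written on the command line.

```shell
#!/bin/sh
# Added example (not ReversingLabs tooling): manual threat-data sync with retry,
# success check on the documented log line, and a sha256 manifest for the copy
# into the air-gapped environment. FIE_IMAGE, FIE_SYNC_RETRIES, the .sync.log
# file and MANIFEST.sha256 are assumptions made by this script.
set -eu
IMAGE="${FIE_IMAGE:-registry.reversinglabs.com/fie/file-inspection-engine:1.1.1}"
RETRIES="${FIE_SYNC_RETRIES:-3}"
MARKER="Threat data fully updated"   # success line named in the docs

# One sync into host directory $1, output captured to log file $2.
# RL_CLOUD_USERNAME/RL_CLOUD_PASSWORD are passed through from the host
# environment (-e NAME with no value), so the secrets never show up in `ps`.
run_sync() {
    docker run --rm -e RL_CLOUD_USERNAME -e RL_CLOUD_PASSWORD \
        -e RL_PARANOID_MODE="${RL_PARANOID_MODE:-false}" \
        -v "$1:/rl/threat-data:z" --entrypoint ./threat-data "$IMAGE" \
        sync /rl/threat-data 2>&1 | tee "$2"
}

# 0 only if log $1 contains the success line; the pipeline above returns
# tee's status, so the log line is the signal to trust.
sync_ok() { grep -q "$MARKER" "$1"; }

# Rerun the sync, as the docs advise on error, up to $RETRIES times.
sync_with_retry() {
    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        n=$((n + 1))
        run_sync "$1" "$2" || true
        if sync_ok "$2"; then return 0; fi
        echo "sync attempt $n: success line not found, retrying" >&2
    done
    return 1
}

# Hash every file under $1 into $1/MANIFEST.sha256, sorted so that two runs
# over the same data give identical manifests.
write_manifest() {
    (cd "$1" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | LC_ALL=C sort) > "$1/MANIFEST.sha256"
}

# Run on the air-gapped host after the copy: 0 means every file matches.
verify_manifest() { (cd "$1" && sha256sum -c --quiet MANIFEST.sha256); }

main() {
    mkdir -p "$1"
    sync_with_retry "$1" "$1.sync.log"
    write_manifest "$1"
    echo "threat data in $1 is ready; copy the whole directory, including MANIFEST.sha256"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Invoke as `./fie-sync.sh /external/dir` with RL_CLOUD_USERNAME and RL_CLOUD_PASSWORD exported; on the air-gapped host run `verify_manifest` against the copied directory before restarting FIE.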