Version: File Inspection Engine 1.1.1

Configuration

The --help flag output lists all available command-line options along with their default values.

docker run registry.reversinglabs.com/fie/file-inspection-engine:1.1.1 --help

Note that default values may be overridden by environment variables.

Boolean flags must include an equals sign (=) when explicitly set to true/1 or false/0 (e.g., --cloud-updates=true, --cloud-updates=false). Alternatively, to enable a boolean flag, use the shortcut by specifying the flag name alone (e.g., --cloud-updates for true). Non-boolean flags don't need an equals sign. Both --timeout 10s and --timeout=10s are fine.
Time Duration Options: For configuration options containing time durations, the supported suffixes are ms, s, m, and h (e.g., --timeout 10s or --cloud-update-interval 1m).

info

Environment variables: Command line flags can also be passed as environment variables, by using RL_ as the prefix and replacing the dashes in between the words with underscores. For example, --http-address becomes the environment variable RL_HTTP_ADDRESS.

When a default value is not mentioned in the help output, it is empty (either an empty string or false for boolean options).

Configuration options

`RL_LICENSE`

Description: Set the contents of your license file.
Default: N/A
Notes: This option is only available as an environment variable.

`RL_RETRY_COUNT`

Description: Configures the maximum number of retries for failed threat data segment downloads when using the threat-data command.
Default: 3
Possible Values: 0 to 100

`--add-file-type` / `RL_ADD_FILE_TYPE`

Description: Controls whether file_type information is returned in the /scan API response.
Default: disabled
Possible Values: disabled, enabled, force
Notes:
- When enabled, the correct file_type will only be returned if static analysis was performed.
- When force is set, static analysis is always performed.

`--concurrency-limit` / `RL_CONCURRENCY_LIMIT`

Description: Maximum concurrent requests when performing file analysis, across all HTTP endpoints.
Default: 20
Possible Values: From 0 (unlimited) to 100

`--proxy-address` / `RL_PROXY_ADDRESS`

Description: Specifies the address of a proxy server for contacting the cloud API.
Default: N/A
Possible Values:
- https://host:port
- http://host:port
- socks5://host:port
Notes: You can include credentials in the proxy URL, for example:
- http://user:password@localhost:8080

`--cloud-threat-data` / `RL_CLOUD_THREAT_DATA`

Description: Path to the directory for local threat data to avoid contacting the cloud API during file inspection.
Default: /rl/threat-data
Notes: Requires ~20 GB for malicious data and 1 GB for suspicious data, with additional space needed during updates (files are downloaded fully before replacement).

Threat data synchronization starts shortly after the application is up and running and continues at regular intervals, configurable via the --cloud-update-interval parameter.

Initial synchronization involves larger files, while subsequent updates use incremental changes (typically < 100 KB per segment). Data is divided into 256 segments per classification, and each segment may require multiple updates, which can increase the total download size to several megabytes, especially with less frequent updates.

`--cloud-update-interval` / `RL_CLOUD_UPDATE_INTERVAL`

Description: Sets how frequently the application checks for cloud threat data updates.
Default: 5m
Possible Values: From 1m to 24h (e.g., 45m, 6h)

`--cloud-updates` / `RL_CLOUD_UPDATES`

Description: Enables or disables automatic updates for threat data.
Default: true
Possible Values: true, false

`--http-address` / `RL_HTTP_ADDRESS`

Description: Defines the host and port for the HTTP server.
Default: :8000
Possible Values:
- Port only. Example: :9000
- Host and port. Example: 127.0.0.1:8080

`--log-json` / `RL_LOG_JSON`

Description: Defines the log output format as either JSON or colored plain text.
Default: true
Possible Values: true, false

`--tmp-dir` / `RL_TMP_DIR`

Description: Path to the temporary directory for uploaded files, unpacked files, and reports.
Default: /rl/tmp

`--max-decompression-factor` / `RL_MAX_DECOMPRESSION_FACTOR`

Description: Spectra Core has a set of mechanisms that protect the user from intentional or unintentional archive bombs, ranging from checks that prevent a file from making identical copies of itself during unpacking, to the maximum allowed decompression ratio for any given file.

These protection measures enable the engine to terminate the archive decompression if the size of unpacked content exceeds a set quota. The maximum decompression ratio is calculated as
```
MaximumDecompressionFactor * (1000 / ln(1 + InputFileSize * pow(10, -5)))
```
where InputFileSize must be in bytes. To calculate the maximum decompressed file size, multiply this ratio by the InputFileSize. In practice, this means that the unpacking will stop once the size of all extracted content exceeds the theoretical maximum of the best performing compression algorithm.
Default: 1.0
Notes: When a file exceeds the decompression ratio, the unpacking will stop and the partially unpacked content will be sent for analysis.

If set to a negative value, a warning is printed, and the value defaults to 1.0. Setting this to 0 disables decompression management, but this is strongly discouraged as it leaves the system vulnerable to resource exhaustion attacks.

`--max-upload-file-size` / `RL_MAX_UPLOAD_FILE_SIZE`

Description: Maximum file size (in MiB) the application will accept.
Default: 100

`--paranoid-mode` / `RL_PARANOID_MODE`

Description: Enables an additional classification for suspicious files, allowing them to be flagged as suspicious instead of OK. With this option, the possible response classifications are OK, malicious, and suspicious.
Default: false
Possible Values: true, false
Notes: Requires an additional 1 GB of cloud threat data.

`--with-threat-details` / `RL_WITH_THREAT_DETAILS`

Description: Determines whether detailed threat information is included in the JSON HTTP response for malware classification.
Default: false
Possible Values: true, false
Notes: Slows down the response as it contacts the cloud API. If no additional threat information is available, the threat_details property won't be present.

`--unpacking-depth` / `RL_UNPACKING_DEPTH`

Description: The maximum number of file layers to unpack when performing static analysis.
Default: 17
Possible values: From 0 (unlimited) to MaxInt32.

`--timeout` / `RL_TIMEOUT`

Description: The maximum analysis time, for example 10s (seconds) or 1m (minute). Timeouts apply to all processing after the file is uploaded.
Default: 0 (unlimited)

note

You do not need to change the default paths for --cloud-threat-data and --tmp-dir. However, it is important to mount the appropriate directories to these paths when starting the container.

Do not configure more than one container to use the same directories concurrently.

Examples

Example - Running with proxy and additional settings

docker run --rm -it \
-e RL_LICENSE="the content of the license file" \
-e RL_PROXY_ADDRESS=http://proxy.server.lan \
-e RL_MAX_UPLOAD_FILE_SIZE=200 \
-e RL_PARANOID_MODE=true \
-e RL_WITH_THREAT_DETAILS=true \
-p 127.0.0.1:8000:8000 \
-v /external/threat-data:/rl/threat-data \
-v /external/tmp:/rl/tmp \
file-inspection-engine:1.1.1

Configuration options​

RL_LICENSE​

RL_RETRY_COUNT​

--add-file-type / RL_ADD_FILE_TYPE​

--concurrency-limit / RL_CONCURRENCY_LIMIT​

--proxy-address / RL_PROXY_ADDRESS​

--cloud-threat-data / RL_CLOUD_THREAT_DATA​

--cloud-update-interval / RL_CLOUD_UPDATE_INTERVAL​

--cloud-updates / RL_CLOUD_UPDATES​

--http-address / RL_HTTP_ADDRESS​

--log-json / RL_LOG_JSON​

--tmp-dir / RL_TMP_DIR​

--max-decompression-factor / RL_MAX_DECOMPRESSION_FACTOR​

--max-upload-file-size / RL_MAX_UPLOAD_FILE_SIZE​

--paranoid-mode / RL_PARANOID_MODE​

--with-threat-details / RL_WITH_THREAT_DETAILS​

--unpacking-depth / RL_UNPACKING_DEPTH​

--timeout / RL_TIMEOUT​

Examples​