Skip to main content
Version: File Inspection Engine 1.0.1

Usage

The File Inspection Engine starts in approximately 4 seconds, assuming that the static analysis engine initializes successfully and the license is valid. You can confirm that the application is ready by checking for the following log messages:

{"level":"info","component":"ticore","time":"2024-02-08T18:25:53.283352566Z","message":"Initialized"}
{"level":"info","component":"http.server","time":"2024-02-08T18:25:53.28392381Z","message":"Listening on :8000"}
{"level":"info","component":"licensing.Manager","time":"2024-02-08T18:25:53.395488411Z","message":"The license is valid"}
{"level":"info","component":"threatdata","time":"2024-02-08T18:25:53.470438606Z","message":"Reloaded with last update time: 2024-02-08T18:02:54Z"}
note

When starting for the first time, the application needs to download threat data. This process may take some time, and the application will only become fully usable once the threat data download is complete, regardless of the messages displayed.

If the static analysis engine fails to initialize, the application will exit. For all other errors, logs will be generated, and the application will continue to run.

File Submissions

To scan a file, make a POST request to http://host:port/scan, with the file contents as the raw request body.

  • You don’t need to set the Content-Type header.
  • It is recommended to set the Content-Length header to prevent files larger than the maximum upload size from partially uploading before getting rejected.

Example using curl

curl -X POST --upload-file example.docx http://<host>:<port>/scan

Example Response

200 OK

{
"classification": "OK",
"message": ""
}

Classification: The classification string will be either "OK" or "malicious". If suspicious files are treated as malicious, the classification could also be "suspicious".

If with-threat-details and add-file-type options are enabled, the response may look like:

{
"classification": "malicious",
"message": "",
"threat_details": {
"platform": "Script",
"type": "Trojan",
"threat_name": "Script-JS.Trojan.Redirector"
},
"file_type": "Text"
}

Response Status Codes

The message field may contain a soft error (e.g., failing to get detailed threat information from the cloud), but is often empty. Hard errors will be returned as HTTP status 500 Internal Server Error.

CodeDescriptionMessage
200The request has succeeded.N/A
400File size error.{"error": "Maximum upload file size in bytes is {configured_value}" }
524A timeout occurred.{"error": "The analysis could not be completed within the configured maximum analysis time"}

Timeouts

If timeouts are configured for uploads, they apply to all processing after the upload is complete.

Analyses may fail due to one of two reasons:

  • Complex file: The file is too complex and it will never be analyzed within the configured time limit, even when the server is idle. Waiting and trying again will not help.

  • Server load: The file is a bit more complex relative to the current load on the server. If the server were less busy, it might be possible to process it within the configured time limit. Waiting and trying again might help.

Check Version

To check the File Inspection Engine version and the threat data timestamp, use the /version endpoint.

curl http://<host>:<port>/version

It returns the application version and the last successful threat data synchronization timestamp.

{
"application": "1.0.0",
"threat_data": "2024-09-17T12:07:30Z"
}