Skip to main content

New files (first scan) (TCF-0107)

This service provides a continuous list of hashes for samples collected from various sources and scanned with the multi-AV scanning system for the first time in the Spectra Intelligence system.

The feed stores records for the last 365 days.

Continuous First Scan Feed Query

This query returns hashes for samples collected from various sources and scanned with the multi-AV scanning system for the first time since the requested timestamp.

The feed returns up to 1000 records and any surplus records sharing the same timestamp. To fetch the next batch of records, use the timestamp from the response increased by 1.

If the requested timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.

GET /api/feed/malware/first_scan/v1/query/{time_format}/{time_value}[?format=xml|json|tsv][&sample_available=false|true][&limit=N]
  • time_format
    • Format in which the time value will be specified. Supported values are: timestamp - number of seconds since 1970-01-01 00:00:00; utc - UTC date in the YYYY-MM-DDThh:mm:ss format
    • Required
  • time_value
    • Accepts values in the format set by time_format
    • Required
  • format
    • Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, tsv (Tab Separated Values, delimiter character t 0x09)
    • Optional
  • sample_available
    • Indicates whether the samples are present in the ReversingLabs storage and are available for download (true) or if they are not available (false). Supported values are false (default) and true.
    • Optional
  • limit
    • Number of records to return in the response. The maximum and default value is 1000. Note that the response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned.
    • Optional

Response format

For the requested timestamp, the response contains a list of records. Every item in the list includes SHA1, MD5, and SHA256 hashes associated with the sample, as well as the information about the sample's file type.

An empty response is returned if no records for the requested timestamp are available.

  • time_range
    • The from/to time range of results
  • entries
    • A list of records, each returned as a separate item, containing SHA1, MD5, SHA256, and sample_type
  • last_timestamp
    • The timestamp of the last result. Increase by 1 in the next query to retrieve the next batch of results. The format will be the same as the requested time format. rl > malware_first_scan_feed

Response Examples

{"rl": {
"malware_first_scan_feed": {
"time_range": {
"from": "YYYY-MM-DDTHH:MM:SS",
"to": "YYYY-MM-DDTHH:MM:SS"
},
"entries": [
{
"sha1" : "sha1_value",
"md5" : "md5_value",
"sha256" : "sha256_value",
"sample_type" : "sample_type_value"
},
{...},

],
"last_timestamp": "YYYY-MM-DDTHH:MM:SS_or_timestamp",
}
}
}

PULL Query

For a given point in time, this query returns a list of hashes for samples collected from various sources that are scanned with the multi-AV scanning system for the first time.

The starting point for this query is defined using the start_query. If the user has not previously requested this query, nor has the START query been called, it will return records starting with the current timestamp. Every subsequent call will continue from the timestamp where the previous call ended. In case that the timestamp of the previous call is older than 365 days, the subsequent call will autocorrect this timestamp to the oldest available (i.e. current - 365 days), and corresponding records will be returned.

Unless the limit parameter is specified, the feed returns up to 1000 records and any surplus records sharing the same timestamp. That ensures all the records with the same timestamp will be included in the recordset. The limit parameter must not be greater than 1000.

This endpoint is built to be queried by a single thread (single instance). Any concurrent requests will be blocked until the previous request is fulfilled.

GET /api/feed/malware/first_scan/v1/query/pull[?format=xml|json|tsv][&limit=N][&sample_available=false|true]
  • format
    • Specifies the response format. The following values are supported: xml - default; json; tsv (Tab Separated Values, delimiter character t 0x09)
    • Optional
  • sample_available
    • Indicates whether the samples are present in the ReversingLabs storage and are available for download (true) or if they are not available (false). Supported values are false (default) and true.
    • Optional
  • limit
    • Number of records to return in the response. The maximum and default value is 1000. Note that the response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned.
    • Optional

Response format

The response format is the same as in the feed_query.

START Query

This query sets the starting timestamp for the previously described pull_query.

The starting timestamp must be within the last 365 days, otherwise the service will respond with the status code 400 Bad Request.

PUT /api/feed/malware/first_scan/v1/query/start/[time_format]/[time_value]
  • time_format
    • Format in which the time value will be specified. Supported values are: timestamp - number of seconds since 1970-01-01 00:00:00; utc - UTC date in the YYYY-MM-DDThh:mm:ss format
    • Required
  • time_value
    • Accepts values in the format set by time_format
    • Required

Response format

A successful query returns an HTTP 200 OK message with an empty response body.

Examples

Retrieving all first-scanned samples from 2017-03-26 10:33:20:

/api/feed/malware/first_scan/v1/query/timestamp/1490517200
/api/feed/malware/first_scan/v1/query/utc/2017-03-26T10:33:20

Retrieving all first-scanned samples from 2017-03-26 10:33:20 that are present in the storage:

/api/feed/malware/first_scan/v1/query/timestamp/1490517200?sample_available=true
/api/feed/malware/first_scan/v1/query/timestamp/1490517200?sample_available=true&format=json

Retrieving all first-scanned samples from 2017-03-26 10:33:20 in JSON and XML format:

/api/feed/malware/first_scan/v1/query/timestamp/1490517200?format=json
/api/feed/malware/first_scan/v1/query/timestamp/1490517200?format=xml

Setting the initial timestamp for the PULL query to 2017-03-26 10:33:20:

/api/feed/malware/first_scan/v1/query/start/timestamp/1490517200

Pulling records since the latest state:

/api/feed/malware/first_scan/v1/query/pull

Empty response example

An empty response is returned if no records for the requested timestamp are available. To return the next batch of records, use the last_timestamp value incremented by 1.

JSON

{
"rl": {
"malware_first_scan_feed": {
"entries": [],
"last_timestamp": 1449745851,
"time_range": {
"from": "2017-03-26T10:33:20",
"to": "2017-03-26T10:34:20"

}
}
}
}