Skip to main content

New files (first and rescan) (TCF-0108)

This service provides a continuous list of samples in the Spectra Intelligence system which have been scanned for the first time or rescanned with the multi-AV scanner system.

The feed stores records for the last 365 days.

Continuous Malware Scan Feed Query

This query returns a list of samples that have been scanned for the first time or rescanned since the requested time. The feed returns up to 1000 records and any surplus records sharing the same timestamp.

To fetch the next batch of records, use the timestamp from the response increased by 1.

If the requested timestamp is not within the last 365 days, the service will respond with the status code 400 Bad Request.

GET /api/feed/malware/scan/v1/query/{time_format}/{time_value}[?format=xml|json|tsv][&sample_available=false|true][&limit=N]
  • time_format
    • Format in which the time value will be specified. Supported values are: timestamp - number of seconds since 1970-01-01 00:00:00; utc - UTC date in the YYYY-MM-DDThh:mm:ss format
    • Required
  • time_value
    • Accepts values in the format set by time_format
    • Required
  • format
    • Specifies the format in which the resulting data will be returned. Supported values are: xml (default), json, tsv (Tab Separated Values, delimiter character t 0x09)
    • Optional
  • sample_available
    • Indicates whether the samples are present in the ReversingLabs storage and are available for download (true) or if they are not available (false). Supported values are false (default) and true.
    • Optional
  • limit
    • Number of records to return in the response. The maximum and default value is 1000. Note that the response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned.
    • Optional

Response format

For the requested timestamp, the response contains a list of records. Every item in the list includes SHA1, MD5, and SHA256 hashes associated with the malware sample, as well as the information about the sample's file type.

An empty response is returned if no records for the requested timestamp are available.

  • time_range
    • The from/to time range of results
  • entries
    • A list of records, each returned as a separate item, containing SHA1, MD5, SHA256, sample_type and the record_on field, indicating the date and time when the sample record was updated in the feed. The single field value indicates if the sample was scanned for the first time (True), or if it was rescanned (False).
  • last_timestamp
    • The timestamp of the last result. Increase by 1 in the next query to retrieve the next batch of results. The format will be the same as the requested time format.
{"rl": {
"malware_scan_feed": {
"time_range": {
"from": "YYYY-MM-DDTHH:MM:SS",
"to": "YYYY-MM-DDTHH:MM:SS"
},
"entries": [
{
"sha1" : "sha1_value",
"md5" : "md5_value",
"sha256" : "sha256_value",
"record_on": "YYYY-MM-DDTHH:MM:SS",
"sample_type": "file_type_description",
"single": true|false},
},
{...},

],
"last_timestamp": "YYYY-MM-DDTHH:MM:SS_or_timestamp",
}
}
}

PULL Query

This query returns a list of first-time scanned or rescanned samples from a particular point in time. The starting point for this query is defined using the start_query. If the user has not previously requested this query, nor has the START query been called, it will return records starting with the current timestamp. Every subsequent call will continue from the timestamp where the previous call ended. In case that the timestamp of the previous call is older than 365 days, the subsequent call will autocorrect this timestamp to the oldest available (i.e. current - 365 days), and corresponding records will be returned.

Unless the limit parameter is specified, the feed returns up to 1000 records and any surplus records sharing the same timestamp. That ensures all the records with the same timestamp will be included in the recordset. The limit parameter must not be greater than 1000.

This endpoint is built to be queried by single thread (single instance). Any concurrent requests will be blocked until the previous one is fulfilled.

GET /api/feed/malware/scan/v1/query/pull[?format=xml|json|tsv][&limit=N][&sample_available=false|true]
  • format
    • Specifies the response format. The following values are supported: xml - default; json; tsv (Tab Separated Values, delimiter character t 0x09)
    • Optional
  • sample_available
    • Indicates whether the samples are present in the ReversingLabs storage and are available for download (true) or if they are not available (false). Supported values are false (default) and true.
    • Optional
  • limit
    • Number of records to return in the response. The maximum and default value is 1000. Note that the response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned.
    • Optional

Response format

The response format is the same as in the feed_query.

START Query

This query sets the starting timestamp for the previously described pull_query.

The starting timestamp must be within the last 365 days, otherwise the service will respond with the status code 400 Bad Request.

PUT /api/feed/malware/scan/v1/query/start/[time_format]/[time_value]
  • time_format
    • Format in which the time value will be specified. Supported values are: timestamp - number of seconds since 1970-01-01 00:00:00; utc - UTC date in the YYYY-MM-DDThh:mm:ss format
    • Required
  • time_value
    • Accepts values in the format set by time_format
    • Required

Response format

A successful query returns an HTTP 200 OK message with an empty response body.

Examples

Format query field

Fetching all new samples from 2017-03-26 10:33:20

/api/feed/malware/scan/v1/query/timestamp/1490517200
/api/feed/malware/scan/v1/query/utc/2017-03-26T10:33:20

Fetching all new samples from 2017-03-26 10:33:20 that are present in storage

/api/feed/malware/scan/v1/query/timestamp/1490517200?sample_available=true
/api/feed/malware/scan/v1/query/timestamp/1490517200?sample_available=true&format=json

Fetching all new samples from 2017-03-26 10:33:20 in JSON and XML format

/api/feed/malware/scan/v1/query/timestamp/1490517200?format=json
/api/feed/malware/scan/v1/query/timestamp/1490517200?format=xml