Increasing the detection rate
When an HTTP request is made to scan a file or a block of memory, there are two ways to increase the detection rate by specifying an optional scan task context:

- Provide the origin of the object to scan in the "url" field of the POST request body:
  - If the object to scan was received from the web, specify the web address of origin, including the protocol, for example: http://example.com
    The supported protocols are HTTP, HTTPS, and FTP.
    If the URL is unknown, we recommend that you use http://example.com as the scan task context.
  - If the object to scan was received by email, specify the sender's email address in the following format: [from:%sender_address%], for example: [from:example@example.com]
    If the sender's email address is unknown, we recommend that you use [from:test@relay.example] as the scan task context.
Below is an example of an HTTP request to scan a local file received from the web. Note the use of the "url" field to specify the web address of origin:

POST /api/v3.0/scanfile HTTP/1.0
Content-Type: application/octet-stream
Content-Length: 22

{
"timeout": "10000",
"object": "\/home\/user\/eicar",
"url": "http:\/\/example.com"
}
The response is the same as in section "Example of an HTTP request to scan a local file".
- Provide request and response headers gathered from HTTP traffic related to the object to scan in the "requestHeaders" and "responseHeaders" fields of the POST request body.

Note that you can combine the two types of scan task context to further boost the detection rate. In the example below, the request and response headers are specified along with the web address of origin.

POST /api/v3.0/scanfile HTTP/1.0
Content-Type: application/octet-stream
Content-Length: 22

{
"object": "\/home\/user\/eicars.tar",
"requestHeaders": ": authority: example.com\r\n: method: GET\r\n path:\/ \r\n:scheme: https\r\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\r\naccept-encoding: gzip, deflate, br\r\naccept-language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,mt;q=0.6\r\ncache-control: no-cache\r\npragma: no-cache\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36",
"responseHeaders": "accept-ranges: bytes\r\ncache-control: max-age=604800\r\ncontent-type: text\/html; charset=UTF-8\r\ndate: Thu, 31 Jan 2019 18:51:11 GMT\r\netag: \"1541025663\"\r\nexpires: Thu, 07 Feb 2019 18:51:11 GMT\r\nlast-modified: Fri, 09 Aug 2013 23:54:35 GMT\r\nserver: ECS (dca\/532C)\r\nstatus: 200\r\nvary: Accept-Encoding\r\nx-cache: HIT",
"url": "http:\/\/example.com"
}
The successfully processed request will result in the following response:
HTTP/1.0 200 Ok
Connection: close
Content-Type: text/plain
Server: KAVHTTPD/1.0
X-KAV-ProtocolVersion: 3
Date: Wed, 30 Jan 2019 15:46:29 GMT
Content-Length: 75

{
"object": "\/home\/user\/eicars.tar",
"scanResult": "DETECTED",
"detectionName": "multiple",
"subObjectsScanResults": [
{
"object": "\/home\/user\/eicars.tar\/\/eicar1",
"scanResult": "DETECTED",
"detectionName": "EICAR-Test-File"
},
{
"object": "\/home\/user\/eicars.tar\/\/eicar2",
"scanResult": "DETECTED",
"detectionName": "EICAR-Test-File"
}
]
}
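The following client-side helper is an added example, not Kaspersky's own code: it builds the scanfile request body with either kind of scan task context (web origin or "[from:...]" sender), formats captured headers into the CRLF-joined strings the "requestHeaders" and "responseHeaders" fields expect, computes a Content-Length that matches the payload, and flattens a response such as the archive verdict above so that every detected member is listed rather than only the container's "multiple". The function names, the scheme check on the origin URL and the embedded sample response (reconstructed from the page) are this example's own assumptions.

```python
import json
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit

SCANFILE_PATH = "/api/v3.0/scanfile"               # endpoint used on the page
SUPPORTED_SCHEMES = ("http", "https", "ftp")       # protocols the page allows in "url"
DEFAULT_WEB_ORIGIN = "http://example.com"          # recommended when the URL is unknown
DEFAULT_MAIL_ORIGIN = "[from:test@relay.example]"  # recommended when the sender is unknown


def web_origin(url: Optional[str]) -> str:
    """Scan task context for an object received from the web (assumed helper)."""
    if url is None:
        return DEFAULT_WEB_ORIGIN
    parts = urlsplit(url)
    if parts.scheme.lower() not in SUPPORTED_SCHEMES or not parts.netloc:
        raise ValueError(f"origin must be an http/https/ftp URL with a host: {url!r}")
    return url


def mail_origin(sender: Optional[str]) -> str:
    """Scan task context for an object received by email: [from:%sender_address%]."""
    if sender is None:
        return DEFAULT_MAIL_ORIGIN
    if "@" not in sender or any(ch in sender for ch in "[]\r\n "):
        raise ValueError(f"sender address is not usable as context: {sender!r}")
    return f"[from:{sender}]"


def format_headers(headers: Sequence[Tuple[str, str]]) -> str:
    """Join (name, value) pairs into the CRLF-separated string the page puts in
    requestHeaders / responseHeaders."""
    return "\r\n".join(f"{name}: {value}" for name, value in headers)


def build_scan_body(object_path: str, context: str,
                    request_headers: Optional[Sequence[Tuple[str, str]]] = None,
                    response_headers: Optional[Sequence[Tuple[str, str]]] = None,
                    timeout_ms: Optional[int] = None) -> Dict[str, str]:
    """JSON body for POST /api/v3.0/scanfile; both kinds of context can be combined."""
    body = {"object": object_path, "url": context}
    if timeout_ms is not None:
        body["timeout"] = str(timeout_ms)      # the page passes the timeout as a string
    if request_headers:
        body["requestHeaders"] = format_headers(request_headers)
    if response_headers:
        body["responseHeaders"] = format_headers(response_headers)
    return body


def build_http_request(body: Dict[str, str]) -> bytes:
    """Serialise the request as the page shows it, with Content-Length computed
    from the real payload (json.dumps leaves '/' unescaped, which JSON permits)."""
    payload = json.dumps(body).encode("utf-8")
    head = (f"POST {SCANFILE_PATH} HTTP/1.0\r\n"
            "Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode("ascii") + payload


def verdicts(response_json: str) -> List[Tuple[str, str, str]]:
    """Flatten a scan response into (object, scanResult, detectionName) triples,
    descending into subObjectsScanResults so each infected archive member is
    reported, not only the container's aggregate "multiple" verdict."""
    out: List[Tuple[str, str, str]] = []

    def walk(node: Dict) -> None:
        out.append((node["object"], node["scanResult"], node.get("detectionName", "")))
        for sub in node.get("subObjectsScanResults", []):
            walk(sub)

    walk(json.loads(response_json))
    return out


# Constructed sample: the page's archive response body, reproduced here so the
# example runs offline (the missing quote in the page's "object" line is fixed).
SAMPLE_RESPONSE = r'''{
"object": "\/home\/user\/eicars.tar",
"scanResult": "DETECTED",
"detectionName": "multiple",
"subObjectsScanResults": [
  {"object": "\/home\/user\/eicars.tar\/\/eicar1", "scanResult": "DETECTED", "detectionName": "EICAR-Test-File"},
  {"object": "\/home\/user\/eicars.tar\/\/eicar2", "scanResult": "DETECTED", "detectionName": "EICAR-Test-File"}
]
}'''


if __name__ == "__main__":
    body = build_scan_body(
        "/home/user/eicars.tar",
        web_origin("http://example.com"),
        request_headers=[("user-agent", "Mozilla/5.0"), ("accept", "text/html")],
        response_headers=[("content-type", "text/html; charset=UTF-8"), ("status", "200")],
    )
    print(build_http_request(body).decode())
    for obj, result, name in verdicts(SAMPLE_RESPONSE):
        print(f"{result:9} {name:16} {obj}")
```

Keeping the request body a plain dict and serialising it once at the end is what makes the Content-Length correct by construction; the scheme check on the origin URL rejects contexts the engine does not accept (the page lists only HTTP, HTTPS and FTP) before the request leaves the client.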