To make multipart HTTP requests, use the KAV protocol version 2 by specifying it in the X-KAV-ProtocolVersion request header.
When making a multipart HTTP request, you can specify request and response headers that were gathered from HTTP traffic related to the object being scanned. This data improves the detection rate.
The body of a multipart HTTP request must contain no more than three parts. These parts contain the following data:
This part must begin with the "Request headers" string followed by \r\n characters. These characters must be followed by request headers from HTTP traffic related to the object that is being scanned.
This part must begin with the "Response headers" string followed by \r\n characters. These characters must be followed by response headers from HTTP traffic related to the object that is being scanned.
This part can contain the full path to the file to scan (if a request is made to /scanfile) or a string (if a request is made to /scanmemory).
The following example shows a multipart HTTP request to scan a block of memory:
POST /scanmemory HTTP/1.0
Content-Length: 753
X-KAV-ProtocolVersion: 2
X-KAV-Timeout: 10
Content-Type: multipart/mixed; boundary=gc0p4Jq0M2Yt08jU534c0p

--gc0p4Jq0M2Yt08jU534c0p

Request headers
GET /files/test.exe HTTP/1.1
Host: source.example.com
Accept: application/octet-stream
Referer: http://malicious.example.com/
Host: source.example.com
Connection: Keep-Alive
--gc0p4Jq0M2Yt08jU534c0p

Response headers
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 21541
Date: Mon, 25 Sep 2017 11:01:54 GMT
Last-Modified: Fri, 28 Sep 2017 03:15:02 GMT
--gc0p4Jq0M2Yt08jU534c0p

* Contents of the EICAR test file *
--gc0p4Jq0M2Yt08jU534c0p--
The following example shows the corresponding response:
HTTP/1.0 200 OK
Date: Fri, 28 Sep 2017 03:15:02 GMT
Server: KAVHTTPD
Content-Length: 64
Connection: close
Content-Type: text/plain
X-KAV-ProtocolVersion: 2

DETECTED EICAR-Test-File
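The request format described above can be assembled programmatically. The following Python sketch is an added example, not code from the product documentation: it builds the multipart body and the matching headers, and picks a boundary that does not occur in any part, because the captured headers and the scanned object are untrusted data and a colliding boundary would split the body in the wrong place. The function names, the blank line after each boundary line, and passing the object to scan as raw bytes are assumptions of this example.

```python
import secrets

CRLF = b"\r\n"


def _crlf(text):
    """Normalize captured header text to CRLF line endings, as bytes."""
    return CRLF.join(line.encode("latin-1") for line in text.strip().splitlines())


def build_kav_multipart(payload, request_headers=None, response_headers=None,
                        boundary=None):
    """Return (http_headers, body) for a KAV protocol version 2 multipart request.

    payload: bytes to scan (/scanmemory) or a file path as bytes (/scanfile).
    request_headers / response_headers: header text captured from the HTTP
    traffic related to the object; both are optional.
    """
    sections = []  # at most three parts, in the order the page lists them
    if request_headers is not None:
        sections.append(b"Request headers" + CRLF + _crlf(request_headers))
    if response_headers is not None:
        sections.append(b"Response headers" + CRLF + _crlf(response_headers))
    sections.append(payload)

    def collides(candidate):
        # A part containing "--<boundary>" would end that part early.
        return any(b"--" + candidate.encode("ascii") in s for s in sections)

    if boundary is None:
        boundary = secrets.token_hex(16)
        while collides(boundary):
            boundary = secrets.token_hex(16)
    elif collides(boundary):
        raise ValueError("boundary occurs inside a part; choose another one")

    delim = b"--" + boundary.encode("ascii")
    # Assumed layout: boundary line, empty line (no part headers), content.
    body = b"".join(delim + CRLF + CRLF + s + CRLF for s in sections)
    body += delim + b"--" + CRLF

    headers = {
        "X-KAV-ProtocolVersion": "2",
        "Content-Type": "multipart/mixed; boundary=" + boundary,
        "Content-Length": str(len(body)),
    }
    return headers, body
```

The returned headers and body can be passed to any HTTP client as a POST to /scanmemory or /scanfile.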