Increasing the detection rate

March 5, 2024

ID 181065

When an HTTP request is made to scan a file or a block of memory, there are two ways to increase the detection rate by specifying an optional scan task context:

  • Provide the origin of the object to scan in the url field of the POST request body:
    • If the object to scan was received from the web, specify the web address of origin, including the protocol, for example:

      http://example.com

      The supported protocols are HTTP, HTTPS, and FTP.

      If the URL is unknown, we recommend that you use http://example.com as the scan task context.

    • If the object to scan was received by email, specify the sender's email address in the following format: [from:%sender_address%], for example:

      [from:example@example.com]

      If the sender's email address is unknown, we recommend that you use [from:test@relay.example] as the scan task context.

    Below is an example of an HTTP request to scan a local file received from the web. Note the use of the url field to specify the web address of origin:

    POST /api/v3.0/scanfile HTTP/1.0
    Content-Type: application/octet-stream
    Content-Length: 22

    {
      "timeout": "10000",
      "object": "\/home\/user\/eicar",
      "url": "http:\/\/example.com"
    }

    The response is the same as in the example of an HTTP request to scan a local file.

  • Provide request and response headers gathered from HTTP traffic related to the object to scan in the requestHeaders and responseHeaders fields of the POST request body.

    Note that you can combine the two types of scan task context to further boost the detection rate. In the example below, the request and response headers are specified along with the web address of origin.

    POST /api/v3.0/scanfile HTTP/1.0
    Content-Type: application/octet-stream
    Content-Length: 22

    {
      "object": "\/home\/user\/eicars.tar",
      "requestHeaders": ":authority: example.com\r\n:method: GET\r\n:path: \/\r\n:scheme: https\r\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\r\naccept-encoding: gzip, deflate, br\r\naccept-language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,mt;q=0.6\r\ncache-control: no-cache\r\npragma: no-cache\r\nupgrade-insecure-requests: 1\r\nuser-agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36",
      "responseHeaders": "accept-ranges: bytes\r\ncache-control: max-age=604800\r\ncontent-type: text\/html; charset=UTF-8\r\ndate: Thu, 31 Jan 2019 18:51:11 GMT\r\netag: \"1541025663\"\r\nexpires: Thu, 07 Feb 2019 18:51:11 GMT\r\nlast-modified: Fri, 09 Aug 2013 23:54:35 GMT\r\nserver: ECS (dca\/532C)\r\nstatus: 200\r\nvary: Accept-Encoding\r\nx-cache: HIT",
      "url": "http:\/\/example.com"
    }

    A successfully processed request results in the following response. Because the object is an archive, the top-level verdict is accompanied by a verdict for each scanned member in subObjectsScanResults:

    HTTP/1.0 200 Ok
    Connection: close
    Content-Type: text/plain
    Server: KAVHTTPD/1.0
    X-KAV-ProtocolVersion: 3
    Date: Wed, 30 Jan 2019 15:46:29 GMT
    Content-Length: 75

    {
      "object": "\/home\/user\/eicars.tar",
      "scanResult": "DETECT",
      "detectionName": "multiple",
      "subObjectsScanResults": [
        {
          "object": "\/home\/user\/eicars.tar\/\/eicar1",
          "scanResult": "DETECT",
          "detectionName": "EICAR-Test-File"
        },
        {
          "object": "\/home\/user\/eicars.tar\/\/eicar2",
          "scanResult": "DETECT",
          "detectionName": "EICAR-Test-File"
        }
      ]
    }
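As an added example (not code from the original article or from the Kaspersky Scan Engine distribution), the following Python helper builds the scanfile request body with either form of scan task context, serializes captured HTTP headers with CRLF as the requestHeaders and responseHeaders fields expect, and flattens the verdict tree of a response; the header samples and the response used when testing it are constructed from the examples above, and the timeout unit is not stated on the page.

```python
import json
from typing import Dict, Iterable, List, Optional, Tuple

SCANFILE_PATH = "/api/v3.0/scanfile"            # endpoint the body is POSTed to
SUPPORTED_SCHEMES = ("http", "https", "ftp")     # origins the url field accepts
UNKNOWN_URL = "http://example.com"               # fallbacks recommended in the article
UNKNOWN_SENDER = "test@relay.example"


def serialize_headers(headers: Iterable[Tuple[str, str]]) -> str:
    """Join (name, value) pairs with CRLF, the form requestHeaders/responseHeaders expect."""
    return "\r\n".join(f"{name}: {value}" for name, value in headers)


def build_scan_request(object_path: str, *, timeout: Optional[int] = None,
                       origin_url: Optional[str] = None, sender_email: Optional[str] = None,
                       request_headers: Optional[Iterable[Tuple[str, str]]] = None,
                       response_headers: Optional[Iterable[Tuple[str, str]]] = None) -> Dict[str, str]:
    """Body for POST /api/v3.0/scanfile; url holds one origin: a web address
    (http/https/ftp) or an e-mail sender as [from:...]. Use UNKNOWN_* when unknown."""
    if origin_url and sender_email:
        raise ValueError("url holds either a web origin or an e-mail sender, not both")
    body: Dict[str, str] = {}
    if timeout is not None:
        body["timeout"] = str(timeout)           # the article's example passes it as a string
    body["object"] = object_path
    if sender_email:
        body["url"] = f"[from:{sender_email}]"
    elif origin_url:
        # The protocol must be included; anything but http/https/ftp is rejected here.
        scheme = origin_url.split("://", 1)[0].lower()
        if scheme not in SUPPORTED_SCHEMES:
            raise ValueError(f"unsupported origin scheme: {scheme}")
        body["url"] = origin_url
    if request_headers:
        body["requestHeaders"] = serialize_headers(request_headers)
    if response_headers:
        body["responseHeaders"] = serialize_headers(response_headers)
    return body


def parse_scan_response(raw_json: str) -> List[Tuple[str, str, Optional[str]]]:
    """Flatten the top-level verdict and any sub-object verdicts (archive members)."""
    data = json.loads(raw_json)
    verdicts = [(data["object"], data["scanResult"], data.get("detectionName"))]
    for sub in data.get("subObjectsScanResults", []):
        verdicts.append((sub["object"], sub["scanResult"], sub.get("detectionName")))
    return verdicts
```

Passing the returned dict through json.dumps gives the request body; an archive response with a "multiple" top-level verdict flattens into one tuple per member so each detection can be logged individually.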
