Example of a multipart HTTP request to scan a block of memory

March 5, 2024

ID 181078

In Kaspersky Scan Engine, a multipart HTTP request is an HTTP request whose body carries, alongside the object to be scanned, the request and/or response headers gathered from the HTTP traffic in which that object was transferred. Supplying these headers gives the engine more context about the object and can improve the detection rate.

Note that this is Kaspersky Scan Engine's own format: the engine does not support multipart HTTP requests as defined in RFC 1341, even though the request uses a multipart/mixed Content-Type with a boundary.

To make multipart HTTP requests, use KAV protocol version 2 by setting the X-KAV-ProtocolVersion request header to 2.

The body of a multipart HTTP request contains no more than three parts, delimited by the boundary string given in the Content-Type header. The parts carry the following data, in this order:

  • Request headers (optional)

    This part must begin with the "Request headers" string followed by \r\n characters, and then contain the request headers from the HTTP traffic related to the object that is being scanned.

  • Response headers (optional)

    This part must begin with the "Response headers" string followed by \r\n characters, and then contain the response headers from the HTTP traffic related to the object that is being scanned.

  • Object for scanning

    This part contains the object itself: the full path of the file to scan (if the request is made to /scanfile) or the data to scan (if the request is made to /scanmemory). The Content-Length header of the request must cover the whole multipart body.

The following example shows a multipart HTTP request to scan a block of memory:

POST /scanmemory HTTP/1.0
Content-Length: 753
X-KAV-ProtocolVersion: 2
X-KAV-Timeout: 10
X-KAV-ObjectURL: http://example.com
Content-Type: multipart/mixed; boundary=gc0p4Jq0M2Yt08jU534c0p

--gc0p4Jq0M2Yt08jU534c0p
Request headers
GET /files/test.exe HTTP/1.1
Host: source.example.com
Accept: application/octet-stream
Referer: http://malicious.example.com/
Connection: Keep-Alive
--gc0p4Jq0M2Yt08jU534c0p
Response headers
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 21541
Date: Mon, 25 Sep 2017 11:01:54 GMT
Last-Modified: Thu, 28 Sep 2017 03:15:02 GMT
--gc0p4Jq0M2Yt08jU534c0p
* Contents of the EICAR test file *
--gc0p4Jq0M2Yt08jU534c0p--

The following example shows the corresponding response:

HTTP/1.0 200 OK
Date: Thu, 28 Sep 2017 03:15:02 GMT
Server: KAVHTTPD
Content-Length: 64
Connection: close
Content-Type: text/plain
X-KAV-ProtocolVersion: 2

DETECT EICAR-Test-File
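The following Python script is an added example, not code from the Kaspersky Scan Engine documentation or product. It assembles a KAV protocol version 2 multipart request like the one above (computing Content-Length from the body instead of hard-coding it), splits such a body back into its parts so that you can check what a client actually emits, and parses the verdict line of the engine's reply. The sample headers are constructed to mirror the example above; the scanned object is a placeholder byte string rather than the EICAR file, and the host and port of the engine, the send_scan_request helper and the assumption that the reply body's first line is "<verdict> <detail>" are all assumptions made for this example.

```python
"""Build, check and parse KAV protocol v2 multipart scan requests (added example)."""
import socket
from typing import Dict, List, Optional, Tuple

BOUNDARY = "gc0p4Jq0M2Yt08jU534c0p"      # boundary string from the page's example
PART_LABELS = ("Request headers", "Response headers")

# Constructed sample input mirroring the page's example. The object is a
# placeholder; substitute the EICAR test file to obtain a DETECT verdict.
SAMPLE_REQUEST_HEADERS = ("GET /files/test.exe HTTP/1.1\n"
                          "Host: source.example.com\n"
                          "Accept: application/octet-stream\n"
                          "Referer: http://malicious.example.com/\n"
                          "Connection: Keep-Alive\n")
SAMPLE_RESPONSE_HEADERS = ("HTTP/1.1 200 OK\n"
                           "Content-Type: application/octet-stream\n"
                           "Content-Length: 21541\n"
                           "Date: Mon, 25 Sep 2017 11:01:54 GMT\n")
SAMPLE_OBJECT = b"placeholder bytes standing in for the downloaded object"


def _crlf_block(text: str) -> bytes:
    """Normalise captured header text to CRLF line endings with one trailing CRLF."""
    lines = [ln.rstrip("\r") for ln in text.strip("\r\n").split("\n")]
    return ("\r\n".join(lines) + "\r\n").encode("latin-1")


def build_scan_request(obj: bytes, *, endpoint: str = "/scanmemory",
                       object_url: Optional[str] = None,
                       request_headers: Optional[str] = None,
                       response_headers: Optional[str] = None,
                       timeout: int = 10, boundary: str = BOUNDARY) -> bytes:
    """Assemble the raw HTTP/1.0 request. obj is the memory block (/scanmemory)
    or the full file path (/scanfile); Content-Length is computed, not hard-coded."""
    if endpoint not in ("/scanmemory", "/scanfile"):
        raise ValueError("multipart requests are documented for /scanmemory and /scanfile")
    delim = f"--{boundary}\r\n".encode("ascii")
    parts: List[bytes] = []
    # Optional parts come first, in the order the page lists them; each opens
    # with its label followed by CRLF. The object is always the last part.
    if request_headers is not None:
        parts.append(delim + b"Request headers\r\n" + _crlf_block(request_headers))
    if response_headers is not None:
        parts.append(delim + b"Response headers\r\n" + _crlf_block(response_headers))
    parts.append(delim + obj + b"\r\n")       # obj must not contain the boundary string
    body = b"".join(parts) + f"--{boundary}--\r\n".encode("ascii")
    head = [f"POST {endpoint} HTTP/1.0",
            f"Content-Length: {len(body)}",
            "X-KAV-ProtocolVersion: 2",       # multipart requests need protocol version 2
            f"X-KAV-Timeout: {timeout}"]
    if object_url is not None:
        head.append(f"X-KAV-ObjectURL: {object_url}")
    head.append(f"Content-Type: multipart/mixed; boundary={boundary}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


def split_parts(body: bytes, boundary: str = BOUNDARY) -> List[Tuple[Optional[str], bytes]]:
    """Split a request body into (label, content) pairs; label is None for the object.
    Useful for checking what a client emits before pointing it at the engine."""
    delim = f"--{boundary}".encode("ascii")
    end = body.rfind(delim + b"--")
    if end < 0:
        raise ValueError("missing closing boundary")
    chunks = body[:end].split(delim)[1:]      # drop the preamble before the first delimiter
    if not 1 <= len(chunks) <= 3:
        raise ValueError("a multipart request carries one to three parts")
    parts: List[Tuple[Optional[str], bytes]] = []
    for i, chunk in enumerate(chunks):
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]                 # CRLF after the delimiter line
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]                # CRLF before the next delimiter
        if i == len(chunks) - 1:
            parts.append((None, chunk))       # the object for scanning is always last
            continue
        label, _, rest = chunk.partition(b"\r\n")
        if label.decode("latin-1") not in PART_LABELS:
            raise ValueError(f"unexpected part label {label!r}")
        parts.append((label.decode("latin-1"), rest))
    return parts


def parse_scan_response(raw: bytes) -> Dict[str, str]:
    """Parse the engine's reply; assumes the body's first line is '<verdict> <detail>'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    lines = body.decode("latin-1").splitlines()
    verdict, _, detail = (lines[0].strip() if lines else "").partition(" ")
    return {"status": status_line, "protocol_version": headers.get("x-kav-protocolversion", ""),
            "verdict": verdict, "detail": detail}


def send_scan_request(host: str, port: int, request: bytes, timeout: float = 15.0) -> bytes:
    """Send the raw request over TCP and read until the engine closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while data := sock.recv(65536):
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    req = build_scan_request(SAMPLE_OBJECT, object_url="http://example.com",
                             request_headers=SAMPLE_REQUEST_HEADERS,
                             response_headers=SAMPLE_RESPONSE_HEADERS)
    print(req.decode("latin-1"))
    # Against a live engine (host and port are deployment-specific; assumed here):
    # print(parse_scan_response(send_scan_request("kse.internal", 1234, req)))
```

Run as a script, it prints the assembled request so you can compare it byte for byte with the example above; split_parts refuses bodies with more than three parts or a mislabelled headers part, which are the two mistakes clients most often make when hand-building this format.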
