Kaspersky Scan Engine and HTTP mode

March 5, 2024

ID 184921

Hypertext Transfer Protocol (HTTP) is the standard communication protocol in the client-server computer model. In HTTP mode, Kaspersky Scan Engine operates as a REST-like service that receives HTTP requests in JSON or plain text format from client applications. The service scans objects passed in these requests, and sends back HTTP responses with scan results in JSON or plain text format.

In addition, the source code of a sample HTTP client is shipped in the distribution package. This sample HTTP client demonstrates how to make requests to Kaspersky Scan Engine in HTTP mode. You can also use the compiled sample to scan files from the command line.

Connection types

Kaspersky Scan Engine supports two connection types:

  • TCP connection
  • UNIX socket connection

    For Linux systems only.

Scanning capabilities

Kaspersky Scan Engine supports the following scan modes:

  • scanfile

    In this mode, the sample HTTP client passes file paths to Kaspersky Scan Engine, which reads the files and scans them.

  • scanmemory

    In this mode, the sample HTTP client passes file contents to Kaspersky Scan Engine, which scans the contents. The maximum size of an object sent for scanning in scanmemory mode is limited by the system memory of the computer.

  • checkurl

    In this mode, the sample HTTP client passes URLs to Kaspersky Scan Engine, which checks them for malicious and phishing addresses.

You can scan files and URLs by making HTTP requests via KAV protocol version 3 or KAV protocol versions 1 and 2.

API token authorization

Kaspersky Scan Engine supports API token authorization.

If API token authorization is enabled, HTTP clients must specify an API token in the request header when sending requests to Kaspersky Scan Engine. The request header field used for sending the API token has a custom name. The Kaspersky Scan Engine administrator can specify this name in the Authorization section of the Kaspersky Scan Engine GUI. The default name is Authorization.

If you have enabled API token authorization and the kavhttpd service is not running, starting klScanEngineUI will also initiate the start of the kavhttpd service.

The usual procedure for creating and using an API token is as follows:

  1. The Kaspersky Scan Engine administrator creates a token in the Authorization section of the Kaspersky Scan Engine GUI.
  2. The Kaspersky Scan Engine administrator provides the token to the users who can use it to get access to the kavhttpd service.
  3. When making HTTP requests, the HTTP client sends the token as the value of the authorization field in the request header. The name of the authorization field in the request header must be the same as specified in the Kaspersky Scan Engine settings (see the description of the Authorization header field element of the Authorization section).
  4. If authorization is successful, Kaspersky Scan Engine provides access to its functions.

To try API token authorization and understand how it works, you can use the HTTP client provided with Kaspersky Scan Engine: configure Kaspersky Scan Engine to authorize requests, create an API token, and then use the HTTP client to send a request containing the token. You can find examples of such requests sent over KAV protocol version 1 or 2 and version 3.

For security reasons, an HTTPS connection is required to send requests that need authorization.

Keep-Alive connections

By default, Kaspersky Scan Engine supports Keep-Alive connections, so it can process multiple objects one after another over the same connection.

To open a Keep-Alive connection, an HTTP client has to add the following header to the request:

Connection: Keep-Alive

To close the connection, an HTTP client has to add the following header to the request:

Connection: close
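
The following Python helper is an added example, not code from the Kaspersky distribution or its sample HTTP client. It builds the request headers described in the API token authorization and Keep-Alive sections, and refuses to attach a token to a non-HTTPS URL. The function name, host name and token value are constructed for illustration; request paths and bodies are outside its scope.

```python
import re
from urllib.parse import urlsplit

# RFC 9110 "token" characters: the only ones valid in a header field name.
_FIELD_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def scan_request_headers(url, api_token=None, header_name="Authorization",
                         last_request=False):
    """Return the headers for one request to the kavhttpd service.

    header_name must equal the name set in the Authorization section of
    the Kaspersky Scan Engine GUI ("Authorization" is the default).
    """
    # Keep the connection open between objects; close it on the last one.
    headers = {"Connection": "close" if last_request else "Keep-Alive"}
    if api_token is None:
        return headers

    # Requests that need authorization require HTTPS. Fail on the client
    # side so the token never travels over a cleartext connection.
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("API token must only be sent over HTTPS")
    if not _FIELD_NAME.fullmatch(header_name):
        raise ValueError("invalid header field name")
    if header_name.lower() == "connection":
        raise ValueError("header name collides with the Connection header")
    # Reject empty tokens and control characters (CR/LF would let a
    # malformed token inject extra header lines).
    if not api_token or any(ord(c) < 0x20 or ord(c) == 0x7F for c in api_token):
        raise ValueError("API token is empty or contains control characters")

    # The token is sent as the value of the authorization field.
    headers[header_name] = api_token
    return headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials or hosts.
    url = "https://scanengine.example/"
    print(scan_request_headers(url, "constructed-token"))
    print(scan_request_headers(url, "constructed-token", last_request=True))
```

Pass the returned dictionary to the HTTP library of your choice together with the request path and body for the KAV protocol version you use.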
