Description of the HTTP API

In this section

General Information

User authentication and authorization

Managing Dr.Web for UNIX Mail Servers

Managing the list of threats

Managing Quarantine

Examples of using the HTTP API

1. General Information

The HTTP API is provided as a means to integrate Dr.Web for UNIX Mail Servers with third-party applications via the HTTP protocol (to ensure security, the HTTPS protocol is used).

Version 1.0 of the HTTP protocol is used to interact with the API. All requests use standard methods of the HTTP protocol: GET and POST. All data is transferred in the form of JSON objects, except as otherwise specified. If you are sending a JSON object in the body of your HTTP POST request, set the Content-Type: header to have the value of application/json.

The format of an HTTP response to an HTTP request

In response to all requests, except as otherwise specified, the API always returns a JSON object. If an error occurs, the API returns an Error JSON object.

If the JSON object sent as a response has a field of an Array type, but this array does not contain any elements, this field is omitted in the server response.

In all responses, except as otherwise specified, the Content-Type: header field has the application/json value.

If the client requests an endpoint that does not exist, the Error JSON object in which the code field with the EC_UNEXPECTED_MESSAGE value is returned.

If SCS (Secure Cookie Sessions for HTTP) is used, the responses contain a cookie proving the client authorization (hereinafter referred to as the SCS cookie).

Encoding of strings in JSON objects

The strings are transmitted in UTF-8 encoding (without BOM). Characters that are not part of the ASCII table are not escaped with sequences like \uXXXX, but are transmitted in UTF-8 encoding.

JSON objects can contain both UTF-8 encoded characters and escaped sequences like \uXXXX.

General restrictions on data transmission

In POST requests with JSON objects in their body any characters complying with RFC 7159 are allowed.

In GET requests any characters complying with RFC 1945 are allowed in the URI.

Characters complying with RFC 1945 can be used in any other part of the request (either in the headers or in the body).

2. User authentication and authorization

To start using the API, you should be authenticated by the server. Two methods of authorization are provided.

1.Using SCS in accordance with RFC 6896.

2.Using client SSL certificates attested by a trusted CA’s certificate on behalf of Dr.Web HTTPD. In this case the client is considered authorized as a superuser (X.509 client certificates are used).

If SCS is used, SCS cookies are transferred in the following HTTP headers: Cookie:—in the request and Set-Cookie:—in the response.
When authorizing with SSL certificates, SCS cookies are not required.

When authorizing with SCS, using the API starts with sending the login command. If this command is run successfully, the client receives an SCS cookie confirming the authorization.
When authorizing with a client certificate, you do not need to run the login command. If you try to run it, the Error JSON object is returned.

2.1. By specifying login and password (SCS)

User authentication and authorization commands:

API command

Description

login

Action: Authorize the client based on the specified user name and password to further use the HTTP API. If the authentication is successful, an SCS cookie will be returned.

URI: /api/10.2/login

HTTP method: POST

Input parameters: AuthOptions object

Result of successful execution: an empty object, SCS cookie

logout

Action: Revoke (deactivate) the SCS cookie provided earlier. The Error object with the EC_NOT_AUTHORIZED error code is returned in response to a request with the revoked SCS cookie.

URI: /api/10.2/logout

HTTP method: GET

Input parameters: SCS cookie

Result of successful execution: an empty object

whoami

Action: Get the name of the authorized user.

URI: /api/10.2/whoami

HTTP method: GET

Input parameters: (SCS cookie)*

Result of successful execution: whoami object, (SCS cookie)

*) Here and below the SCS cookie is put in parentheses, because it is required only when authorizing via SCS.

The login and logout commands are used only when authorizing via SCS.

Description of used objects

1) AuthOptions—an object which contains the user login and password:

{
"user": string, //User name
// "password": string //User password
}

You can specify any user who is a member of the admin group (sudoers in Debian and Ubuntu, wheel in CentOS and Fedora, astra-admin in Astra Linux, etc). If the user is not a member of the sudoers group, the EC_NOT_AUTHORIZED error is returned in the response.

2) whoami—an object which contains the name of the user who was authorized to use the HTTP API:

{
"whoami" :
{
"user": string //User name
}
}

3) Error—an object which contains information about the occurred error:

{
"error" :
{
"code" : string, //A string specifying an error code that looks like EC_XXX
*"what": string  //Description of the error
}
}

The parameter marked with * is optional.

The Error JSON object, that is returned in response to HTTP API commands if an error occurs while processing the requests, has the code field containing an internal string-type code used by the components of Dr.Web for UNIX Mail Servers rather than a numeric error code. This code is a string in the form of EC_XXX. To find out the numeric code and get detailed information about the error, refer to the Appendix F. Known Errors section.

2.2. Authorization using a personal certificate

This authorization method implies using a personal certificate signed by a certificate authority certificate specified as trusted in the Dr.Web HTTPD settings. If you have authorized with a certicate, all your requests are considered executed as root.

To authorize with a personal user certificate

1.Create a personal certificate signed by a certificate authority certificate.

2.In the Dr.Web HTTPD settings (the AdminSslCA parameter), specify a path to the certificate authority certificate used to sign your personal certificate.

3.Each time you connect to Dr.Web HTTPD, use a signed certificate.

If necessary, refer to the Appendix E. Generating SSL certificates section.

3. Dr.Web for UNIX Mail Servers Management

API commands for viewing and modifying the current values of configuration parameters:

API command

Description

Configuration management commands

get_lexmap

Action: Get the parameter values of the current configuration (a “lexical map” of parameters).

URI: /api/10.2/get_lexmap

HTTP method: GET

Input parameters: (SCS cookie)

Result of successful execution: LexMaps object, (SCS cookie)

set_lexmap

Action: Set or reset the specified parameter values of the current configuration (sent as a “lexical map” of parameters).

URI: /api/10.2/set_lexmap

HTTP method: POST

Input parameters: (SCS cookie), LexMap object

Result of successful execution: SetOptionResult object, (SCS cookie)

Updating commands

start_update

Action: Start updating.

URI: /api/10.2/start_update

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: the StartUpdate object, (SCS cookie)

stop_update

Action: Stop active updating process.

URI: /api/10.2/stop_update

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: an empty object, (SCS cookie)

baseinfo

Action: View the information about the downloaded viral bases

URI: /api/10.2/baseinfo

HTTP method: GET

Input parameters: (SCS cookie)

Result of successful execution: the BaseInfoResult object containing the VirusBaseInfo object (SCS cookie)

Licence management commands

install_license

Action: Install the specified key file.

URI: /api/10.2/install_license

HTTP method: POST

Input parameters: (SCS cookie), body of the key file (or of an archive with the key file)

Result of successful execution: an empty object, (SCS cookie)

Commands for connection to the centralized protection server

esconnect

Action: Enable the centralized protection mode.

URI: /api/10.2/esconnect

HTTP method: POST

Input parameters: (SCS cookie), the ESConnection object

Result of successful execution: an empty object, (SCS cookie)

esdisconnect

Action: Disable the centralized protection mode.

URI: /api/10.2/esdisconnect

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: an empty object, (SCS cookie)

Other

idpass

Action: Obtain password for the Dr.Web MailD repacked archive with threats.

URI: /api/10.2/idpass

HTTP method: POST

Input parameters: (SCS cookie), the IdpassRequest object

Result of successful execution: a string with a password, (SCS cookie)

Configuration of the product components is returned and set as the so-called lexical map, i.e. as a sequence of parameter-value pairs. A LexMaps object always contains three nested LexMap objects containing the following lexical maps:

active—active (valid) parameter values;

hardcoded—default values (automatically assigned to the parameters which values are not specified or invalid);

master—map of configuration parameter values specified by the client.

The get_lexmap command always returns all three sets of configuration parameter values for all the components that can be included in Dr.Web for UNIX Mail Servers, and not only for those that are installed and running.

Description of used JSON objects

1)LexMaps—an object containing an active, a predefined and a user-defined lexical maps of parameter values:

{
"active": LexMap, //Active values of configuration parameters
"hardcoded": LexMap, //Predefined values of configuration parameters
"master": LexMap //Configuration parameter values set by the user
}

Each of these fields is a LexMap object, which in turn contains an array of LexOption objects.

2)LexMap—an object containing a lexical map of parameters:

{
"option": LexOption[] //Array of configuration options
}

3)LexOption—an object containing a parameter or a configuration section (a group of parameters):

{
"key": string, //Name of an option (of a configuration parameter or a section)
*"value": LexValue, //If this option is a parameter
*"map": LexMap //If this option is a section
}

The parameters marked with * are optional.

The LexOption object represents a section or a parameter of the Dr.Web for UNIX Mail Servers configuration. It always has a key field corresponding to the name of the section or of the parameter, as well as a value field (if the object is a parameter), or a map field (in case it describes a section). A section is also an object of the LexMap type; whereas the parameter value is an object of the LexValue type containing an item field specifying the parameter value in the string format.

4)LexValue—an object containing an array of parameter values:

{
"item": string[] //Array of parameter values
}

The set_lexmap command accepts a LexMap object that must contain all the parameters which values you want to change to new ones or reset to their defaults. Those parameters that you want to reset to their default values must not contain the value field. Parameters that are not mentioned in the lexical map passed to the set_lexmap command will not be changed. As a result of its execution, the set_lexmap command returns a SetOptionResult object containing changed values of every parameter passed to the command.

5)SetOptionResult—an object with an item field containing an array of modified parameter values:

{
"item": SetOptionResultItem[] //Array of results
}

The object contains an array of SetOptionResultItem objects containing changed values of every parameter passed to the command.

6)SetOptionResultItem—an object containing information about a change of a parameter value:

{
"option": string, //Parameter name
"result": string, //Result of changing the value (error code)
*"lower_limit": string, //The lowest allowed value
*"upper_limit": string //The highest allowed value
}

The parameters marked with * are optional.

The option field contains the name of the parameter to which your action was applied, and the result field contains the result of an attempt to change the value of this parameter. If a new value was successfully assigned, the field has the EC_OK value. In case of an error, this object may contain a lower_limit field and an upper_limit field that store the maximum and the minimum allowed value for this parameter.

7)The StartUpdate object contains data on the started updating process:

{
"start_update":
 {
   "attempt_id" : number //Identifier of the started updating process
 }
}

8)The ESConnection object contains data on connection to a centralized protection server:

{
*"server": string, //<Host address>:<port>(without the http/https prefix)
"certificate": string, // Base64 server key
*"newbie": boolean, //false by default
*"login": string, //User name
*"password": string //Password
}

The parameters marked with * are optional.

The login and password parameters are only specified if newbie = true.
Before connecting, download the certificate file from the centralized protection server and run the command:

$ cat certificate.pem | base64

The string obtained from running this command is used as the certificate parameter value.

9)The BaseInfoResult object contains data on the downloaded virus bases:

{
"vdb_base_stamp" : number //Base timestamp
"vdb_bases" : VirusBaseInfo[] //Detailed information about the base
}

10)The VirusBaseInfo object containing the detailed information about the virus base:

{
 "path" : string //Path to the base file
 "virus_records" : number //Number of records in the base
 "version" : number //Base version
 "timestamp" : number //Base timestamp
 "md5" : string //Base MD5 hash
 "load_result" : string //The result of downloading the base (EC_OK if the base has been downloaded successfully)
 *"sha1" : string //Base SHA1 hash
}

The parameter marked with * is optional.

11)The IdpassRequest object contains information about the password-protected archive:

{
"id": string, //Email message identifier
*"secret": string //Secret word (optional field)
}

The parameter marked with * is optional.

If the secret field is not specified, the value of the MailD.RepackPassword configuration parameter is used if the password type is not Plain. If the password type is Plain, then the EC_INVALID_ARGUMENT error (the Error object) is returned.

4. Object Scanning

API commands for scanning objects:

API command

Description

Data scanning (calling the Dr.Web Network Checker component)

scan_request

Action: Request to create a connection (endpoint) to scan data with the necessary parameters.

URI: /api/10.2/scan_request

HTTP method: POST

Input parameters: (SCS cookie), the ScanOptions object

Result of successful execution: the ScanEndpoint object, (SCS cookie)

scan_endpoint

Action: Start data scanning (for instance, file body) at the created endpoint connection.

URI: /api/10.2/scan_endpoint/<endpoint>

HTTP method: POST

Input parameters: (SCS cookie), verifiable data

Result of successful execution: the ScanResult object, (SCS cookie)

scan_path

Action: Scan a file or a directory at the specified path.

URI: /api/10.2/scan_path

HTTP method: POST

Input parameters: (SCS cookie), ScanPathOptions object

Result of successful execution: the ScanPathResult object, (SCS cookie)

scan_stat

Action: Get scan statistics.

URI: /api/10.2/scan_stat

HTTP method: GET

Input parameters: (SCS cookie), statistics format (JSON or CSV)

Result of successful execution: the ScanStat object (if the JSON format is selected), (SCS cookie)

If the CSV format is selected, a table which columns correspond to the fields of the ScanStat object is returned.

Description of used JSON objects

1)ScanOptions is an object containing parameters used for creating endpoint for file scanning:

{
"scan_timeout_ms": number, //A time-out to scan one file, in ms
"cure": boolean, //Cure an infected file
"heuristic_analysis": boolean, //Use the heuristic analysis
"packer_max_level": number, //Maximum nesting level for packed objects
"archive_max_level": number, //Maximum nesting level for archives
"mail_max_level": number, //Maximum nesting level for email objects
"container_max_level": number, //Maximum nesting level for other compound objects (containters)
"max_compression_ratio": number //Maximum archive compression ratio
"min_size_to_scan" : number, //Minimal size of an object to be scanned
"max_size_to_scan" : number, //Maximal size of an object to be scanned
"threat_hash" : boolean //Get hashes of detected threats
}

2)ScanPathOptions is the object containing parameters for scanning a file or a directory at the specified path:

{
"path" : string //Absolute path to a file or a directory to be scanned
   *"exclude_path" : string[] //List of paths excluded from scanning (masks are allowed)
   *"scan_timeout_ms" : number //Timeout for scanning one object
   *"archive_max_level" : number //Maximum nesting level for archived objects
   *"packer_max_level" : number //Maximum nesting level for packed objects
   *"mail_max_level" : number //Maximum nesting level for email messages
   *"container_max_level" : number //Maximum nesting level for other compound objects (containters)
   *"max_compression_ratio" : number //Maximum archive compression ratio
   *"heuristic_analysis" : boolean //Use heuristic analysis (true by default)
   *"follow_symlinks" : boolean //Follow symbolic links
   *"min_size_to_scan" : number //Minimal size of an object to be scanned
   *"max_size_to_scan" : number //Maximal size of an object to be scanned
   *"timeout_ms" : number //Timeout for scanning all objects
   *"threat_hash" : boolean //Return SHA1 and SHA256 hashes of threats
}

The parameters marked with * are optional.

3)ScanPathResult is an object containing results of scanning a file or a directory at the specified path:

{
ScanPathResult:
   "results": ScanResult[] //Scan results
   *"error": string //Error if the scanning process has been terminated (for example, by timeout)
}

The parameter marked with * is optional.

If the scanning is successful, the error string will be absent in the response.

4)ScanResult is an object containing scan results:

{
ScanResult:
   "scan_report" : ScanReport //Scan report
   *"sha1" : string //SHA1 hash of a threat
   *"sha256" : string //SHA256 hash of a threat
}

The parameters marked with * are optional.

5)ScanReport is an object containing information about the file with a threat:

{
ScanReport:
"object" : string //String, the name of the scanned object
   For a file //An absolute path, the file name for a nested object
   Always refers to a temporary file when calling scan_endpoint
*"size" : number //Object size
*"compressed_size" : number //Compressed object size
*"core_fingerprint" : string //Engine fingerprint
*"packer" : string[] ////List of packers used to pack the object
*"compression_ratio" : number //Archive compression ratio
*"archive" : Archive //Information about the archive or container type, if the object was identified as such
*"virus" : Virus[] //Viruses detected in the object (if found)
*"item" : ScanReport[] //Reports on scanning the nested objects (if any)
*"error" : string  //Scanning error (if occurred)
*"heuristic_analysis" : boolean //Flag for using the heuristic analysis
*"cured" : boolean //Whether the object was cured (true - cured, false - not cured)
*"cured_by_deletion" : boolean //Whether the object was deleted while being cured (true - deleted, false - not deleted)
*"new_path" : string //New path to the object renamed while being cured
*"user_time" : number //Time spent for syscalls while scanning
*"system_time" : number //Time spent in the userspace
}

The parameters marked with * are optional.

The fields virus and error may be absent in the response if no threats were detected and no errors occurred during the scan. To call scan_endpoint, the scan_endpoint field always specifies a temporary file created by the Dr.Web Network Checker component in the server local file system and containing the data for scanning sent in the body of the scan_endpoint request).

6)ScanEndpoint is an object containing information about endpoint created for file scanning:

{
"endpoint": string //Unique identifier of the created endpoint
}

The endpoint identifier returned in the object body. The identifier is used to start file scanning with the scan_endpoint command (as part of URI).

7)VirusInfo is an object containing information about the detected threat:

{
"type": string, //Threat type
"name": string  //Name of the threat
}

The type field (threat type) is a string in the form of SE_XXX:

SE_KNOWN_VIRUS—a known virus;

SE_VIRUS_MODIFICATION—a modification of known malware;

SE_UNKNOWN_VIRUS—an unknown virus (suspicious object);

SE_ADWARE—adware;

SE_DIALER—a dialer program;

SE_JOKE—a joke program;

SE_RISKWARE—a potentially dangerous program;

SE_HACKTOOL—a hacktool.

8)Archive is an object containing information about an archive, packed objects, email messages and other containers:

{
"type" : string //Archive type, can be one of the follows:
       "SE_ARCHIVE" //Archive
       "SE_MAIL" //Email message
       "SE_CONTAINER" //Other container type
"name" : string //Archive format
}

9)ScanStat is an object containing scanning statistics:

{
"origin": string //Application by the request of which the scanning was performed
   #Counters for infected objects:
   "known_virus": number //Number of objects infected by known viruses
   "virus_modification": number //Number of objects infected by a modification of a known virus
   "unknown_virus": number //Number of objects infected by unknown viruses
   "adware": number //Number of objects with SE_ADWARE
   "dialer": number //Number of objects with SE_DIALER
   "joke": number  //Number of objects with SE_JOKE
   "riskware": number //Number of objects with SE_RISKWARE
   "hacktool" : number //Number of objects with SE_HACKTOOL
   "cured": number  //Number of cured threats
   "quarantined": number //Number of quarantined threats
   "deleted": number //Number of deleted threats
}

5. Managing the list of threats

To manage the list of threats that have been detected while scanning or by the SpIDer Guard file system monitor, the following commands are available in the HTTP API:

API command

Description

threats

Action: Get a list of identifiers of all detected threats.

URI: /api/10.2/threats/

HTTP method: GET

Input parameters: (SCS cookie)

Result of successful execution: Array of threat identifiers

threat_info

Action: Get information about a threat having the <threat ID> identifier.

URI: /api/10.2/threat_info/<threat ID>

HTTP method: GET

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), FileThreat object

cure_threat

Action: Attempt to cure a threat having the <threat ID> identifier.

URI: /api/10.2/cure_threat/<threat ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

delete_threat

Action: Delete the file containing the threat having the <threat ID> identifier.

URI: /api/10.2/delete_threat/<threat ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

ignore_threat

Action: Ignore the threat having the <threat ID> identifier.

URI: /api/10.2/ignore_threat/<threat ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

quarantine_threat

Action: Quarantine a threat having the <threat ID> identifier.

URI: /api/10.2/quarantine_threat/<threat ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

Each found threat has a unique integer identifier <threat ID>. The list of identifiers for all detected threats is returned by the threats command. The threat_info, cure_threat, delete_threat, ignore_threat, and quarantine_threat commands allow the threat identifiers from this list only.

All information about a specific threat, including action history, can be obtained using the threat_info request. The information is returned as the FileThreat object.

Description of JSON objects

1)FileThreat is an object containing the following information:

{
"threat_id": number, //Threat identifier
"detection_time": UNIXTime, //Date and time of detecting the threat
"report": ScanReport, //File scan report
"stat": FileStat, //Information about the file
"origin": string, //Name of the component that detected the threat
"origin_pid": number, //PID of the component that detected the threat
"task_id": number, //Identifier of the scanning task of the scanning engine
"history": ActionResult[] //History of actions applied to the threat (an array)
}

The report field contains a ScanReport object; the stat field contains a FileStat object, and the history field contains an array of ActionResult objects (the history of actions applied to the file).

2)ScanReport is an object containing information about the file with a threat:

{
"object": string, //File system object containing the threat
"size": number, //Size (in bytes) of the file containing the threat
"virus": VirusInfo[], //List of details about the detectedthreats
*"error": string, //Error message
"heuristic_analysis": boolean //Flag for using the heuristic analysis
}

The parameter marked with * is optional.

The virus field is an array of VirusInfo objects containing information about all detected threats. The error field is only present if an error has occurred.

3)FileStat is an object containing file statistics:

{
"dev": number, //Device
"ino": number, //Inode
*"size": number, //File size
*"uid": User, //User/owner identifier
*"gid": Group, //Owner group identifier
*"mode": number, //File access mode
*"mtime": UNIXTime, //File modification time
*"ctime": UNIXTime //File creation time
*"rsrc_size": number, //
*"finder_info": string, //
*"ext_finder_info": string, //
*"uchg": string, //
*"volume_name": string, //Volume name
*"volume_root": string, //Volume root (mount point)
*"xattr": Xattr[] //Extended information about the file
}

The parameters marked with * are optional.

The xattr field contains an array of Xattr objects. This object contains two string-type fields: name and value. The uid and gid fields represent User and Group objects that store information about a user/owner and an owner group respectively. These objects contain two fields each:

uid (gid)—the numeric ID of the user (group);

username (groupname)—name of the user (group) as a string.

4)ActionResult is an object containing information about the action applied to the file and its result:

{
"action": string, //Applied action
"action_time": UNIXTime, //Date/time when the action was applied
"result": string, //Result of applying the action
"cure_report": ScanReport //Report about applying the action
}

The cure_threat, delete_threat, ignore_threat and quarantine_threat commands return an empty object when run successfully. If the requested action to be applied to the threat fails (for example, the threat cannot be neutralized), an Error object is returned instead of an empty object.

6. Managing Quarantine

To manage quarantined threats, HTTP API provides the following commands:

API command

Description

quarantine

Action: List identifiers of quarantined objects.

URI: /api/10.2/quarantine/

HTTP method: GET

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), array of QuarantineId objects (quarantined objects)

qentry_info

Action: Get information about the quarantined object having the <entry ID> identifier.

URI: /api/10.2/qentry_info/<entry ID>

HTTP method: GET

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), QEntry object

cure_qentry

Action: Attempt to cure the quarantined object with the <entry ID> identifier.

URI: /api/10.2/cure_qentry/<entry ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

delete_qentry

Action: Delete the quarantined object with the <entry ID> identifier.

URI: /api/10.2/delete_qentry/<entry ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

restore_qentry

Action: Restore the quarantined object with the <entry ID> identifier to its original location.

URI: /api/10.2/restore_qentry/<entry ID>

HTTP method: POST

Input parameters: (SCS cookie)

Result of successful execution: (SCS cookie), an empty object

The quarantine command returns the array of QuarantineId objects, each of which contains the identifier of a quarantined object. The identifier consists of two parts: chunk_id and entry_id.

Description of used JSON objects

1)QuarantineId is an object containing parts of the compound identifier of a quarantined object:

{
"chunk_id": string,
"entry_id": string
}

A combination of these two fields in the form of <entry_id>@<chunk_id> represents the identifier of a quarantined object. This identifier is provided in all requests for performing actions under any quarantined object using the qentry_info, cure_qentry, delete_qentry and restore_qentry commands. The qentry_info command allows to get the detailed information about a quarantined object with a specified identifier. This command returns a QEntry object.

2)QEntry is an object containing information about a quarantined object:

{
"entry_id": string, //Parts of the identifier of
*"chunk_id": string, //the quarantined object
*"quarantine_dir": string, //Quarantine directory
"restore_path": string, //Path to restore the object
"creation_time": number, //Date/time of putting into quarantine (UNIX time)
"report": ScanReport, //Object scan report (see ScanReport above)
"stat": FileStat, //Statistical information about the file (see FileStat above)
*"history": QEntryOperation[], //History of operations performed on the object
*"who": RemoteUser, //Remote owner of the file (if the file was quarantined from a file storage having a network access)
*"detection_time": number, //Date/time of detecting the threat
*"origin": string //Component that detected the threat
}

The parameters marked with * are optional.

The report field contains a ScanReport object, the stat field contains a FileStat object, and the history field contains the history of actions applied to the quarantined object. Each action record is described by a QEntryOperation object. The optional who field contains information about the remote user in the form of a RemoteUser object.

3)QEntryOperation is an object containing information about an operation applied to the quarantined object:

{
"action": string, //Action applied to the object (see designations below)
"action_time": number, //Date/time of applying the action (UNIX Time)
"result": string, //Error of applying the action (a code in the form of EC_XXX)
*"restore_path": string, //Path for restoring the quarantined object (in case of action = "QENTRY_ACTION_RESTORE")
*"rescan_report": ScanReport //Report on rescanning (if action = "QENTRY_ACTION_RESCAN")
}

The parameters marked with * are optional.

The action field can have the following values:

QENTRY_ACTION_DELETE—an attempt to remove the quarantined object;

QENTRY_ACTION_RESTORE—an attempt to restore the quarantined object;

QENTRY_ACTION_RESCAN—an attempt to rescan the quarantined object;

QENTRY_ACTION_CURE—an attempt to cure the quarantined object.

4)RemoteUser is an object containing information about the remote user who owns the file (if the file was relocated to quarantine from the server storage):

{
*"ip": string, //User IP address
*"user": string, //User name
*"domain": string //User domain
}

The parameters marked with * are optional.

The cure_qentry, delete_qentry and restore_qentry commands return an empty object if the command execution was successful. In case the command failed, an Error object will be returned in the response.

7. HTTP API Usage Examples

To test the HTTP API, you can use the curl utility. The structure and format of the request can be provided as follows:

$ curl https://<HTTPD.AdminListen>/<HTTP API URI> -k -X <HTTP method>
[-H 'Content-Type: application/json' --data-binary '@< JSON object file>']
[-c <cookie file> [-b <cookie file>]] [> <result file>]

the -k option indicates that curl does not have to verify the used SSL certificate;

the -X options specifies the HTTP method being used (GET or POST);

the -H option is used to add the Content-Type: application/json header;

the --data-binary (or -d) option is used to add a JSON object read from a text file to the body request;

if SCS is used for authorization, the files containing the sent and received SCS cookies must be specified in the -b and parameters respectively.

The detailed description of the curl utility options can be displayed using the curl --help and man curl commands.

1.Authorize a client by specifying a user name and a password (for SCS).

An AuthOptions object in the JSON format must be stored in advance in the user.json file. For example:

{"user":"<username>","password":"<passphrase>"}.

Request:

$ curl https://127.0.0.1:4443/api/10.2/login -k -X POST -H 'Content-Type: application/json' --data-binary '@user.json' -c cookie.file

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 2
Set-Cookie: DWToken=6QXy4wn_JGov9A1GohWP_kvMK3dN6ccKegjNgKcmHpb_AqSrHg9cNX_yFJhxPDgr|MTQ2Mjg3Mzg4NQ==|cWd4Ow==|GywBUVOhU4w2LF_BKT5frg==|kR_rip5nrpxWjJ2dfZ7Xfmvi3rE=; Secure; HttpOnly; Max-Age: 900; Path=/
Pragma: no-cache
 
{}

The Set-Cookie header contains an SCS cookie to be used in all further requests to the HTTP API. If the authorization was successful, the body of the response will contain an empty object. If the user has not been authorized, the Error object is returned:

HTTP/1.0 403 Forbidden
Content-Type: application/json
Content-Length: 35
Pragma: no-cache
 
{"error":{"code":"EC_AUTH_FAILED"}}

2.Get information about the threat having the ID = 1 identifier:

Request:

$ curl https://127.0.0.1:4443/api/10.2/threat_info/1 -k -X GET -c cookie.file -b cookie.file

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 574
Set-Cookie: DWToken=<...>;
Secure; HttpOnly; Max-Age: 900; Path=/
Pragma: no-cache
 
{"threat_id":1,"detection_time":1462881660,
"report":{"object":"/sites/site1/eicar.com.txt","size":68,"packer":[],
"virus":[{"type":"SE_KNOWN_VIRUS","name":"EICAR Test File (NOT a Virus!)"}],
"heuristic_analysis":true,"core_fingerprint":"0D2DD5A869DAB7AE354153A4D5F70F45",
"item":[],"log":[],"user_time":0,"system_time":0},"stat":{"dev":2049,"ino":898,
"size":68,"uid":{"uid":1000,"username":"user"},"gid":{"gid":1000,"groupname":"user"},
"mode":33204,"mtime":1441028214,"ctime":1460738554,"xattr":[]},
"origin":"APP_COMMAND_LINE_TOOL","origin_pid":2726,"task_id":1,"history":[]}

3.Quarantine the threat having the ID = 1 identifier:

Request:

$ curl -v -c cookie.jar -b cookie.jar -k -X POST -H 'Content-Type:application/json' https://127.0.0.1:4443/api/10.2/quarantine_threat/1

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 2
Set-Cookie: DWToken=<...>; Secure; HttpOnly; Max-Age: 900; Path=/
Pragma: no-cache
 
{}

4.View the information about the quarantined object:

Request:

$ curl -v -k -X GET -c cookie.jar -b cookie.jar https://127.0.0.1:4443/api/10.2/qentry_info/3070d3ce-7b6e-4143-9d9f-89ba3473a781@801:2108d

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 781
Set-Cookie: DWToken=<...>; Secure; HttpOnly; Max-Age: 900; Path=/
Pragma: no-cache
 
{"entry_id":"3070d3ce-7b6e-4143-9d9f-89ba3473a781","chunk_id":"3830313A3231303864",
"quarantine_dir":"2F686F6D652F757365722F2E636F6D2E64727765622E71756172616E74696E65",
"restore_path":"2E2E2F7473742F65696361722E636F6D2E747874","creation_time":1462888884,
"report":{"object":"/home/user/tst/eicar.com.txt","size":68,"packer":[],
"virus":[{"type":"SE_KNOWN_VIRUS","name":"EICAR Test File (NOT a Virus!)"}],
"heuristic_analysis":true,"core_fingerprint":"467CD4C6D423C55448B71CD5B8152776",
"item":[],"log":[],"user_time":0,"system_time":0},"stat":{"dev":2049,"ino":898,
"size":68,"uid":{"uid":1000,"username":"user"},"gid":{"gid":1000,"groupname":"user"},
"mode":33204,"mtime":1441028214,"ctime":1462888421,"xattr":[]},"history":[],
"detection_time":1462888667,"origin":"APP_COMMAND_LINE_TOOL"}

 

5.Change settings: disable Dr.Web CloudD.

A LexMap object in the JSON format must be stored in advance in the lexmap_ls_off.json file:

{"option":[{"key":"Root","map":{"option":[{"key":"UseCloud","value":{"item":["no"]}}]}}]}

Request:

$ curl -v -k -c cookie.jar -b cookie.jar -X POST -H 'Content-Type: application/json' --data-binary '@lexmap_ls_off.json' https://127.0.0.1:4443/api/10.2/set_lexmap

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 58
Set-Cookie: DWToken=<...>; Secure; HttpOnly; Max-Age: 900; Path=/
Pragma: no-cache
 
{"item":[{"option":"Root.UseCloud","result":"EC_OK"}]}

6.Change settings: disable Dr.Web CloudD.

A LexMap object in the JSON format must be stored in advance in the lexmap_ls_on.json file:

{"option":[{"key":"Root","map":{"option":[{"key":"UseCloud","value":{"item":["yes"]}}]}}]}

Request:

$ curl -v -k -c cookie.jar -b cookie.jar -X POST -H 'Content-Type: application/json' --data-binary '@lexmap_ls_on.json' https://127.0.0.1:4443/api/10.2/set_lexmap

Response:

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 58
Set-Cookie: DWToken=<...>; Secure; HttpOnly; Max-Age: 900; Path=/
Pragma: no-cache
 
{"item":[{"option":"Root.UseCloud","result":"EC_OK"}]}