InQuest Integrations

InQuest Sandboxapi is minimal, consistent API for building integrations with malware sandboxes. Now, it has an integration with MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) .

Usage

Here is an example of how to use it. In order for this sample code to work, it is necessary to paste the API-key in the place of INSERT-YOUR-APIKEY-HERE, as well as a bad_file.exe in the same directory. The default host address is the community site.

import sys import time import pprint from sandboxapi import opswat # connect to the sandbox sandbox = opswat.MetaDefenderSandboxAPI("INSERT-YOUR-APIKEY-HERE") print("Does sandbox available?") print(sandbox.is_available()) # verify connectivity if not sandbox.is_available(): print("sandbox is down, exiting") sys.exit(1) # submit a file with open("bad_file.exe", "rb") as handle: file_id = sandbox.analyze(handle, "bad_file.exe") print("file {f} submitted for analysis, id {i}".format(f="bad_file.exe", i=file_id)) # wait for the analysis to complete while not sandbox.check(file_id): print("not done yet, sleeping 10 seconds...") time.sleep(10) # print the report print("analysis complete. fetching report...") report = sandbox.report(file_id) # pprint.pprint(report) for key, onereport in report.get("reports").items(): print( "Report verdict: {verdict}".format(verdict=onereport["finalVerdict"]["verdict"]) ) print("Report Score: {score}".format(score=sandbox.score(report)))

The output of the example code:

Does sandbox available? True file bad_file.exe submitted for analysis, id 668ff1c508c0fe0eb961b94c not done yet, sleeping 10 seconds... not done yet, sleeping 10 seconds... not done yet, sleeping 10 seconds... not done yet, sleeping 10 seconds... not done yet, sleeping 10 seconds... analysis complete. fetching report... Report verdict: MALICIOUS Report Score: 100

If you would like to use your own host address, modify the constructor:

sandbox = opswat.MetaDefenderSandboxAPI("INSERT-YOUR-APIKEY-HERE","INSERT-YOUR-HOST")

To scanning a zip file, call analyze in this way:

file_id = sandbox.analyze(handle, "bad_file.exe", password="mypassword")

If you would like to scan in a private way, use is_private option:

file_id = sandbox.analyze(handle, "bad_file.exe", is_private=True)

Compatibility

Tag

Sandbox 1.9.*

Sandbox 2..

v1.1.0 - v1.7.1

Yes

Yes


On This Page