2.5.1
How do you integrate the Sandbox IOC feed into the MetaDefender Cloud Reputation service?
Introduction
MetaDefender Sandbox and the MetaDefender Reputation service in the Cloud are integrated in both directions:
- Sandbox uses the Cloud Reputation API to perform OSINT Lookups for supported IOC types (hashes, IPs, domains and URLs). This represents Layer 1 of the full analysis pipeline, and the reputation checks greatly improve the efficacy of the overall analysis.
- Sandbox generates an IOC feed based on the public samples submitted to the filescan.io and metadefender.com Community sites. This IOC feed is continuously ingested into the internal database of the MetaDefender Reputation service to enrich the results of the Reputation API.
Processing Pipeline
The IOC processing pipeline includes the following steps:
- Filescan.io aggregates scan reports and calculates individual verdicts for the IOCs included in these scan reports. Note that filescan.io might also ingest Sandbox scan results from metadefender.com (public scan reports are shared between the two Community sites).
- The filescan.io backend creates a continuous IOC feed based on the summary of scan reports: https://www.filescan.io/feed/reports
- The MetaDefender Reputation service periodically ingests the IOC feed data from filescan.io. All IOCs with a valid verdict are saved to the Reputation database with all metadata that is included in the IOC feed. Each IOC is indexed separately in the database to allow efficient lookup operations.
Example API Responses
Hash lookup API response example including scan results from MetaDefender Sandbox:
```json
{
  "file_info": {
    "sha256": "D426DEFD9FC742C1E1524A7FBB93655C35735594F3C3E64B1F13280D7EDD24C9"
  },
  "scan_results": {
    "scan_details": {
      "MetaDefender Sandbox": {
        "scan_result_i": 1,
        "verdict": "MALICIOUS",
        "parent_verdict": "MALICIOUS",
        "origin": "VBA_EMULATION",
        "flow_id": "6810b62e3be9346af4496cf5",
        "def_time": "2025-04-30T15:23:18.000Z",
        "first_seen": "2024-01-30T10:22:02.000Z",
        "last_seen": "2025-04-30T15:23:18.000Z",
        "scan_count": 10,
        "tags": [
          "keylogger",
          "packed",
          "anti-vm",
          "anti-debug",
          "fingerprint",
          "expired-cert"
        ]
      }
    },
    "scan_all_result_i": 1,
    "scan_all_result_a": "Infected",
    "total_detected_avs": 1,
    "total_avs": 1
  }
}
```
URL lookup API response example including MetaDefender Sandbox as a reputation provider:
```json
{
  "address": "http://example.com.cn",
  "lookup_results": {
    "start_time": "2025-05-08T16:04:59.024Z",
    "detected_by": 2,
    "sources": [
      {
        "provider": "MetaDefender Sandbox",
        "assessment": "high risk",
        "verdict": "MALICIOUS",
        "parent_verdict": "MALICIOUS",
        "origin": "INPUT_FILE",
        "flow_id": "6810b62e3be9346a54346476et7t7",
        "detect_time": "2025-04-30T15:23:18.000Z",
        "first_seen": "2025-02-30T10:22:02.000Z",
        "last_seen": "2025-04-30T15:23:18.000Z",
        "scan_count": 3,
        "tags": [
          "peexe",
          "html",
          "javascript",
          "overlay",
          "packed",
          "microsoft_visual_cc"
        ],
        "update_time": "2025-05-08T16:07:28.306Z",
        "status": 1
      },
      {
        "provider": "webroot.com",
        "assessment": "high risk",
        "category": "Malware Sites",
        "detect_time": "",
        "update_time": "2025-05-08T16:07:28.306Z",
        "status": 1
      },
      {
        "provider": "www.team-cymru.org",
        "assessment": "",
        "detect_time": "",
        "update_time": "2025-05-08T16:04:59.041Z",
        "status": 5
      },
      {
        "provider": "blocklist.de",
        "assessment": "",
        "detect_time": "",
        "update_time": "2025-05-08T16:04:59.041Z",
        "status": 5
      },
      ...
    ]
  }
}
```
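The two responses above carry the Sandbox record in different places, so a consumer has to handle both shapes. The following is an added example, not OPSWAT code: the helper names (`parse_ts`, `sandbox_entry`, `summarize`) are hypothetical, the sample dicts are trimmed copies of the responses on this page, and the timestamp format is assumed from those samples.

```python
from datetime import datetime, timezone
PROVIDER = "MetaDefender Sandbox"  # name used in both response shapes on the page

def parse_ts(value):
    """Return an aware UTC datetime, or None for empty or invalid timestamps."""
    try:  # format assumed from the sample responses
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    except (TypeError, ValueError):
        return None
    return parsed.replace(tzinfo=timezone.utc)

def sandbox_entry(response):
    """Locate the Sandbox record in a hash-lookup or URL-lookup response."""
    details = response.get("scan_results", {}).get("scan_details", {})
    if PROVIDER in details:  # hash lookup: keyed by engine name
        return details[PROVIDER]
    for source in response.get("lookup_results", {}).get("sources", []):
        if source.get("provider") == PROVIDER:  # URL lookup: one list entry per provider
            return source
    return None

def summarize(response):
    """Normalize the Sandbox fields that both response shapes share."""
    entry = sandbox_entry(response)
    if entry is None:
        return None
    indicator = response.get("address") or response.get("file_info", {}).get("sha256")
    return {
        "indicator": indicator,
        "verdict": entry.get("verdict"),
        "origin": entry.get("origin"),
        "flow_id": entry.get("flow_id"),
        "scan_count": entry.get("scan_count", 0),
        "tags": sorted(entry.get("tags", [])),
        "first_seen": parse_ts(entry.get("first_seen")),
        "last_seen": parse_ts(entry.get("last_seen")),
    }

# Trimmed copies of the page's samples; the URL sample's first_seen is not a valid date.
HASH_RESPONSE = {
    "file_info": {"sha256": "D426DEFD9FC742C1E1524A7FBB93655C35735594F3C3E64B1F13280D7EDD24C9"},
    "scan_results": {"scan_details": {PROVIDER: {
        "verdict": "MALICIOUS", "origin": "VBA_EMULATION", "flow_id": "6810b62e3be9346af4496cf5",
        "first_seen": "2024-01-30T10:22:02.000Z", "last_seen": "2025-04-30T15:23:18.000Z",
        "scan_count": 10, "tags": ["keylogger", "packed"]}}}}
URL_RESPONSE = {"address": "http://example.com.cn", "lookup_results": {"sources": [
    {"provider": PROVIDER, "verdict": "MALICIOUS", "origin": "INPUT_FILE", "scan_count": 3,
     "first_seen": "2025-02-30T10:22:02.000Z", "last_seen": "2025-04-30T15:23:18.000Z"},
    {"provider": "webroot.com", "assessment": "high risk", "status": 1}]}}
```

`summarize()` returns `None` when no Sandbox record is present, and `parse_ts()` returns `None` rather than raising on a timestamp it cannot parse, so one bad field does not drop the whole record.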