MetaDefender Cloud API v4 4.0 Terms of Service Apache 2.0

About This Guide

Welcome to the MetaDefender Cloud guide. This guide is intended to provide the information you need to:

Start analyzing files with 20+ anti-malware engines

How to use MetaDefender Cloud Public APIs

Learn about new features, updated features, and bug fixes Learn about frequently asked questions and additional concepts through our library of knowledge base articles

Key Features of MetaDefender Cloud

File Analysis - Analyzing binaries with 20+ anti-malware engines

Deep CDR (aka Content Disarm and Reconstruction) with support for 100+ file types

Sandbox dynamic analysis to detect more unknown and targeted attacks

Binary vulnerability data assessment

IP-Domain reputation

Threat Intelligence Feeds

Server

https://api.metadefender.com/v4

Apikey

The apikey and related limits can be found in the account page. It is generated automatically when the account is created.

The apikey is used for all API requests to MetaDefender Cloud service.

Endpoints

/apikey/limits/status

Apikey info

Retrieve information about your apikey such as (but not limited to): max file size, API limits, created date, expiration date, and account nickname.

Auth

Headers

apikey

string

The apikey identifies and authenticates the user.

GET /apikey/

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v4/apikey/' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g'
Copy

Responses

200

The request has succeeded

Headers
X-Authenticated	string	Indicates the source of authentication.
X-Response-Time	string	Indicates the response time expressed in milliseconds.
Body
Account Information	object
max_file_download	int32	The maximum file size for downloading
max_upload_file_size	int32	The maximum upload size for files (expressed in MB)
max_archive_file_depth	int32	The maximum file depth for archives
max_archive_file_size	int32	The maximum upload size for archives (expressed in MB)
max_archive_file_number	int32	The maximum number of files contained in an archive
limit_prevention	int32	The daily limit of Prevention API calls. The daily limit is reset 24 hours after the first call on a given day.
limit_reputation	int32	The daily limit of Reputation API calls. The daily limit is reset 24 hours after the first call on a given day.
limit_threat_intel_search	int32	The daily limit of Threat Intel Search API calls. The daily limit is reset 24 hours after the first call on a given day.
limit_sandbox	int32	The daily limit of Sandbox API calls. The daily limit is reset 24 hours after the first call on a given day.
limit_feed	int32	The daily limit of Feed API calls. The daily limit is reset 24 hours after the first call on a given day.
mdc_license_type	string	The apikey's MetaDefender Cloud license type
qos_scan	string	The selected scan queue, based on the apikey type
userid	string	The userid corresponding to the apikey
sandbox_qos_scan	string	The selected sandbox scan queue, based on the apikey type
time_interval	string	The duration of time your apikey limit lasts for (daily for most)
expiration_date	string	The expiration date of the apikey. For paid apikey's this date is in the future.
workflow_rule	string	The flag specifies if an apikey is allowed to scan large files or archives (1GB+)
enforce_private_scan	boolean	The attribute that specifies if the apikey enforces private scans
is_enterprise	boolean	The attribute that specifies if the apikey is enterprise
throttling_limit	int32	The maximum number of requests for the duration of time your apikey lasts (one day for most)
mtls_only	boolean	The attribute that specifies if the apikey is MTLs only
portal_api_key	string	The apikey that has been queried
nickname	string	The nickname of the user correlated to the queried apikey
vulnerability_submissions	array[string]	The number of vulnerability submissions done by the user correlated to the queried apikey
created_at	string	The date when the apikey was created
updated_at	string	The last date when the apikey information was updated
scan_with	string	The service used by the apikey for scanning
paid_user	int32	Specifies the user's paid status. - 1: Paid user - 0: Not paid user
organization	object	The organization information
organization_id	string	The unique identifier of the organization
limit_prevention	int32	The organization's daily limit for Prevention API calls
limit_reputation	int32	The organization's daily limit for Reputation API calls
limit_threat_intel_search	int32	The organization's daily limit for Threat Intel Search API calls
limit_sandbox	int32	The organization's daily limit for Sandbox API calls
limit_feed	int32	The organization's daily limit for Feed API calls
throttling_limit	int32	The organization's request throttling limit
ip_whitelist	object
v4	array[string]	IPv4 whitelist
v6	array[string]	IPv6 whitelist
expiration_date	date-time	The organization's license expiration date
licenseLimitsTimeInterval	string	The duration of time your organization limit lasts for (daily for most)
mdc_license_type	string	The organization's MetaDefender Cloud license type
max_upload_file_size	int32	Maximum file upload size for the organization (MB)
max_archive_file_size	int32	Maximum archive file size for the organization (MB)
max_archive_file_number	int32	Maximum number of files in archives for the organization
max_archive_file_depth	int32	Maximum archive depth for the organization
qos_scan	string	The selected scan queue, based on the organization's license type
sandbox_qos_scan	string	The selected sandbox scan queue, based on the organization's license type

Expand

404

The requested page was not found

Response

xxxxxxxxxx
 
{ "max_file_download": 100, "max_upload_file_size": 140, "max_archive_file_depth": 5, "max_archive_file_size": 140, "max_archive_file_number": 50, "limit_prevention": 40, "limit_reputation": 4000, "limit_threat_intel_search": 0, "limit_sandbox": 1, "limit_feed": 1000, "qos_scan": "low", "userid": "userid1234567", "sandbox_qos_scan": "normal", "time_interval": "daily", "expiration_date": "1970-01-01T00:00:00.000Z", "workflow_rule": 0, "enforce_private_scan": false, "is_enterprise": false, "throttling_limit": 0, "mtls_only": false, "portal_api_key": "3d774dcf261286a3d7386ccddd83b2c8", "nickname": "white_brook_uauscbg2", "vulnerability_submissions": [], "created_at": "2022-04-21T12:09:35.699Z", "updated_at": "2022-08-04T06:49:59.495Z", "scan_with": "none", "paid_user": 0, "organization": {  "organization_id": "org_123456",  "limit_prevention": 30000,  "limit_reputation": 40000,  "limit_threat_intel_search": 1000,  "limit_sandbox": 1000,  "limit_feed": 500,  "throttling_limit": 1000,  "v4": [   "192.168.1.1",   "10.0.0.1"  ],  "v6": [   "2001:db8::1"  ],  "expiration_date": "1970-01-01T00:00:00.000Z",  "licenseLimitsTimeInterval": "daily",  "mdc_license_type": "enterprise",  "max_upload_file_size": 1500,  "max_archive_file_size": 2400,  "max_archive_file_number": 5000,  "max_archive_file_depth": 50,  "qos_scan": "high",  "sandbox_qos_scan": "high" }}
Copy

Expand

Apikey limits

Retrieve information about the consumed limits for an apikey. Every time a request is made to an endpoint that consumes a specific limit, it will be reflected in this endpoint. It is the equivalent of the X-RateLimit-Used from the response headers. Depending on your license, your rate limit will reset daily or monthly.

Auth

Headers

apikey

string

The apikey identifies and authenticates the user.

GET /apikey/limits

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v4/apikey/limits' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g'
Copy

Responses

200

The request has succeeded

Headers
X-Authenticated	string	Indicates the source of authentication.
X-Response-Time	string	Indicates the response time expressed in milliseconds.
Body
Apikey usage	object
reputation_api	int32	The consumed Reputation API limits for the apikey
threat_intel_search_api	int32	The consumed Threat Intel Search API limits for the apikey
prevention_api	int32	The consumed Prevention API limits for the apikey
feed_api	int32	The consumed Feed API limits for the apikey
download_file	int32	The consumed limits for file downloads for the apikey
sandbox_api	int32	The consumed Dynamic Analysis API limits for the apikey

404

The requested page was not found

Response

xxxxxxxxxx
 
{ "reputation_api": 8, "threat_intel_search_api": 0, "prevention_api": 99, "download_file": 0, "sandbox_api": 0, "feed_api": 0}
Copy

Apikey scan history

Retrieve a paginated list of files uploaded by the user in reverse chronological order (newest to oldest). The pagination is controlled by the user (how many items per page and which page) by specifying the limit and offset query parameters in the request. The response only contains a summary of the files, with minimum information.

Auth

Headers

apikey

string

The apikey identifies and authenticates the user.

Query String

limit	integer	Pagination - how many entries you want to return.
offset	integer	Pagination - how many entries to skip (sorted chronologically).
cursor	string	Utilize a string-based cursor for efficient pagination in database queries. This approach enhances performance and should be used in place of the traditional offset parameter.
search	string	An optional search term used to filter results based on hash or file display name.

GET /apikey/scan-history

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v4/apikey/scan-history' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --data limit={limit} \ --data offset={offset} \ --data cursor={cursor} \ --data search={search}
Copy

Responses

200

The request has succeeded

Scan history	object
data	array[object]	Scan History
data_id	string	The unique id received by the API for a submitted file
process_info	object	Information about the analysis process
progress_percentage	int32	The progress percentage of the analysis process
file_info	object	Information about the file
md5	string	The MD5 hash corresponding to the file scanned
sha1	string	The SHA1 hash corresponding to the file scanned
sha256	string	The SHA256 hash corresponding to the file scanned
display_name	string	The display name of the file
file_type_extension	string	The file extension
scan_results	object	Scan result
total_detected_avs	int32	The number of AVs that detected a threat
total_avs	int32	The number of AVs used by the API
scan_all_result_i	int32	The flag that specifies if the submitted file is infected
start_time	string	The date when the scan started
scan_with	string	The service used by the apikey for scanning
dlp_info	object	Contains the verdict from Proactive DLP
verdict	integer	The overall result for the scanned file. Possible values: 0 - Clean 1 - Found matched data 2 - Suspicious 3 - Failed 4 - Not scanned Enum: `0`,`1`,`2`,`3`,`4`
sanitized	object	Represents the sanitization information of an item.
reason	string	The reason or explanation for the sanitization.
result	string	The result or outcome of the sanitization process.
progress_percentage	integer	The progress percentage of the sanitized file.
failure_reasons	object	The object wrapping the list of files in the archive for which sanitization failed.
data_id	object	Sanitization failure reason for file
display_name	string	The name of the offending file.
file_path	string	Path to reach the file
reason	string	Description of the sanitization error
details	string	Additional details on the sanitization error
sandbox	object	Sandbox scan final verdict
verdict	string	The overall result for the scanned file.
threatLevel	integer	The infection score indicating the severity of the detected threats.
confidence	integer	The confidence score when determining the severity of the detected threats.
blocked	boolean	The indicator whether the file is blocked.
vulnerability	object	The highest vulnerability based on the CVEs associated with the file
severity_index	integer	A numerical representation of the severity of the vulnerability
severity	integer	A textual representation of the severity index of the vulnerability Enum: `LOW`,`MODERATE`,`IMPORTANT`,`CRITICAL`
nextCursor	string	A string-based cursor used to retrieve the next page of results, replacing the traditional offset parameter. This parameter is available only on the last element within the results array.

Expand

404

The requested page was not found

Response

xxxxxxxxxx
 
{ "data": [  {   "data_id": "bzIzMDUxNzZSangxTWRjdExtWHFrTFhMVTU",   "process_info": {    "progress_percentage": 0   },   "scan_results": {    "scan_all_result_i": 255,    "start_time": "2023-05-17T11:17:14.437Z",    "total_avs": 0,    "total_detected_avs": 0   },   "file_info": {    "sha1": "0C8C6A0277B4A6DB99778308E6038CD547AC61C6",    "display_name": "example.txt",    "file_type_extension": "txt"   },   "scan_with": "mdcore"  },  {   "data_id": "bzIzMDUxNm5WNXpvMmJVOGxqZU9pWFE1Yzk",   "process_info": {    "progress_percentage": 100   },   "scan_results": {    "scan_all_result_i": 0,    "start_time": "2023-05-16T02:35:06.559Z",    "total_avs": 32,    "total_detected_avs": 0   },   "file_info": {    "md5": "57284175F0F6653A2132DF45DC630D83",    "sha1": "4586636197B99E8984F8200810F32AED728C2E1B",    "sha256": "26D96BAE6D514FFE543353D2569E6AD4BEACC4C03DF096AC3AB93ED194E572AB",    "file_type_extension": "pdf",    "display_name": "Adobe Portable Document Format.pdf"   },   "scan_with": "mdcore",   "dlp_info": {    "verdict": 0   },   "sanitized": {    "reason": "Sanitization successful",    "progress_percentage": 100,    "result": "Sanitized"   },   "sandbox": {    "confidence": "1",    "verdict": "INFORMATIONAL",    "blocked": false,    "threatLevel": 0.10000000149011612   },   "vulnerability": {    "severity_index": 36,    "severity": "LOW"   },   "nextCursor": "NWZkZzMiN4JkNWA5ZGNiYzBhOTJjN2Pn"  },  {   "data_id": "bzIzMDLLvm5WNXpvMmoVOGXqZU9pWFE1Yzk",   "process_info": {    "progress_percentage": 100   },   "scan_results": {    "scan_all_result_i": 0,    "start_time": "2023-06-18T02:35:07.549Z",    "total_avs": 32,    "total_detected_avs": 0   },   "file_info": {    "md5": "87284175F0F6653A2132DD75RC630D83",    "sha1": "4586636197B99E8984F82AS910F32AED728C2E1B",    "sha256": "26D96BAE6D514FFE543353D2569ECCK24EACC4C03DF096AC3AB93ED194E572AB",    "file_type_extension": "dll",    "display_name": "steam_apirajas.dll"   },   "scan_with": "mdcore",   "sanitized": {    "reason": "Error",    "result": "Sanitization Failed",    "progress_percentage": 100   },   "failure_reasons": {    "YnpJME1ETXdNV3BWVFVsM1QwUnNOQWVxZnFzTjMtWHY": {     "display_name": "steam_apirajas-2.dll",     "file_path": "steam_apirajas.dll/steam_apirajas-2.dll",     "reason": "Unsupported version",     "details": "Version 5.1.2600.2180 is not supported"    }   },   "nextCursor": "NWZkZzMiN4JkNWA5ZGNiYzBhOTJjN2Pn"  } ]}
Copy

Expand

Apikey remaining limits

Retrieve information about the remaining limits for an apikey.

Auth

Headers

apikey

string

The apikey identifies and authenticates the user.

GET /apikey/limits/status

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v4/apikey/limits/status' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g'
Copy

Responses

200

The request has succeeded

Apikey usage	object
reputation_api	int32	The remaining Reputation API limits for the apikey
threat_intel_search_api	int32	The remaining Threat Intel Search API limits for the apikey
prevention_api	int32	The remaining Prevention API limits for the apikey
feed_api	int32	The remaining Feed API limits for the apikey
download_file	int32	The remaining limits for file downloads for the apikey
sandbox_api	int32	The remaining Dynamic Analysis API limits for the apikey
throttling_limit	int32	The remaining Throttling limits for the apikey

404

The requested page was not found

Response

xxxxxxxxxx
 
{ "reputation_api": 3992, "threat_intel_search_api": 25, "prevention_api": 3901, "download_file": 100, "sandbox_api": 100, "feed_api": 4000, "throttling_limit": 8}
Copy

File Scanning

Scanning a file starts with uploading the file to MetaDefender Cloud to initiate the scan process. Although we are trying to keep scanning very fast, scanning with more than 30 engines might take from a few seconds to many minutes depending on file type, file size, and current traffic. Also, archives usually take longer when scanning all the files inside. Due to these variables, we are not able to guarantee scanning times.

Free API users are sent to different queues with a lower priority, and MetaDefender Cloud customers' scan requests are prioritized.

Scanning a file consists of the following steps:

Initiate scan request by uploading a file
Retrieve scan report using unique data_id returned from Scan File API

Notes:

When both the multiscan and sandbox functionalities are concurrently operational, and specific rate limits have been established for the sandbox, while none exist for multiscan, rather than generating an error, the sandbox process will be executed. Consequently, the associated data_id will return a status code of 253, denoting 'Not Scanned. Rate Limit Exceeded,' within the scan results.

Endpoints

/file/webhooks/{dataId}

Show

Hash Lookups

MetaDefender provides two basic ways of looking up scan results using data hashes, MD5, SHA1, and SHA256:

Single hash lookup
Multiple hash lookup

While single hash lookup provides full scan results related to the hash, if found, multiple hash lookup will return a list of condensed results with links (data_ids) to the full scan results.

Endpoints

/hash/{hash}/scanhistory

GET

/hash/{hash}/badge

Show

Reputation Service

MetaDefender Cloud allows users to check IP addresses, domains, and URLs for malicious behavior using multiple IP & URL reputation sources. This functionality makes it possible to identify threats like botnets that would not be found through scanning files when accessing content. By providing a standardized interface for leading IP & URL reputation sources, MetaDefender Cloud makes it possible to obtain aggregated data on whether an IP address, domain or URL should be trusted, enabling you to monitor your network for possible threats.

MetaDefender Cloud provides two basic ways of verifying reputation for each type:

Single scan (Scanning IP / Domain / URL)
Bulk scans (Scanning list of IPs / Domains / URLs)

Endpoints

/url/{observable_url}

POST

/url/

GET

/domain/{observable_domain}

POST

/domain/

Show

Application Information

MetaDefender Cloud allows users to leverage our threat intelligence platform by providing an extensive REST API. The unique data set shared through our platform is collected from millions of live machines. This data set offers you tremendous insights on the behavior of potential malware, in order of weeks, from endpoints used in live environments by real users. This real-time information is more valuable than information from a sandbox solution, where everything is running in a controlled and simulated environment for approximately 3 minutes.

Through our API, you will be able to retrieve all the applications that the searched hash belongs to, all the network connections made by those applications, and the other loaded components that are used by those applications. You will be able to identify, restrict, or grant access based on the correlations provided.

Endpoints

GET

/hash/{exif_hash}/exif

GET

/hash/{peinfo_hash}/peinfo

GET

/hash/{apk_hash}/apk-manifest

Show

Data Sanitization Cdr

MetaDefender Cloud allows users to leverage our Deep CDR (Content Disarm and Reconstruction) technology by providing an extensive REST API.

Through our API, you will be able to use data sanitization (CDR) to strip out embedded objects in document files. Some targeted attacks may not be detected by traditional anti-malware engines, which is why data sanitization should be performed on document files. The CDR process provides an extra level of insurance against zero-day attacks without affecting the usability of the files. MetaDefender Cloud leverages the MetaDefender Core Deep CDR engine.

Endpoints

GET

/file/converted/{dataId}

DELETE

/file/converted/{dataId}

Show

Threat Intelligence Feed

OPSWAT's threat intelligence feed enables developers to leverage data collected from thousands of MetaDefender Cloud community users and customers. Developers, IT administrators and organizations can easily integrate our up-to-date malware threat intelligence data into their existing tools or solutions to effectively protect their organization against threats.

Use cases for the feed include:

Organizations that want to be on the lookout for the hottest malware
IT specialists that implement file denylist based on hashes
Researchers analyzing trending malware on the market
Security products that leverage threat intelligence capabilities to harden security measures

Endpoints

GET

/feed/clean/latest

GET

/feed/infected/latest

Show