Metadefender Cloud Threat Intelligence API v5 5.0 Terms of Service Apache 2.0

About This Guide

Welcome to the MetaDefender Cloud Threat Intelligence guide. This guide is intended to provide the information for:

Organizations that want to be on the lookout for the hottest malware
IT specialists that implement file blacklists based on hashes
Researchers analyzing trending malware on the market
Security products that leverage Threat Intelligence capabilities to harden security measures

WARNING

A commercial license is required to access the Threat Intelligence v5 API endpoints. Free users will not be able to access these endpoints. Please contact OPSWAT Sales to set up a time-limited evaluation license for your organization.

How to use MetaDefender Cloud Threat Intelligence Public APIs

Learn about new features, updated features, and bug fixes Learn about frequently asked questions and additional concepts through our library of knowledge base articles

Key Features of MetaDefender Cloud Threat Intelligence

AV File Reputation

File Analysis

Scan History

Expression Search

Similarity Search

Server

https://api.metadefender.com/v5

Av File Reputation

Returns AV file reputation status for a file hash by MD5, SHA1, or SHA256 The status can be: MALICIOUS, SUSPICIOUS, BENIGN, or UNKNOWN. This status depends on the confidence level:

when confidence_level = 0 then 'benign'
when confidence_level < 50 then 'suspicious'
when confidence_level >= 50 then 'malicious'
else 'unknown'

The confidence level is calculated using the AV detection percentage and the dynamic analysis result (if it exists).

More about file types

WARNING: This is an experimental endpoint, it may change in the future!.

GET

/threat-intel/av-file-reputation/{hash}

POST

/threat-intel/av-file-reputation/

AV file reputation status

Retrieve AV file reputation information by looking up a hash using MD5, SHA1 or SHA256

Auth

Headers

apikey

string

The apikey identifies and authenticates the user

extended

integer

Include additional metadata about the hash. By default, it is false (0). WARNING: When this flag is enabled (1), it results in DOUBLE credit consumption against the daily limit!

Allowed values

0 (get reputation only)
1 (get additional details)

Path Params

hash

string

A hash is used to identify a file (MD5, SHA1 or SHA256)

GET /threat-intel/av-file-reputation/{hash}

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v5/threat-intel/av-file-reputation/0AA357C084039538022F812FF791681D' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --header 'extended: 1'
Copy

Responses

200

The request has succeeded

AV File Reputation	object
md5	string
sha1	string
sha256	string
reputation	string	Enum: `benign`,`suspicious`,`malicious`,`unknown`
reputation_i	int32

400

Bad request

Response

xxxxxxxxxx
 
{ "md5": "E15B36C2E394D599A8AB352159089DD2", "sha1": "28719979D7AC8038F24EE0C15114C4A463BE85FB", "sha256": "39D04828AB0BBA42A0E4CDD53FE1C04E4EEF6D7B26D0008BD0D88B06CC316A81", "reputation": "malicious", "reputation_i": 1, "first_seen": "2022-05-26T17:38:24.893Z", "last_seen": "2022-07-21T18:53:56.441Z", "update_timestamp": "2022-07-21T19:00:39.703Z", "file_info": {  "file_size": 1194496,  "file_type": "application/msword",  "file_type_category": "D",  "file_type_description": "Microsoft Word 97-2003 Document",  "file_type_extension": "doc" }, "total_avs": 24, "av_detection_count": 11, "av_detection_percentage": 45.83, "confidence_level": 53.22, "risk_level": "high", "standard_threat_name": "Document-DOC.Dropper.msword", "malware_families": [  "msword",  "script",  "eanuuw" ], "malware_threat_names": [  "W97M/Dropper",  "W97M.Downloader.ARV",  "Doc.Dropper.Agent-1625150",  "Malware",  "W97M.Downloader.ARV (B)",  "Trojan.Win32.Rootkit",  "Trojan-Dropper.MSWord.Agent.rj",  "W97M/Downloader.aul",  "Trojan.Script.Agent.eanuuw",  "W97M.Dropper.RO",  "W97M.DownLoader.BIC" ], "malware_types": [  "Dropper",  "Downloader",  "Agent",  "Trojan",  "Malware",  "Rootkit" ], "platforms": [  "Generic" ]}
Copy

Expand

AV file reputation status (Bulk lookup)

Retrieve AV file reputation information by looking up a list of hashes (MD5, SHA1 or SHA256)

Auth

Headers

apikey

string

The apikey identifies and authenticates the user

Content-Type

string

Specify the http content type

Allowed values - application/json

extended

integer

Include additional metadata about the hash. By default, it is false (0). WARNING: When this flag is enabled (1), it results in DOUBLE credit consumption against the daily limit!

Allowed values

0 (get reputation only)
1 (get additional details)

Request Body

List of hashes whose reputation you are interested in

JSON payload for bulk lookup	object
hash	array[string]

POST /threat-intel/av-file-reputation/

xxxxxxxxxx
 
curl --request POST \ --url 'https://api.metadefender.com/v5/threat-intel/av-file-reputation/' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --header 'Content-Type: application/json' \ --header 'extended: 1' \ --data '{  "hash": [    "4102F370AAF46629575DAFFBD5A0B3C9",    "E15B36C2E394D599A8AB352159089DD2"  ]}'
Copy

Responses

200

AV File Reputation (Bulk lookup)	object
data	array[object]
md5	string
sha1	string
sha256	string
reputation	string	Enum: `benign`,`suspicious`,`malicious`,`unknown`
reputation_i	int32

400

Bad request

Response

xxxxxxxxxx
 
{ "data": [  {   "md5": "0465AE2CBB2C04FF387B79E839CF97DE",   "sha1": "0B42850643FB4B3A50477763129C51502277D3E7",   "sha256": "F1873069DBA63285CEA912960D6EC6AFB77B4629FA5B9009DE8444126B2BF0FA",   "reputation": "benign",   "reputation_i": 0,   "first_seen": "2022-06-26T12:12:13.931Z",   "last_seen": "2022-07-31T02:34:10.870Z",   "update_timestamp": "2022-07-31T02:40:34.500Z",   "file_info": {    "file_size": 83809,    "file_type": "application/x-dosexec",    "file_type_category": "E",    "file_type_description": "Self-Extracting Executable File",    "file_type_extension": "exe"   },   "total_avs": 24,   "av_detection_count": 0,   "av_detection_percentage": 0,   "confidence_level": 0,   "risk_level": "unknown",   "malware_families": [],   "malware_threat_names": [],   "malware_types": [],   "platforms": [    "Win32",    "Win64"   ]  },  {   "md5": "4102F370AAF46629575DAFFBD5A0B3C9",   "sha1": "EFE9462BFA3564FE031B5FF0F2E4F8DB8EF22882",   "sha256": "004C99BE0C355E1265B783AAE557C198BCC92EE84ED49DF70DB927A726C842F3",   "reputation": "suspicious",   "reputation_i": 2,   "first_seen": "2022-05-26T17:34:02.673Z",   "last_seen": "2022-07-21T18:53:56.188Z",   "update_timestamp": "2022-07-21T19:00:39.703Z",   "file_info": {    "file_size": 251392,    "file_type": "application/x-dosexec",    "file_type_category": "E",    "file_type_description": "Dynamic Link Library",    "file_type_extension": "dll"   },   "total_avs": 24,   "av_detection_count": 15,   "av_detection_percentage": 62.5,   "confidence_level": 37.39,   "risk_level": "high",   "standard_threat_name": "Win32.Backdoor.havex",   "malware_families": [    "havex",    "abpd",    "havexopc",    "abqf",    "dovt",    "004db1f71",    "fccm",    "dftece",    "axhj"   ],   "malware_threat_names": [    "Win-Trojan/Havex.251392",    "TR/Agent.abqf",    "Backdoor.Agent.ABPD",    "Malware",    "W32/Havex.DOVT-1858",    "Backdoor.Agent.ABPD (B)",    "Backdoor.Win32.Havex",    "Trojan ( 004db1f71 )",    "Trojan-Spy.Win32.HavexOPC.a",    "BackDoor-FCCM!4102F370AAF4",    "Trojan.Win32.HavexOPC.dftece",    "Trojan/W32.Havex.251392",    "Backdoor.Win32.Agent.AXHJ",    "Backdoor.Havex.Win32.1"   ],   "malware_types": [    "Backdoor",    "Trojan",    "Agent",    "Malware"   ],   "platforms": [    "Win32",    "Win64"   ]  } ]}
Copy

Expand

File Analysis

Provides file analysis data on hashes (MD5, SHA1, or SHA256). Metadata can include relevant portions of static analysis, AV scan information, file sources and any related IP/domain information.

WARNING: This is an experimental endpoint, it may change in the future!.

GET

/threat-intel/file-analysis/{hash}

POST

/threat-intel/file-analysis/

File analysis data

Provides file analysis data on hashes (MD5, SHA1, or SHA256). Metadata can include relevant portions of static and dynamic analysis, AV scan information, file sources.

Auth

Headers

apikey

string

The apikey identifies and authenticates the user

Path Params

hash

string

A hash is used to identify a file (MD5, SHA1 or SHA256)

GET /threat-intel/file-analysis/{hash}

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v5/threat-intel/file-analysis/0AA357C084039538022F812FF791681D' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g'
Copy

Responses

200

The request has succeeded

File Analysis	object
md5	string
sha1	string
sha256	string
first_seen	date-time
last_seen	date-time
update_timestamp	date-time
file_info	object
file_size	int32
file_type	string
file_type_category	string
file_type_description	string
file_type_extension	string
file_sources	array[string]	Enum: `partner`,`customer`
last_av_scan	object
malware_families	array[string]
malware_types	array[string]
platforms	array[string]	Enum: `Generic`,`MacOS`,`DOS`,`Win32`,`Win64`,`Android`,`Linux`
scan_all_result_i	int32
scan_details	object
scan engine	object
threat_found	string
scan_result_i	int32
standard_threat_name	string
start_time	date-time
sub_platform	string
total_avs	int32
total_detected_avs	int32
total_time	int32
trust_factor	int32

Expand

400

Bad request

Response

xxxxxxxxxx
 
{
 "md5": "212F54F19FDDA17FC5F49F0710365EC8", "sha1": "ABF8BCEC12DE872CBC92239B8C636624FEE555BC", "sha256": "01D02FED7C9FAF7E60A8239513E3DFAE9119B09F8F7837D2D5000B61992B9B33", "first_seen": "2022-06-22T17:27:06.695Z", "last_seen": "2022-06-22T17:27:06.695Z", "update_timestamp": "2022-06-22T17:31:09.735Z", "file_info": {...},
 "file_sources": [...],
 "last_av_scan": {...},
 "trust_factor": 25}
Copy

File analysis data (Bulk lookup)

Bulk lookup of file analysis data on hashes (MD5, SHA1, or SHA256). Metadata can include relevant portions of static and dynamic analysis, AV scan information, file sources.

Auth

Headers

apikey	string	The apikey identifies and authenticates the user
Content-Type	string	Specify the http content type Allowed values - application/json

Request Body

List of hashes whose analysis you are interested in

JSON payload for bulk lookup	object
hash	array[string]

POST /threat-intel/file-analysis/

xxxxxxxxxx
 
curl --request POST \ --url 'https://api.metadefender.com/v5/threat-intel/file-analysis/' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --header 'Content-Type: application/json' \ --data '{  "hash": [    "4102F370AAF46629575DAFFBD5A0B3C9",    "E15B36C2E394D599A8AB352159089DD2"  ]}'
Copy

Responses

200

object	object
data	array[object]
md5	string
sha1	string
sha256	string
first_seen	date-time
last_seen	date-time
update_timestamp	date-time
file_info	object
file_size	int32
file_type	string
file_type_category	string
file_type_description	string
file_type_extension	string
file_sources	array[string]	Enum: `partner`,`customer`
last_av_scan	object
malware_families	array[string]
malware_types	array[string]
platforms	array[string]	Enum: `Generic`,`MacOS`,`DOS`,`Win32`,`Win64`,`Android`,`Linux`
scan_all_result_i	int32
scan_details	object
scan engine	object
threat_found	string
scan_result_i	int32
standard_threat_name	string
start_time	date-time
sub_platform	string
total_avs	int32
total_detected_avs	int32
total_time	int32
trust_factor	int32

Expand

400

Bad request

Response

xxxxxxxxxx
 
{
 "data": [...]
}
Copy

Av Scan History

Provides up to 50 historic AV scan results (threat detections from over 24 AV scanners) based on the file hash (in MD5, SHA1 or SHA256 format).

WARNING: This is an experimental endpoint, it may change in the future!.

GET

/threat-intel/av-scan-history/{hash}

POST

/threat-intel/av-scan-history/

AV scan history results

Provides up to 50 historic AV scan results (threat detections from over 24 AV scanners) based on the file hash (in MD5, SHA1 or SHA256 format).

Auth

Headers

apikey

string

The apikey identifies and authenticates the user

Path Params

hash

string

A hash is used to identify a file (MD5, SHA1 or SHA256)

GET /threat-intel/av-scan-history/{hash}

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v5/threat-intel/av-scan-history/0AA357C084039538022F812FF791681D' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g'
Copy

Responses

200

The request has succeeded

AV Scan History	object
md5	string
sha1	string
sha256	string
first_seen	date-time
last_seen	date-time
update_timestamp	date-time
av_scan_history	array[object]
av_detections	object
scan_all_result_i	int32
start_time	date-time
total_avs	int32
total_detected_avs	int32

400

Bad request

Response

xxxxxxxxxx
 
{ "md5": "4102F370AAF46629575DAFFBD5A0B3C9", "sha1": "EFE9462BFA3564FE031B5FF0F2E4F8DB8EF22882", "sha256": "004C99BE0C355E1265B783AAE557C198BCC92EE84ED49DF70DB927A726C842F3", "first_seen": "2022-05-26T17:34:02.673Z", "last_seen": "2022-07-21T18:53:56.188Z", "update_timestamp": "2022-07-21T19:00:39.703Z", "av_scan_history": [  {   "av_detections": {    "AhnLab": "Win-Trojan/Havex.251392",    "Avira": "TR/Agent.abqf",    "Bitdefender": "Backdoor.Agent.ABPD",    "Comodo": "Malware",    "Cyren": "W32/Havex.DOVT-1858",    "Emsisoft": "Backdoor.Agent.ABPD (B)",    "IKARUS": "Backdoor.Win32.Havex",    "K7": "Trojan ( 004db1f71 )",    "Kaspersky": "Trojan-Spy.Win32.HavexOPC.a",    "McAfee": "BackDoor-FCCM!4102F370AAF4",    "NANOAV": "Trojan.Win32.HavexOPC.dftece",    "TACHYON": "Trojan/W32.Havex.251392",    "Vir_IT eXplorer": "Backdoor.Win32.Agent.AXHJ",    "Zillya!": "Backdoor.Havex.Win32.1"   },   "scan_all_result_i": 1,   "start_time": "2022-07-21T18:53:56.188Z",   "total_avs": 24,   "total_detected_avs": 15  },  {   "av_detections": {    "AhnLab": "Win-Trojan/Havex.251392",    "Avira": "TR/Agent.abqf",    "Bitdefender": "Backdoor.Agent.ABPD",    "Comodo": "Malware",    "Cyren": "W32/Havex.DOVT-1858",    "Emsisoft": "Backdoor.Agent.ABPD (B)",    "IKARUS": "Backdoor.Win32.Havex",    "K7": "Trojan ( 004db1f71 )",    "Kaspersky": "Trojan-Spy.Win32.HavexOPC.a",    "McAfee": "BackDoor-FCCM!4102F370AAF4",    "NANOAV": "Trojan.Win32.HavexOPC.dftece",    "TACHYON": "Trojan/W32.Havex.251392",    "Vir_IT eXplorer": "Backdoor.Win32.Agent.AXHJ",    "Zillya!": "Backdoor.Havex.Win32.1"   },   "scan_all_result_i": 1,   "start_time": "2022-07-21T18:17:12.913Z",   "total_avs": 24,   "total_detected_avs": 15  } ]}
Copy

Expand

AV scan history results (Bulk lookup)

Bulk lookup of historic AV scan results for multiple files (using hashes in the MD5, SHA1 or SHA256 format). For a given hash, it is possible to retrieve up to 50 scan results (including threat detections from over 24 AV scanners).

Auth

Headers

apikey	string	The apikey identifies and authenticates the user
Content-Type	string	Specify the http content type Allowed values - application/json

Request Body

List of hashes whose scan history you are interested in

JSON payload for bulk lookup	object
hash	array[string]

POST /threat-intel/av-scan-history/

xxxxxxxxxx
 
curl --request POST \ --url 'https://api.metadefender.com/v5/threat-intel/av-scan-history/' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --header 'Content-Type: application/json' \ --data '{  "hash": [    "4102F370AAF46629575DAFFBD5A0B3C9",    "E15B36C2E394D599A8AB352159089DD2"  ]}'
Copy

Responses

200

object	object
data	array[object]
md5	string
sha1	string
sha256	string
first_seen	date-time
last_seen	date-time
update_timestamp	date-time
file_info	object
file_size	int32
file_type	string
file_type_category	string
file_type_description	string
file_type_extension	string
file_sources	array[string]	Enum: `partner`,`customer`
last_av_scan	object
malware_families	array[string]
malware_types	array[string]
platforms	array[string]	Enum: `Generic`,`MacOS`,`DOS`,`Win32`,`Win64`,`Android`,`Linux`
scan_all_result_i	int32
scan_details	object
scan engine	object
threat_found	string
scan_result_i	int32
standard_threat_name	string
start_time	date-time
sub_platform	string
total_avs	int32
total_detected_avs	int32
total_time	int32
trust_factor	int32

Expand

400

Bad request

Response

xxxxxxxxxx
 
{ "data": [  {   "md5": "E15B36C2E394D599A8AB352159089DD2",   "sha1": "28719979D7AC8038F24EE0C15114C4A463BE85FB",   "sha256": "39D04828AB0BBA42A0E4CDD53FE1C04E4EEF6D7B26D0008BD0D88B06CC316A81",   "first_seen": "2022-05-26T17:38:24.893Z",   "last_seen": "2022-07-21T18:53:56.441Z",   "update_timestamp": "2022-07-21T19:00:39.703Z",   "av_scan_history": [    {     "av_detections": {      "AhnLab": "W97M/Dropper",      "Bitdefender": "W97M.Downloader.ARV",      "ClamAV": "Doc.Dropper.Agent-1625150",      "Comodo": "Malware",      "Emsisoft": "W97M.Downloader.ARV (B)",      "IKARUS": "Trojan.Win32.Rootkit",      "Kaspersky": "Trojan-Dropper.MSWord.Agent.rj",      "McAfee": "W97M/Downloader.aul",      "NANOAV": "Trojan.Script.Agent.eanuuw",      "Quick Heal": "W97M.Dropper.RO",      "Vir_IT eXplorer": "W97M.DownLoader.BIC"     },     "scan_all_result_i": 1,     "start_time": "2022-07-21T18:53:56.441Z",     "total_avs": 24,     "total_detected_avs": 11    },    {     "av_detections": {      "AhnLab": "W97M/Dropper",      "Bitdefender": "W97M.Downloader.ARV",      "ClamAV": "Doc.Dropper.Agent-1625150",      "Comodo": "Malware",      "Emsisoft": "W97M.Downloader.ARV (B)",      "IKARUS": "Trojan.Win32.Rootkit",      "Kaspersky": "Trojan-Dropper.MSWord.Agent.rj",      "McAfee": "W97M/Downloader.aul",      "NANOAV": "Trojan.Script.Agent.eanuuw",      "Quick Heal": "W97M.Dropper.RO",      "Vir_IT eXplorer": "W97M.DownLoader.BIC"     },     "scan_all_result_i": 1,     "start_time": "2022-07-21T18:17:12.843Z",     "total_avs": 24,     "total_detected_avs": 11    }   ]  },  {   "md5": "4102F370AAF46629575DAFFBD5A0B3C9",   "sha1": "EFE9462BFA3564FE031B5FF0F2E4F8DB8EF22882",   "sha256": "004C99BE0C355E1265B783AAE557C198BCC92EE84ED49DF70DB927A726C842F3",   "first_seen": "2022-05-26T17:34:02.673Z",   "last_seen": "2022-07-21T18:53:56.188Z",   "update_timestamp": "2022-07-21T19:00:39.703Z",   "av_scan_history": [    {     "av_detections": {      "AhnLab": "Win-Trojan/Havex.251392",      "Avira": "TR/Agent.abqf",      "Bitdefender": "Backdoor.Agent.ABPD",      "Comodo": "Malware",      "Cyren": "W32/Havex.DOVT-1858",      "Emsisoft": "Backdoor.Agent.ABPD (B)",      "IKARUS": "Backdoor.Win32.Havex",      "K7": "Trojan ( 004db1f71 )",      "Kaspersky": "Trojan-Spy.Win32.HavexOPC.a",      "McAfee": "BackDoor-FCCM!4102F370AAF4",      "NANOAV": "Trojan.Win32.HavexOPC.dftece",      "TACHYON": "Trojan/W32.Havex.251392",      "Vir_IT eXplorer": "Backdoor.Win32.Agent.AXHJ",      "Zillya!": "Backdoor.Havex.Win32.1"     },     "scan_all_result_i": 1,     "start_time": "2022-07-21T18:53:56.188Z",     "total_avs": 24,     "total_detected_avs": 15    }   ]  } ]}
Copy

Expand

Expression Search

Search for hashes using multi-part search criteria. The available search fields and expressions are described in the “Body (payload)” section below.

POST

/threat-intel/search/

Search for hashes

Search for hashes using multi-part search criteria.

Auth

Headers

apikey	string	The apikey identifies and authenticates the user
Content-Type	string	Specify the http content type Allowed values - application/json

Request Body

The JSON payload specifies the search terms and expressions. The limit value specifies how many hashes should be returned per page. The default and maximum value is 1000. Lower limit values might result in faster query executions.

JSON payload for search	object	The supported wildcards match the behavior of * and ? on Unix-like systems: * matches any number of any characters including none ? matches any single character All search patterns are case-insensitive. The following search fields and expressions are allowed in the filters object: Text fields Possible formats: string (using wildcards) array of strings (using wildcards) : matches any element Field names: reputation risk_level file_info.file_type file_info.file_type_category file_info.file_type_extension platforms standard_threat_name malware_types malware_families malware_threat_names Numeric fields Possible formats: scalar number (integer or floating point) array of numbers: matches any element object including comparison operators (matches all conditions if multiple operators are given): “gt”: Greater than (>) “gte”: Greater than or equal (>=) “lt”: Less than (<) “lte”: Less than or equal (<=) “eq”: Equal (=) “ne”: Not equal (!=) Field names: reputation_i total_avs av_detection_count av_detection_percentage confidence_level file_info.file_size Timestamp fields Possible formats: single timestamp in the ISO 8601 format: YYYY-MM-DDTHH:mm:ss.sssZ (or a date in the YYYY-MM-DD format) array of timestamps: matches any element object including comparison operators (same as for numeric fields) Field names: first_seen last_seen update_timestamp
filters	object
reputation	string
risk_level	string
file_info.file_type	string
file_info.file_type_category	string
file_info.file_type_extension	string
platforms	string
standard_threat_name	string
malware_types	string
malware_families	string
malware_threat_names	string
reputation_i	int32
total_avs	int32
av_detection_count	int32
av_detection_percentage	number
confidence_level	number
file_info.file_size	int32
first_seen	date-time
last_seen	date-time
update_timestamp	date-time
limit	int32	maximum: 1000

Expand

POST /threat-intel/search/

xxxxxxxxxx
 
curl --request POST \ --url 'https://api.metadefender.com/v5/threat-intel/search/' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --header 'Content-Type: application/json' \ --data '{  "filters": {    "first_seen": {      "gt": "2022-06-16T00:00:00.000Z"    },    "file_info.file_size": {      "lt": 1000000    },    "file_info.file_type_extension": "EXE",    "standard_threat_name": "*.Trojan.*"  },  "limit": 10}'
Copy

Responses

200

Search response	object	The answer will include the fields that were included in the query.
items_on_current_page	int32
has_next_page	boolean
continuation_token	string
data	array[object]
md5	string
sha1	string
sha256	string
reputation	string	Enum: `benign`,`suspicious`,`malicious`,`unknown`
reputation_i	int32
first_seen	date-time
last_seen	date-time
update_timestamp	date-time
file_info	object
file_size	int32
file_type	string
file_type_category	string
file_type_description	string
file_type_extension	string
total_avs	int32
av_detection_count	int32
av_detection_percentage	number
confidence_level	number
risk_level	string	Enum: `low`,`medium`,`high`
standard_threat_name	string
malware_families	array[string]
malware_threat_names	array[string]
malware_types	array[string]
platforms	array[string]

Expand

400

Bad request

Response

xxxxxxxxxx
 
{
 "items_on_current_page": 10, "has_next_page": true, "continuation_token": "MTY1NjIyNTA1NDMyNjkzMjc3Mg==", "data": [...]
}
Copy

Similarity Search

Provides a list of similar files and similarity scores for SHA-256 hashes.

GET

/threat-intel/similarity-search/{hash}

Search for similar files and scores

Retrieves the list of similar files and scores that have been previously scanned using Filescan, using SHA256.

Auth

Headers

apikey	string	The apikey identifies and authenticates the user
verdict	string	Filescan verdict of a file. Allowed values MALICIOUS (Filescan's determination of a file's MALICIOUS verdict). LIKELY_MALICIOUS (Filescan's determination of a file's LIKELY_MALICIOUS verdict). INFORMATIONAL (Filescan's determination of a file's INFORMATIONAL verdict). SUSPICIOUS (Filescan's determination of a file's SUSPICIOUS verdict). BENIGN (Filescan's determination of a file's BENIGN verdict). UNKNOWN (Filescan's determination of a file's UNKNOWN verdict).
start_date	string	Only return samples that were scanned after the start_date (inclusive). Date format ISO 8601. Allowed values All valid ISO 8601 timestamps.
tags	string	Tags of a file. Allowed values The quantity of tags is continuously expanding. Example (peexe, greyware, overlay, packed, shell32.dll, xml, meterpreter, swrort, adware, anti-debug, anti-security, anti-vm, apt, backdoor, banker, botnet, crimeware, fingerprint, greyware, exploit, evasive, hacktool, installer, keylogger, macros, macros-on-change, macros-on-close, macros-on-open, masquerade, obfuscated, overlay, packed, phishing, pos, pup, ransomware, rat, shellcode, spyware, stealer, stripped, vbastomped, worm, xlm, autoit, delphi, embedequation.).
threshold	integer	Similarity threshold from 0% to 100%. Higher score means higher similarity. By default, it is (30). Allowed values 1 to 100 any integer
limit	integer	Number of returned items. By default, it is (100). Allowed values 1 to 100 any integer

Expand

Path Params

hash

string

A hash is used to identify a file (MD5, SHA1 or SHA256)

GET /threat-intel/similarity-search/{hash}

xxxxxxxxxx
 
curl --get \ --url 'https://api.metadefender.com/v5/threat-intel/similarity-search/0AA357C084039538022F812FF791681D' \ --header 'apikey: 4gg5f4123eg4gg7a58d502dfc3f2898g' \ --header 'verdict: MALICIOUS' \ --header 'start_date: 2020-01-17T12:17:20.000Z' \ --header 'tags: peexe' \ --header 'threshold: 30' \ --header 'limit: 10'
Copy

Responses

200

The request has succeeded

SimilaritySearch response	object
data	array[object]
sha256	string
overall_similarity	number
similarities	object
binary_metadata	number
version_info	number
pdb_guid	number
rich_header_compiler_ids	number
sections	number
resources	number
signal_ids	number
extracted	number
imports	number
certifications	number
weighted_numerics	number
details	object
start_date	date-time
tags	array[string]
items	string
is_dotnet	boolean
file_size	number
architecture	string
entropy	number
verdict	string

400

Bad request

Response

xxxxxxxxxx
 
{ "data": [  {   "sha256": "F37AC82BE444ADFEBCDDC1A2A0E1A5BA1EF90394067265F51A771A3896690C17",   "overall_similarity": 0.31463328501737187,   "similarities": {    "binary_metadata": 0.8,    "version_info": 1,    "pdb_guid": 0,    "rich_header_compiler_ids": 0.1111111111111111,    "sections": 0,    "resources": 0,    "signal_ids": 0.11764705882352941,    "extracted": 0,    "imports": 0.009615384615384616,    "certifications": 1,    "weighted_numerics": 0.3502605525636527   },   "details": {    "start_date": "2021-08-28T01:01:30.335Z",    "tags": [     "peexe",     "greyware",     "overlay",     "packed",     "shell32.dll"    ],    "is_dotnet": false,    "file_size": 2923520,    "architecture": "32Bitsbinary",    "verdict": "MALICIOUS"   }  },  {   "sha256": "F37AC82BE444ADFEBCDDC1A2A0E1A5BA1EF90394067265F51A771A3896690ASD",   "overall_similarity": 0.30463328501737186,   "similarities": {    "binary_metadata": 0.8,    "version_info": 1,    "pdb_guid": 0,    "rich_header_compiler_ids": 0.1111111111111111,    "sections": 0,    "resources": 0,    "signal_ids": 0.11764705882352941,    "extracted": 0,    "imports": 0.009615384615384616,    "certifications": 1,    "weighted_numerics": 0.3502605525636527   },   "details": {    "start_date": "2021-08-28T01:01:30.335Z",    "tags": [     "peexe",     "greyware",     "overlay",     "packed"    ],    "is_dotnet": false,    "file_size": 2923520,    "architecture": "32Bitsbinary",    "entropy": 7.23232323,    "verdict": "MALICIOUS"   }  } ]}
Copy

Expand

Metadefender Cloud Threat Intelligence API v5 5.0Terms of ServiceApache 2.0

About This Guide

WARNING

How to use MetaDefender Cloud Threat Intelligence Public APIs

Key Features of MetaDefender Cloud Threat Intelligence

Av File Reputation

AV file reputation status

AV file reputation status (Bulk lookup)

File Analysis

File analysis data

File analysis data (Bulk lookup)

Av Scan History

AV scan history results

AV scan history results (Bulk lookup)

Expression Search

Search for hashes

Similarity Search

Search for similar files and scores

Metadefender Cloud Threat Intelligence API v5 5.0 Terms of Service Apache 2.0