10.2 Sandbox lookup

Request

Value

Method

GET

URL

https://api.metadefender.com/v4/sandbox/:sandboxId

Summary

Retrieves the sandbox entry identified by :sandboxId. This endpoint can be polled to get the result of the sandbox scan; the scan is finished when "scan_results.progress_percentage" is 100.

After uploading the file, we recommend waiting for a period equal to the "sandbox_timeout" value and only then polling for the results. The "scan_results.progress_percentage" value is directly related to the time spent on the virtual machine and increases as time passes.

Request

URL Parameters

 

Description

Example

:sandboxId

the "_id" field received when scanning a file with the sandbox

606d69618104a46c24cc44e6

Header Parameters

 

Description

Allowed Values

Required

apikey

Identifies and authorizes the user (API Authentication Mechanisms)

apikey

YES

Response

HTTP Status Codes

Please refer to Status Codes for more information.

Body

Example of a successful request:

Full sandbox analysis entry

{
"md5": "CD1DA8C0332DD43BCB4DA69033B4624D",
"sha1": "AAA1C1CF2E78F64C0894EBC568B145039BB06DC3",
"sha256": "A4512C42AAC49E253F7F1F2BF44759704F98F5ADE4F13AA664D71AF4B830DB1D",
"scan_results": {
"scan_all_result_i": 0,
"scan_all_result_a": "No threat detected"
},
"data_id": "bzE5MDIwN3J5N0pOZHVZVkVIMVZKVmRkSzRW",
"analysis": {
"infection_score": 4,
"signatures": [
{
"score": "2",
"family": "Ransomware",
"id": "0"
},
{
"score": "0",
"family": "Spreading",
"id": "1"
},
{
"score": "0",
"family": "Phishing",
"id": "2"
}
],
"network": {},
"processes": [
{
"section": {
"loaded": [
{
"return": "774B371E",
"symbol": "LdrInitializeThunk",
"threadid": 304,
"path": "\\KnownDlls\\WSOCK32.dll"
},
{
"return": "774B371E",
"symbol": "LdrInitializeThunk",
"threadid": 304,
"path": "\\KnownDlls\\kernel32.dll"
},
{
"return": "774B371E",
"symbol": "LdrInitializeThunk",
"threadid": 304,
"path": "\\KnownDlls\\KERNELBASE.dll"
}
]
},
"start_time": null,
"size": 593480,
"is_admin": true,
"cmd": "'C:\\Users\\user\\Desktop\\TeamCityAgentService-windows-x86-64.exe' ",
"path": "C:\\Users\\user\\Desktop\\TeamCityAgentService-windows-x86-64.exe",
"parent_pid": 2772,
"pid": 2404,
"filesystem": {
"file_opened": [
{
"path": "C:\\Users\\user\\Desktop\\TeamCityAgentService-windows-x86-64.conf",
"symbol": "CreateFileA",
"status": "object name not found",
"value": null,
"threadid": 304,
"pid": null
},
{
"path": "C:\\Users\\user\\Desktop\\",
"symbol": "LdrInitializeThunk",
"status": "success or wait",
"value": null,
"threadid": 304,
"pid": null
},
{
"path": "C:\\Windows\\system32\\WSOCK32.dll",
"symbol": "LdrInitializeThunk",
"status": "success or wait",
"value": null,
"threadid": 304,
"pid": null
}
]
},
"registrykey": {
"read": [
{
"status": "success or wait",
"symbol": "LdrInitializeThunk",
"threadid": 304,
"path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
},
{
"status": "success or wait",
"symbol": "LdrInitializeThunk",
"threadid": 304,
"path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
},
{
"status": "object name not found",
"symbol": "LdrInitializeThunk",
"threadid": 304,
"path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
}
]
},
"memory": {
"allocation": [
{
"symbol": "LdrInitializeThunk",
"length": 2359296,
"base": "1F0000",
"value": null,
"threadid": 304,
"pid": 2404
},
{
"symbol": "LdrInitializeThunk",
"length": 8192,
"base": 330000,
"value": null,
"threadid": 304,
"pid": 2404
},
{
"symbol": "LdrInitializeThunk",
"length": 4096,
"base": 332000,
"value": null,
"threadid": 304,
"pid": 2404
}
]
}
}
],
"description": "Windows 7 x64 with Office 2016, Java 8 Update 201, Acrobat Reader DC 19, Flash ActiveX 32, Internet Explorer 11, Chrome 71",
"start_time": "2019-02-19T12:28:52.000Z"
},
"sandbox_id": "5c6be85931fa55001e5e194d",
"rescan_available": true
}

Example of a failed request:

{
"error": {
"code": 404001,
"messages": [
"Entity was not found"
]
}
}

Response description:

See 10.3 Hash lookup with sandbox

Errors

Please refer to Errors for more information.

Sample code (Node.js)

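// Look up a MetaDefender sandbox entry by id and print the response body.
// The API key is read from the APIKEY environment variable so that it is
// never hard-coded in the script.
var https = require("https");

var apiKey = process.env.APIKEY;
if (!apiKey) {
  // Stop before building the request: an undefined header value cannot be
  // sent, and a clear message is easier to act on than a thrown exception.
  console.error("APIKEY environment variable is not set");
  process.exit(1);
}

var options = {
  "method": "GET",
  // hostname and path must be plain strings; passing them as arrays of
  // segments does not produce a valid host or request path.
  "hostname": "api.metadefender.com",
  "path": "/v4/sandbox/5c6be85931fa55001e5e194d",
  "headers": {
    "apikey": apiKey
  }
};

var req = https.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks).toString();

    // Failed lookups return an "error" object in the body; report the HTTP
    // status so a failure is not mistaken for an analysis result.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error("Request failed with HTTP status " + res.statusCode);
    }

    // The body holds strings recorded from the analysed sample (paths,
    // command lines). Treat them as untrusted data if they are rendered or
    // stored anywhere other than this console output.
    console.log(body);
  });
});

// Without an "error" listener, a DNS, TLS or connection failure would be
// raised as an uncaught exception.
req.on("error", function (err) {
  console.error("Request error: " + err.message);
});

req.end();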

Sample code (cURL)

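# Fetch the sandbox entry. The API key is expanded from the APIKEY environment
# variable; ${APIKEY:?...} makes the shell abort with a message, before any
# request is sent, when the variable is unset or empty.
curl -X GET \
https://api.metadefender.com/v4/sandbox/5c6be85931fa55001e5e194d \
-H "apikey: ${APIKEY:?APIKEY environment variable is not set}"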