Using a websocket client to access the Content Analysis REST API
Last Updated August 22, 2018
As of Content Analysis (CA) 2.1, you can send files for analysis directly to the CA device without using ICAP. This means you can access the features of CA and, if configured, the Malware Analysis (MA) device without first passing the data through a ProxySG. This feature is typically used by security teams to test files.
This article assumes the following prerequisites are in place:
Client workstation running Windows or Linux OS (for this article we will use a Linux client)
Python 2.7 or 3.x (this article will use Python 2.7.12)
Sandboxing solution (this article will use Symantec's Malware Analysis Appliance 184.108.40.206)
This will return the response from the CA device, whose contents will vary depending on which features are enabled (file reputation, antivirus, static analysis, etc.) and on the processing done on the file, i.e. whether it was sent to the MA device or not. The following example shows a file that was not sent to the MA device:
Note: as nothing was sent to the MA device (u'expected_sandbox':False), there will be no MA output sent to the websocket terminal.
In the following example, the file was sent by CA to the MA device (u'expected_sandbox':True), so we get two outputs, one from CA and one from MA.
The output from MA will take longer to show up in the websocket client terminal, as MA needs to run the file in the virtual environment, and this can take two to three minutes.
and eventually the websocket client terminal will return