
I am new to SophosLabs Intelix. I am trying to build a sample in my ASP.NET application (WebForms/MVC) in which I want to run an antivirus scan on the file uploaded by the user. If the uploaded file is clean, I want to upload it to the server; otherwise I want to cancel the operation. I specifically want to use SophosLabs Intelix for this functionality. It would be great if someone could guide me regarding this functionality. A code sample in C# would be appreciated a lot. Thanks in advance for your help.

Sample:

```csharp
if (file.HasFile)
{
    // run an antivirus scan
    // result
    if (result == NoThreat)
    {
        // Uploaded Successfully
    }
    else
    {
        // File contains a virus. Upload failed!
    }
}
else
{
    // Please select a file to upload!
}
```

Jimesh
  • Refer to the given link for SophosLabs Intelix References: https://aws.amazon.com/marketplace/pp/Sophos-Limited-SophosLabs-Intelix/B07SLZPMCS – Jimesh Jul 31 '20 at 09:12
  • Did you check the [API documentation](https://api.labs.sophos.com/doc/analysis/file/static.html)? For sure you have to make some http calls to these APIs. – Alessandro R Jul 31 '20 at 09:47
  • Yes, @Alessandro R. I went through the yml and the API documentation provided in the reference. It is confirmed that the solution can be done using static file analysis API. I am not aware how to integrate it in my code. I shall be grateful to you if you can guide me regarding the implementation. – Jimesh Jul 31 '20 at 09:52

1 Answer


I suggest starting with the implementation of the OAuth 2 authentication request. You can find some ideas here: How do I get an OAuth 2.0 authentication token in C#

As soon as you have the access_token you can use it for the /reports/?sha256=... query. It may return the report immediately. If it does not return any data (404), this request was free and you can POST the file to the root endpoint "/" for analysis. It can take a few seconds/minutes, during which you should poll the report from the /reports/{job_id} endpoint until you get it.

If you cannot wait minutes for decision data, you may also use the File Hash Lookup API, which returns immediately. It may give a reputationScore between 30..69, so you cannot decide how dangerous the file is, but in this case you can still perform a static or dynamic analysis on it.

  • So according to you, which might be the best option for the functionality? 1) File Hash Lookup API 2) Static File Analysis API – Jimesh Jul 31 '20 at 11:31
  • Static File Analysis API analyzes the submitted individual file, good for any case. File Hash Lookup API is only good for filtering already known (malicious) files. I just pointed out you may mix them if you want some optimization. – László Katona Jul 31 '20 at 12:09
  • Can you mention the steps for getting an authorisation token to check the API through Swagger online? – Jimesh Jul 31 '20 at 12:15
  • You have to POST your client_id & client_secret to the /oauth2/token Authentication endpoint to get the access_token according to the docs: https://api.labs.sophos.com/doc/authentication.html - You can also try it out using the Authorize button (with lock icon) in the docs: https://api.labs.sophos.com/doc/analysis/file/static.html – László Katona Jul 31 '20 at 12:19
  • Okay, so to get the client credentials, which type of flow should I follow? I mean, will subscribing to SophosLabs Intelix on AWS Marketplace be okay, or is there a specific registration flow? – Jimesh Jul 31 '20 at 12:23
  • This awesome video about Intelix on Sophos' website will help you a lot: https://www.sophos.com/en-us/labs/intelix.aspx It is more than a marketing video, a good tutorial. – László Katona Jul 31 '20 at 12:28
  • Hi Jimesh, just to answer your last question. Best to follow the AWS Marketplace subscription; this will give you instant access to the system and you can try for yourself. As mentioned in a couple of comments above, the videos give some great demos. If you have more questions, please reach out. – James Wilson Aug 05 '20 at 12:36
  • @LászlóKatona ' If it does not return any data (404)' - why isn't this listed in the documentation (https://api.labs.sophos.com/doc/lookup/files.html)? The static file endpoint has all of the types of responses listed: https://api.labs.sophos.com/doc/analysis/file/static.html – c_Reg_c_Lark Oct 12 '20 at 17:22
  • @c_Reg_c_Lark if I open your first link I see a '404 The requested URL does not exist (Not Found).' response just below the 200, 400 and 401. Is it what you were looking for? – László Katona Oct 13 '20 at 20:45
  • @LászlóKatona Yep that's it. I didn't expand the "Get" section. – c_Reg_c_Lark Oct 14 '20 at 13:53
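
The flow described in the answer above (report lookup by SHA-256, submit on 404, poll `/reports/{job_id}`), written as a fail-closed upload gate; this is an added example, not code from the thread or from Sophos. Assumptions to check against the API documentation: the caller supplies an `HttpClient` whose `BaseAddress` (with trailing slash) and access token are already configured as the Intelix docs require, and the JSON field names (`jobStatus`, `jobId`, `report.score`), the `file` form field, the polling budget and the clean threshold of 70 are not taken from the page.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;

public static class IntelixUploadGate
{
    // Assumption: scores of 70 and above mean "known good"; the answer only says 30..69 is undecided.
    const int CleanThreshold = 70;
    // Returns true only for an explicit clean verdict; errors, unknowns and timeouts reject (fail closed).
    // Assumption: http.BaseAddress is the static analysis endpoint and the access_token is already attached.
    public static async Task<bool> IsCleanAsync(HttpClient http, byte[] content, string fileName)
    {
        string sha256;
        using (var sha = SHA256.Create())
            sha256 = BitConverter.ToString(sha.ComputeHash(content)).Replace("-", "").ToLowerInvariant();
        // Step 1: ask for an existing report by hash.
        HttpResponseMessage resp = await http.GetAsync("reports?sha256=" + sha256);
        if (resp.StatusCode == HttpStatusCode.NotFound)
        {
            // Step 2: 404 means no report exists yet, so submit the file to the root endpoint.
            var form = new MultipartFormDataContent();
            form.Add(new ByteArrayContent(content), "file", fileName); // field name "file" is an assumption
            resp = await http.PostAsync("", form);
        }
        // Step 3: poll reports/{job_id} until the job finishes or the attempt budget is spent.
        for (int attempt = 0; attempt < 20; attempt++)
        {
            if (!resp.IsSuccessStatusCode) return false; // 400, 401, 5xx: reject, never accept unscanned
            using (JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()))
            {
                JsonElement root = doc.RootElement;
                string status = root.TryGetProperty("jobStatus", out var s)
                    && s.ValueKind == JsonValueKind.String ? s.GetString() : null;
                if (status == "SUCCESS")
                    return root.TryGetProperty("report", out var r)
                        && r.TryGetProperty("score", out var score)
                        && score.TryGetInt32(out int value) && value >= CleanThreshold;
                if (status != "IN_PROGRESS" || !root.TryGetProperty("jobId", out var id)) return false;
                await Task.Delay(TimeSpan.FromSeconds(3));
                resp = await http.GetAsync("reports/" + Uri.EscapeDataString(id.ToString()));
            }
        }
        return false; // still pending after the budget: reject rather than store an unscanned file
    }
}
```

Call it before the file is written to its final location, wrap the call in a try/catch, and treat any exception (network failure, malformed JSON) as a failed scan.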