Contents x
Getting Started
    • PDF
    Contents

    Getting Started

      • PDF
      Article summary

      Once your Halo order has been processed, if you’ve opted to include the File Reputation feature, we will set up a new ReversingLabs account for you.

      Note: you can also use an existing ReversingLabs account, provided you have the required credentials.

      Please follow the steps below to configure Glasswall Halo with your ReversingLabs account.

      Prerequisite

      Configure Glasswall Halo with ReversingLabs

      Follow all the steps in the Deployment section to deploy Halo according to your cloud provider. The cdrplatform-engine includes the configuration needed to connect to ReversingLabs. The username and password should be set up using an external secret manager.

      For any additional modifications, refer to the Halo Configuration Changes. The relevant settings can be found under the Engine section:

      • ReversingLabs__Endpoint
      • ReversingLabs__Timeout

      Retrieve threat intelligence data for your files

      Single files

      In the Sync API

      In this example, we process a single file on the cdr-file endpoint on the Sync API.

      1. Make a POST request with a single file to the Sync API, for example the cdr-file endpoint: /api/v3/cdr-file.

      2. Observe the response headers, they should contain the following:

      HeaderDescriptionValues
      X-FileReputation-ResponseCodeThe HTTP response code from the File Reputation service.
      • 200 OK
      • 400 Bad Request
      • 401 Unauthorizedt
      • 403 Forbidden
      • 404 Not Found
      • 405 Method Not Allowed
      • 409 Conflict
      • 413 Request Too Large
      • 429 Too Many Requests
      • 500 Internal Server Error
      • 502 Bad Gateway
      • 503 Service Unavailable
      • UnknownError
      • Timeout
      X-FileReputation-StatusMalware Presence Status
      • UNKNOWN
      • KNOWN
      • SUSPICIOUS
      • MALICIOUS
      X-FileReputation-ThreatNameDetected threat name for the requested sample(Example) Win32.Trojan.Nsis
      X-FileReputation-ThreatLevelThreat level is calculated by a proprietary ReversingLabs algorithm. It is a measure of how malicious a malware sample is.A sample’s Threat Level is expressed as a number from 0 to 5, with 5 indicating the most dangerous threats (highest severity).
      X-FileReputation-TrustLevelIn samples classified as “known”, the trust level represents how confident we are that the sample is goodware.It is computed by a proprietary ReversingLabs algorithm and expressed as a number from 0 to 5, where zero represents the highest confidence that a sample is goodware.

      Archives

      In this example,we process a ZIP file on the cdr-file endpoint on the Sync API.

      1. Make a POST request with a supported archive file to the Sync API, for example the cdr-file endpoint: /api/v3/cdr-file. Ensure an Analysis report will be generated.

      2. Download the composite archive result containing the /clean and /report folders.

      3. Open the report archive file under the /report directory.

      4. Observe the contents of the manifest.cdr-json file. The JSON should contain a new section FileReputation.

      {
    "fileReputation": {
        "response": "200",
        "fileStatus": "SUSPICIOUS",
        "threatName": "Win32.Trojan.Nsis",
        "threatLevel": "4",
        "trustLevel": "5"
    }
}

      Compressed files

      For compressed files (.bz2 and .gzip), the file reputation data is returned via response headers (similar to single files).

      Note: that the File Reputation results are for the underlying file and not the parent compressed type.

      Was this article helpful?
      What's Next