Getting Started

Prev Next

Once your Halo order has been processed, if youโ€™ve opted to include the File Reputation feature, we will set up a new ReversingLabs account for you.

Note: you can also use an existing ReversingLabs account, provided you have the required credentials.

Please follow the steps below to configure Glasswall Halo with your ReversingLabs account.

Prerequisite

Configure Glasswall Halo with ReversingLabs

Follow all the steps in the Deployment section to deploy Halo according to your cloud provider. The cdrplatform-engine includes the configuration needed to connect to ReversingLabs. The username and password should be set up using an external secret manager.

For any additional modifications, refer to the Halo Configuration Changes. The relevant settings can be found under the Engine section:

  • ReversingLabs__Endpoint
  • ReversingLabs__Timeout

Retrieve threat intelligence data for your files

Single files

In the Sync API

In this example, we process a single file on the cdr-file endpoint on the Sync API.

  1. Make a POST request with a single file to the Sync API, for example the cdr-file endpoint: /api/v3/cdr-file.

  2. Observe the response headers, they should contain the following:

Header Description Values
X-FileReputation-ResponseCode The HTTP response code from the File Reputation service.
  • 200 OK
  • 400 Bad Request
  • 401 Unauthorizedt
  • 403 Forbidden
  • 404 Not Found
  • 405 Method Not Allowed
  • 409 Conflict
  • 413 Request Too Large
  • 429 Too Many Requests
  • 500 Internal Server Error
  • 502 Bad Gateway
  • 503 Service Unavailable
  • UnknownError
  • Timeout
X-FileReputation-Status Malware Presence Status
  • UNKNOWN
  • KNOWN
  • SUSPICIOUS
  • MALICIOUS
X-FileReputation-ThreatName Detected threat name for the requested sample (Example) Win32.Trojan.Nsis
X-FileReputation-ThreatLevel Threat level is calculated by a proprietary ReversingLabs algorithm. It is a measure of how malicious a malware sample is. A sampleโ€™s Threat Level is expressed as a number from 0 to 5, with 5 indicating the most dangerous threats (highest severity).
X-FileReputation-TrustLevel In samples classified as โ€œknownโ€, the trust level represents how confident we are that the sample is goodware. It is computed by a proprietary ReversingLabs algorithm and expressed as a number from 0 to 5, where zero represents the highest confidence that a sample is goodware.

Archives

In this example,we process a ZIP file on the cdr-file endpoint on the Sync API.

  1. Make a POST request with a supported archive file to the Sync API, for example the cdr-file endpoint: /api/v3/cdr-file. Ensure an Analysis report will be generated.

  2. Download the composite archive result containing the /clean and /report folders.

  3. Open the report archive file under the /report directory.

  4. Observe the contents of the manifest.cdr-json file. The JSON should contain a new section FileReputation.

{
    "fileReputation": {
        "response": "200",
        "fileStatus": "SUSPICIOUS",
        "threatName": "Win32.Trojan.Nsis",
        "threatLevel": "4",
        "trustLevel": "5"
    }
}

Compressed files

For compressed files (.bz2 and .gzip), the file reputation data is returned via response headers (similar to single files).

Note: that the File Reputation results are for the underlying file and not the parent compressed type.