Version: 2.16.0

Getting started

Once your Halo order has been processed, if you’ve opted to include the File Reputation feature, we will set up a new ReversingLabs account for you.

Note: you can also use an existing ReversingLabs account, provided you have the required credentials.

Please follow the steps below to configure Glasswall Halo with your ReversingLabs account.

Prerequisite

Configure Glasswall Halo with ReversingLabs

Follow all the steps in the deployment section to deploy Halo according to your cloud provider. The cdrplatform-engine includes the configuration needed to connect to ReversingLabs. The username and password should be set up using an external secret manager.

For any additional modifications, refer to the Halo configuration changes. The relevant settings can be found under the Engine section:

  • ReversingLabs__Endpoint
  • ReversingLabs__Timeout

Retrieve threat intelligence data for your files

Single files

In the Sync API

In this example, we process a single file on the CDR-file endpoint on the Sync API.

  1. Make a POST request with a single file to the sync API, for example the CDR-file endpoint: /api/v3/cdr-file.

  2. Observe the response headers. They should contain the following:

| Header | Description | Values |
| --- | --- | --- |
| x-filereputation-responsecode | HTTP response code from the file reputation service | 200 OK, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 405 Method Not Allowed, 409 Conflict, 413 Request Too Large, 429 Too Many Requests, 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, UnknownError, Timeout |
| x-filereputation-status | Malware presence status | unknown, known, suspicious, malicious |
| x-filereputation-threatname | Detected threat name for the requested sample | Example: win32.trojan.nsis |
| x-filereputation-threatlevel | Threat severity calculated by a proprietary ReversingLabs algorithm | Value from 0 to 5, where 5 indicates the highest severity |
| x-filereputation-trustlevel | Confidence that a known sample is goodware | Value from 0 to 5, where 0 represents the highest confidence |

Archives

In this example, we process a ZIP file on the CDR-file endpoint on the Sync API.

  1. Make a POST request with a supported archive file to the Sync API, for example the CDR-file endpoint: /api/v3/cdr-file. Ensure an analysis report will be generated.

  2. Download the composite archive result containing the /clean and /report folders.

  3. Open the report archive file under the /report directory.

  4. Observe the contents of the manifest.cdr-json file. The JSON should contain a new fileReputation section:

```json
{
  "fileReputation": {
    "response": "200",
    "fileStatus": "SUSPICIOUS",
    "threatName": "Win32.Trojan.Nsis",
    "threatLevel": "4",
    "trustLevel": "5"
  }
}
```
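As an added example (not Glasswall Halo's or ReversingLabs' own code), the helper below normalises the file reputation result from both paths described above: the `x-filereputation-*` response headers of a single-file request and the `fileReputation` section of `manifest.cdr-json` in the report archive. It assumes the report archive is a ZIP containing `manifest.cdr-json`, and the `flagged()` policy (only `suspicious`/`malicious` on a successful lookup count as hits) is an assumption rather than Halo's own rule.

```python
import io
import json
import zipfile
from dataclasses import dataclass
from typing import Mapping, Optional

@dataclass
class FileReputation:
    response_code: str           # "200", or e.g. "UnknownError" / "Timeout" if the lookup failed
    status: str                  # unknown | known | suspicious | malicious
    threat_name: Optional[str]
    threat_level: Optional[int]  # 0-5, 5 = highest severity
    trust_level: Optional[int]   # 0-5, 0 = highest confidence the sample is goodware

    def flagged(self) -> bool:
        # Assumed policy: only suspicious/malicious count as hits; "unknown" is no verdict, not a clean file.
        return self.response_code == "200" and self.status in ("suspicious", "malicious")

def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value not in (None, "") else None

def from_sync_headers(headers: Mapping[str, str]) -> FileReputation:
    # Single-file path: response headers of POST /api/v3/cdr-file (header names are case-insensitive).
    h = {k.lower(): v for k, v in headers.items()}
    code = h.get("x-filereputation-responsecode", "UnknownError").split(" ")[0]  # "200 OK" -> "200"
    return FileReputation(code,
                          h.get("x-filereputation-status", "unknown").lower(),
                          h.get("x-filereputation-threatname") or None,
                          _to_int(h.get("x-filereputation-threatlevel")),
                          _to_int(h.get("x-filereputation-trustlevel")))

def from_report_archive(report_zip: bytes) -> FileReputation:
    # Archive path: the fileReputation section of manifest.cdr-json inside the report archive (assumed ZIP).
    with zipfile.ZipFile(io.BytesIO(report_zip)) as zf:
        name = next(n for n in zf.namelist() if n.endswith("manifest.cdr-json"))
        rep = json.loads(zf.read(name))["fileReputation"]
    return FileReputation(str(rep["response"]), str(rep["fileStatus"]).lower(),
                          rep.get("threatName") or None,
                          _to_int(rep.get("threatLevel")), _to_int(rep.get("trustLevel")))

def sample_report_zip() -> bytes:
    # Constructed report archive (not real Halo output) carrying the manifest shown above.
    manifest = {"fileReputation": {"response": "200", "fileStatus": "SUSPICIOUS",
                                   "threatName": "Win32.Trojan.Nsis", "threatLevel": "4", "trustLevel": "5"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/manifest.cdr-json", json.dumps(manifest))
    return buf.getvalue()
```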


### Compressed files
For compressed files (`.bz2` and `.gzip`), the file reputation data is returned via response headers, as for single files.

**Note:** The file reputation results are for the underlying file, not for the parent compressed container.