Ofer_Fichman
Employee

Best Practices for Threat Prevention API Calls to Appliance


The Check Point Threat Prevention API lets you use Threat Prevention products through web services.

Threat Prevention API calls can be made either to Threat-Cloud or to a local Appliance.

Here we focus on Threat Prevention API calls to an Appliance.

We use Threat Prevention API calls to an appliance when we would like to scan files and/or clean their suspicious parts in an environment where these files do not pass through the gateway traffic, but there is an appliance with Threat Emulation and/or Threat Extraction enabled.

Using API calls to Threat Emulation and/or Anti Virus on the appliance, we detect whether files are malicious. Threat Emulation includes detecting unknown malware and Zero-day attacks.

Using API calls to Threat Extraction on the appliance, we proactively block malware and can deliver reconstructed files to avoid delays.


Utilities

Name - Description - Link

tp_api - ALL IN! Threat Emulation API, Threat Extraction API and Anti Virus API calls to an appliance.
https://github.com/CheckPointSW/appliance_tpapi/tree/master/tp_api

te_api - Threat Emulation API calls to an appliance
https://github.com/CheckPointSW/appliance_tpapi/tree/master/te_api

tex_api - Threat Extraction API calls to an appliance
https://github.com/CheckPointSW/appliance_tpapi/tree/master/tex_api

av_api - Anti Virus API calls to an appliance
https://github.com/CheckPointSW/appliance_tpapi/tree/master/av_api


Video

Demonstrating the use of Threat Emulation API calls to Appliance via curl commands.


Documentation references

Description - Link

Threat Prevention API reference guide. Note: The guide is common to both Cloud API and Appliance API, except for Threat Extraction API to appliance. - TPAPIRefGuide

SK for using API to appliance that includes Threat Extraction. - sk137032

Using the Threat Emulation early malicious verdict feature via API (te_eb feature). - sk117168_chapter4

Generating and retrieving the new Threat Emulation reports via API to appliance. - sk120357_chapter5

Enjoy

5 Replies
_Val_
Admin

Very nice!

Jarvis_Lin
Contributor

Hi,

Would you please demo how to do "extraction" in curl?

I ran this command, but it is not working:

curl --insecure -X POST \
https://x.x.x.x:18194/tecloud/api/v1/file/upload \
-H 'Content-Type: application/json' \
-F 'request={ "request": [{"file_name": "MyFile.docx", "file_type": "docx", "features": [ "extraction" ], "extraction": { "method": "clean" } } ] }' \
-F 'file=@/home/admin/MyFile.docx'

It shows

{
"response" : [
{
"features" : [ "extraction" ],
"file_name" : "MyFile.docx",
"file_type" : "docx",
"md5" : "98c85fd8326af531fc1b50d90d3479f3",
"sha1" : "9afd524f9874ebcc2968d82813645cc9984347ff",
"sha256" : "3debf5b8f820feef44b36c3353af050b09d5c5a06873a34f47b8db787c21d354",
"status" : {
"code" : 1004,
"label" : "NOT_FOUND",
"message" : "Couldn't find the requested file, please upload it"
}
}
]
}

Ofer_Fichman
Employee

Hi,

Already noted that you can't use extraction by Cloud API type (see attached screenshot named API_note.PNG).

An example ("demo") of extraction API to Appliance via curl - please find it in the attached text file named: Threat_Extraction_Appliance_API_curl_example.txt

Before running this curl command, make sure you replace:

  1. The x.x.x.x with the appliance ip-address.
  2. The nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn with the appliance api-key.

In this example I base64 encoded a small office excel file (I named it in the curl API call as "000102.xls").

Of course, before running the curl command, a reminder of the required settings described in the documentation for "extraction" in Appliance API calls: sk113599, sk137032

BTW, please find up-to-date Threat Extraction to Appliance API python utility here 

Let me know if you have any further questions.

BR,

Ofer


Jarvis_Lin
Contributor

Hi Ofer,

Thank you for your example, I understand.

Another question:

Is this the only way to get the cleaned file, by decoding "file_enc_data"?

Ofer_Fichman
Employee

Hi Jarvis Lin,

Yes, via API the only way to get the cleaned file is by base64 encoding the file content and setting it in the "file_enc_data" field in the Request.

BR,

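A worked example, added here as an illustration and not part of the original post or of the CheckPointSW utilities linked above. It covers the two API details this thread settles: the Threat Extraction request body with the file base64-encoded into "file_enc_data" (the request layout is the one from the curl command earlier in the thread), and how a client should interpret the response, treating the code 1004 / NOT_FOUND reply quoted above as a failure, checking that the sha256 the appliance reports matches the file actually submitted, and decoding the reconstructed file from a base64 field. The name of that response field ("extracted_file_enc_data"), the success status values and all sample data are constructed assumptions for the example; the real field names, the API key header and the appliance endpoint for extraction are in the TP API reference guide and sk137032. The HTTPS call itself is left out so the example runs offline.

```python
import base64
import hashlib
import json

# Constructed sample input standing in for the document a client would submit.
SAMPLE_FILE_NAME = "000102.xls"
SAMPLE_FILE_TYPE = "xls"
SAMPLE_FILE_BYTES = b"constructed sample file content, not a real spreadsheet"

# Constructed stand-in for the reconstructed (cleaned) file the appliance returns.
CLEANED_BYTES = b"constructed cleaned file content"


def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()


def build_extraction_request(file_name, file_type, content, method="clean"):
    """Build the JSON body for a Threat Extraction request to the appliance.

    request/features/extraction follow the curl command in the thread; the
    file content goes base64-encoded into "file_enc_data" as the accepted
    answer describes.
    """
    return {
        "request": [
            {
                "file_name": file_name,
                "file_type": file_type,
                "features": ["extraction"],
                "extraction": {"method": method},
                "file_enc_data": base64.b64encode(content).decode("ascii"),
            }
        ]
    }


def parse_extraction_response(response, submitted_content,
                              cleaned_field="extracted_file_enc_data"):
    """Interpret a single-entry appliance response.

    Returns the status code/label/message, whether the reported sha256 matches
    the bytes we actually sent (so the verdict refers to our file), and the
    decoded cleaned file or None. `cleaned_field` is an ASSUMED name for the
    base64 field carrying the reconstructed file.
    """
    entries = response.get("response", [])
    if len(entries) != 1:
        raise ValueError("expected one response entry, got %d" % len(entries))
    entry = entries[0]
    status = entry.get("status", {})

    reported = entry.get("sha256")
    hash_matches = (reported is not None
                    and reported.lower() == sha256_hex(submitted_content))

    cleaned = None
    enc = (entry.get("extraction") or {}).get(cleaned_field)
    if enc is not None:
        # validate=True rejects non-base64 junk instead of silently skipping it
        cleaned = base64.b64decode(enc, validate=True)

    return {
        "code": status.get("code"),
        "label": status.get("label"),
        "message": status.get("message"),
        "hash_matches": hash_matches,
        "cleaned_file": cleaned,
    }


# Constructed copy of the NOT_FOUND reply quoted in the thread; its hashes are
# those shown there, so they will not match SAMPLE_FILE_BYTES.
NOT_FOUND_RESPONSE = {"response": [{
    "features": ["extraction"],
    "file_name": "MyFile.docx",
    "file_type": "docx",
    "md5": "98c85fd8326af531fc1b50d90d3479f3",
    "sha1": "9afd524f9874ebcc2968d82813645cc9984347ff",
    "sha256": "3debf5b8f820feef44b36c3353af050b09d5c5a06873a34f47b8db787c21d354",
    "status": {"code": 1004, "label": "NOT_FOUND",
               "message": "Couldn't find the requested file, please upload it"},
}]}


def make_success_response(content):
    # Constructed success reply; status values and the "extraction" object are
    # assumptions, not taken from the API documentation.
    return {"response": [{
        "features": ["extraction"],
        "file_name": SAMPLE_FILE_NAME,
        "file_type": SAMPLE_FILE_TYPE,
        "sha256": sha256_hex(content),
        "status": {"code": 1001, "label": "FOUND", "message": "constructed"},
        "extraction": {
            "extracted_file_enc_data": base64.b64encode(CLEANED_BYTES).decode("ascii")},
    }]}


def demo():
    req = build_extraction_request(SAMPLE_FILE_NAME, SAMPLE_FILE_TYPE, SAMPLE_FILE_BYTES)
    wire = json.dumps(req)  # what would be sent to the appliance
    enc = json.loads(wire)["request"][0]["file_enc_data"]
    return {
        "roundtrip_ok": base64.b64decode(enc) == SAMPLE_FILE_BYTES,
        "not_found": parse_extraction_response(NOT_FOUND_RESPONSE, SAMPLE_FILE_BYTES),
        "success": parse_extraction_response(make_success_response(SAMPLE_FILE_BYTES),
                                             SAMPLE_FILE_BYTES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hash comparison is the check worth keeping in a real client: the appliance echoes md5/sha1/sha256 in every entry, so a client can confirm the verdict and the cleaned file belong to the bytes it submitted before handing the result on.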