This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ofer_Fichman
Employee Alumnus
Employee Alumnus
‎2020-04-22 11:07 AM

Best Practices for Threat Prevention API Calls to Appliance

Jump to solution

The Check Point Threat Prevention API lets you use Threat Prevention products through web services.   

Threat Prevention API calls can be used either to Threat-Cloud or to a local Appliance.

Here we focus on Threat Prevention API to Appliance.

We can use Threat Prevention API calls to an appliance, when we’d like to scan files and/or clean their suspicious parts, in an environment where these files don’t go through the gateway traffic, however there’s an appliance with Threat Emulation enabled and/or Threat Extraction enabled.

Using API calls to Threat Emulation and/or Anti Virus  on the appliance, we detect whether files are malicious. Threat Emulation includes detecting unknown malware and Zero-day attacks.

Using API calls to Threat Extraction on the appliance, we proactively block malware and we are enabled to deliver reconstructed files to avoid delays.

 

Utilities

Name Description Link
tp_api ALL IN ! Threat Emulation API, Threat Extraction API and Anti Virus API calls to an appliance.

https://github.com/CheckPointSW/appliance_tpapi/tree/master/tp_api

te_api

Threat Emulation API calls to an appliance

https://github.com/CheckPointSW/appliance_tpapi/tree/master/te_api
tex_api Threat Extraction API calls to an appliance

https://github.com/CheckPointSW/appliance_tpapi/tree/master/tex_api
av_api Anti Virus API calls to an appliance

https://github.com/CheckPointSW/appliance_tpapi/tree/master/av_api

 

Video

Demonstrating the use of Threat Emulation API calls to Appliance  via curl commands.

PhoneBoy_1-1587582234251.gif

(view in My Videos)

PhoneBoy_0-1587582223457.gif

Documentation references

Description Link

Threat Prevention API reference guide.

Note: The guide is common to both Cloud API and Appliance API, except for  Threat Extraction API to appliance.		 TPAPIRefGuide 

SK for using API to appliance that includes Threat Extraction.

 sk137032 
Using the Threat Emulation early malicious verdict feature via API (te_eb feature). sk117168_chapter4 
Generating and retrieving the new Threat Emulation reports via API to appliance. sk120357_chapter5 

 

Enjoy

1 Solution

Accepted Solutions
Ofer_Fichman
Employee Alumnus
Employee Alumnus
‎2021-03-20 11:22 PM
In response to Jarvis_Lin

Jump to solution

Hi Jarvis Lin,

Yes, via API the only way to get the cleaned-file is by base64 encoding the file content and set it in "file_enc_data" field in the Request.

BR,

View solution in original post

5 Replies
_Val_
Admin
Admin
‎2020-04-25 01:10 PM

Jump to solution

Very nice!

 

0 Kudos
Jarvis_Lin
Contributor
‎2021-03-20 01:24 AM

Jump to solution

Hi,

 

Would you please demo how "extraction" in curl?

 

I run these command, but not working

curl --insecure -X POST \
https://x.x.x.x:18194/tecloud/api/v1/file/upload \
-H 'Content-Type: application/json' \
-F 'request={ "request": [{"file_name": "MyFile.docx", "file_type": "docx", "features": [ "extraction" ], "extraction": { "method": "clean" } } ] }' \
-F 'file=@/home/admin/MyFile.docx'

It shows

{
"response" : [
{
"features" : [ "extraction" ],
"file_name" : "MyFile.docx",
"file_type" : "docx",
"md5" : "98c85fd8326af531fc1b50d90d3479f3",
"sha1" : "9afd524f9874ebcc2968d82813645cc9984347ff",
"sha256" : "3debf5b8f820feef44b36c3353af050b09d5c5a06873a34f47b8db787c21d354",
"status" : {
"code" : 1004,
"label" : "NOT_FOUND",
"message" : "Couldn't find the requested file, please upload it"
}
}
]
}

0 Kudos
Ofer_Fichman
Employee Alumnus
Employee Alumnus
‎2021-03-20 11:03 AM
In response to Jarvis_Lin

Jump to solution

Hi,

Already noted that you can't use extraction by Cloud API type (see attached screenshot named API_note.PNG).

An example ("demo") of extraction API to Appliance via curl - please find in attached text file named: Threat_Extraction_Appliance_API_curl_example.txt   

Before running this curl command, make sure you replace :

  1.  The x.x.x.x with the appliance ip-address.
  2.  The nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn with the appliance api-key.

In this example I base64 encoded a small office excel file (I named it in the curl API call as "000102.xls").

Of course, before running the curl command, reminding required settings described in documentation for "extraction" in Appliance API calls :  sk113599 ,  sk137032 

BTW, please find up-to-date Threat Extraction to Appliance API python utility here 

Let me know if you have any further questions.

BR,

Ofer

 

 

 

Preview file
154 KB
Preview file
34 KB
Jarvis_Lin
Contributor
‎2021-03-20 11:05 PM
In response to Ofer_Fichman

Jump to solution

Hi Ofer,

Thank you for your example, I understand.

Another question:

Is this a only way to get cleaned-file from "file_enc_data" by decoded?

0 Kudos
Ofer_Fichman
Employee Alumnus
Employee Alumnus
‎2021-03-20 11:22 PM
In response to Jarvis_Lin

Jump to solution

Hi Jarvis Lin,

Yes, via API the only way to get the cleaned-file is by base64 encoding the file content and set it in "file_enc_data" field in the Request.

BR,