The IPQS Malware Scanning API
Scan files and URLs via API to detect malware with response fields, examples, and best practices.
IPQualityScore is best known for its proxy and malicious bot protection, but we continuously strive to offer more robust security solutions to help fight fraud. With that goal in mind, IPQS launched the malware file scanning API in late 2023.
IPQualityScore hasn’t made a big fuss about the antivirus file scanner. Let’s face it: big names in the AV industry already offer web-based malware scanners, and those tools have been around for years. It’s not an innovative product.
However, IPQS is committed to doing what we do best: proactively fighting fraud. Protecting digital services from bot attacks, account takeovers, etc., by performing threat analysis in real-time is only one piece of the puzzle. Attack vectors come in all shapes and sizes.
Customers asked for additional solutions to build on top of IP, email, phone, and URL threat data to detect and eliminate fraudulent activities, especially for user-submitted content. While web-based malware scanning tools are a dime-a-dozen, offering a comprehensive solution that integrates directly with our existing products made sense. Thus, the IPQS malware scanning API was released.
Are you ready to try the virus scanning API yourself? Test drive the AV file-scanning API with our web dashboard.
How to use the IPQS Malware Scanning API
The malware scanning API can be accessed programmatically or through the web-based dashboard. Documentation for the malware scanning API can be found here, and the web dashboard can be found here.
Using the malware scanning API is simple. Submit a POST request to the API endpoint that includes a file or a link to a file. We offer an API endpoint for a quick scan and a full scan.
Here’s an example using cURL:
curl --request POST \
--url https://www.ipqualityscore.com/api/json/malware/scan/IPQS_API_KEY \
--header 'Content-Type: multipart/form-data' \
--header 'User-Agent: insomnia/9.0.0' \
--form file=@/path/to/file/on/system.jpg
The example above submits a POST request using a multi-part form to send the data blob (the file itself) to IPQS. This example submits the request for a full virus scan. The malware scanning API will return a response that looks like this:
{
"file_name": "logo.svg",
"success": true,
"message": "Success",
"file_hash": "2be56562e98ebf6707cf0c7262259a0d5e4d13abc27dd0a004599f6b66375845",
"type": "scan",
"detected": false,
"detected_scans": 0,
"total_scans": 0,
"status": "cached",
"result": [],
"file_size": 3399,
"file_type": "image\/svg",
"sha1": "60a7c92e5fc3a5083c59b7209c1f4ac43e0c1baa",
"md5": "3644a1863360b6018e0ed4a4da763e0c",
"update_url": "https:\/\/www.ipqualityscore.com\/api\/json\/postback\/IPQS_API_KEY?request_id=SomeID",
"request_id": "SomeID"
}
The ‘update_url’ value in the response above is used to check the status and results of the malware scan as needed. A full antivirus scan takes some time, so an immediate response cannot be offered during the first API call. Use the ‘update_url’ to check the status of a malware scan later. Most antivirus scans are completed within a few minutes.
What is the difference between a quick scan and a full malware scan?
A quick scan checks the IPQS database to see if the same file has been scanned within the last 24 hours. If it has, the malware scanning API returns those results in the response.
The quick scan option is available for customers who want an immediate answer from the API. It’s not guaranteed to return a result, but if the same file was scanned within the past 24 hours, the quick scan option is a great way to progress through your logic tree without waiting for the antivirus results.
A full scan is a traditional malware check. The full scan option performs a deep dive against a file using multiple tools to check a file for malicious content.
Unfortunately, the full scan option does not return an immediate result. Scanning files for malware takes some time. Submitting a file to the malware scanning API using the full scan option returns a URL in the API response to check the status and results of the antivirus scan for future use.
An example of the initial API response is copied in the section above.
How do I use a quick scan and a full antivirus scan?
The IPQS malware scanning API has two endpoints for malware detection. Both are very similar. Changing the antivirus scan to a quick or full scan is as simple as changing a parameter in the API URL.
Quick scan: https://www.ipqualityscore.com/api/json/malware/lookup/API_KEY
Full scan: https://www.ipqualityscore.com/api/json/malware/scan/API_KEY
Calling the malware scanning API to perform a quick scan includes ‘lookup’ in the final subdirectory portion of the URL, while a full scan swaps ‘lookup’ for ‘scan.’ Otherwise, calling the IPQS malware scanning API is the same.
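The following is an added example (not IPQS’s own client code) that ties the pieces above together: it builds the same multipart POST the cURL command sends, chooses the ‘lookup’ or ‘scan’ endpoint, and then polls the ‘update_url’ from the response until the full scan has finished. The multipart builder, the injectable `send` transport and the `scan_finished` rule are assumptions for this example; only the endpoint URLs and the `update_url` field come from the article.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Endpoint URLs and the update_url field are from the article; the multipart
# builder, transport injection and the finished-scan test are assumptions.
FULL_SCAN = "https://www.ipqualityscore.com/api/json/malware/scan/{key}"
QUICK_SCAN = "https://www.ipqualityscore.com/api/json/malware/lookup/{key}"

def build_multipart(field: str, filename: str, data: bytes) -> Tuple[bytes, str]:
    """Build a one-part multipart/form-data body, as curl --form file=@... does."""
    boundary = "----ipqs-example-boundary"
    head = (f"--{boundary}\r\nContent-Disposition: form-data; "
            f'name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"

def http_json(url: str, body: Optional[bytes] = None,
              content_type: Optional[str] = None) -> Dict:
    """Default transport: POST when a body is given, otherwise GET; decode JSON."""
    req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def submit_scan(key: str, filename: str, data: bytes, quick: bool = False,
                send: Callable = http_json) -> Dict:
    """Submit the file to the quick (lookup) or full (scan) endpoint."""
    url = (QUICK_SCAN if quick else FULL_SCAN).format(key=key)
    body, content_type = build_multipart("file", filename, data)
    return send(url, body, content_type)

def scan_finished(resp: Dict) -> bool:
    # Assumption: results are final once the file was served from the cache
    # or engines have reported; check the live docs for the exact status values.
    return resp.get("status") == "cached" or resp.get("total_scans", 0) > 0

def wait_for_result(resp: Dict, send: Callable = http_json, attempts: int = 10,
                    delay: float = 30, sleep: Callable = time.sleep) -> Dict:
    """Poll update_url until the full scan completes (most finish in minutes)."""
    for _ in range(attempts):
        if scan_finished(resp):
            return resp
        sleep(delay)
        resp = send(resp["update_url"])
    return resp
```

Keep the `request_id` from the first response so the pending file can be matched to the user submission when the result arrives.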
Protecting Users from Malicious Files
We’ve explained the malware scanning API, why IPQS added it to our product line, and how to use it. Now, let’s dig a bit deeper into how to combine the antivirus API with other IPQS products to enhance your fraud-fighting toolset. We will use the email validation API and URL scanner with the malware scanning API to offer a robust method for protecting user accounts and preventing phishing attacks through contact forms and emails.
The email validation API and URL scanner documentation can be found in our knowledge base.
This article won’t cover how to use the email validation API or URL scanner in depth. That’s beyond its scope. If you need help, send us a help ticket here. We’ll be happy to walk you through using both APIs.
Submitting malicious files via contact forms, emails, and user account registrations is a common attack vector. However, protecting digital services from malicious actors requires more than virus scanning tools. The IPQS API can be utilized to perform a more comprehensive threat analysis against various data points common in each of those scenarios.
Fraud Score Explained
The email validation API and URL scanner both return a ‘fraud score’ in the API response. The fraud score indicates how likely an email address or URL is to be malicious. A fraud score of 90 or above indicates that the email address or URL has been confirmed to be associated with recent abusive activities or is fake. Both return other data points, too.
The email validation API will state whether an email address is a known honeypot, associated with scammers, disposable, and more. The URL scanner will state what kind of content is associated with it, whether the URL has been used to host malware, whether it has been associated with phishing attacks, and other helpful information.
Combining IPQS API Response Values
Let’s combine all three APIs to create what I prefer to call an ‘entity record.’
First, submit an email address to the IPQS email validation API. Then, split the email address at the ‘@’ symbol and submit the email domain to the URL scanner. Finally, send the user-submitted file to the malware scanning API and wait for the antivirus results.
Look for these response values:
Email validation API
- Fraud Score
- Recent Abuse
- Risky TLD
- SPF Record
- DMARC Record
- SMTP Score
- Overall Score
- User Activity
URL Scanner
- Risk Score
- Phishing
- Malware
- Short Link Redirect
- Domain Age
- Page Size
- Domain Velocity
Malware Scanning API
- Result
The goal is to mix and match those values to determine the user's overall threat rather than examine each data point in a vacuum. Determining the risk threshold for those values depends on your level of risk aversion.
Evaluating the Fraud Score
Generally, email addresses, URLs, IP addresses, etc., with a fraud score of 90 or greater should be rejected. As mentioned above, a high fraud score means the email address or URL has been confirmed to be associated with recent abuse or is fake. A fraud score of 80-89 indicates that an email address or URL is risky, but we aren’t 100% comfortable saying stay away from it.
Evaluating Email Validation Data
Check the ‘risky TLD,’ ‘SPF record,’ and ‘DMARC record’ values to determine if there’s a possibility that an email address is spoofed, stolen, or belongs to a domain with a known history of abuse.
The SMTP and overall score are used to determine the validity of an email address. If the SMTP score is 2 and the overall score is 3, there’s a good chance that the email address belongs to an email server configured to accept all emails sent to that domain (e.g., a catch-all email). There are legitimate uses for a catch-all email address, but not all businesses want to accept them.
Evaluating URL Scanner Data
The risk score is another term for the fraud score. The label ‘risk score’ is more appropriate for a URL. Treat the risk score in the same way as a fraud score.
The ‘malware’ and ‘phishing’ values in the URL scanner response are self-explanatory. However, the ‘redirect URL,’ ‘domain age,’ and ‘page size’ are not. The ‘redirect URL’ states whether the URL is passed through a link shortener service. The ‘domain age’ states how long the domain has been registered. The ‘page size’ is the payload size of the page served by the URL.
Combining these three data points is a good indicator of a malicious URL. Bad actors try to hide malicious URLs in link-shortening services like Bit.ly. They also try to use new domains that look official to trick people (i.e., social engineering). Another common tactic is to hydrate web pages from external sources with JavaScript to hide malicious code. Typically, web pages that use this tactic have a tiny page size.
Combining the Email validation, URL scanner, and malware detection API to create an entity record
Examining an email address or URL in a vacuum can lead to red herrings. For instance, an email address may have an elevated fraud score and is a catch-all email address, but it is used for marketing purposes. This type of email address may be caught in filters by accident.
Likewise, a URL could look malicious on the surface and have a small page size, but it could be a legitimate URL with a well-optimized static website. You may not want to block this URL.
So, we combine all three API responses to form a more holistic view of the problem.
For example, a bad actor may utilize an aged domain with very little activity that hosts email. That bad actor could use a new email address created against the aged domain to create an account for an online community with the purpose of spreading malware.
Unfortunately, this is a common tactic used in the cryptocurrency community to steal Bitcoin wallets.
In this scenario, the email address will likely return a low fraud score with a domain age of a year or more. However, the email address may pass email validation.
The email domain may return a low fraud score because it has had very little activity against it, but the URL page size may be abnormally small (e.g., 10 kilobytes). If the page size is that small and the domain is old, that’s an immediate red flag. That URL should be examined further.
Finally, the bad actor submits a file containing malware. The file should be blocked immediately. That much is obvious, but the question becomes whether:
- the user that submitted the file should be blocked,
- the user should be put under further review, or
- the user account should remain active while the file itself is rejected.
After all, the email address and domain passed validation, right? The user could have submitted a bad file accidentally.
We can look at other response values to make that determination. The URL's page size is abnormally small, and it has good DNS A records. That’s already suspicious. If the URL doesn’t have a content type associated with it (e.g., adult content, shopping, sports, etc.), it’s very likely the domain is hydrating the DOM from external sources.
If the email address has low or no user activity, that is another red flag. An aged domain with existing email addresses should have some activity against those email accounts, especially if the DMARC record is valid.
Depending on your level of risk aversion and given those response values, it may be a wise idea to investigate the user account further.
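As an added example (not IPQS code), the scoring logic below turns the ‘entity record’ rules from the sections above into one decision function: the 90/80 fraud and risk score thresholds, the SMTP 2 / overall 3 catch-all signal, the aged domain with a tiny page and no content category, the low-activity mailbox on an aged domain, and the malware result. The response field names, the `SMALL_PAGE_BYTES` cutoff and the rule that decides between ‘review’ and ‘accept’ are assumptions; map them to the real response fields from the API documentation.

```python
from typing import Dict, List, Tuple

# Thresholds below come from the article (fraud/risk score 90 and 80, SMTP 2 with
# overall 3, ~10 KB page, domain age of a year). Response field names, the
# 'review' rule and the sample records are assumptions for this example.
REJECT_SCORE = 90
RISKY_SCORE = 80
SMALL_PAGE_BYTES = 10 * 1024
AGED_DOMAIN_DAYS = 365
FILE_FLAG = "uploaded file detected as malware"

def assess_entity(email: Dict, url: Dict, malware: Dict) -> Tuple[str, bool, List[str]]:
    """Combine the three responses into (user_decision, file_allowed, reasons)."""
    reasons: List[str] = []
    hard_reject = False
    # Fraud score / risk score: 90+ is confirmed abuse or fake, 80-89 is risky.
    for name, score in (("email fraud score", email.get("fraud_score", 0)),
                        ("url risk score", url.get("risk_score", 0))):
        if score >= REJECT_SCORE:
            hard_reject = True
            reasons.append(f"{name} {score}: confirmed abusive or fake")
        elif score >= RISKY_SCORE:
            reasons.append(f"{name} {score}: risky")
    if email.get("recent_abuse") or url.get("phishing") or url.get("malware"):
        hard_reject = True
        reasons.append("recent abuse, phishing or malware hosting reported")
    # SMTP score 2 with overall score 3 usually means a catch-all mail server.
    if email.get("smtp_score") == 2 and email.get("overall_score") == 3:
        reasons.append("catch-all mail server")
    aged = url.get("domain_age_days", 0) >= AGED_DOMAIN_DAYS
    tiny = url.get("page_size", 0) <= SMALL_PAGE_BYTES
    if aged and tiny:
        reasons.append("aged domain serving a tiny page")
        if not url.get("category"):
            reasons.append("no content category: page likely hydrated from external sources")
    if url.get("short_link_redirect") and not aged and tiny:
        reasons.append("short link redirect to a new domain with a tiny page")
    if aged and email.get("user_activity", "none") in ("none", "low"):
        reasons.append("aged domain but little or no mailbox activity")
    file_allowed = not malware.get("detected", False)
    if not file_allowed:
        reasons.append(FILE_FLAG)
    # The file is always dropped when detected; the account decision depends on the rest.
    other_flags = [r for r in reasons if r != FILE_FLAG]
    if hard_reject:
        return "reject", False, reasons
    if (not file_allowed and other_flags) or len(other_flags) >= 2:
        return "review", file_allowed, reasons
    return "accept", file_allowed, reasons
```

A clean email and domain with a single detected upload comes back as ‘accept’ for the account and rejected for the file, which is the accidental-upload case the text describes; the same upload on an aged, tiny, uncategorised domain with an inactive mailbox lands in ‘review’.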
Get Started Today
There are many ways to use the IPQS malware scanning API. We’ll cover more scenarios in future articles. You can also contact us to learn more about the IPQS fraud prevention services.
Are you ready to learn how the IPQS API can proactively fight fraud for you? Schedule a meeting with our team today!