IPQS Malware Scanning API: Scan Files & URLs for Malware
Use the IPQS malware scanning API to scan files and URLs for malware in real time. Includes request and response examples, quick vs. full scans, and best practices.
The IPQS Malware Scanning API: Scan Files and URLs for Threats
User-submitted content is one of the easiest ways for malicious files and links to reach your systems. The IPQS malware scanning API lets you scan files and URLs for malware in real time, before they ever touch your users or infrastructure. What sets it apart is integration: it works alongside the IPQS IP, email, phone, and URL threat data you may already use, so you can judge a file in the full context of who submitted it rather than in isolation.
This guide covers what the API does, how to call it, and how to combine it with other IPQS signals for a complete picture of risk.
What the malware scanning API does
The malware scanning API accepts a file, or a link to a file, and checks it for malicious content. You can call it two ways: a quick scan that returns cached results instantly, and a full scan that runs a deeper, multi-engine analysis. It is built for the moments where untrusted content enters your platform, such as contact forms, support tickets, account registrations, and user uploads. You can also try it through the file malware scanner dashboard before integrating.
Why scan files and URLs
Submitting malicious files and links through contact forms, emails, and registrations is a common and effective attack vector. A virus scan on its own is useful, but the strongest protection comes from analyzing the file together with the signals around it. The malware scanning API pairs naturally with the IPQS malicious URL scanner, which flags phishing and malware-hosting links, so you can cover both files and the URLs that accompany them.
How to use the malware scanning API
Integration is a single POST request that includes either a file or a link to a file. The full malware scanning API documentation covers every parameter, but the essentials are below.
Example request
Submit a file with a multipart form POST:
|
curl --request POST \ --url https://www.ipqualityscore.com/api/json/malware/scan/YOUR_API_KEY \ --header 'Content-Type: multipart/form-data' \ --form 'file=@/path/to/file/on/system.jpg' |
Example response
A scan returns a JSON response like this:
|
{ "success": true, "message": "Success", "file_name": "logo.svg", "file_hash": "2be56562e98ebf6707cf0c7262259a0d5e4d13ab...", "type": "scan", "detected": false, "detected_scans": 0, "total_scans": 0, "status": "cached", "result": [], "file_size": 3399, "file_type": "image/svg", "sha1": "60a7c92e5fc3a5083c59b7209c1f4ac43e0c1baa", "md5": "3644a1863360b6018e0ed4a4da763e0c", "update_url": "https://www.ipqualityscore.com/api/json/postback/YOUR_API_KEY?request_id=SomeID", "request_id": "SomeID" } |
Because a full scan runs multiple engines, it does not finish instantly. The response includes an update_url that you poll to retrieve the final verdict, which is usually ready within a few minutes.
Quick scan vs. full scan
The two endpoints differ only by a single path segment:
|
Quick scan: https://www.ipqualityscore.com/api/json/malware/lookup/YOUR_API_KEY Full scan: https://www.ipqualityscore.com/api/json/malware/scan/YOUR_API_KEY |
A quick scan checks whether the same file has been scanned in the last 24 hours and returns that cached result immediately. It is ideal when you need an instant answer and can tolerate an occasional no-result. A full scan performs a fresh, deep analysis against multiple tools and returns its verdict through the update_url once complete. A common pattern is to try the quick scan first and fall back to a full scan when there is no cached result.
Combining malware scanning with email and URL intelligence
Scanning a file in isolation can mislead you in both directions: a clean file from a clearly malicious sender is still a problem, and a flagged file from a trusted user may simply be an accident. The most reliable approach builds what we think of as an entity record, combining the file verdict with signals about the email address and domain behind it. In practice, you validate the submitter's email with the email validation API, run the email's domain through the URL scanning API, and submit the file to the malware scanning API, then read the results together.
The email and URL responses both return a fraud score from 0 to 100. As a rule of thumb, a score of 90 or above means the address or URL is confirmed abusive or fake and should be rejected, while 80 to 89 is risky enough to warrant extra scrutiny. Around that score, a handful of fields do most of the work:
• From email validation: recent abuse, risky TLD, SPF and DMARC records, and user activity, which together reveal spoofed, stolen, or dormant accounts.
• From the URL scanner: the malware and phishing flags, domain age, and page size, which expose newly registered lookalike domains and pages that pull malicious content in from elsewhere.
• From the malware scanning API: the file verdict itself.
A file flagged as malware is an easy block. The harder calls, such as whether to also block the user or simply reject the file, are where combining signals pays off. An aged domain with almost no email activity, an unusually small page size, and a missing content category are each minor on their own, but together they point to a staged attack rather than an honest mistake.
Best practices
• Use a quick scan when you need an immediate decision and a full scan when thoroughness matters. Many teams call the quick scan first and fall back to a full scan on a miss.
• Always poll the update_url for full-scan results rather than expecting them in the first response.
• Set your reject and review thresholds to match your risk tolerance, and lean on the combined signals rather than any single value.
• Scan at the point of submission, so malicious content is caught before it reaches storage, staff, or other users.
Frequently asked questions
What is the difference between a quick scan and a full scan?
A quick scan returns the cached result of a file scanned within the last 24 hours, instantly. A full scan runs a fresh, multi-engine analysis and returns its verdict asynchronously through the update_url.
Is the full malware scan synchronous?
No. A full scan runs multiple engines, so it does not return a verdict in the first response. You retrieve the result by polling the update_url, usually within a few minutes.
What can the malware scanning API scan?
It scans files, submitted directly or by link, for malicious content. Paired with the URL scanner, it also lets you evaluate the links that often accompany those files.
How do I integrate it?
Send a single POST request to the scan or lookup endpoint with your API key, as shown above. The full parameter list is in the documentation, and you can contact the IPQS team if you would like help mapping it to your use case.
Get started
Add malware scanning to your fraud stack in minutes. Start a free trial to get an API key, or schedule a demo for a guided walkthrough of how IPQS scores file, URL, email, and IP risk together.
Share this article