Metadefender provides asynchronous API calls (stateless) and data_id is used for identifying a specific process job. It is obtained from initial data (e.g., file) upload and can be used any time as long as scan history is preserved on the server side. It is generated randomly from the server and guaranteed to be unique so it can be used without worrying about having duplicate data_id. Not applicable for hash look up.

scan result from each engines along with other metadata for scanning job.

static file information and analyzed file type based on contents

overall process status and information including applied workflow and action results such as sanitization.

list of files inside of an archive file. If file is not an archive file or not extracted, this block will not be present.

Process node

Only applied if user scanned with user_agent

Percentage of processing completed

Scale of 0-100

A string which identifies the user. This is used for mapping to a specific workflow.

The profile name. This is what the user_agent mapped to.

The final result of processing the file

Possible values:

Possible Process Results (COM)

"Not processed": default value set in REST before the file is processed by Core

The reason for a file being blocked

Possible list values:

• Failed to request a process: "Process Failed"

• Possible Blocked Reasons (COM)

"null": default value set in REST before the file is processed by Core

Indicates if the input file's detected type was configured to skip scanning

JSON Boolean type

Post processing node

Exists only if post processing was configured

List of post processing actions ran

Delimited by " | "

Possible list values: "Sanitized | Copied | Moved | Quarantined | Deleted | Ran Script"

*Copied and Moved will never exist together
*Quarantined and Deleted will never exist together
*(Copied/Moved) and (Quarantined/Deleted) will never exist together

List of post processing actions that failed

Delimited by " | "

Possible list values: "Sanitization Failed | Copy Failed | Move Failed | Quarantine Failed | Delete Failed | Ran Script Failed"

*Copy Failed and Move Failed will never exist together
*Quarantine Failed and Delete Failed will never exist together
*(Copy/Move Failed) and (Quarantine/Delete Failed) will never exist together

Extension the file was converted to

If the string contains a file type, the converted file can be downloaded

Destination to where the file was copied/moved

Location where the converted file exists

Populated only when files are configured to be stored. Not applicable for hash look up. This is unique per file so if same file is scanned twice, file_id would be identifical.

Global scan results, meta data, and scan reports from all engines.

File metadata, hash value, analyzed file types

Array of scan results for engines

See table below for descriptions

Name of threat if detected by engine. Non ASCII characters removed.

Definition time of engine at the time of scan

Elapsed scan time in mili-seconds per engine

This value will be set to true

• if engine definition has changed.

• any engine is missing scan results such as "failed to scan", "not scanned"

See table below for descriptions

Elapsed scan time in milli-seconds from when scan is initiated with the first engine until the last engine has completed.

Number of engines used for scanning

Indicator if scan is in progress

How many files are in queue before this scan request: 0 means it is being scanned or finished scanning.

First time file is uploaded to the server (even if file is rescanned this value will be preserved)

High level categorization of file type see reference for descriptions

Basic information and reference to the data_id of the original file (actual archive file, not the extracted contents)

Basic information about the included files in the archive can be found in the files_in_archive property.

• Files_in_archive only contains maximum 50000 results.

• Entries with a non-zero scan_result_i always appear first.

• More information about individual entries can be queried with the data_id

The data_id under extracted_files is the reference to the engines summary or consolidated result for the archive.

When the scan result for a file within an archive is queried, this refer to the containing archive file.

No Threats Found

No threat detection or the file is empty

Infected/Known

Threat is found

Suspicious

Classified as possible threat but not identified as specific threat.

Failed To Scan

Scanning is not fully performed (For example, invalid file or no read permission). If no engine is included and scan is enabled, this will be the final result.

Cleaned / Deleted

Threat is found and file is cleaned (repaired or deleted): repair is not supported yet

Unknown

Unknown signature. NOTE: this is only used in multiple hash lookup. For single hash lookup, scan_result_* are not returned as response. see Retrieve scan report by hash (duplicate) for more details.

Quarantined

File is quarantined

Skipped Clean

Scan is skipped because this file type is in white-list*

Skipped Infected

Scan is skipped because this file type is in black-list*

Exceeded Archive Depth

Threat is not found but there are more archive levels which were not extracted.

Not Scanned / No scan results

Scan is skipped by the engine either due to update or other engine specific reason. If scan is disabled, this will be the final result.

Aborted

All ongoing scans are purged

Encrypted

File/buffer is not scanned because the file type is detected as encrypted (password-protected). If the Internal Archive Library is ON encrypted return type is not going to be returned through Metascan scan progress callbacks since the engines do not perform any scan operations. If the Internal Archive Library is OFF Metascan will pass the encrypted files to the engines directly, bypassing the detection.

Exceeded Archive Size

The extracted archive is too large to scan

Exceeded Archive File Number

There are more files in the archive than configured on the server

Password Protected Document

Document that is protected by a password [e.g. Office documents or PDFs that require a password to view its contents]

Exceeded Archive Timeout

The archive process reached the given timeout value. This result is supported from Core version 4.4.0.

"E"

Executable (EXE, DLL, …)

"D"

Document (MS Office word document, MS Office excel sheet)

"A"

Archive (Zip, Rar, Tar, …)

"G"

Graphical format (Jpeg, GIF, TIFF, BM P, …)

"T"

Text

"P"

PDF format

"M"

audio or video format

"Z"

mail messages (MSG, …)

"I"

Disk image

"O"

Other (anything that is not recognize d as one of the above)