T4InitS uses "init_config", T4ScanS uses "scan_config". { "init_config" : { "vdb": "C:\\vdb\\T3Sigs.vdb", // path to the Virus Definition Database. Can be false to try to load the engine without VDB. "vdb_linux": "", // if set, specifies the path to the Virus Definition Database for Linux. This allows using the same config with absolute paths on Windows and *nix "vdb_type": "default", // it can be 'default', 'android', 'common', or 'any'. Default is ["default"] "tmp_path": "$auto", // Sets the Temp Path. It can be '$auto', '$none', or a directory. Default: "$none" "no-tmp-crc": false, // Disables checksum verification for already scanned files. Default [false] "no-cache-invalid-password": false, // Don't cache password-protected files as clean when no valid password is provided. Default [false] "no-cache-mailbomb": false, // Don't cache mailbombs as clean. Default [false] "no-cache-multivol": false, // Don't cache parts of multivolume archives as clean. Default [false] "cache-leaves-only": false, // Enables cache only on leaves of the scan tree. The use of "no-tmp-crc" overrules this. Default [false] "no-init-threads": false, // Disables thread creation on T4Init. No threaded loading of the VDB. Requires an explicit call to T4InitThreads() before T4ScanS() is used. Default [false] "crashdump_path": "crashdir", // directory to store crash dumps. Available only on Windows "time-factor": 1.0, // scales all returned scan times by the factor value. Default is [1.0] "sigqa": { "enabled": true, // if SigQA shall be activated //"proxy": "proxy_url", "max_files": 0, // 0 means default, which is 20 "timeout": 0, // 0 means default, which is 20 minutes }, "fastdiff": // optional: fastdiff config { "enabled": false // to activate the real-time signature updates from our backend }, }, "scan_config" : { "max_file_size": 128000000, // maximal filesize to scan (in bytes). Default [infinite] "stream_timeout": 5, // The timeout, in seconds, for the scan of a single item. 
Default [infinite] "global_timeout": 60, // The global timeout, in seconds, for the scan. Default [infinite] "kill_timeout": 0, // If not 0, causes the application to crash if the scan doesn't terminate after the given number of seconds despite the timeout being set. // It can be useful to restart the service during unexpected hangs (caused for example by faulty IO). Default [not set] "max_extract_size": 2000000000, // Abort the scan after this amount of extracted data is reached (approximately). If the limit is hit, returns T4_ERR_EXTRACT_LIMIT. Default [not set] "aggressive_memory_control": false, // Enable aggressive checking for memory exhaustion (useful when scanning large files, which might exhaust RAM/swap/HDD temp space). Default [false] "options": { "verbose_item_info": true, // outputs verbose information about each scanned item. Default [false] "filetype_names": true, // additionally, output filetypes as names. Default [false] "filetype_parents": true, // output all parents of the filetype (only for items). Default [false] "filetype_only": false, // only detect filetype, don't scan - can be used in conjunction with options "filetype_names" and "filetype_parents". Default [false] "report_all_sigs": true, // all signatures will be reported. Default [false] "disable_adware_scan": false, // disable PUA/Adware signatures. Default [false] "skip_sig_name": false, // output only sigid, not the name. Default [false] "report_item": false, // output infected item name. Default [false] "report_passwords": true, // save found passwords. 
Default [false] "disable_boot_simulation": false, // Default [false] "disable_exe32_simulation": false, // Default [false] "disable_exe64_simulation": false, // Default [false] "disable_js_simulation": false, // Default [false] "disable_pcode_simulation": false, // Default [false] "force_js_simulation": false, // always invoke the JS Simulator, don't use the heuristic to decide if the script needs to be simulated "disable_unpacking": false, // disable scanning of archives. Default [false] "disable_exception_handler": false, // disables any exception catching. Default [false] "disable_sigqa": false, // disables SigQA for this scan. Default [false] }, "passwords": ["infected", "test"], // list of passwords to try. Raises an error if T4SetPwdListCallback has been called! Default: empty. "pseudosigs": // configures which pseudosigs to fire. Default all to [false] { "as_mail_item": false, "mz_is_suspicious": false, "enc_archive_bad": false, "enc_archive_bad_name": false, "damaged_mz": false, "autoopen_macros": false, "EncDocIsBad": false }, "output": // result parameters { "pretty": true, // if the JSON shall be pretty-printed. Default[false] "disabled": false // disables the output completely. Useful if you are only interested in calling T4IsInfected(). Default [false] }, "input": // can optionally provide the input { "filename": "C:\\work\\code_in_pe_header\\263224063.dll", // utf-8 encoded filename. Default [not set] "fn_base64": "L3RtcC9G9vY=", // base64-encoded filename. Can be used to provide a filename with invalid characters. Overrides "filename". Default [not set] "filetype": 3261, // it can be set to skip the filetype identification. Default [not set] }, "items": // allows to dump extracted items. 
Default: not set { "dump_items": [], // it can be an array of filetypes or "all" "folder": "C:\\work\\items\\", // where to save the items }, }, } Output: { "file": "filename", // utf-8 encoded filename "fn_base64": "", // if fn_base64 is provided in input options, the base64-encoded filename is returned here "result": { "crc64": filehash, // internal hash of the scanned file "filetype": filetype_id, // the integer detected filetype "filetype_name": "filetype_name", // in case filetype_names is true, set to the description of the filetype "status": "infected"/"adware"/"pseudosig"/"clean", "sigid": found_signature_id, // in case a signature has been found, the signature id is set "signame": "signature name", // in case a signature has been found and skip_sig_name is false, the signature name is written "infected_item": "path1==>path2==>...==>name", // in case a signature has been found and report_item is true, the path to the infected_item is dumped // in case a negative indicator has been found, the details are output "neg_type": "whitelisted"/"known_header"/"certificate"/"cached", "neg_header_id": negative_header_id, "neg_cert": neg_cert_sha, "num_items": total_number_of_items_scanned, // number of subitems contained in the scanned file "time": used_time, // total scan time "error_code": error_code_on_error, // on error, set to T4_ERR_*. The most important are: // 4 = File I/O read error. // 7 = A timeout occurred in an item. // 21 = An item is password protected or the given password is invalid. // 23 = The file exceeds the max file size parameter. // 24 = This is a multi volume archive. // 25 = This is a mail bomb archive. // 28 = A global timeout occurred. "errors": ["error1", "error2", ...] 
// text description of some errors that occurred during scanning }, "items": // present if // 1) verbose_item_info is true // 2) a password has been used to decrypt the item and report_passwords is true // 3) dump_items is set, and the item has been dumped to disc [ { "id": item_id, "name": "item name", "dump": "saved_dump_file_path", //in case the item has been dumped, the file path is stored here "crc": item_crc64, "filesize": filesize, "runtime": execution_time, //scan time of the item "filetype": filetype_id, "filetype_desc": "filetype name", // if filetype_names is true, has the description of the filetype "ft_parents": [filetype1, filetype2, ...], //if filetype_parents is true, shows all parents of the detected filetype "ft_parents_desc": ["filetype1", "filetype2", ...], "status": "infected"/"adware"/"pseudosig"/"clean", // scan result for the item "statistics": { "sigids": [ sigid1, sigid2, ... ], // found signatures "passwords": [ "pwd1", "pwd2", ... ], // passwords which were used for decryption "valid_certs": [ "sha1", ...], // valid whitelisted certificates found "invalid_certs": [ "sha1", ...], // invalid whitelisted certificates found "known": true/false, // set to true if the item is whitelisted } }, ... ], "signatures": [ //in case report_all_sigs is specified, contains all found signatures during scan { "item": item_id, // the item id where the signature has been found "id": sigid, // the signature id "name": "signame", // the signature name, unless skip_sig_name is true "type": signum/"crc"/"pseudosig", // either the signature type as number, or "crc" in case of blacklist, or "pseudosig" in case it is a pseudosig "adware": true/false, // set to true for adware sigs. Default: [false] }, ... 
], "whitelisted_certs": // if report_all_sigs is set, contains the set of items which were detected to have a valid whitelisted certificate [ { "crc": item_crc, "item": item_id, "sha": "cert_hash", "has_overlay": false/true // if set to true, the item has a non-signed part, which has been scanned }, ... ], }