About
Detection on DemandEndpoint SecurityHelix
Detection on DemandEndpoint SecurityHelix
Community

Frequently Asked Questions

Here are some questions that were recently asked by testers using the service. We will do our best to update the FAQs as common questions come in. Don't forget you can ask questions in our Developer Community

What Files Can I Submit?

You can upload any file as long as it meets the file size requirement, which is currently 100 MB. There are no limitations on file extensions (or lack thereof).

If you attempt to submit a file greater than 100 MB in size, then you will receive a 403 "Forbidden" response with a body that will look like this:

<html>
  <head>
	  <title>403 Forbidden</title>
  </head>
  <body bgcolor="white">
    <center>
      <h1>403 Forbidden</h1>
    </center>
  </body>
</html>

It is not advisable to try and truncate a large file to make it fit within the file size limit because FireEye cannot guarantee the file is not malicious, since malware can be embedded anywhere in a file.

How is Maliciousness Determined?

The FireEye Malware Protection System features dynamic, real-time analysis for advanced malware using our patent-pending, multi-flow Multi-Vector Virtual Execution (MVX) engine. The MVX engine captures and confirms zero-day and targeted APT attacks by detonating suspicious files, web objects, and email attachments within instrumented virtual machine environments.

The MVX engine performs multi-flow analysis to understand the full context of an advanced targeted attack. Stateful attack analysis is critical to trigger analysis of the entire attack lifecycle, from the initial exploit to data exfiltration. This is why point products that focus on a single attack object (such as malware executable (EXE), dynamic linked library (DLL), or portable document format (PDF) file types) will miss the vast majority of advanced attacks, because they are blind to the full attack lifecycle.

The Detection On Demand service is built on top of our MVX engine, and the results are returned to you via a report.

Can I See the Scan's Progress?

When you submit a file, you will receive a report_id value. Use this key to make a GET request to /reports/{report_id} to see the progress of your file submission. The current best practice with our API is to implement polling and request the report every 1-2 minutes. Webhooks will be implemented in future iterations.

What is the rate limit for the API?

Rate-limiting is a per-account (not per-API) basis. You are limited to 100 requests/minute for posting new files, 300 requests/minute for retrieving reports, and 200 requests/minute for retrieving hashes.

Is there an on-prem version of Detection On Demand, or is it cloud only?

At this point in time, Detection On Demand is cloud only and available globally, but efforts to make on-prem connectors to FX and NX are underway.

Should I cache file scan results locally to reduce the number of calls to the API?

Yes, local caching of file scan results helps to conserve your plan's quota. It is recommended to keep the cache for 24 hours, after which there might be updates to the detection engine that might give a different result for the same file.