Clone wiki

virusbattle-sdk / File Identifier and Formats


Currently VirusBattle uses SHA1 of a file as its identifier. However, the specific choice of the identifier is subect to change. In this discussion we use the term filehash or objID interchangabely to mean the object identifier used by VirusBattle.


VirusBattle currently analyzes Windows PE32 executables. Since most companies and people do not like to have malware executables on their machines or network, the system allows uploading password protected zip files as well. Besides zip, the system also accepts tar, tar.gz, and 7z formats. Other archive formats can be supported on request to the extent their decompressors are available on Ubuntu platform.

The system also supports nested archives: exe contained in zip, contained in tar, contained in of 7z, zip, etc. It can dig deep into such archives.

VirustBattle can also decrypt password protected archives, either with the default password infected or using a password provided by you. The only caveat is that for nested archives all password protected archives use the same password.

The design of the RESTful API is driven with the goal to support submission and querying of nested archives. VirusBattle treats nested archives simlar to nested directories, and provides mechanism to traverse the hierarchy until you reach the required binary and query its information. You may also directly access the necessary information using a binary's (or for that matter any file's) file identifier.