Uploading Files

Upload a file to MAGIC for analysis.

The types of files MAGIC can analyze are described in File Formats Supported.

CLI Command

vbclient -a upload [-p password] [--norecursive]  [-f] [--lf listfile] arg ...

Options:
    -h, --help            show this help message and exit
    -f, --force           Force resubmission, if the file already exists
    -p PASSWORD, --password=PASSWORD
                          Password for Zip and 7z encrypted archives
    --norecursive         Do not recursively visit subdirectories.
    --lf=LISTFILE, --list-file=LISTFILE
                          File to keep list of filehashes that are
                          uploaded. Default is: UploadedHashes.txt

The CLI parameter -a upload selects the upload action. The -p, --norecursive, -f, and --lf arguments are optional. Their default values may be obtained by invoking vbclient using -h or --help.

For this command, arg may be a file or a directory. The program can take a list of arguments. At least one arg must be provided.

The meanings (or effects) of the optional arguments are as follows.

-f
By default, when a previously analyzed file is re-uploaded to MAGIC, no additional analysis is performed. If this option is set, the uploaded file will be re-analyzed. This option is provided to compensate for potential errors that may terminate the processing prematurely. We advise that -f be used only if you have a reason to believe that the previous analysis was faulty.
-p PASSWORD
The password for unzipping .zip or .7z archives.
--norecursive
If arg is a directory, do not recurse into subdirectories. Default is to recurse.
--lf list-file
vbclient stores the file identifiers of uploaded files in the LISTFILE. These file identifiers may then be used for querying MAGIC for its analysis. To override this capability, please use --lf /dev/null. Default LISTFILE is UploadedHashes.txt.

File Formats Supported

Currently, MAGIC only fully supports analysis of Windows PE32 executables.

Partial support is also provided for ELF files and .NET executables. Unpacking is not supported for ELF files and some genomic features are not extracted for .NET executables. Full support is planned for a future release.

In addition to executables, we support the upload of archive formats: zip, tar, tar.gz, and 7z. Archives in these formats are extracted and any supported file types they contain are analyzed. Unsupported file types in the archive, such as plain text files, are simply ignored. Nested archives are handled automatically.

MAGIC can also decrypt password-protected archives, either with the default password "infected" or using a password provided through the HTTP API. The only caveat is that nested archives must all use the same password.
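As an added example (not part of vbclient or the MAGIC documentation), the following Python sketch labels files by their magic bytes before upload, so you can see which files in a sample directory fall under the formats listed above and which would be ignored. The label names and the classify and triage helpers are assumptions made for this example; PE32+ is reported separately because the page names only PE32, and .NET executables are not distinguished from other PE files.

```python
import os
import struct
import sys

# (offset, signature, label) for the non-PE formats the page lists.
SIGNATURES = [
    (0, b"\x7fELF", "elf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\x1f\x8b", "gzip"),        # tar.gz is a gzip stream
    (257, b"ustar", "tar"),
]

def classify(data: bytes) -> str:
    """Return a format label (names are this example's own) for leading file bytes."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # e_lfanew at 0x3C holds the offset of the "PE\0\0" signature.
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 26:
                # The optional-header magic follows the 20-byte COFF header.
                (magic,) = struct.unpack_from("<H", data, pe_off + 24)
                return {0x10B: "pe32", 0x20B: "pe32+"}.get(magic, "mz-other")
        return "mz-other"  # DOS stub only, truncated, or PE header past the buffer
    for offset, sig, label in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return label
    return "other"

def triage(root: str, recursive: bool = True) -> dict:
    """Map each file under root to a label; recursive=False mirrors --norecursive."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not recursive:
            dirnames.clear()  # stops os.walk from descending further
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify(fh.read(1 << 16))
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in sorted(triage(target).items()):
        print(f"{label:9} {path}")
```

Files labelled "other" or "mz-other" correspond to the unsupported types the page says are ignored; the script only reads local files and does not contact MAGIC.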

Examples

Upload single file

The file can be either an EXE or an archive, such as a zip file.

vbclient -a upload <filename>

If the archive is password protected, use the --password argument:

vbclient -a upload -p <password> <filename.zip>

The ID of the uploaded file will be stored in ./UploadedHashes.txt.

Upload directory

To upload all files found in the directory, including files in subdirectories:

vbclient -a upload <directoryname>

To upload without traversing sub-directories:

vbclient -a upload --norecursive <directoryname>

The IDs of all uploaded files will be stored in ./UploadedHashes.txt.

Upload multiple files or directories

vbclient -a upload <file1> <dir2> <file3> <file4>

The IDs of all uploaded files will be stored in ./UploadedHashes.txt.

Save file IDs to different location

To store the IDs of all uploaded files to file ./my-uploaded-files.txt:

vbclient -a upload --list-file ./my-uploaded-files.txt  <path1> <path2> ...

Re-analyze file

To re-analyze the file with ID SHA1 without re-uploading:

vbclient -a reprocess SHA1

To upload the file and re-analyze it:

vbclient -a upload --force <file path>