Skip to main content

Overview

Read about the basics of File Intel

Quick View

What it doesRetrieves intelligence data for submitted file hashes
Supported Languages
Capabilities
  • Look up the reputation score of a file hash
  • Retrieve a detailed intelligence report for a file hash
Supported Providers

About File Intel service

The File Intel service enables you to submit a file or an array of files' hashes (up to 100 using the File Intel bulk API) to see what is known about the file (its reputation). Different security providers specialize in collecting file intelligence that provides a file's disposition, ranging from malicious (malware, ransomware, trojan horses, spyware, adware) to known good files (operating system files, known third-party software packages).

Benefits of using File Intel service

Pangea serves intelligence data from third-party providers, normalizing response data, to help you quickly identify malicious files. All of this happens through a unified API and SDK - with no contracts or direct integrations to the provider required.

For example, if you set ReversingLabs as the provider, you’ll receive a standard verdict that can be easily interpreted in the API response. Armed with this information, you might choose to immediately delete or quarantine a file, send it to your security team, and/or search for any other instances of the file in your environment.

Use Cases

The File Intel API can be embedded directly into your cloud app to determine if file objects are known to be malicious. Common use cases include:

  • Determining if a file uploaded by a customer is known to be malicious before it’s opened or shared with others
  • Integrating File Intel into your SOAR or threat intelligence platform
  • Scanning third-party objects in your software build pipeline to identify malicious objects
  • Discovering malicious objects in third-party software before installing

File Intel (Reputation) vs. File Scan (Malware Analysis)

The File Intel service provides reputation data on files that have been seen, analyzed, and whose reputation has been determined by the file intelligence provider community. Files that have not been previously seen or analyzed do not have a reputation and the File Intel API will return a status of "unknown" for such files. When File Intel determines that a file's reputation is unknown, you can use the File Scan Service to upload the file for detailed malware analysis by one of our File Scan providers.

Doing a File Intel reputation lookup requires only a hash of a file (32 bytes), whereas a File Scan API call requires submission of the entire file for deep analysis (up to 500MBs). A reasonable strategy is to perform File Intel reputation checks on most files, and to use File Scan when reputation is unknown, when the File Intel verdicts and scores are below your threshold, or when your security posture demands.

Was this article helpful?

Contact us