Package google.security.safebrowsing.v4

Index

SafeBrowsing

The Safe Browsing APIs enable clients to check web resources (most commonly URLs) against Google's constantly updated lists of unsafe web resources. The Safe Browsing APIs (v4) feature the Update API and the Lookup API.

The Update API is designed for our larger clients and includes the FindFullHashes and FetchThreatListUpdates methods. The Update API requires that clients maintain downloaded threat lists in a local database.

First, clients match against their local lists to determine the state (safe or unsafe) of a given web resource. Most commonly, lists are comprised of hash prefixes of blacklisted URL expressions. To check a URL, clients generate the hashes of a given URL and check for prefix collisions in their local lists; if a prefix match is found, the client obtains the full hashes associated with the matched hash prefix via the FindFullHashes method. The client then compares the local full hash with the returned full hashes; a match indicates that the URL is unsafe.

Second, clients obtain updates to their local databases via the FetchThreatListUpdates method, which takes the current state of the client and returns an updated client state along with the changes that the client should apply to their local threat lists.
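The two-stage check described above (local prefix match, then full-hash confirmation), as an added Python example that is not part of the original reference or of Google's client code. It assumes the URL expressions are already generated and canonicalized; `stub_find_full_hashes` and all sample values are hypothetical stand-ins for the FindFullHashes method and real list data.

```python
import hashlib

def sha256(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()

def local_hits(expressions, local_prefixes):
    """Return {full_hash: matched_prefix} for expressions whose hash
    starts with a prefix in the local database (prefixes are 4-32 bytes)."""
    sizes = {len(p) for p in local_prefixes}
    hits = {}
    for expr in expressions:
        full = sha256(expr)
        for size in sizes:
            if full[:size] in local_prefixes:
                hits[full] = full[:size]
    return hits

def is_unsafe(expressions, local_prefixes, find_full_hashes):
    """Two-stage check: local prefix match, then full-hash confirmation.
    find_full_hashes is a hypothetical callable standing in for the
    FindFullHashes RPC; only matched prefixes are passed to it."""
    hits = local_hits(expressions, local_prefixes)
    if not hits:
        return False  # no prefix collision: no request is sent at all
    returned = set(find_full_hashes(sorted(set(hits.values()))))
    # A prefix collision alone is not a verdict; the full hash must match.
    return any(full in returned for full in hits)

# Constructed sample data (not real Safe Browsing entries).
LISTED = sha256("malware.example/")
COLLIDING = sha256("benign.example/")[:4] + bytes(28)  # shares a prefix only
SERVER_FULL_HASHES = [LISTED, COLLIDING]
LOCAL_PREFIXES = {LISTED[:4], COLLIDING[:4]}
CALLS = []  # records every prefix batch sent to the stub server

def stub_find_full_hashes(prefixes):
    CALLS.append(list(prefixes))
    return [h for h in SERVER_FULL_HASHES
            if any(h.startswith(p) for p in prefixes)]
```

The `benign.example/` case shows why the second stage exists: its 4-byte prefix is in the local list, but the returned full hash differs, so the resource is not flagged.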

The Lookup API is designed for our smaller clients and allows them to match resources directly against the Safe Browsing threat lists via the FindThreatMatches method.

Clients using either the Update API or the Lookup API can obtain a list of the Safe Browsing threat lists available for download via the ListThreatLists method.

{-- TRUSTED_THREAT_REPORTER: Trusted threat clients can submit reports to Google for analysis via the SubmitThreatReport method. --}

FetchThreatListUpdates

rpc FetchThreatListUpdates(FetchThreatListUpdatesRequest) returns (FetchThreatListUpdatesResponse)

Fetches the most recent threat list updates. A client can request updates for multiple lists at once.

FindFullHashes

rpc FindFullHashes(FindFullHashesRequest) returns (FindFullHashesResponse)

Finds the full hashes that match the requested hash prefixes.

FindThreatMatches

rpc FindThreatMatches(FindThreatMatchesRequest) returns (FindThreatMatchesResponse)

Finds the threat entries that match the Safe Browsing lists.

ListThreatLists

rpc ListThreatLists(Empty) returns (ListThreatListsResponse)

Lists the Safe Browsing threat lists available for download.

Checksum

The expected state of a client's local database.

Fields
sha256

bytes

The SHA256 hash of the client state; that is, of the sorted list of all hashes present in the database.

ClientInfo

The client metadata associated with Safe Browsing API requests.

Fields
client_id

string

A client ID that (hopefully) uniquely identifies the client implementation of the Safe Browsing API.

client_version

string

The version of the client implementation.

CompressionType

The ways in which threat entry sets can be compressed.

Enums
COMPRESSION_TYPE_UNSPECIFIED Unknown.
RAW Raw, uncompressed data.
RICE Rice-Golomb encoded data.

FetchThreatListUpdatesRequest

Describes a Safe Browsing API update request. Clients can request updates for multiple lists in a single request. The server may omit a response for a list if it has no updates for that list. NOTE: Field index 2 is unused. NEXT: 5

Fields
client

ClientInfo

The client metadata.

list_update_requests[]

ListUpdateRequest

The requested threat list updates.

ListUpdateRequest

A single list update request.

Fields
threat_type

ThreatType

The type of threat posed by entries present in the list.

platform_type

PlatformType

The type of platform put at risk by entries present in the list.

threat_entry_type

ThreatEntryType

The types of entries present in the list.

state

bytes

The current state of the client for the requested list (the encrypted client state that was received from the last successful list update).

constraints

Constraints

The constraints associated with this request.

Constraints

The constraints for this update.

Fields
max_update_entries

int32

The maximum size in number of entries. The update will not contain more entries than this value. This should be a power of 2 between 2**10 and 2**20. If zero, no update size limit is set.

max_database_entries

int32

Sets the maximum number of entries that the client is willing to have in the local database for the specified list. This should be a power of 2 between 2**10 and 2**20. If zero, no database size limit is set.

region

string

Requests the list for a specific geographic location. If not set the server may pick that value based on the user's IP address. Expects ISO 3166-1 alpha-2 format.

supported_compressions[]

CompressionType

The compression types supported by the client.

language

string

Requests the lists for a specific language. Expects ISO 639 alpha-2 format.

device_location

string

A client's physical location, expressed as an ISO 3166-1 alpha-2 region code.

FetchThreatListUpdatesResponse

Fields
list_update_responses[]

ListUpdateResponse

The list updates requested by the clients. The number of responses here may be less than the number of requests sent by clients. This is the case, for example, if the server has no updates for a particular list.

minimum_wait_duration

Duration

The minimum duration the client must wait before issuing any update request. If this field is not set clients may update as soon as they want.

ListUpdateResponse

An update to an individual list.

Fields
threat_type

ThreatType

The threat type for which data is returned.

threat_entry_type

ThreatEntryType

The format of the threats.

platform_type

PlatformType

The platform type for which data is returned.

response_type

ResponseType

The type of response. This may indicate that an action is required by the client when the response is received.

additions[]

ThreatEntrySet

A set of entries to add to a local threat type's list. Repeated to allow for a combination of compressed and raw data to be sent in a single response.

removals[]

ThreatEntrySet

A set of entries to remove from a local threat type's list. In practice, this field is empty or contains exactly one ThreatEntrySet.

new_client_state

bytes

The new client state, in encrypted format. Opaque to clients.

checksum

Checksum

The expected SHA256 hash of the client state; that is, of the sorted list of all hashes present in the database after applying the provided update. If the client state doesn't match the expected state, the client must disregard this update and retry later.
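Applying a ListUpdateResponse and enforcing its checksum, as an added Python example that is not part of the original reference or of Google's client code. It handles RAW entry sets only (no Rice decoding) and represents messages as plain dicts keyed by the field names on this page. It assumes that removal indices refer to the sorted list before additions are merged and that the checksum is taken over the concatenation of the sorted hashes; the sample data is constructed.

```python
import hashlib

def split_raw_hashes(raw):
    """Split a RawHashes message into fixed-size prefixes."""
    size, blob = raw["prefix_size"], raw["raw_hashes"]
    if not 4 <= size <= 32 or len(blob) % size:
        raise ValueError("malformed RawHashes")
    return [blob[i:i + size] for i in range(0, len(blob), size)]

def apply_list_update(local, response):
    """Return the new sorted prefix list, or raise if the update is invalid.
    The caller keeps its old database when this raises."""
    current = sorted(local)
    if response["response_type"] == "FULL_UPDATE":
        current = []  # full updates replace the entire local database
    elif response["response_type"] != "PARTIAL_UPDATE":
        raise ValueError("unknown response_type")
    # Assumption: indices address the sorted list as it was before additions.
    drop = set()
    for entry_set in response.get("removals", []):
        drop.update(entry_set["raw_indices"]["indices"])
    if any(i < 0 or i >= len(current) for i in drop):
        raise ValueError("removal index out of range")
    merged = {h for i, h in enumerate(current) if i not in drop}
    for entry_set in response.get("additions", []):
        merged.update(split_raw_hashes(entry_set["raw_hashes"]))
    updated = sorted(merged)  # bytes sort lexicographically
    # Assumption: checksum covers the concatenated sorted hashes.
    digest = hashlib.sha256(b"".join(updated)).digest()
    if digest != response["checksum"]["sha256"]:
        raise ValueError("checksum mismatch: discard update, retry later")
    return updated

# Constructed sample: drop index 1 (b"bbbb"), add b"dddd".
SAMPLE_LOCAL = [b"aaaa", b"bbbb", b"cccc"]
SAMPLE_RESPONSE = {
    "response_type": "PARTIAL_UPDATE",
    "removals": [{"raw_indices": {"indices": [1]}}],
    "additions": [{"raw_hashes": {"prefix_size": 4, "raw_hashes": b"dddd"}}],
    "checksum": {"sha256": hashlib.sha256(b"aaaaccccdddd").digest()},
}
```

Because the function returns a new list and raises on mismatch, a corrupted or tampered update never overwrites the database the client is currently matching against.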

ResponseType

The type of response sent to the client.

Enums
RESPONSE_TYPE_UNSPECIFIED Unknown.
PARTIAL_UPDATE Partial updates are applied to the client's existing local database.
FULL_UPDATE Full updates replace the client's entire local database. This means that either the client was seriously out-of-date or the client is believed to be corrupt.

FindFullHashesRequest

Request to return full hashes matched by the provided hash prefixes.

Fields
client

ClientInfo

The client metadata.

client_states[]

bytes

The current client states for each of the client's local threat lists.

threat_info

ThreatInfo

The lists and hashes to be checked.

api_client

ClientInfo

Client metadata associated with callers of higher-level APIs built on top of the client's implementation.

FindFullHashesResponse

Fields
matches[]

ThreatMatch

The full hashes that matched the requested prefixes.

minimum_wait_duration

Duration

The minimum duration the client must wait before issuing any find hashes request. If this field is not set, clients can issue a request as soon as they want.

negative_cache_duration

Duration

For requested entities that did not match the threat list, how long to cache the response.

FindThreatMatchesRequest

Request to check entries against lists.

Fields
client

ClientInfo

The client metadata.

threat_info

ThreatInfo

The lists and entries to be checked for matches.

FindThreatMatchesResponse

Fields
matches[]

ThreatMatch

The threat list matches.

ListThreatListsResponse

Fields
threat_lists[]

ThreatListDescriptor

The lists available for download by the client.

PlatformType

Types of platforms.

Enums
PLATFORM_TYPE_UNSPECIFIED Unknown platform.
WINDOWS Threat posed to Windows.
LINUX Threat posed to Linux.
ANDROID Threat posed to Android.
OSX Threat posed to OS X.
IOS Threat posed to iOS.
ANY_PLATFORM Threat posed to at least one of the defined platforms.
ALL_PLATFORMS Threat posed to all defined platforms.
CHROME Threat posed to Chrome.

RawHashes

The uncompressed threat entries in hash format of a particular prefix length. Hashes can be anywhere from 4 to 32 bytes in size. A large majority are 4 bytes, but some hashes are lengthened if they collide with the hash of a popular URL.

Used for sending ThreatEntrySet to clients that do not support compression, or when sending non-4-byte hashes to clients that do support compression.

Fields
prefix_size

int32

The number of bytes for each prefix encoded below. This field can be anywhere from 4 (shortest prefix) to 32 (full SHA256 hash).

raw_hashes

bytes

The hashes, in binary format, concatenated into one long string. Hashes are sorted in lexicographic order. For JSON API users, hashes are base64-encoded.

RawIndices

A set of raw indices to remove from a local list.

Fields
indices[]

int32

The indices to remove from a lexicographically-sorted local list.

RiceDeltaEncoding

The Rice-Golomb encoded data. Used for sending compressed 4-byte hashes or compressed removal indices.

Fields
first_value

int64

The offset of the first entry in the encoded data, or, if only a single integer was encoded, that single integer's value. If the field is empty or missing, assume zero.

rice_parameter

int32

The Golomb-Rice parameter, which is a number between 2 and 28. This field is missing (that is, zero) if num_entries is zero.

num_entries

int32

The number of entries that are delta encoded in the encoded data. If only a single integer was encoded, this will be zero and the single value will be stored in first_value.

encoded_data

bytes

The encoded deltas that are encoded using the Golomb-Rice coder.

ThreatEntry

An individual threat; for example, a malicious URL or its hash representation. Only one of these fields should be set.

Fields
hash

bytes

A hash prefix, consisting of the most significant 4-32 bytes of a SHA256 hash. This field is in binary format. For JSON requests, hashes are base64-encoded.

url

string

A URL.

digest

bytes

The digest of an executable in SHA256 format. The API supports both binary and hex digests. For JSON requests, digests are base64-encoded.

ThreatEntryMetadata

The metadata associated with a specific threat entry. The client is expected to know the metadata key/value pairs associated with each threat type.

Fields
entries[]

MetadataEntry

The metadata entries.

MetadataEntry

A single metadata entry.

Fields
key

bytes

The metadata entry key. For JSON requests, the key is base64-encoded.

value

bytes

The metadata entry value. For JSON requests, the value is base64-encoded.

ThreatEntrySet

A set of threats that should be added or removed from a client's local database.

Fields
compression_type

CompressionType

The compression type for the entries in this set.

raw_hashes

RawHashes

The raw SHA256-formatted entries.

raw_indices

RawIndices

The raw removal indices for a local list.

rice_hashes

RiceDeltaEncoding

The encoded 4-byte prefixes of SHA256-formatted entries, using a Golomb-Rice encoding. The hashes are converted to uint32, sorted in ascending order, then delta encoded and stored as encoded_data.

rice_indices

RiceDeltaEncoding

The encoded local, lexicographically-sorted list indices, using a Golomb-Rice encoding. Used for sending compressed removal indices. The removal indices (uint32) are sorted in ascending order, then delta encoded and stored as encoded_data.

ThreatEntryType

Types of entries that pose threats. Threat lists are collections of entries of a single type.

Enums
THREAT_ENTRY_TYPE_UNSPECIFIED Unspecified.
URL A URL.
EXECUTABLE An executable program.

ThreatInfo

The information regarding one or more threats that a client submits when checking for matches in threat lists.

Fields
threat_types[]

ThreatType

The threat types to be checked.

platform_types[]

PlatformType

The platform types to be checked.

threat_entry_types[]

ThreatEntryType

The entry types to be checked.

threat_entries[]

ThreatEntry

The threat entries to be checked.

ThreatListDescriptor

Describes an individual threat list. A list is defined by three parameters: the type of threat posed, the type of platform targeted by the threat, and the type of entries in the list.

Fields
threat_type

ThreatType

The threat type posed by the list's entries.

platform_type

PlatformType

The platform type targeted by the list's entries.

threat_entry_type

ThreatEntryType

The entry types contained in the list.

ThreatMatch

A match when checking a threat entry in the Safe Browsing threat lists.

Fields
threat_type

ThreatType

The threat type matching this threat.

platform_type

PlatformType

The platform type matching this threat.

threat_entry_type

ThreatEntryType

The threat entry type matching this threat.

threat

ThreatEntry

The threat matching this threat.

threat_entry_metadata

ThreatEntryMetadata

Optional metadata associated with this threat.

cache_duration

Duration

The cache lifetime for the returned match. Clients must not cache this response for more than this duration to avoid false positives.

ThreatType

Types of threats.

Enums
THREAT_TYPE_UNSPECIFIED Unknown.
MALWARE Malware threat type.
SOCIAL_ENGINEERING Social engineering threat type.
UNWANTED_SOFTWARE Unwanted software threat type.
POTENTIALLY_HARMFUL_APPLICATION Potentially harmful application threat type.