A collection of standalone Python scripts demonstrating common workflows on the OPSWAT MetaDefender Cloud API v4. Each script targets a single feature (multi-scan, sandbox, CDR, DLP, hash lookup) and is designed to be easy to read, copy, and adapt.
Runs on Windows, macOS, and Linux — no platform-specific dependencies.
- Python 3.8 or later (Windows, macOS, or Linux)
- A MetaDefender Cloud API key — get one free at metadefender.opswat.com
- The
requestslibrary:
pip install requests
| Script | Feature | Endpoint(s) | What it does |
|---|---|---|---|
multi-scan-file.py |
Multi-scanning | POST /v4/file, GET /v4/file/{data_id} |
Uploads a file and reports the multi-engine AV verdict. |
cdr-file.py |
Deep CDR | POST /v4/file with rule: cdr |
Sanitizes a file and downloads the reconstructed clean version. |
dlp-file.py |
Proactive DLP | POST /v4/file with rule: dlp |
Scans a file for sensitive content (SSNs, credit card numbers, PII). |
aether-file.py |
Sandbox (file) | POST /v4/file + GET /v4/sandbox/{id} |
Detonates a file in the MetaDefender Aether sandbox and saves the full behavioral report. |
aether-url.py |
Sandbox (URL) | POST /v4/sandbox + GET /v4/sandbox/{id} |
Detonates a URL in the sandbox and saves the full behavioral report. |
aether-hash.py |
Sandbox lookup | GET /v4/hash/{hash}/sandbox |
Retrieves the last sandbox report for a file by its MD5/SHA1/SHA256. Hashes the file locally if given a path. |
All scripts share the same authentication and polling patterns.
Authentication. Every request sends apikey: <your key> as an HTTP header.
Workflow selection. The MetaDefender Cloud API uses a rule header on POST /v4/file to pick which workflow to run. Valid values on Cloud are multiscan, cdr, dlp, sanitize, unarchive, or combinations like multiscan_sanitize_unarchive. Note that sandbox analysis is not a rule — it is controlled by a separate sandbox header.
Asynchronous scans. File scans return a data_id immediately; the actual analysis happens asynchronously. Clients poll GET /v4/file/{data_id} and watch scan_results.progress_percentage until it reaches 100. Sandbox runs work the same way via GET /v4/sandbox/{sandbox_id}, but completion is signaled by the presence of verdict fields like final_verdict, scan_results, or full_report rather than a progress counter.
Caching. MetaDefender Cloud caches results by file hash. If a previously-scanned hash is uploaded again, you may receive the cached result rather than a fresh scan.
Every script accepts the API key as its first positional argument. Full usage with -h / --help on any individual script.
python multi-scan-file.py <api_key> <file>
Returns the AV verdict (engines queried, engines that flagged the file, overall result).
python cdr-file.py <api_key> <file>
python cdr-file.py <api_key> <file> --dump
Sanitizes the file. If CDR produces a cleaned version, the script downloads it to sanitized_<original_name> in the current directory. The sanitized file is retained by OPSWAT for 24 hours only — grab it in the same run.
python dlp-file.py <api_key> <file>
python dlp-file.py <api_key> <file> --dump
Reports sensitive-data findings (SSNs, credit card numbers, regex matches, etc.). Detection-only — DLP does not modify the file.
python aether-file.py <api_key> <file>
python aether-file.py <api_key> <file> --sandbox linux
python aether-file.py <api_key> <file> --dump
Submits a file for dynamic analysis. Waits for the sandbox run to finish (typically 1–5 minutes), then downloads the full behavioral report and saves it as Aether_result_<basename>.json.
python aether-url.py <api_key> <url>
Submits a URL for dynamic analysis. Saves the full behavioral report as Aether_result_<safe-url-name>.json.
python aether-hash.py <api_key> <file> # hashes the file, looks it up
python aether-hash.py <api_key> <sha256_hash> # uses the hash directly
python aether-hash.py <api_key> <file> --fetch-full # also downloads the full report
Retrieves the last sandbox report for a file without needing to re-scan it. If a file path is provided, the script computes its SHA256 locally before looking it up.
--dump— prints the full JSON response from the API in addition to the summary. Useful for debugging or discovering fields that the summary doesn't surface.--fetch-full(aether-hash.pyonly) — downloads the complete behavioral report from thefull_report.json/store_atURL.--sandbox(aether-file.pyonly) — selects the sandbox image (windows10,windows7,linux). Defaults towindows10.
Scripts that save files to disk do so in the current working directory:
sanitized_<original_name>— the CDR-reconstructed clean fileAether_result_<n>.json— the full sandbox behavioral report
Each API key has separate daily limits for multi-scanning, Deep CDR, DLP, sandbox runs, and hash lookups. Check your current limits on the account page.
Sandbox analysis is a paid/entitled feature on most tiers. If you submit a file with the sandbox header and the response comes back without a sandbox_id, your key likely doesn't have a sandbox entitlement. aether-file.py includes a diagnostic routine that prints likely causes when this happens.
HTTP 400 "Invalid Content-Type" — the file endpoint requires either application/octet-stream (binary upload) or multipart/form-data. These samples use application/octet-stream.
HTTP 400 "Header is not valid. 'rule' can't be 'X'" — rule only accepts workflow names (multiscan, cdr, dlp, sanitize, unarchive, or combinations). There is no rule: sandbox.
HTTP 429 — daily rate limit hit. Wait for the reset (24 hours from your first request of the day) or upgrade your plan.
Empty sandbox object in file scan response — your API key does not have a sandbox entitlement, the file type isn't supported by the sandbox, or your daily sandbox quota is exhausted.
HTTP 404 on hash lookup — no sandbox report exists for that hash. Submit the file fresh via aether-file.py to generate one.
If you're building file security into a commercial product or service, OPSWAT offers OEM licensing for MetaDefender Cloud and a broader OEM SDK covering advanced threat detection, vulnerability assessment, and endpoint security. Reach out to oem@opswat.com to discuss integration, licensing, and commercial terms.
For more on OPSWAT OEM solutions, see OEM SDK — Advanced Threat Detection & Endpoint Security.
Chris Seiler
Copyright (c) 2026 OPSWAT, Inc. All rights reserved.
These samples are provided as-is for demonstration and integration reference purposes.