Multiple scores for a file

Because this technology is model based, it is important to apply the correct model to a given file. If the wrong model were used to determine the score, then a file might escape the level of scrutiny that is appropriate for that file. To address this, Cylance TcpService checks the file against all model types that have been loaded. As a result, the client must be prepared to receive multiple JSON objects for a given file when using these commands. Each of these objects indicates the model that was used to provide the score found in that object.
Client code should determine what action to take when the service returns more than one score. Depending on the application and workflow, the client application might take into consideration the declared file type (that is, the file extension or the MIME-type). For example, for a given file, if the file extension indicates a PDF file, but the service reports a negative score when analyzing it as a PE file, it is quite possible that it has been purposely disguised as a PDF file to avoid detection.
The p command supported by the Infinity Daemon Protocol can return a maximum of 255 results. If a given Score request produces more than 255 results, the list will be truncated. Because a file can be scored with multiple models, this guide recommends no more than 100 files per archive, especially when scoring with two or more models loaded into the service.
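
The following client-side sketch is an added example, not code from this guide or from the product. It shows one way to combine several per-model scores for a file with its declared extension, and to treat a result list that reaches the 255-result limit as incomplete. The JSON field names (file, model, score), the model names, the extension mapping and the sample response are assumptions constructed for illustration; the real response layout is defined by the protocol.

```python
import json
import os

MAX_RESULTS = 255  # result limit the page states for the p command

# Assumed mapping: declared extension -> model expected to apply (hypothetical names).
EXPECTED_MODEL = {".pdf": "PDF", ".exe": "PE", ".dll": "PE"}

# Constructed response: back-to-back JSON objects, one per (file, model) pair.
SAMPLE = (
    '{"file": "invoice.pdf", "model": "PDF", "score": 0.42}\n'
    '{"file": "invoice.pdf", "model": "PE", "score": -0.91}\n'
    '{"file": "setup.exe", "model": "PE", "score": 0.77}'
    '{"file": "tool.exe", "model": "PE", "score": -0.5}'
)

def parse_results(raw):
    """Decode every JSON object in the response, with or without separators."""
    decoder, pos, results = json.JSONDecoder(), 0, []
    while pos < len(raw):
        if raw[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(raw, pos)
        results.append(obj)
    return results

def triage(requested, results):
    """Return {file: verdict}, weighing every model's score for each file."""
    by_file = {}
    for r in results:
        by_file.setdefault(r["file"], []).append(r)
    truncated = len(results) >= MAX_RESULTS
    verdicts = {}
    for name in requested:
        scores = by_file.get(name)
        if not scores:
            verdicts[name] = "rescan"  # no score came back for this file
            continue
        expected = EXPECTED_MODEL.get(os.path.splitext(name)[1].lower())
        bad = [s["model"] for s in scores if s["score"] < 0]
        if expected and any(m != expected for m in bad):
            verdicts[name] = "block-disguised"  # negative under an undeclared type
        elif bad:
            verdicts[name] = "block"
        else:
            # A clean verdict is only trusted when the list was not cut short.
            verdicts[name] = "rescan" if truncated else "allow"
    return verdicts
```

When the list may have been truncated, a file with only non-negative scores is sent back for rescanning, because a score from another model could have been dropped.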