
Overview

The Malware Detection module provides comprehensive capabilities for identifying and responding to malware infections and cyberattacks. It checks for indicators of compromise (IOCs) and generates alerts when malicious activity is detected, helping you protect your infrastructure from malware threats.

Key Features

Indicator of Compromise Detection

The module monitors for various types of malware indicators:
  • Rootkit Detection: Identify rootkit signatures and behaviors
  • Trojan Detection: Detect trojan horse malware
  • File-based Malware: Identify malicious files through signature matching
  • Behavioral Analysis: Detect suspicious behavior patterns
  • Command & Control Communication: Identify C2 server communications

Multi-Layer Detection

Malware detection operates at multiple levels:
  • File System Scanning: Regular scans of file systems for malware signatures
  • Process Monitoring: Detect malicious process execution
  • Network Activity: Identify suspicious network connections
  • Registry Monitoring: Track malicious registry modifications (Windows)
  • Memory Analysis: Detect in-memory malware execution

Interactive Dashboards

Dedicated dashboards for malware analysis and investigation:
  • Overview Dashboard: System-wide malware detection overview (Dashboard ID: malware-detection-overview-dashboard)
  • Agent Dashboard: Malware detections for specific agents (Dashboard ID: malware-detection-pinned-agent-dashboard)
  • Trend Analysis: Visual representation of malware detection trends

Event Data Structure

Malware detection events include comprehensive alert information:
  • timestamp: When the malware was detected
  • wazuh.agent.name: Name of the agent that detected the malware
  • data.title: Title/name of the detected malware or threat
  • rule.description: Detailed description of the detection rule
  • rule.level: Severity level of the alert
  • rule.id: Unique identifier of the detection rule
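As an added example (not code from this page or from the Wazuh plugin), the Python below flattens events into rows keyed by exactly the field names in the table above, using a dotted-path lookup so that a missing field yields None instead of raising. The sample documents are constructed, and the filter "rule.groups contains rootcheck" is an assumption: the page does not state the query the dashboards run.

```python
import json
from typing import Any

# Constructed sample documents (not real alerts) in the shape the events index
# holds them. The second lacks data.title and the third is not malware-related,
# to exercise missing-field handling and filtering.
SAMPLE_EVENTS_JSON = r'''
{"timestamp": "2024-05-02T10:15:07.123+0000", "wazuh": {"agent": {"name": "web-01"}}, "data": {"title": "Rootkit 'example' detected by the presence of file", "file": "/tmp/.hidden/.x"}, "rule": {"id": "510", "level": 7, "description": "Host-based anomaly detection event (rootcheck).", "groups": ["ossec", "rootcheck"]}}
{"timestamp": "2024-05-02T10:16:41.004+0000", "wazuh": {"agent": {"name": "db-02"}}, "data": {"file": "/dev/shm/.t"}, "rule": {"id": "510", "level": 7, "description": "Host-based anomaly detection event (rootcheck).", "groups": ["ossec", "rootcheck"]}}
{"timestamp": "2024-05-02T10:17:00.000+0000", "wazuh": {"agent": {"name": "web-01"}}, "data": {"srcip": "203.0.113.9"}, "rule": {"id": "5710", "level": 5, "description": "sshd: Attempt to login using a non-existent user", "groups": ["syslog", "sshd", "authentication_failed"]}}
'''

# The six fields the dashboard table documents, as dotted paths.
FIELDS = ("timestamp", "wazuh.agent.name", "data.title",
          "rule.description", "rule.level", "rule.id")

# Assumption: the module's selection is taken here to be "rule.groups contains
# rootcheck"; the page does not give the exact filter.
MALWARE_GROUPS = {"rootcheck"}


def get_path(doc: dict, path: str) -> Any:
    """Resolve a dotted field name against nested JSON; None if any segment is absent."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_malware_event(doc: dict) -> bool:
    groups = get_path(doc, "rule.groups") or []
    return bool(MALWARE_GROUPS.intersection(groups))


def extract_fields(doc: dict) -> dict:
    """Flatten one event into a row keyed by the documented field names."""
    return {name: get_path(doc, name) for name in FIELDS}


def parse_events(ndjson: str) -> list[dict]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def malware_rows(ndjson: str) -> list[dict]:
    """Rows for malware-related events only, in input order."""
    return [extract_fields(d) for d in parse_events(ndjson) if is_malware_event(d)]


if __name__ == "__main__":
    for row in malware_rows(SAMPLE_EVENTS_JSON):
        print(row)
```

Because every row carries all six keys even when the source document lacks one, the output can be fed straight into a table or CSV export without per-row key checks.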

Data Sources

The Malware Detection module utilizes:
  • Events Pattern: wazuh-events*
  • Repository: EventsDataSourceRepository
  • Sample Data Category: Auditing and Policy Monitoring

Detection Methods

Signature-based Detection

Identify known malware through signature databases:
  • Updated Signatures: Regular updates to malware signature databases
  • Hash Matching: Compare file hashes against known malware databases
  • Pattern Recognition: Identify malware patterns in files and memory

Behavioral Detection

Detect malware through suspicious behavior:
  • Anomaly Detection: Identify unusual system behavior
  • Process Analysis: Monitor suspicious process execution patterns
  • File Operations: Track suspicious file creation and modification
  • Network Behavior: Identify unusual network connections

Rootkit Detection

Specialized detection for rootkits:
  • System Call Monitoring: Detect hooked system calls
  • Hidden File Detection: Identify hidden files and directories
  • Hidden Process Detection: Find concealed processes
  • Kernel Module Analysis: Examine loaded kernel modules

Use Cases

Real-time Malware Response

Respond to malware infections as they occur:
  1. Receive immediate alerts when malware is detected
  2. View detailed information about the threat
  3. Identify affected systems and files
  4. Initiate incident response procedures
  5. Track remediation progress

Threat Hunting

Proactively search for malware in your environment:
  1. Review malware detection dashboards regularly
  2. Investigate suspicious alerts and patterns
  3. Correlate malware detections across agents
  4. Identify patient zero and infection vectors
  5. Document findings for future reference

Compliance Requirements

Meet regulatory requirements for malware protection:
  • PCI DSS 5.1: Deploy anti-malware solutions
  • HIPAA: Protect systems from malicious software
  • ISO 27001: Implement malware detection controls
  • NIST: Follow malware prevention guidelines

Forensic Investigation

Conduct malware forensic analysis:
  • Analyze malware infection timeline
  • Identify malware families and variants
  • Determine attack vectors and entry points
  • Assess scope and impact of infections
  • Support legal and compliance investigations

Integration with Other Modules

Malware Detection works seamlessly with:
  • File Integrity Monitoring: Detect malware-related file modifications
  • Threat Hunting: Investigate malware-related security events
  • Vulnerability Detection: Link malware to exploited vulnerabilities
  • System Auditing: Track malware-related system activities
  • MITRE ATT&CK: Map malware tactics and techniques

Alert Types

The module generates various types of malware alerts:

Critical Alerts

  • Active malware infection detected
  • Rootkit presence confirmed
  • Command and control communication
  • Ransomware encryption activity

High Severity Alerts

  • Suspicious file signatures
  • Trojan horse detection
  • Backdoor installation attempts
  • Keylogger activity

Medium Severity Alerts

  • Potentially unwanted programs (PUPs)
  • Adware detection
  • Suspicious process behavior
  • Unusual network connections
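The tiers above are not tied to a numeric rule.level anywhere on this page. The added example below (ours, not the plugin's code) assigns a tier to constructed events using assumed cut-offs (level 12 and above Critical, 8 to 11 High, 4 to 7 Medium, lower levels dropped) plus title-based overrides for the rootkit and trojan rootcheck messages named above, then rolls the result up per agent, which is the cross-agent correlation step from the Threat Hunting use case. Rule IDs and message texts in the sample are illustrative.

```python
from typing import Any, Optional

# Constructed sample events (not real alerts); field layout follows the event
# fields documented earlier on this page.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-02T10:15:07.123+0000", "wazuh": {"agent": {"name": "web-01"}},
     "data": {"title": "Rootkit 'example' detected by the presence of file '/tmp/.hidden/.x'."},
     "rule": {"id": "510", "level": 7, "groups": ["ossec", "rootcheck"]}},
    {"timestamp": "2024-05-02T10:15:09.000+0000", "wazuh": {"agent": {"name": "web-01"}},
     "data": {"title": "File '/tmp/.hidden' present on /tmp. Possible malware."},
     "rule": {"id": "510", "level": 7, "groups": ["ossec", "rootcheck"]}},
    {"timestamp": "2024-05-02T10:20:00.000+0000", "wazuh": {"agent": {"name": "db-02"}},
     "data": {"title": "Trojaned version of file '/bin/ls' detected."},
     "rule": {"id": "510", "level": 7, "groups": ["ossec", "rootcheck"]}},
    {"timestamp": "2024-05-02T10:21:00.000+0000", "wazuh": {"agent": {"name": "log-03"}},
     "data": {"title": "Rootcheck scan completed."},
     "rule": {"id": "509", "level": 3, "groups": ["ossec", "rootcheck"]}},
]

TIER_RANK = {"Critical": 0, "High": 1, "Medium": 2}


def get_path(doc: dict, path: str) -> Any:
    """Dotted-path lookup; None when any segment is missing."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def tier_for(level: int, groups: list, title: str) -> Optional[str]:
    """Map an event to Critical/High/Medium. Cut-offs are assumed, not from the page."""
    t = title.lower()
    if "rootcheck" in groups:
        if "rootkit" in t:
            return "Critical"   # rootkit presence is listed as critical above
        if "trojaned" in t:
            return "High"       # trojan detection is listed as high above
    if level >= 12:
        return "Critical"
    if level >= 8:
        return "High"
    if level >= 4:
        return "Medium"
    return None                 # below the lowest tier the module surfaces


def triage(events: list) -> list:
    """Per-agent rollup: worst tier, event count, distinct rules, first/last seen.
    Worst agents come first; ties broken by count, then name."""
    agents: dict = {}
    for ev in events:
        tier = tier_for(get_path(ev, "rule.level") or 0,
                        get_path(ev, "rule.groups") or [],
                        get_path(ev, "data.title") or "")
        if tier is None:
            continue
        name = get_path(ev, "wazuh.agent.name") or "unknown"
        ts = get_path(ev, "timestamp") or ""
        entry = agents.setdefault(name, {"agent": name, "tier": tier, "count": 0,
                                         "rules": set(), "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["rules"].add(get_path(ev, "rule.id"))
        if TIER_RANK[tier] < TIER_RANK[entry["tier"]]:
            entry["tier"] = tier
        # Lexical min/max is valid because all timestamps share one ISO layout.
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    rows = sorted(agents.values(),
                  key=lambda e: (TIER_RANK[e["tier"]], -e["count"], e["agent"]))
    for r in rows:
        r["rules"] = sorted(r["rules"])
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The title-based overrides matter because rootcheck emits all of its findings under the same rule level, so level alone cannot separate a confirmed rootkit from a suspicious file in /tmp.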

Configuration

Scan Settings

Rootcheck, the agent component that performs these scans, is configured in ossec.conf. The snippet below keeps the default 12-hour interval and points at the legacy system-audit policy file (frequency is in seconds; rootkit signature lists are supplied through the separate rootkit_files and rootkit_trojans options):
<rootcheck>
  <!-- seconds between scans: 43200 = 12 hours -->
  <frequency>43200</frequency>
  <!-- legacy policy-audit checks run alongside the rootkit scan -->
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
</rootcheck>

Detection Tuning

Customize detection parameters:
  • Scan Frequency: How often to perform malware scans
  • Scan Depth: Directories and files to include in scans
  • Sensitivity Levels: Balance between detection and false positives
  • Exclusions: Files or directories to exclude from scanning

Response Actions

When malware is detected:
  1. Alert Generation: Immediate alert to security team
  2. Agent Isolation: Option to isolate infected agents
  3. File Quarantine: Quarantine malicious files
  4. Active Response: Execute automated response scripts
  5. Incident Creation: Create incident tickets automatically
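Steps 3 and 4 together are what a custom active-response script does. The added example below is ours, not the plugin's or Wazuh's own code. It assumes the JSON-on-stdin message that Wazuh 4.x active-response scripts receive (a top-level "command" and the triggering alert under "parameters.alert") and that the alert names the flagged file in data.file; this page documents neither. The quarantine directory and log path are placeholders. The file is moved and stripped of all permissions rather than deleted, so the sample survives for the forensic investigation described above.

```python
import json
import os
import shutil
import sys
import time
from typing import Tuple

# Assumed paths (not taken from this page): where quarantined samples are kept
# and the log file that active-response scripts conventionally append to.
QUARANTINE_DIR = "/var/ossec/quarantine"
AR_LOG = "/var/ossec/logs/active-responses.log"


def quarantine_file(path: str, quarantine_dir: str) -> Tuple[str, str]:
    """Move a flagged file into the quarantine directory and remove all permissions.
    Returns (status, detail). Refuses anything that is not a plain absolute file,
    so a crafted alert cannot make the script move a symlink's target or a directory."""
    if not os.path.isabs(path):
        return ("skipped", "path is not absolute")
    if os.path.islink(path):
        return ("skipped", "refusing to follow symlink")
    if not os.path.isfile(path):
        return ("skipped", "not a regular file")
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(quarantine_dir, f"{int(time.time())}_{os.path.basename(path)}")
    shutil.move(path, dest)
    os.chmod(dest, 0)   # nobody can read or execute it until an analyst restores it
    return ("quarantined", dest)


def handle_message(line: str, quarantine_dir: str) -> Tuple[str, str]:
    """Act on one execd message. Only "add" triggers quarantine; "delete" (the
    timeout counterpart) is a no-op because this response is stateless.
    Assumed shape: {"command": ..., "parameters": {"alert": {...}}}."""
    try:
        msg = json.loads(line)
    except json.JSONDecodeError as exc:
        return ("error", f"malformed message: {exc}")
    if msg.get("command") != "add":
        return ("ignored", f"command {msg.get('command')!r} needs no action")
    alert = msg.get("parameters", {}).get("alert", {})
    target = alert.get("data", {}).get("file")
    if not target:
        return ("skipped", "alert carries no data.file")
    return quarantine_file(target, quarantine_dir)


def main() -> None:
    status, detail = handle_message(sys.stdin.readline(), QUARANTINE_DIR)
    with open(AR_LOG, "a") as log:
        log.write(f"{time.strftime('%Y/%m/%d %H:%M:%S')} quarantine-file: {status}: {detail}\n")


if __name__ == "__main__":
    main()
```

The script runs as the agent's privileged user, so the pre-checks are the important part: an alert field is attacker-influenced input, and moving whatever path it names without validation turns the responder into a primitive for relocating arbitrary files.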

Best Practices

  1. Regular Updates: Keep malware signatures and detection rules updated
  2. Layered Defense: Combine with other security modules for comprehensive protection
  3. Quick Response: Establish procedures for rapid malware response
  4. Regular Scans: Schedule periodic full system scans
  5. Baseline Behavior: Establish normal behavior baselines for better detection
  6. Alert Review: Regularly review and tune malware alerts
  7. Incident Documentation: Document all malware incidents and responses
  8. User Education: Train users on malware prevention

Performance Optimization

  • Scheduled Scans: Run intensive scans during off-peak hours
  • Incremental Scanning: Focus on changed files for faster scans
  • Resource Management: Configure scan resource limits
  • Smart Scanning: Prioritize high-risk areas

Component Architecture

The Malware Detection module architecture:
// Main dashboard component
DashboardMalwareDetection
  DataSource: MalwareDetectionDataSource
  Repository: EventsDataSourceRepository
  Dashboard ID: malware-detection-overview-dashboard
  Agent Dashboard ID: malware-detection-pinned-agent-dashboard
Location in codebase: /plugins/main/public/components/overview/malware-detection/

Reporting

Generate comprehensive malware reports:
  • Detection Summary: Overview of all malware detections
  • Trend Analysis: Malware detection trends over time
  • Agent Status: Malware status per agent
  • Remediation Tracking: Status of malware remediation efforts
  • Compliance Reports: Malware protection compliance status