Malware Scanning

Contextal Platform can gather information from malware scanners, but by default, it does not take direct action on infected objects. Instead, malware detection details are associated with the object in the form of symbols, enabling customized responses based on specific conditions.

info

Contextal Platform 1.0 includes integration with ClamAV. Future versions will provide support for more third-party solutions, including Yara and commercial malware scanners.

There are two types of malware-related symbols:

  • INFECTED: This is a generic symbol applied whenever at least one detection is made (only one such symbol may be set per object).
  • INFECTED-SCANNER_NAME-DETECTION_NAME: This detailed symbol provides specific information about the malware scanner used (SCANNER_NAME) and the detection name it reported (DETECTION_NAME).

The detailed symbols enable precise detections: they allow results from multiple scanners to be combined, and specific detections to be excluded. They can also be used alongside object metadata in ContexQL queries, offering granular control over how malware detections are processed and acted upon.
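As an added illustration (not Contextal's code and not ContexQL), the following Python models how the two symbol kinds are derived from scanner results and how the detailed symbols let a policy count agreeing scanners or exclude one detection in a given context; the scanner and detection names are constructed sample values, and the helper assumes scanner names contain no hyphen.

```python
from typing import Iterable

GENERIC = "INFECTED"


def symbols_for(detections: Iterable[tuple[str, str]]) -> set[str]:
    """Build the symbol set for one object from (scanner, detection) pairs.

    The generic INFECTED symbol is set at most once no matter how many
    detections there are; each detection additionally yields a detailed
    symbol of the form INFECTED-SCANNER_NAME-DETECTION_NAME.
    """
    symbols: set[str] = set()
    for scanner, name in detections:
        symbols.add(GENERIC)
        symbols.add(f"{GENERIC}-{scanner}-{name}")
    return symbols


def detections_by_scanner(symbols: set[str]) -> dict[str, set[str]]:
    """Parse detailed symbols back into {scanner: {detection names}}.

    Detection names may themselves contain hyphens, so only the first
    two separators are split; the scanner name is assumed hyphen-free.
    """
    found: dict[str, set[str]] = {}
    for sym in symbols:
        if not sym.startswith(GENERIC + "-"):
            continue
        _, scanner, name = sym.split("-", 2)
        found.setdefault(scanner, set()).add(name)
    return found


def scanner_count(symbols: set[str]) -> int:
    """Number of distinct scanners that flagged the object (for consensus rules)."""
    return len(detections_by_scanner(symbols))


def should_block(symbols: set[str], ignored: Iterable[str] = ()) -> bool:
    """Example policy: block unless every detection is contextually excluded.

    `ignored` holds detailed symbols whitelisted for this context, so an
    object flagged only by those is not blocked even though the generic
    INFECTED symbol is still set on it.
    """
    if GENERIC not in symbols:
        return False
    live = {s for s in symbols if s != GENERIC and s not in set(ignored)}
    return bool(live)
```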

tip

See our Known Malware example scenario on how to make the platform react to infected objects, or Contextual Whitelisting on how to precisely disable specific detections in a given context.