Malware Scanning

Contextal Platform can gather information from malware scanners, but by default, it does not take direct action on infected objects. Instead, malware detection details are associated with the object in the form of symbols, enabling customized responses based on specific conditions.

info

Contextal Platform 1.0 includes integration with ClamAV. Future versions will provide support for more third-party solutions, including Yara and commercial malware scanners.

There are two types of malware-related symbols:

  • INFECTED: This is a generic symbol applied whenever at least one detection is made (only one such symbol may be set per object).
  • INFECTED-SCANNER_NAME-DETECTION_NAME: This detailed symbol provides specific information about the malware scanner used (SCANNER_NAME) and the detection name it reported (DETECTION_NAME).

The detailed symbols enable precise detections, allowing the results of multiple scanners to be combined or specific ones to be excluded. They can also be used alongside object metadata in ContexQL queries, offering granular control over how malware detections are processed and acted upon.

See our Known Malware example scenario for how to make the platform react to infected objects.

tip

Cross Object Signature Matching

Contextal Platform serves as an abstraction layer for malware scanning, offering capabilities far beyond standard detection systems. One of its unique features is the ability to combine multiple detections from different objects into a single actionable scenario. This allows for cross-file matching, where users can describe relationships between files - something usually not possible with traditional malware detection solutions.

For instance, if you’ve created two custom signatures for ClamAV, Signature_1 and Signature_2, and want to trigger an action only when two sibling objects (i.e., files at the same hierarchy level) match these signatures, you can achieve this with the following ContexQL query in your scenario:

@has_symbol("INFECTED-CLAM-Signature_1") &&
@has_sibling(@has_symbol("INFECTED-CLAM-Signature_2"))
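The query above, evaluated over a small constructed object tree, as an added example that is not Contextal's code: it does not reimplement ContexQL, only the @has_symbol and @has_sibling semantics this page describes (a sibling is another object under the same parent), on hypothetical file names and a hypothetical second detection name, Other_Sig.

```python
# Added example, not Contextal's code: models the symbol scheme and the query above.
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    parent: "Obj | None" = None
    symbols: set = field(default_factory=set)
    children: list = field(default_factory=list)

def apply_detections(obj, detections):
    """One generic INFECTED (a set member, so never more than one per object)
    plus one INFECTED-SCANNER_NAME-DETECTION_NAME symbol per reported detection."""
    for scanner, detection in detections:
        obj.symbols.add("INFECTED")
        obj.symbols.add(f"INFECTED-{scanner}-{detection}")

def attach(parent, name, detections=()):
    obj = Obj(name, parent=parent)
    parent.children.append(obj)
    apply_detections(obj, detections)
    return obj

def has_symbol(obj, symbol):
    return symbol in obj.symbols

def has_sibling(obj, pred):
    # Sibling = another object under the same parent (same hierarchy level).
    return obj.parent is not None and any(
        s is not obj and pred(s) for s in obj.parent.children)

def sibling_rule(obj):
    # Mirror of the ContexQL query above.
    return has_symbol(obj, "INFECTED-CLAM-Signature_1") and has_sibling(
        obj, lambda s: has_symbol(s, "INFECTED-CLAM-Signature_2"))

def build_sample():
    # Constructed tree: mail.eml -> {archive.zip -> {a.exe, b.dll}, loose.exe}
    mail = Obj("mail.eml")
    archive = attach(mail, "archive.zip")
    attach(archive, "a.exe", [("CLAM", "Signature_1"), ("CLAM", "Other_Sig")])
    attach(archive, "b.dll", [("CLAM", "Signature_2")])
    # loose.exe matches Signature_1 too, but its only sibling is archive.zip
    # (b.dll sits one level deeper), so the rule must not fire for it.
    attach(mail, "loose.exe", [("CLAM", "Signature_1")])
    return mail

def matching_objects(obj):
    # Names of every object in the tree for which the scenario would trigger.
    hits = [obj.name] if sibling_rule(obj) else []
    return hits + [n for c in obj.children for n in matching_objects(c)]
```

Only a.exe triggers: loose.exe carries the same Signature_1 symbol, but the object matching Signature_2 is not at its hierarchy level.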