Block Known Malware
While Contextal Platform collects information from malware scanners, it does not, by default, take any direct actions on infected objects. Instead, it leaves the decision to users on how to handle detected malware. In this article, we will demonstrate an example scenario that can be deployed to block malicious objects.
Before proceeding, we recommend reviewing the Malware Scanning section of our documentation to familiarize yourself with the platform's capabilities in this matter.
The base of our scenario will be a simple ContexQL query, checking for existence of INFECTED symbol in the object:
@has_symbol("INFECTED")
If needed, this could be further extended and combined with additional metadata, for example:
@has_symbol(starts_with("INFECTED-CLAM-"))
&& (object_type == "LNK" || object_type == "PE")
If we used the above query in our scenario, it would only block objects (and their related works) if they were of LNK or PE types, and the detection was coming from ClamAV. One could construct other queries in a similar way, and even use them in scenarios to always allow specific objects to pass through.
In this case however, we will use the following basic scenario to trigger a BLOCK action in case there were any infections reported.
Click on the download button below to get the scenario and then upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!)
{
"name": "Known Malware",
"min_ver": 1,
"max_ver": null,
"creator": "Contextal",
"description": "Block objects for which malware scanners reported infections.",
"local_query": "@has_symbol(\"INFECTED\")",
"context": null,
"action": "BLOCK"
}