Malware Scanner

Purpose

When a software supply chain attack occurs, the attackers may inject malicious code and unintended behaviour, open backdoors, and alter the software so that it can be used as a vector for malware delivery.

Malicious Code Evidence comprises indicators of malicious software (malware) that are discovered by static analysis of the target software. Analyzing software for a potential supply chain breach complements software security reviews with automation. Because adversaries try to hide their changes from human review, they use obfuscation techniques, which can in turn serve as additional evidence of wrongdoing. See Common types of Malware found in Open Source Packages.

From the evidence collected, a maliciousness score for the software under analysis is computed. With enough evidence accumulated, the analyzed software can be classified as potentially malicious.

The Malware Scanner is a tool that checks the files of the software project under analysis and reports "evidences" according to the malware detectors currently active for the policy assigned to the project. Detected evidences can be uploaded to the Xygeni platform for consolidation and for enabling response actions.

Malware evidences should not be treated individually, but as a whole: the maliciousness of the code depends on the number and severity of the different evidences found.

Quick Start

To detect malicious code evidences in a software project whose sources are in the current directory, and upload the results to the Xygeni platform, run the command shown below.

xygeni malware -n MyProject --upload

The Malware Scanner can be launched in two different ways:

1.- By its own specific command (xygeni malware [options])

2.- By the general command (xygeni scan --run="malware" [options])

To export the most important malware evidences to CSV, either for review or for importing the findings into another tool:

xygeni malware -n MyProject --detectors critical \
       --format csv --output MyProject.malware.csv

Usage

The Malware Scanner is launched using the xygeni malware [options] command.

For a full reference of all the available options, run:

xygeni malware --help

The most important properties are:

  • Name of the project, -n or --name.

  • Input sources to analyze: either a directory with -d or --dir, or a repository with --repo. Defaults to the current working directory.

  • Upload results to the service, --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), results are written to the standard output. Use --format=none for no output.

  • The detectors to run can be tailored with the --detectors / --skip-detectors options. A common use case is to consider only issues with high or critical severity, with --detectors=high.

  • The resource kinds to be scanned can also be tailored with the --kinds / --skip-kinds options.

Configuration options:
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run, PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to ignore, or PRIORITY
      --kinds=<kinds>        Resource kinds to scan (execution, file, network, _package, registry,
                               sensitive_data, system, all).
      --skip-kinds=<skipKinds>
                             Resource kinds to ignore (execution, file, network, _package, registry,
                               sensitive_data, system, all).

Malware Detectors

Please read the documentation on the available Malware detectors.
