Assessing and reporting malware signatures on RHEL systems
Know when systems in your Red Hat Enterprise Linux infrastructure are exposed to malware risks
Abstract
Chapter 1. Learn about the Red Hat Lightspeed malware detection service
The Red Hat Lightspeed malware detection service is a monitoring and assessment tool that scans Red Hat Enterprise Linux systems for the presence of malware. The malware detection service incorporates YARA pattern-matching software and malware detection signatures. Signatures are provided in partnership with IBM X-Force threat intelligence and CrowdStrike (requires a CrowdStrike Falcon Adversary Intelligence Premium license), working closely with the Red Hat threat intelligence team.
Depending on your user access permissions as an administrator or viewer in the Red Hat Hybrid Cloud Console, you can perform the following actions within the malware detection service:
- Review the list of IBM and CrowdStrike signatures that the service uses to scan your Red Hat Enterprise Linux systems.
- Review the overall results for all RHEL systems with malware detection enabled in the insights-client.
- Review the scan results for individual RHEL systems.
- Identify RHEL systems showing evidence of the presence of malware.
The malware detection service gives you valuable information to prepare a response against threats to RHEL systems within your organization.
The malware detection service does not provide recommendations to resolve or remediate malware incidents.
1.1. Malware signature sources
YARA signature detection is the cornerstone of the Red Hat Lightspeed malware detection service. A YARA signature describes a malware type as a pattern: a set of strings and a boolean expression that form a rule. When a scan on a Red Hat Enterprise Linux system matches that rule, YARA records a hit on that system.
The malware detection service includes predefined signatures from the IBM X-Force Threat Intelligence team and evaluates your systems against hundreds of those default rules to help detect malware on Red Hat Enterprise Linux systems. The service also supports the manual addition of thousands of CrowdStrike signatures. Knowing whether a rule comes from IBM X-Force or from CrowdStrike helps you interpret default coverage and any optional rules you add.
Chapter 2. Set up the Red Hat Lightspeed malware detection service
Learn how to set up the Red Hat Lightspeed malware detection service on RHEL systems by installing and configuring the insights-client, assigning User Access roles for malware detection administrators and viewers, running an on-demand malware detection scan, and reviewing scan results in the Hybrid Cloud Console.
While some procedures require root privileges on the system, others require an administrator who is a member of a User Access group with at least one of the following roles:
- Malware detection administrator
- RHEL administrator
2.1. Malware detection service setup actions and required access
Set up the malware detection service by learning which access and privileges you need to make changes to your Red Hat Enterprise Linux systems. The following table lists the main actions, what each step involves, and the access you need.
| Action | Description | Required privileges |
|---|---|---|
| Install YARA | Install the YARA application. | Root privileges |
| Configure the insights-client | Configure the insights-client to use the malware detection service; enable the collector for the malware detection service. | Root privileges |
| Configure User Access in the Red Hat Hybrid Cloud Console | In the Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups, create malware detection groups and then add the appropriate roles and members to the groups. | Organization Administrator role on the Red Hat account |
| Optional: Download CrowdStrike signatures | Download CrowdStrike YARA signatures and install them locally on your RHEL systems. | Root privileges; CrowdStrike Falcon Adversary Intelligence Premium license |
| Optional: Enable process scanning | Optionally enable process scanning in the malware detection collector configuration. | Root privileges |
| Scan your Red Hat Enterprise Linux systems | Run the malware detection collector scan on your Red Hat Enterprise Linux systems. | Root privileges |
| View results | See the results of system scans in the Hybrid Cloud Console. | Membership in a User Access group with the Malware detection viewer role |
2.2. Install YARA and configure the insights-client
To start running malware detection scans and reporting data to the Red Hat Lightspeed application, install YARA and the malware detection collector on the RHEL system.
Prerequisites
- You are installing YARA and the malware detection collector on a RHEL 8 or later system.
- You have root privileges on the system.
Procedure
- Install YARA. (YARA RPMs for RHEL 8 and later are available on the Red Hat Customer Portal.)
$ sudo dnf install yara
Note: Red Hat Lightspeed malware detection is not supported on RHEL 7.
- Register the system with Red Hat Lightspeed.
Important: Using the malware detection service requires that you have the insights-client package installed on the system and the system registered with Red Hat Lightspeed.
  - Install the insights-client RPM.
$ sudo yum install insights-client
  - Test the connection to Red Hat Lightspeed.
$ sudo insights-client --test-connection
  - Register the system with Red Hat Lightspeed.
$ sudo insights-client --register
- Run the insights-client malware detection collector to create a malware detection configuration file in /etc/insights-client/malware-detection-config.yml, perform a test scan, and upload the results to Red Hat Lightspeed.
$ sudo insights-client --collector malware-detection
Note: This is a very minimal scan of your system that helps verify the malware detection service is working correctly. By design, the scan detects some matches to show you that the service is functioning. Results from the test scan will not appear in the malware detection service.
- Perform a full filesystem scan.
  - Edit /etc/insights-client/malware-detection-config.yml and set the test_scan option to false.
test_scan: false
    Consider setting the following options to minimize scan time:
    - filesystem_scan_only - to scan only certain directories on the system
    - filesystem_scan_exclude - to exclude certain directories from being scanned
    - filesystem_scan_since - to scan only recently modified files
  - Run the insights-client --collector again:
$ sudo insights-client --collector malware-detection
To optionally scan processes after a full filesystem scan, see Enable process scanning for malware detection.
Verification
- To confirm that YARA is installed, from the command line, run:
$ yara --version
If YARA is installed, the command displays the version information.
- To confirm that the system is registered, from the command line, run:
$ sudo insights-client --test-connection
If the system is properly registered with Red Hat Lightspeed, the command completes successfully and displays a message that the connection test was successful.
- To confirm that you created the YAML configuration file, locate the /etc/insights-client/malware-detection-config.yml file and confirm that it contains test_scan: false after your edit.
- To confirm that the malware detection run completed without errors and that the Red Hat Lightspeed malware detection service shows the scan results, navigate to Security > Malware > Signatures. For a test scan, you should see only a few matches that are designed to be detected in a test scan.
2.3. Enable process scanning for malware detection
You can extend detection of threats on your RHEL systems by enabling the malware detection collector to scan processes in addition to files. By default, scanning processes is disabled. Process scanning is optional, but with it enabled, the collector still runs a filesystem scan first, then scans processes to find malware. Results appear in Security > Malware.
Prerequisites
- You have root privileges on the system.
- You have a /etc/insights-client/malware-detection-config.yml file (created when you first run the malware collector) and have set test_scan to false, which allows a full filesystem scan.
Procedure
- Edit /etc/insights-client/malware-detection-config.yml and set scan_processes to true.
scan_processes: true
Note: Consider setting these related options while you are changing the configuration for process scanning. These options can help you manage performance when scanning processes, but they are not required to be set to enable process scanning:
  - processes_scan_only - to scan only certain processes on the system
  - processes_scan_exclude - to exclude certain processes from being scanned
  - processes_scan_since - to scan only recently started processes
- Run the collector again. It performs a filesystem scan first, followed by a process scan when scan_processes is enabled. When the run completes, view results at Security > Malware.
$ sudo insights-client --collector malware-detection
Verification
- From the command line, open /etc/insights-client/malware-detection-config.yml and confirm that the scan_processes value is true.
- The collector run completes without errors.
- In Security > Malware, the latest scan shows the signatures that affect systems and processes.
2.4. Add CrowdStrike YARA signatures to extend protection to RHEL systems
To detect threats on RHEL systems, you can integrate CrowdStrike YARA signatures with the malware detection service. This process involves downloading signature rules from the CrowdStrike Falcon console and installing them locally on your RHEL systems.
This workflow supports only the official CrowdStrike integration. You cannot upload custom YARA rules to the malware detection service.
Prerequisites
- The CrowdStrike integration is supported only on systems that run Red Hat Enterprise Linux 9 or 10 and have YARA 4.5.2 or later installed.
- You have installed the YARA tool and the insights-client.
- You have membership in a User Access group with at least the Malware detection viewer or RHEL viewer role.
- You have a CrowdStrike user account with permissions to access CrowdStrike Falcon Adversary Intelligence Premium and an active license enabled. For more information, see CrowdStrike Falcon® Counter Adversary Operations Elite documentation, and the Red Hat Knowledgebase article, Integrating Red Hat Lightspeed with CrowdStrike for enhanced malware detection coverage.
- You have access to the latest CrowdStrike documentation for up-to-date procedures and YARA signature export and automation tools, such as the crowdstrike.falcon Ansible collection.
Procedure
- From the command line, create a target directory to store your CrowdStrike signatures.
$ sudo mkdir -p /etc/insights-client/signatures
- Download CrowdStrike signatures by using one of the following methods:
Using a manual method:
- In the CrowdStrike Falcon console, navigate to Counter Adversary Operations > Intelligence Operations > Hunting guides.
- Select Hunting queries and rules.
- Filter by Language: YARA.
- Filter by Environment: Any and Linux.
- Click Apply.
- Click Export to open the drop-down list that contains options to choose the file format of the download.
- Select YARA (tar.gz) from the list.
- Extract the contents of the downloaded .tar.gz file into /etc/insights-client/signatures.
Using an Ansible Playbook:
- Download signatures by using the CrowdStrike Ansible Playbook. For more information, see Obtaining signatures with Ansible in the Red Hat Knowledgebase article, Integrating Red Hat Lightspeed with CrowdStrike for enhanced malware detection coverage.
Verification
To confirm that the CrowdStrike signatures are extending protection for your RHEL systems, run a scan of your RHEL system and review the scan results in the malware detection service.
- From the command line, run a full scan of your system:
$ sudo insights-client --collector malware-detection
- Navigate to Security > Malware in the Hybrid Cloud Console.
- Confirm that the Source column displays CrowdStrike. The default view is for all matched and unmatched signatures to display.
Note: On first use, the default view shows CrowdStrike and IBM signatures, but you can select the cards with the IBM or CrowdStrike logos to see only the IBM signatures or only the CrowdStrike signatures.
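Sections 2.2 to 2.4 above edit two scalar keys in the collector configuration (test_scan: false, then scan_processes: true) and require YARA 4.5.2 or later for the CrowdStrike signatures. The following shell helpers are an added example, not part of the Red Hat documentation or of insights-client: the function names are my own, and the configuration file path is a parameter so the edit can be rehearsed on a copy before the real file under /etc/insights-client is touched.

```shell
#!/bin/bash
# Added example (not from the Red Hat documentation): prepare
# malware-detection-config.yml for a full filesystem scan (test_scan: false)
# and optional process scanning (scan_processes: true), and check that the
# installed YARA meets the 4.5.2 minimum the CrowdStrike integration needs.
set -eu

# set_yaml_scalar FILE KEY VALUE
# Rewrite a top-level "KEY: ..." line to "KEY: VALUE". A commented-out
# default such as "# KEY: true" is uncommented and rewritten; a missing key
# is appended. Running it twice leaves exactly one line for the key.
set_yaml_scalar() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^#?[[:space:]]?${key}:" "$file"; then
        sed -i -E "s|^#?[[:space:]]?(${key}):.*|\1: ${value}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# get_yaml_scalar FILE KEY -> prints the value of a top-level key (empty if absent),
# ignoring any trailing "# comment"
get_yaml_scalar() {
    sed -n -E "s|^${2}:[[:space:]]*([^#]*).*|\1|p" "$1" | head -n1 | sed -E 's/[[:space:]]+$//'
}

# version_ge A B -> exit status 0 when dotted version A is at least B
# (sort -V orders versions numerically, so 4.5.10 > 4.5.2)
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# yara_meets_minimum INSTALLED [MINIMUM] -> 0 if the installed YARA version is
# at least MINIMUM (default 4.5.2, the CrowdStrike prerequisite from section 2.4)
yara_meets_minimum() {
    version_ge "$1" "${2:-4.5.2}"
}

# configure_malware_collector FILE [SCAN_PROCESSES]
# Disable the test scan and set scan_processes (default false) in FILE.
configure_malware_collector() {
    local file="$1" scan_processes="${2:-false}"
    set_yaml_scalar "$file" test_scan false
    set_yaml_scalar "$file" scan_processes "$scan_processes"
}

# Real use (as root): ./prepare-scan.sh --apply true
if [ "${1:-}" = "--apply" ]; then
    installed="$(yara --version)"
    yara_meets_minimum "$installed" || echo "YARA ${installed} is older than 4.5.2; CrowdStrike signatures are unsupported" >&2
    configure_malware_collector /etc/insights-client/malware-detection-config.yml "${2:-false}"
fi
```

After the file is updated, run sudo insights-client --collector malware-detection as in the procedure; the helpers only change the configuration and never start a scan themselves.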
2.5. Manage user permissions for Red Hat Lightspeed services
Manage user permissions to control access to Red Hat Lightspeed applications. Use the User Access feature to apply role-based access control (RBAC). Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed.
2.5.1. User Access overview
Understand how the role-based access control (RBAC) User Access feature of the Red Hat Hybrid Cloud Console manages user permissions through roles instead of individual user assignments. User Access simplifies permission management by assigning specific permissions to roles, which can then be assigned to user groups.
You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.
If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:
- Control user permissions and organize roles.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
2.5.2. Predefined groups in User Access
Understand the two predefined groups available in User Access: Default access and Default admin access. Create custom groups to align permissions with specific personas, job functions, or teams in your organization.
- The Default access group
- By default, the Default access group is assigned many granular predefined roles, such as Remediations viewer and Inventory Hosts viewer, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.
If your Organization Administrator modifies the Default access group, for example, by removing roles to restrict access to specific applications or to use the consolidated roles, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.
- The Default admin access group
- The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.
2.5.3. Predefined roles assigned to groups
Understand how predefined roles in Red Hat Hybrid Cloud Console bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use predefined roles to reduce administrative effort, or create custom roles for more fine-tuned control over specific features.
The predefined roles are a starting point to help you to control and manage user permissions. You can then use these roles to create custom roles that are tailored to your specific use cases and organization. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.
By default, Red Hat provides a set of consolidated roles and a set of granular roles in the Red Hat Hybrid Cloud Console User Access UI. The consolidated roles significantly reduce the administrative effort required to manage user permissions, while the granular roles provide more fine-tuned control over specific features of Red Hat Lightspeed.
You can use the predefined consolidated and granular roles in User Access simultaneously, but using consolidated roles can significantly reduce the administrative effort.
- Select from the predefined consolidated roles library
The Red Hat Hybrid Cloud Console provides three predefined, consolidated User Access roles to help you manage user permissions to Red Hat Lightspeed applications and services that run on registered Red Hat Enterprise Linux systems. These roles help simplify how the Organization Administrator creates groups and permissions for various levels of access to the Red Hat Lightspeed services. If you want to reduce the administrative effort required to manage user permissions and your use case aligns with the permissions included in these roles, select from the consolidated roles library.
The consolidated roles are as follows:
RHEL viewer: The RHEL viewer role provides users visibility without the ability to make changes. It allows read-only access to Red Hat Lightspeed. You can view system configurations, compliance reports, inventory data, patch information, vulnerabilities, and overall resource states and activities. The only action permitted with this role is to generate activation keys.
RHEL operator: The RHEL operator role allows active management of your Red Hat Lightspeed environment. With this role, you can edit system configurations, inventory details, policies, and notification/integration settings. The RHEL operator role allows many of the RHEL administrator role functions, but it is restricted from editing compliance policies, content source templates, policies, or tasks. In addition, the RHEL operator role cannot execute remediation plans.
RHEL administrator: The RHEL administrator role provides comprehensive administrative privileges across your RHEL systems and Red Hat Lightspeed. With this role, you can manage system configurations, inventory, compliance policies, notifications, patch management, remediations, malware detection, and advisor recommendations. The role can also view and modify all vulnerability settings.
Important: To use the consolidated roles effectively, you might need to remove the granular RHEL roles from the Default access group to prevent permission conflicts. This action automatically changes the name of the predefined Default access group to Custom default access group, after which it is no longer automatically updated by Red Hat.
See Predefined User Access roles for a list of the roles included in the Default admin access group and a reference table that lists most of the predefined groups and roles that are available in the Red Hat Hybrid Cloud Console and the permissions included in each role.
- Granular roles
- The granular roles are specific roles for individual services that allow for fine-tuned control over specific features of Red Hat Lightspeed, for example, Inventory Hosts administrator or Compliance viewer. If you want to have more control over specific features of Red Hat Lightspeed and your use case does not align with the permissions included in the consolidated roles, use the granular predefined roles.
Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to view and manage remediations, the Prerequisites section for that procedure lists the Remediations administrator or other valid role as a recommended predefined role to use for that procedure.
2.5.4. Check your permissions
Verify your current permissions and the roles or groups assigned to you in the Red Hat Hybrid Cloud Console. Check your permissions to troubleshoot access issues or understand your level of access to Red Hat Lightspeed applications.
Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
- Optional: If you require additional permissions, use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Results
All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.
You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.
2.5.5. Configure user permissions
If you are an Organization Administrator, you can view and manage user permissions for all users in your organization. Control access to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services through the User Access interface.
If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.
Prerequisites
- You have logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to Identity & Access Management > User Access.
Results
From here, you can create and manage:
2.5.6. User Access roles for permissions to malware detection features
Understand the predefined roles that control access to malware detection features in Red Hat Lightspeed. Use these role definitions to assign appropriate permissions to users based on their responsibilities.
There is no "default-group" role for malware detection service users.
To view data or control settings in the malware detection service, users must be members of the User Access group with one of the following roles:
| User Access role | Grants permissions to … |
|---|---|
| Malware detection administrator | |
| Malware detection editor | |
| Malware detection viewer | |
| RHEL administrator | |
| RHEL operator | Note: The RHEL operator role is restricted from editing compliance policies, content source templates, policies, or tasks. Also, the RHEL operator role cannot execute remediation plans. |
| RHEL viewer | Note: Cannot perform actions other than generating activation keys. |
2.6. Run a malware detection scan
Run the malware detection collector on a registered RHEL host when you need an on-demand scan. After the scan completes, review the results in the Red Hat Lightspeed malware detection service. Scan time depends on configuration, how much of the system is scanned, and processes included in the scan.
Prerequisites
- You have sudo access on the system when you run the insights-client command.
Procedure
- To scan a system, run:
$ sudo insights-client --collector malware-detection
- View results at Security > Malware.
Note: You can configure a cron job to run malware detection scans at scheduled intervals. For steps and examples, see Setting up recurring scans for Red Hat Lightspeed services.
Verification
You can confirm that the scan ran successfully and results are in the malware detection service by checking the following:
- The sudo insights-client --collector malware-detection command exits successfully.
- Security > Malware shows a new or updated scan for the host.
2.7. View malware detection scan results in the Red Hat Hybrid Cloud Console
View results of system scans on the Red Hat Hybrid Cloud Console to see threats that are a risk to your systems.
Prerequisites
- YARA and the insights-client are installed and configured on the RHEL system.
- Optional: You have installed CrowdStrike signatures and completed the prerequisites for CrowdStrike.
- You have logged in to the Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer or RHEL viewer role.
Procedure
- Navigate to Security > Malware > Systems.
- View the dashboard to get a quick summary of all of your RHEL systems that have malware detection enabled and are reporting results.
- To view results for a specific system, use Filter by name in the search box.
- Click the name of a system to view its specific match details.
Verification
You can confirm that you are viewing the correct results for your system by checking the following:
- After you filter by name in Security > Malware > Systems, the selected system’s detail view matches the system you intended.
- After you click a system name, the malware detection service shows specific match details for that system.
Chapter 3. Manage the malware detection service after setup
After you set up the malware detection service, run and schedule scans, work with signatures and scan results in the service, manage matches, configure collector configuration on RHEL systems, and optionally, enable notifications in the Hybrid Cloud Console.
3.1. Understand scanning, signatures, and scheduling
Learn how malware detection scans work, manage signature rules, and schedule recurring scans to match your security policy.
3.1.1. System scan
Malware detection administrators run the malware detection collector scan on-demand or through automation such as playbooks. Your security team sets how often to scan; long runs are common, so plan schedules accordingly.
Malware detection administrators must start the Red Hat Lightspeed malware detection service collector scan on-demand. Alternatively, administrators can run the collector command as a playbook or by using another automation method.
The recommended frequency of scanning is up to your security team; however, because the scan can take significant time to run, the Red Hat Lightspeed malware detection service team recommends running the malware detection scan weekly.
3.1.2. Malware detection scan results
Use the Signatures page of the malware detection service to see matched and unmatched IBM X-Force and CrowdStrike signatures for scans on your Red Hat Enterprise Linux systems.
You can use the Signatures page of the malware detection service to see the signatures used to scan your Red Hat Enterprise Linux systems. All matched and unmatched IBM X-Force signatures appear by default. If you have installed CrowdStrike signatures and completed the prerequisites, all matched and unmatched CrowdStrike signatures appear as well.
Matched signatures indicate the YARA software detected a file on a system that corresponds to a known threat. Unmatched signatures indicate the service is actively monitoring for those threats, but no corresponding files were detected during the most recent scan.
To filter by provider, click the cards with the IBM and CrowdStrike logos at the top of the Signatures page. The IBM card is enabled by default, while the CrowdStrike card is active only if you installed CrowdStrike signatures.
3.1.3. About recurring malware detection uploads
You can run either the on-demand collector or set up the malware detection collector to scan on a schedule that you control. To control your own schedule on RHEL, use cron, systemd timers, or your automation to run the insights-client --collector malware-detection command on a schedule that matches your security policy.
For more information about scheduling, see the additional resources.
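One way to run the collector on the weekly cadence that section 3.1.1 recommends is a systemd timer, one of the scheduling options named above. The following is an added example, not a unit shipped with insights-client or shown in the Red Hat documentation: the unit names, the randomized delay, and the assumption that the client binary is /usr/bin/insights-client are mine.

```shell
#!/bin/bash
# Added example (not from the Red Hat documentation): generate and install a
# systemd service/timer pair that runs the malware detection collector on a
# schedule. Unit names, RandomizedDelaySec and the binary path are assumptions.
set -eu

UNIT_NAME="insights-malware-scan"

# render_service_unit -> prints a oneshot service that runs one collector scan
render_service_unit() {
    cat <<'EOF'
[Unit]
Description=Red Hat Lightspeed malware detection collector scan
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/insights-client --collector malware-detection
EOF
}

# render_timer_unit [CALENDAR] -> prints the timer; CALENDAR is any systemd
# OnCalendar spec (default "weekly", matching the recommended frequency)
render_timer_unit() {
    local calendar="${1:-weekly}"
    cat <<EOF
[Unit]
Description=Scheduled malware detection collector scan (${calendar})

[Timer]
OnCalendar=${calendar}
# spread start times so a fleet of hosts does not all scan and upload at once
RandomizedDelaySec=1h
# run a missed scan at next boot instead of skipping it (long scans, hosts powered off)
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# install_units DIR [CALENDAR] -> writes both unit files into DIR and prints
# the timer path; DIR is a parameter so the output can be inspected first
install_units() {
    local dir="$1" calendar="${2:-weekly}"
    mkdir -p "$dir"
    render_service_unit > "${dir}/${UNIT_NAME}.service"
    render_timer_unit "$calendar" > "${dir}/${UNIT_NAME}.timer"
    chmod 0644 "${dir}/${UNIT_NAME}.service" "${dir}/${UNIT_NAME}.timer"
    printf '%s\n' "${dir}/${UNIT_NAME}.timer"
}

# Real use (as root): ./schedule-scan.sh --install weekly
if [ "${1:-}" = "--install" ]; then
    install_units /etc/systemd/system "${2:-weekly}"
    systemctl daemon-reload
    systemctl enable --now "${UNIT_NAME}.timer"
fi
```

Check the resulting schedule with systemctl list-timers, and remember that each run still needs a registered client and a configuration with test_scan: false, or the results will not reach the malware detection service.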
3.1.4. Disable malware signatures
You can disable certain malware signatures that are not relevant to your organization’s needs or are causing false positives. These results might be due to an intentional configuration, a test scan, or a high-noise situation in which the malware detection service reports matches that are not applicable to your security priorities.
For example, the signatures XFTI_EICAR_AV_Test and XFTI_WICAR_Javascript_Test are used to detect the EICAR Anti Malware Testfile and WICAR Javascript Crypto Miner test malware. They are intentional test signatures but do not represent actual malware threats. Signatures such as these can be disabled so that matches against them are not reported in the Red Hat Hybrid Cloud Console.
Once a signature is disabled, the malware detection service removes any existing matches against that signature from the Hybrid Cloud Console and ignores the signature in future scans. If the signature is re-enabled, the malware detection service again looks for the signature in future malware-detection scans and shows resulting matches.
Disabling a signature does not erase the history of previous matches for that signature.
Prerequisites
You are logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with at least one of the following roles:
- Malware detection administrator
- RHEL administrator
Note: Only users with at least one of these roles can disable and re-enable signatures.
Procedure
- Navigate to Security > Malware > Signatures.
- Disable one signature by using one of the following methods:
  From the signatures list:
  - Find the signature to disable.
  - Click the options icon (⋮) at the end of the signature row.
  - Select Disable signature from malware analysis.
  From the signature details page:
  - Find the signature to disable in the list.
  - Click the signature name.
  - On the signature details page, click the Actions drop-down.
  - Select Disable signature from malware analysis.
- Optional: To disable several signatures at the same time:
  - Select the checkbox at the start of each row for every signature to disable.
  - Click the options icon (⋮) next to the filter fields.
  - Select Disable signatures from malware analysis.
Note: To re-enable a previously disabled signature, follow the same steps you used to disable the signature, then choose the option to include the signature in malware analysis again.
Verification
To confirm that the signature is now disabled, check the following:
- Navigate to Security > Malware > Signatures. Confirm each signature you disabled shows as excluded from malware analysis.
- On the same Signatures page, confirm matches for that signature no longer appear in active match lists.
3.1.5. View disabled malware signatures
Users with access to the malware detection signatures view can see how many signatures are disabled and filter the list to show only disabled signatures.
All users who can open the signatures page can view disabled malware signatures.
Prerequisites
- You are logged in to the Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer or RHEL viewer role.
Procedure
- Navigate to Security > Malware > Signatures.
- View the number of disabled malware signatures in the dashboard at the top of the page.
- Set filters to show the disabled signatures:
  - Set the primary filter to Signatures included in malware analysis.
  - Set the secondary filter to Disabled signatures.
Note: To re-enable a previously disabled signature, use the same pages and menus and choose the option to include the signature in malware analysis again.
Verification
- Navigate to Security > Malware > Signatures. Confirm the dashboard count for disabled signatures matches your expectation after the filter change.
- On the same Signatures page, with the primary filter Signatures included in malware analysis and the secondary filter Disabled signatures, confirm the table lists only signatures that are disabled.
3.2. Interpret results and manage matches
Understand malware detection results, review signature matches, and manage match status to track your security team’s investigation progress.
3.2.1. Interpret malware detection service results
In most cases, running a malware detection scan with YARA results in no signature matches. This means that YARA did not find any matching strings or boolean expressions when comparing a known set of malware signatures to the files included in the scan. The malware detection service will send these results to Red Hat Lightspeed. You can see the details of the system scan and lack of matches in the Red Hat Lightspeed malware detection service UI.
In the case that the malware detection scan with YARA does detect a match, it sends the results of that match to Red Hat Lightspeed. You can see details of the match in the malware detection service UI, including the file and date. System scan and signature match history is displayed for the last 14 days, so you can detect patterns and provide information to your security incident response team. For example, if a signature match was found in one scan, but not found in the next scan of the same system, that can indicate the presence of malware that is detectable only when a certain process is running.
Match status, acknowledgment, and match lists in the console are covered in the topics linked under Additional resources.
3.2.2. About malware match status and acknowledgment
You can acknowledge malware signatures at the system and signature levels, set match status, and reduce noise so your team can focus on real risk.
The Status field on the Signatures page enables you to select a status for each system or signature that you review. You can change the status of each signature match while you continue investigating and managing malware matches to help your system users stay informed about the progress of remediations or evaluations of malware matches. You can also decide which matches pose low or no threats to your systems or are irrelevant. If you are a member of a group with at least Malware detection administrator or RHEL administrator permissions, you can delete irrelevant matches from your systems.
The Total Matches column on the Signatures page includes all matches for a signature on a system. You can use the list of matches to track and review the history of malware matches on individual systems in your environment. Red Hat Lightspeed retains malware matches indefinitely, unless you delete them. Acknowledging malware matches and setting their status is one method of record-keeping. Note that if you delete a system from the malware service, the match records are discarded.
The New Matches column shows the number of new matches for a signature. A bell icon indicates each new match. A new match has a match date of up to 30 days from when the match was detected and has a Not Reviewed status. Matches older than 30 days, or those that have already been reviewed, become part of Total Matches.
Use the following to review and set match status on a signature, delete a single match from the list, or view matches grouped by system.
3.2.3. Set the match status of a malware signature
Assign Match status to malware signature matches in the malware detection service as you review each finding. The decisions for the match status value stay in the service with the match, helping to reduce repeat decisions and work. When you return to review the same items, you see your decision instead of starting from scratch on the same items.
Prerequisites
You are logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with the required role permissions for the use case, as follows:
- To view and filter malware matches, you need at least the Malware detection viewer role.
- To edit or delete matches, you must have at least one of the following roles:
  - Malware detection editor (edit only)
  - Malware detection administrator (edit and delete)
  - RHEL administrator (edit and delete)
Procedure
- Navigate to Security > Malware > Signatures. A list of signatures is displayed at the bottom of the page.
- Click a signature name. The information page for that signature displays. The page shows the list of systems affected by that malware signature. A bell icon indicates new matches for that signature.
- Use the filters at the top of the list of affected systems to filter by Status. (The default filter is Name.)
- Click the drop-down menu to the right of the Status filter and select Not Reviewed.
- Click the drop-down arrow next to the name of an affected system. The list of matches displays, with the most recent matches first.
- Select the checkbox next to the match that you want to review.
- To change the status of a match, select the new status from the Match status drop-down menu. Select from the following options:
  - Not reviewed
  - In review
  - On-hold
  - Benign
  - Malware detection test
  - No action
  - Resolved
- Optional: Add a note to include more information about the match status. A checkmark indicates that your note was saved.
Verification
- The Match status value you selected stays on the Signatures page for the match after the page updates.
- Optional: If you added a note, a checkmark shows that it was saved.
3.2.4. Delete a malware match from the signature view
When a match is not relevant to your environment, you can delete it from the list of signatures so that all malware detection administrators and RHEL reviewers see an up-to-date set of open items.
Prerequisites
You are logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with at least one of the following roles:
- Malware detection administrator
- RHEL administrator
Procedure
- Navigate to Security > Malware > Signatures. A list of signatures is displayed on the lower part of the page.
- Click the drop-down arrow next to the signature you want to manage. A list of matches displays below the system, with the most recent match first.
- Click the options icon (⋮) at the far right side of the match you want to delete, and then select Delete match. The list of matches refreshes.
Verification
- The deleted match is no longer displayed in the match list for that signature after the list refreshes.
3.2.5. View malware matches on systems
From Security > Malware > Systems, you can open a system, expand a matched signature, and acknowledge matches so your team’s view stays current.
Prerequisites
- You are logged in to the Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer or RHEL viewer role.
- To edit or delete matches, you need to be a member of a group with at least the Malware detection administrator or RHEL administrator role.
- Only systems that have malware detection enabled appear in the list of affected systems. For more information about how to enable malware detection, see Set up the Red Hat Lightspeed malware detection service.
Procedure
- Navigate to Security > Malware > Systems. The list of systems displays. If a system has malware matches, you will see the Matched label next to the system name.
- Click a system name. The system details page displays, with the list of matched malware signatures at the bottom.
- Click the drop-down list next to a malware signature. A list of matches for the signature on the system displays.
- Acknowledge the matches in the list.
Verification
- After you acknowledge, the UI reflects the acknowledgment for those matches.
3.3. Configure the collector and notifications
Customize collector configuration to optimize scanning for your environment and enable notifications to stay informed about malware detections.
3.3.1. Configuration options for the malware detection collector
The malware-detection-config.yml file defines allowlists, denylists, timing, and related scan behavior for the malware detection collector on RHEL systems.
The /etc/insights-client/malware-detection-config.yml file configures the malware detection collector on each host. The file uses YAML keys for scan scope, exclusions, process scanning, and timing. You can set the same keys with environment variables when you run the client; when both are present, environment variables override the file.
3.3.2. Malware detection collector configuration reference
Your malware detection collector on each RHEL host reads /etc/insights-client/malware-detection-config.yml to decide what to scan, what to exclude, and whether to include processes. The tables describe each YAML option. When you want different values for a single run, you can set the same options as environment variables before you start the collector. If both are present, the environment variables override the file.
| Option | Description |
|---|---|
| | Allowlist of files or directories to scan. Only listed items are scanned. Specify one item or a list (YAML list syntax). If empty, all files and directories are scanned (subject to other options). |
| | Denylist of paths not to scan. Default exclusions include virtual filesystems (for example, |
| | Limit file scanning to files modified within a time window. For example, |
| | When |
| | Filesystem types treated as network filesystems for the |
| | When |
| | Allowlist for processes, analogous to |
| | Denylist for processes. If a process matches both |
| | Time window for process scanning, analogous to |

| Variable | Description |
|---|---|
| General rule | Every YAML option in |
| | For these list-valued settings, use a comma-separated list in the environment variable (no YAML list syntax). Example: |
For an example of passing these variables when you run the collector from the command line, see Configure the malware collector with environment variables on the command line.
3.3.3. Configure the malware collector with environment variables on the command line
You can override /etc/insights-client/malware-detection-config.yml settings for a single run by exporting or prefixing environment variables when you run the insights-client collector.
Prerequisites
- You have sudo access on the RHEL system.
- The insights-client package is installed.
Procedure
- Set list-valued scan targets with a comma-separated list. For example, to scan only /etc, /tmp, and /var/lib, use the following pattern:
  FILESYSTEM_SCAN_ONLY=/etc,/tmp,/var/lib
- Run the collector with those variables set and with TEST_SCAN disabled, for example:
  $ sudo FILESYSTEM_SCAN_ONLY=/etc,/tmp,/var/lib TEST_SCAN=false insights-client --collector malware-detection
Verification
- The collector command exits with status 0.
- The scan results or logs reflect the overridden settings for this run (for example, scan scope limited to the directories you set in FILESYSTEM_SCAN_ONLY).
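As an added example, not part of the Red Hat documentation or of the insights-client code, the shell functions below apply the precedence rule from the two preceding sections: an environment variable, when set, overrides the YAML file, and a YAML list is passed as a comma-separated value. The example assumes the YAML key is the lowercase form of the variable name (filesystem_scan_only for FILESYSTEM_SCAN_ONLY), which the page does not state, and it parses a constructed sample instead of reading /etc/insights-client/malware-detection-config.yml.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or the insights-client code.
# Shows the precedence rule for collector settings: an environment variable, when set,
# overrides the YAML file, and a YAML list is expressed as a comma-separated value.
# Assumption (not stated on the page): the YAML key is the lowercase form of the
# environment variable name, e.g. filesystem_scan_only for FILESYSTEM_SCAN_ONLY.

# Constructed sample of a malware-detection-config.yml; the real file is
# /etc/insights-client/malware-detection-config.yml and is not read here.
SAMPLE_CONFIG='# constructed sample config
test_scan: false
filesystem_scan_only:
  - /etc
  - /tmp
  - /var/lib
filesystem_scan_exclude:
  - /proc
'

# yaml_list_to_csv KEY: read YAML on stdin and print the block-list items under KEY
# as a comma-separated string (only the simple "  - item" form is handled).
yaml_list_to_csv() {
    awk -v key="$1" '
        $0 ~ ("^" key ":")          { inlist = 1; next }
        inlist && /^[ \t]*-[ \t]*/  { sub(/^[ \t]*-[ \t]*/, "")
                                      items = (items == "") ? $0 : items "," $0; next }
        inlist && /^[^ \t#]/        { inlist = 0 }
        END                         { print items }
    '
}

# effective_setting VARNAME: value of the environment variable if it is set and
# non-empty, otherwise the comma-separated YAML list for the matching lowercase key.
effective_setting() {
    eval "envval=\${$1:-}"
    if [ -n "$envval" ]; then
        printf '%s\n' "$envval"          # environment variable wins
    else
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        printf '%s' "$SAMPLE_CONFIG" | yaml_list_to_csv "$key"
    fi
}

# Stand-alone demonstration: file value first, then an override for a single run.
effective_setting FILESYSTEM_SCAN_ONLY                              # /etc,/tmp,/var/lib
( FILESYSTEM_SCAN_ONLY=/opt; effective_setting FILESYSTEM_SCAN_ONLY )   # /opt
```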
3.3.4. Enable notifications and integrations for malware events
You can enable the notifications service on Red Hat Hybrid Cloud Console to send notifications whenever the malware service detects a signature match on at least one system scan and generates an alert. Using the notifications service frees you from having to continually check the Red Hat Lightspeed dashboard for alerts. For example, you can configure the notifications service to automatically send an email message whenever the malware service detects a possible threat to your systems, or to send an email digest of all the alerts that the malware service generates each day.
In addition to sending email messages, you can configure the notifications service to send event data in other ways:
- Using an authenticated client to query Red Hat Lightspeed APIs for event data
- Using webhooks to send events to third-party applications that accept inbound requests
- Integrating notifications with applications such as Splunk to route malware events to the application dashboard
Notifications will trigger for Red Hat Lightspeed services based on service-specific criteria.
Malware service notifications include the following information:
- The name of the affected system
- The number of signature matches found during the system scan
- A link to view the details from the Red Hat Hybrid Cloud Console
Enabling the notifications service requires three main steps:
- First, an Organization Administrator creates a User Access group that includes at least the Notifications administrator or the RHEL administrator role, and then adds account members to the group.
- Next, a user with the correct notifications administrator role permissions sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users or just to Organization Administrators.
- Finally, users who receive email notifications from events must set their user preferences to receive individual emails for each event.
Providing feedback on Red Hat documentation
Provide feedback on Red Hat documentation to report issues or request enhancements. Submit detailed feedback through the Red Hat Customer Portal to help improve documentation quality.
Prerequisites
- You are logged in to the Red Hat Customer Portal.
Procedure
- Click the following link: Create Issue
- Describe the issue or enhancement in the Summary text box.
- Provide details about the issue or requested enhancement in the Description text box.
- Type your name in the Reporter text box.
- Click the Create button.
Results
This action creates a documentation ticket and routes it to the appropriate documentation team. Thank you for taking the time to give feedback.