Chapter 3. Manage the malware detection service


After you set up the malware detection service, you can run and schedule scans, view signatures and scan results, and manage matches. You can also change configuration settings for the collector. Optionally, enable notifications in the Hybrid Cloud Console to receive alerts about events in the service.

3.1. Understand scanning, signatures, and scheduling

Learn how malware detection scans work, manage signature rules, and schedule recurring scans to match your security policy.

3.1.1. System scan

Malware detection administrators run the malware detection collector scan on-demand or through automation such as playbooks. Your security team sets how often to scan; long runs are common, so plan schedules accordingly.

Malware detection administrators must start the Red Hat Lightspeed malware detection service collector scan on-demand. Alternatively, administrators can run the collector command as a playbook or by using another automation method.

Note

The recommended frequency of scanning is up to your security team; however, because the scan can take significant time to run, the Red Hat Lightspeed malware detection service team recommends running the malware detection scan weekly.

3.1.2. Malware detection scan results

Use the Signatures page of the malware detection service to see matched and unmatched IBM X-Force and CrowdStrike signatures for scans on your Red Hat Enterprise Linux systems.

You can use the Signatures page of the malware detection service to see the signatures used to scan your Red Hat Enterprise Linux systems. All matched and unmatched IBM X-Force signatures appear by default. If you have installed CrowdStrike signatures and completed the prerequisites, all matched and unmatched CrowdStrike signatures appear as well.

Matched signatures indicate the YARA software detected a file on a system that corresponds to a known threat. Unmatched signatures indicate the service is actively monitoring for those threats, but no corresponding files were detected during the most recent scan.

To filter by provider, click the cards with the IBM and CrowdStrike logos at the top of the Signatures page. The IBM card is enabled by default, while the CrowdStrike card is active only if you installed CrowdStrike signatures.

3.1.3. About recurring malware detection uploads

Set up the malware detection collector to scan on a schedule by using cron, systemd timers, or automation. Run insights-client --collector malware-detection on a schedule that matches your security policy.

For more information about scheduling, see the additional resources.

3.1.4. Disable malware signatures

Disable malware signatures that are not relevant to your organization or cause false positives. This helps reduce noise from intentional configurations, test scans, or matches that do not align with your security priorities.

For example, the signatures XFTI_EICAR_AV_Test and XFTI_WICAR_Javascript_Test are used to detect the EICAR Anti Malware test file and WICAR Javascript Crypto Miner test malware. They are intentional test signatures but do not represent actual malware threats. Signatures such as these can be disabled so that matches against them are not reported in the Red Hat Hybrid Cloud Console.

After a signature is disabled, the malware detection service removes any existing matches against that signature from the Hybrid Cloud Console and ignores the signature in future scans. If the signature is re-enabled, the malware detection service again looks for the signature in future malware-detection scans and shows resulting matches.

Note

Disabling a signature does not erase the history of previous matches for that signature.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with at least one of the following roles:

    • Malware detection administrator
    • RHEL administrator

Procedure

  1. Navigate to Security > Malware > Signatures.
  2. Disable signatures by using one of the following methods:

    • Disable a single signature from the signatures list:

      1. Find the signature to disable.
      2. Click the options icon (⋮) at the end of the signature row.
      3. Select Disable signature from malware analysis.
    • Disable a single signature from the signature details page:

      1. Find the signature to disable.
      2. Click the signature name.
      3. On the signature details page, click the Actions drop-down.
      4. Select Disable signature from malware analysis.
    • Disable multiple signatures at the same time:

      1. Select the checkbox at the start of each row for every signature to disable.
      2. Click the options icon (⋮) next to the filter fields.
      3. Select Disable signatures from malware analysis.

        Note

        To re-enable a previously disabled signature, follow part of the process to disable the signature, then choose the option to include the signature in malware analysis again.

Verification

To confirm that the signature is now disabled, check the following:

  • Navigate to Security > Malware > Signatures. Confirm that each signature you disabled is shown as excluded from malware analysis.
  • On the same Signatures page, confirm matches for that signature no longer appear in active match lists.

3.1.5. View disabled malware signatures

Users with access to the malware detection signatures view can see how many signatures are disabled and filter the list to show only disabled signatures.

All users who can open the signatures page can view disabled malware signatures.

Prerequisites

  • You are logged in to the Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer or RHEL viewer role.

Procedure

  1. Navigate to Security > Malware > Signatures.
  2. View the number of disabled malware signatures in the dashboard at the top of the page.
  3. Set filters to show the disabled signatures:

    1. Set the primary filter to Signatures included in malware analysis.
    2. Set the secondary filter to Disabled signatures.
  4. Optional: Re-enable a previously disabled signature by using the same pages and menus. Choose the option to include the signature in malware analysis again.

Verification

  • Navigate to Security > Malware > Signatures. Confirm that the dashboard count for disabled signatures matches your expectation after the filter change.
  • On the same Signatures page, with the primary filter Signatures included in malware analysis and the secondary filter Disabled signatures, confirm the table lists only signatures that are disabled.

3.2. Interpret results and manage matches

Understand malware detection results, review signature matches, and manage match status to track your security team’s investigation progress.

3.2.1. Interpret malware detection service results

In most cases, malware detection scans result in no signature matches, meaning YARA found no matching strings or boolean expressions in the scanned files. You can view scan details and match results in the Red Hat Lightspeed malware detection service.

In the case that the malware detection scan with YARA does detect a match, it sends the results of that match to Red Hat Lightspeed. You can see details of the match in the malware detection service UI, including the file and date. System scan and signature match history is displayed for the last 14 days, so you can detect patterns and provide information to your security incident response team. For example, if a signature match was found in one scan, but not found in the next scan of the same system, that can indicate the presence of malware that is detectable only when a certain process is running.

Match status, acknowledgment, and match lists in the console are covered in the topics linked under Additional resources.

3.2.2. About malware match status and acknowledgment

You can acknowledge malware signatures at the system and signature levels, set match status, and reduce noise so your team can focus on real risk.

The Status field on the Signatures page enables you to select a status for each system or signature that you review. You can change the status of each signature match while you continue investigating and managing malware matches to help your system users stay informed about the progress of remediations or evaluations of malware matches. You can also decide which matches pose low or no threats to your systems or are irrelevant. If you are a member of a group with at least Malware detection administrator or RHEL administrator permissions, you can delete irrelevant matches from your systems.

The Total Matches column on the Signatures page includes all matches for a signature on a system. You can use the list of matches to track and review the history of malware matches on individual systems in your environment. Red Hat Lightspeed retains malware matches indefinitely unless you delete them. Acknowledging malware matches and setting their status is one method of record-keeping. Note that if you delete a system from the malware service, the match records are discarded.

The New Matches column shows the number of new matches for a signature, and a bell icon marks each new match. A new match is one that was detected within the last 30 days and still has the Not Reviewed status. Matches older than 30 days, or matches that have already been reviewed, become part of Total Matches.

3.2.3. Set the match status of a malware signature

Assign match status values to malware signature matches as you review findings. Your decisions persist with each match, reducing repeat work when you review the same items in the future.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with the required role permissions for the use case, as follows:

    • To view and filter malware matches, you need at least the Malware detection viewer role.
    • To edit or delete matches, you must have at least one of the following roles:

      • Malware detection editor (edit only)
      • Malware detection administrator (edit and delete)
      • RHEL administrator (edit and delete)

Procedure

  1. Navigate to Security > Malware > Signatures. A list of signatures is displayed at the bottom of the page.
  2. Click a signature name. The information page for that signature displays. The page shows the list of systems affected by that malware signature. A bell icon indicates new matches for that signature.
  3. Use the filters at the top of the list of affected systems to filter by Status. (The default filter is Name.)
  4. Click the drop-down menu to the right of the Status filter and select Not Reviewed.
  5. Click the drop-down arrow next to the name of an affected system. The list of matches displays, with the most recent matches first.
  6. Select the checkbox next to the match that you want to review.
  7. To change the status of a match, select the new status from the Match status drop-down menu. Select from the following options:

    • Not reviewed
    • In review
    • On-hold
    • Benign
    • Malware detection test
    • No action
    • Resolved
  8. Optional: Add a note to include more information about the match status. A checkmark indicates that your note was saved.

Verification

  • The Match status value you selected stays on the Signatures page for the match after the page updates.
  • Optional: If you added a note, a checkmark indicates that it was saved.

3.2.4. Delete a malware match from the signature view

When a match is not relevant to your environment, you can delete it from the list of signatures so that all malware detection administrators and RHEL reviewers see an up-to-date set of open items.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as a user who is a member of a User Access group with at least one of the following roles:

    • Malware detection administrator
    • RHEL administrator

Procedure

  1. Navigate to Security > Malware > Signatures. A list of signatures is displayed on the lower part of the page.
  2. Click the drop-down arrow next to the signature you want to manage. A list of matches displays below it, with the most recent match first.
  3. Click the options icon (⋮) at the far right side of the match you want to delete, and then select Delete match. The list of matches refreshes.

Verification

  • The deleted match is no longer displayed in the match list for that signature after the list refreshes.

3.2.5. View malware matches on systems

From Security > Malware > Systems, you can open a system, expand a matched signature, and acknowledge matches so your team’s view stays current.

Prerequisites

  • You are logged in to the Hybrid Cloud Console as a user who is a member of a User Access group with at least the Malware detection viewer or RHEL viewer role.
  • To edit or delete matches, you need to be a member of a group with at least the Malware detection administrator or RHEL administrator role.
  • Only systems that have malware detection enabled appear in the list of affected systems. For more information about how to enable malware detection, see Set up the Red Hat Lightspeed malware detection service.

Procedure

  1. Navigate to Security > Malware > Systems. The list of systems displays. If a system has malware matches, you will see the Matched label next to the system name.
  2. Click a system name. The system details page displays, with the list of matched malware signatures at the bottom.
  3. Click the drop-down list next to a malware signature. A list of matches for the signature on the system displays.
  4. Acknowledge the matches in the list.

Verification

  • After you acknowledge the matches, the system details page shows them as acknowledged.

3.3. Configure the collector and notifications

Customize configuration settings for the collector to get the best results from scans of your systems or processes. In addition, enable notifications to receive alerts about malware detections to provide up-to-date information about threats to your systems.

3.3.1. Configuration options for the malware detection collector

The malware-detection-config.yml file defines allowlists, denylists, timing, and related scan behavior for the malware detection collector on RHEL systems.

The /etc/insights-client/malware-detection-config.yml file configures the malware detection collector on each host. The file uses YAML keys for scan scope, exclusions, process scanning, and timing. You can set the same keys with environment variables when you run the client; when both are present, environment variables override the file.

3.3.2. Malware detection collector configuration reference

The malware detection collector reads /etc/insights-client/malware-detection-config.yml to determine scan settings, exclusions, and process scanning options. Environment variables set before running the collector override the configuration file.

Table 3.1. Configuration options in malware-detection-config.yml

Option / Description

filesystem_scan_only

Allowlist of files or directories to scan. Only listed items are scanned. Specify one item or a list (YAML list syntax). If empty, all files and directories are scanned (subject to other options).

filesystem_scan_exclude

Denylist of paths not to scan. Default exclusions include virtual filesystems (for example, /proc, /sys, /cgroup), common mount points (/mnt, /media), and paths such as /dev and /var/log/insights-client. If a path appears in both filesystem_scan_only and filesystem_scan_exclude, filesystem_scan_exclude wins. If a parent directory is in filesystem_scan_only but some of its children are in filesystem_scan_exclude, those children are skipped and the rest of the parent is scanned.

filesystem_scan_since

Limit file scanning to files modified within a time window. For example, filesystem_scan_since: 1 scans files created or modified in the past day. Use filesystem_scan_since: last for files changed since the last successful filesystem_scan of the malware-client.

exclude_network_filesystem_mountpoints

When true (default), the collector does not scan mount points of network filesystems, reducing traffic and load. Types treated as network filesystems are listed in network_filesystem_types. Excluded mount points are merged with filesystem_scan_exclude. Set to false to allow those mount points unless you exclude them explicitly.

network_filesystem_types

Filesystem types treated as network filesystems for the exclude_network_filesystem_mountpoints option.

scan_processes

When true, the collector includes running processes in the scan. Default is false to limit performance impact on large or busy systems. When false, process-scan options are ignored.

processes_scan_only

Allowlist for processes, analogous to filesystem_scan_only. Specify a PID, a range (for example, 1000..2000), or a substring of the process name (for example, Chrome).

processes_scan_exclude

Denylist for processes. If a process matches both processes_scan_only and processes_scan_exclude, processes_scan_exclude takes precedence.

processes_scan_since

Time window for process scanning, analogous to filesystem_scan_since. For example, processes_scan_since: 1 limits to processes started or modified in the past day; processes_scan_since: last uses the last successful process scan.

Table 3.2. Environment variables for collector options

Variable / Description

General rule

Every YAML option in /etc/insights-client/malware-detection-config.yml can be set with an environment variable of the same name in uppercase with underscores. The environment variable overrides the configuration file value when both are present. For example, YAML test_scan maps to TEST_SCAN.

FILESYSTEM_SCAN_ONLY, FILESYSTEM_SCAN_EXCLUDE, PROCESSES_SCAN_ONLY, PROCESSES_SCAN_EXCLUDE, NETWORK_FILESYSTEM_TYPES

For these list-valued settings, use a comma-separated list in the environment variable (no YAML list syntax). Example: FILESYSTEM_SCAN_ONLY=/etc,/tmp,/var/lib.
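As an added example (not the collector's or Red Hat's own code), the following Python models how the options in Table 3.1 and the environment-variable rule in Table 3.2 combine on one host; the sample config dict and environment are constructed, and treating a missing last-scan time as "scan everything" is an assumption.

```python
"""Illustrative model (not the collector's own code) of how Tables 3.1 and 3.2
combine: env var FOO_BAR overrides YAML key foo_bar, list options are
comma-separated in the environment, filesystem_scan_exclude beats
filesystem_scan_only, and filesystem_scan_since filters by modification time."""
import time
from pathlib import PurePosixPath

LIST_OPTIONS = {"filesystem_scan_only", "filesystem_scan_exclude",
                "processes_scan_only", "processes_scan_exclude",
                "network_filesystem_types"}
BOOL_OPTIONS = {"exclude_network_filesystem_mountpoints", "scan_processes", "test_scan"}
# Options from Table 3.1 plus test_scan; the real collector maps every YAML key.
KNOWN_OPTIONS = LIST_OPTIONS | BOOL_OPTIONS | {"filesystem_scan_since", "processes_scan_since"}

def as_list(value):
    """Accept a YAML list, a single YAML string, or a comma-separated env string."""
    if value is None:
        return []
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    return [str(item) for item in value]

def resolve_settings(file_config, env):
    """Start from the parsed YAML file; any known option set in env wins."""
    effective = dict(file_config)
    for option in KNOWN_OPTIONS:
        raw = env.get(option.upper())
        if raw is None:
            continue
        if option in LIST_OPTIONS:
            effective[option] = as_list(raw)
        elif option in BOOL_OPTIONS:
            effective[option] = raw.strip().lower() in ("true", "yes", "1")
        else:
            effective[option] = raw.strip()
    return effective

def _under(path, prefix):
    path, prefix = PurePosixPath(path), PurePosixPath(prefix)
    return path == prefix or prefix in path.parents

def path_in_scope(path, settings):
    """Table 3.1 precedence: a filesystem_scan_exclude match always wins;
    an empty filesystem_scan_only means every remaining path is scanned."""
    if any(_under(path, p) for p in as_list(settings.get("filesystem_scan_exclude"))):
        return False
    only = as_list(settings.get("filesystem_scan_only"))
    return not only or any(_under(path, p) for p in only)

def modified_in_window(mtime, since, now=None, last_scan=None):
    """filesystem_scan_since: a number of days, or 'last' for files changed
    since the last successful scan (assumed: no recorded scan means all files)."""
    if since is None:
        return True
    if str(since).strip().lower() == "last":
        return last_scan is None or mtime >= last_scan
    now = time.time() if now is None else now
    return mtime >= now - int(since) * 86400

# Constructed sample: what yaml.safe_load() returns for a small config file,
# plus the environment from the command-line procedure on this page.
SAMPLE_FILE_CONFIG = {"filesystem_scan_exclude": ["/proc", "/sys", "/dev",
                                                  "/var/log/insights-client"],
                      "scan_processes": False, "test_scan": True}
SAMPLE_ENV = {"FILESYSTEM_SCAN_ONLY": "/etc,/tmp,/var/lib", "TEST_SCAN": "false"}
```

Call resolve_settings(SAMPLE_FILE_CONFIG, SAMPLE_ENV) and then path_in_scope on candidate paths to see which files a run with those overrides would cover.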

For an example of passing these variables when you run the collector from the command line, see Configure the malware collector with environment variables on the command line.

3.3.3. Configure the malware collector with environment variables on the command line

You can override /etc/insights-client/malware-detection-config.yml settings for a single run by exporting or prefixing environment variables when you run the insights-client collector.

Prerequisites

  • You have sudo access on the RHEL system.
  • The insights-client package is installed.

Procedure

  1. Set list-valued scan targets with a comma-separated list. For example, to scan only /etc, /tmp, and /var/lib, use the following pattern:

    FILESYSTEM_SCAN_ONLY=/etc,/tmp,/var/lib
  2. Run the collector with those variables set and with TEST_SCAN disabled, for example:

    $ sudo FILESYSTEM_SCAN_ONLY=/etc,/tmp,/var/lib TEST_SCAN=false insights-client --collector malware-detection

Verification

  • The collector command exits with status 0.
  • The scan results or logs reflect the overridden settings for this run (for example, scan scope limited to the directories you set in FILESYSTEM_SCAN_ONLY).

3.3.4. Enable notifications and integrations for malware events

Enable the notifications service to receive alerts when the malware service detects signature matches on your systems. Notifications help you stay informed about possible threats when you cannot continuously monitor the Red Hat Lightspeed dashboard.

In addition to sending email messages, you can configure the notifications service to send event data in other ways:

  • Using an authenticated client to query Red Hat Lightspeed APIs for event data
  • Using webhooks to send events to third-party applications that accept inbound requests
  • Integrating notifications with applications such as Splunk to route malware events to the application dashboard

Notifications will trigger for Red Hat Lightspeed services based on service-specific criteria.

Malware service notifications include the following information:

  • The name of the affected system
  • The number of signature matches found during the system scan
  • A link to view the details from the Red Hat Hybrid Cloud Console

Enabling the notifications service requires three main steps:

  • First, an Organization Administrator creates a User Access group that includes at least the Notifications administrator or the RHEL administrator role, and then adds account members to the group.
  • Next, a user with the correct notifications administrator role permissions sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users or just to Organization Administrators.
  • Finally, users who receive email notifications from events must set their user preferences to receive individual emails for each event.