Chapter 1. Red Hat Lightspeed malware detection service overview
The Red Hat Lightspeed malware detection service is a monitoring and assessment tool that scans RHEL systems for the presence of malware. The malware detection service incorporates YARA pattern-matching software and malware detection signatures. Signatures are provided in partnership with the IBM X-Force threat intelligence team working closely with the Red Hat threat intelligence team.
In the malware detection service UI, User Access-authorized administrators and viewers can
- See the list of signatures against which their RHEL systems are scanned.
- See aggregate results for all RHEL systems with malware detection enabled in the Red Hat Lightspeed client.
- See results for individual systems.
- Know when a system shows evidence of the presence of malware.
These features give security threat assessors and IT incident-response teams valuable information to prepare a response.
The malware detection service does not recommend specific actions to resolve or remediate malware incidents.
The strategy for addressing a malware threat depends on many criteria and considerations specific to each system and organization. Your organization’s security incident response team is best qualified to design and implement an effective mitigation and remediation strategy for each circumstance.
1.1. YARA malware signatures
YARA signature detection is the cornerstone of the Red Hat Lightspeed malware detection service. YARA signatures are descriptions of malware types expressed as patterns. Each description consists of a set of strings and a boolean expression that define a rule. When one or more of the conditions in a signature exist on a scanned RHEL system, YARA records a hit on that system.
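As an added illustration, not one of the service's signatures and not taken from this documentation, the following constructed YARA rule shows how a set of strings and a boolean condition together define a rule. The rule name and every string value are made up for the example.

```yara
// Illustrative rule only: the name and all string values are constructed.
// It is not an XFTI_ signature and matches no known malware family.
rule Example_Constructed_Linux_Rule
{
    meta:
        description = "Shows the strings-plus-condition structure of a YARA rule"
        author      = "example only, not IBM X-Force"

    strings:
        // Hex string: ELF magic, then any class byte (?? wildcard),
        // little-endian marker, ELF version 1
        $elf  = { 7F 45 4C 46 ?? 01 01 }
        // Text strings: literal byte sequences (constructed values)
        $s1   = "example_beacon_path" ascii
        $s2   = "example_persist_marker" ascii
        // Regular expression, matched case-insensitively
        $re1  = /example-c2-[0-9]{3}\.invalid/ nocase

    condition:
        // The boolean expression that turns the strings into a rule:
        // the ELF header must sit at offset 0, the file must be small,
        // and at least two of the remaining patterns must be present.
        $elf at 0 and
        filesize < 2MB and
        2 of ($s*, $re1)
}
```

A hit is recorded only when the whole condition evaluates to true, so the presence of a single string such as $s1 on its own does not trigger the rule.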
1.2. IBM X-Force Threat Intelligence signatures
The Red Hat Lightspeed malware detection service includes predefined signatures developed by the IBM X-Force Threat Intelligence team to expose malware running on RHEL systems. Signatures compiled by the X-Force threat intelligence team are identifiable in the malware detection service by the XFTI_ prefix, for example, XFTI_FritzFrog.