Malware detection
Malware detection refers to the process of analyzing a computer system or network for the existence of malicious software and files. Security products can identify malware by checking for signatures of known malware. Security tools can also detect malicious activity by detecting suspicious behavior from software activity. When malware infects a system, it can modify it using various techniques to evade detection. ThreatLockDown uses a broad-spectrum approach to counter those techniques in order to detect malicious files and abnormal patterns that indicate the presence of malware.
The ThreatLockDown file integrity monitoring (FIM) module helps detect malicious files on monitored endpoints. On its own, the FIM module cannot detect malicious files. However, you can detect malware by combining the FIM module with threat detection rules and threat intelligence sources. You can configure ThreatLockDown to use FIM events with threat intelligence sources like VirusTotal and CDB lists containing file hashes, and YARA scans to detect malware.
ThreatLockDown detects rootkit behavior on monitored endpoints using the Rootcheck module. Rootcheck continuously monitors endpoints and generates alerts when it detects any anomaly. Anomaly monitoring ensures ThreatLockDown detects malware that signature-based techniques might have missed. Rootcheck also uses known signatures of rootkits and trojans to detect their presence on monitored endpoints. Wazuh's flexibility ensures that users can update these rootkit signatures themselves.
The ThreatLockDown log collection capability allows you to collect logs from third-party malware detection software. Using this capability, ThreatLockDown collects and analyzes logs from malware detection software such as Windows Defender and ClamAV.