
Malware scanning

Besides detecting software vulnerabilities (CVEs) and compliance issues (such as images configured to run as root), Prisma Cloud also detects malware in your container images. No special configuration is required to enable this feature.
To perform malware analysis, Prisma Cloud uses the inputs from:
  • Intelligence Stream—Searches the feed for a match against the hash for the executable.
  • WildFire service—Queries the WildFire service for a match against the hash for the executable. If there is no match and upload is enabled, the file is uploaded for analysis.
    WildFire is only supported for image scanning when used in CI.
  • Custom feeds—Searches for a match for the executable hash against any custom malware data you import for image scanning.
Malware scanning and detection is supported for Linux container images only. Windows containers are not supported.

Detecting malware

The image scanner looks for malware in binaries in the image layers, including the base layer. When Prisma Cloud detects malware in an image, it includes the malware information as a compliance violation in the image scan report.
To review the results of an image scan:
  1. Open Console, then go to Monitor > Vulnerabilities > Images.
  2. Click on an image to get a detailed report from the last image scan.
  3. In the detailed report, click on the Compliance tab.
    An issue with vulnerability ID 422 means that your image contains a file with an MD5 signature of known malware.
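
The hash matching described above, sketched as an added example; it is not Prisma Cloud's code. It assumes each layer is available as a tar archive, treats any regular file with an execute bit as an executable, and uses a constructed feed and constructed sample bytes.

```python
import hashlib
import io
import tarfile

def make_layer(files):
    """Build an in-memory layer tarball from {path: (data, mode)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, (data, mode) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def scan_layers(layers, feed):
    """Hash every executable in every layer (base layer first) and
    return one finding per file whose MD5 is listed in feed {md5: name}."""
    findings = []
    for index, layer in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
            for member in tar:
                # Assumption: "executable" = regular file with an execute bit set.
                if not member.isfile() or not member.mode & 0o111:
                    continue
                digest = hashlib.md5()
                stream = tar.extractfile(member)
                for chunk in iter(lambda: stream.read(65536), b""):
                    digest.update(chunk)
                md5 = digest.hexdigest()
                if md5 in feed:
                    findings.append({"layer": index, "path": member.name,
                                     "md5": md5, "malware": feed[md5]})
    return findings

# Constructed sample data: harmless bytes standing in for a flagged binary.
SAMPLE = b"constructed sample bytes, not real malware"
FEED = {hashlib.md5(SAMPLE).hexdigest(): "Constructed.Test.Sample"}
LAYERS = [
    make_layer({"usr/local/bin/updater": (SAMPLE, 0o755),  # base layer, executable
                "etc/motd": (SAMPLE, 0o644)}),              # same bytes, not executable
    make_layer({"app/run.sh": (b"#!/bin/sh\necho ok\n", 0o755)}),
]

if __name__ == "__main__":
    for finding in scan_layers(LAYERS, FEED):
        print(finding)
```

Because each layer is hashed on its own, a match in the base layer is reported with its layer index even when later layers are clean.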
