Focus
Focus
Table of Contents

Malware Scanning

Prisma Cloud agentless scanning uses Palo Alto Networks Advanced WildFire to scan your container images and hosts for malware.
Malware scanning is supported for container images and hosts in the following cloud service providers.
  • AWS
  • Azure
  • GCP
  • OCI
Windows and Linux hosts and images are supported.
Advanced WildFire provides verdicts for the scanned container images and hosts to identify samples as malicious, unwanted (Grayware is considered obtrusive but not malicious), phishing, or benign. Malware scanning uses the MD5 signatures of binaries and shared libraries to identify the verdict. Malware scanning doesn’t show Grayware results by default. Go to
Compute > Manage > System > WildFire
and enable the toggle to include Grayware verdicts in the malware scanning results in Prisma Cloud.
Once an agentless scan is complete, go to
Compute > Monitor > Compliance > Images
or to
Compute > Monitor > Compliance > Host
to see the results for a deployed image or a host. Go to
Compute > Monitor > Compliance
to find the malware scanning results in the Prisma Cloud Compliance Explorer after an agentless scan was completed successfully. Use the following compliance check IDs in the compliance explorer to identify malware scanning results.
  • ID #454
    - Host file is flagged as malware by WildFire.
  • ID #455
    - Image file is flagged as malware by WildFire.
You can filter the results by
Category: Prisma Cloud Labs
to show both image and host file results. It can take some time for the
Malware status
to appear in the
Host
and
Image details
and the status shows as Pending until Advanced WildFire reports the verdicts. The malware scanning happens asynchronously from the vulnerability and compliance scanning. You can see the results of a completed agentless scan for vulnerability and compliance issues in your deployment before the
Malware status
is resolved.
On Linux, malware scanning checks the ELF binaries in your hosts and container images. On Windows, malware scanning checks the binary files and shared libraries in your hosts and container images. Given the large number of binaries found in Windows systems, malware scanning results take longer to appear than for Linux systems.
Agent-based scanning also checks your workloads for malware. This check uses a different malware engine, and you can view the results it produces in the compliance explorer too. Use the following compliance check ID in compliance explorer to identify malware scanning results produced by your Defenders.
  • ID #422
    - Image contains malware
You can filter the results by
Category: Twistlock Labs
to show the detected images containing malware.

Recommended For You