Malware Scanning
Table of Contents
Prisma Cloud Enterprise Edition
Expand all | Collapse all
-
- Getting started
- System Requirements
- Cluster Context
-
- Defender Types
- Manage your Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Deploy Orchestrator Defenders on Amazon ECS
- Automatically Install Container Defender in a Cluster
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Deploy Defenders as DaemonSets
- VMware Tanzu Application Service (TAS) Defender
- Deploy Defender on Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- Deploy Defender on OpenShift v4
- Deploy Defender with Declarative Object Management
-
- Agentless Scanning Modes
-
- Onboard AWS Accounts for Agentless Scanning
- Configure Agentless Scanning for AWS
- Onboard Azure Accounts for Agentless Scanning
- Configure Agentless Scanning for Azure
- Onboard GCP Accounts for Agentless Scanning
- Configure Agentless Scanning for GCP
- Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
- Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
- Agentless Scanning Results
-
- Rule ordering and pattern matching
- Backup and Restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with Certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
-
- Prisma Cloud Vulnerability Feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
-
- Configure Registry Scans
- Scan Images in Alibaba Cloud Container Registry
- Scan Images in Amazon Elastic Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan Images in Docker Registry v2 (including Docker Hub)
- Scan Images in GitLab Container Registry
- Scan images in Google Artifact Registry
- Scan Images in Google Container Registry (GCR)
- Scan Images in Harbor Registry
- Scan Images in IBM Cloud Container Registry
- Scan Images in JFrog Artifactory Docker Registry
- Scan Images in Sonatype Nexus Registry
- Scan images in OpenShift integrated Docker registry
- Scan Images in CoreOS Quay Registry
- Trigger Registry Scans with Webhooks
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless Functions Scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot Vulnerability Detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Malware Scanning
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
-
- Alert Mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
- API
Malware Scanning
Prisma Cloud agentless scanning uses Palo Alto Networks Advanced WildFire to scan your container images and hosts for malware.
Malware scanning is supported for container images and hosts in the following cloud service providers.
- AWS
- Azure
- GCP
- OCI
Windows and Linux hosts and images are supported.
Advanced WildFire provides verdicts for the scanned container images and hosts to identify samples as malicious, unwanted (Grayware is considered obtrusive but not malicious), phishing, or benign.
Malware scanning uses the MD5 signatures of binaries and shared libraries to identify the verdict.
Malware scanning doesn’t show Grayware results by default.
Go to
Compute > Manage > System > WildFire
and enable the toggle to include Grayware verdicts in the malware scanning results in Prisma Cloud.Once an agentless scan is complete, go to
Compute > Monitor > Compliance > Images
or to Compute > Monitor > Compliance > Host
to see the results for a deployed image or a host.
Go to Compute > Monitor > Compliance
to find the malware scanning results in the Prisma Cloud Compliance Explorer after an agentless scan was completed successfully.
Use the following compliance check IDs in the compliance explorer to identify malware scanning results.- ID #454- Host file is flagged as malware by WildFire.
- ID #455- Image file is flagged as malware by WildFire.
You can filter the results by
Category: Prisma Cloud Labs
to show both image and host file results.
It can take some time for the Malware status
to appear in the Host
and Image details
and the status shows as Pending until Advanced WildFire reports the verdicts.
The malware scanning happens asynchronously from the vulnerability and compliance scanning.
You can see the results of a completed agentless scan for vulnerability and compliance issues in your deployment before the Malware status
is resolved.On Linux, malware scanning checks the ELF binaries in your hosts and container images.
On Windows, malware scanning checks the binary files and shared libraries in your hosts and container images.
Given the large number of binaries found in Windows systems, malware scanning results take longer to appear than for Linux systems.
Agent-based scanning also checks your workloads for malware.
This check uses a different malware engine, and you can view the results it produces in the compliance explorer too.
Use the following compliance check ID in compliance explorer to identify malware scanning results produced by your Defenders.
- ID #422- Image contains malware
You can filter the results by
Category: Twistlock Labs
to show the detected images containing malware.