Following the announcement of the beta of the Red Hat Insights malware detection service in August, we are pleased to announce that this service is now generally available. The malware detection service is a monitoring and assessment tool that scans Red Hat Enterprise Linux (RHEL) systems for the presence of malware, utilizing over 180 signatures of known Linux malware provided in partnership with the IBM X-Force Threat Intelligence team. The Insights analysis provides:
- The list of signatures scanned against your RHEL systems, with links to reference information and analysis reports
- Results for individual system scans and aggregated results for all of your RHEL systems
As part of Insights, malware detection is included in your RHEL subscription. Malware detection supports RHEL 8 and 9 hosts.
To scan your RHEL systems for potential malware, please follow our getting started guide. For RHEL 8 and 9 hosts that are already registered to Insights, you will need to install the YARA scanning tool, provided in RHEL 8 and 9 appstream repositories, and run your first scan:
$ sudo dnf install yara
$ sudo dnf insights-client --collector malware-detection
When the initial test scan completes successfully, you will be prompted to configure your system for a full scan and set options that control the parameters of that scan, such as which file directories are included or excluded. After your first full scan, you can view the results in Insights malware detection. Subsequent scans will need to be run manually, scheduled using a tool like cron, or automated with a Red Hat Ansible Automation Platform playbook.
Please note: Due to the potentially sensitive nature of this information, only Organizational Admins have default access to the results by default. All other users must first be given access to the service, as detailed in section 2.2. of the Insights malware detection guide.
Interpreting the results
In most cases, scans for potential malware threats on your secure RHEL hosts will result in no matches. In the event that potential malware signature matches are found on your systems, you will see a screen like the one below.
Clicking on a signature name will take you to a page that shows the details about the signature, the number of systems that were matched, and details about when and where the matches were found.
What you do next will depend on the capabilities and needs of your organization. For example, you might have an existing playbook or information security team to consult. If you do not have access to those resources and are uncertain on how to proceed, there are a number of vendors who can provide these services, including the IBM X-Force Incident Response team. Please note: Red Hat does not provide threat response services or consultation.
Additional malware signature information
Each of the over 180 signatures of known Linux malware in Insights malware detection includes additional information, such as the type, category and how it is used. Many of the signatures include links to IBM X-Force analysis reports and additional background information on how the malware was initially identified.
Any feedback about the new malware detection service can be sent to us using the Feedback button inside of Insights—you can see it in the above screenshot on the lower right hand side of the page. Please give the Insights malware detection service a try soon!