How to validate Prisma Cloud Compute malware detection during file downloads and image scans.
Objective
This document provides step-by-step instructions for testing Prisma Cloud Compute's malware protection. It covers:
- Runtime malware interception during file acquisition/download.
- Malware detection during Image Scan.
Environment
- Prisma Cloud Compute (Enterprise and Self Hosted)
- Image Scan
- Malware Detection
Procedure
Malware Download testing
The best way to check whether the runtime policy and vulnerability policy are properly configured to detect a malware download is to follow the steps below. This is also documented in the Detect Malware in Runtime section.
1. Log in to the Linux container in which you want to download the test malware.
docker exec -it alphinetestcontainer sh
2. Download the ELF test malware file using one of the commands below.
# wget https://cdn.twistlock.com/docs/attachments/evil
or
# curl -JO "https://cdn.twistlock.com/docs/attachments/evil"
3. This should generate an event under Monitor > Events > Container Audits.
4. It should also appear under Monitor > Runtime > Incident Explorer > Active Incidents.
Malware in the Image Scan
Since we do not have access to actual malware executables, we are going to use zsh or sh, which is either already present on the Linux container or can be installed there.
By registering the MD5 hash of one of these executables as a custom malware signature, the scanner classifies it as malware, and we can then check the vulnerability results for the image to confirm that it is detected.
1. Log in to an existing container.
docker exec -it alphinetestcontainer sh
2. Find the MD5 checksum of the installed executable.
"sh" is the executable we are going to use in this example.
# md5sum /bin/sh
914ec4a319862a28b836ceff711d27ca /bin/sh
3. Configure this hash value as a malware signature under
Manage > System > Custom Feeds > Malware signatures > Add MD5
4. Now check Monitor > Vulnerability > select the image > Compliance.
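The image-scan check above works because the scanner compares the MD5 of every executable in the image against the custom feed. The following added example (not part of the Prisma Cloud documentation) reproduces that matching locally on constructed files, so you can predict which files a given signature will flag before adding it under Custom Feeds; it assumes POSIX sh with md5sum, find and awk available.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud documentation: a local dry run of
# the MD5 signature matching that the image scan performs once a hash has been
# added under Manage > System > Custom Feeds > Malware signatures.
# Assumes POSIX sh plus md5sum, find and awk (GNU coreutils on Linux).

# Write a constructed signature feed: one MD5 per line followed by a label.
#   $1 = feed file to create, remaining args = files to register as "malware"
make_feed() {
    feed="$1"; shift
    : > "$feed"
    for f in "$@"; do
        md5sum "$f" | awk -v name="$f" '{ print $1, "custom-feed", name }' >> "$feed"
    done
}

# Hash every regular file below a root and print "<md5> <path>" for each file
# whose hash is listed in the feed, mirroring what the scanner reports.
#   $1 = feed file, $2 = root directory (e.g. an unpacked image layer)
scan_dir() {
    feed="$1"; root="$2"
    find "$root" -type f 2>/dev/null | while IFS= read -r path; do
        h=$(md5sum "$path" | awk '{ print $1 }')
        if grep -qi "^$h " "$feed"; then
            printf '%s %s\n' "$h" "$path"
        fi
    done
}

# Number of files flagged; a non-zero value is what the validation expects.
count_matches() {
    scan_dir "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration on constructed files (not real malware).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'fake busybox shell\n' > "$tmp/bin/sh"   # stands in for /bin/sh
    printf 'harmless data\n' > "$tmp/notes.txt"     # should not be flagged
    make_feed "$tmp/feed.txt" "$tmp/bin/sh"        # step 2-3 of the procedure
    scan_dir "$tmp/feed.txt" "$tmp"                # prints only bin/sh
    rm -rf "$tmp"
}
```

Run `demo` to see the single constructed hit; point scan_dir at an unpacked image filesystem to preview what the scan will report for a real feed.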