How to validate Prisma Cloud Compute malware detection during file downloads and image scans.

Created On 12/16/22 04:17 AM - Last Modified 02/13/26 22:04 PM


Objective


This document provides step-by-step instructions for testing Prisma Cloud Compute's malware protection. It covers: 

  • Runtime malware interception during file acquisition/download. 
  • Malware detection during Image Scan.


Environment


  • Prisma Cloud Compute  (Enterprise and Self Hosted)
  • Image Scan
  • Malware Detection

Procedure


Malware Download testing

The best way to check that the runtime policy and vulnerability policy are properly configured to detect a malware download is to follow the steps below. This is also documented in the Detect Malware in Runtime section.

1. Log in to the Linux container in which you want to download the test malware.

docker exec -it alphinetestcontainer sh

2. Download an ELF test malware file using one of the commands below.

# wget https://cdn.twistlock.com/docs/attachments/evil

Or 

# curl -JO "https://cdn.twistlock.com/docs/attachments/evil"


3. This should generate an event under Monitor > Events > Container Audits.

[Screenshot: eventsContainerAudit.png]

4. It should also show up under Monitor > Runtime > Incident Explorer > Active Incidents.

[Screenshot: Runtimeincident.png]

Malware in the Image Scan

Since we don't have access to actual malware executables, we are going to use zsh or sh, which is either pre-installed on the Linux container or can be installed. We register the MD5 hash of one of these executables as a malware signature and then check the vulnerability results to confirm that the image scan detects it.

1. Log in to an existing container

docker exec -it alphinetestcontainer sh

2. Find the MD5 checksum of the installed executable.
"sh" is the executable we are going to use in this example.

# md5sum /bin/sh
914ec4a319862a28b836ceff711d27ca  /bin/sh

3. Add this hash value as a malware signature under
Manage > System > Custom Feeds > Malware signatures > Add MD5

[Screenshot: AddSignature.png]

4. Now check Monitor > Vulnerability > Select the image > Compliance

[Screenshot: VulnerabilityMalware.png]
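As an added example that is not part of this article, the following POSIX shell helpers produce the MD5 in the form the Custom Feeds page expects and confirm that a signature list actually matches the binary inside the container (the image scan hashes the file in the image, not the host's copy). The container and file names are placeholders.

```shell
#!/bin/sh
# Added helper, not from the KB article. Assumes md5sum, awk, grep and docker
# are on PATH; container and file names are placeholders.

# md5_of FILE -> prints the 32-character hex MD5 digest (first column of md5sum).
# md5sum reads through symlinks, so /bin/sh -> busybox on Alpine hashes busybox.
md5_of() {
  md5sum "$1" | awk '{print $1}'
}

# is_md5 STRING -> exit 0 if STRING is a well-formed MD5 digest, else 1.
# Use before pasting a value into Custom Feeds > Malware signatures > Add MD5.
is_md5() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# md5_in_container CONTAINER FILE -> MD5 of FILE as seen inside the container.
# This is the value to register; hashing the host's /bin/sh gives a different digest.
md5_in_container() {
  docker exec "$1" md5sum "$2" | awk '{print $1}'
}

# signature_matches FILE SIGFILE -> exit 0 if FILE's MD5 appears in SIGFILE
# (one digest per line, any case), else 1. A signature only fires on an exact
# digest, so a different shell build or base image will not match.
signature_matches() {
  digest=$(md5_of "$1" | tr 'A-F' 'a-f')
  tr 'A-F' 'a-f' < "$2" | grep -qx "$digest"
}
```

Run `md5_in_container alphinetestcontainer /bin/sh` to get the digest to register, then `signature_matches` against a copy of your signature list to confirm the entry will hit.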



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sa9vCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail