README
¶
_ _ _. . _ _ _ . ___ _. _ . ___
( | ) (_| |_ (_ (_) ( \_) | (/_ ( \_) |
overtly paranoid open-source malware scanner
malcontent is a malware scanner and analysis tool for high-risk environments such as CI/CD pipelines. It's goal is to reveal hitherto undiscovered malware, so it is overtly paranoid and highly prone to false positives.
malcontent offers 3 modes of operation depending on your use case:
analyze: deep analysis of a programs capabilitiesdiff: show the capability differences between two versions of a programscan: basic malware scanner
WARNING: This tool is in early development and raises more false-positives than even we would like. We're working on it :)
Features
- 15,300+ open-source YARA rules
- Analyzes binaries from almost any architecture (arm64, amd64, riscv, ppc64, sparc64), format (ELF, machO, PE),
- Analyzes programs for almost any operating system (Linux, macOS, OpenBSD, FreeBSD, Solaris, Windows)
- Analyzes scripts in almost any language (PERL, Python, shell, Javascript, Typescript, PHP)
- Transparent archive support (
.apk,.gem,.gz,.jar,.tar.gz,.tar.xz,.tar,.tgz, and.zip) and OCI archives - Multiple output formats (JSON, YAML, Markdown, Terminal)
- Includes 3rd party YARA rules from esteemed organizations such as Avast, Elastic, FireEye, Google, JP-CERT, Nextron, and others
Modes
Analyze
To analyze a program, pass the path as an argument to mal analyze. For example:
The analyze mode emits a list of capabilities that are often seen in malware, categorized by risk level. In general, CRITICAL findings should be considered malicious.
Diff
To detect unexpected capability changes, we have a diff mode. Using the 3CX Compromise as an example:
Each of the lines that beginsl with a "+" represent a newly added capability. For use in CI/CD pipelines, you may find the following flags useful:
It's worth noting that none of the "CRITICAL" findings, except for the evasnion/xor/user_agent, would have been found pre-3CX compromise. The diff mode is designed to surface subtle unexpected changes that you might not have an explatanion for, such as "why does libffmpeg.dylib need access to chown?
--format=markdown: output in markdown for use in GitHub Actions--min-file-risk=critical: only show diffs for critical-level changes--quantity-increases-risk=false: disable the heuristics that increase file criticality due to result frequency
Scan
Like other commands, you can even point this tool at a container image: mal scan --i cgr.dev/chainguard/nginx
Useful flags:
--include-data-files: Include files that are detected as non-program (binary or source) files
Installation
Container
docker pull cgr.dev/chainguard/malcontent:latest
Local
Requirements:
- go - the programming language
- pkg-config - for dependency handling, included in many UNIX distributions
- yara - the rule language
For example, to install the YARA library on Linux or macOS:
brew install yara || sudo apt install libyara-dev \
|| sudo dnf install yara-devel || sudo pacman -S yara
Install malcontent:
go install github.com/chainguard-dev/malcontent/cmd/mal@latest
Help Wanted
malcontent is an honest-to-goodness open-source project: if you are interested in contributing, check out DEVELOPMENT.md
Directories