Malware Scanning
Detect malware and malicious files across your endpoints using YARA-based signature scanning and on-demand threat analysis.
Overview
CastellanAI includes comprehensive malware detection with two integrated features:
- Detection Rules - Manage YARA-based detection rules for signature-based malware identification
- Threat Scanner - Run on-demand scans with real-time progress monitoring and detailed results
Both features work together with threat intelligence services (VirusTotal, MalwareBazaar, AlienVault OTX) to provide comprehensive malware detection coverage.
Accessing Malware Features
The malware scanning features are available from the sidebar navigation:
- Detection Rules - Click "Detection Rules" in the sidebar to manage YARA rules
- Malware Analysis - Click "Malware Analysis" in the sidebar for on-demand scanning
Detection Rules
Rules Dashboard
Navigate to Detection Rules in the sidebar to view and manage malware detection rules.
The dashboard displays:
- Statistics Cards - Total rules, Enabled, Disabled, Valid, Invalid counts
- Rule List - All detection rules with name, category, threat level, and status
- Filters - Search and filter rules by various criteria
Rule Categories
CastellanAI organizes detection rules into these categories:
| Category | Description |
|---|---|
| Malware | General malware signatures |
| Ransomware | File encryption and ransom-demanding malware |
| Trojan | Disguised malware with hidden malicious functions |
| Backdoor | Hidden access points for attackers |
| Suspicious | Potentially malicious patterns requiring investigation |
| PUA | Potentially Unwanted Applications (adware, toolbars) |
| Exploit | Known vulnerability exploits |
| Custom | User-created custom detection rules |
Filtering Rules
Use the filter options to find specific rules:
| Filter | Options |
|---|---|
| Search | Search by rule name or description |
| Category | Filter by malware category |
| Threat Level | Critical, High, Medium, Low |
| Status | Enabled or Disabled |
Managing Rules
Click any rule to open the detail panel showing:
- Rule Name - Unique identifier for the rule
- Category - Malware type classification
- Threat Level - Severity rating
- Description - What the rule detects
- YARA Pattern - The detection signature
- Status - Whether the rule is active
Actions available:
- Enable/Disable - Toggle rule activation
- Edit - Modify rule settings (Enterprise tier)
- Delete - Remove custom rules
Importing YARA Rules
To add new detection rules:
- Click Import Rules on the Detection Rules page
- Select YARA rule files to import (supported formats: .yar, .yara, .txt)
- Review the import preview showing rule names and categories
- Click Import to add the rules
CastellanAI includes 70+ built-in detection rules. Import additional rules from community sources like the YARA-Rules repository for expanded coverage.
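As an added example (not CastellanAI's own code), the script below mimics the import preview step: it parses a constructed YARA rule file, lists each rule's name, category and threat level, and flags rules that would show up as Invalid. The `category` and `threat_level` meta keys are an assumed convention for this illustration, not a documented CastellanAI schema; the category and threat-level sets are the ones listed on this page.

```python
import re
from pathlib import Path

# Constructed sample rule file; the "category"/"threat_level" meta keys are an assumed convention.
SAMPLE_RULES = r'''
rule Suspicious_Packed_PE {
    meta:
        category = "Suspicious"
        threat_level = "Medium"
    strings:
        $mz = "MZ"
        $upx = "UPX0"
    condition:
        $mz at 0 and $upx
}
rule Bad_Category_Rule {
    meta:
        category = "Spyware"
        threat_level = "High"
    strings:
        $a = "constructed-marker"
    condition:
        $a
}
'''
SUPPORTED_EXTENSIONS = {".yar", ".yara", ".txt"}
CATEGORIES = {"Malware", "Ransomware", "Trojan", "Backdoor", "Suspicious", "PUA", "Exploit", "Custom"}
THREAT_LEVELS = {"Critical", "High", "Medium", "Low"}
# A rule header (optional private/global, name, optional tags) and its body up to a closing brace at line start.
RULE_RE = re.compile(r'(?:^|\s)(?:private\s+|global\s+)*rule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def is_supported(path):
    """Accept only the extensions the Import Rules dialog supports."""
    return Path(path).suffix.lower() in SUPPORTED_EXTENSIONS

def preview_rules(text):
    """Build the import preview: name, category, threat level and a validity flag per rule."""
    preview, seen = [], set()
    for name, body in RULE_RE.findall(text):
        # Only the meta section (before strings:/condition:) is parsed for key = "value" pairs.
        meta = dict(META_RE.findall(body.split("strings:")[0].split("condition:")[0]))
        category = meta.get("category", "Custom")
        level = meta.get("threat_level", "Medium")
        valid = ("condition:" in body and category in CATEGORIES
                 and level in THREAT_LEVELS and name not in seen)
        seen.add(name)
        preview.append({"name": name, "category": category, "threat_level": level, "valid": valid})
    return preview
```

Running `preview_rules(SAMPLE_RULES)` marks the first rule valid and the second invalid because "Spyware" is not one of the categories on this page; importing the same file twice would also flag the repeated rule names.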
Threat Scanner
Scanner Dashboard
Navigate to Malware Analysis in the sidebar to access the threat scanner.
The scanner provides:
- Quick Scan - Fast scan of common threat locations
- Full Scan - Comprehensive scan of all monitored paths
- Scan History - View past scans with detailed results
Running a Scan
- Click Quick Scan or Full Scan depending on your needs
- Watch the real-time progress bar and statistics
- View results when the scan completes
During scanning, you'll see:
- Progress - Percentage and files scanned
- Files Processed - Total files examined
- Threats Found - Detections as they're discovered
- Scan Duration - Elapsed time
Scans report progress in real time over a SignalR connection. Keep the dashboard open to monitor progress; you will receive notifications when threats are detected.
Scan Types
| Scan Type | Coverage | Use When |
|---|---|---|
| Quick Scan | Common threat locations, running processes | Daily monitoring, quick checks |
| Full Scan | All monitored file systems | Weekly deep analysis, post-incident |
| Directory Scan | Specific folder and subfolders | Targeted investigation |
| File Scan | Individual file | Suspicious file analysis |
Understanding Scan Results
When a scan completes, the results show:
- Summary Statistics - Total files, threats found, scan duration
- Threat Breakdown - Count by severity (Critical, High, Medium, Low)
- Detection List - Each threat with name, path, and classification
- MITRE ATT&CK Mapping - Attack technique classifications
Scan History
View past scans and their results:
- Scroll down on the Malware Analysis page
- Use filters to find specific scans:
  - Scan Type - QuickScan, FullScan, DirectoryScan, FileScan
  - Status - Completed, Running, Failed
  - Risk Level - Filter by highest severity found
- Click any scan to view full details
Responding to Detections
Threat Levels
| Threat Level | Risk | Recommended Action |
|---|---|---|
| Critical | Severe - Active threat | Isolate device immediately, escalate to security team |
| High | Significant risk | Quarantine file, investigate device, check for spread |
| Medium | Moderate concern | Review detection, quarantine if confirmed |
| Low | Minor risk | Monitor for recurrence, may be false positive |
Taking Action
When malware is detected:
- Review the detection - Check file details and threat description
- Assess the risk - Consider threat level and affected systems
- Quarantine if needed - Isolate suspicious files to prevent execution
- Investigate spread - Check if malware is present on other devices
- Remediate - Remove threats and close attack vectors
- Document - Record findings for compliance and learning
See Taking Action for detailed response procedures.
Threat Intelligence Integration
Malware scanning integrates with multiple threat intelligence sources:
| Source | Capability |
|---|---|
| VirusTotal | 70+ antivirus engine results for file hashes |
| MalwareBazaar | Known malware samples database |
| AlienVault OTX | Community threat intelligence and IOCs |
When threats are detected, CastellanAI automatically enriches findings with intelligence from these sources, providing:
- Multi-vendor detection consensus
- Known malware family identification
- Related indicators of compromise (IOCs)
- Historical detection data
Handling False Positives
If a legitimate file is incorrectly flagged:
- Review the detection details thoroughly
- Check the file against VirusTotal (linked in detection details)
- If confirmed safe:
  - Mark as False Positive in the dashboard
  - Optionally disable the specific rule
  - Report to improve detection accuracy
See False Positives for detailed guidance.
Best Practices
- Run regular scans - Schedule full scans weekly, quick scans daily
- Keep rules updated - Enable automatic rule updates
- Don't ignore low severity - Low-rated threats may indicate larger issues
- Quarantine before deleting - Allows recovery if it's a false positive
- Check for lateral movement - Scan related systems when threats are found
- Use threat intelligence - Review enrichment data for context
What's Next?
- Threat Detection - Learn about all detection methods
- MITRE ATT&CK - Understanding threat classifications
- Taking Action - Response procedures for threats
- False Positives - Managing incorrect detections