Malware Scanning
Detect malware and malicious files across your endpoints using YARA-based signature scanning and on-demand threat analysis.
CastellanAI combines YARA signature scanning with threat intelligence from VirusTotal, MalwareBazaar, and AlienVault OTX.
Overview
CastellanAI includes comprehensive malware detection with two integrated features:
| Feature | Description |
|---|---|
| Detection Rules | YARA-based detection rules for signature matching |
| Threat Scanner | On-demand scans with real-time progress monitoring |
Detection Rules
Rules Dashboard
Navigate to Detection Rules in the sidebar to view and manage malware detection rules.
| Dashboard Element | Description |
|---|---|
| Statistics Cards | Total, Enabled, Disabled, Valid, Invalid counts |
| Rule List | All rules with name, category, threat level, status |
| Filters | Search and filter rules by various criteria |
Rule Categories
- 🦠 Malware
- ⚠️ Suspicious
Malware Categories
| Category | Description |
|---|---|
| Malware | General malware signatures |
| Ransomware | File encryption and ransom-demanding malware |
| Trojan | Disguised malware with hidden malicious functions |
| Backdoor | Hidden access points for attackers |
Ransomware detections are always marked as Critical and trigger immediate alerts.
Suspicious & PUA
| Category | Description |
|---|---|
| Suspicious | Potentially malicious patterns requiring investigation |
| PUA | Potentially Unwanted Applications (adware, toolbars) |
| Exploit | Known vulnerability exploits |
| Custom | User-created custom detection rules |
Filtering Rules
| Filter | Options |
|---|---|
| Search | Search by rule name or description |
| Category | Filter by malware category |
| Threat Level | Critical, High, Medium, Low |
| Status | Enabled or Disabled |
📥 Importing YARA Rules
- Click Import Rules in the Detection Rules page
- Select YARA rule files (.yar, .yara, .txt)
- Review the import preview
- Click Import to add the rules
CastellanAI includes 70+ built-in rules. Import additional rules from the YARA-Rules repository for expanded coverage.
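As an added illustration (not CastellanAI's own code), the following Python reads a constructed YARA rule file, pulls out the fields the Rules Dashboard lists (name, category, threat level), marks rules with no `condition:` section as invalid, applies the page's "ransomware is always Critical" rule, and derives the Total/Valid/Invalid counts. The `category` and `threat_level` meta field names are an assumed convention, not the product's documented format.

```python
"""Minimal YARA rule-file inspector (added example, not CastellanAI code).
The `category` and `threat_level` meta fields are an assumed convention."""
import re

# Constructed sample rule file: two well-formed rules, one with no condition.
SAMPLE_RULES = r'''rule Ransom_Note_Dropper {
    meta:
        category = "Ransomware"
        threat_level = "High"
    strings:
        $note = "YOUR FILES HAVE BEEN ENCRYPTED" ascii wide nocase
    condition:
        $note
}
rule PUA_Toolbar_Installer {
    meta:
        category = "PUA"
        threat_level = "Low"
    strings:
        $s = "ToolbarInstaller" ascii
    condition:
        $s
}
rule Broken_Rule {
    meta:
        category = "Suspicious"
    strings:
        $x = "placeholder"
}'''

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\n\}', re.S)   # name + body
META_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')              # key = "value"

def parse_rules(text):
    """Return one dict per rule: name, category, threat_level, valid."""
    rules = []
    for name, body in RULE_RE.findall(text):
        # Read only the meta: section so string definitions are not taken as meta
        meta_part = body.split("meta:", 1)[1] if "meta:" in body else ""
        meta = dict(META_RE.findall(re.split(r"strings:|condition:", meta_part)[0]))
        level = meta.get("threat_level", "Medium")
        if meta.get("category") == "Ransomware":
            level = "Critical"  # ransomware is always Critical, as the page states
        rules.append({"name": name, "category": meta.get("category", "Custom"),
                      "threat_level": level, "valid": "condition:" in body})
    return rules

def dashboard_stats(rules):
    """Total / Valid / Invalid counts, like the Statistics Cards."""
    valid = sum(r["valid"] for r in rules)
    return {"total": len(rules), "valid": valid, "invalid": len(rules) - valid}
```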
Threat Scanner
Scanner Dashboard
Navigate to Malware Analysis in the sidebar to access the threat scanner.
Scan Types
- ⚡ Quick Scan
- 🔍 Full Scan
- 📁 Directory Scan
- 📄 File Scan
Quick Scan
Coverage: Common threat locations, running processes
Use When:
- Daily monitoring
- Quick security checks
- After suspicious activity
Full Scan
Coverage: All monitored file systems
Use When:
- Weekly deep analysis
- Post-incident investigation
- Compliance audits
Directory Scan
Coverage: Specific folder and subfolders
Use When:
- Targeted investigation
- Checking downloaded files
- Scanning specific paths
File Scan
Coverage: Individual file
Use When:
- Suspicious file analysis
- Verifying specific files
- Upload analysis
Running a Scan
- Click the appropriate scan type button
- Watch real-time progress:
| Metric | Description |
|---|---|
| Progress | Percentage and files scanned |
| Files Processed | Total files examined |
| Threats Found | Detections as discovered |
| Scan Duration | Elapsed time |
Scans run via SignalR connection. Keep the dashboard open to monitor progress and receive immediate threat notifications.
Understanding Scan Results
Results Summary
| Element | Description |
|---|---|
| Summary Statistics | Total files, threats found, scan duration |
| Threat Breakdown | Count by severity (Critical, High, Medium, Low) |
| Detection List | Each threat with name, path, classification |
| MITRE ATT&CK Mapping | Attack technique classifications |
Scan History
Filter past scans by:
- Scan Type - QuickScan, FullScan, DirectoryScan, FileScan
- Status - Completed, Running, Failed
- Risk Level - Filter by highest severity found
Responding to Detections
- 🔴 Critical
- 🟠 High
- 🟡 Medium
- 🟢 Low
Critical Threat Level
Risk: Severe - Active threat
Recommended Action:
- Isolate device immediately
- Escalate to security team
- Block network access
Critical threats indicate active malware that may be spreading or causing damage.
High Threat Level
Risk: Significant risk
Recommended Action:
- Quarantine file immediately
- Investigate device thoroughly
- Check for spread to other systems
Medium Threat Level
Risk: Moderate concern
Recommended Action:
- Review detection details
- Quarantine if confirmed malicious
- Monitor for related activity
Low Threat Level
Risk: Minor risk
Recommended Action:
- Monitor for recurrence
- May be false positive
- Review in context of other activity
Response Workflow
Threat Intelligence Integration
| Source | Capability |
|---|---|
| VirusTotal | 70+ antivirus engine results for file hashes |
| MalwareBazaar | Known malware samples database |
| AlienVault OTX | Community threat intelligence and IOCs |
When threats are detected, CastellanAI automatically enriches findings with:
- Multi-vendor detection consensus
- Known malware family identification
- Related indicators of compromise (IOCs)
- Historical detection data
Handling False Positives
🔧 False Positive Workflow
If a legitimate file is incorrectly flagged:
- Review the detection details thoroughly
- Check the file against VirusTotal (linked in detection details)
- If confirmed safe:
  - Mark as False Positive in the dashboard
  - Optionally disable the specific rule
  - Report to improve detection accuracy
See False Positives for detailed guidance.
Best Practices
| Do | Don't |
|---|---|
| Run quick scans daily | Ignore low-severity detections |
| Run full scans weekly | Delete files without quarantine first |
| Keep rules updated | Skip checking related systems |
| Use threat intelligence context | Act without reviewing detection details |
| Quarantine before deleting | Disable rules without investigation |
What's Next?
| Guide | Description |
|---|---|
| Threat Detection | Learn about all detection methods |
| MITRE ATT&CK | Understanding threat classifications |
| Taking Action | Response procedures for threats |
| False Positives | Managing incorrect detections |