Introduction
This document provides a comprehensive understanding of the differences between Disk Scan and Malware Scan in Uptycs. Both scans serve different purposes and operate using distinct methodologies.
Malware Scan
Overview
A Malware Scan focuses exclusively on ELF (Executable and Linkable Format) files on the disk. It is a targeted scan designed to detect malware based on predefined YARA rules, which identify potential threats by matching patterns within ELF files.
What is an ELF File?
An ELF file is the standard executable file format used by Unix-like operating systems such as Linux. Unlike plain data files, ELF files contain sections for executable code, symbol tables, and linking information. Malware often disguises itself as an ELF binary, which makes ELF files a prime target for security scans.
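To make the selection step concrete, the following added example (not part of the Uptycs documentation or sensor code) decodes the ELF identification bytes that a scanner uses to tell ELF binaries apart from other files before any YARA rule is applied. The file contents are constructed inline; no real binaries are read.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_type values from the ELF specification
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
# a few common e_machine values
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes):
    """Return decoded header fields for an ELF file, or None if not ELF.

    Only e_ident, e_type and e_machine are decoded: enough to decide that
    a file is an ELF binary and which class/architecture it targets.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return None  # malformed ident: treat as not-an-ELF rather than guess
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def elf_candidates(files):
    """Filter a {path: leading_bytes} mapping down to ELF files only, which
    is the population a malware scan then matches against YARA rules."""
    found = {}
    for path, head in files.items():
        header = parse_elf_header(head)
        if header is not None:
            found[path] = header
    return found


# Constructed sample inputs (hypothetical paths, not real files): a minimal
# little-endian x86-64 executable header, a shell script, and a file that
# carries the ELF magic but an invalid EI_CLASS byte.
SAMPLE_FILES = {
    "/usr/bin/example": ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9
    + struct.pack("<HH", 2, 62) + b"\x00" * 44,
    "/usr/local/bin/run.sh": b"#!/bin/sh\necho hello\n",
    "/tmp/fake.bin": ELF_MAGIC + bytes([9, 1, 1]) + b"\x00" * 57,
}

if __name__ == "__main__":
    for path, header in elf_candidates(SAMPLE_FILES).items():
        print(path, header)
```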
How Malware Scan Works
- The scan only examines ELF files present on the disk.
- Predefined YARA rules identify malware within ELF files.
- If a match is found, an alert is triggered in the malware_scan_events table.
- Users can configure various scan parameters, including specific file paths and duration limits.
- The results of the scan are logged and can be viewed for further analysis.
Configurable Flags
Users can configure the malware scan using the following flags:
--auto_flags_update=false
--dump_scan_progress=true
--verbose_level=5
--upt_asset_malware_scan_runs=true
Setting these flags provides visibility into the ELF files where malware scans were performed and their respective statuses.
Key Features
- Faster Execution: Since the scan is limited to ELF files, it completes significantly faster than a full disk scan.
- Customizable Scope: Users can specify paths to narrow the scan focus.
- Version Support: Malware Scan is available for hosts and Kubernetes nodes running Sensor version 5.12.2.6 and higher.
- Timeout Configuration: Users can specify a duration after which the scan will be stopped.
Disk Scan
Overview
A Disk Scan is a broader scan mechanism that utilizes regular expressions (regex) to locate specific files across the entire disk. Unlike the targeted ELF-only approach of a Malware Scan, a Disk Scan inspects all file types on a system.
How Disk Scan Works
- Regex patterns are used to locate specific files.
- Identified files are sent to the osquery tables for processing.
- Results are transmitted to the Uptycs Cloud for storage and further analysis.
Results and Data Storage
- disk_scan table: Logs the status and progress of the scan.
- disk_scan_events table: Stores detailed query results, including discovered files.
Key Considerations
- Single Configuration Active: Only one Disk Scan configuration can be active at a time.
- Timeout Handling: If a scan exceeds a set timeout, the system automatically terminates it.
- Concurrency Restriction: Initiating a new scan while another is running results in rejection of the new scan request.
Prerequisites
Malware Scan
- Ensure that the endpoint is running Sensor version 5.12.2.6 or higher.
- Configure necessary scan parameters and duration settings.
Disk Scan
- Enable the --enable_disk_scan flag for relevant endpoints.
- macOS Users: Grant full disk access to Uptycs by navigating to System Preferences > Security & Privacy > Full Disk Access, then add Uptycs to the list.
Conclusion
| Aspect | Malware Scan | Disk Scan |
| --- | --- | --- |
| Scope | ELF files only, matched against YARA rules | All file types, located by regex |
| Results tables | malware_scan_events | disk_scan, disk_scan_events |
| Configuration | Can specify paths & duration | Regex-based file search (can specify paths & duration) |
| Prerequisites | Sensor version 5.12.2.6 or higher | Requires --enable_disk_scan |
Understanding these differences helps users choose the right scan type for their security needs.