Malware detection

Wazuh offers several capabilities that support malware detection. The following methods achieve these detections:

• Finding patterns in the endpoint that do not match expected behavior

• Integrating with VirusTotal to detect and remove malware

• Integrating with YARA to detect malware

• Using constant database (CDB) lists to detect and remove malicious files

These components of Wazuh help to comply with the following HIPAA sections:

• Security Awareness and Training §164.308(a)(5)(i) - Protection from Malicious Software: “Procedures for guarding against, detecting, and reporting malicious software.”

  This section of the HIPAA standard requires you to have procedures to detect and remove malicious software. The Wazuh malware detection capability implements this HIPAA section with the aid of out-of-the-box rules, VirusTotal and YARA integration, and the use of CDB lists. The rootcheck component of Wazuh also detects abnormal behavior in monitored endpoints. These capabilities help support this HIPAA section.

  We show a use case of how to detect a rootkit.