Malware detection

Malware detection refers to the process of analyzing a computer system or network for the presence of malicious software and files. Security products can identify malware by checking for signatures of known malware. Security tools can also detect malware by identifying suspicious behavior in software activity. When malware infects a system, it can modify it using various techniques to evade detection. Wazuh uses a broad-spectrum approach to counter those techniques, detecting both malicious files and abnormal patterns that indicate the presence of malware.

The Wazuh file integrity monitoring (FIM) module helps detect malicious files on monitored endpoints. On its own, the FIM module cannot determine whether a file is malicious. However, you can detect malware by combining FIM events with threat detection rules and threat intelligence sources. You can configure Wazuh to correlate FIM events with threat intelligence sources such as VirusTotal and CDB lists of file hashes, or to run YARA scans on the files that FIM reports, in order to detect malware.
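As an added illustration of the CDB-list approach described above (example code, not Wazuh's own), the script below parses a constructed hash list in Wazuh's `key:value` CDB list format and a constructed FIM alert, then performs offline the same hash lookup that a Wazuh rule performs with a `<list>` element on the `syscheck.*_after` fields. The alert shape follows the syscheck event fields Wazuh emits; the hash values and labels are placeholders.

```python
import json

# Constructed sample of a Wazuh CDB list: one "key:value" pair per line, where the
# key is a file hash and the value is a label. Wazuh compiles such a file into a
# CDB that rules query with <list field="syscheck.md5_after" ...>.
SAMPLE_CDB_LIST = """\
# hash:label  (placeholder values, not real indicators)
e99a18c428cb38d5f260853678922e03:hypothetical-dropper
098f6bcd4621d373cade4e832627b4f6:hypothetical-trojan
"""

# Constructed FIM alert, shaped like the syscheck event Wazuh emits when a file
# is added. The hashes are placeholders; note the upper-case MD5, which a lookup
# must normalize because CDB keys are matched literally.
SAMPLE_ALERT = json.dumps({
    "rule": {"id": "554", "description": "File added to the system."},
    "agent": {"id": "001", "name": "web-01"},
    "syscheck": {
        "path": "/tmp/update.bin",
        "event": "added",
        "md5_after": "098F6BCD4621D373CADE4E832627B4F6",
        "sha256_after": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    },
})


def load_cdb_list(text):
    """Parse 'key:value' lines into a dict; keys are lower-cased hex hashes."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip().lower()] = value.strip()
    return entries


def check_fim_alert(alert_json, hash_list):
    """Return (matched field, label) if a FIM alert's file hash is listed, else None."""
    alert = json.loads(alert_json)
    syscheck = alert.get("syscheck", {})
    # A deleted file carries no *_after hash, so there is nothing to match.
    if syscheck.get("event") == "deleted":
        return None
    for field in ("md5_after", "sha1_after", "sha256_after"):
        digest = syscheck.get(field, "").lower()
        if digest and digest in hash_list:
            return field, hash_list[digest]
    return None
```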

Wazuh detects rootkit behavior on monitored endpoints using the Rootcheck module. Rootcheck continuously monitors endpoints and generates alerts when it detects an anomaly. This anomaly monitoring lets Wazuh detect malware that signature-based techniques might have missed. Rootcheck also uses known signatures of rootkits and trojans to detect their presence on monitored endpoints, and users can update these rootkit signatures themselves.

The Wazuh log collection capability lets you collect logs from third-party malware detection software. Using this capability, Wazuh collects and analyzes logs from malware detection software such as Windows Defender and ClamAV.