Twistlock Advanced Threat Protection (TATP) is a service that is included in your license subscription. Twistlock provides malware and 0-day threat information from commercial sources we have a partnership with and leverages that information to defend your estate against containers reaching out to known malware sites or writing the malware signatures.
As you can imagine, we protect cloud native environments in a way that reflects the threat models and performance requirements of our customers. We’re keen on doing this right and, for reasons we’ll explore, this makes EICAR (see below) a poor test.
A Note About EICAR
Recently, a member of our community asked about EICAR (European Institute for Computer Antivirus Research) which provides an example malware file so that anyone testing the capabilities of an anti-malware program has something safe to work with. Twistlock scanning is finely tuned for both performance and to address realistic threat models for containerized environments, while EICAR is a tool for testing comprehensive anti-malware solutions intended for deployment in desktop environments where the threat model is very different.
Effective scanning for EICAR requires byte-level scanning of files in a way that would introduce a serious performance penalty in cloud native environments without meaningfully increasing protection. The EICAR test file is an effective way to test desktop antimalware engines because it’s routinely detected but it’s effectively inert; thus, you can test malware detection without exposing your systems to the risk of using real malware.
How to Prevent Malware with Twistlock
Malware scanning, along with any vulnerability scanning or threat alerting, is a balancing act of getting the largest coverage, minimizing false positives, and being efficient.
To avoid users having to repeat scans and ensure that we are able to respond immediately in the event new malware is discovered or a vulnerability is found, Twistlock builds a bill of materials for code we scan.
We check for various things — for malware we scan the filesystem and open up archives to find files that have the appropriate magic executable bit in the header. I’m a *nix user so the detailed information I’d give is included under Wikipedia for Executable and Linkable Format.
How to Test for Malware: An Example
OK, so we’ve established that you will want to test for malware in an image or a container. Hopefully you’ve seen why EICAR isn’t a great fit for this in the container estate. Crucially, you also don’t want to expose your estate to real malware. What to do?
I’ll assume you’ve got a working Twistlock deployment with at least one Console and one Defender running. You may want to ask for a demo if you’ve not got that!
Get a shell on your Twistlock defended host and let’s fake it till we make it!
We could do this with an existing image or a myriad of other ways, but as I’m paid by the length of these blog posts, let’s create an image specially for this.
Here’s a dockerfile:
Now we can build it:
Great! Now we have an image, with Zsh on it. Let’s run that image and get an md5sum of the zsh binary (why did I pick zsh? Only because it’s something that wasn’t installed by default… other shells are available and I ain’t picking on zsh!).
OK! Let’s first check that Twistlock has scanned that image. Spoiler: it has.
There’s my image and the only compliance issue is that I didn’t create a user for it – Bad Ashley!
Let’s now identify Zsh as malware. I navigate to System >> Custom Feeds >> Malware and add that md5 in:
Immediately when we head back to Monitor >> Compliance >> Images, we can tell something isn’t right. There’s our image with some dark red on it:
Let’s click on the image and get the low down on what’s going on…
Not only do I still not have a user for that image (Bad Ashley again), but I now have another, more serious, compliance problem.
Yes! I have malware! Woo hoo! OK, so usually that would be a bad thing but it for this example it’s great news!
Yes, I’m sorry we don’t have EICAR (I’m not actually that sorry) and, frankly, it isn’t in our plans to have it in our feeds.
The above should show you how easily it is to test our malware scanning and have confidence in what we’re doing!
Twistlock Advanced Threat Protection is there for your images at build, your images at rest and your running containers. Just like everything that Twistlock does – it just works, it’s part of your subscription, and it’s easy to see in action.
Go try it! Why not pick one of these Totally_Chosen_At_Random editors?
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.