Sandfly Linux File Entropy Scanner Updated
Our entropy scanner sandfly-filescan has been updated and renamed to sandfly-entropyscan and now features Linux process scanning to help quickly spot packed and encrypted malware.
You can get it here:
Entropy scanning estimates whether a file is packed or encrypted by measuring how random its bytes look. On Linux this matters because much malware packs or encrypts itself to evade signature-based file scanners. The more random the data in the file appears, the more likely it has been compressed or encrypted to hide what it is doing.
Sandfly's file entropy scanning tool was first released in 2019 and proved simple and highly effective at finding malicious files on Linux. Within two weeks of being released we saw malware in the wild making a very poor attempt to try to disable it that continues even to this day. The tactic didn't work well, but at least we knew we were hitting the right buttons by causing malware authors to respond.
Linux Process Entropy Scanning
This update builds on the original version but adds an important new capability: it can now measure the entropy of every running Linux process.
That means packed or encrypted binaries that are currently running on your system, which are likely malicious, can be found quickly.
The entropy measure runs from 0.0 (not random at all) to 8.0 (perfectly random). Any file scoring above about 7.7 is likely packed or encrypted. Legitimately compressed data such as archives, images and already-encrypted files also scores this high, so treat a hit as a lead to investigate rather than proof of malware. Here is an example of flagging a suspicious process packed with UPX, which has an entropy of 7.7 or above:
./sandfly-entropyscan -proc -entropy 7.7
Above we see PID 3462702 has a very suspicious high entropy and should be investigated.
As a bonus, this tool also includes "PID busting" to detect processes hidden by certain types of Loadable Kernel Module (LKM) stealth rootkits: rather than trusting a directory listing of /proc, it walks the whole PID range and checks each PID directly, so a process filtered out of the listing still shows up. As before, the tool is also not affected by LD_PRELOAD style rootkits trying to hide.
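As an added example (not the sandfly-entropyscan source), the following Go program shows the two ideas behind this update: the Shannon entropy measure on the 0.0 to 8.0 scale described above, and a process scan that tries every PID under /proc by path instead of trusting a directory listing, which is the basis of PID busting. The function names, the procRoot parameter and the 7.7 default threshold are assumptions made for illustration; to read other users' /proc/PID/exe images it has to run as root on Linux.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// ShannonEntropy returns the byte-level Shannon entropy of data in bits per
// byte: 0.0 for constant data, 8.0 when all 256 byte values are equally common.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	var h float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ProcHit is one process whose executable image met the entropy threshold.
type ProcHit struct {
	PID     int
	Entropy float64
	Hidden  bool // PID opened fine but was missing from the directory listing
}

// listedPIDs returns the numeric entries a plain directory listing of procRoot
// reports. A rootkit that filters getdents() results can make this list lie.
func listedPIDs(procRoot string) (map[int]bool, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	seen := make(map[int]bool)
	for _, e := range entries {
		if pid, err := strconv.Atoi(e.Name()); err == nil {
			seen[pid] = true
		}
	}
	return seen, nil
}

// ScanProcs tries every PID from 1 to pidMax by path ("PID busting") instead of
// trusting the listing, reads each PID's exe image straight from the kernel and
// reports images at or above threshold. procRoot is normally "/proc"; it is a
// parameter (assumption) so the scan can be pointed at a constructed tree.
func ScanProcs(procRoot string, pidMax int, threshold float64) ([]ProcHit, error) {
	listed, err := listedPIDs(procRoot)
	if err != nil {
		return nil, err
	}
	var hits []ProcHit
	for pid := 1; pid <= pidMax; pid++ {
		exe := filepath.Join(procRoot, strconv.Itoa(pid), "exe")
		data, err := os.ReadFile(exe)
		if err != nil {
			continue // no such PID, kernel thread with no image, or no permission
		}
		if e := ShannonEntropy(data); e >= threshold {
			hits = append(hits, ProcHit{PID: pid, Entropy: e, Hidden: !listed[pid]})
		}
	}
	return hits, nil
}

func main() {
	// Rough equivalent of "sandfly-entropyscan -proc -entropy 7.7"; run as root.
	limit := 32768 // historical kernel default, used if pid_max is unreadable
	if raw, err := os.ReadFile("/proc/sys/kernel/pid_max"); err == nil {
		if n, err := strconv.Atoi(strings.TrimSpace(string(raw))); err == nil && n > 0 {
			limit = n
		}
	}
	hits, err := ScanProcs("/proc", limit, 7.7)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	fmt.Println("pid,entropy,hidden")
	for _, h := range hits {
		fmt.Printf("%d,%.2f,%t\n", h.PID, h.Entropy, h.Hidden)
	}
}
```

Reading /proc/PID/exe by path rather than following the listing is what makes the Hidden flag meaningful: an LKM rootkit that only filters directory entries still has to answer a direct open of the PID's directory. A kernel thread has no exe image and a non-root scan gets EACCES on other users' processes, so both are skipped silently; on a real host you would want to log those skips rather than ignore them.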
This update also allows you to customize the delimiter for CSV output from the default "," to one of your choosing. We also updated the docs and fixed some minor bugs.
Entropy Scanning with a Free License
Our full agentless Linux security product features entropy scanning for suspicious processes and files along with thousands of other potential threats against your Linux systems. We can check your systems instantly without needing to deploy any endpoint agents. If our entropy scanner has helped you, take a look at our free license at the link below to see what else we can find: