Skip to main content

Malware Scanning

Contextal Platform can gather information from third-party malware scanners and use it in scenarios, what allows for more flexible control over the detections.

info

Contextal Platform includes integration with ClamAV and can be also connected with other third-party solutions through a dedicated interface.

There are two types of malware-related symbols:

  • INFECTED: This is a generic symbol applied whenever at least one detection is made (only one such symbol may be set per object).
  • INFECTED-SCANNER_NAME-DETECTION_NAME: This detailed symbol provides specific information about the malware scanner used (SCANNER_NAME) and the detection name it reported (DETECTION_NAME).

The detailed symbols enable precise detections, allow the combination of multiple scanner results or the exclusion of specific ones. They can also be used alongside object metadata in ContexQL queries, offering granular control over how malware detections are processed and acted upon.

tip

The ClamAV engine used within Contextal Platform has been specially configured, with many of its default internal data processors disabled and replaced by the platform's own advanced equivalents. This enhances security significantly, as Contextal Platform's processors are primarily written in Rust. Additionally, all of them are isolated within dedicated containers, adding an extra layer of protection against potential vulnerabilities.

By integrating ClamAV in this modular way, performance is also improved: unlike traditional single-process antivirus scanners, Contextal's containerized data processors can scale horizontally in high-load environments, ensuring fast and efficient analysis even under pressure.