Validating suspicious files


Our Defense Robot module proactively looks for backdoors and malware on the server.
However, the file signatures generated by the Defense Robot are in the validating state by default. This means that files matching these signatures are only logged, not quarantined, to avoid acting on false positives.

With the signature validating feature you can transition these signatures to the published state.
All files matching a published signature will be quarantined on every server under your account.

How to validate file signatures?

  1. You can reach the signature validating feature from the Dashboard under the Anti-Malware menu point, in the Overview section.
  2. Click on the “Validate suspicious signatures” button.
  3. Decide whether the file is malware based on its content.
  4. With the buttons under the view panel, you can
    1. Publish the signature with the “This is a Malware” button
    2. Skip the file with the “Not sure” button
    3. Allow list the file with the “Not a malware” button

Under the view panel, you can see how many files match the signature generated from the file displayed above.

The name of the signature is visible above the file’s source code:

  • File./home/domain/malware.php: Manually generated signature
  • DefenseRobot./home/domain/malware.php: The Malware signature was created by the Defense Robot module.
  • CaptchaHttp./home/domain/malware.php: The file was uploaded to our captcha page by some bot.

You can also reach this feature from the Anti-malware/Local malware signatures menu point by clicking the “Start validation process” button.

Upload malware

You can also upload files from the Dashboard to generate a malware signature. Click on the “+ Add new Malware” button at the top right of the Local malware signatures menu. The signature will be in the validating state, and within 5 minutes the signature ID and the number of matching files on your servers will be displayed in the Table of malware signatures.

In case of accidental validation or discarding

You can also discard accidentally validated signatures from the Local malware signatures menu point: find the signature and click on the trash bin icon to its left. To find the signature, filter by status for “published”.

If you accidentally clicked on the “Not a malware” button, you can recycle the signature so it can be validated afterward. Just filter by status for “discarded”.

In case of accidental validation or discarding (CLI)

If you have mistakenly clicked on the “This is a malware” button, you can restore and allow list the files matching the signature from the BitNinja CLI with the following command:
bitninjacli --restore=/path/to/file
By default, the quarantined files that you can restore are located in the BitNinja quarantine folder, /var/lib/bitninja/quarantine.
If you don’t know the original location of the file, you can list all published signatures, including their original locations, with this command:
bitninjacli --module=MalwareDetection --list-signatures --state=published
You can also use the file’s signature ID to discard the published signature:
bitninjacli --module=MalwareDetection --discard-signature --id=<signature ID>

If you have clicked the “Not a malware” button by accident, you will need to find the file’s signature ID from the BitNinja CLI and change the signature’s status. First, list the allow-listed signatures:
bitninjacli --module=MalwareDetection --list-signatures --list=white
Note the ID of the signature you need from this list.
Then issue this command with the signature ID included:
bitninjacli --module=MalwareDetection --publish-signature --id=<signature ID>
