Sandfly Linux File Entropy Scanner Updated

Malware Linux Security Linux Forensics

June 30, 2022
The Sandfly Security Team

Our entropy scanner sandfly-filescan has been updated and renamed to sandfly-entropyscan and now features Linux process scanning to help quickly spot packed and encrypted malware.

You can get it here:

Entropy scanning is a way to calculate if a file is packed or encrypted by seeing how random it appears. On Linux this is a particular concern as many pieces of malware pack or encrypt themselves to avoid detection from signature based file scanners. The more random the data in the file appears, the more likely it has been compressed or encrypted to make it harder to see what it is doing.

Sandfly's file entropy scanning tool was first released in 2019 and proved simple and highly effective at finding malicious files on Linux. Within two weeks of being released we saw malware in the wild making a very poor attempt to try to disable it that continues even to this day. The tactic didn't work well, but at least we knew we were hitting the right buttons by causing malware authors to respond.

Linux Process Entropy Scanning

This update builds on the original version but adds an important new one: We can now scan entropy of all running Linux processes.

This new feature means we can quickly find packed/encrypted binaries that may be running on your system which are likely malicious.

The measure of entropy will be between 0.0 (not random) and 8.0 (perfectly random). Any file above about 7.7 is likely packed or encrypted due to very high entropy. Here is an example of flagging a suspicious process packed with UPX and has a high entropy of 7.7 or above:

./sandfly-entropyscan -proc -entropy 7.7
path: /proc/3462702/exe
entropy: 7.72
elf: true
md5: 72324c2084be24413a726390a0f6f04a
sha1: f6279ee3dd1a95ad7cfb2df175117589e54bd35c
sha256: 7630bcd840f6cd42a33ee90f2ef5d5001a7578c313cdbb412cbcd219b1b70246
sha512: 0faea838854195223eac73c56ad1ab7977eaccea78c52db7dfb7aa03dfb9589acf4770490d159bdaa7485eeb4f832d3a923511475e70e61bc55b642f89dd4c25

Above we see PID 3462702 has a very suspicious high entropy and should be investigated.

As a bonus, this tool also includes "PID Busting" to detect processes that may be hidden by certain types of Loadable Kernel Module (LKM) stealth rootkits. Additionally just like before, this tool is not affected by LD_PRELOAD style rootkits trying to hide either.

Other Updates

This update also allows you to customize the delimiter for CSV output from the default "," to one of your choosing. We also updated the docs and fixed some minor bugs.

Entropy Scanning with a Free License

Our full agentless Linux security product features entropy scanning for suspicious processes and files along with thousands of other potential threats against your Linux systems. We can check your systems instantly without needing to deploy any endpoint agents. If our entropy scanner has helped you, take a look at our free license at the link below to see what else we can find:

Get Sandfly

Let Sandfly keep your Linux systems secure.

Learn More