Malware Detection in Container Images

January 30, 2023

Detect Malware in Container Images 

As organizations continue to adopt containers and Kubernetes for their applications, the need to secure these containers becomes increasingly important. Many applications are built with third-party sourced components from public image registries. Attackers are privy to the growing use of these third-party image registries, and often target them with malware, thus requiring special attention.  

At VMware, we define malware as the broad category name for harmful code used in cyberattacks that affect laptops, desktops, servers, mobile devices, and, more recently, IoT devices. Some of the most common examples of malware include:

  • Viruses 
  • Bots
  • Ransomware 
  • Cryptomine

 When using malware, attackers typically have a set target and goal in mind, and use malware as a mechanism to gain access and/or information. 

As malware continues to pose a huge risk when developing new, modern applications, organizations must scan these images for these specific types of attacks from build to run to ensure the security and integrity of their application.  

Malware Scanning with VMware Carbon Black Container 

With VMware Carbon Black Container, customers can now scan all executable files in their containerized applications to detect malicious files and malware. Just like vulnerabilities and Kubernetes workload posture, users can now scan images for malware at runtime and in the build phase through CI/CD integration. 

Users can now: 

  • Detect suspicious files in all containerized applications
  • Alert or block containers and workloads with suspicious files during CI/CD pipeline 
  • Use the image scan log to review all scan activities, including file reputation scan information for all scan types 
  • Deny workload and images affected by malware through a policy 
  • Manage a list of customer-provided hash of known malware to utilize CBC enforcement capabilities 

Increased Visibility  


Figure 1 : Updated Widgets on the Image Scanning Dashboard 

With the updated image scanning dashboard, users can analyze and detect all relevant files in a given container for the first time. This newly added malware widget enables users to quickly identify suspicious files alongside critical vulnerabilities so they can be remediated as quickly as possible. This valuable and actionable data can be viewed across teams in the VMware Carbon Black dashboard, helping to increase visibility and reduce friction.  


Figure 2: New Suspicious Files Tab with Identified Malware 

The new malware scanning capabilities allow users to easily identify the origin of the file by identifying the layer and even the command(s) that contain malware for easy resolution. TextDescription automatically generatedAs we know, it is important to catch suspicious activity as soon as possible to remediate and reduce risk. Users are now able to use the cbctl to scan containers during the build phase to detect containers with suspected or banded files and to block risky containers early in the SDLC. 

Watch the Carbon Black Container Malware Scanning Video

Additional Resources 

For more information, check out our technical release notes and the VMware Carbon Black Container page. 

Filter Tags

Securing Modern Applications MDR Blog