Runtime Malware Scanning detects malware in containers running in your Kubernetes clusters. Unlike pre-deployment image scanning, Runtime Malware Scanning operates on the filesystem of running containers, enabling detection of malware that is downloaded at runtime or introduced through supply chain compromises after deployment.

Scan types

Runtime Malware Scanning supports two complementary scan types.
  • Scheduled scan: Periodically scans every container image deployed in the cluster on a schedule (a cron expression) set in the Container Security policy. Provides comprehensive coverage of all images against the latest malware patterns. See Enable scheduled scans.
  • Real-time scan: Monitors file system activity in running containers and scans a newly written or modified file as soon as the write event is detected. Provides immediate detection of malware introduced after deployment, such as a payload fetched by a compromised process. Enable real-time scans by deploying the Helm chart with malware scanning enabled (malwareScanning: enabled). See Enable Runtime Security and scanning features for more information.

Enable scheduled scans

The scheduled scans are configured through the Container Security policy assigned to the cluster. The scan manager creates a scan job for each unique image in the cluster, and each job extracts the image filesystem and sends files to the local malware scanner for analysis. Images are identified by their unique image ID. If the same image runs in multiple pods, it is scanned only once per cycle.
  1. Go to Container Security > Configuration > Policy.
  2. Select the policy assigned to your cluster.
  3. In the malware scanning section, enable scheduled scanning and set the desired schedule.
Note
To distribute scan load evenly, the scan manager applies a random jitter of up to 90 seconds before starting each scan job, so that the jobs do not all start at the same time and overwhelm the scanner.

Scanning logic

  • Automatic rescan: After a scan completes, the workload operator waits for a configurable rescan interval (default is 24 hours) before triggering the scan manager to create a new scan job. A rescan is also triggered when a scheduled scan fires or when the malware scanning policy is updated.
  • Image scan cache: To avoid redundant scans, the scan manager maintains an image scan cache with a 24 hour expiration. Images scanned within the past 24 hours are skipped.
  • Pattern updates: The malware scanner automatically downloads and applies new malware pattern updates from the TrendAI™ Active Update (AU) server. Updates are applied in-memory and do not require a scanner restart.
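The bookkeeping described above (one job per unique image ID regardless of how many pods run it, a 24 hour scan cache that skips recently scanned images, and a random start jitter of up to 90 seconds) can be modelled in a few lines. The following is an added illustration, not Container Security code; the pod list and the cache timestamps are constructed sample data, and the function names are my own.

```python
"""Model of the scheduled-scan dedupe, cache and jitter logic described
on this page. Added example, not the product's code; PODS and the cache
used in demo() are constructed sample data."""
import random
from datetime import datetime, timedelta, timezone

CACHE_TTL = timedelta(hours=24)   # images scanned within this window are skipped
MAX_JITTER_SECONDS = 90           # random delay applied before each job starts

# Constructed sample: pods in the cluster and the image ID each one runs.
# Two pods run the same image digest, which must yield a single scan job.
PODS = [
    {"namespace": "shop", "pod": "api-7d9f", "image": "registry.example/api@sha256:aaa111"},
    {"namespace": "shop", "pod": "api-8c2e", "image": "registry.example/api@sha256:aaa111"},
    {"namespace": "ops",  "pod": "cron-1",   "image": "registry.example/cron@sha256:bbb222"},
    {"namespace": "ops",  "pod": "debug",    "image": "registry.example/tools@sha256:ccc333"},
]


def images_to_scan(pods, cache, now):
    """Return the unique image IDs that need a scan job in this cycle.

    cache maps image ID -> datetime of the last completed scan. An image is
    skipped when that timestamp lies inside CACHE_TTL; otherwise exactly one
    job is created for it, however many pods run the image.
    """
    unique = {p["image"] for p in pods}
    due = []
    for image in sorted(unique):
        last = cache.get(image)
        if last is not None and now - last < CACHE_TTL:
            continue  # cache hit: scanned within the last 24 hours
        due.append(image)
    return due


def schedule_jobs(images, rng=random):
    """Give each job a start delay in [0, MAX_JITTER_SECONDS] seconds so the
    jobs do not all hit the scanner at once."""
    return {image: rng.uniform(0, MAX_JITTER_SECONDS) for image in images}


def demo():
    """Run the model on the constructed data; returns (due images, delays)."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    cache = {
        "registry.example/cron@sha256:bbb222": now - timedelta(hours=2),    # fresh
        "registry.example/tools@sha256:ccc333": now - timedelta(hours=30),  # expired
    }
    due = images_to_scan(PODS, cache, now)
    return due, schedule_jobs(due)


if __name__ == "__main__":
    due, delays = demo()
    for image in due:
        print(f"{image}: job starts in {delays[image]:.1f}s")
```

Running demo() produces two jobs: the api image (never scanned, and counted once although two pods run it) and the tools image (last scan older than 24 hours); the cron image is a cache hit and is skipped.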

Scan scope and excluded paths

By default, the malware scanner scans all files in the container image filesystem, excluding the following paths:
  • /proc
  • /dev
  • /sys
You can configure additional excluded paths in the Container Security policy. Excluded paths are matched by prefix — any file whose path starts with an excluded path is skipped during scanning.
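Because an excluded path is matched as a plain string prefix, an entry such as /var/cache also skips /var/cache-backdoor/x.so, not only the /var/cache directory. The following added example (not the scanner's code; the file list is constructed) applies the default exclusions plus a custom one and shows the difference a trailing slash makes. Verify the trailing-slash behaviour against your own policy before relying on it.

```python
"""Prefix-based excluded-path matching as described on this page.
Added example, not the scanner's code; SAMPLE_FILES is a constructed
listing of an image filesystem."""

DEFAULT_EXCLUDES = ("/proc", "/dev", "/sys")

# Constructed sample image filesystem listing.
SAMPLE_FILES = [
    "/usr/bin/curl",
    "/proc/1/environ",
    "/dev/shm/payload",
    "/sys/kernel/debug/x",
    "/tmp/eicar.com",
    "/var/cache/apt/pkgcache.bin",
    "/var/cache-backdoor/x.so",   # shares the string prefix "/var/cache"
]


def is_excluded(path, excludes):
    """True when path starts with any excluded prefix (plain string prefix,
    no path-component boundary check)."""
    return any(path.startswith(prefix) for prefix in excludes)


def files_to_scan(paths, extra_excludes=()):
    """Apply the default exclusions plus any policy-defined ones."""
    excludes = DEFAULT_EXCLUDES + tuple(extra_excludes)
    return [p for p in paths if not is_excluded(p, excludes)]


def demo_prefix():
    """Exclude "/var/cache": also drops "/var/cache-backdoor/..."."""
    return files_to_scan(SAMPLE_FILES, extra_excludes=["/var/cache"])


def demo_trailing_slash():
    """Exclude "/var/cache/": limited to that directory."""
    return files_to_scan(SAMPLE_FILES, extra_excludes=["/var/cache/"])


if __name__ == "__main__":
    print("excluding /var/cache :", demo_prefix())
    print("excluding /var/cache/:", demo_trailing_slash())
```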

Mitigation actions

Configure an automatic mitigation action in the malware scanning section of your Container Security policy. The following actions are available.
  • Log: Records the detection event without taking further action. This is the default setting.
  • Terminate: Automatically terminates the affected pod.
  • Isolate: Automatically isolates the affected pod from all network traffic.
    Important
    The Isolate action requires a Kubernetes network policy plugin (for example, Calico) to be installed in the cluster.
You can also respond manually from the detection details in the console by isolating, terminating, or investigating the affected pod in Workbench. See Workbench for more information.

View scan results

Malware detections are displayed in the Container Security console. Go to Log > Runtime Malware to view detections. Use the filter options to narrow results by cluster, namespace, severity, or time range.
Each detection includes the following fields.
  • Malware Name: Name of the detected malware
  • File Name: Name of the detected file
  • Object File Name: Full path of the file within the container
  • File SHA-256: SHA-256 hash of the detected file
  • Container: Affected container name and ID
  • Pod: Pod name and namespace
  • Cluster: Cluster where the detection occurred
  • Detection Time: Timestamp of the detection

Test Runtime Malware Scanning

Test Runtime Malware Scanning in your cluster using the EICAR test file, a standard and safe anti-malware test signature.
  1. Deploy a test pod that downloads the EICAR test file. The pod needs outbound HTTPS access to secure.eicar.org; if egress is blocked, the download fails and there is nothing to detect.
    kubectl run malware-test --image=busybox --restart=Never -- \
      sh -c "wget -q -O /tmp/eicar.com 'https://secure.eicar.org/eicar.com' && sleep 3600"
  2. Wait for the scan to trigger. If only scheduled scanning is configured, wait for the next scan cycle; if real-time scanning is enabled, the write to /tmp/eicar.com is detected and scanned automatically.
  3. Go to Log > Runtime Malware. Look for a detection with the malware name Eicar_test_file and verify that the file path is /tmp/eicar.com in the malware-test container.
  4. Clean up the test pod.
    kubectl delete pod malware-test
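A detection from the test above can be cross-checked offline: the File SHA-256 shown in the console must equal the hash of the 68-byte EICAR file, and the malware name and path must match the pod you deployed. The following is an added example, not part of the product; SAMPLE_DETECTION is a constructed record mirroring the fields listed under View scan results, and verify_eicar_detection is my own helper.

```python
"""Offline cross-check of a Runtime Malware detection for the EICAR test.
Added example, not product code; SAMPLE_DETECTION is constructed to mirror
the detection fields shown in the console."""
import hashlib

# The EICAR string is kept in two halves so that this source file is not
# itself flagged by an on-access scanner; joined at runtime it is the
# standard 68-byte test file.
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)

# Published SHA-256 of the 68-byte EICAR test file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes():
    """Reassemble the EICAR test file content."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_sha256():
    """SHA-256 of the EICAR test file, as the File SHA-256 field should show."""
    return hashlib.sha256(eicar_bytes()).hexdigest()


# Constructed sample detection, as the console would list it for the test pod.
SAMPLE_DETECTION = {
    "Malware Name": "Eicar_test_file",
    "File Name": "eicar.com",
    "Object File Name": "/tmp/eicar.com",
    "File SHA-256": EICAR_SHA256,
    "Container": "malware-test",
    "Pod": "default/malware-test",
}


def verify_eicar_detection(detection, expected_path="/tmp/eicar.com"):
    """Return a list of mismatches; an empty list means the detection is the
    expected EICAR hit for the test pod."""
    problems = []
    if detection.get("Malware Name") != "Eicar_test_file":
        problems.append("unexpected malware name")
    if detection.get("Object File Name") != expected_path:
        problems.append("unexpected path")
    if detection.get("File SHA-256", "").lower() != eicar_sha256():
        problems.append("hash does not match the EICAR test file")
    return problems


if __name__ == "__main__":
    print("expected EICAR SHA-256:", eicar_sha256())
    print("sample detection problems:", verify_eicar_detection(SAMPLE_DETECTION))
```

If the hash differs, the file the scanner saw is not the standard EICAR content (for example a truncated download or a file with a trailing newline added), which is worth knowing before treating the test as passed.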

XDR integration

When XDR Telemetry is enabled in the policy, malware detection events are sent to the TrendAI Vision One™ data lake, enabling cross-source correlation in Workbench and querying in the Search app.

Architecture and resources

Runtime Malware Scanning consists of the following components deployed within your cluster.
  • Workload Operator: Watches pod deployments and creates a custom resource for each unique container image in the cluster.
  • Scan Manager: Manages the scheduled scan schedule, creates malware scan jobs, monitors scan completion, and maintains the image scan cache.
  • Malware Scan Job: Short-lived job that extracts the container image filesystem and sends files to the scanner. One job is created per unique image; used by scheduled scans.
  • Scout: Runs on each worker node as a DaemonSet. Monitors file system events in running containers in real time and sends detected files to the malware scanner for immediate analysis.
  • Malware Scanner: The local scanner deployed within your cluster. Receives files from both scan jobs (scheduled scans) and Scout (real-time scans), performs malware analysis, and returns detection results. Files never leave your environment during scanning.
The malware scanner and scan jobs have the following default resource allocations.
  • Malware Scanner: requests CPU 100m, memory 1Gi; limits CPU 1, memory 2Gi
  • Malware Scan Job: requests CPU 50m, memory 64Mi; limits memory 512Mi (no CPU limit is set)
The malware scanner requires outbound HTTPS access to the following endpoints. No inbound network access is required.
  • activeupdate.trendmicro.com (port 443): Malware pattern updates
  • TrendAI Vision One™ regional endpoint (port 443): Scan result reporting, policy sync, and XDR telemetry