malware-triage

Malware Triage

Deliberately on-demand, not resident — the community consensus is that resident third-party AV on macOS adds privileged attack surface for little gain. This skill is for triaging a specific suspect: a download, an unsigned binary, an app you don't recognize, or files you're relaying to Windows users.

Preflight

bash ${CLAUDE_PLUGIN_ROOT}/bin/install-tools.sh   # confirms clamav, yara, capa, vt
freshclam        # update ClamAV signatures (first run)
vt init          # store free VirusTotal key (one-time)

Run

bash ${CLAUDE_PLUGIN_ROOT}/skills/malware-triage/scripts/triage.sh <path> [yara_rules_dir]

Runs all layers below against one target, static-only (never executes it). Or run the individual commands for finer control.

Procedure (layer the tools; cheap → deep)

1. Code signature + Gatekeeper (built-in, instant, no install):

   codesign -dvvv --verbose=4 "$TARGET" 2>&1
   spctl -a -vv "$TARGET" 2>&1            # Gatekeeper assessment
   xattr -l "$TARGET"                     # quarantine / provenance
   

   Unsigned + quarantined + unknown developer = elevate scrutiny.
2. Reputation by hash (fast, authoritative):

   shasum -a 256 "$TARGET"
   vt file <sha256> --format json         # VirusTotal detection ratio
   

3. Signature scan:

   clamscan -r -i "$TARGET"               # exit 0 clean / 1 found / 2 error
   

4. IOC / family rules (point at a macOS YARA rule set):

   yara -r "$RULES_DIR" "$TARGET"
   

5. Capability analysis (what it can do) — format-aware; triage.sh picks the path:
   • Mach-O (capa does NOT support Mach-O): native signals —

     codesign -d --entitlements - "$TARGET"   # declared capabilities
     otool -L "$TARGET"                        # linked frameworks (AVFoundation, IOKit…)
     nm -u "$TARGET"                           # imported symbols vs watchlist (CGEventTap, AVCapture, task_for_pid…)
     

     Caveat: dlsym-based dynamic lookup hides imports — absence of watchlist symbols ≠ absence of capability.
   • PE / ELF (files relayed to other platforms):

     capa -j "$TARGET"                         # ATT&CK-mapped: persistence, networking, injection
     

Verdict

Synthesize into one call: clean / suspicious / malicious, with the evidence per layer. State confidence. A clean signature scan does NOT mean safe (signatures miss fresh infostealers like AMOS/Atomic Stealer) — weight VT reputation + capa capabilities + provenance (where did this file come from) over ClamAV alone.

Guardrails

• Never executes the target. Static analysis only — capa and friends parse, they don't run the binary.
• On-demand only. This skill does not install clamd or any resident/on-access scanner.
• VirusTotal uploads file hashes by default. Do NOT vt scan file (which uploads the file itself) on anything containing secrets or confidential data — hash lookup only.

Files

• YARA rules: bash ${CLAUDE_PLUGIN_ROOT}/bin/get-yara-rules.sh fetches Elastic's maintained macOS rule set to ~/.mac-security-suite/yara-rules/elastic-macos — triage.sh's default rules dir. Re-run to refresh.