{"id":40831812,"url":"https://github.com/sandflysecurity/sandfly-entropyscan","last_synced_at":"2026-01-21T22:26:17.129Z","repository":{"id":41260415,"uuid":"223871335","full_name":"sandflysecurity/sandfly-entropyscan","owner":"sandflysecurity","description":"Entropy scanner for Linux to detect packed or encrypted binaries related to malware. Finds malicious files and Linux processes and gives output with cryptographic hashes.","archived":false,"fork":false,"pushed_at":"2024-06-11T03:01:42.000Z","size":57,"stargazers_count":134,"open_issues_count":3,"forks_count":20,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-06-20T12:08:04.006Z","etag":null,"topics":["blueteam","blueteamin","incident-response","incident-response-tooling","intrusion-detection","intrusion-detection-system","linux","malware","malware-analysis","malware-research","security"],"latest_commit_sha":null,"homepage":"https://www.sandflysecurity.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sandflysecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-25T05:50:12.000Z","updated_at":"2024-06-14T02:35:36.000Z","dependencies_parsed_at":"2024-06-18T22:58:52.482Z","dependency_job_id":null,"html_url":"https://github.com/sandflysecurity/sandfly-entropyscan","commit_stats":{"total_commits":11,"total_committers":5,"mean_commits":2.2,"dds":0.6363636363636364,"last_synced_commit":"f4daa7337c0bdff6065bb988a50ecf1dd976c923"},"previous_names":["sandflysecurity/sandfly-filescan"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/sandflysecurity/sandfly-entropyscan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-entropyscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-entropyscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-entropyscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-entropyscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sandflysecurity","download_url":"https://codeload.github.com/sandflysecurity/sandfly-entropyscan/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-entropyscan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28645548,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T21:29:11.980Z","status":"ssl_error","status_checked_at":"2026-01-21T21:24:31.872Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blueteam","blueteamin","incident-response","incident-response-tooling","intrusion-detection","intrusion-detection-system","linux","malware","malware-analysis","malware-research","security"],"created_at":"2026-01-21T22:26:16.569Z","updated_at":"2026-01-21T22:26:17.110Z","avatar_url":"https://github.com/sandflysecurity.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# What is sandfly-entropyscan?\n\n`sandfly-entropyscan` is a utility to quickly scan files or running processes and report on their entropy (measure \nof randomness) and if they are a Linux/Unix ELF type executable. Some malware for Linux is packed or encrypted and \nshows very high entropy. This tool can quickly find high entropy executable files and processes which often are \nmalicious.\n\n# Features\n\n* Written in Golang and is portable across multiple architectures with no modifications.\n* Standalone binary requires no dependencies and can be used instanly without loading any libraries on suspect machines.\n* Not affected by LD_PRELOAD style rootkits that are cloaking files. \n* Built-in PID busting to find hidden/cloaked processes from certain types of Loadable Kernel Module (LKM) rootkits.\n* Generates entropy and also MD5, SHA1, SHA256 and SHA512 hash values of files.\n* Can be used in scanning scripts to find problems automatically.\n* Can be used by incident responders to quickly scan and zero in on potential malware on a Linux host. \n\n# Why Scan for Entropy?\n\nEntropy is a measure of randomness. For binary data 0.0 is not-random and 8.0 is perfectly random. Good crypto looks \nlike random white noise and will be near 8.0. Good compression removes redundant data making it appear more random \nthan if it was uncompressed and usually will be 7.7 or above.\n\nA lot of malware executables are packed to avoid detection and make reverse engineering harder. Most standard Linux \nbinaries are not packed because they aren't trying to hide what they are. Searching for high entropy files is a good \nway to find programs that could be malicious just by having these two attributes of high entropy and executable. \n\n# How Do I Use This?\n\nUsage of `sandfly-entropyscan`:\n\n`  -csv`\n    \toutput results in CSV format (filename, path, entropy, elf_file [true|false], MD5, SHA1, SHA256, SHA512)\n\n`  -delim`\n\t\tchange the default delimiter for CSV files of \",\" to one of your choosing (\"|\", etc.)\n    \t\n`  -dir string`\n    \tdirectory name to analyze\n    \t\n`  -file string`\n    \tfull path to a single file to analyze\n\n`  -proc`\n\t\tcheck running processes (defaults to ELF only check)\n\n`  -elf`\n    \tonly check ELF executables\n    \t\n`  -entropy float`\n    \tshow any file/process with entropy greater than or equal to this value (0.0 min - 8.0 max, defaults 0 to show all files)\n    \t\n`   -version`\n    \tshow version and exit\n\n# Examples\n\nSearch for any file that is executable under /tmp:\n\n`sandfly-entropyscan -dir /tmp -elf`\n\nSearch for high entropy (7.7 and higher) executables (often packed or encrypted) under /var/www:\n\n`sandfly-entropyscan -dir /var/www -elf -entropy 7.7`\n\nGenerates entropy and cryptographic hashes of all running processes in CSV format:\n\n`sandfly-entropyscan -proc -csv`\n\nSearch for any process with an entropy higher than 7.7 indicating it is likely packed or encrypted:\n\n`sandfly-entropyscan -proc -entropy 7.7`\n\nGenerate entropy and cryptographic hash values of all files under /bin and output to CSV format (for instance to save and compare hashes):\n\n`sandfly-entropyscan -dir /bin -csv`\n\nScan a directory for all files (ELF or not) with entropy greater than 7.7:\n(potentially large list of files that are compressed, png, jpg, object files, etc.)\n\n`sandfly-entropyscan -dir /path/to/dir -entropy 7.7`\n\nQuickly check a file and generate entropy, cryptographic hashes and show if it is executable:\n\n`sandfly-entropyscan -file /dev/shm/suspicious_file`\n\n# Use Cases\n\nDo spot checks on systems you think have a malware issue. Or you can automate the scan so you will get an output \nif we find something show up that is high entropy in a place you didn't expect. Or simply flag any executable ELF type \nfile that is somewhere strange (e.g. hanging out in /tmp or under a user's HTML directory). For instance:\n\nDid a high entropy binary show up under the system /var/www directory? Could be someone put a malware dropper\non your website:\n\n`sandfly-entropyscan -dir /var/www -elf -entropy 7.7`\n\nSetup a cron task to scan your /tmp, /var/tmp, and /dev/shm directories for any kind of executable file whether it's \nhigh entropy or not. Executable files under tmp directories can frequently be a malware dropper.\n\n`sandfly-entropyscan -dir /tmp -elf`\n\n`sandfly-entropyscan -dir /var/tmp -elf`\n\n`sandfly-entropyscan -dir /dev/shm -elf`\n\nSetup another cron or automated security sweep to spot check your systems for highly compressed or encrypted binaries that \nare running:\n\n`sandfly-entropyscan -proc -entropy 7.7`\n\n# Build\n\n* Install latest version of golang (www.golang.org)\n* Clone the repo:\n\n`git clone https://github.com/sandflysecurity/sandfly-entropyscan.git`\n\n* Go into the repo directory and build it:\n\n`go build`\n\n* Run the binary with your options:\n\n`./sandfly-entropyscan`\n\n## Build Scripts\n\nThere are a some basic build scripts that build for various platforms. You can use these to build or modify to suit.\nFor Incident Responders, it might be useful to keep pre-compiled binaries ready to go on your investigation box.\n\n`build.sh` - Build for current OS you're running on when you execute it.\n\n# ELF Detection\n\nWe use a simple method for seeing if a file may be an executable ELF type. We can spot ELF format files for \nmultiple platforms. Even if malware has Intel/AMD, MIPS and Arm dropper binaries we will still be able to spot all of \nthem.\n\n# False Positives\n\nIt's possible to flag a legitimate binary that has a high entropy because of how it was compiled, or because\nit was packed for legitimate reasons. Other files like .zip, .gz, .png, .jpg and such also have very high entropy \nbecause they are compressed formats. Compression removes redundancy in a file which makes it appear to be more \nrandom and has higher entropy.\n\nOn Linux, you may find some kinds of libraries (.so files) get flagged if you scan library directories.\n\nHowever, it is our experience that executable binaries that also have high entropy are often malicious. This is \nespecially true if you find them in areas where executables normally shouldn't be (such as again `tmp` or `html` \ndirectories).\n\n# Performance\n\nThe entropy calculation requires reading in all the bytes of the file and tallying them up to get a final number. It \ncan use a lot of CPU and disk I/O, especially on very large file systems or very large files. The program has an \ninternal limit where it won't calculate entropy on any file over 2GB, nor will it try to calculate entropy on any\nfile that is not a regular file type (e.g. won't try to calculate entropy on devices like `/dev/zero`).\n\nThen we calculate MD5, SHA1, SHA256 and SHA512 hashes. Each of these requires going over the file as well. It's \nreasonable speed on modern systems, but if you are crawling a very large file system it can take some time to\ncomplete.\n\nIf you tell the program to only look at ELF files, then the entropy/hash calculations won't happen unless it is an\nELF type and this will save a lot of time (e.g. it will ignore massive database files that aren't executable).\n\nIf you want to automate this program, it's best to not have it crawl the entire root file system unless you want\nthat specifically. A targeted approach will be faster and more useful for spot checks. Also, use the ELF flag as that\nwill drastically reduce search times by only processing executable file types.\n\n# Incident Response \n\nFor incident responders, running `sandfly-entropyscan` against the entire top-level \"/\" directory may be a good idea just \nto quickly get a list of likely packed candidates to investigate. This will spike CPU and disk I/O. However, you probably \ndon't care at that point since the box has been mining cryptocurrency for 598 hours anyway by the time the admins \nnoticed. \n\nAgain, use the ELF flag to get to the likely problem candidate executables and ignore the noise. \n\n# Testing\n\nThere is a script called `scripts/testfiles.sh` that will make two files. One will be full of random data and one will not be\nrandom at all. When you run the script it will make the files and run `sandfly-entropyscan` in executable detection mode.\nYou should see two files. One with very high entropy (at or near 8.0) and one full of non-random data that should\nbe at 0.00 for low entropy. Example:\n\n`./testfiles.sh`\n\nCreating high entropy random executable-like file in current directory.\n\nCreating low entropy executable-like file in current directory.\n\nhigh.entropy.test, entropy: 8.00, elf: true\n\nlow.entropy.test, entropy: 0.00, elf: true\n\nYou can also load up the `upx` utility and compress an executable and see what values it returns.\n\n# Agentless Linux Security\n\nSandfly Security produces an agentless endpoint detection and incident response platform (EDR) for Linux. Automated\nentropy checks are just one of thousands of things we search for to find intruders without loading any software \non your Linux endpoints.\n\nGet a free license and learn more below:\n\nhttps://www.sandflysecurity.com\n@SandflySecurity\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandflysecurity%2Fsandfly-entropyscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsandflysecurity%2Fsandfly-entropyscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandflysecurity%2Fsandfly-entropyscan/lists"}