Skip to content
Docs

PRX-SD

PRX-SD is an open-source antivirus engine built as an 11-crate Rust workspace. It combines traditional signature-based detection with heuristic analysis and machine learning to identify malware on endpoints across Linux, macOS, and Windows.

Architecture

Section titled “Architecture”
CrateRole
prx-sd-coreShared types, configuration, scoring, error handling
prx-sd-scannerOrchestrates the 5-stage detection pipeline
prx-sd-signaturesHash database (LMDB) and signature management
prx-sd-yaraYARA rule compilation and matching
prx-sd-heuristicsEntropy analysis, packer detection, suspicious API/behavior patterns
prx-sd-mlML inference via ONNX Runtime / tract
prx-sd-quarantineAES-256-GCM encrypted vault for isolated threats
prx-sd-sandboxProcess sandboxing (ptrace, seccomp, namespaces, Landlock)
prx-sd-monitorReal-time filesystem monitoring
prx-sd-cliCommand-line interface (sd)
prx-sd-guiDesktop GUI (Tauri + Vue 3)

5-Stage Detection Pipeline

Section titled “5-Stage Detection Pipeline”

Every scanned file passes through these stages. Detection at any stage can short-circuit with a final verdict.

File input
  
  
1. Hash Matching ──match──▶ MALICIOUS (instant)
  │ no match
  
2. File-Type Detection (magic bytes)
  
  
3. Format Parsing (PE / ELF / MachO / PDF / Office)
  
  
4. Parallel Analysis
  
  ├── YARA Rule Scan ──match──▶ MALICIOUS
  ├── Heuristic Engine ──score──▶ scored
  └── ML Inference (ONNX/tract) ──score──▶ scored
  
  
5. VirusTotal Cloud Lookup (optional)
  
  
Aggregate → Final Verdict

Stage 1: Hash Matching

Section titled “Stage 1: Hash Matching”

The fastest detection method. File SHA-256 (and optionally MD5) is looked up in an LMDB database with O(1) access time.

Signature sources:

SourceTypeContent
abuse.ch MalwareBazaarSHA-256Malware samples from the last 48 hours
abuse.ch URLhausSHA-256File hashes from malicious URLs
abuse.ch Feodo TrackerSHA-256Banking trojans (Emotet, Dridex, TrickBot)
VirusShareMD520M+ malware hashes (full mode)
ClamAVMultiple.cvd/.ndb signatures (parser included)
Built-in blocklistSHA-256EICAR, WannaCry, NotPetya, Emotet, and others

Stage 2: File-Type Detection

Section titled “Stage 2: File-Type Detection”

Magic byte identification determines the true file type regardless of extension: PE, ELF, MachO, PDF, ZIP, Office (OLE/OOXML).

Stage 3: Format Parsing

Section titled “Stage 3: Format Parsing”

Deep parsing of recognized formats extracts structural metadata used by the heuristic engine:

FormatExtracted Data
PE (Windows)Sections, imports, exports, resources, timestamps, digital signatures
ELF (Linux)Sections, symbols, dynamic linking, interpreter path
MachO (macOS)Load commands, dylib dependencies, entitlements, code signatures
PDFJavaScript, embedded files, launch actions, URI actions
OfficeMacros (VBA), OLE streams, DDE links, embedded objects

Stage 4: Parallel Analysis

Section titled “Stage 4: Parallel Analysis”

Three analysis engines run concurrently on the parsed file:

YARA Rules — Pattern matching against 38,800+ rules from multiple sources (built-in, Yara-Rules, Neo23x0/signature-base, ReversingLabs, ESET, InQuest).

Heuristic Engine — Scores files based on structural anomalies:

CheckApplies toWhat it detects
Section entropyPE, ELF, MachOPacked or encrypted sections (high entropy)
Packer detectionPEKnown packers (UPX, Themida, VMProtect)
Suspicious API importsPEProcess injection, keylogging, crypto, anti-debug
LD_PRELOAD hooksELFShared library injection
cron/systemd persistenceELFPersistence mechanisms
SSH backdoor indicatorsELFUnauthorized SSH key injection
dylib injectionMachODynamic library hijacking
LaunchAgent/DaemonMachOmacOS persistence mechanisms
Keychain accessMachOCredential theft indicators
Timestamp anomaliesPEForged compilation timestamps

ML Inference — Machine learning classification via ONNX Runtime or tract. Models score files based on features extracted during parsing.

Stage 5: VirusTotal Cloud Lookup (Optional)

Section titled “Stage 5: VirusTotal Cloud Lookup (Optional)”

If enabled, the file hash is checked against VirusTotal’s database for additional vendor verdicts.

Scoring

Section titled “Scoring”

All analysis results are aggregated into a single numeric score:

Score RangeVerdictMeaning
0—29CleanNo threats detected
30—69SuspiciousSome indicators present, manual review recommended
70—100MaliciousHigh-confidence threat, automatic action recommended

The final verdict uses the highest severity from any detection stage.

Real-Time Monitoring

Section titled “Real-Time Monitoring”

PRX-SD monitors filesystem changes in real time using platform-native APIs:

PlatformAPI
Linuxfanotify
macOSFSEvents
WindowsReadDirectoryChangesW

When a new or modified file is detected, it is automatically scanned through the full pipeline.

Ransomware Detection

Section titled “Ransomware Detection”

The monitor includes specialized ransomware detection: rapid file rename/encrypt patterns, known ransomware extensions, and high-entropy bulk writes trigger immediate alerts.

Quarantine

Section titled “Quarantine”

Detected threats are moved to an AES-256-GCM encrypted vault:

  • Files are encrypted before storage to prevent accidental execution
  • Original path and metadata are preserved for restoration
  • Quarantined files can be listed, inspected, or restored via CLI
Terminal window
# List quarantined files
sd quarantine list


# Restore a quarantined file
sd quarantine restore <ID>


# Permanently delete quarantined file
sd quarantine delete <ID>

Remediation

Section titled “Remediation”

Beyond quarantine, PRX-SD can take active remediation steps:

ActionDescription
Kill processTerminate the process that created or is using the malicious file
Clean persistenceRemove cron jobs, systemd units, LaunchAgents, or registry entries associated with the threat
Network isolationBlock outbound connections from the compromised process or host

Sandbox

Section titled “Sandbox”

PRX-SD can execute suspicious files in a restricted sandbox for behavioral analysis:

MechanismPlatformPurpose
ptraceLinuxSystem call tracing
seccompLinuxSystem call filtering
namespacesLinuxFilesystem and network isolation
LandlockLinux 5.13+Filesystem access restrictions

Behavior Rules

Section titled “Behavior Rules”

The sandbox monitors for 10 categories of suspicious behavior:

  1. File encryption (bulk write with high entropy)
  2. Process injection (ptrace attach, /proc/*/mem writes)
  3. Credential access (reading /etc/shadow, keychain, browser storage)
  4. Network beaconing (periodic outbound connections to unknown hosts)
  5. Persistence installation (cron, systemd, LaunchAgent, registry)
  6. Privilege escalation (setuid, sudo, capability manipulation)
  7. Anti-analysis (debugger detection, VM detection, sleep evasion)
  8. Data exfiltration (large outbound transfers, DNS tunneling)
  9. Lateral movement (SSH, SMB, WMI activity)
  10. Defense evasion (log deletion, timestomping, binary packing)

CLI Commands

Section titled “CLI Commands”
Terminal window
# Scan a single file
sd scan /path/to/file


# Scan a directory recursively
sd scan /home --recursive


# Scan with auto-quarantine
sd scan /tmp --auto-quarantine


# JSON output for programmatic use
sd scan /path --json


# Real-time directory monitoring
sd monitor /home /tmp


# Update signature databases
sd update


# Import custom hashes
sd import my_hashes.txt


# Show database and engine info
sd info

Webhook Alerts

Section titled “Webhook Alerts”

PRX-SD sends detection alerts via webhook to external services:

FormatEndpoint
SlackIncoming webhook URL
DiscordWebhook URL
Generic JSONAny HTTP endpoint

Alert payloads include: file path, SHA-256 hash, matched rules/signatures, score, verdict, and remediation action taken.

Signature Updates

Section titled “Signature Updates”
Terminal window
# Standard update (hashes + YARA rules)
./tools/update-signatures.sh


# Full update including VirusShare 20M+ MD5 hashes
./tools/update-signatures.sh --full


# Update only hash databases
./tools/update-signatures.sh --source hashes


# Update only YARA rules
./tools/update-signatures.sh --source yara