Nightwatch
Real-time Malware Detection Agent
A lightweight agent installed on your server that monitors file changes in real-time, scans with YARA rules and hash databases, and escalates suspicious files to cloud AI for deep analysis.
Installation
One-line Install
```bash
curl -sL https://install.aientrophy.com/agent | sudo bash -s -- --key YOUR_API_KEY
```
Or via pip
```bash
pip install aientrophy-nightwatch
```
Multi-layer Scan Pipeline
Hash DB (instant) → Extension mismatch → YARA rules → Cloud AI escalation. Fast local checks run first; heavy analysis is offloaded to the cloud.
YARA Rule Engine
Compiled rule matching with auto-update from cloud. Detects webshells, backdoors, ransomware patterns.
Extension Disguise Detection
Detects executables and scripts masquerading as images or documents using magic byte analysis.
Cloud AI Analysis
Suspicious files are escalated to AI for deep content inspection, obfuscation detection, and verdict.
Automatic Quarantine
Malicious files are instantly isolated: permissions are reduced to chmod 400, the file is moved to the quarantine directory, and a metadata JSON record is written.
Auto-updating Rules
YARA rules and hash databases sync from cloud hourly. AI-confirmed threats are auto-registered for instant future detection.
Architecture
Agent (Customer Server)
Watches filesystem, runs local scans, quarantines threats
Cloud API
Receives suspicious files, runs AI analysis, distributes rules
Scan Pipeline
Configuration
YAML-based configuration with environment variable overrides.
```yaml
watch:
  paths:
    - /var/www
    - /tmp
  exclude: ["*.log", "node_modules/*"]
  recursive: true
scan:
  yara_rules_dir: /var/lib/aientrophy/yara-rules
  hash_db_path: /var/lib/aientrophy/hash-db/malware_hashes.txt
  yara_rules_auto_update: true
action:
  on_detect: quarantine # quarantine | alert | block
  quarantine_dir: /var/lib/aientrophy/quarantine
cloud:
  server: https://malware.aientrophy.com
  # api_key: set via NIGHTWATCH_API_KEY env var
```
Cloud API Endpoints
| Method | Endpoint |
|---|---|
| POST | /api/v1/scan |
| GET | /api/v1/hash/{sha256} |
| POST | /api/v1/events |
| GET | /api/v1/rules/yara/manifest |
| GET | /api/v1/stats |
| GET | /api/v1/health |
Requirements
- Python 3.10+
- Linux (recommended) or Windows
- ~50MB RAM footprint