Trusted Malware Hash Matching
VersionGopher™ can compare collected SHA-256 file hashes against a local offline catalog of trusted malware hashes. Exact matches become Malware Hits in the dashboard, search results, file cards, Deep Search, and assessment reports without sending each scanned hash to a live reputation service.
VersionGopher matches the scanned file bytes by SHA-256. A matching hash means the catalog knows that exact byte sequence, not just a similar filename, version, publisher, or path.
Scan browsing, dashboard filtering, Deep Search, and file-card review use the local catalog. The only routine networked operation is the scheduled or managed catalog refresh.
Malware Hits has its own badge, alert panel, filter chip, result-row indicators, and detail section so exact hash matches are not buried under ordinary CVE or package-risk review.
The catalog stores the hash verdict and source confidence. A match does not by itself prove execution, exploitability, command-and-control activity, malware family, or security-vendor detection counts.
Where You See Malware Hash Matches
- Dashboard: the Malware Hits stat card and alert panel summarize visible file rows and top matching SHA-256 values.
- Filters: the Malware Hits filter shows file rows whose SHA-256 appears in the local offline malware hash catalog.
- File cards: the malware section explains why VersionGopher is calling the file malware, including verdict, SHA-256, confidence, known limits, recommended action, and scan provenance.
- Deep Search: SHA-256 searches can show malware context when a searched hash matches the local catalog.
- Assessments: scan assessments call out known malware presence alongside CVE, package advisory, private-key, wallet, AI prompt, archive, and provenance evidence.
Recommended Analyst Workflow
- Click the Malware Hits badge or alert item to drill into the matched file rows.
- Open the file card and read the malware explanation before deciding whether the file is an active threat, a staged sample, a package artifact, or a false-positive candidate.
- Check path, owner, organization, scan group, scan timestamp, file type, publisher, signature evidence, and nearby files.
- If the host or image is active, isolate or contain it according to your incident-response procedure while preserving the file and scan evidence.
- Verify catalog freshness before making a final customer-facing statement, especially when provenance suggests a legitimate package or installer context.
Catalog Refresh
VersionGopher maintains the shared offline malware hash catalog using the same data-refresh model as the vulnerability and package advisory catalogs. Scheduled feed jobs keep the catalog fresh, and out-of-band refreshes are handled by VersionGopher operations when the enclave needs current hash intelligence before a review.
- Catalog refreshes are the only routine networked malware-hash operation.
- Search, scan browsing, result filtering, assessments, and file-card review use local PostgreSQL state and do not call live reputation APIs.
- Once a catalog hit is stored, later uploads of a file with the same SHA-256 can short-circuit locally to that stored hit instead of repeating the catalog lookup.
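As an added illustration, not VersionGopher's own code, this sketches the matching model described above: the scanned bytes are hashed with SHA-256, looked up by exact digest in a local catalog, and a stored hit short-circuits later scans of the same bytes. The catalog entry, the `MalwareHit` fields, and the `HashMatcher` class are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest of the file bytes; the catalog is keyed on this exact value."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample entry, not real malware data: digest -> verdict metadata.
SAMPLE_MALWARE_BYTES = b"constructed sample payload for the example, not a real file"
CATALOG = {
    sha256_hex(SAMPLE_MALWARE_BYTES): {
        "verdict": "malware", "confidence": "high", "source": "example-feed"},
}


@dataclass
class MalwareHit:
    path: str
    sha256: str
    verdict: str
    confidence: str
    source: str
    # What an exact-hash match does and does not establish (mirrors the file-card limits).
    known_limits: tuple = ("exact byte match only", "no proof of execution",
                           "no family attribution")


class HashMatcher:
    """Offline exact-match lookup with a local cache of stored hits (no network)."""

    def __init__(self, catalog: dict):
        self.catalog = {k.lower(): v for k, v in catalog.items()}  # normalize hex case
        self.stored_hits: dict = {}   # stands in for the local PostgreSQL rows written per hit
        self.catalog_queries = 0      # counts catalog lookups so the short-circuit is observable

    def match(self, path: str, data: bytes) -> Optional[MalwareHit]:
        digest = sha256_hex(data)
        entry = self.stored_hits.get(digest)      # short-circuit on a previously stored hit
        if entry is None:
            self.catalog_queries += 1
            entry = self.catalog.get(digest)
            if entry is None:
                return None                       # same name or path is irrelevant; bytes differ
            self.stored_hits[digest] = entry
        return MalwareHit(path, digest, entry["verdict"], entry["confidence"], entry["source"])
```

A renamed copy of the same bytes produces the same hit, while a one-byte change produces no match at all, which is exactly why the file card asks you to check path, publisher, and provenance before deciding what the hit means.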
What This Is Not
- It is not dynamic sandboxing or behavior analysis.
- It is not a live reputation lookup for every file in a scan.
- It is not proof that the file executed on the host.
- It is not a replacement for preserving evidence and following incident-response containment procedures.