Firewall Malware Insights

About the Data

Data Refresh Frequency: Updated daily at around 14:05 UTC. New repository component data can take up to 24 hours to appear.

Displays Data for: Malware identified and processed by Sonatype Firewall across protected repositories within the selected date range.

Minimum Requirements: Requires Sonatype Firewall 202 or later. Repositories must have Firewall malware insights protection enabled and evaluated at least once.

Overview

The Firewall Malware Insights Dashboard provides visibility into malware that Sonatype Firewall detects and blocks. This dashboard highlights malware frequency, severity, classification, and where threats are entering your environment.

By providing clear visibility into detected and quarantined malware, the dashboard enables security, platform, and engineering teams to evaluate malware activity and the effectiveness of Firewall protection across repositories.

Use filters such as date range, repository, component, threat level, and policy name to refine your view and analyze malware activity across your environment.

About Firewall Malware Insights

Firewall Malware Insights surfaces information about malicious components identified during repository evaluation.

Malware detected by Firewall may include components designed to:

  • Execute on developer machines.

  • Exfiltrate credentials or tokens.

  • Introduce backdoors.

  • Exploit software supply chain weaknesses.

By surfacing this data, the dashboard provides visibility into threats that are identified and controlled before they are consumed by downstream applications.

Downloading Dashboard and Table Data

You can download dashboard and table data using the dashboard export options.

For instructions on exporting dashboards, tables, and scheduling deliveries, see Exporting Dashboards and Table Data.

Explore Your Firewall Malware Insights Dashboard

Our dynamic dashboard lets you drill into malware activity with a comprehensive set of filters. Narrow your view by date range, component, repository, attack vector, policy threat level, status, policy name, threat type, release reason, and format.

Date Range: Defaults to a relative time selection. Adjustable to custom or predefined time periods (for example, on or after 12 months ago).

Component: Filter by specific component name.

Repository: Select one or more repositories.

Attack Vector: Filter by identified attack vector (for example, Trojan, Hijack, Brandjack, or No associated vector).

Policy Threat Level:

  • Critical

  • Severe

  • Moderate

  • Low

Status: Filter by the current malware processing status.

Policy Name: Select specific Firewall policies.

Threat Type: Filter by identified malware classification (for example, Data corruption, Backdoor, Potentially unwanted application, or Other).

Release Reason: Filter by the reason a quarantined component was released (for example, Unquarantine, Policy Change, Auto-release, Monitoring Enabled, or Waived).

Format: Filter by component format or ecosystem (for example, npm, Maven, PyPI, Docker, and others).

Use these controls to slice and analyze malware activity across your repositories.

Malware Blocked by Firewall (by Severity Level)

This chart shows the number of malware components blocked by Firewall over time, grouped by severity level.

Severity levels reflect the classification assigned to the malware detection and allow you to view trends across Critical, Severe, Moderate, and Low categories within the selected date range.

Malware Released from Quarantine

This visualization shows components that were previously quarantined and later released.

Release scenarios may include auto-release, policy updates, monitoring changes, manual unquarantine actions, or waiver application.

Note

If no components meet the selected filter criteria, the visualization displays No results.

Malware Quarantine – Attack Vectors

This chart groups quarantined malware by attack vector.

Examples may include:

  • Trojan

  • Hijack

  • Brandjack

  • No associated vector

Note

Components categorized as No associated vector do not have a detected attack vector.

Malware Quarantine – Threat Type

This visualization categorizes quarantined malware by identified threat type.

Examples may include:

  • Data corruption

  • Backdoor

  • Potentially unwanted application

  • Other

Note

Components categorized as Other do not have a specific threat classification assigned.

Quarantine Events

This visualization groups malware detections by component format.

Examples may include:

  • npm

  • Maven

  • PyPI

Note

If no format is available for a component, it may appear under a general or unclassified grouping.

Component Evaluated (at least once)

This metric displays the total number of components that have undergone malware evaluation at least once within the selected time range.

Hugging Face Models Evaluated (at least once)

This metric displays the total number of Hugging Face models evaluated for malware within the selected time range.

Container Images Evaluated (at least once)

This metric displays the total number of container images evaluated for malware within the selected time range.

Malware Count in Repository Instance

This metric displays the number of malware detections within repository instances.

Malware Count in Proxy Repositories

This metric displays the number of malware detections identified within proxy repositories.

Malware Events

Threat classifications are associated with a malware identifier and severity level, which may include references such as CVE identifiers where applicable.

The Malware Events table provides detailed information about individual malware detections, including:

  • Format

  • Policy Name

  • CVE (if applicable)

  • Repository

  • Component

  • Attack Vector

  • Threat Type

  • Status

  • Quarantine Date

  • Release Reason

Note

  • If a component does not have an associated CVE, the CVE field may appear blank.

  • If a component was not quarantined, the Quarantine Date field may appear blank.

  • Policy names are customizable and defined by the user. They are configured based on policy constraints such as Proprietary Name Conflict, Security Vulnerability Category, and Integrity Rating. Based on these constraints, policy names may include examples such as Security – Namespace Conflict, Security – Malicious, or Integrity Rating.
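
As an added example (not Sonatype code), the following sketch triages an exported Malware Events table using the blank-field rules from the notes above. It assumes a CSV export whose headers match the column names listed on this page; the sample rows, repository names, and the reading of a blank Release Reason as "still quarantined" are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Header names follow the Malware Events column
# list on this page; the CSV layout of a real export is an assumption.
# Status is left empty because its values are not listed on this page.
SAMPLE_EXPORT = """\
Format,Policy Name,CVE,Repository,Component,Attack Vector,Threat Type,Status,Quarantine Date,Release Reason
npm,Security - Malicious,,npm-proxy,example-pkg-a 1.0.0,Trojan,Backdoor,,2026-02-10,
npm,Security - Malicious,,npm-proxy,example-pkg-b 2.1.0,Brandjack,Other,,2026-02-11,Waived
PyPI,Security - Malicious,,pypi-proxy,example-pkg-c 0.3,No associated vector,Data corruption,,,
Maven,Security - Malicious,,maven-proxy,example-pkg-d 4.2,Hijack,Backdoor,,2026-02-12,Auto-release
npm,Security - Malicious,,npm-proxy,example-pkg-e 1.1.0,Trojan,Backdoor,,2026-02-13,Waived
"""


def load_events(csv_text):
    """Parse export text into dicts, stripping whitespace from every field."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def triage(events):
    """Split events into never-quarantined, released, and still-held groups."""
    never_quarantined, released, held = [], [], []
    for event in events:
        if not event["Quarantine Date"]:
            # Blank Quarantine Date: the component was not quarantined.
            never_quarantined.append(event)
        elif event["Release Reason"]:
            # Quarantined earlier, then released for the stated reason.
            released.append(event)
        else:
            # Assumption: no release reason means it is still quarantined.
            held.append(event)
    return never_quarantined, released, held


def releases_by_repo(released):
    """Count released components per (repository, release reason)."""
    return Counter((e["Repository"], e["Release Reason"]) for e in released)


if __name__ == "__main__":
    not_quarantined, released, held = triage(load_events(SAMPLE_EXPORT))
    for e in not_quarantined:
        print("never quarantined:", e["Repository"], e["Component"])
    for (repo, reason), n in sorted(releases_by_repo(released).items()):
        print(f"released: {repo} {reason} x{n}")
    print("still held:", len(held))
```

Detections that were never quarantined and components released by waiver are the rows to review first, since both left the malware available to downstream consumers.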

Troubleshooting

Problem:

Clicking on the browser Refresh button may give you the following error:

[Screenshot of the error: Troubleshooting_1.png]

Solution:

On the page where you see this error, click your browser's Back button to return to the Enterprise Reporting landing page. Then select the dashboard you want to view to reload the visualizations.

To refresh the page, click the refresh icon at the top right instead of your browser's Refresh button.

Problem:

No data visible on the dashboard or any other issues with the dashboard.

Solution:

Click the Copy to Support Info to Clipboard button and contact support with this information.