Malcolm v26.01.0

[mmguero]

Malcolm v26.01.0 introduces a complete overhaul of its automatic file scanning capability, replacing its file scanning framework with Strelka, an open-source "real-time, container-based file scanning system used for threat hunting, threat detection, and incident response." This new framework offers more features and greater extensibility for developing future analytics. The release also includes several bug fixes and component version updates.

v25.12.1...v26.01.0

• ✨ Features and enhancements

  • Malcolm's automatic file scanning capability now runs on Strelka, an open-source "real-time, container-based file scanning system used for threat hunting, threat detection, and incident response," providing more features and improved extensibility for future analytics. Some settings, especially which scanners are enabled or disabled, may require manual configuration. See the documentation for details. (#485)
  • Enabled fuzzy hashing (SSDeep, TLSH), in addition to SHA256, for all Zeek-scanned files (#859)
  • Added additional health check data (Redis, etc.) to the /mapi/ready API
  • Major performance improvements to the Logstash parse pipeline:
    • Replaced the cidr filter with a custom Ruby filter
    • Changed "broadcast-and-drop" communication between pipelines to more targeted messaging
    • Reworked the "compact event" filter to remove empty/null values before indexing
  • Enabled MAC addresses in Suricata events (#866)
  • Enabled parsing of JA4D log generated by Zeek alongside dhcp.log (#870)
  • Strip out test PCAP from Zeek image (#872) to reduce image size and prevent image scanners from triggering false positives for the PCAPs' contents
  • Improvements to the IP Connections Tree dashboard

• ✅ Component version updates

  • Beats to v9.2.4
    • Migrated log inputs to filestream
  • codeql/upload-sarif action to v4
  • evtx to v0.11.0
  • Fluent Bit to v4.2.2
  • Keycloak to v26.5.0
  • Logstash to v9.2.4
  • NetBox to v4.4.10
  • OpenSearch Dashboards to v3.4.0
  • OpenSearch to v3.4.0
  • styfle/cancel-workflow-action to 0.13.0
  • supercronic to v0.2.41
  • Suricata to v8.0.3 (#873)
  • yq to v4.50.1
  • Zeek to v8.0.5
  • urllib3 Python library to v2.6.3 (addresses CVE-2026-21441)

• 🐛 Bug fixes

  • Malcolm API Loopback Monitor was being created multiple times (#856)
  • Disabled hardware NIC timestamping for capture (#851)
  • Fixed error in stun_nat log parsing with multiple WAN addresses (#849)
  • Fixed pruning of old log files (#855)
  • zeek_intel_setup.sh could leave an orphaned lock file if the container is killed, blocking future intel pulls (#843)
  • Fixed various parsing/templating issues for uploaded Windows Event (.evtx) files
  • Added text/php to "interesting" MIME types, and added application/html, application/ocsp-response, "application/x-pem-file, application/xhtml+xml, application/xml-sitemap, text/css, text/html, text/ini to "common/plain text" MIME types for extraction/scanning decisions
  • pcap-monitor container not honoring maximum PCAP file size (#864)

• ⚰️ Breaking changes and removed or deprecated functionality

  • The VirusTotal API key (VTOT_API2_KEY) environment variable for submitting extracted file SHA sums is not longer used. This functionality can now be achieved via the Google Threat Intelligence service (VirusTotal is now part of Google Threat Intelligence) or any supported intelligence feed.
  • Adding new a new log source parsing pipeline to Logstash no longer uses LOGSTASH_PARSE_PIPELINE_ADDRESSES. The new method uses a mapping file, described in the documentation.
  • EXTRACTED_FILE_ENABLE_CAPA, EXTRACTED_FILE_ENABLE_CLAMAV, and EXTRACTED_FILE_ENABLE_YARA are no longer used; scanners are now configured via the Strelka backend config file. See the documentation.
  • The definition of a file scanner "hit" is now more nuanced. quarantine/ and preserved/ subdirectories are no longer used in the Extracted Files web interface. Extracted files are more easily browsed and downloaded from the Files or File Scanning dashboards in OpenSearch Dashboards.
  • Malcolm's Zeek container image now places Zeek-related files under /usr/local/zeek instead of /opt/zeek. Update any custom volume mounts or references to /opt/zeek.

• 🧹 Code and project maintenance

  • Moved most scripts from ./shared/bin to their respective container folders. ./shared/bin/ now only contains scripts shared across multiple containers.
  • Updated Dockerfile syntax (ENV/ARG) to recommended format
  • Updated copyright year (2025 -> 2026)
  • Based the Malcolm Zeek image on the official Zeek image instead of building a custom image

• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

  • Updated default NetBox-enriched datasets (LOGSTASH_NETBOX_ENRICHMENT_DATASETS in logstash.env): filescan.strelka, suricata.alert, zeek.conn, zeek.dce_rpc, zeek.dhcp, zeek.dns, zeek.known_hosts, zeek.known_routers, zeek.known_services, zeek.login, zeek.ntlm, zeek.notice, zeek.rdp, zeek.rfb, zeek.signatures, zeek.smb_cmd, zeek.smb_files, zeek.smb_mapping, zeek.software, zeek.ssh, zeek.weird
  • Added FILEBEAT_SCANNER_FINGERPRINT_OFFSET and FILEBEAT_SCANNER_FINGERPRINT_LENGTH in filebeat.env to customize FileBeat filestream .file_identity and .prospector.scanner.fingerprint. See here, here, and here. FILEBEAT_WATCHER_POLLING now controls native- vs. fingerprint-based file identification.
  • Added filescan.env, filescan-secret.env, and pipeline.env; added variables to redis.env for Strelka-based file scanning. zeek-secret.env has been removed, with its values now in filescan-secret.env. Many values from zeek.env are now in filescan.env or pipeline.env.
  • Added MALCOLM_INDEX_MAX_RESULT_WINDOW in opensearch.env (#871). If specified, this value overrides index.max_result_window which defines the maximum value of from + size for searches of the network and "other" data indexes, where from is the starting index to search from, and size is the number of results to return. CAUTION: increasing this value beyond its baked-in default (10000) may result may negatively impact performance.
  • Tweaked defaults for pipeline. variables and added pipeline.ordered=false in logstash.env to improve performance
  • Removed -Dlogstash.pipelinebus.implementation=v1 from LS_JAVA_OPTS in logstash.env

• ❌ Errata

  • Release testing identified a small number of low-severity issues that did not justify delaying the release:
    • The file scanning result logs (event.provider:filescan) contain the zeek.files.extracted_uri field which, when clicked on in Dashboards or followed via the context menu for the value in Arkime, will download the extracted file, if available. This works for files resident on the Malcolm server itself; however, for files on a remote Hedgehog Linux sensor the link is not built correctly and will result in a 404. A workaround is to filter on the FUID (the value beginning with F in the event.id field) and view the corresponding Zeek files log, where the download link is formatted correctly. (#877)
    • The Allow Arkime WISE Configuration option in the configure tool (mapped to ARKIME_ALLOW_WISE_GUI_CONFIG in arkime-offline.env) controls Arkime WISE's --webconfig behavior. Enabling this option makes the WISE UI read/write (the default is false, which keeps the UI read-only). When enabled, any user account that has not yet logged into the main Arkime UI (for example, service accounts) will receive a “User not found” error from WISE. As a result, accounts created solely to allow a Hedgehog sensor's Arkime capture process to connect to Malcolm will fail to connect to WISE, causing Arkime capture to fail to start on Hedgehog. (#878)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

---

This discussion was created from the release Malcolm v26.01.0.