Part of the Shield Labs ecosystem.
An open-source, high-performance malware detection engine built in Go. Designed for transparency, depth, and layered defense.
Antivirus engines are often "black boxes" that quarantine files without explaining the why or how. Shield Engine is built in the open, allowing security researchers and developers to understand detection techniques ranging from simple signatures to advanced heuristics and entropy analysis.
Shield is designed for:
- Internal Malware Detection: Scanning infrastructure for known threats.
- Security Research: Analyzing techniques used by modern malware.
- Layered Defense: Providing a transparent alternative to proprietary solutions.
| Engine | Detection Technique | Status |
|---|---|---|
| Hash-Based | SHA-256, SHA-1, MD5 signatures | ✅ Production |
| YARA Rules | Advanced pattern matching (YARA-Lite) | ✅ Production |
| PE Heuristics | IAT analysis, section headers, static API checks | ✅ Production |
| Entropy | Detecting packed/encrypted malicious payloads | ✅ Production |
| Fuzzy Hashing | ssdeep/TLSH for detecting polymorphic variants | ✅ Production |
| Evasion Lab | Tools for testing engine bypass techniques | 🔜 Planned |
Shield utilizes a modular Detector Interface, allowing multiple engines to scan a file concurrently and return a combined risk assessment.
graph TD
CLI[Shield CLI] --> Orchestrator[Scanner Orchestrator]
Orchestrator --> Hash[Hash Engine]
Orchestrator --> YARA[YARA Engine]
Orchestrator --> PE[PE Heuristics]
Orchestrator --> Entropy[Entropy Engine]
Orchestrator --> Fuzzy[Fuzzy Engine]
Hash --> DB[(Signatures DB)]
YARA --> Rules[(YARA Rules)]
Shield/
├── main.go # CLI Entry Point & Orchestration
├── scanner/ # Core Detection Engines
│ ├── entropy.go # Entropy & Packing Detection
│ ├── fuzzy.go # Fuzzy Hashing (ssdeep/TLSH)
│ ├── pe.go # PE Heuristics & IAT Analysis
│ ├── scanner.go # Orchestration & Multi-thread Scanning
│ └── yara.go # YARA-Lite Rule Integration
├── rules/ # YARA Rule Collections (Core, ESET, etc.)
├── signatures/ # Known-bad Hash Databases
├── go.mod # Dependencies
└── README.md # Documentation
- Go 1.21+
- libyara (Required for YARA scanning support)
git clone https://github.com/Ross-ward/Shield-Engine.git
cd Shield-Engine
go build -o Shield main.goScan a single file:
./Shield scan --file suspicious.exeScan a directory recursively:
./Shield scan --dir ./downloadsAdd a new threat hash:
./Shield add-hash --hash <sha256> --name "Emotet Loader"The most fundamental method. Compares file hashes (SHA-256, SHA-1, MD5) against our signatures/signatures.txt database. While easily bypassed by changing a single byte, it remains the standard for identifying known samples.
Shield integrates a recursive YARA rule loader. It scans files against thousands of community rules (Elastic, ESET, Florian Roth) to identify specific malware families and attack techniques.
The PE engine parses the Windows executable structure to identify:
- Suspicious Imports (IAT): Detecting calls to
VirtualAlloc,WriteProcessMemory, etc. - Section Anomalies: Unusual section names or high-entropy code sections.
Malware often uses packers (UPX, VMProtect) to hide its code. Shield calculates the Shannon Entropy of file sections; high entropy across large blocks often indicates encrypted or compressed malicious payloads.
Polymorphic malware changes its hash but keeps its structure. Shield uses fuzzy hashing to detect "similarity" between files, catching variants that traditional hash checks miss.
Shield Engine is for educational and research purposes only. Do not use this tool on systems or files you do not own or have explicit permission to analyze. Handling malware should always be done in isolated, non-networked lab environments.
Shield Labs is an open project. We welcome contributions to the scanning engines, signature databases, and documentation.
- GitHub: Shield Project
- Organization: Part of the Shield Labs Security Hub.
© 2026 Shield Labs. Licensed under the MIT License.
