Encryption Detection Module

Overview

The Encryption Detection Module searches for files that could be encrypted using an entropy calculation.

Running the module

The module's settings can be configured at runtime.

Minimum entropy can be set higher or lower, depending on how many false hits are being produced. There is also an option to only run the test on files whose size is a multiple of 512, which is useful for finding certain encryption algorithms.

Viewing results

Files that pass the test are shown in the Results tree under "Encryption Suspected".

Each hit also generates an inbox message. These are viewed through the warning triangle near the top of the screen.

Selecting one of the encryption detection hits displays the calculated entropy of the file.