
# Detection Layers

The freeMalwareDetection SDK utilizes a **Defense-in-Depth** architecture. Because no single scanning methodology can identify every type of threat without generating excessive false positives, the device environment is evaluated across multiple distinct analytical layers. This section documents the specific mechanisms the engine uses to evaluate installed applications.

***

## Multi-Layered Security Model

The detection pipeline operates through two consecutive stages, moving from fast, deterministic checks to more complex behavioral analysis:

{% stepper %}
{% step %}

### Static Identification

Fast matching of installed applications against your defined lists of forbidden package names and SHA-256 hashes.
{% endstep %}

{% step %}

### Behavioral & Contextual Analysis

Deep inspection of an app's characteristics, such as whether it was side-loaded from an unofficial source and whether it requests dangerous permissions, to catch zero-day malware.
{% endstep %}
{% endstepper %}
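The two stages can be modelled as follows. This is an added illustration, not the SDK's code or API: the list contents, the flag strings, the `InstalledApp` record, and the rule that stage 2 fires only when an app is both side-loaded and requests a dangerous permission are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed lists for illustration; a real deployment supplies its own.
BLOCKED_PACKAGES = {"com.example.fakebank"}
BLOCKED_HASHES = {hashlib.sha256(b"constructed-malicious-apk").hexdigest()}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
DANGEROUS_PERMISSIONS = {"android.permission.READ_SMS",
                         "android.permission.READ_CONTACTS"}

@dataclass
class InstalledApp:  # hypothetical record, not an SDK type
    package: str
    apk_bytes: bytes           # stand-in for the APK file contents
    installer: Optional[str]   # None models an unknown install source
    permissions: set = field(default_factory=set)

def static_stage(app):
    """Stage 1: deterministic match on package name or SHA-256 hash."""
    reasons = []
    if app.package in BLOCKED_PACKAGES:
        reasons.append("blocklisted_package")
    if hashlib.sha256(app.apk_bytes).hexdigest() in BLOCKED_HASHES:
        reasons.append("blocklisted_hash")
    return reasons

def behavioral_stage(app):
    """Stage 2 (assumed rule): side-loaded AND requests a dangerous permission."""
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    risky = app.permissions & DANGEROUS_PERMISSIONS
    return ["sideloaded_with_dangerous_permissions"] if sideloaded and risky else []

def evaluate(app):
    """Run the stages in order; a static hit short-circuits stage 2."""
    return static_stage(app) or behavioral_stage(app)

# Constructed sample inventory.
SAMPLE_APPS = [
    InstalledApp("com.example.renamed", b"constructed-malicious-apk", "com.android.vending"),
    InstalledApp("com.example.fakebank", b"other-build", None),
    InstalledApp("com.example.unknown", b"novel-sample", None, {"android.permission.READ_SMS"}),
    InstalledApp("com.example.chat", b"chat-build", "com.android.vending", {"android.permission.READ_CONTACTS"}),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.package, evaluate(app))
```

The first sample shows why both list types matter: a renamed package still matches by hash. The last one shows the false-positive control, since a store-installed app requesting a dangerous permission is not flagged.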


{% hint style="info" %}
**Looking for an additional layer?** \
\
[Premium Malware Detection](https://docs.talsec.app/premium-products/product/malware-detection) extends this pipeline with real-time cloud verification against a continuously updated global threat database.
{% endhint %}

***

## Exploring the Layers

The following sections detail the exact evaluation logic, the required configuration, and the resulting incident flags. Review each layer to understand how to construct a comprehensive threat model for your application:

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>App Blocklists</strong></td><td>Static identification mechanisms using package names and cryptographic hashes.</td><td><a href="/pages/9KbpbD7AAfs1wr0nYSbL">/pages/9KbpbD7AAfs1wr0nYSbL</a></td></tr><tr><td><strong>Behavioral Heuristics</strong></td><td>Contextual analysis, installation source verification, and heuristic evaluation logic.</td><td><a href="/pages/jOp2VS3MO6gSeY4UgP7g">/pages/jOp2VS3MO6gSeY4UgP7g</a></td></tr></tbody></table>


