Symptoms:

```
VolatilityError: Volatility3 not found in PATH
```

Solutions:

- Verify installation:

  ```bash
  which vol
  pip show volatility3
  ```

- Reinstall:

  ```bash
  pip uninstall volatility3 -y
  pip install volatility3
  ```

- Add to PATH (Linux/macOS):

  ```bash
  export PATH="$HOME/.local/bin:$PATH"
  ```

- Manual installation:

  ```bash
  git clone https://github.com/volatilityfoundation/volatility3.git
  cd volatility3
  pip install -e .
  ```
Symptoms:

```
ERROR: malhunt requires Python >=3.10
```

Solutions:

- Check Python version:

  ```bash
  python --version
  python3.10 --version
  ```

- Use virtual environment:

  ```bash
  python3.10 -m venv venv
  source venv/bin/activate
  pip install malhunt
  ```

- Use pyenv (recommended):

  ```bash
  pyenv install 3.10.0
  pyenv local 3.10.0
  ```
Symptoms:

```
ModuleNotFoundError: No module named 'volatility3'
```

Solutions:

```bash
# Install dependencies
pip install volatility3 yara-python requests pyclamd loguru

# Or install with extras
pip install 'malhunt[dev]'
```

Symptoms:

```
Error: Memory dump not found: /path/to/dump.raw
```

Solutions:

- Verify file exists:

  ```bash
  ls -lh /path/to/dump.raw
  ```

- Use absolute path:

  ```bash
  malhunt /absolute/path/to/dump.raw   # instead of: malhunt ./dump.raw
  ```

- Check permissions:

  ```bash
  # Ensure the dump is readable
  chmod +r /path/to/dump.raw
  ```
Symptoms:

```
WARN: Volatility3 profile identification not implemented
```

Status: Feature is being improved

Workaround:

```python
from malhunt import Malhunt
from pathlib import Path

mh = Malhunt(Path("memory.dump"))

# Skip profile detection, run scans directly
mh.run_scans()

# Or specify profile manually if known
mh.vol.pslist()
```

Symptoms:

```
ERROR: Volatility command timed out after 300s
```

Solutions:

- Increase timeout:

  ```python
  # Modify src/malhunt/volatility.py
  # Change the timeout parameter (default 300s = 5 min)
  timeout: int = 600  # 10 minutes
  ```

- Check system resources:

  ```bash
  # Monitor RAM/CPU
  top   # or htop
  ```

- Run individual scans:

  ```python
  from pathlib import Path
  from malhunt import Malhunt

  mh = Malhunt(Path("memory.dump"))

  # Run only YARA
  if mh.rules_file.exists():
      yara_results = mh.yara_scanner.scan()
  ```

- Use simpler rules:

  ```bash
  # Custom lightweight rules
  malhunt memory.dump --rules simple_rules.yar
  ```
Symptoms:

- System becomes unresponsive
- "Out of memory" errors
- Analysis stops unexpectedly

Solutions:

- Check system specs:

  ```bash
  # Linux
  free -h
  cat /proc/cpuinfo | grep processor | wc -l

  # macOS
  vm_stat
  system_profiler SPHardwareDataType
  ```

- Close unnecessary programs:
  - Close large applications
  - Free up RAM

- Use smaller YARA rule sets:

  ```bash
  # Create subset of rules
  malhunt memory.dump --rules essential_rules.yar
  ```

- Analyze in stages:

  ```python
  from pathlib import Path
  from malhunt import Malhunt

  mh = Malhunt(Path("memory.dump"))

  # YARA only
  yara_results = mh.yara_scanner.scan()
  print(f"YARA: {len(yara_results)} findings")

  # Malfind only (fresh instance)
  mh2 = Malhunt(Path("memory.dump"))
  malfind_results = mh2.malfind_scanner.scan()
  ```
Symptoms:

```
ERROR: Failed to download rules
```

Solutions:

- Check internet connection:

  ```bash
  ping github.com
  ```

- Manual download: instead of relying on the automatic ZIP fetch, you can manually place a merged YARA file:

  ```bash
  mkdir -p ~/.malhunt
  # Download the latest yara-rules-full.yar from
  # https://github.com/YARAHQ/yara-forge/releases/latest/
  # and save it as ~/.malhunt/malware_rules.yar
  ```

- Use local rules:

  ```bash
  malhunt memory.dump --rules /path/to/local/rules.yar
  ```
Symptoms:

```
WARN: Skipping rule with incompatible imports
```

Note: This is expected and normal.

Exclusions:

- Rules using `import "math"`
- Rules using `import "cuckoo"`
- Rules using `import "hash"`
- Rules using `imphash`

These are filtered automatically.
Symptoms:

```
WARN: ClamAV (clamscan) not found in PATH
```

Status: Optional - analysis continues without it

To install:

```bash
# macOS
brew install clamav

# Linux (Debian/Ubuntu)
sudo apt-get install clamav

# Linux (Fedora/RHEL)
sudo dnf install clamav

# Verify
clamscan --version
```

Symptoms:

```
WARN: ClamAV signature database may be outdated
```

Solution:

```bash
# Update signature database
sudo freshclam
```

Symptoms:

```
ERROR: Permission denied creating artifacts directory
```

Solutions:

- Check output directory permissions:

  ```bash
  # Run from a writable directory
  cd ~/Desktop
  malhunt /path/to/memory.dump
  ```

- Create output directory manually:

  ```bash
  mkdir -p ~/malhunt_output
  cd ~/malhunt_output
  malhunt /path/to/memory.dump
  ```

- Check disk space:

  ```bash
  # Ensure ~10GB free for large dumps
  df -h
  ```
Symptoms:

```
WARN: Failed to dump process {pid}
```

Solutions:

- Check memory dump validity:

  ```bash
  vol -f memory.dump windows.pslist | head
  ```

- Ensure sufficient disk space:

  ```bash
  # Artifacts dir needs 2-3x dump size
  du -sh memory.dump
  df -h .
  ```

- Run with verbose logging:

  ```bash
  malhunt memory.dump --verbose
  ```
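The environment checks above (Python version, Volatility3 on PATH, dump readability, ClamAV presence, and the 2-3x-dump-size rule for the artifacts directory) can be run as one pre-flight script before starting an analysis. This is an added example, not part of malhunt; it assumes the artifacts directory is the current working directory unless a second argument is given, and uses the upper end (3x) of the 2-3x rule.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a malhunt run (added example, not malhunt's own code).
# Usage: preflight.sh /path/to/memory.dump [artifacts_dir]

# Return 0 if version "$1" (e.g. "3.10.4") is at least 3.10, the malhunt minimum.
python_version_ok() {
    local major minor
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%.*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 10 ]; }
}

# Free space (KB) the artifacts directory needs for a dump of $1 KB (3x rule).
required_free_kb() {
    echo $(( $1 * 3 ))
}

# Return 0 if free space $2 (KB) covers 3x the dump size $1 (KB).
disk_space_ok() {
    [ "$2" -ge "$(required_free_kb "$1")" ]
}

preflight() {
    local dump=$1 outdir=${2:-.} status=0 pyver
    pyver=$(python3 --version 2>/dev/null | awk '{print $2}')
    if python_version_ok "${pyver:-0.0}"; then echo "OK   python $pyver"
    else echo "FAIL python >=3.10 required (found ${pyver:-none})"; status=1; fi

    if command -v vol >/dev/null 2>&1; then echo "OK   vol at $(command -v vol)"
    else echo "FAIL Volatility3 (vol) not in PATH"; status=1; fi

    if [ -r "$dump" ]; then
        echo "OK   dump readable: $dump"
        local dump_kb free_kb
        dump_kb=$(du -k "$dump" | awk '{print $1}')
        free_kb=$(df -Pk "$outdir" | awk 'NR==2{print $4}')
        if disk_space_ok "$dump_kb" "$free_kb"; then echo "OK   ${free_kb}KB free in $outdir"
        else echo "FAIL need $(required_free_kb "$dump_kb")KB free in $outdir, have ${free_kb}KB"; status=1; fi
    else echo "FAIL dump missing or unreadable: $dump"; status=1; fi

    # ClamAV is optional: warn only, do not fail the pre-flight.
    if command -v clamscan >/dev/null 2>&1; then echo "OK   clamscan found"
    else echo "WARN clamscan not found (optional, analysis continues without it)"; fi
    return $status
}

if [ $# -ge 1 ]; then preflight "$@"; fi
```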
Factors:

- Dump size (analysis time increases with size)
- YARA rule complexity
- System performance
- Network latency (for IP checks)

Optimization Tips:

- Disable network checks:

  ```python
  from pathlib import Path
  from malhunt import Malhunt
  from malhunt.scanner import NetworkScanner

  mh = Malhunt(Path("memory.dump"))

  # Use a dummy checker so no IP lookups are made
  network_scanner = NetworkScanner(mh.vol, ip_checker=lambda x: False)
  ```

- Use faster YARA rules: smaller, focused rule sets

- Parallel processing (future feature): currently sequential; would improve with parallelization

- SSD storage: use SSD for dump and artifacts
When reporting issues, include:

```bash
# System information
python --version
pip show malhunt volatility3 yara-python
which vol
vol --help | head -5

# Run analysis with debug output
malhunt memory.dump --verbose 2>&1 | tee malhunt_debug.log
```

Include:

- Command executed
- Error message (full output)
- Debug log (`malhunt --verbose`)
- System info (OS, Python, Volatility3 version)
- Memory dump size and approximate profile