Antivirus products are among the most widely deployed security controls. They run as one line of defense on PCs, tablets and smartphones, at home and in business. Antivirus software was originally developed to detect and remove computer viruses, hence the name. As other kinds of malware proliferated, it grew to protect users from a much wider range of threats. Modern antivirus software can detect malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious LSPs, dialers, fraud tools, adware and spyware. Some products also cover infected and malicious URLs, spam, scams and phishing, online privacy, online banking attacks, social engineering, advanced persistent threats (APTs) and participation in botnet DDoS attacks.
Antivirus products provide two major functions: detection (the main focus of most vendors) and labeling (a by-product of detection). The labels that vendors assign have many uses in cybersecurity, such as guiding disinfection and countermeasures, intelligence gathering and attack attribution. Researchers also rely on AV labels to establish a ground-truth baseline against which to compare their own detection and classification algorithms.
Malware Detection Techniques
AntiVirus software uses multiple techniques to detect malware, each targeting different aspects of malicious behavior or characteristics. Some of these techniques are discussed in this section.
Signature-Based Detection
A signature is a string of bytes, a hash or a small matching rule used to identify a known malware file or family. The antivirus engine scans the contents of a file (and, for executables, often its parsed sections and imports) for patterns that belong to a malware family. Signatures are maintained in a database and compared against files during scanning; the technique is also called string or pattern scanning or matching. Checking a file against a list of signatures (or definitions) is an effective way to detect known malware, and most antivirus and Internet security products rely on it for the bulk of their detections. Its weakness is that newly created or modified malware has no signature yet: a single changed byte defeats a hash signature, and a re-packed sample defeats a byte pattern. Vendors therefore push signature updates from an online database frequently, typically several times a day, and supplement signatures with the techniques described below.
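As an added example (not code from this page or from any vendor), the following Python implements the two simplest forms of signature matching the paragraph describes: an exact SHA-256 lookup and a byte pattern with one-byte wildcards, written in the hex notation that YARA-style rules use. The detection names, patterns and sample bytes are constructed for the demonstration; the last case in the usage block shows why a hash signature stops matching after a single-byte change.

```python
import hashlib
import re
from typing import Dict, List, Tuple


def compile_hex_signature(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex byte pattern such as "4D 5A ?? ?? 50 45" into a bytes regex.
    "??" is a one-byte wildcard; every other token is a literal byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database. The detection names are hypothetical and the
# patterns were written for the constructed samples below, not taken from any vendor.
PATTERN_SIGNATURES: Dict[str, str] = {
    # "MZ", two bytes we do not care about, then "PE": a crude PE-header marker
    "Trojan:Win32/Example.A": "4D 5A ?? ?? 50 45",
    # "urlmon?dll" with the separator wildcarded: a download-helper import
    "TrojanDownloader:Script/Example.B": "75 72 6C 6D 6F 6E ?? 64 6C 6C",
}
COMPILED = {name: compile_hex_signature(p) for name, p in PATTERN_SIGNATURES.items()}

# Hash signatures identify one exact file. The "known" sample is constructed here
# so that the database can be filled deterministically.
KNOWN_SAMPLE = b"MZ\x90\x00PX\x00\x00" + b"\x00" * 16 + b"Example.C payload"
HASH_SIGNATURES: Dict[str, str] = {sha256(KNOWN_SAMPLE): "Trojan:Win32/Example.C"}

# Constructed inputs standing in for file contents
SAMPLE_A = b"MZ\x90\x00PE\x00\x00" + b"\x00" * 8 + b"LoadLibraryA urlmon.dll URLDownloadToFileA"
BENIGN = b"Hello, world. Nothing to see here."


def scan(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (detection name, signature kind, offset) for every signature that hits."""
    hits: List[Tuple[str, str, int]] = []
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        hits.append((name, "hash", 0))
    for name, rx in COMPILED.items():
        m = rx.search(data)
        if m:
            hits.append((name, "pattern", m.start()))
    return hits


if __name__ == "__main__":
    for label, blob in [("sample_a", SAMPLE_A), ("known", KNOWN_SAMPLE),
                        ("known + one byte", KNOWN_SAMPLE + b"\x00"), ("benign", BENIGN)]:
        print(label, scan(blob))
```

The wildcard pattern survives small edits between the fixed bytes, which is why real signatures are written as patterns rather than whole-file hashes; the hash entry, by contrast, no longer matches once a single byte is appended.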
Heuristics-Based Detection
This method aims at generic malware detection: the engine examines a file for suspicious characteristics and instruction patterns without requiring an exact signature match. Rather than matching fixed byte sequences or hashes, heuristic rules look for combinations of features and behaviours that malicious programs exhibit and legitimate programs rarely do, such as dropping files, disguising processes, or injecting or executing code in another process's memory space, and they produce a score or verdict when enough of them are present. Because heuristics look for characteristics rather than exact patterns, they can detect new and emerging threats for which no signature has yet been released.
Many heuristic engines also emulate or execute the program: the application is briefly delayed from starting while its code runs in an isolated virtual environment (a sandbox) on the endpoint. If no suspicious behaviour is observed, the application is allowed to start normally; if it is, execution is blocked. The check typically completes in milliseconds, so the impact on user experience and perceived performance is small. The trade-off is false positives: a legitimate program that behaves like malware (a debugger that writes into another process, an installer that drops executables) can be flagged as malicious. Because it flags deviations from expected behaviour, this method is also called anomaly detection.
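As an added example, not part of the original post, here is a minimal static heuristic scorer in Python of the kind the two paragraphs above describe: weighted rules for suspicious imports plus a Shannon-entropy check for packed payloads, combined into a threshold verdict. The rules, weights, threshold and sample blobs are constructed for illustration and are not any vendor's; the last sample shows the false-positive case, a legitimate debugger whose imports trip the injection rules.

```python
import math
from collections import Counter
from typing import List, Tuple

# Hypothetical static heuristic rules: each feature carries a weight and a file is
# flagged when the total reaches THRESHOLD. Weights are illustrative, not any vendor's.
SUSPICIOUS_IMPORTS = {
    b"VirtualAllocEx": 2, b"WriteProcessMemory": 3, b"CreateRemoteThread": 3,  # process injection
    b"URLDownloadToFileA": 2, b"WinExec": 1, b"ShellExecuteA": 1,               # download-and-run
    b"IsDebuggerPresent": 1,                                                    # anti-analysis
}
ENTROPY_LIMIT = 7.0   # bits per byte; packed or encrypted payloads sit close to 8.0
ENTROPY_WEIGHT = 3
THRESHOLD = 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Score a blob against the rules and explain which ones fired."""
    score, reasons = 0, []
    for api, weight in SUSPICIOUS_IMPORTS.items():
        if api in data:
            score += weight
            reasons.append(f"references {api.decode()} (+{weight})")
    ent = shannon_entropy(data)
    if ent > ENTROPY_LIMIT:
        score += ENTROPY_WEIGHT
        reasons.append(f"entropy {ent:.2f} > {ENTROPY_LIMIT} (+{ENTROPY_WEIGHT})")
    return score, reasons


def is_suspicious(data: bytes) -> bool:
    return heuristic_scan(data)[0] >= THRESHOLD


# Constructed inputs standing in for file contents (import names / strings tables).
INJECTOR = b"kernel32.dll VirtualAllocEx WriteProcessMemory CreateRemoteThread explorer.exe"
PACKED_DROPPER = bytes(range(256)) * 4 + b"WinExec ShellExecuteA"   # uniform bytes: entropy near 8
HELLO = b"kernel32.dll CreateFileA ReadFile WriteFile CloseHandle"
LEGIT_DEBUGGER = b"VirtualAllocEx WriteProcessMemory ReadProcessMemory IsDebuggerPresent"

if __name__ == "__main__":
    for label, blob in [("injector", INJECTOR), ("packed dropper", PACKED_DROPPER),
                        ("hello", HELLO), ("legit debugger", LEGIT_DEBUGGER)]:
        score, reasons = heuristic_scan(blob)
        print(f"{label}: score={score} flagged={score >= THRESHOLD} {reasons}")
```

The debugger sample scores 6 and is flagged even though nothing about it is malicious: the same API combination is what a debugger legitimately uses, which is the false-positive behaviour the paragraph warns about. Lowering the weights reduces false positives but lets real injectors through, and tuning that balance is most of the work in a heuristic engine.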
Machine Learning-Based Detection
This method uses machine learning models trained on large datasets of malware and legitimate files. The models learn patterns in code, structure and behaviour that are too complex to capture in hand-written rules. They can classify large volumes of samples far faster than human analysts, and when trained well they reach high detection rates on both known and unknown samples. Machine learning is used in both static (file-based) and dynamic (behaviour-based) analysis and shortens the reaction time to new samples, offering some protection against previously unseen threats such as APT tooling, zero-day attacks and new ransomware. The caveats are that a model is only as good as its training data, that its verdict comes with a confidence score rather than a family name, and that it is more false-positive prone on unusual but legitimate files than a signature is.
Neural networks are among the most popular machine learning implementations for malware detection. They are trained repeatedly on samples from known malware categories; by extracting features from existing samples and families, they learn to predict whether a new file is malicious from the features it shares with them.
Cloud-Based Detection
This method collects data from protected computers and analyzes it on the vendor's infrastructure instead of locally. The local agent captures relevant details about a file and the context of its execution and sends them to the cloud engine, so it only needs to do minimal processing itself. By correlating data from many systems, the cloud engine can derive patterns in malware characteristics and behaviour, push up-to-the-minute verdicts to all users, and maintain visibility across the global threat landscape. Because a verdict can be checked against the prevalence and reputation of the same file on other systems, cloud lookups also provide an additional layer of mitigation against false positives.
Anti-Virus Detection Names
An antivirus detection name is a label an antivirus engine assigns to identify a specific piece of malware or suspicious code. The names are human-readable and map to particular detection signatures or technologies. Detection names are useful for the following:
Triage
Malware Triage refers to the initial process of analyzing and assessing a potential malware sample to determine its threat level, behavior, and priority for further investigation or action. It is the first look at a suspicious application or code to decide on immediate actions, such as containment, detailed analysis, or potential cleanup. The purpose of triage is to quickly identify high-risk threats that need immediate attention versus lower-risk ones that may not require in-depth investigation immediately. In other words, triage is a preliminary assessment of malware samples to determine the course of action and where scarce resources should be deployed. In malware analysis, a major scarce resource is time.
Indicator of Compromise Identifier
Detection names provide a shorthand for identifying the type and family of malware, helping analysts to quickly understand the nature of the threat. Detection names can inform whether a threat is, for example, ransomware (requiring immediate action) or adware (possibly less critical).
Initial Risk Assessment
Initial Risk Assessment evaluates the potential risk posed by a newly detected malware sample to an organization's assets, systems, and data. This assessment occurs at the beginning of the incident response process, usually right after malware detection or during malware triage. The goal is to quickly understand the severity and scope of the threat, which helps inform immediate actions and allocate resources effectively.
Antivirus software uses specific naming conventions to label and identify malware. Each part of a detection name provides a detail about the malware's characteristics, which helps security professionals and users understand the nature of the threat. Every vendor has its own convention, but most use the five similar components shown in the image below. Some of these components are optional.
- Type - Classifies the nature of the threat from the observed behaviour of a sample. Common types include Adware, Ransomware, Spyware, Backdoor and so on.
- Platform - Specifies the execution environment the malware targets. The platform can also be a programming or scripting language such as PowerShell or VBS, or a framework such as .NET. Some common values:
  - Win32 - targets a 32-bit Windows operating system
  - Android - targets devices running Android
  - Linux - targets GNU/Linux environments
- Family/Umbrella - Identifies the specific group or lineage of malware the sample belongs to, based on shared code, characteristics or behaviour patterns. The family name tells a security professional the likely origin, typical behaviour and potential impact of a threat, and often points to known remediation.
- Variant - Mostly a counter that distinguishes one signature from another; it may consist of numbers, letters or both. In automatically created detections the variant may be derived from the file itself, for example by hashing. It is internal to the vendor. Under the original CARO naming convention the variant identified a specific strain of the malware, but in most products it no longer does.
- Modifier - An optional component giving additional information about the detection or signature, for example:
  - [Gen] - a generic detection covering a range of similar malware
  - [Heur] - a heuristic detection, where the sample was flagged for its behaviour or characteristics rather than a known signature
  - [PUP] - a Potentially Unwanted Program, which may not be malware but is undesirable
- Default values - Because many detection names are produced by automatic systems, two placeholder values appear when the system has no information about the family or type:
  - Trojan - the default type when the malware type is unknown
  - Agent - the default family when the family or umbrella is unknown
The table below shows the detection name formats of major antivirus vendors with examples. Values in square brackets are optional; where a vendor uses more than one format, the alternatives are separated by a semicolon.

| AV Vendor | Format | Example |
|---|---|---|
| Avast | Platform:Family-Variant [Type] | VBS:Downloader-ARK [Trj] |
| AVG | Type Family.Variant | Trojan horse Crypt8.BHV |
| Avira | Type/[Modifier.]Family.Variant | TR/AD.SodinoRansom.wcoir |
| Bitdefender | [Modifier:[Platform.]]Type.Family[.Modifier].Variant | Gen:Trojan.Mresmon.Gen.1 |
| ESET | [Modifier] Platform/[Type.]Family.Variant Type | a variant of MSIL/TrojanDropper.Agent.BPM trojan |
| Kaspersky | [Modifier:]Type.Platform.Family[.Variant] | HEUR:Trojan.Win32.Nymaim.gen |
| McAfee | Platform/Family Type; Platform/Family.Variant.Modifier | RDN/Generic BackDoor; W32/HLLP.11042.gen |
| Microsoft | Type:Platform/Family.Variant[!Modifier] | Trojan:Win32/Reveton.T!lnk |
| Symantec | PlatformOrType.Family.Variant | Trojan.Gen.MBT; W32.Downadup.B |
| Trellix | Type-Variant!Modifier | Trojan-FTSB!A3C061A4FBD1 |
| Sophos | Type/Family-Variant[!Modifier] | Troj/Agent-AH |
| Malwarebytes | Category.Platform.Type.Family.Variant | Malware.Win.Ransom.Emotet.A |
| Panda Security | Type/Family.Variant | Trj/Agent.CKC |
| F-Secure | Type.Family.Variant | Trojan.TR/AD.Cript |
| Comodo | Type@Family[Variant] | Trojan@Agent[11] |
| ClamAV | Platform.Type.Family-Variant | Win.Trojan.Agent-12345 |
| Fortinet | Platform/[Type.]Family.Variant[!Modifier] | W32/Agent.ACXM!tr; Android/Spy.Agent.DX |
| Trend Micro | Type_Family.Variant; Type.Platform.Family.Variant.Modifier | TROJ_GEN.R002C0WGH19 |
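The component list above and the format column of the table can be turned into a parser. The following Python is an added example, not this page's or any vendor's code: it transcribes six of the tabulated formats into regular expressions (Microsoft, Kaspersky, ESET, Sophos, Bitdefender, Avast), splits a name into the five components, and flags the default values Agent and Trojan. The vendor set is a subset, and the assumption that each vendor's names always follow the tabulated format is a simplification; real products emit more shapes than these six patterns cover.

```python
import re
from typing import Dict, List, Optional

FIELDS = ("type", "platform", "family", "variant", "modifier")

# One regex per vendor, transcribed from the format column of the table above.
# Named groups carry the component; a "2" suffix marks a second slot for the
# same component (ESET's trailing type word, Bitdefender's second modifier).
VENDOR_PATTERNS = {
    "Microsoft": re.compile(
        r"^(?P<type>[^:]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
        r"(?:\.(?P<variant>[^!]+))?(?:!(?P<modifier>.+))?$"),
    "Kaspersky": re.compile(
        r"^(?:(?P<modifier>[A-Za-z]+):)?(?P<type>[^.]+)\.(?P<platform>[^.]+)"
        r"\.(?P<family>[^.]+)(?:\.(?P<variant>.+))?$"),
    "ESET": re.compile(
        r"^(?:(?P<modifier>a variant of) )?(?P<platform>[^/ ]+)/(?:(?P<type>[A-Za-z]+)\.)?"
        r"(?P<family>[^. ]+)\.(?P<variant>\S+)(?: (?P<type2>\w+))?$"),
    "Sophos": re.compile(
        r"^(?P<type>[^/]+)/(?P<family>[^-]+)-(?P<variant>[^!]+)(?:!(?P<modifier>.+))?$"),
    "Bitdefender": re.compile(
        r"^(?:(?P<modifier>[A-Za-z]+):)?(?P<type>[^.]+)\.(?P<family>[^.]+)"
        r"(?:\.(?P<modifier2>Gen))?\.(?P<variant>.+)$"),
    "Avast": re.compile(
        r"^(?P<platform>[^:]+):(?P<family>[^-]+)-(?P<variant>\S+)(?: \[(?P<type>[^\]]+)\])?$"),
}


def parse_detection_name(vendor: str, name: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a detection name into the five components. Returns None when the
    vendor is unknown or the name does not follow that vendor's format."""
    rx = VENDOR_PATTERNS.get(vendor)
    if rx is None:
        return None
    m = rx.match(name.strip())
    if m is None:
        return None
    parts: Dict[str, Optional[str]] = {f: None for f in FIELDS}
    for group, value in m.groupdict().items():
        key = group[:-1] if group.endswith("2") else group   # fold type2/modifier2
        if value is not None and parts[key] is None:          # first slot wins
            parts[key] = value
    return parts


def default_components(parts: Dict[str, Optional[str]]) -> List[str]:
    """Components holding the placeholder values automatic systems emit when they
    know nothing: family 'Agent' and type 'Trojan' (or a vendor's abbreviation)."""
    out = []
    if (parts["family"] or "").lower() == "agent":
        out.append("family")
    if (parts["type"] or "").lower() in {"trojan", "troj", "trj", "tr"}:
        out.append("type")
    return out


if __name__ == "__main__":
    for vendor, name in [("Microsoft", "Trojan:Win32/Reveton.T!lnk"),
                         ("ESET", "a variant of MSIL/TrojanDropper.Agent.BPM trojan"),
                         ("Sophos", "Troj/Agent-AH")]:
        parts = parse_detection_name(vendor, name)
        print(vendor, name, parts, "defaults:", default_components(parts))
```

Parsing Troj/Agent-AH reports both components as defaults, which is the signal that the name carries no family information at all; parsing the ESET example reports only the family as a default, since TrojanDropper is a concrete type.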
Specific Vs Unspecific Detection Names
Specific names refer to exact, identifiable malware families. Such detections occur when the antivirus engine recognizes a known signature, behaviour or indicator of a particular variant, and they are more likely to be true positives. A specific name like Wannacry.Ransomware directly identifies the malware or its family, which lets users and researchers look up the threat and any known remediation steps.
Some medium-specific names only describe a characteristic of the sample. FakeAdobe, for example, says that the malware pretends to be legitimate Adobe software, but does not name a family.
Unspecific detection names, on the other hand, flag a potential threat based on general characteristics that resemble malware-like behaviour or patterns. Examples are generic labels such as Trojan.Generic or Malware.Heuristic. They indicate that the engine saw suspicious activity or code patterns often associated with malware, but does not know exactly what the file is.
Unspecific names are more false-positive prone. They are produced by automatic systems without specific knowledge of the underlying malware, and may originate from blocklist entries or from machine learning or heuristic detection technologies.
How To Identify Specific and Unspecific AV Detection Names
Here are some indications that a detection name is specific or unspecific.
Specific
- The name includes a known malware family or umbrella name, such as Emotet, Trickbot, QakBot or CobaltStrike, rather than the placeholder Agent.
- The name has a concrete, known type rather than the placeholder Trojan.
- The name includes an identifier for a particular variant, such as .v2, .B or _GenX. Hand-written variants tend to be short; automatically generated ones can be long:
  - short variant - MSIL.Trojan-Spy.Cyborg.C
  - long variant - MSIL.Trojan-Spy.Cyborg.LDJFSB (typically created by an automatic system)
- The name may include a term describing a distinctive behaviour. For example, Infostealer.Zeus suggests an information-stealing variant of the Zeus family.
- The name may include a date or year marking the version or variant identified at that time, often tied to a major outbreak. For example, Ransom.WannaCry.2017 would denote the 2017 WannaCry outbreak.
Unspecific
These tend to carry terms that indicate a general classification rather than a specific identification:
- @gen, Gen, GEN, Generic - a generic detection covering a class of threats rather than one family
- @susp, Suspicious, "a variant of" - the sample is flagged as suspicious or as resembling something known, not positively identified
- HEUR, Heuristic, Heur - a detection based on behaviour patterns or heuristic analysis rather than specific malware traits
- Unsafe, Dangerous, Score, Malicious, Confidence - a verdict with a score or confidence level, not an identification
- !ml, .ml, AI - a machine-learning-based detection
- Agent - no known family name
- Trojan - no known type name
- Kazy, Razy, Zusy, Graftor, WisdomEyes, Artemis - detection technologies or coined labels, not malware families
The actual identification of a malware family by an antivirus engine is the strongest sign of specificity, and analysts prefer specific names to unspecific ones. The image below shows the detection names of a packed Ursnif sample by different antivirus vendors, colour-coded as follows:
- Green - specific detection names that identify the family
- Blue - specific detection names that are descriptive but do not identify the family
- Not marked - unspecific detection names that carry no information
There are certain keywords in the family/umbrella position that carry little specific meaning. Vendors use them for simplicity or broad categorization; they give no actionable information about the malware family or its inner workings. Some name a detection technology instead of a family, and some describe a protection mechanism (packing, encryption, obfuscation) applied by the malware author or a third party.

| Keyword | Meaning |
|---|---|
| Kryptik, Krypt, Cryptik, Crypt, Packed | The sample's code is encrypted, packed or wrapped by a crypter. The keyword describes this protection layer, not a family, and says nothing about what the payload does once unpacked. |
| Injector, Inject | Malware that inserts code into other processes; the injection method is not specified. |
| Obfus | The code has been deliberately obscured to hinder reading and analysis; used mostly for malicious script files. It does not specify the type or behaviour, only that the code is obfuscated. |
| AntiXY | XY stands for a technique or environment such as VM, Sandbox, AntiVirus or Debug. The keyword flags the sample's resistance to that analysis technique, which makes it harder for researchers and automated tools to inspect and classify, but says little about the core functionality beyond the evasion. |
| FakeXY, XYFake | XY stands for common software, a service or an entity such as AV, App or Installer. The malware impersonates that legitimate software or service to trick users into installing or interacting with it. |
| Corrupt, Corrupted, Malformed | The file is damaged, incomplete or deliberately altered so that standard software cannot load it. It is recognized as suspicious and possibly harmful, but may not be functional in the usual sense; it may have been modified to obstruct analysis. |
| Patched | A legitimate file that has had malicious code added to it, rather than a standalone malware file. Such files are harder to detect and remove without affecting system functionality. |
| Agent | A generic label for malware with no specific family or identifiable characteristics; the sample's structure, origin or behaviour was not distinct enough to place it under a known family/umbrella. |
| Razy, Kazy, Zusy, Graftor | Generic or coined labels used by the Bitdefender engine for groups of malware without defining characteristics. They carry no specific meaning about the malware's behaviour or technical attributes. |
| WisdomEyes | A detection technology developed by Qihoo 360, a Chinese cybersecurity company. It is not a malware type or family but a proprietary detection engine; when it appears in a detection name it identifies the engine that fired, not what was found. |
| Artemis | A generic detection technology used by McAfee. It signals a hit from McAfee's cloud-based heuristic and real-time scanning system rather than a distinct malware family/umbrella. |
Caveat: Identical Antivirus Detection Names
A result such as the one shown in the image below might be obtained when a sample is analyzed on VirusTotal. How should it be interpreted?
Many antivirus vendors license third-party engines for scanning and detection; smaller vendors in particular often license the engine of a larger, established company. Their products then emit identical detection names for the same file. In the image above, every one of the matching results stems from one and the same engine, Bitdefender's. A list of antivirus vendors and the third-party engines they use can be obtained here.
When several vendors report exactly the same detection name, including the same variant, treat it as one scanner, not several. Count the detection once (not six times, as in the example above) when judging how useful and informative the results are. A sample whose detections all come from one engine, echoed by several products, is more likely to be a false positive than a sample detected independently by multiple engines.
Packed Vs Unpacked Malware Detection
A packed sample is compressed or encrypted so that its real code is hidden from static analysis, which makes it hard for antivirus engines to classify it precisely. Detections on packed samples therefore often carry generic names such as Packed.Generic, Trojan.Obfuscated or simply Generic.Trojan.
Once unpacked, the actual code is exposed and engines can analyze it fully, which usually yields a more specific name identifying the family and behaviour (for example, Emotet.Backdoor). Keep in mind that the scanners on VirusTotal do not use the full capability of the installed product: they mostly rely on signatures that hit on the file at rest, without executing it, and in-memory scanning is not involved. Precisely identifying a packed file without running it is often difficult or impossible. It is therefore recommended to unpack a sample before scanning it to obtain better results.
Antivirus detection names can contain useful information, but the reader must be aware that the information in them is sometimes wrong. So, given a scan listing from a service like VirusTotal, how do you know which detection names to trust? A rule of thumb:
The more specific detections from distinct scanning engines that agree with one another, the more likely the information is correct; one specific name echoed by licensed copies of the same engine counts as a single vote.
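As an added example tying together the specific/unspecific indicators listed earlier, the identical-name caveat, and this rule of thumb, the following Python classifies each detection name using the marker lists from this page, collapses identical strings to one engine, and counts family agreement among the remaining specific names. It is not this page's code. The marker sets are taken from the lists above; the rule that a family appears as a TitleCase token while variants are upper-case or numeric counters is an assumption of this example (it holds for the names in the vendor table); and the scan listing is constructed to resemble a VirusTotal result, not taken from a real one.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Markers the text above lists as signs of a generic, heuristic or ML detection.
UNSPECIFIC_MARKERS = {"gen", "generic", "susp", "suspicious", "heur", "heuristic", "unsafe",
                      "dangerous", "score", "malicious", "confidence", "ml", "ai",
                      "kazy", "razy", "zusy", "graftor", "wisdomeyes", "artemis"}
DEFAULT_FAMILY = {"agent"}                                   # emitted when the family is unknown
DEFAULT_TYPE = {"trojan", "troj", "trj", "tr", "malware"}    # emitted when the type is unknown
PLATFORMS = {"win32", "win64", "w32", "win", "msil", "android", "linux", "vbs", "js", "script"}
TYPE_WORDS = {"ransom", "backdoor", "spy", "downloader", "dropper", "adware", "spyware", "worm",
              "virus", "pup", "trojandropper", "trojandownloader", "trojanspy", "infostealer"}
WEAK_FAMILY = {"kryptik", "krypt", "cryptik", "crypt", "packed", "injector", "inject", "obfus",
               "corrupt", "corrupted", "malformed", "patched"}   # keyword table above
NOT_A_FAMILY = DEFAULT_FAMILY | DEFAULT_TYPE | PLATFORMS | TYPE_WORDS | WEAK_FAMILY


def is_generic_token(tok: str) -> bool:
    tok = tok.lower()
    return tok in UNSPECIFIC_MARKERS or tok.startswith(("generic", "heur"))


def family_candidates(name: str) -> List[str]:
    """TitleCase tokens that are not a type, platform, weak keyword or generic marker.
    Assumption: vendors write families in TitleCase and variants as upper-case or numeric
    counters, which holds for the examples in the vendor table."""
    return [t for t in re.findall(r"[A-Za-z][A-Za-z0-9]*", name)
            if re.match(r"[A-Z][a-z]", t) and t.lower() not in NOT_A_FAMILY
            and not is_generic_token(t)]


def classify(name: str) -> Tuple[str, str]:
    """Return ("specific" | "unspecific", reason) for one detection name."""
    low = name.lower()
    if "a variant of" in low:
        return "unspecific", "'a variant of' wrapper"
    toks = [t for t in re.split(r"[^a-z0-9]+", low) if t]
    markers = [t for t in toks if is_generic_token(t)]
    if markers:
        return "unspecific", f"generic marker '{markers[0]}'"
    fams = family_candidates(name)
    if fams:
        return "specific", f"family '{fams[0]}'"
    if any(t in DEFAULT_FAMILY for t in toks):
        return "unspecific", "default family 'Agent'"
    return "unspecific", "no family component"


def dedupe(results: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group vendors by the exact detection string. Identical strings, variant included,
    almost always come from one licensed engine and should count once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for vendor, name in results:
        groups[name].append(vendor)
    return dict(groups)


def summarize(results: List[Tuple[str, str]]) -> Dict[str, object]:
    groups = dedupe(results)
    votes: Counter = Counter()
    for name in groups:                        # one vote per distinct name, not per vendor
        if classify(name)[0] == "specific":
            votes[family_candidates(name)[0].lower()] += 1
    consensus = votes.most_common(1)[0] if votes else (None, 0)
    return {"raw_detections": len(results), "distinct_names": len(groups),
            "family_votes": dict(votes), "consensus": consensus}


# Constructed scan listing in the shape of a VirusTotal result: (vendor, detection name).
# The names follow the vendors' formats but were made up for this demonstration.
SCAN_RESULTS = [
    ("Microsoft", "Trojan:Win32/Ursnif.RA"),
    ("Kaspersky", "HEUR:Trojan.Win32.Generic"),
    ("ESET", "a variant of Win32/Kryptik.HLPQ"),
    ("Bitdefender", "Trojan.Ursnif.A"),
    ("GData", "Trojan.Ursnif.A"),            # same string as Bitdefender: licensed engine
    ("Emsisoft", "Trojan.Ursnif.A"),         # same string again
    ("Sophos", "Troj/Ursnif-AX"),
    ("McAfee", "Artemis!ABCDEF123456"),
    ("Fortinet", "W32/Agent.ACXM!tr"),
    ("Avast", "Win32:Malware-gen"),
]

if __name__ == "__main__":
    for vendor, name in SCAN_RESULTS:
        print(f"{vendor:12} {name:40} {classify(name)}")
    print(summarize(SCAN_RESULTS))
```

On the constructed listing the naive count is five vendors naming Ursnif; after collapsing the three identical Trojan.Ursnif.A strings to one engine, the summary reports three independent specific votes for Ursnif out of eight distinct names, which is the figure the rule of thumb asks for. The seven remaining entries are unspecific for the reasons the lists above give (heuristic marker, "a variant of" wrapper, Artemis, default family Agent, gen).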