Decoding Anti-Virus Detection Names For Malware Analysts




AntiVirus products are some of the most widely used security protection systems. They are deployed as one of the lines of defense on PCs, tablets, and smartphone devices for home and business use. Antivirus software was originally developed to detect and remove computer viruses, hence the name. However, with the proliferation of other malware, antivirus software started to protect itself from other computer threats. In particular, modern antivirus software can protect users from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious LSPs, dialers, fraud tools, adware, and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity (privacy), online banking attacks, social engineering techniques, advanced persistent threat (APT), and botnet DDoS attacks.


AntiVirus products provide two major functionalities - detection (the main focus of many AntiVirus vendors, and labeling (a by-product of the function of malware detection). The labeling provided by AntiVirus vendors has many applications in cybersecurity such as guiding efforts of disinfection and countermeasures, intelligence gathering, and attack attribution, among others.  Furthermore, researchers rely on AV labels to establish a ground truth baseline to compare their detection and classification algorithms


Malware Detection Techniques

AntiVirus software uses multiple techniques to detect malware, each targeting different aspects of malicious behavior or characteristics. Some of these techniques are discussed in this section.


Signature-Based Detection

A signature refers to a string of data or algorithms that is used to uniquely identify malware. The antivirus program disassembles the code of the infected file and searches for the pattern that belongs to a malware family. Signatures of the malware are maintained in a database and then further used for comparison in the detection process. This kind of detection technique is also known as string or pattern scanning or matching. By checking a program or file against a list of malware signatures (or definitions), antivirus software can determine if the program or file contains malware. Most antivirus and Internet security programs reference a database of malware signatures when scanning files for malware. This is an effective way to detect known malware. However, when new malware is created, antivirus software may not recognize them. Therefore, most antivirus programs automatically update the virus signatures from an online database regularly (such as once a week).


Heuristics-Based Detection

This method aims at generic malware detection by statically examining files for suspicious characteristics without an exact signature match. Rather than relying on signatures or binary or code fingerprints, heuristic detection relies on complex algorithms that check for instructions, and specify actual patterns and behaviors within the application, which may indicate that it is malicious. This works because malicious programs inevitably attempt to perform actions in a context that legitimate applications do not. Examples of suspicious behavior would include attempting to drop files or disguise processes injecting or executing code in another process’s memory space. Because heuristic detection looks for behavioral characteristics rather than relying on simple pattern-matching, they can detect and block new and emerging threats for which a signature or fingerprint has yet to be released.


The majority of heuristic detections temporarily delay applications from starting while the code is executed in a virtual environment that is completely isolated – or sandboxed - from the endpoint. If no suspicious behavior is observed, the computer is instructed to start the application normally. If suspicious behavior is observed, the program execution is blocked. The entire process happens in milliseconds and so has practically no impact on either the user experience or perceived performance. However, this method can also generate false positive matches when antivirus software detects a program behaving similarly to a malicious program and incorrectly identifies it as a virus. This method is also known as an anomaly detection technique.


Machine Learning-Based Detection

This method uses Machine Learning Models trained on vast datasets of malware and legitimate files. These models can identify malicious files based on patterns in code, structure, and behavior that are too complex for traditional algorithms. Machine-learning algorithms significantly improve detection time for modern threats, as they can analyze large amounts of data significantly faster than any human would. When trained to accurately detect various types of malware behavior, machine-learning algorithms yield a high detection rate, both for known and unknown samples. Incorporating machine learning into both static (file-based) and dynamic (behavior-based) malware analysis significantly accelerates reactions against new malware samples, offering protection even from previously unknown threats – APTs, zero-day attacks, and ransomware.


Neural Networks are some of the most popular implementations of machine learning algorithms that are designed to increase malware detection rates using repeated training sessions on popular malware categories. Allowing these algorithms to extract features from existing malware samples or families enables them to learn to predict future malware based on shared similar features.


Cloud-Based Detection

This method identifies malware by collecting data from protected computers while analyzing it on the provider's infrastructure instead of performing the analysis locally. This is usually done by capturing relevant details about the application and the context of its execution on the endpoint and providing them to the cloud engine for processing. The local AntiVirus software only needs to perform minimal processing. The vendor's cloud engine can derive patterns related to malware characteristics and behavior by correlating data from multiple systems. Cloud-based detection offers up-to-the-minute protection and visibility across the global threat landscape. It provides global users with real-time protection as well as an additional layer of mitigation against false positives.


Anti-Virus Detection Names

An AntiVirus detection name is a label assigned by an antivirus agent to identify a specific piece of malware or suspicious code. These names are human-readable and map to certain detection signatures or technology. AntiVirus detection names are useful for the following:


Triage

Malware Triage refers to the initial process of analyzing and assessing a potential malware sample to determine its threat level, behavior, and priority for further investigation or action. It is the first look at a suspicious application or code to decide on immediate actions, such as containment, detailed analysis, or potential cleanup. The purpose of triage is to quickly identify high-risk threats that need immediate attention versus lower-risk ones that may not require in-depth investigation immediately. In other words, triage is a preliminary assessment of malware samples to determine the course of action and where scarce resources should be deployed. In malware analysis, a major scarce resource is time.


Indicator of Compromise Identifier

Detection names provide a shorthand for identifying the type and family of malware, helping analysts to quickly understand the nature of the threat. Detection names can inform whether a threat is, for example, ransomware (requiring immediate action) or adware (possibly less critical).


Initial Risk Assessment

Initial Risk Assessment evaluates the potential risk posed by a newly detected malware sample to an organization's assets, systems, and data. This assessment occurs at the beginning of the incident response process, usually right after malware detection or during malware triage. The goal is to quickly understand the severity and scope of the threat, which helps inform immediate actions and allocate resources effectively.


AntiVirus software uses specific naming conventions to label and identify various types of malware. Each part of a detection name provides details about the malware characteristics which helps security professionals and users understand the nature of the threat. All AntiVirus software vendors have their own detection name conventions but most use five similar components shown in the image below. It should be noted that some of these components are optional.





  • Type - This component classifies the nature of the threat from an observation of the behaviour of a malware sample. Common types specified by AntiVirus agents include Adware, Ransomware, Spyware, Backdoor, and so on.
  • Platform - This component specifies the execution environment the malware targets. Some of them are listed below. The Platform could also mean certain programming or scripting languages such as PowerShell, VBS, or certain frameworks such as .NET
    • Win32 - Indicates it targets a 32-bit Windows Operating system
    • Android - Indicates that it targets devices running Android OS
    • Linux - Indicates it targets GNU/Linux environments.
  • Family/Umbrella - This component identifies the specific group or lineage of malware to which a particular sample belongs. This component is crucial for categorizing malware based on shared characteristics, codebase, or behaviour patterns. The malware family name helps security professionals understand the origin, typical behaviour, and potential impact of a threat, often aiding in crafting more effective defenses.
  • Variant - This is mostly just a counter to distinguish different signatures from each other. The variant may consist of numbers, letters, or both. In automatically created detections, the variant portion may also be generated from the file itself, for example, via hashing. This portion is internal for the Antivirus software vendor. In the past, specifically during the CARO naming convention, the Variant portion used to mean the specific variant or strain of malware. But it is not so anymore.
  • Modifier - This is an optional component. It gives additional information about the malware type or signature characteristics. It could state some of the following.
    • [Gen]: - This indicates a generic detection, covering a range of similar malware.
    • [Heur]: - This refers to heuristic detection, where the malware was detected based on its behaviour rather than a known signature.
    • [PUP] - This refers to a Potentially Unwanted Program, which may not be malware but is undesirable.
  • Default Values - There are two default values that the reader should be cognizant of. Since a lot of the detection names are created by automatic systems, these systems provide some default names when they have no information about the malware family or type.
    • Trojan - This is the default name automatic systems generate when the malware type is unknown.
    • Agent - This is the default name provided when the malware family or umbrella is unknown.

The table below shows the detection names format for major AntiVirus Vendors with examples. Values in square brackets are optional values.


AV Vendor

Format

Example

Avast

Platform:Type1-Modifier \[Type2\]

VBS:Downloader-ARK [Trj]

AVG

Type Family.Variant 

Trojan horse Crypt8.BHV

Avira

Modifier/[Type.]Family.Variant

TR/AD.SodinoRansom.wcoir 

Bitdefender

[Modifier:[Platform.]]Type.Family[.Modifier].Variant 

Gen:Trojan.Mresmon.Gen.1 

ESET

[Modifier] Platform/[Type.]Family.Variant Type

a variant of MSIL/TrojanDropper.Agent.BPM trojan

Kaspersky

[Modifier:]Type.Platform.Family[.Variant] 

HEUR:Trojan.Win32.Nymaim.gen 

McAfee

Platform/Family Type Platform/Family.Variant.Modifier

RDN/Generic BackDoor W32/HLLP.11042.gen

Microsoft

Type:Platform/Family.Variant[!Modifier] 

Trojan:Win32/Reveton.T!lnk

Symantec

PlatformOrType.Family.Variant

Trojan.Gen.MBT 

W32.Downadup.B

Trellix

Type-Variant!Modifier

Trojan-FTSB!A3C061A4FBD1

Sophos

Type/Family-Variant[!Modifier]

Troj/Agent-AH

Malwarebytes

Category.Platform.Type.Family.Variant

Malware.Win.Ransom.Emotet.A

Panda Security

Type/Family.Variant

Trj/Agent.CKC

F-Secure

Type.Family.Variant

Trojan.TR/AD.Cript 

Comodo

Type@Family[Variant]

Trojan@Agent[11]

ClamAV

PlatformOrType.Family.Variant

Win.Trojan.Agent-12345

Fortinet

Platform/Family.Variant[!Modifier]

W32/Agent.ACXM!tr

Android/Spy.Agent.DX

Dr. Web

Type.Family.Variant

Trojan.DownLoader1.30281

Trend Micro 

Type_Family.Variant

Type.Platform.Family.Variant.Modifier 

TROJ_GEN.R002C0WGH19


Specific Vs Unspecific Detection Names

Specific names refer to exact, identifiable malware families. These detections typically occur when the AntiVirus agent recognizes a known signature, behaviour, or indicator within a specific variant of malware. They are more likely true positive. For example, a specific detection name like Wannacry.Ransomware directly identifies the malware or its family, allowing users or researchers to understand the threat and any known remediation steps.


Some medium-specific detection names just name some characteristics of the malware sample under investigation. For example, FakeAdobe. This means the malware is pretending to be legitimate Adobe software.


Unspecific detection names, on the other hand, identify potential threats based on general characteristics that match malware-like behaviours or patterns. Examples include generic labels such as Trojan.Generic or Malware.Heuristic. These names indicate that the AntiVirus agent detected suspicious activity or code patterns often associated with malware, but it does not know exactly what it is. 


Unspecific detection names are more false-positive prone. They are generated by automatic systems without specific knowledge of the underlying malware. They can be blocklist entries or created by Machine Learning or Heuristic detection technologies.


How To Identify Specific and Unspecific AV Detection Names

Here are some indications that an AV detection name might be specific or unspecific.


Specific

  • The detection name includes a known malware family or umbrella name. Examples include Emotet, Trickbot, QakBot, and CobaltStrike. They do not use Agent as a Family/Umbrella component.
  • They have a concrete or known type. They do not use Trojan as a type name.
  • Detection names include unique identifiers for specific variants of malware such as .v2, .B, or _GenX. They tend to have small variant components but may sometimes have long variant components too
    • small variant - MSIL.Trojan-Spy.Cyborg.C
    • long variant - MSIL.Trojan-Spy.Cyborg.LDJFSB - Typically created by automatic systems.
  • Detection names may include terms describing a unique behaviour. For example, Infostealer.Zeus suggests it is an information-stealing variant of the Zeus family.
  • Detection names may include date or year references indicating a version or variant identified in that year. This is often associated with major outbreaks. For example, Ransom.WannaCry.2017 would specify the 2017 outbreak of the WannaCry ransomware.

Unspecific

These tend to have terms indicative of general classification rather than specificity. They include


  • @gen, Gen, GEN, Generic - refer to general threat classifications rather than specific malware
  • @susp, Suspicious, a variant of
  • HEUR, Heuristic, Heur - Suggestive of detection based on behaviour patterns or heuristic analysis rather than specific malware traits.
  • Unsafe, Dangerous, Score, Malicious, Confidence
  • !ml, .ml, AI - Indicative of Artificial Intelligence/Machine learning-based detection
  • Agent - No known family name
  • Trojan - No known type name
  • Detection technologies such as Kazy, Razy, Zusy, Graftor, WisdomEyes, and Artemis - These are not specific malware families.


The actual identification of a malware family by an AntiVirus agent is suggestive of specificity, and specific names are preferred to unspecific ones by analysts. The image below shows the detection names of a packed Ursnif sample by different anti-virus vendors.


  • Green - denotes specific detection names, including family identification.
  • Blue - denotes specific detection names, descriptive without identification
  • Not marked - unspecific detection names, no information




There are certain keywords in the malware family/umbrella name that often lack specific meaning. These terms are often employed in AntiVirus malware detections for simplicity or broad categorization, but without specific, actionable information about the malware family or its inner workings. They may also represent detection technologies, or describe the protection mechanism put in place by the malware author or a third party.


Keyword

Meaning

Kryptik, Krypt, Cryptik, Crypt, Packed 

Refers to malware with cryptographic features (like encryption)

Injector, Inject

Used for malware that inserts code into processes; lacks specificity on injection method

Obfus

Indicates that the malware has been intentionally obscured to make its code harder to read or analyze. It is mostly used for malicious script files. It does not specify the malware's exact type or behaviour, only that it uses techniques to obscure its code.

AntiXY 

XY could represent various techniques like VM, Sandbox, AntiVirus, or Debug. This highlights the malware's resistance to specific analysis techniques or environments, making it more difficult for researchers and automated tools to fully inspect and classify the threat. However, it does not usually convey details about the core functionality of the malware beyond its evasion tactics. 

FakeXY, XYFake

XY could represent common software, services, or entities like AV, App, or Installer. This typically refers to malware that impersonates legitimate software or services to trick users into installing or interacting with it.

Corrupt, Corrupted, Malformed 

This refers to files that are damaged, incomplete, or intentionally altered in a way that makes them non-functional or unreadable by standard software. The presence of these terms in an AV detection name suggests that the file is suspicious but may not be functional in a traditional sense. This could mean that while the file is recognized as potentially harmful, it is incomplete or has been deliberately modified to obstruct analysis.

Patched

This refers to legitimate files compromised by added malicious code rather than a standalone malware file, potentially making it more challenging to detect and remove without affecting system functionality.

Agent

This is a generic label that refers to malware with no specific family or identifiable characteristics. It usually signifies that the malware's structure, origin, or behaviour is not distinct enough to categorize it under a known malware family/umbrella.

Razy, Kazy, Zusy, Graftor 

These are generic or coined labels used by the Antivirus vendor, Bitdefender Technology, to describe certain families or groups of malware that do not necessarily have defining characteristics. They often lack specific meaning related to the malware's behaviour or technical attributes.

WisdomEyes

This is a specific threat detection technology developed by Qihoo 360, a Chinese cybersecurity company. It is not a type of malware itself but rather a proprietary detection engine or algorithm used by Qihoo 360 to identify malicious software. When this term appears in a detection name, it typically means:

  • Detection technology tag
  • Heuristic or behavioural detection

Artemis

This is a generic threat detection technology used by McAfee to identify potential malware. It signals a detection by McAfee's cloud-based heuristic and real-time scanning system rather than a distinct malware family/umbrella


Caveat: Identical Antivirus Detection Names

A result, such as shown in the image below, might be obtained when a malware sample is analyzed in Virustotal. How should this be interpreted?.



Many Antivirus vendors use third-party engines for their scanning and detection. For example, smaller Antivirus vendors may license engines from larger well-established Antivirus companies. As a result, they may generate identical detection names when identifying malware. In the above image, the result stems from one and the same engine - Bitdefender's engine. A list of Antivirus vendors  and third party engines can be obtained here.


If a situation such as the above is encountered during analysis where several AV vendors have the exact same detection name, including the same variant, it is likely one and same scanner. The detection should therefore count as one (and not six as in the above example) while determining how useful and informative the results obtained are. A sample with multiple detections from the same engine is more likely to be false-positive prone than a sample with multiple detections from multiple engines.


Packed Vs Unpacked Malware Detection

A packed malware sample is compressed or encrypted in a way that conceals its true code from static analysis, making it harder for Antivirus engines to classify it precisely. As a result, Antivirus detections for packed samples may use generic terms like Packed.Generic, Trojan.Obfuscated, or simply Generic.Trojan.


When unpacked, the malware's actual code is exposed, making it easier for Antivirus engines to analyze it fully. This often results in a more specific detection name that identifies the exact family and behaviour (For example, Emotet.Backdoor). The scanners on VirusTotal do not utilize the full technological capacity that is available for the Antivirus agent like the actual product does. They mostly rely on detection signatures that hit on the file without executing it. In-memory scanning technologies are not involved. Identifying packed file is often impossible or difficult if they are not executed. Therefore, it is recommended to unpack the malware sample before scanning to obtain better results.




AntiVirus detection names can contain useful information. However, the reader must be aware that sometimes the information in them might be wrong. So, if you have a scan result listing of a service like Virustotal, how do you know which detection names can be trusted? Below is a rule of thumb:


The more specific detections from scanning engines that are consistent with one another, the more likely the information is correct.


Post a Comment

Previous Post Next Post