Example and Breakdown of the New Format
Threat Type
Threat Type is the main threat category, describing the primary behavior or classification of the threat:
- For malware: common threat types include Trojan, Worm, Virus, Ransomware, Coinminer and Backdoor.
- For grayware: common threat types include Adware, Spyware and potentially unwanted applications (PUA).
Platform
Platform refers to the environment in which the threat is designed to execute and covers both software and hardware. This includes operating systems such as Windows (Win32, Win64), Mac OS, Linux and Android, as well as programming languages (including scripting languages) and file formats (Microsoft Word/Excel/PowerPoint).
Family
Threats with similar behavior are grouped together and referred to as a Family. Each Family is named based on the behavior it manifests.
Variant
To identify different strains of malware within one family, sequential letters are used; this component is referred to as the Variant.
Other (Optional) Information
This section may be used for other optional information that provides additional insight into some complex threats. For example, the suffix dldr identifies a downloader: in the example Ransom.Win32.Locky.A.dldr, it indicates that this threat is a downloader for the Locky ransomware.
Affected Products
This change will apply to all products which utilize Trend Micro's Virus Scanning API (VSAPI) Scan Engine and the following detection patterns:
- Conventional Virus Scan Pattern
- Smart Scan Agent Pattern
- Smart Scan Cloud Query Pattern
Phased Implementation
This naming scheme change is planned to be launched in a phased approach. The initial focus will be on customer-submitted samples and noteworthy threats, and it will eventually encompass all channels, including bulk submissions and other sourcing methods.
This change will only apply to new threats moving forward, and this new naming scheme will not be retroactively applied to older detections.
Note for SIEM Users
Although the change will be mostly transparent to users, customers who utilize security information and event management (SIEM) products may need to review, and adjust as necessary, rules or reports that may track and utilize threat names.
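The following parser is an added example (not Trend Micro code) showing how a SIEM rule can split a new-format name into the components described above (Threat Type, Platform, Family, Variant, optional Other) and match on fields rather than on the raw string; older detections keep their existing names, so it returns None for anything that does not fit the new scheme. The only real name used is the article's Ransom.Win32.Locky.A.dldr; the other sample names and all function names are constructed.

```python
"""Parse Trend Micro detection names in the new dotted format.

Format (from the article): ThreatType.Platform.Family.Variant[.Other]
Article example: Ransom.Win32.Locky.A.dldr
Function names and the other sample names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DetectionName:
    threat_type: str
    platform: str
    family: str
    variant: str
    other: Tuple[str, ...]  # optional trailing fields such as "dldr"


def parse_detection_name(name: str) -> Optional[DetectionName]:
    """Return the components of a new-format name, or None if it does not fit.

    Older detections are not renamed, so SIEM logic must tolerate names that
    do not follow the new scheme instead of assuming every name parses.
    """
    parts = name.strip().split(".")
    if len(parts) < 4 or any(not p for p in parts):
        return None
    threat_type, platform, family, variant, *other = parts
    # Variants are sequential letters (A, B, ..., AA, ...); reject anything else.
    if not (variant.isascii() and variant.isalpha() and variant.isupper()):
        return None
    return DetectionName(threat_type, platform, family, variant, tuple(other))


def matches_rule(name: str, *, threat_type=None, family=None, other=None) -> bool:
    """Field-based match for a SIEM rule: a rule for family "Locky" keeps
    matching when the variant letter or the optional suffix changes."""
    parsed = parse_detection_name(name)
    if parsed is None:
        return False
    if threat_type is not None and parsed.threat_type.lower() != threat_type.lower():
        return False
    if family is not None and parsed.family.lower() != family.lower():
        return False
    if other is not None and other.lower() not in (o.lower() for o in parsed.other):
        return False
    return True
```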
Further Information
Trend Micro believes that the change will be beneficial for customers, especially those with mixed-vendor environments which require extensive cross-checking of threats. Customers who need more information on this upcoming change are encouraged to contact their authorized Trend Micro Technical Support representative.