On July 2, 2018, Trend Micro will begin implementing an updated Threat Detection Naming Scheme in the Virus Scan API (VSAPI) Scan Engine to align more closely with industry standards for naming malware, threats and other malicious files.
This new naming scheme is designed to provide more relevant threat information for high-impact malicious file detections and follows the naming convention recommended by the Computer Antivirus Research Organization (CARO):
<Threat Type>.<Platform>.<Malware Family>.<Variant>.<Other Info*>
Example and Breakdown of the New Format
Threat Type is the main category describing the principal behavior or classification of the threat:
- For malware: common threat types include Trojan, Worm, Virus, Ransomware (written Ransom in detection names, as in the example below), Coinminer and Backdoor
- For grayware: common threat types include Adware, Spyware and Potentially Unwanted Applications (PUA).
Platform refers to the environment the threat is designed to execute in and covers both software and hardware: operating systems such as Windows (Win32, Win64), Mac OS, Linux and Android, as well as programming and scripting languages and file formats (Microsoft Word/Excel/PowerPoint).
Threats with similar behavior are grouped together into a Family, and each Family is named after the behavior it exhibits.
Different strains of malware within one family are distinguished by the Variant, a letter (or letters) assigned sequentially.
Other (Optional) Information
This section may carry optional information that gives additional insight into more complex threats. For example, the suffix dldr identifies a downloader: in Ransom.Win32.Locky.A.dldr it indicates that the detected file is a downloader for the Locky ransomware.
This change will apply to all products which utilize Trend Micro's Virus Scanning API (VSAPI) Scan Engine and the following detection patterns:
- Conventional Virus Scan Pattern
- Smart Scan Agent Pattern
- Smart Scan Cloud Query Pattern
The naming scheme change will be rolled out in phases. The initial focus will be on customer-submitted samples and noteworthy threats; eventually it will cover all channels, including bulk submissions and other sourcing methods.
The change applies only to new threats going forward; the new naming scheme will not be applied retroactively to older detections.
Note for SIEM Users
Although the change will be largely transparent to users, customers who use security information and event management (SIEM) products may need to review, and adjust where necessary, any rules or reports that match on threat names. Because older detections keep their existing names while new ones follow the dotted format, rules that compare the full detection string will not match both; matching on the Family component (and, where relevant, the Threat Type) is more robust across the transition.
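The following is an added example, not Trend Micro code, showing how a SIEM integration might parse the dotted format described in the breakdown above and key rules on its components rather than on the whole string, as the note for SIEM users suggests. The regular expression, the field names, the helper functions and the sample event lines are assumptions made for illustration; only the Locky example and the dldr downloader suffix come from the article, and the remaining family names are made up. Names that do not fit the new scheme are returned separately so that exact-string rules for older detections can be kept.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# <Threat Type>.<Platform>.<Malware Family>.<Variant>[.<Other Info>]
# Variant: one or more letters assigned sequentially (A, B, ..., AA, ...).
# The character classes are assumptions; adjust them to the names you see.
_CARO_NAME = re.compile(
    r"^(?P<threat_type>[A-Za-z]+)\."
    r"(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z0-9_]+)\."
    r"(?P<variant>[A-Z]+)"
    r"(?:\.(?P<other>[A-Za-z0-9_.]+))?$"
)


@dataclass(frozen=True)
class DetectionName:
    raw: str
    threat_type: str
    platform: str
    family: str
    variant: str
    other: Optional[str] = None  # optional trailing info, e.g. "dldr"

    @property
    def is_downloader(self) -> bool:
        # "dldr" is the downloader marker given in the article.
        return self.other is not None and "dldr" in self.other.split(".")


def parse_detection_name(name: str) -> Optional[DetectionName]:
    """Parse a new-scheme name; return None for anything else, such as an
    older detection name, which the article says will not be renamed."""
    m = _CARO_NAME.match(name.strip())
    if m is None:
        return None
    return DetectionName(raw=name.strip(), **m.groupdict())


# Constructed sample events ("<host> <detection name>"), not real telemetry.
SAMPLE_EVENTS = [
    "ws-001 Ransom.Win32.Locky.A.dldr",
    "ws-002 Ransom.Win32.Locky.B",
    "ws-003 Trojan.Win32.SampleFam.C",
    "srv-01 Worm.Linux.OtherFam.AB",
    "db-01 OLDSTYLE_NAME.A",  # hypothetical pre-scheme name, left unchanged
]


def triage(events: List[str]) -> Tuple[Dict[Tuple[str, str], List[str]], List[str]]:
    """Group hosts by (threat_type, family); collect names outside the new
    scheme so their SIEM rules can keep matching the exact string."""
    by_family: Dict[Tuple[str, str], List[str]] = {}
    legacy: List[str] = []
    for line in events:
        host, _, name = line.partition(" ")
        det = parse_detection_name(name)
        if det is None:
            legacy.append(name)
            continue
        by_family.setdefault((det.threat_type, det.family), []).append(host)
    return by_family, legacy


def hosts_matching(events: List[str], threat_type: Optional[str] = None,
                   family: Optional[str] = None) -> List[str]:
    """A SIEM-style rule keyed on components instead of the full string:
    family='Locky' matches Ransom.Win32.Locky.B and Ransom.Win32.Locky.A.dldr
    alike, which an exact-string rule for either name would not."""
    hits: List[str] = []
    for line in events:
        host, _, name = line.partition(" ")
        det = parse_detection_name(name)
        if det is None:
            continue
        if threat_type is not None and det.threat_type != threat_type:
            continue
        if family is not None and det.family != family:
            continue
        hits.append(host)
    return hits


if __name__ == "__main__":
    grouped, old = triage(SAMPLE_EVENTS)
    for key, hosts in grouped.items():
        print(key, hosts)
    print("legacy names (keep exact-string rules):", old)
    print("Locky hosts:", hosts_matching(SAMPLE_EVENTS, family="Locky"))
```

The parser deliberately refuses anything it cannot split into the five fields rather than guessing, so a rule author sees which detections still need their old exact-match logic during the phased rollout.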
Trend Micro believes the change will benefit customers, especially those with mixed-vendor environments that require extensive cross-checking of threats between products. Customers who need more information on this upcoming change are encouraged to contact their authorized Trend Micro Technical Support representative.