Example and Breakdown of the New Format
The Threat Type represents the main threat category that describes the main behavior or classification of the threat is.
For malware: common threat types include Trojan, Worm, Virus, Ransomware, Coinminer and Backdoor.
For grayware: common threat types include Adware, Spyware and potentially unwanted applications (PUA).
Platform refers to the environment in which the threat is designed to execute and covers both software and hardware. This would include Operating Systems: Windows (Win32, Win64), Mac OS, Linux, and Android, as well as programming languages (scripting language) and file formats (Microsoft Word/Excel/PowerPoint).
Threats with similar behavior are grouped together and referred to as a Family. Each Family is named based on the behavior it manifests.
To identify different strains of malware under one family, letters are used in a sequential manner and referred to as the Variant.
*Other (Optional) Information
This section may be used for other optional information that may provide additional insight for some complex threats. For example, the use of dldr would identify a downloader, which in the following example - Ransom.Win32.Locky.A.dldr - provides information that this threat is a downloader for the Locky Ransomware.
This change will apply to all products which utilize Trend Micro's Virus Scanning API (VSAPI) Scan Engine and the following detection patterns:
- Conventional Virus Scan Pattern
- Smart Scan Agent Pattern
- Smart Scan Cloud Query Pattern
This naming scheme change is planned to be launched in a phased approach. The initial focus will be on customer submitted samples and noteworthy threats, and eventually will encompass all channels including bulk submissions and other sourcing methods.
This change will only apply to new threats moving forward, and this new naming scheme will not be retroactively applied to older detections.
Note for SIEM Users
Although the change will be mostly transparent to users, customers who utilize security information and event management (SIEM) products may need to review, and adjust as necessary, rules or reports that may track and utilize threat names.
Trend Micro believes that the change will be beneficial for customers, especially those with mixed-vendor environments which require extensive cross-checking of threats. Customers who need more information on this upcoming change are encouraged to contact their authorized Trend Micro technical support representative.