Hi,
I've been looking for a description of the naming policy for malwares detected by Webroot.
I figured out that ".gen" means generic and have been blocked using heuristics. I also understand "pua" as "Potential unwanted application". There's a number of prefixes I could guess but it would be great to have a written description of post- and pre-fixes in the malware names. Is this avalible somewhere?
Answer
Malware name policy
Best answer by DanP
Hello,
Our focus is more on quickly detecting malware rather than focusing on names, which is why the most common detection you will see is W32.Malware.Gen which is simply a generic name for malicious files and the .gen suffix does not indicate a heuristic detection.
In general our naming conventions follow the following format: Prefix.Category.Variant
The main prefixes you'll see are W32 for 32-bit windows malware and PUA for Potentially Unwanted Application.
Some common categories are malware, trojan, worm, adware, etc.
-Dan
Our focus is more on quickly detecting malware rather than focusing on names, which is why the most common detection you will see is W32.Malware.Gen which is simply a generic name for malicious files and the .gen suffix does not indicate a heuristic detection.
In general our naming conventions follow the following format: Prefix.Category.Variant
The main prefixes you'll see are W32 for 32-bit windows malware and PUA for Potentially Unwanted Application.
Some common categories are malware, trojan, worm, adware, etc.
-Dan
Hello rikardz,
We have a pretty basic naming convention for our mac detections. We try to just use the actual name of the threat, however there are cases where it will have a prefix and one of those is for PUA (Potentially Unwanted Applications). We do however add post fixes on a lot of our traces. These will either be ".r" or ".1.r" this is to identify the remediation method being used. If it ends in ".r" then WSA will do a full package removal if it is a ".1.r" WSA will only do a single file removal. If there is no post fix then it is the same as ".1.r" If you have anymore questions about our mac detection method or mac threats please feel free to reach out to me.
Best Regards,
We have a pretty basic naming convention for our mac detections. We try to just use the actual name of the threat, however there are cases where it will have a prefix and one of those is for PUA (Potentially Unwanted Applications). We do however add post fixes on a lot of our traces. These will either be ".r" or ".1.r" this is to identify the remediation method being used. If it ends in ".r" then WSA will do a full package removal if it is a ".1.r" WSA will only do a single file removal. If there is no post fix then it is the same as ".1.r" If you have anymore questions about our mac detection method or mac threats please feel free to reach out to me.
Best Regards,
Devin T Byrd Former Mac Threat Research Analyst
+35- OpenText Employee
- Answer
Hello,
Our focus is more on quickly detecting malware rather than focusing on names, which is why the most common detection you will see is W32.Malware.Gen which is simply a generic name for malicious files and the .gen suffix does not indicate a heuristic detection.
In general our naming conventions follow the following format: Prefix.Category.Variant
The main prefixes you'll see are W32 for 32-bit windows malware and PUA for Potentially Unwanted Application.
Some common categories are malware, trojan, worm, adware, etc.
-Dan
Our focus is more on quickly detecting malware rather than focusing on names, which is why the most common detection you will see is W32.Malware.Gen which is simply a generic name for malicious files and the .gen suffix does not indicate a heuristic detection.
In general our naming conventions follow the following format: Prefix.Category.Variant
The main prefixes you'll see are W32 for 32-bit windows malware and PUA for Potentially Unwanted Application.
Some common categories are malware, trojan, worm, adware, etc.
-Dan
Webroot Threat Research
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.