About Detection names
A quick guide to Detection names - why they are important, how they work and how to read them. Also includes Generic Detections and how they differ from traditional Detections.
What is a Detection?
A detection is a unique string used by antivirus programs to identify a virus, worm or other malicious program.
Detections are important because they are integral to how an antivirus program functions. Whenever a user runs an antivirus program and scans their computer system for viruses, trojans and other malware, what the program is really doing is comparing all the files against its own database of detections; if any of the files match a detection in the database, the file is flagged as infected or suspicious.
To create a detection, a Malware Analyst must first examine a malware and identify its unique characteristics. The Analyst can then use these characteristics to create an algorithm that can identify that specific malware and no other. The algorithm is also known as the virus’s signature or definition.
Each antivirus program uses a slightly different naming convention to label their detections, which can sometimes lead to multiple names being used to identify a single malware. For example, the infamous worm that caused a media furor in 2008 is known as the Conficker worm to journalists, is referred to as Worm:W32/Downadup by F-Secure, and is identified as Kido or Downup and Conficker by various other antivirus programs. They are all however the exact same malware.
How to Read a Detection Name
On discovering an infection, an antivirus program will usually display the detection that identified the infection. Detections often contain a lot of information in their names, which can be helpful to the user.
As an example, let’s take the following detection name:
We can break this detection down to the following components:
Type Platform Family Variant
Worm W32 Mabezat B
The Type identifies the kind of threat the malware poses. In this example, the malware is a Worm, a type of program that can replicate independently across a network and cause damage to an infected computer. You can read more about the various types here.
The Platform is the operating system or application framework that a malware needs in order to run properly. In most cases, a malware will only be able to run in one specific platform. In this example, the worm is able to function on a computer that runs the Win32 Windows operating system. You can read about the various platforms malware can function on here.
The Family is the unique name given to a malware, in this case Mabezat. The term family is used because once a unique malware is created, the malware author (or other hackers) will often create newer, modified versions of the malware. These newer versions share the same characteristics as the parent program and they are all considered to be from one family.
The Variant identifies a specific version of the malware within the family. In this example, the B variant is a variation of the original Worm:W32/Mabezat malware. Variants are usually arranged in chronological order, incrementing each time a new variant appears.
What is a Generic Detection?
Before 2007, the amount of malware circulating online was still small enough - in the low thousands - that it was feasible for antivirus companies to create an individual detection for each malware discovered. At that time, almost all antivirus programs used the traditional single-file detections as a matter of course.
In recent years however, the volume of malware a user can be exposed to has increased exponentially, from thousands, to hundreds of thousands and now, into the millions. Malware has become so ubiquitous that depending on traditional single-file detections is no longer effective or efficient.
To combat the phenomenal growth in malware, antivirus programs are now increasingly turning to Generic Detections - a sophisticated type of detection that can identify broad characteristics of a whole swathe of malware, rather than the specific features of a single one. A single Generic Detection can potentially identify dozens, even hundreds of malware, making them far more effective in detecting potential threats efficiently.
How to Read a Generic Detection Name
Like traditional single-file detections, Generic Detections are named using varying naming conventions depending on the antivirus program. Our Generic Detections are named according to the following format:
Generic Detection Name
This can be broken down to the following components:
Type Platform Family Generic Set
Trojan W32 Daonol .gen! C
The Type, Platform and Family components of the Generic Detection name are identical to those in a single-file detection.
The Generic component of the name indicates that the detection does not identify a specific malware.
The Set indicates the specific Generic Detection that identified the malware being scanned. The set is roughly analogous to a variant in a normal Detection name, but instead of identifying the version of the malware being scanned, the set identifies the version of the Generic Detection that does the identification. In this case, it is the C set of the Daonol Generic Detections that successfully identifies the malware being scanned.