How F-Secure classifies threats

F-Secure separates threats into four Categories based on the potential level of harm a program may pose to the user's device or data.

Threats in each Category are then identified by Type based on the kind of actions the suspect programs perform.


Programs categorized as Malware pose a significant security risk to the user's system and/or information.

Types of programs in the Malware category include viruses, worms and trojans, among other threats. These threats can perform harmful actions such as stealing personal or program data, secretly manipulating the device or installed programs, or completely blocking the user from using the device.

Malware is usually automatically disinfected by F-Secure Antivirus products.

Types of Malware

Virus Integrates its own code into program or data files and spreads by integrating itself into more files each time an affected file is run.

Uses computer or network resources to make complete copies of itself and distribute them to other victims. May include code or other malware to damage both the system and the network.

Worms can also be typed more specifically based on the kind of network they use to spread:

  • Net-Worm: over a local network or the Internet
  • Email-Worm: via emails, either contained in the email itself or as file attachments
  • P2P-Worm: in files sent over peer-to-peer (P2P0 networks
  • IM-Worm: over instant messaging (IM) networks
  • IRC-Worm: over Internet Relay Chat (IRC) channels
  • Bluetooth-Worm: via Bluetooth broadcasting
Rootkit Hides itself or other files from the device's security programs; can be used by remote users to manipulate the device.
Backdoor Allows remote users to manipulate a program, computer or network.

Uses misdirection, misinformation, omission or outright fraud to trick the user into installing or running it, so that it can perform potentially unwanted/harmful actions. It does not replicate.

Trojans can be typed more specifically based on the kind of actions they secretly perform:

  • Trojan-Spy: installs spying programs such as keyloggers
  • Trojan-PWS: steals passwords and other sensitive information
  • Trojan-Downloader: downloads programs from a remote server, then installs and launches them
  • Trojan-Dropper: carries at least one program, which it installs and launches
  • Trojan-Proxy: allows remote users to turn the infected system into a proxy server to anonymously
  • Trojan-Dialer: connects to the Internet via over premium-rate telephone lines. May also lead to unsolicited or inappropriate sites.
Rogue Uses high-pressure, or misleading messaging or outright fraud to pressure users into purchasing antivirus software that may not perform as claimed.
Exploit Takes advantage of a vulnerability in a program or operating system to gain access or perform actions beyond what is normally permitted.
Packed Compressed to a smaller size using a packer program known to be used by other malware.
Constructor A utility program used to construct malware.


Programs categorized as Spyware introduce a security risk that may affect the user's personal data.


Types of programs in the Spyware category include trackware and adware. These programs may offer a useful service in exchange for being allowed to gather information from or about the user.

The kind of information gathered by these programs varies, and may include items such as details of the system or installed programs; web browsing behavior and history; and most importantly, personal details. Legal implications may also arise based on where and how the program is used, and how the information is collected, transmitted and stored.

If a user is aware of and accepts the potential risk associated with a program classed as Spyware, they can configure the F-Secure security product to exclude it from being scanned.

Types of Spyware

Spyware Collects information about the user's web browsing behavior or preferred applications the data collected may be stored locally or sent out.
Trackware Allows a third party to identify the user or their device, usually with a unique identifier. The most common trackware is tracking cookies.
Adware Delivers advertising content, either in the web browser, on a PC's Desktop or within an application.


Programs categorized as Riskware are considered safe when used by an authorized person in an appropriate situation. If misused, or used by an attacker, the program may be a security risk.

Riskware programs are applications that may pose a security risk when used inappropriately, or by an attacker. For example, keyloggers are utilities that may be used by system administrators in the course of their authorized work, but may also be maliciously used to secretly monitor users.

If user is aware of and accepts the potential risk associated with a program classed as Riskware, they can configure the F-Secure security product to exclude it from being scanned.

Types of Riskware

Monitoring-Tool Monitors and records selected or all actions of a user on a device
Hack-Tool Bypasses access restrictions or security mechanisms to give users access or the ability to perform actions beyond what is normally permitted
Application Introduces a security risk if misused or maliciously used

Potentially Unwanted Application(PUA)

A Potentially Unwanted Application (PUA) is a program that has behaviors or aspects which are considered undesirable, unwanted or risky, but does not meet the stricter definition of malware.

If the user is aware of and accepts the potential risk associated with a program classed as PUA, they may elect to keep and use the application, or allow the F-Secure security product to remove it.

For more information about PUAs, see Classifying Potentially Unwanted Applications.

The term 'Threat Platform' is used to refer to the operating system or application on which a malicious program operates.

To indicate the platform a malware will operate on, F-Secure uses a platform designator in the detection name for the malware. For example, the detection for the notorious Downadup worm (also known as Conficker) is:


Where ''W32' is the platform designator, and indicates that the malicious program 'Downadup' is designed to work on machines running the 32-bit Windows operating system.


Most malicious programs are designed to function only on one platform, as they must target and exploit specific files or vulnerabilities unique to a particular operating system or application. Some malware are even more specific - they can only run if a specific application is installed on a specific operating system.

Occasionally, a malware is found that is sophisticated enough to operate on more than one platform, but these are still relatively rare.

Listed below are some of the most common platforms targeted by malware.

AM Macro malware for VBA in Access 97 or later
AndroidOS Malware that runs on the Android OS
ACAD Malware or exploits that uses AutoCAD
BAT Malware that requires DOS, Windows or NT command interpreter or clone (4DOS, 4NT)
Boot Malware that resides in the Master Boot Record or DOS Boot Sector
ChromeOS Malware that runs on Chrome OS
CM VBA macro malware for Corel Draw! v 9.0 or later
CS Malware for CorelScript interpreter in many Corel products
DOS Infects DOS COM, EXE (MZ) or SYS files and require some version of MS-DOS or clone
HLP Malware for WinHelp. Note, JS and VBS script malware embedded in HTML and CHM files should use JS or VBS platform
HTML For files that only contain a malicious iframe and cannot be classified as JS, PHP or other script
IDA Malware for IDA Pro
INF Malware that uses Windows INF files
INI Malware for mIRC INI files
iPhoneOS Malware that runs on the iPhone platform
MSIL Malware for .NET platform
Java Malware for Java runtime enviroment (standalone or browser-embedded)
JS Malware for Jscript or JavaScript interpreter. HTML and CHM embedded JS malware falls into this platform type
Linux Malware that runs on any Linux distribution
MaxOS Malware that runs on MacOS prior to OSX
MMS Malware that spreads via Multimedia Messaging System (MMS) messages
OM For malware that infects at least two applications within the Office 97 suite or later. Also includes related products (Visio, Projects)
OS/2 Malware that runs on OS/2
OSX Malware that runs on Mac OSX
PM Malware for VBA in Project 98 or later
PalmOS Malware for PalmOS
Perl Malware that requires a Perl interpreter incl those under WSH and HTML embedded Perl malware
PHP Malware for PHP script
PPM Macro malware for VBS in PowerPoint 97 or later
PUM Macro malware for VBS in Publisher 97 or later
REG Malware in Windows Registry file format
SH Malware that requires a Unix(-like) shell script interpreter. Hosting does not affect the platform name. Shell malware specific to Linux, Solaris, HP-UX or other Unices, or specific to csh, ksh, bash, tcsh or other interpreters all fall under this platform name.
SMS Malware that spreads via Short Messaging System (SMS) messages
Solaris Malware for Solaris
SymbOS Malware for Symbian OS
SVL Malware for Microsoft Silverlight
SWF Malware for Macromedia Flash
Unix Malware that runs on Unix, ELF file infectors etc
VBS Malware for the Visual Basic Script interpreter. Hosting does not affect the platform designator. Standalone VBS infectors that require VBS under WSH, HTML-embedded VBS malware, and malware embedded in Windows compiled HTML help files (CHM), all fall under this platform type
W16 Malware for 16-bit Windows (native executables)
W32 Malware for 32-bit Windows (native executables)
W64 Malware for 64-bit Windows (native executables)
W128 Malware for 128-bit Windows (native executables)
WM Macro malware for VBA in Word 97 or later
WinCE Malware for PocketPC (Windows CE)
WinHEX Malware for WinHex
WMA Windows Media Audio (WMA) usually disguised as mp3, that when loaded or played, will redirect to a site that tells the user to download and install a malicious codec to hear the audio
WMV Windows Media Video (WMV) usually disguised as avi, that when loaded or played, will redirect to a site that tells the user to download and install a malicious codec to view the video
XM Macro malware for VBA in Excel 97 or later