Malware name policy

  • 2 November 2015
  • 2 replies

Userlevel 4
I've been looking for a description of the naming policy for malware detected by Webroot.
I figured out that ".gen" means generic and has been blocked using heuristics. I also understand "pua" as "Potentially unwanted application". There are a number of prefixes I could guess, but it would be great to have a written description of the postfixes and prefixes in the malware names. Is this available somewhere?

Best answer by DanP 2 November 2015, 20:00


Userlevel 7
Hello rikardz,
We have a pretty basic naming convention for our Mac detections. We try to just use the actual name of the threat; however, there are cases where it will have a prefix, and one of those is for PUA (Potentially Unwanted Applications). We do, however, add postfixes on a lot of our traces. These will either be ".r" or ".1.r"; this is to identify the remediation method being used. If it ends in ".r" then WSA will do a full package removal; if it is a ".1.r" WSA will only do a single file removal. If there is no postfix then it is the same as ".1.r". If you have any more questions about our Mac detection method or Mac threats, please feel free to reach out to me.
Best Regards,
Userlevel 7
Badge +35
Our focus is more on quickly detecting malware rather than focusing on names, which is why the most common detection you will see is W32.Malware.Gen, which is simply a generic name for malicious files; the .gen suffix does not indicate a heuristic detection.
In general, our naming conventions follow this format: Prefix.Category.Variant
The main prefixes you'll see are W32 for 32-bit Windows malware and PUA for Potentially Unwanted Application.
Some common categories are malware, trojan, worm, adware, etc.
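The two replies together describe a small, parseable format: the Windows-style Prefix.Category.Variant layout from the second reply, and the ".r" / ".1.r" remediation postfixes on Mac traces from the first. The parser below is an added example, not code from the thread or from Webroot; it turns a detection name into its parts and the remediation scope WSA would apply, so an analyst reviewing a scan log can tell at a glance which detections imply a full package removal. Except for W32.Malware.Gen, the sample names are constructed, and treating a missing postfix as "single file removal" for non-Mac names is an assumption (the thread states that rule for Mac detections only).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefixes named in the thread. Anything else is treated as an unprefixed
# threat name, which the first reply says is the usual shape of Mac detections.
KNOWN_PREFIXES = {"W32", "PUA"}

# Remediation postfixes described for Mac detections in the thread.
# A missing postfix means the same as ".1.r" (assumed here for all platforms).
REMEDIATION: Dict[Optional[str], str] = {
    ".1.r": "single file removal",
    ".r": "full package removal",
    None: "single file removal",
}


@dataclass
class Detection:
    raw: str
    prefix: Optional[str]      # "W32", "PUA" or None
    components: List[str]      # dot-separated parts after the prefix
    postfix: Optional[str]     # ".r", ".1.r" or None

    @property
    def category(self) -> Optional[str]:
        return self.components[0] if self.components else None

    @property
    def variant(self) -> Optional[str]:
        return ".".join(self.components[1:]) if len(self.components) > 1 else None

    @property
    def is_generic(self) -> bool:
        # ".Gen" is just a generic name for malicious files, per the second
        # reply; it does not mean the detection was heuristic.
        return self.variant is not None and self.variant.lower() == "gen"

    @property
    def is_pua(self) -> bool:
        return self.prefix == "PUA"

    @property
    def remediation(self) -> str:
        return REMEDIATION[self.postfix]


def strip_postfix(name: str):
    """Split off a remediation postfix. ".1.r" is checked before ".r"
    because a name ending in ".1.r" also ends in ".r"."""
    lowered = name.lower()
    for postfix in (".1.r", ".r"):
        if lowered.endswith(postfix):
            return name[: -len(postfix)], postfix
    return name, None


def parse_detection(name: str) -> Detection:
    base, postfix = strip_postfix(name.strip())
    parts = [p for p in base.split(".") if p]
    prefix = None
    if parts and parts[0].upper() in KNOWN_PREFIXES:
        prefix = parts[0].upper()
        parts = parts[1:]
    return Detection(raw=name, prefix=prefix, components=parts, postfix=postfix)


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Group detection names by the remediation WSA would apply, so the
    detections that imply a full package removal stand out for review."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        det = parse_detection(n)
        groups.setdefault(det.remediation, []).append(det.raw)
    return groups


if __name__ == "__main__":
    # Constructed sample names; only W32.Malware.Gen appears in the thread.
    sample = ["W32.Malware.Gen", "PUA.Toolbar.r", "SomeMacThreat.1.r", "W32.Trojan.Foo"]
    for n in sample:
        d = parse_detection(n)
        print(f"{n:20} prefix={d.prefix} category={d.category} variant={d.variant} "
              f"generic={d.is_generic} pua={d.is_pua} remediation={d.remediation}")
    print(triage(sample))
```

The postfix check runs before the dot split so that the ".1.r" marker is never mistaken for a category or variant, and prefix matching is case-insensitive because logs and reports do not always preserve the vendor's casing.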