Threat classifications

The management console shows classification information for each threat reported in your organization.

The following is a list of possible file status entries that may appear under classification for each threat, along with a brief description of each entry.

File Unavailable: Due to an upload constraint (example: file is too large to upload), the file is unavailable for analysis. If classification is necessary, contact Arctic Wolf Support for an alternate method to transfer the file for analysis.

Unknown (blank entry): The file has not been analyzed by the Arctic Wolf Research team. Once the file is analyzed, the classification will be updated with a new status.

Trusted - Local: The file has been analyzed by the Arctic Wolf Research team and deemed safe (not malicious and not a PUP). A file identified as Trusted - Local can be globally safe listed so that it is allowed to execute, and generates no additional alerts, if found on other devices within your organization. The "Local" designation means the file did not come from a trusted source (such as Microsoft or another trusted installer) and therefore cannot be added to our trusted cloud repository; its trust applies only within your organization.

PUP: The file has been identified as a Potentially Unwanted Program (PUP): a program that may be unwanted even though users may have consented to download it. Some PUPs may be permitted to run on a limited set of systems in your organization (example: a VNC application allowed to run on Domain Admin devices). A console administrator can waive or block a PUP per device, or globally quarantine or safe list the file according to company policy. Depending on how much analysis can be performed against a PUP, it may be further subclassified. The subclasses below help an administrator decide whether a particular PUP should be blocked or allowed to run.

Subclasses (name: definition, followed by examples where available):

Adware: Software that displays advertisements (example: pop-ups) or bundles third-party add-ons when an application is installed, usually without adequate notification to the user about the nature or presence of the add-on, control over its installation or use, or the ability to fully uninstall it. Examples: Gator, Adware Info.

Corrupt: Any executable that is malformed and unable to run.

Game: Software that creates an interactive environment in which a player can play. Examples: Steam games, League of Legends.

Generic: Any PUP that does not fit into an existing subclass.

HackingTool: Software designed to assist hacking attempts. Examples: Cobalt Strike, Metasploit.

Portable Application: A program designed to run on a computer without needing installation. Example: Turbo.

Scripting Tool: Any script packaged so that it runs as if it were an executable. Examples: AutoIt, py2exe.

Toolbar: Software that places additional buttons or input boxes on-screen within a UI. Examples: Nasdaq Toolbar, Bring Me Sports.

Other: A category for files that fit no other subclass but are still PUPs. There are many different PUPs; most are not malicious, but several should still be brought to the attention of system administrators through our product, usually because they have potentially negative uses or negatively impact a system or network.

Dual Use: Dual Use indicates the file can be used for malicious and non-malicious purposes. Caution should be used when allowing the use of these files in your organization.

Subclasses (name: definition, followed by examples where available):

Crack: Software that alters (cracks) another application in order to bypass licensing limitations or Digital Rights Management (DRM) protection.

Generic: Any Dual Use tool that does not fit into an existing subclass.

KeyGen: Software that generates, recovers or reveals product keys that can be used to bypass DRM or licensing protection of software and other digital media.

MonitoringTool: Software that tracks a user's online activities without the user's awareness by logging, and possibly transmitting logs of, one or more of the following:

  • User keystrokes
  • Email messages
  • Chat and instant messaging
  • Web browsing activity
  • Screenshot captures
  • Application usage

Examples: Veriato 360, Refog Keylogger.

Pass Crack: Software that reveals a password or other sensitive user credentials, either by cracking password hashes or by revealing stored passwords. Examples: L0phtCrack, Cain & Abel.

RemoteAccess: Software that can access another system remotely and run commands on it, or monitor user activities without the user's notification or consent. Examples: PuTTY, PsExec, TeamViewer.

Tool: Programs that offer administrative features but can be used to facilitate attacks or intrusions. Examples: Nmap, Nessus, p0f.
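The PUP and Dual Use sections above describe several administrator choices that can apply to the same file at once: a per-device waiver or block, a global quarantine, a global safe list, and a role-scoped allowance such as VNC on Domain Admin devices. The following is an added example, not Arctic Wolf code and not a description of how the console resolves these choices internally; it models one defensible precedence order (Malware and global quarantine first, then the most specific deny, then device and role waivers, then the global safe list, then the class default) so that every (file, device) pair yields exactly one verdict. All names, the precedence order, and the placeholder hashes are assumptions made for the example. It also applies the rule stated in the Malware section that follows: a verdict of Malware is quarantined regardless of any waiver.

```python
# Added example; not Arctic Wolf code. Models how per-device waivers/blocks
# and global quarantine/safe-list choices can be resolved into one verdict
# per (file, device) pair. The precedence order and every name here are
# assumptions made for the example.
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    UNKNOWN = "Unknown"
    TRUSTED_LOCAL = "Trusted - Local"
    PUP = "PUP"
    DUAL_USE = "Dual Use"
    MALWARE = "Malware"


class Verdict(Enum):
    ALLOW = "allow"            # may execute, no further alert
    BLOCK = "block"            # execution prevented on this device
    QUARANTINE = "quarantine"  # removed from the host
    PENDING = "pending"        # not yet analyzed; no decision


@dataclass
class Policy:
    """Administrator choices, keyed by SHA-256 so a renamed copy still matches."""
    global_safe_list: set = field(default_factory=set)
    global_quarantine: set = field(default_factory=set)
    device_blocks: dict = field(default_factory=dict)   # device -> {sha256}
    device_waivers: dict = field(default_factory=dict)  # device -> {sha256}
    role_waivers: dict = field(default_factory=dict)    # role -> {sha256}


@dataclass(frozen=True)
class Detection:
    device: str
    roles: frozenset
    sha256: str
    classification: Classification
    subclass: str = ""


def resolve(d: Detection, p: Policy) -> Verdict:
    """Assumed precedence: Malware and global quarantine first, then the most
    specific deny, then device/role waivers, then the global safe list, then
    the class default. A waiver never overrides a Malware verdict."""
    if d.classification is Classification.UNKNOWN:
        return Verdict.PENDING
    if d.classification is Classification.MALWARE or d.sha256 in p.global_quarantine:
        return Verdict.QUARANTINE
    if d.sha256 in p.device_blocks.get(d.device, set()):
        return Verdict.BLOCK
    if d.sha256 in p.device_waivers.get(d.device, set()):
        return Verdict.ALLOW
    if any(d.sha256 in p.role_waivers.get(role, set()) for role in d.roles):
        return Verdict.ALLOW
    if d.sha256 in p.global_safe_list:
        return Verdict.ALLOW
    # Class defaults: Trusted - Local may run; PUP and Dual Use stay blocked
    # until an administrator explicitly waives or safe-lists the file.
    if d.classification is Classification.TRUSTED_LOCAL:
        return Verdict.ALLOW
    return Verdict.BLOCK


def triage(detections, policy):
    """Return (device, short hash, verdict) for each detection."""
    return [(d.device, d.sha256[:8], resolve(d, policy).value) for d in detections]


# Constructed sample data (placeholder hashes, not real files).
VNC, NMAP, TOOL_OK, KEYGEN, RANSOM, NEW_FILE = (c * 64 for c in "abcdef")

SAMPLE_POLICY = Policy(
    global_safe_list={TOOL_OK},
    global_quarantine={KEYGEN},
    device_blocks={"ws-07": {NMAP}},
    device_waivers={"jump-01": {NMAP}, "da-laptop": {RANSOM}},
    role_waivers={"Domain Admin": {VNC}},   # the VNC-on-Domain-Admin case
)

SAMPLE_DETECTIONS = [
    Detection("da-laptop", frozenset({"Domain Admin"}), VNC, Classification.PUP, "Generic"),
    Detection("ws-07", frozenset(), VNC, Classification.PUP, "Generic"),
    Detection("jump-01", frozenset(), NMAP, Classification.DUAL_USE, "Tool"),
    Detection("ws-07", frozenset(), NMAP, Classification.DUAL_USE, "Tool"),
    Detection("ws-07", frozenset(), TOOL_OK, Classification.TRUSTED_LOCAL),
    Detection("jump-01", frozenset({"Domain Admin"}), KEYGEN, Classification.DUAL_USE, "KeyGen"),
    Detection("da-laptop", frozenset({"Domain Admin"}), RANSOM, Classification.MALWARE, "Ransom"),
    Detection("ws-07", frozenset(), NEW_FILE, Classification.UNKNOWN),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_DETECTIONS, SAMPLE_POLICY):
        print(*row)
```

Two design points matter in practice: rules are keyed by file hash rather than by path or name, so a renamed copy of a waived VNC binary gets the same verdict and a renamed copy of a quarantined keygen does not slip through; and the Malware check sits above every waiver, so a stale per-device waiver (the "da-laptop" entry for the ransomware hash) cannot reintroduce a file the Research team has since classified as malware.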

Malware: The Arctic Wolf Research team has definitively identified the file as a piece of malware; the file should be removed or quarantined as soon as possible. Verified malware can be further subclassified.

Subclasses (name: definition, followed by examples where available):

Backdoor: Malware that provides unauthorized access to a system, bypassing security measures. Examples: Back Orifice, Eleanor.

Bot: Malware that connects to a central Command and Control (C&C) server and makes the infected host part of a botnet. Examples: QBot, Koobface.

Downloader: Malware that downloads additional data or payloads to the host system. Example: Staged-Downloader.

Dropper: Malware that installs other malware on a system.

Exploit: Malware that attacks a specific vulnerability on the system.

FakeAlert: Malware that masquerades as legitimate security software to trick the user into paying to fix fake security problems. Reference: Fake AV White Paper.

Generic: Any malware that does not fit into an existing subclass.

InfoStealer: Malware that records login credentials and/or other sensitive information. Example: Snifula.

Parasitic: Parasitic viruses, also known as file viruses, spread by attaching themselves to programs. When an infected program is started, the virus code runs first; to hide itself, the virus then passes control back to the original program.

Ransom: Malware that restricts access to a system or its files and demands payment to remove the restriction, thereby holding the system for ransom. Examples: CryptoLocker, CryptoWall.

Remnant: Any file that still contains malware remnants after removal attempts.

Rootkit: Malware that enables access to a computer while shielding itself or other files from detection and/or removal by administrators or security technologies. Examples: TDL, ZeroAccess rootkit.

Trojan: Malware that disguises itself as a legitimate program or file. Example: Zeus.

Virus: Malware that propagates by inserting or appending itself to other files. Examples: Sality, Virut.

Worm: Malware that propagates by copying itself to another device. Examples: Code Red, Stuxnet.