Classifications

See the Classification of a threat in Incidents > Threats (previously Analyze) and also in the Incident details of a threat.

Tip: You can drag and drop the columns to change their order, as we did for this picture.

One detection can have different classifications. To make it simpler to analyze and respond, SW EDR shows the classification that is most important or most reliable.

Prioritization of Classifications by detection:

  • The Agent detection engine assigns the first classification
  • If the Deep File Inspection (DFI) of the Static AI can better define the threat, the classification is updated
  • If the detection is fileless or its behavior matches threat indicators, the classification is updated
  • If the detection is known to Cloud Intelligence Service, this is the most reliable classification and has the highest priority
  • If a detection fits a number of classifications, the Management Console shows only the highest priority classification
| Priority | Classification | Static Indicators |
|---|---|---|
| 0 | Ransomware | DFI indicators of ransomware, determined by SW EDR extensive machine learning |
| 0 | Interactive shell | The detection creates or calls a process that creates a shell with unauthorized access |
| 0 | Lateral Movement | DFI indicators of suspicious network or data access from the detection |
| 1 | Benign | The detection is whitelisted in the Cloud Intelligence Service. You will see this classification if a detection was determined to be malicious by an engine or Static AI, or is part of a threat group, but its hash is known to be benign by EDR or by your users |
| 2 | OSX.Malware | Blacklisted detections, and detections by reputation, signature, or arbiter, are classified as malware on macOS endpoints |
| 2 | Linux.Malware | All detections, including blacklisted, are classified as malware on Linux endpoints |
| 2 | Malware | The detected file has abnormal section headers or high section entropy, uses stealth techniques (such as Anti-VM IDs, fake Microsoft certificates, XOR APIs), or behaves as a debugger or system service without an explicit declaration |
| 3 | Trojan | The detection creates a service, is known Dinkumware, has an abnormal entry point or image base, or calls DNS-CAT in a suspicious manner |
| 4 | Virus | The detection uses stealth techniques (such as hiding dot-net or high entropy), shows abnormalities (such as abnormal size, section counts, entry points, or stubs), or its general exceptions indicate it is a virus |
| 5 | Exploit | DFI indicators of browser exploits, determined by SW EDR extensive machine learning |
| 6 | Worm | The detection includes or calls a process to spread itself |
| 7 | Rootkit | DFI indicators of unnecessary access enablement to system areas that should not be accessed |
| 8 | Infostealer | DFI indicators of keylogging, or the detection runs Mimikatz |
| 9 | Downloader | The detection downloads content without user requests |
| 10 | Backdoor | The detection has a DOS header matching backdoor code |
| 11 | Hacktool | The detection uses NirSoft or DFI indicates changes to system software |
| 12 | Browser | DFI indicators of browser exploits, determined by SW EDR extensive machine learning |
| 13 | Dialer | DFI indicators of unauthorized connection creation |
| 14 | Installer | The detection installs processes or executables in suspicious locations |
| 15 | Packed | The detection code has suspicious calls to MKBundle installations or packer commands, will install Python and scripts, has an abnormal section with full permissions, runs VBA commands, or runs 7zip or RAR |
| 16 | Network | The detection uses or calls Netcat without user authorization |
| 17 | Spyware | DFI indicators of possible CLSID registry key hijacking to create scheduled tasks that run processes or DLLs |
| 18 | Adware | DFI indicators of Adware, determined by SW EDR extensive machine learning |
| 19 | PUA (Potentially Unwanted Application) | On Windows, Deep File Inspection matches risky code, such as an unknown Windows macro script or non-English characters without a declaration of a different source language. On macOS, the application is set by the user or SOC as a PUA or PUP |
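The prioritization list and the table above can be modelled as a small resolver, which is useful when reconciling several classifications for one detection during triage. This is an added example, not SW EDR's own code: it assumes four source names (agent, dfi, behavior, cloud) ordered as the page describes, and assumes the table's priority number breaks ties among verdicts from the same source.

```python
from dataclasses import dataclass

# Priority values copied from the classification table on this page (lower wins).
PRIORITY = {
    "Ransomware": 0, "Interactive shell": 0, "Lateral Movement": 0,
    "Benign": 1, "OSX.Malware": 2, "Linux.Malware": 2, "Malware": 2,
    "Trojan": 3, "Virus": 4, "Exploit": 5, "Worm": 6, "Rootkit": 7,
    "Infostealer": 8, "Downloader": 9, "Backdoor": 10, "Hacktool": 11,
    "Browser": 12, "Dialer": 13, "Installer": 14, "Packed": 15,
    "Network": 16, "Spyware": 17, "Adware": 18, "PUA": 19,
}

# Assumed source names, ranked as the page orders them: each later source may
# update the classification of an earlier one; Cloud Intelligence is most reliable.
SOURCE_RANK = {"agent": 0, "dfi": 1, "behavior": 2, "cloud": 3}


@dataclass(frozen=True)
class Verdict:
    source: str           # key of SOURCE_RANK
    classification: str   # key of PRIORITY


def resolve_classification(verdicts):
    """Return the single classification the console would display.

    The most reliable source that produced a verdict wins outright; if that
    source produced several classifications, the lowest priority number wins.
    This is why a Cloud Intelligence 'Benign' overrides a DFI 'Ransomware'.
    """
    if not verdicts:
        raise ValueError("a detection needs at least one verdict")
    for v in verdicts:
        if v.source not in SOURCE_RANK:
            raise ValueError(f"unknown source {v.source!r}")
        if v.classification not in PRIORITY:
            raise ValueError(f"unknown classification {v.classification!r}")
    best_rank = max(SOURCE_RANK[v.source] for v in verdicts)
    candidates = [v for v in verdicts if SOURCE_RANK[v.source] == best_rank]
    return min(candidates, key=lambda v: PRIORITY[v.classification]).classification


if __name__ == "__main__":
    # Constructed sample: engine and DFI flag it, but the hash is whitelisted.
    sample = [Verdict("agent", "Malware"),
              Verdict("dfi", "Ransomware"),
              Verdict("cloud", "Benign")]
    print(resolve_classification(sample))  # Benign
```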