
Proposal: Add Field to AVClassificationType to Indicate AV Tool Detection

Ivan Kirillov edited this page Sep 30, 2015 · 4 revisions

Status: CLOSED
Comment Period Closes: September 24th, 2015
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/109

Background Information

Currently, there is no way to specify whether or not a particular AV tool actually detected a malware sample.

Related Proposals

This proposal is related to the following proposed changes to the schema: https://github.com/MAECProject/schemas/wiki/Allow-AV-Classifications-to-be-captured-for-any-CybOX-Object

Proposal

We propose the addition of a Boolean detected field to AVClassificationType:

Field: detected
Type: Boolean
Multiplicity: 0-1
Description: The Detected field specifies whether or not the AV tool specified in AVClassificationType has detected the malware instance that is characterized by the Malware Subject.

While the presence of the Classification_Name field implies that the AV tool has detected the malware instance, the detected field will make the fact explicit. In addition, the field aligns well with the VirusTotal API output, which includes a detected flag.

Example

<Object>
  <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
    <AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44" detected="false">
      <Name>Security Essentials</Name>
      <Vendor>Microsoft</Vendor>
      <Engine_Version>4.2.3</Engine_Version>
      <Definition_Version>032415-0011</Definition_Version>
    </AV_Classification>
    <AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14" detected="true">
      <Name>Security Essentials</Name>
      <Vendor>Microsoft</Vendor>
      <Engine_Version>5.1.0</Engine_Version>
      <Definition_Version>053514-0062</Definition_Version>
      <Classification_Name>Zeus.D.C</Classification_Name>
    </AV_Classification>
  </Domain_Specific_Object_Properties>
  <Properties xsi:type="FileObj:FileObjectType">
    <File_Name>kernal32.dll</File_Name>
  </Properties>
</Object>
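The rule stated in the Proposal section (a Classification_Name implies detection, and the detected flag makes that explicit) is the kind of thing a consumer should verify when ingesting AV_Classification records. The following is an added Python check, not part of the proposal or of any MAEC tooling; it assumes a constructed sample modelled on the example above, with an xmlns:xsi declaration added so the fragment parses on its own, plus two extra records (avclass-3, avclass-4) that exercise the inconsistent and missing-flag cases.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the proposal's example. The xsi namespace
# declaration is added so the fragment parses stand-alone; avclass-3 and
# avclass-4 are constructed records showing an inconsistent and an implicit
# (flag absent) case and are not from the proposal.
SAMPLE_XML = """<Object xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
    <AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44" detected="false">
      <Name>Security Essentials</Name>
      <Vendor>Microsoft</Vendor>
    </AV_Classification>
    <AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14" detected="true">
      <Name>Security Essentials</Name>
      <Vendor>Microsoft</Vendor>
      <Classification_Name>Zeus.D.C</Classification_Name>
    </AV_Classification>
    <AV_Classification id="avclass-3" detected="false">
      <Name>Example AV</Name>
      <Classification_Name>Example.Family</Classification_Name>
    </AV_Classification>
    <AV_Classification id="avclass-4">
      <Name>Example AV</Name>
      <Classification_Name>Example.Family</Classification_Name>
    </AV_Classification>
  </Domain_Specific_Object_Properties>
</Object>"""


def check_av_classifications(xml_text):
    """Map each AV_Classification id to (detected, classification_name, status).

    status is "ok" when the detected flag agrees with Classification_Name,
    "inconsistent" when detected="false" is paired with a Classification_Name,
    and "implicit" when the flag is absent and detection must be inferred.
    """
    results = {}
    for av in ET.fromstring(xml_text).iter("AV_Classification"):
        flag = av.get("detected")
        name_el = av.find("Classification_Name")
        name = name_el.text if name_el is not None else None
        if flag is None:
            # Pre-proposal record: fall back to the Classification_Name rule.
            detected, status = name is not None, "implicit"
        else:
            detected = flag.strip() in ("true", "1")  # xsd:boolean lexical forms
            status = "inconsistent" if (not detected and name) else "ok"
        results[av.get("id")] = (detected, name, status)
    return results
```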

Impact

The flag is optional, so there is no expected compatibility impact.

Requested Feedback

  1. Does it make sense to add an explicit detected field?