AMP Naming Conventions

Cisco's Advanced Malware Protection (AMP) solutions protect organizations before, during, and after an attack. AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by Talos and by the AMP Threat Grid intelligence feeds. The table below provides a sample of the naming-convention patterns for threats detected by AMP, to help with threat analysis. The list is not exhaustive and is subject to change at any time without notice. Two points matter when these patterns are reused in a SIEM or triage script: the patterns are loose regular expressions that match the engine token anywhere in the name, so short tokens such as rc, tt and vv should be anchored to the final dotted component before they are used as rules, and several patterns overlap (every in03.Talos name also matches the plain Talos pattern, every MASH.SBX.VIOC name also matches SBX.VIOC), so the more specific pattern must be tested first. Where a row notes a partial hash, the hexadecimal fragment in the name is the leading characters of the SHA256 of the file that matched; confirm it against the SHA256 field of the event rather than treating the fragment itself as the identifier.

| Pattern | Example | Engine / description | Notes |
|---|---|---|---|
| /^.*ClamAV\.Heuristics.*/ | ClamAV.Heuristics.SWF.SuspectImage.E | ClamAV heuristic rules | The alert name often carries the file type (for example, SWF = Flash file). |
| /^.*\.SPERO\..*/ | W32.SPERO.Sality.02.12 | Classification engine based on Win32 binary header features | |
| /^.*\.ETHOS\..*/ | W32.ETHOS.COHORS.MAR.E552D1 | Fuzzy-hash based classification of Win32 binary headers | Contains a partial hash of the SHA256 that matched (E552D1 is the first 6 characters of the SHA256). |
| /^.*\.vv/ | W32.Generic:Enistery.b0a91.vv | Third party comparison engine | Contains a partial hash of the SHA256 that matched (b0a91 is the first 5 characters of the SHA256). |
| /^.*\.1201/ | W32.Generic:Detection.1201 | Third party comparison engine | May contain a partial hash of the SHA256 that matched. |
| /^.*-tpd/ | Conficker:ConfiDrv-tpd | Third party comparison engine | |
| /^.*\.rc/ | W32.agent.rc | Aggressive machine learning engine that researches unknown samples and compares their aggressiveness with that of similar samples for one-to-one conviction | |
| /^.*\.SHEATH\..*/ | W32.SHEATH.COHORS.DEC.DCB1B0 | Aggressive machine learning engine that researches unknown samples and compares their aggressiveness with that of similar samples for one-to-one conviction | May contain a partial hash of the SHA256 that matched. |
| /^.*\.tt/ | W32.Gen:Suspicious_Gen5.15e0.tt | Identifies files that are queried by other infected files, to determine whether the queried file can be marked malicious | May contain a partial hash of the SHA256 that matched. |
| /^.*\.hw/ | W32.Downloader:Suspicious_Gen2.15fo.hw | Big data analysis engine for whitelisting clean files | May contain a partial hash of the SHA256 that matched. |
| /^.*\.dk/ | w32.SirefefA.15gc.dk | Parent/child relationship based blacklisting and whitelisting engine | May contain a partial hash of the SHA256 that matched. |
| /^.*\.IOC/ | W32.Driveby.08.08.IOC | Synthetic event engine that convicts binaries based on the actions of an Indicator of Compromise | |
| /^.*\.MASH\.SBX\.VIOC/ | W32.Auto.B0D869.MASH.SBX.VIOC | Synthetic event engine that convicts binaries based on the actions of an Indicator of Compromise observed in a detonation environment | May contain a partial hash of the SHA256 that matched. |
| /^.*\.SBX\.VIOC/ | W32.45EFB1547A-100.SBX.VIOC | Conviction from a detonation environment; the number preceding "SBX" is the score the binary received when run | May contain a partial hash of the SHA256 that matched. |
| /^.*\.VRT/ | W32.BD0A0522.tht.VRT | Conviction of a hash by analysis engines written by the Talos team | May contain a partial hash of the SHA256 that matched. |
| /^.*\.Talos/ | W32.3cfdda.tht.Talos | Conviction of a hash by analysis engines written by the Talos team | May contain a partial hash of the SHA256 that matched. |
| /^.*\.RET/ | W32.Downloader:Sisha.RET | Conviction of a hash by analysis engines written by the Research and Efficacy Team | |
| /^.*\.in01/ | W32.Auto.4e5a83.18157.in01 | Conviction of a file directly upon import (without detonation) | May contain a partial hash of the SHA256 that matched. |
| /^.*\.in02/ | W32.Auto.4e5a83.18157.in02 | Conviction of a file directly upon import (without detonation) | May contain a partial hash of the SHA256 that matched. |
| /^.*\.SBX\.TG/ | W32.B87EA8206E-95.SBX.TG | Conviction from the Threat Grid detonation environment; the number preceding "SBX" is the score the binary received when run | |
| /^.*\.in03\.Talos/ | W32.Auto:4e5a83.in03.Talos | Conviction of a file that was compared against itself to see whether its disposition (malicious or clean) changed in other engines within 24 hours | May contain a partial hash of the SHA256 that matched. |
| /^.*\.in04\.Talos/ | W32.Auto:1a2b3c4d.in04.Talos | Conviction of a file that was compared against itself to see whether its disposition (malicious or clean) changed in other engines within 7 days | May contain a partial hash of the SHA256 that matched. |
| /^.*\.in05\.Talos/ | W32.Auto:1a2b3c4d.in05.Talos | Conviction of a file attached to a known spam or phishing campaign; the file is not necessarily malicious | May contain a partial hash of the SHA256 that matched. |
| /^.*\.in10\.tht\.Talos/ | Auto.1a2b3c4d.in10.tht.Talos | Conviction of a file directly upon import into Talos's infrastructure | May contain a partial hash of the SHA256 that matched. |
| /^W32\.Auto\..*\.EncrOff\.MRT\.TALOS/ | W32.Auto.a2b3c4d.EncrOff.MRT.TALOS | Encrypted Office documents originating from spam | |
| /^PDF\..*\.Phishing\.EE\.e01\.Talos/ | PDF.a2b3c4d.Phishing.EE.e01.Talos | Malicious PDFs containing malicious URLs, originating from spam | |
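As an added example (this is not Cisco's code and not part of the original page), the following Python script turns the table into a triage helper: it classifies a detection name by engine token, extracts the partial SHA256 fragment and the sandbox score where the name carries one, and checks the fragment against the SHA256 recorded in the event. The engine labels are paraphrased from the table; the end-anchored regular expressions, the first-match ordering and the hexadecimal-fragment heuristic are this example's own assumptions, not documented Cisco behaviour, and the names fed to it are the examples from the table, not live detections.

```python
"""Classify Cisco AMP detection names using the engine tokens from the table above."""
import re
from typing import List, NamedTuple, Optional


class Verdict(NamedTuple):
    name: str
    engine: str
    hash_prefix: Optional[str]    # hex fragment of the matched SHA256, if the name carries one
    sandbox_score: Optional[int]  # N from "<hash>-N.SBX.VIOC" or "<hash>-N.SBX.TG"


# Most specific first: "W32.Auto.B0D869.MASH.SBX.VIOC" also ends in "SBX.VIOC"
# and "W32.Auto:4e5a83.in03.Talos" also ends in "Talos", so the first rule that
# matches wins. Suffix tokens are anchored with "$" (this example's choice,
# tighter than the table's "/^.*rc/" form) so that a two-letter token such as
# "rc" must be the final dotted component rather than appear anywhere at all.
ENGINE_RULES = [
    (re.compile(r"^ClamAV\.Heuristics\."),       "ClamAV heuristic rule"),
    (re.compile(r"\.SPERO\."),                   "SPERO: Win32 binary header feature classifier"),
    (re.compile(r"\.ETHOS\."),                   "ETHOS: fuzzy hash of Win32 binary headers"),
    (re.compile(r"\.SHEATH\."),                  "SHEATH: aggressive machine learning engine"),
    (re.compile(r"\.MASH\.SBX\.VIOC$"),          "Synthetic event engine: IOC hit during detonation"),
    (re.compile(r"-\d+\.SBX\.VIOC$"),            "Detonation environment conviction"),
    (re.compile(r"-\d+\.SBX\.TG$"),              "Threat Grid detonation conviction"),
    (re.compile(r"\.IOC$"),                      "Synthetic event engine: IOC hit"),
    (re.compile(r"\.EncrOff\.MRT\.TALOS$"),      "Encrypted Office document from spam"),
    (re.compile(r"\.Phishing\.EE\.e01\.Talos$"), "Malicious PDF with malicious URL from spam"),
    (re.compile(r"\.in10\.tht\.Talos$"),         "Conviction on import into Talos infrastructure"),
    (re.compile(r"\.in03\.Talos$"),              "Disposition changed in other engines within 24 hours"),
    (re.compile(r"\.in04\.Talos$"),              "Disposition changed in other engines within 7 days"),
    (re.compile(r"\.in05\.Talos$"),              "Attached to a known spam or phishing campaign"),
    (re.compile(r"\.in0[12]$"),                  "Conviction on import, no detonation"),
    (re.compile(r"\.tht\.VRT$"),                 "Talos analysis engines (VRT)"),
    (re.compile(r"\.tht\.Talos$"),               "Talos analysis engines"),
    (re.compile(r"\.RET$"),                      "Research and Efficacy Team engine"),
    (re.compile(r"\.1201$"),                     "Third party comparison engine"),
    (re.compile(r"\.vv$"),                       "Third party comparison engine"),
    (re.compile(r"-tpd$"),                       "Third party comparison engine"),
    (re.compile(r"\.rc$"),                       "Aggressive machine learning engine"),
    (re.compile(r"\.tt$"),                       "Queried-by-infected-file engine"),
    (re.compile(r"\.hw$"),                       "Big data whitelisting engine"),
    (re.compile(r"\.dk$"),                       "Parent/child relationship engine"),
]

# A hash fragment is taken to be 4+ hex characters containing at least one of
# a-f, so that all-digit components such as "18157" or "1201" are not mistaken
# for one. Heuristic only (assumption): a genuine SHA256 prefix can be all digits.
HEX_FRAGMENT = re.compile(r"^(?=.*[a-fA-F])[0-9a-fA-F]{4,}$")
SBX_SCORE = re.compile(r"-(\d+)\.SBX\.(?:VIOC|TG)$")


def classify(name: str) -> Verdict:
    engine = next((label for rx, label in ENGINE_RULES if rx.search(name)), "unknown")
    fragment = next((t for t in re.split(r"[.:\-]", name) if HEX_FRAGMENT.match(t)), None)
    m = SBX_SCORE.search(name)
    return Verdict(name, engine, fragment, int(m.group(1)) if m else None)


def fragment_matches_sha256(name: str, sha256: str) -> bool:
    """The fragment in a name is only a label; the event's SHA256 field is the
    identifier to pivot on. A mismatch means the fragment was mis-parsed or the
    name belongs to a different file than the one being investigated."""
    v = classify(name)
    return v.hash_prefix is not None and sha256.lower().startswith(v.hash_prefix.lower())


def triage(names: List[str]) -> List[Verdict]:
    return [classify(n) for n in names]


if __name__ == "__main__":
    # Names taken from the table above; nothing here is a live detection.
    for v in triage(["W32.ETHOS.COHORS.MAR.E552D1", "W32.45EFB1547A-100.SBX.VIOC",
                     "W32.Auto:4e5a83.in03.Talos", "W32.Generic:Detection.1201"]):
        print(f"{v.name:32} {v.engine:55} hash={v.hash_prefix} score={v.sandbox_score}")
```

The order of ENGINE_RULES is the part worth keeping when adapting this: with the table's loose patterns applied in table order, every in03/in04/in05 name would be reported as a plain Talos conviction and every MASH.SBX.VIOC name as a generic detonation hit. The fragment check is the cheap sanity test before pivoting: if the fragment in the name is not a prefix of the event's SHA256, the parse was wrong or the name is being read against the wrong file.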