SCMCarroll
commented
1 year ago Proposed draft definitions v0.01 for malware analysis of sample : Benign, Malicious, Suspicious, Unknown
Attribute Name | Definition/Description -- | -- Benign | The tool or human analysis determined that the sample has been confirmed to not demonstrate malicious behaviors and is not in and of itself associated with malware or malicious activity. Malicious | The tool or human analysis determined that the sample is designed to operate, execute or take place in a manner that is not expected by legitimate users, or performs 1 or more actions generally deemed harmful to a system, or the owners/legitimate users of a system. These can take the form of executables, source code, scripts or any other software\commands. Suspicious | The tool or human analysis determined that the sample does not operate as expected or is is usually present in conjunction with a malicious file. But does not itself demonstrate malicious behaviors. Examples may includes files not expected to be present or that support applications that have not been installed, files with an incorrect attribute (locations, version size) , or is accessed or loaded with unusual frequency or at unusual times. Other examples include are files dropped or created when malware runs. Unknown | The tool or human analysis was unable to determine whether the malware binary is malicious.
srrelitz2
10.13 Malware Result Vocabulary defines malicious, suspicious, benign, unknown but the definitions are not very descriptive. The STIX WG on Oct. 4, 2022 requested that we consider improve these definitions in the next version.