
Classification

ReversingLabs uses a classification algorithm that places analyzed files into four different buckets. The number in front of each bucket is the classification code used in the risk score table below and in the Spectra Detect Worker report:

  0. No threats found (unclassified)
  1. Known or "goodware"
  2. Suspicious
  3. Malicious

Files with no threats found do not have a classification, and therefore do not have a meaningful risk score.

Risk score

A risk score is a value representing the trustworthiness or malicious severity of a sample. At a glance:

| Classification | Trust factor | Threat level | Risk score | Severity | Comment |
|---|---|---|---|---|---|
| 0 (no threats found) | N/A | N/A | N/A | ⬜ N/A | No threats found. Please submit the sample to Spectra Intelligence for classification. |
| 1 (known) | 0 | N/A | 0 | 🟩 Clean | File comes from a very trustworthy domain or has a very trustworthy certificate. Examples: HP, IBM, Microsoft, Oracle, Intel, Dell, Sony, Google... |
| 1 (known) | 1 | N/A | 1 | 🟩 Clean | File comes from a trustworthy domain or has a trustworthy certificate. Examples: php.net, mit.edu, postgresql.org, redhat.de, opera.com, nasa.gov... |
| 1 (known) | 2 | N/A | 2 | 🟩 Clean | File comes from a usually trusted domain. Examples: softpedia.com, sourceforge.net, cnet.com... |
| 1 (known) | 3 | N/A | 3 | 🟩 Likely clean | File comes from another known site. |
| 1 (known) | 4 | N/A | 4 | 🟩 Possibly clean | Some valid but not very trusted certificates. |
| 1 (known) | 5 | N/A | 5 | 🟩 Low | Low trust source, no whitelisted certificates. |
| 2 (suspicious) | N/A | 0 | 5 | 🟨 Low | More information about sample required for final classification. |
| 2 (suspicious) | N/A | 1 | 6 | 🟨 Low | More information about sample required for final classification. |
| 2 (suspicious) | N/A | 2 | 7 | 🟨 Low | More information about sample required for final classification. |
| 2 (suspicious) | N/A | 3 | 8 | 🟨 Low | More information about sample required for final classification. |
| 2 (suspicious) | N/A | 4 | 9 | 🟨 Low | More information about sample required for final classification. |
| 2 (suspicious) | N/A | 5 | 10 | 🟨 Low | More information about sample required for final classification. |
| 3 (malicious) | N/A | 0 | N/A | 🟧 Low | Low trust source, no whitelisted certificates. |
| 3 (malicious) | N/A | 1 | 6 | 🟧 Low | Adware, potentially unwanted apps, tools for masking malware (packers). |
| 3 (malicious) | N/A | 2 | 7 | 🟥 Medium | Spyware. |
| 3 (malicious) | N/A | 3 | 8 | 🟥 Medium | Tools used to introduce malware or to use infected machines for denial-of-service attacks. |
| 3 (malicious) | N/A | 4 | 9 | 🟥 High | Malicious browser extensions, fake antivirus software, rootkits. |
| 3 (malicious) | N/A | 5 | 10 | 🟥 High | Virus, worm, trojan, keylogger, infostealer. Most dangerous threats. |

Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats.

Values from 0 to 5 are reserved for samples classified as goodware ("known"), and take into account the source and structural metadata of the file, among other things. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score.

Risk scores from 6 to 10 are reserved for suspicious/malicious samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more.

Samples with no threats found (i.e., samples without classification) do not have a meaningful risk score.

Risk score cannot be interpreted on its own. The primary criterion in deciding a sample's priority is its classification.

Samples classified as suspicious can be a result of heuristics, or a possible early detection. A suspicious file may be declared malicious or known at a later time if new information is received that changes its threat profile, or if the user manually modifies its status.

The system will always consider a malicious sample with a risk score of 6 as a higher threat than a suspicious sample with a risk score of 10, meaning that samples classified as malicious always supersede suspicious samples, regardless of the calculated risk score.

The reason for this is certainty - a malicious sample is decidedly malicious, while suspicious samples need more data to confirm the detected threat. It is a constant effort by ReversingLabs to reduce the number of suspicious samples.

While a suspicious sample with a risk score of 10 does deserve user attention and shouldn't be ignored, a malicious sample with a risk score of 10 should be triaged as soon as possible.

Malware type and risk score

Risk scores are assigned by the severity of the detected threat. Lesser threats like Adware will get a risk score of 6 (scores from 0-5 are reserved for goodware), while ransomware and trojans always get a risk score of 10.

In cases where multiple threats are detected and there are no other factors (such as user overrides) involved, the final classification will always be the one that presents the biggest threat. If they belong to the same risk score group, malware types are prioritized in this order:

| Risk score | Malware types (highest priority first) |
|---|---|
| 10 | EXPLOIT > BACKDOOR > RANSOMWARE > INFOSTEALER > KEYLOGGER > WORM > VIRUS > CERTIFICATE > PHISHING > FORMAT > TROJAN |
| 9 | ROOTKIT > COINMINER > ROGUE > BROWSER |
| 8 | DOWNLOADER > DROPPER > DIALER > NETWORK |
| 7 | SPYWARE > HYPERLINK > SPAM > MALWARE |
| 6 | ADWARE > HACKTOOL > PUA > PACKED |

Threat level and trust factor

The risk score table above also shows how the risk score relates to the trust factor and threat level used by the File Reputation API.

The main difference is that the risk score maps all classifications onto one numerical scale (0-10), while the file reputation / malware presence API uses two separate scales depending on the classification: a trust factor (0-5) for known samples and a threat level (0-5) for suspicious and malicious samples.
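The following script is an added example written for this page; it is not ReversingLabs code and does not call any ReversingLabs API. It puts the three rules above into one runnable triage helper: mapping the File Reputation API's trust factor and threat level onto the 0-10 risk score exactly as the risk score table lists them, resolving several detected malware types to the one that sets the final score using the precedence table, and ordering samples so that classification outranks risk score (a malicious 6 sorts above a suspicious 10). The classification strings, the record fields (`sha1`, `trust_factor`, `threat_level`, `threat_types`) and the sample records are assumptions constructed for the example; real reports use their own field names (the Worker report, for instance, calls the risk score rca_factor).

```python
"""Triage helpers that apply this page's ordering rules.

Added example for this page, not ReversingLabs code. Field names,
classification strings and the SAMPLES records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Classification outranks risk score: a malicious 6 sorts above a suspicious 10.
CLASSIFICATION_RANK = {"unclassified": 0, "known": 1, "suspicious": 2, "malicious": 3}

# Malware-type precedence per risk-score group, from the table on this page.
# Earlier position in a list wins within that group.
TYPE_PRECEDENCE = {
    10: ["EXPLOIT", "BACKDOOR", "RANSOMWARE", "INFOSTEALER", "KEYLOGGER", "WORM",
         "VIRUS", "CERTIFICATE", "PHISHING", "FORMAT", "TROJAN"],
    9: ["ROOTKIT", "COINMINER", "ROGUE", "BROWSER"],
    8: ["DOWNLOADER", "DROPPER", "DIALER", "NETWORK"],
    7: ["SPYWARE", "HYPERLINK", "SPAM", "MALWARE"],
    6: ["ADWARE", "HACKTOOL", "PUA", "PACKED"],
}
# type -> (risk score, position inside its group)
TYPE_RANK = {t: (score, pos)
             for score, types in TYPE_PRECEDENCE.items()
             for pos, t in enumerate(types)}


def risk_score(classification: str,
               trust_factor: Optional[int] = None,
               threat_level: Optional[int] = None) -> Optional[int]:
    """Map the File Reputation API's two 0-5 scales onto the single 0-10 scale.

    known:      risk score == trust factor (0..5)
    suspicious: risk score == 5 + threat level (5..10)
    malicious:  risk score == 5 + threat level (6..10); the table gives no
                score for threat level 0, so that case returns None
    anything else (no threats found): None
    """
    if classification == "known":
        if trust_factor is None or not 0 <= trust_factor <= 5:
            raise ValueError("known samples need a trust factor in 0..5")
        return trust_factor
    if classification in ("suspicious", "malicious"):
        if threat_level is None or not 0 <= threat_level <= 5:
            raise ValueError(f"{classification} samples need a threat level in 0..5")
        if classification == "malicious" and threat_level == 0:
            return None
        return 5 + threat_level
    return None


def dominant_threat(threat_types: Iterable[str]) -> Optional[str]:
    """Resolve several detected types to the one that sets the final score.

    Highest risk-score group wins; inside a group the table's left-to-right
    order wins (e.g. RANSOMWARE over TROJAN). Names not in the table are ignored.
    """
    ranked = [t.upper() for t in threat_types if t.upper() in TYPE_RANK]
    if not ranked:
        return None
    return max(ranked, key=lambda t: (TYPE_RANK[t][0], -TYPE_RANK[t][1]))


@dataclass(frozen=True)
class Sample:
    sha1: str                    # assumed identifier field
    classification: str          # "unclassified" | "known" | "suspicious" | "malicious"
    trust_factor: Optional[int] = None
    threat_level: Optional[int] = None
    threat_types: Sequence[str] = ()


def triage_key(sample: Sample) -> tuple:
    """Sort key: classification first, risk score second (no score sorts last)."""
    score = risk_score(sample.classification, sample.trust_factor, sample.threat_level)
    return (CLASSIFICATION_RANK[sample.classification], -1 if score is None else score)


def triage(samples: Iterable[Sample]) -> list:
    """Return samples in the order an analyst should look at them."""
    return sorted(samples, key=triage_key, reverse=True)


# Constructed records for the example (not real samples).
SAMPLES = [
    Sample("a" * 40, "malicious", threat_level=1, threat_types=("Adware",)),
    Sample("b" * 40, "suspicious", threat_level=5, threat_types=("Trojan",)),
    Sample("c" * 40, "known", trust_factor=2),
    Sample("d" * 40, "malicious", threat_level=5, threat_types=("Trojan", "Ransomware")),
    Sample("e" * 40, "unclassified"),
]

if __name__ == "__main__":
    for s in triage(SAMPLES):
        score = risk_score(s.classification, s.trust_factor, s.threat_level)
        print(f"{s.sha1[:8]} {s.classification:<12} score={score} "
              f"dominant={dominant_threat(s.threat_types)}")
```

Running the script prints the constructed samples in triage order: the malicious 10 first, then the malicious 6 ahead of the suspicious 10, then the known sample, and the unclassified one last. Note that `risk_score` rejects out-of-range or missing values instead of silently returning a score, which is the behaviour you want in a pipeline that feeds alerting.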

Nomenclature

The following classifications are equivalent:

| File Reputation API | Spectra Analyze | Spectra Detect Worker |
|---|---|---|
| known | goodware | 1 (in the Worker report) |

In the Worker report, the risk score is called rca_factor.