Classification
ReversingLabs uses a classification algorithm that places analyzed files into four different buckets:
- No threats found (unclassified)
- Known or "goodware"
- Suspicious
- Malicious
Files with no threats found do not have a classification, and therefore do not have a meaningful risk score.
Risk score
A risk score is a value representing the trustworthiness or malicious severity of a sample. At a glance:
Classification | Trust factor | Threat level | Risk score | Severity | Comment |
---|---|---|---|---|---|
0 (no threats found) | N/A | N/A | N/A | ⬜ N/A | No threats found. Please submit the sample to Spectra Intelligence for classification. |
1 (known) | 0 | N/A | 0 | 🟩 Clean | File comes from a very trustworthy domain or has a very trustworthy certificate. Examples: HP, IBM, Microsoft, Oracle, Intel, Dell, Sony, Google... |
1 (known) | 1 | N/A | 1 | 🟩 Clean | File comes from a trustworthy domain or has a trustworthy certificate. Examples: php.net, mit.edu, postgresql.org, redhat.de, opera.com, nasa.gov... |
1 (known) | 2 | N/A | 2 | 🟩 Clean | File comes from a usually trusted domain. Examples: softpedia.com, sourceforge.net, cnet.com... |
1 (known) | 3 | N/A | 3 | 🟩 Likely clean | File comes from another known site. |
1 (known) | 4 | N/A | 4 | 🟩 Possibly clean | Some valid but not very trusted certificates. |
1 (known) | 5 | N/A | 5 | 🟩 Low | Low trust source, no whitelisted certificates. |
2 (suspicious) | N/A | 0 | 5 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 1 | 6 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 2 | 7 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 3 | 8 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 4 | 9 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 5 | 10 | 🟨 Low | More information about sample required for final classification. |
3 (malicious) | N/A | 0 | N/A | 🟧 Low | Low trust source, no whitelisted certificates. |
3 (malicious) | N/A | 1 | 6 | 🟧 Low | Adware, potentially unwanted apps, tools for masking malware (packers). |
3 (malicious) | N/A | 2 | 7 | 🟥 Medium | Spyware. |
3 (malicious) | N/A | 3 | 8 | 🟥 Medium | Tools used to introduce malware or to use infected machines for denial-of-service attacks. |
3 (malicious) | N/A | 4 | 9 | 🟥 High | Malicious browser extensions, fake antivirus software, rootkits. |
3 (malicious) | N/A | 5 | 10 | 🟥 High | Virus, worm, trojan, keylogger, infostealer. Most dangerous threats. |
Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats.
Values from 0 to 5 are reserved for samples classified as goodware ("known"), and take into account the source and structural metadata of the file, among other things. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score.
Risk scores from 6 to 10 are reserved for suspicious/malicious samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more.
Samples with no threats found (i.e., samples without classification) do not have a meaningful risk score.
Risk score cannot be interpreted on its own. The primary criterion in deciding a sample's priority is its classification.
Samples classified as suspicious can be a result of heuristics, or a possible early detection. A suspicious file may be declared malicious or known at a later time if new information is received that changes its threat profile, or if the user manually modifies its status.
The system will always consider a malicious sample with a risk score of 6 as a higher threat than a suspicious sample with a risk score of 10, meaning that samples classified as malicious always supersede suspicious samples, regardless of the calculated risk score.
The reason for this is certainty - a malicious sample is decidedly malicious, while suspicious samples need more data to confirm the detected threat. It is a constant effort by ReversingLabs to reduce the number of suspicious samples.
While a suspicious sample with a risk score of 10 does deserve user attention and shouldn't be ignored, a malicious sample with a risk score of 10 should be triaged as soon as possible.
Malware type and risk score
Risk scores are assigned by the severity of the detected threat. Lesser threats like Adware will get a risk score of 6 (scores from 0-5 are reserved for goodware), while ransomware and trojans always get a risk score of 10.
In cases where multiple threats are detected and there are no other factors (such as user overrides) involved, the final classification will always be the one that presents the biggest threat. If they belong to the same risk score group, malware types are prioritized in this order:
Risk score | Malware types |
---|---|
10 | EXPLOIT > BACKDOOR > RANSOMWARE > INFOSTEALER > KEYLOGGER > WORM > VIRUS > CERTIFICATE > PHISHING > FORMAT > TROJAN |
9 | ROOTKIT > COINMINER > ROGUE > BROWSER |
8 | DOWNLOADER > DROPPER > DIALER > NETWORK |
7 | SPYWARE > HYPERLINK > SPAM > MALWARE |
6 | ADWARE > HACKTOOL > PUA > PACKED |
Threat level and trust factor
The risk score table above describes the relationship between the risk score and the threat level and trust factor values used by the File Reputation API.
The main difference is that the risk score maps all classifications onto one numerical scale (0-10), while the file reputation / malware presence API uses two different scales for different classifications.
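To make the rules concrete, the following Python is an added example (not ReversingLabs code, and the sample dicts are constructed rather than real API output). It collapses the File Reputation API's trust factor / threat level onto the 0-10 risk score exactly as the table above lays it out, then ranks samples the way the "Malware type and risk score" section describes: classification first, risk score second, malware-type order third.

```python
from typing import Optional

# Classification codes as they appear in the Spectra Detect Worker report.
UNCLASSIFIED, KNOWN, SUSPICIOUS, MALICIOUS = 0, 1, 2, 3

# Malware-type priority within one risk score group (left beats right),
# transcribed from the "Malware type and risk score" table.
TYPE_PRIORITY = {
    10: ["EXPLOIT", "BACKDOOR", "RANSOMWARE", "INFOSTEALER", "KEYLOGGER", "WORM",
         "VIRUS", "CERTIFICATE", "PHISHING", "FORMAT", "TROJAN"],
    9: ["ROOTKIT", "COINMINER", "ROGUE", "BROWSER"],
    8: ["DOWNLOADER", "DROPPER", "DIALER", "NETWORK"],
    7: ["SPYWARE", "HYPERLINK", "SPAM", "MALWARE"],
    6: ["ADWARE", "HACKTOOL", "PUA", "PACKED"],
}


def risk_score(classification: int, trust_factor: Optional[int],
               threat_level: Optional[int]) -> Optional[int]:
    """Map the two API scales onto the single 0-10 risk score (None = no score)."""
    if classification == KNOWN and trust_factor is not None:
        return trust_factor            # known: trust factor 0..5 -> risk 0..5
    if classification == SUSPICIOUS and threat_level is not None:
        return threat_level + 5        # suspicious: threat level 0..5 -> risk 5..10
    if classification == MALICIOUS and threat_level:
        return threat_level + 5        # malicious: threat level 1..5 -> risk 6..10
    return None                        # unclassified, or malicious level 0 (N/A)


def triage_key(sample: dict) -> tuple:
    """Higher tuple = more urgent. Classification dominates the risk score, and
    the risk score dominates the malware-type order, so a malicious sample at
    risk 6 still outranks a suspicious one at risk 10."""
    score = risk_score(sample["classification"], sample.get("trust_factor"),
                       sample.get("threat_level"))
    score = -1 if score is None else score
    order = TYPE_PRIORITY.get(score, [])
    mtype = sample.get("malware_type", "")
    type_rank = -order.index(mtype) if mtype in order else -len(order)
    return (sample["classification"], score, type_rank)


def final_threat(detections: list) -> dict:
    """Pick the one detection that represents the biggest threat for a file."""
    return max(detections, key=triage_key)


def triage_order(samples: list) -> list:
    """Return sample ids, most urgent first."""
    return [s["id"] for s in sorted(samples, key=triage_key, reverse=True)]
```

Constructed input such as a suspicious TROJAN at threat level 5, a malicious ADWARE at level 1, and a malicious RANSOMWARE at level 5 yields the ransomware first, the adware second, and the suspicious trojan only after every malicious sample.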
Nomenclature
The following classifications are equivalent:
File Reputation API | Spectra Analyze | Spectra Detect Worker |
---|---|---|
known | goodware | 1 (in the Worker report) |
In the Worker report, the risk score is called rca_factor.