Classification
ReversingLabs uses a classification algorithm that places analyzed files into four different buckets:
- Unknown (unclassified)
- Known or "goodware"
- Suspicious
- Malicious
An "unknown" file does not have a classification, therefore it does not have a meaningful risk score.
Risk score
A risk score is a value representing the trustworthiness or malicious severity of a sample. At a glance:
| Classification | Trust factor | Threat level | Risk score | Severity | Comment |
|---|---|---|---|---|---|
| 0 (unknown) | N/A | N/A | N/A | ⬜ N/A | No threats found. Please submit the sample to Spectra Intelligence for classification. |
| 0 | N/A | 0 | 🟩 Clean | File comes from a very trustworthy domain or has a very trustworthy certificate. Examples: HP, IBM, Microsoft, Oracle, Intel, Dell, Sony, Google... | |
| 1 | N/A | 1 | 🟩 Clean | File comes from a trustworthy domain or has a trustworthy certificate. Examples: php.net, mit.edu, postgresql.org, redhat.de, opera.com, nasa.gov... | |
| 2 | N/A | 2 | 🟩 Clean | File comes from a usually trusted domain. Examples: softpedia.com, sourceforge.net, cnet.com... | |
| 3 | N/A | 3 | 🟩 Likely clean | File comes from another known site. | |
| 4 | N/A | 4 | 🟩 Possibly clean | Some valid but not very trusted certificates. | |
| 1 (known) | 5 | N/A | 5 | 🟩 Low | Low trust source, no whitelisted certificates. |
| N/A | 0 | 5 | 🟨 Low | More information about sample required for final classification. | |
| N/A | 1 | 6 | 🟨 Low | More information about sample required for final classification. | |
| N/A | 2 | 7 | 🟨 Low | More information about sample required for final classification. | |
| N/A | 3 | 8 | 🟨 Low | More information about sample required for final classification. | |
| N/A | 4 | 9 | 🟨 Low | More information about sample required for final classification. | |
| 2 (suspicious) | N/A | 5 | 10 | 🟨 Low | More information about sample required for final classification. |
| N/A | 0 | N/A | 🟧 Low | Low trust source, no whitelisted certificates. | |
| N/A | 1 | 6 | 🟧 Low | Adware, potentially unwanted apps, tools for masking malware (packers). | |
| N/A | 2 | 7 | 🟥 Medium | Spyware. | |
| N/A | 3 | 8 | 🟥 Medium | Tools used to introduce malware or to use infected machines for denial-of-service attacks. | |
| N/A | 4 | 9 | 🟥 High | Malicious browser extensions, fake antivirus software, rootkits. | |
| 3 (malicious) | N/A | 5 | 10 | 🟥 High | Virus, worm, trojan, keylogger, infostealer. Most dangerous threats. |
Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats.
Values from 0 to 5 are reserved for samples classified as goodware ("known"), and take into account the source and structural metadata of the file, among other things. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score.
Risk scores from 6 to 10 are reserved for suspicious/malicious samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more.
Unknown samples (samples with no classification) do not have a risk score.
Threat level and trust factor
The table above describes the relationship between the risk score, and the threat level and trust factor used by the File Reputation API.
The main difference is that the risk score maps all classifications onto one numerical scale (0-10), while the file reputation / malware presence API uses two different scales for different classifications.
Nomenclature
The following classifications are equivalent:
| File Reputation API | Spectra Analyze | Spectra Detect Worker |
|---|---|---|
| known | goodware | 1 (in the Worker report) |
In the Worker report, the risk score is called rca_factor.