Glossary

Products

| Term | Definition |
|---|---|
| Spectra Analyze | Malware analysis platform for individual analysts and small teams, powered by Spectra Core |
| Spectra Detect | Automated, high-throughput malware detection solution for enterprise file analysis |
| Spectra Intelligence | Cloud-based threat intelligence service providing file reputation, malware analysis, and threat feeds via APIs |
| Spectra Core | ReversingLabs proprietary file analysis engine that powers static analysis across all Spectra products |
| File Inspection Engine (FIE) | High-throughput file analysis solution for inspecting network traffic |
| T1000 | Network appliance for real-time file inspection and threat detection |

Analysis & Classification

| Term | Definition |
|---|---|
| Classification | ReversingLabs algorithm that determines the security status of files as malicious, suspicious, goodware, or unknown |
| Risk score | Numeric value (0–10) indicating the likelihood that a file is malicious |
| Threat level | The classification category assigned to a file after analysis: Unknown, Goodware, Suspicious, or Malicious. Corresponds to the risk score ranges on the Spectra Analyze risk score scale (0–10). |
| Trust factor | Confidence level in the classification result |
| Static analysis | Examination of file properties without executing the file |
| Dynamic analysis | Analysis of file behavior by executing it in a sandboxed environment |
| APT (Advanced Persistent Threat) | A prolonged, targeted cyberattack in which an adversary gains and maintains unauthorized access to a network while remaining undetected. APTs often use sophisticated techniques including zero-day exploits, social engineering, and lateral movement. |
| False positive | A benign file or activity incorrectly classified as malicious by a security tool. In ReversingLabs products, false positives can be corrected using classification overrides on Spectra Analyze or through Spectra Intelligence reclassification requests. |
| False negative | A malicious file or activity that is not detected by a security tool and is incorrectly classified as benign. False negatives can occur when malware uses novel techniques not yet covered by existing signatures or analysis heuristics. |
| Heuristic analysis | A detection method that uses rules and algorithms to identify suspicious characteristics in files without relying on exact signature matches. Heuristic analysis can detect previously unknown malware variants by evaluating behavioral patterns and structural anomalies. |
| Packer | Software that compresses or encrypts executable files to reduce their size or obfuscate their contents. Malware authors frequently use packers to evade signature-based detection. Spectra Core supports unpacking of over 400 packer formats during static analysis. |
| PE (Portable Executable) | The standard file format for executables, DLLs, and other binary files on Windows operating systems. PE analysis is a core capability of Spectra Core, which extracts detailed header information, imports, exports, and section data from PE files. |
| Obfuscation | Techniques used to make code or data difficult to understand or analyze. Common obfuscation methods include string encryption, control flow flattening, and dead code insertion. Spectra Core detects many obfuscation techniques as indicators during static analysis. |
| Sandbox | An isolated environment used to execute and observe suspicious files without risk to production systems. Spectra Analyze supports integration with dynamic analysis sandboxes for behavioral analysis of samples. |
| Threat propagation | The process by which a parent file inherits the classification of its extracted child files. In ReversingLabs products, if a malicious executable is found inside a ZIP archive, the archive also receives a malicious classification through upward propagation. |
| Goodware override | A classification mechanism where a trusted parent sample's benign classification is propagated to its extracted child files. This is used when a known-good installer contains files that might otherwise trigger false positive detections. |

Malware Types

| Term | Definition |
|---|---|
| Backdoor | Malware that provides an attacker with unauthorized remote access to a compromised system, bypassing normal authentication. Backdoors are often installed by other malware or through exploited vulnerabilities. |
| Botnet | A network of compromised computers (bots) controlled by an attacker through a command-and-control (C2) server. Botnets are used for distributed denial-of-service attacks, spam distribution, and credential theft. |
| Fileless malware | Malware that operates entirely in memory without writing files to disk, making it harder to detect with traditional file-based scanning. Fileless malware often leverages legitimate system tools like PowerShell or WMI. |
| Keylogger | Malware that records keystrokes on a compromised system to capture sensitive information such as passwords, credit card numbers, and personal data. Keyloggers may operate at the hardware, kernel, or application level. |
| Polymorphic malware | Malware that changes its code structure with each infection while maintaining the same malicious functionality. Polymorphic techniques include encrypting the payload with a different key each time, making signature-based detection less effective. |
| Ransomware | Malware that encrypts files on a victim's system and demands payment for the decryption key. Ransomware typically receives a risk score of 10 (maximum severity) in ReversingLabs classification. |
| Rootkit | Malware designed to hide its presence and the presence of other malicious software on a compromised system. Rootkits can operate at the user level, kernel level, or firmware level, making detection and removal challenging. |
| Trojan | Malware disguised as legitimate software to trick users into executing it. Unlike viruses and worms, Trojans do not self-replicate. They are commonly used to deliver other malware payloads, steal data, or provide backdoor access. |
| Worm | Self-replicating malware that spreads across networks without requiring user interaction. Worms exploit vulnerabilities in network services or operating systems to propagate and can cause significant network disruption. |

Security Frameworks and Standards

| Term | Definition |
|---|---|
| CVE (Common Vulnerabilities and Exposures) | A standardized identifier for publicly known cybersecurity vulnerabilities, maintained by MITRE Corporation. Each CVE entry includes a unique ID (e.g., CVE-2024-1234), a description, and references. |
| CWE (Common Weakness Enumeration) | A community-developed list of common software and hardware security weaknesses, maintained by MITRE. CWE entries categorize vulnerability types to help developers and analysts understand root causes. See the CWE list. |
| MITRE ATT&CK | A globally recognized knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. ReversingLabs maps static analysis indicators to ATT&CK techniques in Spectra Analyze and Spectra Intelligence. |
| NIST (National Institute of Standards and Technology) | A U.S. federal agency that develops cybersecurity standards and guidelines, including the NIST Cybersecurity Framework and SP 800 series. NIST frameworks are widely adopted for enterprise security program management. |

Security Operations

| Term | Definition |
|---|---|
| C2/C&C (Command and Control) | Infrastructure used by attackers to communicate with and control compromised systems. C2 channels can use HTTP, DNS, or custom protocols. Spectra Core extracts C2 indicators from malware configurations during analysis. |
| DLP (Data Loss Prevention) | Security technology designed to detect and prevent unauthorized data exfiltration from an organization. DLP solutions can integrate with ReversingLabs products to scan files for malicious content before allowing transfers. |
| EDR (Endpoint Detection and Response) | Security technology that monitors endpoints for suspicious activity and provides investigation and response capabilities. EDR solutions can integrate with ReversingLabs threat intelligence for enhanced file reputation checks. |
| IDS/IPS (Intrusion Detection/Prevention System) | Network security systems that monitor traffic for malicious activity. IDS detects and alerts on threats; IPS actively blocks them. File Inspection Engine can complement IDS/IPS by providing deep file analysis for network traffic. |
| NDR (Network Detection and Response) | Security technology that monitors network traffic to detect threats and anomalous behavior. NDR solutions benefit from integration with ReversingLabs file analysis for inspecting files extracted from network flows. |
| Reverse engineering | The process of analyzing software or malware to understand its functionality, behavior, and purpose. Spectra Core performs automated reverse engineering through static decomposition, extracting indicators, metadata, and structural information from binary files. |
| SIEM (Security Information and Event Management) | A platform that aggregates and analyzes security event logs from across an organization's infrastructure. ReversingLabs integrates with SIEM platforms like Splunk and IBM QRadar. See Integrations. |
| SOAR (Security Orchestration, Automation and Response) | A platform that automates security operations workflows, including incident response and threat investigation. ReversingLabs provides integrations with SOAR platforms including Splunk SOAR and Palo Alto XSOAR. See Integrations. |
| SOC (Security Operations Center) | A centralized team responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents. SOC analysts use ReversingLabs products for malware triage, threat hunting, and incident investigation. |
| Supply chain attack | A cyberattack that targets an organization by compromising a trusted third-party vendor, software library, or update mechanism. ReversingLabs products help detect supply chain threats by analyzing software packages and their dependencies. |
| XDR (Extended Detection and Response) | An integrated security approach that correlates data across endpoints, networks, cloud, and email to provide unified threat detection and response. XDR platforms can leverage ReversingLabs threat intelligence for file-level analysis. |
| Zero-day | A previously unknown vulnerability that has no existing patch or signature. Zero-day exploits are particularly dangerous because traditional signature-based detection cannot identify them. Heuristic and behavioral analysis methods provide better coverage against zero-day threats. |

Threat Intelligence

| Term | Definition |
|---|---|
| IOC (Indicator of Compromise) | Observable artifact such as a hash, IP address, or domain that indicates a security breach |
| YARA | Pattern-matching tool used to identify and classify malware based on textual or binary patterns |
| MISP | Open-source threat intelligence sharing platform |
| STIX | Structured Threat Information Expression — standard language for sharing cyber threat intelligence |
| TAXII | Trusted Automated Exchange of Intelligence Information — transport protocol for sharing STIX data |
| TCA | API endpoint code prefix used in Spectra Intelligence API documentation (e.g., TCA-0101) |
| TCF | Feed endpoint code prefix used in Spectra Intelligence Feed documentation (e.g., TCF-0101) |

Infrastructure

| Term | Definition |
|---|---|
| Helm chart | Kubernetes package used to deploy Spectra Detect and File Inspection Engine |
| OVA | Open Virtual Appliance format used for deploying Spectra Analyze and T1000 as virtual machines |
| ICAP (Internet Content Adaptation Protocol) | A protocol for offloading content scanning from web proxies and load balancers to external services. Spectra Detect Hub and Spectra Analyze support ICAP integration for inline file scanning. See ICAP Integration. |
| Kubernetes | An open-source container orchestration platform used for deploying and scaling containerized applications. Both Spectra Detect and File Inspection Engine support Kubernetes deployment via Helm charts. |
| OCI (Open Container Initiative) | A set of industry standards for container image formats and runtimes. File Inspection Engine is distributed as an OCI-compliant container image that runs on Docker, Kubernetes, or any compatible runtime. |