With so many different types of malware – and the vast range of malicious software programs within each type – it’s important that every malware item can be unambiguously classified and easily distinguished from other malicious programs.
Kaspersky Lab classifies the entire range of malicious software or potentially unwanted objects that are detected by Kaspersky’s antivirus engine – classifying the malware items according to their activity on users’ computers. The classification system used by Kaspersky is also used by a number of other antivirus vendors as the basis for their classifications.
The malware "classification tree"
Kaspersky’s classification system gives each detected object a clear description and a specific location in the ‘classification tree’ shown below. In the ‘classification tree’ diagram:
- The types of behaviour that pose the least threat are shown in the lower area of the diagram.
- The types of behaviour that pose a greater threat are displayed in the upper part of the diagram.
Malware types with multiple functions*
Individual malware programs often include several malicious functions and propagation routines – and, without some additional classification rules, this could lead to confusion.
For example, a specific malicious program may be capable of being spread via an email attachment and also as files via P2P networks. The program may also have the ability to harvest email addresses from an infected computer, without the consent of the user. With this range of functions, the program could be correctly classified as an Email-Worm, a P2P-Worm or a Trojan-Mailfinder. To avoid this confusion, Kaspersky applies a set of rules that can unambiguously categorise a malicious program as having a particular behaviour, regardless of the program functions:
- The ‘classification tree’ shows that each behaviour has been assigned its own threat level.
- In the ‘classification tree’ the behaviours that pose a higher risk outrank those behaviours that represent a lower risk.
- So… in our example, the Email-Worm behaviour represents a higher level of threat than either the P2P-Worm or Trojan-Mailfinder behaviour – and thus, our example malicious program would be classified as an Email-Worm.**
Multiple functions with equal threat levels
- If a malicious program has two or more functions that all have equal threat levels – such as Trojan-Ransom, Trojan-ArcBomb, Trojan-Clicker, Trojan-DDoS, Trojan-Downloader, Trojan-Dropper, Trojan-IM, Trojan-Notifier, Trojan-Proxy, Trojan-SMS, Trojan-Spy, Trojan-Mailfinder, Trojan-GameThief, Trojan-PSW or Trojan-Banker – the program is classified as a Trojan.
- If a malicious program has two or more functions with equal threat levels – such as IM-Worm, P2P-Worm or IRC-Worm – the program is classified as a Worm.
Protect your devices and data against all classes of malware
Discover more about the threats… and how Kaspersky can defend you against them:
Other articles and links related to malware
*These rules only apply to malware and do not concern adware, riskware, pornware or other objects detected using proactive defence (which take the PDM: prefix) or the heuristic analyser (which take the HEUR: prefix).
**The rule for choosing the highest ranking behaviour only applies to Trojans, viruses and worms. It does not apply to Malicious Tools.