Secure Endpoint Naming Conventions

Cisco Secure Endpoint protects organizations before, during, and after an attack. It is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by Talos and by the Cisco Secure Malware Analytics intelligence feeds. The table below provides a sample of the naming-convention patterns of threats collected in Secure Endpoint, to help with threat analysis. This list is not exhaustive and is subject to change at any time without notice.

| Pattern | Example | Engine | Description | Notes |
|---|---|---|---|---|
| `/^.*?(\.1201)$/` | `W32.Trojan:TR.23m3.1201` | | Malicious file feed from VirusTotal | |
| `/^W32.*.ab.(VRT\|Talos)$/` or `/^W32.*.ab2$/` | `W32.BD0A0522.ab.tht.VRT` or `W32.BD0A0522.ab2` | | Malicious files related to other malicious files | |
| `/APK.[A-F0-9]{10}.agent.tht.Talos/` | `APK.B2AA59B140.agent.tht.Talos` | | Malicious Android applications | |
| `/.*\.amphr.hunt.talos/` | `Auto.AB6DE0.amphr.hunt.talos` | | Malicious files based on in-field telemetry | |
| `W32.XXXXXXXXXX.auto.Talos` | `W32.XXXXXXXXXX.auto.Talos` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `/^.*.bck.(VRT\|Talos)$/` | `W32.7DC9F0E149.bck.tht.VRT` | | Malicious file feed | |
| `/^.*Clam\.Heuristics.*/i` | `Clam.Heuristics.SWF.SuspectImage.E` | | ClamAV heuristics engine | |
| `/^.*\.Dao\.MRT\.TALOS$/` | `Win.Dropper.Zbot.Dao.MRT.TALOS` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^\.dk$/` | `W32.SirefefA.15gc.dk` | | Malicious files related to other malicious files | |
| `Auto\.[A-F0-9]{10}\.Docfile\.tht\.Talos` | `Auto.040ADE11C9.Docfile.tht.Talos` | | Malicious office documents | |
| `/^W32.*.Dridex.(VRT\|Talos)$/` | `Doc.2436D135A6.Dridex.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^W32.substr($sha256,0,9).Dyre.(VRT\|Talos)/` | `W32.C975F49E5D.Dyre.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/.*\.Emotet\.hunt\.Talos/` | `Doc.Dropper.Emotet.hunt.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `W32\.Trojan\.Emotet::MxP::(Original Poke Name)` / `Doc\.Downloader\.Emotet::MxP::(Original Poke Name)` | `W32.Trojan.Emotet::MxP::W32.Auto:bcd3208902.in03.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `W32.Auto.%s.EncrOff.MRT.TALOS` | `W32.Auto.FEEDABBA.EncrOff.MRT.TALOS` | | Encrypted office documents originating from SPAM | |
| `Win32.%s.EP.RET` | `Win32.9E193268C9.EP.RET` | | Malicious files based on in-field telemetry | |
| `*.tht.Talos` | `JAR.ABBAFEED.malicious.tht.Talos` | | Malicious file feed | |
| `/^Family::gravity::.*$/` | `TrickBot::gravity::Auto.3EF943A3A9.221767.in07.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^Family::MRTART::.*$/` | `Emotet::MRTART::Auto.4ED743A3A9.334789.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^W32.Auto.substr($sha256,0,10).FN.MRT.TALOS/` | `W32.Auto.1212121212.FN.MRT.VRT` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^.*.gba.(VRT\|Talos)$/` | `W32.BD0A0522.gba.tht.VRT` | | Malicious files related to other malicious files | |
| `/^.*\.gravity\.MRT\.TALOS$/` | `Auto.Coinminer.Generic.gravity.MRT.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^W32.substr($sha256,0,9).hide.(VRT\|Talos)/` | `Auto.EE5E0A4141.hide.dropped.tht.Talos` | | Malicious files based on in-field telemetry | |
| `/File..*\.HPS\.Talos/` | `File.2fd8fb4a4c.HPS.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^.*.Hunt.Talos$/` | `W32.3cfdda.Krypt.Hunt.Talos` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `/^\.hw$/` | `W32.Downloader:Suspicious_Gen2.15fo.hw` | | Clean files based on in-field telemetry | |
| `/^W32.Auto.substr($sha256,0,6).\d+.in01` | `W32.Auto.4e5a83.181857.in01` | | Malicious file feed | |
| `/^W32.Auto.substr($sha256,0,6).\d+.in02` | `W32.Auto.4e5a83.181857.in02` | | Malicious file feed | |
| `/.**\.in03\.talos/` | `W32.Auto:a07ae0f8e7.in03.Talos` | | Malicious file feed | |
| `/\.*.in04\.Talos$/` | `Auto.17CC985B71.in04.Talos` | | Malicious file feed | |
| `/.*.\in05\.Talos/` | `SPAM.ATCH:60337a9f4e.in05.Talos` | | Malicious files based on email telemetry | |
| `*.in06.Talos` | `Auto.A41DB2B4D4.in06.tht.Talos` | | Malicious files based on email telemetry | |
| `*.in07.talos` | `Auto.F07D7E1549.232539.in07.Talos` | | Malicious file feed | |
| `Auto.%s.in10.tht.Talos` | `Auto.F9C80D1C36.in10.tht.Talos` | | Malicious file feed | |
| `*.in11.Talos` | `Win32.BD0A0522.in11.Talos` | | Malicious file feed | |
| `*.in12.Talos` | `Win32.BD0A0522.in12.Talos` | | Malicious file feed | |
| `/.*\.inPG\.Talos/` | `W32.Auto.456789ABCD.inPG.Talos` | | Malicious file feed | |
| `/^.*\.SHEATH.*/` | `W32.SHEATH.COHORS.DEC.DCB1B0` | | Malicious files based on heuristics | |
| `/^.*.jtti.(VRT\|Talos)$/` | `Zip.FC8BFFC169.jtti.tht.Talos` | | Malicious file feed | |
| `/Dropper.%s.Locky.tht.Talos/` | `Dropper.2A4A09DDBA.Locky.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^.*\.mAGIC\.MRT\.TALOS$/` | `Win.Dropper.Zbot.521a55ca65.mAGIC.MRT.TALOS` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `Auto.B9F33CB5AC.MalJS.tht.Talos` | `Auto.B9F33CB5AC.MalJS.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `Auto.A18451F177.MalJSDrop.tht.Talos` | `Auto.A18451F177.MalJSDrop.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `Auto.A18451F177.MalJSDropped.tht.Talos` | `Auto.A18451F177.MalJSDropped.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `DOC\..*\.MalMacro\.tht\.Talos` | `DOC.2B49340786.MalMacro.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `PDF.%s.MalPDF.MRT.Talos` | `PDF.ABBAFEED.MalPDF.MRT.Talos` | | Malicious files based on email telemetry | |
| `W32.%s.Malspam.MRT.Talos` | `W32.ABBAFEED.Malspam.MRT.Talos` | | Malicious files based on email telemetry | |
| `/^.*\.MASH\.SBX.VIOC$/g` | `W32.Auto.B0D869.MASH.SBX.VIOC` | | Malicious files based on automated malware analysis | |
| `/W32\.Auto\..*\.MASH\.SR\.SBX\.VIOC$/` | `W32.Auto.ddea78.MASH.SR.SBX.VIOC` | | Malicious files based on automated malware analysis | |
| `/^.*\.MRT\.VRT$/` | `W32.Auto.2FC12C.SNPE.MRT.VRT` | | Malicious files based on email telemetry | |
| `!/^W32\./` | `Suspect.Adware.MWS` | | Malicious files based on heuristics | |
| `PDF.%s.Phishing.EE.e01.Talos` | `PDF.ABBAFEED.Phishing.EE.e01.Talos` | | Malicious files based on email telemetry | |
| `PDF.%s.Phishing.MRT.Talos` | `PDF.ABBAFEED.Phishing.MRT.Talos` | | Malicious files based on email telemetry | |
| `/^*\.ETHOS*$/` | `W32.ETHOS.COHORS.MAR.E552D1` | | Malicious files based on heuristics | |
| `/^.*\.rc$/` | `W32.agent.rc` | | Malicious files based on heuristics | |
| `*.ret` | `W32.Downloader:Sisha.RET` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^W32.substr($sha256,0,9).(TPD1\|TPD2\|LP\|MPOKE).RET.SBX.TG/` | `W32.E4AE2ECDB5-90.TPD1.RET.SBX.TG` | | Malicious files based on automated malware analysis, and heuristics | |
| `/^Auto\.[A-F0-9]{10}\.RSU-\d+\.tht\.Talos` | `Auto.058EEB5727.RSU-1202.tht.Talos` | | Malicious file feed | |
| `*.sbmt.tht.talos` | `Auto.13190D1051.Sbmt.tht.Talos` | | Malicious file feed | |
| `/^W32.substr($sha256,0,9).SBX.TG/` | `W32.B87EA8206E-95.SBX.TG` | | Malicious files based on automated malware analysis | |
| `/^.*\.IOC$/` | `W32.Driveby.08.08.IOC` | | Malicious files based on in-field telemetry | |
| `/^.*\.SBX.VIOC$/g` | `W32.45EFB1547A-100.SBX.VIOC` | | Malicious files based on automated malware analysis | |
| `W32.%s.PTP.CAM` | `W32.2B3A9A4200.PTP.CAM` | | Malicious files based on heuristics | |
| `/^.*\.SPERO.*$/` | `W32.SPERO.Sality.02.12` | | Malicious files based on heuristics | |
| `/spmc.tht.Talos$/` | `W32.6799F51988.spmc.tht.Talos` | | Malicious files based on email telemetry | |
| `/^.*\.SR\.(THR\|MRT)\.TALOS$/` | `Win.Dropper.Zbot.521a55ca65.SR.MRT.TALOS` | | Files marked malicious as a result of tracking multiple malware families | |
| `/SSO\.Talos$/` | `1536252E40.spam.sso.Talos` | | Files marked malicious as a result of analysis by Cisco | |
| `/.*\.TC/` | `W32.Generic.Malware.FWdld.9CEF586D.TC` | | Malicious files based on heuristics | |
| `*.tdt.Talos` | `PDF.ABBAFEED.malicious.tdt.Talos` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `/.*\.tg\.talos/` | `PUA.Win.Dropper.Liuliangbao::tg.talos` | | Malicious files based on automated malware analysis | |
| `/^.*\.tht\.(VRT\|Talos)$/` | `Word.Trojan.Dropper.tht.VRT` | | Malicious file feed | |
| `/^.*\d[1,2].(VRT\|Talos)` | `W32.ZoxPNG.72.tht.Talos` | | Malicious files related to known threat actors | |
| `tht` | `W32.BD0A0522.tht.VRT` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `/^.*.TO.Talos$/` | `JS.10CE91BB1A.malicious.TO.Talos` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `*.toc.talos` | `DOC.Auto.A48C1F.TOC.Talos` | | Malicious file feed | |
| `*.tpd` | `TROJ_GEN:Artemis-tpd` | | Malicious file feed | |
| `/^\.tt$/` | `W32.Gen:Suspicious_Gen5.15e0.tt` | | Malicious file feed | |
| `/^W32.*.Upatre.(VRT\|Talos)$/` | `W32.86A4C82E01.Upatre.tht.Talos` | | Files marked malicious as a result of tracking multiple malware families | |
| `/^.*\.VIOC/` | `W32.VRT.Mashup.VIOC` | | Malicious files based on automated malware analysis | |
| `/^.*\.VRT$/` | `Win.Trojan.Agent.vrt` | | Files marked malicious as a result of analysis by Cisco Secure researchers | |
| `Doc.%s.xPhish.MRT.Talos` | `Doc.ABBAFEED.xPhish.MRT.Talos` | | Malicious files based on email telemetry | |
| `Simple_Custom_Detection` | `Simple_Custom_Detection` | | Customer-developed AMP detection | Customer-developed AMP detection |
| `W32\.MAP\..*` | `W32.MAP.Ransomware.RWD` | | Malicious Activity Protection (MAP) | |
| `/^.*?\.in14.Talos$/` | `Dacic:Backdoor.26dn.in14.Talos` | | Files marked malicious as a result of multiple trusted AV vendors | |
| `/^\.afa\.Talos$/` | `Doc.ABBAFEED.AFA.Talos` | | Malicious files based on email telemetry | |
| `HTML.%s.CUA.URL.Talos` | `HTML.564e12beaa.CUA.URL.Talos` | | Malicious files based on email telemetry | |
| `/.*?::MRTART$/` | `Archive.Trojan.Indra::MRTART` | | Unknown | |
| `/.*?::TRML$/` | `Win.Malware.GoziISFB::TRML` | | Unknown | |
| `/.*?.rlsync.Talos$/` | `Jaik:Artemis.26kf.rlsync.Talos` | | Unknown | |
| `*.tii.Talos` | `Win.Trojan.IcedID.tii.Talos` | | Files marked malicious as a result of analysis by Talos Intelligence and Interdiction | |