Netskope Help

Malware Severity Levels and Detection Types

There are three malware severity levels. Creating policies that block all three levels is recommended.











Password Stealers












The following table provides explanations for the detection types in the malware dashboard pages:




The object is an adware application. Adware is a class of malicious applications designed to display advertisements on the user's desktop, or in the web browser. Adware is also often used to monitor and report user browsing habits to the advertiser to bring more relevant ads. Some free applications available on the Web contain the adware payload, which is usually installed with user consent, while some other adware applications are installed without user consent. As with spyware, the adware application is not a legitimate infected file, and therefore it cannot be disinfected.


This type of malware opens up a secret entry point for the attackers to gain access to the target system. The malware can be used to install other malicious programs, monitoring system or user activities, etc.


This type of malware is web-based or online in nature that impacts the various browsers like Internet Explorer and Firefox. The browser-based threats include a range of malicious software programs that are designed to infect victims computers, like Exploit kits, malicious script redirections, phishing, etc.


This is a type of malware which uses the modem connected to the computers to dial premium-rate numbers, incurring expensive phone bills for the victim. The malware usually comes bundled with legitimate software downloaded from 3rd party and torrent sites.


This type of malware is responsible for downloading and executing additional content onto the infected machine. The downloaded content can be a second stage payload like malwares, adwares, key loggers etc. Downloader can also perform additional actions like enumerating the victim machine and receiving commands from the parent server.


This is a type of malware is triggered on encrypted files. The files could have been encrypted using software, such as TrueCrypt etc.


This type of malware takes advantage of a bug or vulnerability in order to get unauthorized access to the target system. Successful exploitation can be used to execute arbitrary code, download malwares, conduct denial of service etc.


This type of malware is used to identify tools and softwares that can be used by attackers to compromise systems and networks. Programs detected as Hacktools might not be malicious, but they are designed to perform certain actions that matches the characteristics of a malware. Hacktools can perform actions like port scanning, remote connectivity, vulnerability scanning, keygens, etc.


This type of malware is based on rules, patterns, or weighing methods, and is used to detect variants of existing malware and zero-day malware. This malware typically does not have signature or pattern match-based detection.


This type of malware is designed to capture keystrokes from the infected machine. the stolen information is then uploaded to its command and control server. Keyloggers can be used to capture information like credentials, email conversations, instant messages, etc.


This type of malware gathers confidential information, such as login credentials, credit card numbers, etc., from an infected system, and sends it to a pre-determined location.

Malicious App

This type of malware is used to refer an unknown or new family of malware. These apps are detected based on certain behavioral properties of the file that falls under malicious activities. This can include querying system information, detection of sandboxes or virtual machines, creating persistence, clearing traces, etc.


This is a generic type of malware for unknown or a new family of malware. The detection is made based on certain behavioral properties of the file that falls under malicious activities. This can include: querying system information, detection of sandboxes or virtual machines, creating persistence, clearing traces, etc.

Misleading Application

This is a type of application which itself may not be malicious but could be used for malicious activities. This includes web or socks proxies, remote administration software and more.

The object is an application which is often installed and used for malicious purposes by 3rd parties. While the application itself is not malicious, experience shows that it poses a higher risk (compared to others) of being used for malicious purposes and of being installed without user consent. This category includes web or socks proxies, remote administration software and other types of software. Usually, the detected application is easy to install without user consent, and once installed, it has an option to be almost or completely hidden from the user.

This object may not be malicious, and may be legitimately installed by a user, so it should not be quarantined or removed by default; the user should be asked instead. Obviously, since it's an application, it can only be removed, not disinfected.


This type of malware infection is capable of performing network-based attacks, like denial of service, flooding, and scanning. Network-based malware infections are also capable of flowing through the network to infect other systems connected within the same range of IP address.


This type of malware affects the files that are obfuscated using commercial or open file packers. This serves as a code obfuscation technique as packers compress the original binary code using its custom algorithm. Packers are usually legitimate programs, but they are often used by malware authors in packing their own binaries to avoid getting detected through security detection technologies.


This type of malware attempts to obtain sensitive information, such as password and credit card numbers, by disguising as a trustworthy entity.


This type of malware, Potentially unwanted applications (PUA), are programs that are unwanted and usually ships with freeware softwares and tools. PUAs are used to launch hoax advertisements, fake anti-virus scans, selling rogue products, and even launching Man-in-the-Browser attacks.


This is a type of malware that encrypts files so access is denied until a fee is paid. Netskope Threat Protection detects the potentially unauthorized encryption and permits the recovery of encrypted files to the last known usable version (tombstone file). This may be due to a Ransomware attack, or other data destruction attack. We recommend that action is first taken to contain the attack before initiating data recovery.


This is a type of malware impersonates itself as a legitimate software application and will create alert messages, like software updates, or fake anti-virus warnings. The \"updates\" or \"alerts\" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security program downloads to your computer.


This is a type of malware is designed to infect systems, create persistence, and provide backdoor access without getting noticed. It can modify system and processing behavior in the background to display attack controlled information. Advanced rootkits can even intercept and modify kernel level instructions in the operating system.


This is a type of malware whose objective is to spy on user activities without the user’s consent. This may include keystroke logging, screenshots at regular intervals, data harvesting (login credentials, passwords) and more. The malware usually comes bundled with legitimate software downloaded from 3rd party and torrent sites.


This type of malware uses email activity to send unsolicited emails to a large number of users with the intent of advertising, phishing, or spreading malware.


This is a type of malware is often disguised as a legitimate software, but it has the capability to spy on the infected machine. Trojan malware might reach to the system through social engineering attacks where users are tricked into executing programs by claiming false capability.


This is a type of malware that infects other programs to spread itself. On execution, the malware replicates itself by inserting itself into legitimate programs in order to execute and infect other programs when a user launches the legitimate program. The malware can perform further activities on infected hosts, such as stealing data, log keystrokes, send spam emails, and more. The malware can infect programs, documents, scripts, and boot sector. The recovery will require disinfection using an anti-malware software or operating system reinstallation.


This type of malware is capable of replicating itself from one machine to the other either through the network, or through infected external storage devices. Typically malware have the worm functionality in order to self replicate itself and infect as many machines as possible.