Malware Severity Levels and Detection Types

Malware Severity Levels and Detection Types

There are three malware severity levels. Creating policies that block all three levels is recommended.








Password Stealers









The following table provides explanations for the detection types in the malware dashboard pages:

AdwareThis type of malware displays advertisements on the user’s desktop, or in the web browser. Adware is also often used to monitor and report user browsing habits to the advertiser to bring more relevant ads. Some free applications available on the web contain the adware payload, which is usually installed with user consent, while some other adware applications are installed without user consent. As with spyware, the adware application is not a legitimate infected file, and therefore it can’t be disinfected.
BackdoorThis type of malware opens up a secret entry point for the attackers to gain access to the target system. The malware can be used to install other malicious programs, monitor the system or user activities, transfer files, acquire passwords, execute arbitrary commands, etc.
BrowserThis type of malware is web-based or online in nature that impacts the various browsers like Internet Explorer and Firefox. The browser-based threats include a range of malicious software programs that are designed to infect victims computers, like Exploit kits, malicious script redirections, phishing, etc.
Custom Profile HitThis type of malware matches an entry you added in the file hash list of a File Profile. The file profile name is appended to the malware name (e.g., Custom Blocklist Hit:File_Profile_Name).
DialerThis is a type of malware which uses the modem connected to the computers to dial premium-rate numbers, incurring expensive phone bills for the victim. The malware usually comes bundled with legitimate software downloaded from 3rd party and torrent sites.
Downloader/DropperThis type of malware is responsible for downloading and executing additional content onto the infected machine. It’s often the first stage infection of attacks from an exploit kit or a malicious email attachment. The downloaded content can be a second stage payload like malwares, adwares, key loggers etc. Downloader (i.e., dropper) can also perform additional actions like enumerating the victim machine and receiving commands from the parent server.
Encrypted/UnscannableThis is a type of malware is triggered on encrypted files. The files could have been encrypted using software, such as TrueCrypt etc.
ExploitThis type of malware takes advantage of a bug or vulnerability in order to get unauthorized access to the target system. Successful exploitation can be used to execute arbitrary code, download malwares, conduct denial of service, etc.
HacktoolThis type of malware is used to identify tools and software that can be used by attackers to compromise systems and networks. Programs detected as Hacktools might not be malicious, but they are designed to perform certain actions that matches the characteristics of a malware. Hacktools can perform actions like port scanning, remote connectivity, vulnerability scanning, keygens, etc.
HeuristicThis type of malware is based on rules, patterns, or weighing methods, and is used to detect variants of existing malware and zero-day malware. This malware typically does not have signature or pattern match-based detection.
KeyloggerThis type of malware is designed to capture keystrokes from the infected machine. the stolen information is then uploaded to its command and control server. Keyloggers can be used to capture information like credentials, email conversations, instant messages, etc.
InfostealerThis type of malware gathers confidential information, such as login credentials, credit card numbers, etc., from an infected system, and sends it to a pre-determined location.
Malicious AppThis type of malware is used to refer an unknown or new family of malware. These apps are detected based on certain behavioral properties of the file that falls under malicious activities. This can include querying system information, detection of sandboxes or virtual machines, creating persistence, clearing traces, etc.
MalwareThis is a generic type of malware for unknown or a new family of malware. The detection is made based on certain behavioral properties of the file that falls under malicious activities. This can include: querying system information, detection of sandboxes or virtual machines, creating persistence, clearing traces, etc.
Misleading AppThis is a type of application which itself may not be malicious but could be used for malicious activities. This includes web or socks proxies, remote administration software, and more.

The object is an application which is often installed and used for malicious purposes by 3rd parties. While the application itself is not malicious, experience shows that it poses a higher risk (compared to others) of being used for malicious purposes and of being installed without user consent. This category includes web or socks proxies, remote administration software and other types of software. Usually, the detected application is easy to install without user consent, and once installed, it has an option to be almost or completely hidden from the user.

This object may not be malicious, and may be legitimately installed by a user, so it should not be quarantined or removed by default; the user should be asked instead. Obviously, since it’s an application, it can only be removed, not disinfected.

NetworkThis type of malware infection is capable of performing network-based attacks, like denial of service, flooding, and scanning. Network-based malware infections are also capable of flowing through the network to infect other systems connected within the same range of IP address.
PackedThis type of malware affects the files that are obfuscated using commercial or open file packers. This serves as a code obfuscation technique as packers compress the original binary code using its custom algorithm. Packers are usually legitimate programs, but they are often used by malware authors in packing their own binaries to avoid getting detected through security detection technologies.
PhishingThis type of malware attempts to obtain sensitive information, such as password and credit card numbers, by disguising as a trustworthy entity.
PUAThis type of malware, Potentially unwanted applications (PUA), are programs that are unwanted and usually ships with freeware softwares and tools. PUAs are used to launch hoax advertisements, fake anti-virus scans, selling rogue products, and even launching man-in-the-browser (MitB) attacks.
RansomwareThis is a type of malware that encrypts files so access is denied until a fee is paid. Netskope Threat Protection detects the potentially unauthorized encryption and permits the recovery of encrypted files to the last known usable version (tombstone file). This may be due to a Ransomware attack, or other data destruction attack. We recommend that action is first taken to contain the attack before initiating data recovery.
RogueThis is a type of malware impersonates itself as a legitimate software application and will create alert messages, like software updates, or fake anti-virus warnings. The “updates” or “alerts” in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security program downloads to your computer.
RootkitThis is a type of malware is designed to infect systems, create persistence, and provide backdoor access without getting noticed. It can modify system and processing behavior in the background to display attack controlled information. Advanced rootkits can operate at multiple levels:
  • From the application level by replacing or adjusting the settings of system software to prevent the display of certain information.
  • Through hooking certain functions, or intercepting and modifying kernel level instructions in the operating system.
  • From the deeper level of firmware or virtualization rootkits, which are activated before the operating system and thus even harder to detect while the system is running.
SpywareThis is a type of malware whose objective is to spy on user activities without the user’s consent. This may include keystroke logging, screenshots at regular intervals, data harvesting (login credentials, credit card information, and passwords), etc. The malware usually comes bundled with legitimate software downloaded from third-party and torrent sites.
SpamThis type of malware uses email activity to send unsolicited emails to a large number of users with the intent of advertising, phishing, or spreading malware.
TrojanThis is a type of malware is often disguised as a legitimate software, but it has the capability to spy on the infected machine. Trojan malware might reach to the system through social engineering attacks where users are tricked into executing programs by claiming false capability.
VirusThis is a type of malware that infects other programs to spread itself. On execution, the malware replicates itself by inserting itself into legitimate programs in order to execute and infect other programs when a user launches the legitimate program. The malware can perform further activities on infected hosts, such as stealing data, log keystrokes, send spam emails, and more. The malware can infect programs, documents, scripts, and boot sector. The recovery will require disinfection using an anti-malware software or operating system reinstallation.
WormThis type of malware is capable of replicating itself from one machine to the other either through the network, or through infected external storage devices. Typically malware have the worm functionality in order to self replicate itself and infect as many machines as possible.
Share this Doc

Malware Severity Levels and Detection Types

Or copy link

In this topic ...