Secure Endpoint Naming Conventions

Cisco Secure’s Endpoint solutions protect organizations before, during, and after an attack. Secure Endpoint is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by Talos and Cisco Secure Malware Analytics intelligence feeds. The table below provides a sample of the naming convention patterns of threats collected in Secure Endpoint to help with threat analysis. This list is not exhaustive and is subject to change at any time without notice.

Pattern	Example	Engine Description	Notes
/^.*?(\.1201)$/	W32.Trojan:TR.23m3.1201	Malicious file feed from VirusTotal
/^W32..ab.(VRT\|Talos)$/ or /^W32..ab2$/	W32.BD0A0522.ab.tht.VRT or W32.BD0A0522.ab2	Malicious files related to other malicious files
/APK.[A-F0-9]{10}.agent.tht.Talos/	APK.B2AA59B140.agent.tht.Talos	Malicious android applications
/.*\.amphr.hunt.talos/	Auto.AB6DE0.amphr.hunt.talos	Malicious files based on in-field telemetry
W32.XXXXXXXXXX.auto.Talos	W32.XXXXXXXXXX.auto.Talos	Files marked malicious as a result of analysis by Cisco Secure researchers
/^.*.bck.(VRT\|Talos)$/	W32.7DC9F0E149.bck.tht.VRT	Malicious file feed
/^.Clam\.Heuristics./i	Clam.Heuristics.SWF.SuspectImage.E	ClamAV heuristics engine
/^.*\.Dao\.MRT\.TALOS$/	Win.Dropper.Zbot.Dao.MRT.TALOS	Files marked malicious as a result of tracking multiple malware families
/^\.dk$/	W32.SirefefA.15gc.dk	Malicious files related to other malicious files
Auto\.[A-F0-9]{10}\.Docfile\.tht\.Talos	Auto.040ADE11C9.Docfile.tht.Talos	Malicious office documents
/^W32.*.Dridex.(VRT\|Talos)$/	Doc.2436D135A6.Dridex.tht.Talos	Files marked malicious as a result of tracking multiple malware families
/^W32.substr($sha256,0,9).Dyre.(VRT\|Talos)/	W32.C975F49E5D.Dyre.tht.Talos	Files marked malicious as a result of tracking multiple malware families
/.*\.Emotet\.hunt\.Talos/	Doc.Dropper.Emotet.hunt.Talos	Files marked malicious as a result of tracking multiple malware families
W32\.Trojan\.Emotet::MxP::(Original Poke Name) / Doc\.Downloader\.Emotet::MxP::(Original Poke Name)	W32.Trojan.Emotet::MxP::W32.Auto:bcd3208902.in03.Talos	Files marked malicious as a result of tracking multiple malware families
W32.Auto.%s.EncrOff.MRT.TALOS	W32.Auto.FEEDABBA.EncrOff.MRT.TALOS	Encrypted office documents originating from SPAM
Win32.%s.EP.RET	Win32.9E193268C9.EP.RET	Malicious files based on in-field telemetry
*.tht.Talos	JAR.ABBAFEED.malicious.tht.Talos	Malicious file feed
/^Family::gravity::.*$/	TrickBot::gravity::Auto.3EF943A3A9.221767.in07.Talos	Files marked malicious as a result of tracking multiple malware families
/^Family::MRTART::.*$/	Emotet::MRTART::Auto.4ED743A3A9.334789.Talos	Files marked malicious as a result of tracking multiple malware families
/^W32.Auto.substr($sha256,0,10).FN.MRT.TALOS/	W32.Auto.1212121212.FN.MRT.VRT	Files marked malicious as a result of tracking multiple malware families
/^.*.gba.(VRT\|Talos)$/	W32.BD0A0522.gba.tht.VRT	Malicious files related to other malicious files
/^.*\.gravity\.MRT\.TALOS$/	Auto.Coinminer.Generic.gravity.MRT.Talos	Files marked malicious as a result of tracking multiple malware families
/^W32.substr($sha256,0,9).hide.(VRT\|Talos)/	Auto.EE5E0A4141.hide.dropped.tht.Talos	Malicious files based on in-field telemetry
/File..*\.HPS\.Talos/	File.2fd8fb4a4c.HPS.Talos	Files marked malicious as a result of tracking multiple malware families
/^.*.Hunt.Talos$/	W32.3cfdda.Krypt.Hunt.Talos	Files marked malicious as a result of analysis by Cisco Secure researchers
/^\.hw$/	W32.Downloader:Suspicious_Gen2.15fo.hw	Clean files based on in-field telemetry
/^W32.Auto.substr($sha256,0,6).\d+.in01	W32.Auto.4e5a83.181857.in01	Malicious file feed
/^W32.Auto.substr($sha256,0,6).\d+.in02	W32.Auto.4e5a83.181857.in02	Malicious file feed
/.**\.in03\.talos/	W32.Auto:a07ae0f8e7.in03.Talos	Malicious file feed
/\.*.in04\.Talos$/	Auto.17CC985B71.in04.Talos	Malicious file feed
/.*.\in05\.Talos/	SPAM.ATCH:60337a9f4e.in05.Talos	Malicious files based on email telemetry
*.in06.Talos	Auto.A41DB2B4D4.in06.tht.Talos	Malicious files based on email telemetry
*.in07.talos	Auto.F07D7E1549.232539.in07.Talos	Malicious file feed
Auto.%s.in10.tht.Talos	Auto.F9C80D1C36.in10.tht.Talos	Malicious file feed
*.in11.Talos	Win32.BD0A0522.in11.Talos	Malicious file feed
*.in12.Talos	Win32.BD0A0522.in12.Talos	Malicious file feed
/.*\.inPG\.Talos/	W32.Auto.456789ABCD.inPG.Talos	Malicious file feed
/^.\.SHEATH./	W32.SHEATH.COHORS.DEC.DCB1B0	Malicious files based on heuristics
/^.*.jtti.(VRT\|Talos)$/	Zip.FC8BFFC169.jtti.tht.Talos	Malicious file feed
/Dropper.%s.Locky.tht.Talos/	Dropper.2A4A09DDBA.Locky.tht.Talos	Files marked malicious as a result of tracking multiple malware families
/^.*\.mAGIC\.MRT\.TALOS$/	Win.Dropper.Zbot.521a55ca65.mAGIC.MRT.TALOS	Files marked malicious as a result of analysis by Cisco Secure researchers
Auto.B9F33CB5AC.MalJS.tht.Talos	Auto.B9F33CB5AC.MalJS.tht.Talos	Files marked malicious as a result of tracking multiple malware families
Auto.A18451F177.MalJSDrop.tht.Talos	Auto.A18451F177.MalJSDrop.tht.Talos	Files marked malicious as a result of tracking multiple malware families
Auto.A18451F177.MalJSDropped.tht.Talos	Auto.A18451F177.MalJSDropped.tht.Talos	Files marked malicious as a result of tracking multiple malware families
DOC\..*\.MalMacro\.tht\.Talos	DOC.2B49340786.MalMacro.tht.Talos	Files marked malicious as a result of tracking multiple malware families
PDF.%s.MalPDF.MRT.Talos	PDF.ABBAFEED.MalPDF.MRT.Talos	Malicious files based on email telemetry
W32.%s.Malspam.MRT.Talos	W32.ABBAFEED.Malspam.MRT.Talos	Malicious files based on email telemetry
/^.*\.MASH\.SBX.VIOC$/g	W32.Auto.B0D869.MASH.SBX.VIOC	Malicious files based on automated malware analysis
/W32\.Auto\..*\.MASH\.SR\.SBX\.VIOC$/	W32.Auto.ddea78.MASH.SR.SBX.VIOC	Malicious files based on automated malware analysis
/^.*\.MRT\.VRT$/	W32.Auto.2FC12C.SNPE.MRT.VRT	Malicious files based on email telemetry
!/^W32\./	Suspect.Adware.MWS	Malicious files based on heuristics
PDF.%s.Phishing.EE.e01.Talos	PDF.ABBAFEED.Phishing.EE.e01.Talos	Malicious files based on email telemetry
PDF.%s.Phishing.MRT.Talos	PDF.ABBAFEED.Phishing.MRT.Talos	Malicious files based on email telemetry
/^\.ETHOS$/	W32.ETHOS.COHORS.MAR.E552D1	Malicious files based on heuristics
/^.*\.rc$/	W32.agent.rc	Malicious files based on heuristics
*.ret	W32.Downloader:Sisha.RET	Files marked malicious as a result of tracking multiple malware families
/^W32.substr($sha256,0,9).(TPD1\|TPD2\|LP\|MPOKE).RET.SBX.TG/	W32.E4AE2ECDB5-90.TPD1.RET.SBX.TG	Malicious files based on automated malware analysis, and heuristics
/^Auto\.[A-F0-9]{10}\.RSU-\d+\.tht\.Talos	Auto.058EEB5727.RSU-1202.tht.Talos	Malicious file feed
*.sbmt.tht.talos	Auto.13190D1051.Sbmt.tht.Talos	Malicious file feed
/^W32.substr($sha256,0,9).SBX.TG/	W32.B87EA8206E-95.SBX.TG	Malicious files based on automated malware analysis
/^.*\.IOC$/	W32.Driveby.08.08.IOC	Malicious files based on in-field telemetry
/^.*\.SBX.VIOC$/g	W32.45EFB1547A-100.SBX.VIOC	Malicious files based on automated malware analysis
W32.%s.PTP.CAM	W32.2B3A9A4200.PTP.CAM	Malicious files based on heuristics
/^.\.SPERO.$/	W32.SPERO.Sality.02.12	Malicious files based on heuristics
/spmc.tht.Talos$/	W32.6799F51988.spmc.tht.Talos	Malicious files based on email telemetry
/^.*\.SR\.(THR\|MRT)\.TALOS$/	Win.Dropper.Zbot.521a55ca65.SR.MRT.TALOS	Files marked malicious as a result of tracking multiple malware families
/SSO\.Talos$/	1536252E40.spam.sso.Talos	Files marked malicious as a result of analysis by Cisco
/.*\.TC/	W32.Generic.Malware.FWdld.9CEF586D.TC	Malicious files based on heuristics
*.tdt.Talos	PDF.ABBAFEED.malicious.tdt.Talos	Files marked malicious as a result of analysis by Cisco Secure researchers
/.*\.tg\.talos/	PUA.Win.Dropper.Liuliangbao::tg.talos	Malicious files based on automated malware analysis
/^.*\.tht\.(VRT\|Talos)$/	Word.Trojan.Dropper.tht.VRT	Malicious file feed
/^.*\d[1,2].(VRT\|Talos)	W32.ZoxPNG.72.tht.Talos	Malicious files related to known threat actors
tht	W32.BD0A0522.tht.VRT	Files marked malicious as a result of analysis by Cisco Secure researchers
/^.*.TO.Talos$/	JS.10CE91BB1A.malicious.TO.Talos	Files marked malicious as a result of analysis by Cisco Secure researchers
*.toc.talos	DOC.Auto.A48C1F.TOC.Talos	Malicious file feed
*.tpd	TROJ_GEN:Artemis-tpd	Malicious file feed
/^\.tt$/	W32.Gen:Suspicious_Gen5.15e0.tt	Malicious file feed
/^W32.*.Upatre.(VRT\|Talos)$/	W32.86A4C82E01.Upatre.tht.Talos	Files marked malicious as a result of tracking multiple malware families
/^.*\.VIOC/	W32.VRT.Mashup.VIOC	Malicious files based on automated malware analysis
/^.*\.VRT$/	Win.Trojan.Agent.vrt	Files marked malicious as a result of analysis by Cisco Secure researchers
Doc.%s.xPhish.MRT.Talos	Doc.ABBAFEED.xPhish.MRT.Talos	Malicious files based on email telemetry
Simple_Custom_Detection	Simple_Custom_Detection	Customer developed AMP detection	Customer developed AMP detection
W32\.MAP\..*	W32.MAP.Ransomware.RWD	Malicious Activity Protection (MAP)
/^.*?\.in14.Talos$/	Dacic:Backdoor.26dn.in14.Talos	Files marked malicious as a result of multiple trusted AV vendors
/^\.afa\.Talos$/	Doc.ABBAFEED.AFA.Talos	Malicious files based on email telemetry
HTML.%s.CUA.URL.Talos	HTML.564e12beaa.CUA.URL.Talos	Malicious files based on email telemetry
/.*?::MRTART$/	Archive.Trojan.Indra::MRTART	Unknown
/.*?::TRML$/	Win.Malware.GoziISFB::TRML	Unknown
/.*?.rlsync.Talos$/	Jaik:Artemis.26kf.rlsync.Talos	Unknown
*.tii.Talos	Win.Trojan.IcedID.tii.Talos	Files marked malicious as a result of analysis by Talos Intelligence and Interdiction

Intelligence Center

Vulnerability Research

Security Resources

Media

Company

Secure Endpoint Naming Conventions

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Support

Company