Skip to main content

How is the Verdict Calculated?

  • Updated

 

Intezer detects and classifies files based on various parameters, such as the genetic analysis of code and strings, as well as static metadata and other attributes.

 

Table of Contents

  1. List of Verdicts
    1. Malicious
    2. Trusted

    3. No Threats Detected

    4. Suspicious
    5. Unknown
    6. Not Supported
  2. List of Sub-Verdicts
    1. Trusted
    2. Malicious
    3. Suspicious
    4. Unknown
    5. Not Supported

 

List of Verdicts

The verdict indicates whether a file is malicious, suspicious, trusted or unknown.

The color of various entities displayed in the interface indicate the classification determined by Intezer Analyze, as follows:

 

Malicious

Color: Red

Based on the genetic analysis of the file, we have concluded that the file is a malware file. This verdict can result from a strong connection to a specific malware family (code reuse, string reuse) or because we have observed a malicious behavior pattern during dynamic execution.

mceclip0.png

 

Trusted

Color: Green

Based on the genetic analysis of the file, we have concluded that the file is legitimate trusted software. Examples include cases where the analyzed file is composed solely of code that was found in known legitimate files, or is digitally signed by a trusted source.

mceclip1.png

 

No Threats Detected

Color: Green

No malicious indicators were observed during the analysis of the file. This verdict is used for certain file types when which don’t undergo genetic analysis (e.g non-executable files)

 

Suspicious

Color: Orange

Our genetic analysis of the file revealed suspicious indicators that are worth further investigation. Examples include cases where we find genetic connections to known malware files that were not strong enough to classify as malicious, administration tools, packed files and obfuscated files.

mceclip0.png

 

Unknown

Color: Purple

It could not be reliably determined whether the file is malicious or not. Most commonly, this is because the file has no clear genetic connections to any known software, or has little to no genetic artifacts (code, strings, behavioral patterns) we could analyze.

mceclip1.png

 

Not Supported

Color: Purple

This type of file is not supported.

 

List of Sub-Verdicts

The sub-verdict indicates the reason for the calculated verdict. Each verdict has a few sub verdicts as specified here:

 

Trusted

  • Known Trusted: This file is a known trusted software and exists in Intezer's trusted files list.
  • Trusted: This file contains a significant amount of code from trusted software, therefore it's very unlikely that it's malicious.
  • Probably Trusted: The file contains some characteristics of trusted software.
  • Known Library: This file is a known library and can be used in both trusted and malicious software.
  • Library: This file contains a significant amount of code from known libraries and therefore is classified as a library.

 

Malicious

  • Known Malicious: This file is a known malware and exists in Intezer's blocklist and/or is recognized by other security vendors.
  • Malicious: This file is malicious based on our genetic analysis.

 

Suspicious

  • Administration Tool: Various tools are used for administration tasks by both malware and trusted software and may be legitimate, or part of malicious activity such as PuTTY and winSCP. It is recommended to understand the context of the file in order to determine whether the file is malicious or not.
  • Known Administration Tool: This file is a known administration tool and can be used for both legitimate IT administration purposes and also malicious activities
  • Packed: Based on code reuse and other parameters it is determined that this file is a packer.
  • Probably Packed: Based on code reuse analysis and other parameters, this file is probably packed. The file should be sent to dynamic analysis to reveal the true code ‘DNA’ of the file.
  • Script: The file contains a non-binary script that couldn’t be validated using genetic code analysis.

 

Unknown

  • Unique: This file contains a significant amount of unique code that has never been seen before in any trusted or malicious software. If you know whether or not this file is malicious, it is recommended to privately index it so that it is classified in your system and you will be able to immediately classify any future variant that reuses the same code..
  • No Genes: There were no genes extracted, as this file does not contain any significant fragments of code.
  • Almost No Genes: We managed to extract very few genes, although not enough to reliably determine the file’s origin.
  • Inconclusive: We could not reliably determine whether the file is trusted or malicious.
  • Installer: The file is an installer which can mask the true contents of the file beneath the installer’s code.
  • No Code: There are no executable sections in the file which usually means it’s a resource file, containing only data and no code.

 

Not Supported

  • File Type Not Supported: This file type or architecture is not supported.
  • Non-Native Code: The file’s code written in a non native, interpreted language not supported by intezer.
  • Corrupted File: This file is corrupted. Although the file could not be analyzed, such corruption is frequently seen in malware to avoid detection.
Return to top