dca_interface 6.3.4
Malware Classification

The Malware classification package analyzes hashes and returns the matching categories and their corresponding category values. The classification result indicates whether a given hash belongs to a malicious file or not.

Initialization

To use the Malware classification functions, the Malware classification package must first be initialized. To do this, create an instance of the dca_malware::MalwareClassification module using dca_malware::MalwareClassification::create().

Set up a connection to a Malware database using the database type dca_malware::DBT_Malware. Refer to Setting up a Database Connection for the steps required to do this.

Once a connection to the Malware database has been established, an instance of dca_malware::MalwareDbClassifier must be created. Use dca_malware::MalwareClassification::createDbClassifier(), passing the newly created database connection object as the parameter.

The classifier takes a dca_malware::Hash as input and returns a dca_malware::MalwareClassificationResults object containing all matching categories and their corresponding values.

Classification

The Malware classification returns a set of matched categories and corresponding values. The following categories are currently supported:

  • Malware
  • Vendor Coverage

Example
A Malware classification result contains one entry with dca_malware::MalwareClassificationResult::categoryId = 1 and dca_malware::MalwareClassificationResult::value = 1, and a second entry with dca_malware::MalwareClassificationResult::categoryId = 2 and dca_malware::MalwareClassificationResult::value = 40.

CategoryId 1 denotes the Malware category (dca_malware::MALWARE_CATEGORY_MALWARE), and the value 1 indicates that the supplied hash belongs to a malicious file. If this category is missing from a malware classification result, the hash does not belong to a malicious file.

CategoryId 2 denotes the Vendor Coverage category (dca_malware::MALWARE_CATEGORY_ID_VENDOR_COVERAGE), and the value 40 means that 40% of all vendors have information about the hash.
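The following added example shows how a caller would interpret a result set of the shape described above, including the case where the Malware category is absent. It is not part of the dca_interface SDK: the ResultEntry struct, the interpret() and describe() functions and the sample entries are constructed stand-ins that model the documented categoryId/value pairs, and the category ids 1 and 2 are the ones given in the example above.

```cpp
// Added illustration of consuming a Malware classification result.
// ResultEntry, Verdict, interpret() and describe() are assumptions modelling
// the documented result shape; they are not dca_malware SDK types or calls.
#include <optional>
#include <string>
#include <vector>

// Category ids as used in the documentation's example.
constexpr int CATEGORY_MALWARE = 1;          // dca_malware::MALWARE_CATEGORY_MALWARE
constexpr int CATEGORY_VENDOR_COVERAGE = 2;  // dca_malware::MALWARE_CATEGORY_ID_VENDOR_COVERAGE

// Stand-in for one dca_malware::MalwareClassificationResult entry.
struct ResultEntry {
    int categoryId;
    int value;
};

// What a caller actually needs from the whole result set.
struct Verdict {
    bool malicious;                     // true only if category 1 is present with value 1
    std::optional<int> vendorCoverage;  // percent of vendors knowing the hash, if reported
};

// Interpret a result set as the documentation describes:
//  - Malware category (id 1) present with value 1 -> malicious
//  - Malware category absent                      -> not malicious
//  - Vendor Coverage (id 2) with value N          -> N% of vendors know the hash
// Any other value for category 1 is treated as "not malicious" (assumption).
Verdict interpret(const std::vector<ResultEntry>& results) {
    Verdict v{false, std::nullopt};
    for (const ResultEntry& e : results) {
        if (e.categoryId == CATEGORY_MALWARE) {
            v.malicious = (e.value == 1);
        } else if (e.categoryId == CATEGORY_VENDOR_COVERAGE) {
            v.vendorCoverage = e.value;
        }
    }
    return v;
}

// One-line summary suitable for a log entry or an analyst note.
std::string describe(const Verdict& v) {
    std::string s = v.malicious ? "malicious" : "not malicious";
    if (v.vendorCoverage) {
        s += ", vendor coverage " + std::to_string(*v.vendorCoverage) + "%";
    } else {
        s += ", vendor coverage unknown";
    }
    return s;
}
```

With the page's example entries {1, 1} and {2, 40}, describe(interpret(...)) yields "malicious, vendor coverage 40%"; a result set lacking category 1 is reported as not malicious.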

Enumeration

To enumerate all known categories, enums and locales, use a dca_malware::MalwareCategoriesInfo object. This can be obtained from the dca_malware::MalwareClassification::getCategoriesInfo() function.

We provide the following class structures:

Categories (dca_malware::MalwareCategories)

This is a container for dca_malware::MalwareCategory objects. It lists all supported categories.

Enums (dca_malware::MalwareEnums)

This is a container for dca_malware::MalwareEnum objects.

Locales (dca_malware::MalwareLocales)

This is a container for dca_malware::MalwareLocale objects. It lists all supported locales. Locales are used to provide language specific names for the available categories and enum objects.

The default locale is "en_US". If you wish to use a different locale, the name() function provided by the relevant objects takes an optional parameter that specifies the locale. If the locale does not exist, or no localization is available for the particular string, the default locale is used.

See also
dca_malware::MalwareCategory, dca_malware::MalwareEnum, dca_malware::MalwareLocale