
Threat classifications

The Cylance console shows classification information for threats reported in your organization.
The following is a list of possible file status entries that may appear under classification for each threat, along with a brief description of each entry.
File Unavailable: Due to an upload constraint (example: file is too large to upload), the file is unavailable for analysis. If classification is necessary, contact BlackBerry Support for an alternate method to transfer the file for analysis.
Unknown (blank entry): The file has not been analyzed by the BlackBerry Research team. Once the file is analyzed, the classification will be updated with a new status.
Trusted - Local: The file has been analyzed by the BlackBerry Research team and has been deemed safe (not malicious, not a PUP). A file identified as Trusted - Local can be globally safe listed so that the file will be allowed to execute and not generate any additional alerts if found on other devices within your organization. The file is designated "Local" because it did not come from a trusted source (such as Microsoft or other trusted installers) and therefore cannot be added to our trusted cloud repository.
PUP: The file has been identified as a Potentially Unwanted Program (PUP). This indicates that the program may be unwanted, despite the possibility that users consented to download it. Some PUPs may be permitted to run on a limited set of systems in your organization (example: a VNC application allowed to run on Domain Admin devices). A Cylance console administrator can choose to waive or block PUPs on a per-device basis, or globally quarantine or safe list the file based on company policies. Depending on how much analysis can be performed against a PUP, further subclassification may be possible. Those subclasses are shown below and will aid an administrator in determining whether a particular PUP should be blocked or allowed to run.

| Subclass | Definition | Examples |
|---|---|---|
| Adware | Adware is a technology that provides advertisements (example: pop-ups) or provides bundled third-party add-ons when installing an application. This usually occurs without adequate notification to the user about the nature or presence of the add-on, control over installation, control over use, or the ability to fully uninstall the add-on. | Gator, Adware Info |
| Corrupt | This is any executable that is malformed and unable to run. | |
| Game | These are technologies that create an interactive environment with which a player can play. | Steam Games, League of Legends |
| Generic | This is any PUP that does not fit into an existing category. | |
| HackingTool | These are technologies that are designed to assist hacking attempts. | Cobalt Strike, Metasploit |
| Portable Application | This is a program designed to run on a computer independently, without needing installation. | Turbo |
| Scripting Tool | This is any script that is able to run as if it were an executable. | AutoIT, py2exe |
| Toolbar | These are technologies that place additional buttons or input boxes on-screen within a UI. | Nasdaq Toolbar, Bring Me Sports |
| Other | This is a category for things that don't fit anything else, but are still PUPs. There are a lot of different PUPs, most of which are not malicious, but several should still be brought to the attention of system administrators through our product, usually because they have potentially negative uses or negatively impact a system or network. | |

Dual Use: Dual Use indicates the file can be used for malicious and non-malicious purposes. Caution should be used when allowing the use of these files in your organization.

| Subclass | Definition | Examples |
|---|---|---|
| Crack | These are technologies that can alter (or crack) another application in order to bypass licensing limitations or Digital Rights Management (DRM) protection. | |
| Generic | This is any Dual Use tool that does not fit into an existing subclass. | |
| KeyGen | These are technologies which can generate or recover/reveal product keys that can be used to bypass Digital Rights Management (DRM) or licensing protection of software and other digital media. | |
| MonitoringTool | These are technologies that track a user's online activities without the user's awareness by logging and possibly transmitting logs of one or more of the following: user keystrokes; email messages; chat and instant messaging; web browsing activity; screenshot captures; application usage. | Veriato 360, Refog Keylogger |
| Pass Crack | These are technologies that can reveal a password or other sensitive user credentials either by cryptographically reversing passwords or by revealing stored passwords. | L0phtCrack, Cain & Abel |
| RemoteAccess | These are technologies that can access another system remotely and administer commands on the remote system, or monitor user activities without user notification or consent. | PuTTY, PsExec, TeamViewer |
| Tool | These are programs that offer administrative features but can be used to facilitate attacks or intrusions. | Nmap, Nessus, P0f |

Malware: The BlackBerry Research team has definitively identified the file as a piece of malware; the file should be removed or quarantined as soon as possible. Verified malware can be further subclassified.

| Subclass | Definition | Examples |
|---|---|---|
| Backdoor | This is malware that provides unauthorized access to a system, bypassing security measures. | Back Orifice, Eleanor |
| Bot | This is malware that connects to a central Command and Control (C&C) botnet server. | QBot, Koobface |
| Downloader | This is malware that downloads data to the host system. | Staged-Downloader |
| Dropper | This is malware that installs other malware on a system. | |
| Exploit | This is malware that attacks a specific vulnerability on the system. | |
| FakeAlert | This is malware that masquerades as legitimate security software to trick the user into fixing fake security problems at a price. | Fake AV White Paper |
| Generic | This is any malware that does not fit into an existing category. | |
| InfoStealer | This is malware that records login credentials and/or other sensitive information. | Snifula |
| Parasitic | These are parasitic viruses, also known as file viruses, which spread by attaching themselves to programs. Typically, when you start a program infected with a parasitic virus, the virus code is run. To hide itself, the virus then passes control back to the original program. | |
| Ransom | This is malware that restricts access to a system or files and demands payment for removal of the restriction, thereby holding the system for ransom. | CryptoLocker, CryptoWall |
| Remnant | This is any file that has malware remnants after removal attempts. | |
| Rootkit | This is malware that enables access to a computer while shielding itself or other files to avoid detection and/or removal by administrators or security technologies. | TDL, Zero Access Rootkit |
| Trojan | This is malware that disguises itself as a legitimate program or file. | Zeus |
| Virus | This is malware that propagates by inserting or appending itself to other files. | Sality, Virut |
| Worm | This is malware that propagates by copying itself to another device. | Code Red, Stuxnet |