Role of threat indicators in scoring

Threat indicators are observations about a file or archive that the

Cylance Engine

has analyzed. These indicators help analysts better understand why the

Cylance Engine

has identified a file as a risk. They provide insight into potential abuse in a quick and easy-to-use format.

It is important to note that there are legitimate uses for each of the identified indicators. The existence of an indicator is not proof positive that an object is acting in a malicious manner. For example, if the file is a process debugger, it may have legitimate use of SEDebugPriv or process injection. Software installers frequently bundle an executable inside.

It is also important to note that these are specific indicators that have a high prevalence in malware, but they do not represent the machine-learning models that we use for classifying a file as good or bad. These models measure millions of data points, and while some of these data points correspond to these specific indicators, the final score for a file is determined by a complex synthesis of all data points. This limited set of threat indicators exists specifically because machine-learning models are difficult for humans to reason about.

Each indicator defines an area that has been frequently seen in malicious software. Many indicators represent capabilities of the included binary; other indicators represent attempts at deception. Each indicator has been identified as a frequent and strongly indicative feature based on a deep analysis of over 100 million binaries.

Threat indicators are grouped into categories to aid in context. Categories help to identify certain potentially undesirable or malicious capabilities.

For a complete list of the threat indicators exposed and a brief description of each indicator, see Appendix: Threat indicators.