CIS Malware Naming Rules for Potentially dangerous applications/RiskWare

The purpose of this post is to answer the frequently asked question as to why certain programs are being detected by CIS even though they are known to be legitimate ones.

We use the following naming schemes. Each one covers certain types of applications, as explained below:

ApplicUnwnt - Unwanted programs which the user may not have wanted to install, but inadvertently installed. (Ex: Adware programs, Joke programs, Dialer applications, etc.)

ApplicUnsaf - Applications that are legitimate, but have a history of being used as part of malware or have the potential to be used by a malicious user to harm the user. (Ex: Fake av programs, fraud tools, some irc clients, keyloggers, etc.)

Application - Same as above, but with pretty low severity. (Ex: some server/client applications, commercial monitoring applications, etc.)

A detection name would look like, for example, ApplicUnsaf.Win32.FraudTool.xXx.yYy. If you find that one of your known applications is being detected, it could be because it falls under one of the categories mentioned above. Such detections are primarily for basic computer users, to let them know about the presence of such applications on their computer. It is always possible to add the programs to the exclusion list if they were installed intentionally, with the knowledge of the user.

Regards,
Baskar.
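The sketch below is an added example, not part of the original post and not Comodo code. It shows how an administrator could sort detection names from a scan log into the three categories above before deciding on exclusions. The field layout after the prefix (platform, type, variant), the review priorities and all sample names except the one quoted in the post are assumptions.

```python
import re
from collections import defaultdict

# Prefix -> (category as described in the post, review priority).
# The numeric priorities are an assumption of this sketch.
PREFIXES = {
    "ApplicUnwnt": ("unwanted program", 2),
    "ApplicUnsaf": ("legitimate but unsafe application", 3),
    "Application": ("low-severity application", 1),
}
NAME_RE = re.compile(r"^([A-Za-z]+)\.([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*)$")

# Constructed sample; only the second name appears in the post.
SAMPLE = [
    "Application.Win32.RemoteTool.aaa.bbb",
    "ApplicUnsaf.Win32.FraudTool.xXx.yYy",
    "OtherPrefix.Win32.Sample.ccc.ddd",
    "ApplicUnwnt.Win32.Adware.eee.fff",
]

def parse_detection(name):
    """Split a dotted detection name and classify its prefix."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dotted detection name: {name!r}")
    prefix, parts = m.group(1), m.group(2).split(".")
    category, priority = PREFIXES.get(prefix, (None, 0))
    return {
        "name": name.strip(), "prefix": prefix,
        "riskware": category is not None,
        "category": category, "priority": priority,
        # Assumed field layout: platform, type, then variant identifiers.
        "platform": parts[0],
        "type": parts[1] if len(parts) > 1 else None,
        "variant": ".".join(parts[2:]) or None,
    }

def triage(names):
    """Riskware goes to an exclusion-review queue, highest priority first;
    any other detection name is kept apart and never offered for exclusion."""
    queues = defaultdict(list)
    for n in names:
        d = parse_detection(n)
        queues["review" if d["riskware"] else "other"].append(d)
    queues["review"].sort(key=lambda d: -d["priority"])
    return dict(queues)

if __name__ == "__main__":
    for d in triage(SAMPLE)["review"]:
        print(d["priority"], d["name"], "->", d["category"])
```

Matching on the exact prefix keeps an exclusion decision limited to the three riskware categories, so a name with any other prefix is never queued for exclusion by mistake.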