
Proposal: Allow AV Classifications to be captured for any CybOX Object

Ivan Kirillov edited this page Jul 20, 2015 · 9 revisions

Status: Open
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issues: https://github.com/MAECProject/schemas/issues/99

Background Information

Currently, AV Classifications can only be captured for a malware instance characterized by a Malware Subject or Bundle (via the Malware_Instance_Object_Attributes field). Unfortunately this means that AV Classifications cannot be captured for other CybOX Objects, such as those that result from Actions.

Related Proposals

This proposal is related to the following proposed changes to the schema:

  - https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-output-format)
  - https://github.com/MAECProject/schemas/wiki/Proposal:-Add-Field-to-Indicate-AV-Tool-Detection

Proposal

We propose to make the AVClassificationType an extension of the CybOX DomainSpecificAttributesType, so that it can be used in the Domain_Specific_Object_Properties field on a CybOX Object.

The existing maecBundle:AVClassificationsType will be deprecated.

We propose a new AVClassificationsType, defined in the Package schema, to capture a set of one or more AV Classifications of CybOX Objects. This type extends the cybox:DomainSpecificAttributesType base type with the following fields:

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| AV_Classification | AVClassificationType | 1-* | The AV_Classification field captures a single AV classification of a CybOX Object. |

Similar to before, the AVClassificationType, defined in the MAEC Core (formerly MAEC Bundle) schema, extends the cyboxCommon:ToolInformationType with the following fields:

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| @scan_date | xs:dateTime | 0-1 | The scan_date field specifies the date and time of the scan. This field can be used to capture how a scan changes over time. |
| Engine_Version | xs:string | 0-1 | The Engine_Version field captures the version of the AV engine used by the AV scanner tool. |
| Definition_Version | xs:string | 0-1 | The Definition_Version field captures the version of the AV definitions used by the AV scanner tool. |
| Classification_Name | xs:string | 0-1 | The Classification_Name field captures the classification assigned to the CybOX Object by the AV scanner tool. |

Note that the only difference between this type and the previous (MAEC v4.1) version is the addition of the @scan_date field.

Example

<Object>
    <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
        <AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44">
            <Name>Security Essentials</Name>
            <Vendor>Microsoft</Vendor>
            <Engine_Version>4.2.3</Engine_Version>
            <Definition_Version>032415-0011</Definition_Version>
            <Classification_Name>Zeus.A.D</Classification_Name>
        </AV_Classification>
        <AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14">
            <Name>Security Essentials</Name>
            <Vendor>Microsoft</Vendor>
            <Engine_Version>5.1.0</Engine_Version>
            <Definition_Version>053514-0062</Definition_Version>
            <Classification_Name>Zeus.D.C</Classification_Name>
        </AV_Classification>
    </Domain_Specific_Object_Properties>
    <Properties xsi:type="FileObj:FileObjectType">
        <File_Name>kernal32.dll</File_Name>
    </Properties>
</Object>
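As an added illustration (not code from the proposal or the MAEC project), the following Python reads an Object carrying the proposed AVClassificationsType extension, ignores any other Domain_Specific_Object_Properties, orders the AV_Classification entries by the optional scan_date, and reports where a tool's Classification_Name changed between scans. The sample is constructed from the example above; the maec and FileObj namespace URIs are assumptions needed only so the xsi:type prefixes resolve, and element namespaces are omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed sample mirroring the page's example, scans deliberately out of order.
# The maec/FileObj namespace URIs are assumed; element namespaces are omitted.
SAMPLE = """<Object xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:maec="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
  <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
    <AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14">
      <Name>Security Essentials</Name><Vendor>Microsoft</Vendor>
      <Engine_Version>5.1.0</Engine_Version><Definition_Version>053514-0062</Definition_Version>
      <Classification_Name>Zeus.D.C</Classification_Name>
    </AV_Classification>
    <AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44">
      <Name>Security Essentials</Name><Vendor>Microsoft</Vendor>
      <Engine_Version>4.2.3</Engine_Version><Definition_Version>032415-0011</Definition_Version>
      <Classification_Name>Zeus.A.D</Classification_Name>
    </AV_Classification>
  </Domain_Specific_Object_Properties>
  <Properties xsi:type="FileObj:FileObjectType"><File_Name>kernal32.dll</File_Name></Properties>
</Object>"""


def av_classifications(object_xml):
    """AV classifications carried by a CybOX Object, oldest scan first ([] if none)."""
    found = []
    for dsop in ET.fromstring(object_xml).findall("Domain_Specific_Object_Properties"):
        if not dsop.get(XSI_TYPE, "").endswith(":AVClassificationsType"):
            continue  # some other domain-specific extension; not ours
        for av in dsop.findall("AV_Classification"):
            raw_date = av.get("scan_date")  # optional (0-1) in the proposal
            found.append({"id": av.get("id"),
                          "scan_date": datetime.fromisoformat(raw_date) if raw_date else None,
                          "tool": (av.findtext("Vendor"), av.findtext("Name")),
                          "engine": av.findtext("Engine_Version"),
                          "definitions": av.findtext("Definition_Version"),
                          "classification": av.findtext("Classification_Name")})
    # undated scans cannot be placed on the timeline, so they sort first
    found.sort(key=lambda c: (c["scan_date"] is not None, c["scan_date"] or datetime.min))
    return found


def classification_changes(object_xml):
    """Per (vendor, tool name): the scans at which the assigned classification changed."""
    history, last = {}, {}
    for c in av_classifications(object_xml):
        if last.get(c["tool"]) != c["classification"]:
            history.setdefault(c["tool"], []).append((c["scan_date"], c["classification"]))
            last[c["tool"]] = c["classification"]
    return history
```

Calling classification_changes(SAMPLE) yields, for ("Microsoft", "Security Essentials"), the two dated name changes Zeus.A.D then Zeus.D.C, which is the kind of scan-over-time record the scan_date field is meant to support.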

Impact

This change will not be backward compatible and is one of several revisions planned for the new major version.

Requested Feedback

  1. Is it important to capture AV classifications of CybOX Objects (and not just malware instances)?
  2. Would it be preferable to define AV Classifications as top level objects in a MAEC Package?
  3. Is there any issue with AVClassificationType duplicating the Name and Vendor fields in the cyboxCommon:ToolInformationType?
  4. Is the scan_date field sufficient for capturing changes in scans over time?
  5. Would it work well for an Analysis to reference an AV classification by its id field?