Proposal: Allow AV Classifications to be captured for any CybOX Object
Status: Open
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issues: https://github.com/MAECProject/schemas/issues/99
Currently, AV Classifications can only be captured for a malware instance characterized by a Malware Subject or Bundle (via the Malware_Instance_Object_Attributes field). Unfortunately this means that AV Classifications cannot be captured for other CybOX Objects, such as those that result from Actions.
This proposal is related to the following proposed changes to the schema:
- https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-output-format)
- https://github.com/MAECProject/schemas/wiki/Proposal:-Add-Field-to-Indicate-AV-Tool-Detection

We propose to make the `AVClassificationType` an extension of the CybOX `DomainSpecificAttributesType`, so that it can be used in the `Domain_Specific_Object_Properties` field on a CybOX Object. The existing `maecBundle:AVClassificationsType` will be deprecated.

We propose a new `AVClassificationsType`, defined in the Package schema, to capture a set of one or more AV Classifications of CybOX Objects. This type extends the `cybox:DomainSpecificAttributesType` base type with the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| AV_Classification | AVClassificationType | 1-* | The AV_Classification field captures a single AV classification of a CybOX Object. |
Similar to before, the `AVClassificationType`, defined in the MAEC Core (formerly MAEC Bundle) schema, extends the `cyboxCommon:ToolInformationType` with the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| @scan_date | xs:dateTime | 0-1 | The scan_date field specifies the date and time of the scan. This field can be used to capture how a scan changes over time. |
| Engine_Version | xs:string | 0-1 | The Engine_Version field captures the version of the AV engine used by the AV scanner tool. |
| Definition_Version | xs:string | 0-1 | The Definition_Version field captures the version of the AV definitions used by the AV scanner tool. |
| Classification_Name | xs:string | 0-1 | The Classification_Name field captures the classification assigned to the CybOX Object by the AV scanner tool. |

Note that the only difference between this type and the previous (MAEC v4.1) version is the addition of the `@scan_date` field.
```xml
<Object>
  <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
    <AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44">
      <Name>Security Essentials</Name>
      <Vendor>Microsoft</Vendor>
      <Engine_Version>4.2.3</Engine_Version>
      <Definition_Version>032415-0011</Definition_Version>
      <Classification_Name>Zeus.A.D</Classification_Name>
    </AV_Classification>
    <AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14">
      <Name>Security Essentials</Name>
      <Vendor>Microsoft</Vendor>
      <Engine_Version>5.1.0</Engine_Version>
      <Definition_Version>053514-0062</Definition_Version>
      <Classification_Name>Zeus.D.C</Classification_Name>
    </AV_Classification>
  </Domain_Specific_Object_Properties>
  <Properties xsi:type="FileObj:FileObjectType">
    <File_Name>kernal32.dll</File_Name>
  </Properties>
</Object>
```
This change will not be backward compatible and is one of several revisions planned for the new major version.
- Is it important to capture AV classifications of CybOX Objects (and not just malware instances)?
- Would it be preferable to define AV Classifications as top level objects in a MAEC Package?
- Is there any issue with `AVClassificationType` duplicating the Name and Vendor fields in the `cyboxCommon:ToolInformationType`?
- Is the scan_date field sufficient for capturing changes in scans over time?
- Would it work well for an Analysis to reference an AV classification by its id field?