threat detection naming schema

Threat Detection Naming Scheme – Trend

In order to alignment with the Computer Antivirus Research Organization (CARO) Scheme, follows the format as described below:

<Threat Type>.<Platform>.< Family>.<Variant>.<Other info*>

Below is a more detailed breakdown of the new format:

threat detection naming schema


Threat Type

The Threat Type represents the main threat category that describes what the main behavior of the threat is.

  • For malware: Trojan, Worm, Virus, Ransomware, Coinminer and Backdoor are the most common threat types that we use.
  • For grayware: Adware, Spyware, and PUA are the most common threat types.


Platform refers to the environment in which the threat is designed to execute and covers both software and hardware. This would include Operating Systems: Windows (Win32, Win64), Mac OS, Linux, and Android, as well as programming languages (scripting language) and file formats (Microsoft Word/Excel/PowerPoint).


Threats with similar behavior are grouped together and referred to as a family. Each family is named based on the behavior it manifests.


To identify different strains of under one family, letters are used in a sequential manner and referred to as the Variant.

Other Information (Optional)

Information deemed useful in providing further insight for some complex threats can make use of this optional section of the scheme. For example, dldr means downloader. Therefore, the detection name Ransom.Win32.Locky.A.dldr provides information that this threat is a downloader for the Locky Ransomware.