Find malware detection names for Microsoft Defender for Endpoint

Malware naming schemes vary: the name a family ends up with depends on who first reported it, how the media refers to it, and on the naming conventions individual vendors use. This can make it confusing to work out how Defender for Endpoint detects a specific malware family.

Microsoft names malware according to the Computer Antivirus Research Organization (CARO) naming scheme, in which a detection name encodes the threat type, the platform, the family, the variant, and optionally a suffix with additional information. For example, Microsoft detects the Sunburst cyberattack as Trojan:MSIL/Solorigate.BR!dha: a Trojan for the MSIL (.NET) platform, in the Solorigate family, variant BR.

To understand how Microsoft Defender for Endpoint detects specific malware families, you can follow the steps in Find the detection name for a malware family.

Find the detection name for a malware family

To find the detection name of a malware family, start by searching the web for the malware name plus "hash", then use that hash to get from the public name to Microsoft's name.

  1. Get the name of the malware family.
  2. Search the web for malware family + cyberattack + hash to find a sample hash. Prefer a hash published in a vendor or CERT advisory over one quoted on an unverified site, because a wrong hash leads you to the wrong detection name.
  3. Look up the hash on VirusTotal.
  4. Find the Microsoft row in the detection results; the value there is the name Microsoft uses for the malware.
  5. Look up that name on the [Microsoft Defender Security Intelligence website](https://www.microsoft.com/en-us/wdsi/threats). You should see Microsoft information and guidance specific to that malware.

For example, search for "Sunburst cyberattack hash". One of the pages in the search results should list the hash. In this example, the SHA-256 hash is a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc. Then, look up this hash on VirusTotal.

The Microsoft row in the results shows that Microsoft detects this malware as Trojan:MSIL/Solorigate.BR!dha. When you look up this name on the Microsoft Defender Security Intelligence website, you find information specific to that malware, including technical details and mitigation steps.
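The same lookup can be scripted. The following is an added example, not code from the original page or from Microsoft: it validates the hash before it goes into a URL, fetches the VirusTotal v3 file report for it (assumed endpoint `https://www.virustotal.com/api/v3/files/<hash>` with the key read from an assumed `VT_API_KEY` environment variable), pulls the Microsoft row out of `last_analysis_results`, splits the CARO-style name into its parts, and builds the Security Intelligence encyclopedia URL (the `malware-encyclopedia-description?Name=` pattern is assumed). The JSON report embedded below is constructed to mirror the response shape so that the parsing runs offline without an API key.

```python
"""Resolve a sample hash to Microsoft's CARO-style detection name.

Added example; not part of the original page or Microsoft's own tooling.
Assumptions: VirusTotal v3 file-report endpoint, API key in VT_API_KEY,
and the WDSI encyclopedia URL pattern used in wdsi_url().
"""
import json
import os
import re
import urllib.request
from urllib.parse import quote

# SHA-256 of the Sunburst sample quoted in the article.
SUNBURST_SHA256 = "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"

# Constructed fragment in the shape of a VirusTotal v3 file report. Only the
# fields read below are present; the non-Microsoft vendor entry is illustrative.
SAMPLE_REPORT = json.dumps({
    "data": {
        "id": SUNBURST_SHA256,
        "attributes": {
            "last_analysis_results": {
                "Microsoft": {"category": "malicious",
                              "result": "Trojan:MSIL/Solorigate.BR!dha"},
                "ExampleVendor": {"category": "malicious",
                                  "result": "Backdoor.Sunburst"},
            }
        }
    }
})

# CARO-style name as Microsoft writes it: Type:Platform/Family[.Variant][!Suffix]
CARO_RE = re.compile(
    r"^(?P<type>[^:/]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffix>.+))?$"
)


def validate_sha256(digest):
    """Accept only a 64-hex-digit SHA-256; anything else must not reach a URL."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return digest.lower()


def fetch_report(digest, api_key=None):
    """Fetch the VT v3 file report (network call; assumed endpoint and header)."""
    api_key = api_key or os.environ.get("VT_API_KEY")
    if not api_key:
        raise RuntimeError("set VT_API_KEY to query VirusTotal")
    url = "https://www.virustotal.com/api/v3/files/" + validate_sha256(digest)
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def microsoft_detection(report_json):
    """Return the Microsoft row's detection name, or None if Microsoft has no verdict."""
    report = json.loads(report_json)
    results = report["data"]["attributes"].get("last_analysis_results", {})
    return (results.get("Microsoft") or {}).get("result")


def parse_caro(name):
    """Split a CARO-style name into type, platform, family, variant, suffix."""
    match = CARO_RE.match(name)
    if not match:
        raise ValueError(f"not a CARO-style detection name: {name!r}")
    return match.groupdict()


def wdsi_url(name):
    """Encyclopedia URL for a detection name (assumed URL pattern; name is URL-encoded)."""
    base = "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name="
    return base + quote(name, safe="")


def resolve(report_json):
    """Steps 4 and 5 of the procedure over a report: name, its parts, and the WDSI link."""
    name = microsoft_detection(report_json)
    if name is None:
        return None
    return {"name": name, "parts": parse_caro(name), "url": wdsi_url(name)}


if __name__ == "__main__":
    # Offline run over the constructed report; pass a real report from
    # fetch_report(SUNBURST_SHA256) to resolve() to query VirusTotal instead.
    print(json.dumps(resolve(SAMPLE_REPORT), indent=2))
```

Running the block as-is prints the Solorigate name split into its CARO parts and the encyclopedia link; swapping `SAMPLE_REPORT` for `fetch_report(SUNBURST_SHA256)` performs the live lookup once `VT_API_KEY` is set. Note that a missing Microsoft row returns `None` rather than a name from another vendor, since only Microsoft's name resolves on the Security Intelligence site.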

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.