Find malware detection names for Microsoft Defender for Endpoint

Applies to:

It can be hard to work out how Defender for Endpoint detects a specific malware family, because malware naming varies: it depends on who first reports the threat, what the media call it, and the naming conventions each vendor uses.

Microsoft is part of the Microsoft Virus Information Alliance (VIA) program, a public collaboration program to help fight cybercrime, and names malware according to the Computer Antivirus Research Organization (CARO) naming scheme. For example, Microsoft detects the Sunburst cyberattack as Trojan:MSIL/Solorigate.BR!dha, which reads as type (Trojan), platform (MSIL), family (Solorigate), variant (BR) and suffix (dha).

To understand how Microsoft Defender for Endpoint detects specific malware families, you can follow the process outlined below.

Find the detection name for a malware family

To find the detection name of a malware family, start from a sample hash: search the internet for the malware name plus "hash", then trace that hash back to Microsoft's name for it.

  1. Get the name of the malware family.
  2. Search the web for the malware family name + "cyberattack" + "hash" to find a sample hash (MD5, SHA-1 or SHA-256).
  3. Look up the hash in VirusTotal.
  4. Find the Microsoft row in the per-engine results; that is how Microsoft names the malware.
  5. Look up that name in the [Microsoft Defender Security Intelligence website](https://www.microsoft.com/en-us/wdsi/threats). You should see Microsoft information and guidance specific to that malware.

For example, search for "Sunburst cyberattack hash". One of the websites in the search results should list the hash; in this example it is the SHA-256 a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc. Then look up this hash in VirusTotal.

The Microsoft row shows that this file is detected as Trojan:MSIL/Solorigate.BR!dha. Searching for that name in the Microsoft Defender Security Intelligence website gives information specific to the malware, including technical details and mitigation steps. Threat write-ups often list several hashes for one campaign (droppers, loaders, the final payload), and each can carry a different detection name, so confirm that the sample you pick is the component you care about.
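The steps above, carried through in code as an added example (this is not Microsoft tooling or part of the original page). Only the Sunburst hash and the Microsoft detection name come from the text; the VirusTotal reply below is a constructed stand-in trimmed to the fields a VirusTotal v3 `GET /files/{hash}` object actually contains, and the other engine rows in it are placeholders. The `Name=` query parameter used to build the encyclopedia link is an assumption about the Security Intelligence site's URL scheme.

```python
"""Find the Microsoft (Defender) detection name for a file hash.

Added example: walks steps 3-5 of the procedure above. Not Microsoft's own
tooling; SAMPLE_VT_RESPONSE is a constructed sample, not a real API reply.
"""
import json
import re
import urllib.parse
import urllib.request

# Step 2 output: the Sunburst SHA-256 quoted in the text above.
SUNBURST_SHA256 = "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"

# Constructed stand-in for a VirusTotal v3 GET /files/{hash} reply, trimmed to
# the fields this script reads. Only the Microsoft row is taken from the text;
# the other engine rows are placeholders so the filtering is exercised.
SAMPLE_VT_RESPONSE = {
    "data": {
        "id": SUNBURST_SHA256,
        "attributes": {
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "engine_name": "Microsoft",
                              "result": "Trojan:MSIL/Solorigate.BR!dha"},
                "ExampleAV": {"category": "malicious", "engine_name": "ExampleAV",
                              "result": "Placeholder.Name"},  # constructed
                "OtherAV": {"category": "undetected", "engine_name": "OtherAV",
                            "result": None},  # constructed
            }
        },
    }
}

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digest, as found in threat write-ups.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

# CARO-style name as Microsoft writes it: Type:Platform/Family[.Variant][!Suffix]
CARO_RE = re.compile(
    r"^(?P<type>[^:/]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffix>.+))?$"
)

# Assumed URL scheme for the Security Intelligence encyclopedia entry.
WDSI_BASE = "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description"


def is_file_hash(value: str) -> bool:
    """Reject anything that is not a plausible hash before spending an API call."""
    return bool(HASH_RE.match(value.strip()))


def fetch_vt_report(file_hash: str, api_key: str) -> dict:
    """Step 3, online: fetch the VirusTotal v3 file object (needs an API key).
    Not called by the offline demo below."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{file_hash}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def microsoft_detection(vt_report: dict):
    """Step 4: pull the Microsoft engine's verdict out of the per-engine table.
    Returns None when Microsoft has no row or reports no detection name."""
    results = vt_report["data"]["attributes"]["last_analysis_results"]
    row = results.get("Microsoft")
    if not row or not row.get("result"):
        return None
    return row["result"]


def parse_caro_name(name: str) -> dict:
    """Split a Microsoft detection name into its CARO components."""
    m = CARO_RE.match(name)
    if not m:
        raise ValueError(f"not a Type:Platform/Family name: {name!r}")
    return m.groupdict()


def encyclopedia_url(name: str) -> str:
    """Step 5: link into the Security Intelligence encyclopedia (URL scheme assumed)."""
    return f"{WDSI_BASE}?Name={urllib.parse.quote(name, safe='')}"


def lookup(vt_report: dict) -> dict:
    """Run steps 4-5 over a fetched report and return what the analyst needs."""
    name = microsoft_detection(vt_report)
    if name is None:
        return {"hash": vt_report["data"]["id"], "microsoft": None}
    return {
        "hash": vt_report["data"]["id"],
        "microsoft": name,
        "components": parse_caro_name(name),
        "encyclopedia": encyclopedia_url(name),
    }


if __name__ == "__main__":
    if not is_file_hash(SUNBURST_SHA256):
        raise SystemExit("not a hash")
    print(json.dumps(lookup(SAMPLE_VT_RESPONSE), indent=2))
```

To run it against a live sample, replace `SAMPLE_VT_RESPONSE` with `fetch_vt_report(SUNBURST_SHA256, api_key)`; the parsing and link-building are the same either way. `parse_caro_name` also handles names without a variant (for example a name of the form `Trojan:Win32/Family!ml`), which is common for generic and machine-learning detections.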

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.