
Find malware detection names for Microsoft Defender for Endpoint

Different sources use different names for the same malware. The name depends on who found it first, how the media refers to it, and the naming rules each company uses. This can make it hard to know how Defender for Endpoint detects a specific malware family.

Microsoft names malware according to the Computer Antivirus Research Organization (CARO) naming scheme, in the form Type:Platform/Family.Variant!Suffix. For example, Microsoft detects the Sunburst cyberattack as Trojan:MSIL/Solorigate.BR!dha, where Trojan is the type, MSIL the platform, Solorigate the family, BR the variant, and dha the suffix.

To find how Microsoft Defender for Endpoint detects a malware family, follow the steps in Find the detection name for a malware family.

Find the detection name for a malware family

To find the detection name of a malware family, search the web for the malware name together with "hash" to obtain the hash of a known sample, then look that hash up in VirusTotal.

  1. Get the name of the malware family.
  2. Search the web for malware family + cyberattack + hash to find the hash of a sample (an MD5, SHA-1, or SHA-256 value).
  3. Look up the hash in VirusTotal.
  4. Find the Microsoft row in the detection results; the value in that row is the Microsoft detection name.
  5. Look up that detection name in the Microsoft Defender Security Intelligence website. You should see Microsoft information and guidance specific to that malware.

For example, search for the "Sunburst cyberattack hash". One of the websites returned in the search results should have the hash. In this example, the hash is the SHA-256 value a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc. Then, look up this hash in VirusTotal.

The results show that the Microsoft row detects the Sunburst malware as Trojan:MSIL/Solorigate.BR!dha. When you look up Trojan:MSIL/Solorigate.BR!dha in the Microsoft Defender Security Intelligence website, you find information specific to that malware family, including technical details and mitigation steps. Other samples of the same family may carry a different variant or suffix (the parts after the family name), so treat Solorigate as the family name to search for rather than the full string.
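The lookup above can be scripted. The following is an added example and is not code from the original article or from Microsoft: it assumes the VirusTotal v3 file-report endpoint (GET /api/v3/files/{hash} with an x-apikey header) and the shape of its last_analysis_results map, and it assumes the URL format of the Defender Security Intelligence encyclopedia. The SAMPLE_RESPONSE is constructed to mirror a VirusTotal reply so the script runs offline; the live fetch is only used when a VT_API_KEY environment variable is set.

```python
"""Find the Microsoft Defender detection name for a file hash and split the
CARO-style name into Type:Platform/Family.Variant!Suffix.

Added example, not the article's own code. Assumes the VirusTotal v3 "files"
endpoint and response layout; SAMPLE_RESPONSE is constructed, not a real reply.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from typing import Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
# Defender Security Intelligence encyclopedia lookup (URL format assumed).
WDSI_URL = ("https://www.microsoft.com/en-us/wdsi/threats/"
            "malware-encyclopedia-description?Name=")

# SHA-256 quoted in the article for the Sunburst sample.
SUNBURST_SHA256 = "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"

# Constructed stand-in for a VirusTotal v3 file report (only the fields used here).
SAMPLE_RESPONSE = {
    "data": {
        "id": SUNBURST_SHA256,
        "attributes": {
            "last_analysis_results": {
                "Microsoft": {"engine_name": "Microsoft", "category": "malicious",
                              "result": "Trojan:MSIL/Solorigate.BR!dha"},
                "VendorA": {"engine_name": "VendorA", "category": "malicious",
                            "result": "SUNBURST.Backdoor"},
                "VendorB": {"engine_name": "VendorB", "category": "undetected",
                            "result": None},
            }
        }
    }
}

# Microsoft's CARO-style layout: Type:Platform/Family.Variant!Suffix.
# Platform, Variant and Suffix are optional (e.g. PUA:Win32/Presenoker).
CARO_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"
    r"(?:(?P<platform>[A-Za-z0-9_]+)/)?"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<suffix>[A-Za-z0-9.!]+))?$"
)


def is_sha256(value: str) -> bool:
    """True for a 64-hex-digit string (VirusTotal also accepts MD5 and SHA-1)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def microsoft_detection(report: dict) -> Optional[str]:
    """Return the Microsoft engine's detection name from a v3 file report, or None."""
    results = report["data"]["attributes"]["last_analysis_results"]
    row = results.get("Microsoft")
    if not row or not row.get("result"):
        return None  # engine absent, undetected, or file type unsupported
    return row["result"]


def parse_caro_name(name: str) -> dict:
    """Split a Microsoft detection name into its CARO components."""
    match = CARO_RE.match(name)
    if not match:
        raise ValueError(f"not a CARO-style name: {name!r}")
    return match.groupdict()


def wdsi_url(name: str) -> str:
    """Encyclopedia URL for a detection name (':' '/' '!' must be percent-encoded)."""
    return WDSI_URL + urllib.parse.quote(name, safe="")


def fetch_vt_report(file_hash: str, api_key: str) -> dict:
    """Live VirusTotal lookup; needs network access and an API key."""
    req = urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def lookup(file_hash: str, report: Optional[dict] = None) -> dict:
    """Steps 3-5 of the article's procedure: hash -> Microsoft name -> encyclopedia URL."""
    if report is None:
        api_key = os.environ.get("VT_API_KEY")
        if not api_key:
            raise RuntimeError("set VT_API_KEY for a live lookup, or pass a report")
        report = fetch_vt_report(file_hash, api_key)
    name = microsoft_detection(report)
    if name is None:
        return {"hash": file_hash, "microsoft_name": None}
    return {"hash": file_hash, "microsoft_name": name,
            **parse_caro_name(name), "encyclopedia_url": wdsi_url(name)}


if __name__ == "__main__":
    # Offline run against the constructed report; set VT_API_KEY and drop the
    # second argument for a live query.
    print(json.dumps(lookup(SUNBURST_SHA256, SAMPLE_RESPONSE), indent=2))
```

The family component returned by parse_caro_name (Solorigate here) is the stable part to pivot on: other samples of the same campaign will differ in variant and suffix, and VirusTotal's Microsoft row reports whatever name the engine assigned to that particular file.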