5. Tagging objects
Tags are used for basic object classification, allowing you to quickly search for interesting samples in a malware feed.
Tags can be added only if the user has the adding_tags capability turned on. Check your capabilities in
In mwdb.cert.pl you are allowed to add tags, but you can't remove them (removing_tags is required). If you see that a malware family has not been correctly recognized by mwdb.cert.pl, you can leave a comment or set a maybe:<family> tag to help us track these issues.
Built-in tag conventions
You have probably already noticed that tags are colored differently depending on their prefix. That's because MWDB has a few tag conventions built in to highlight certain groups of tags.
Simple tags (no prefix) are red. In mwdb.cert.pl they're mostly used for marking the identified malware name.
Tags describing the source are blue (for example feed:). feed: tags are the most special, because you can easily filter out all external feeds by choosing the built-in Exclude feed:* option in the Quick query bar.
Tags indicating matched malware are yellow (ripped:, contains:). In mwdb.cert.pl we mark the original sample with a ripped:<family> tag. Unpacked samples or dumps originating from ripped samples are added as children and tagged red with the malware family name.
If you want to get only samples that are marked as malicious with high confidence, use the Only ripped:* button in the Quick query bar.
File types can be additionally classified with another group of gray tags (
Generic tags containing : are cyan. We use them to add secondary tags fetched from the feed or indicating a classification result by other systems (e.g.