5. Tagging objects
Tags are used for basic object classification, allowing you to quickly search for interesting samples in a malware feed.
Warning
Tags can be added only if the user has the adding_tags capability turned on. Check your capabilities in the Profile view.
In mwdb.cert.pl you are allowed to add tags, but you can't remove them (the removing_tags capability is required). If you see that a malware family has not been correctly recognized by mwdb.cert.pl, you can leave a comment or set a maybe:<family> tag to help us track these issues.
Built-in tag conventions
You have probably already noticed that tags are colored differently depending on their prefix. That's because MWDB has a few tag conventions built in to highlight certain groups of tags.
Simple tags (no prefix) are red. In mwdb.cert.pl they are mostly used for marking the identified malware family name.

Tags describing the source are blue (src:, uploader:, feed:). feed: tags are the most special, because you can easily filter out all external feeds by choosing the built-in Exclude feed:* option in the Quick query bar.

Tags indicating matched malware are yellow (ripped:, contains:). In mwdb.cert.pl we mark the original sample with a ripped:<family> tag. Unpacked samples or dumps originating from ripped samples are added as children and tagged red with the malware family name.

Note
If you want to get only samples that are marked as malicious with high confidence, use the Only ripped:* button in the Quick query bar.
File types can be additionally classified with another group of gray tags (runnable:, archive:, dump:, script:).

Generic tags containing : that don't match any of the prefixes above are cyan. We use them to add secondary tags fetched from a feed or indicating a classification result from other systems (e.g. yara:, et:).
