Artifacts Severity

Levels of Severity for Malware Samples in EVE

In the EVE platform, malware samples are classified according to five distinct levels of severity. These levels help to assess the potential impact of each sample on the environment where they are executed. Below is a description of each severity level:

LOW

Files that are detected by signature-based security tools are considered to have low severity. Their behavior does not suggest any significant impact on the host where they were executed.

MIDDLE

Files that may or may not be detected by signature-based security tools are classified as medium severity. They are typically detected by heuristics, their behavior suggests a non-serious impact on the host, and they may also exhibit obfuscation.

HIGH

Files that are not detected by signature-based security tools but can be detected by heuristics are considered high severity. These files often use obfuscation, and their execution may be partial or complete, resulting in a visible and significant impact on the host where they were executed.

CRITICAL

Customized or modified artifacts that are detected by neither signature-based security tools nor heuristics are classified as critical severity. These files typically use obfuscation, execute fully, and have a considerable impact on the host, including potential callbacks and evasion of the enforced network security controls.

ZERO-DAY

Artifacts created by EVE/REVEALD, which are modified and may be obfuscated, are classified as zero-day severity. These files are detected by neither signature-based security tools nor heuristics, execute fully, and have a significant impact on the host. They may also include callbacks and evade the enforced network security controls.
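The five levels above can be read as a decision tree over a sample's sandbox findings. The following is an added illustration, not EVE/REVEALD code: the field names, the precedence between overlapping criteria (for example a signature-detected file that heuristics also flag is placed in MIDDLE rather than LOW) and the sample records are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Severity levels in ascending order, as documented for the EVE platform.
LEVELS = ("LOW", "MIDDLE", "HIGH", "CRITICAL", "ZERO-DAY")


@dataclass(frozen=True)
class Observation:
    """Sandbox findings for one sample (field names are assumptions)."""
    signature_detected: bool   # flagged by signature-based security tools
    heuristic_detected: bool   # flagged by heuristic analysis
    obfuscated: bool           # obfuscation observed in the artifact
    fully_executed: bool       # execution ran to completion on the host
    significant_impact: bool   # visible, significant impact on the host
    callbacks: bool            # outbound callbacks observed
    eve_generated: bool        # artifact created/modified by EVE/REVEALD


def classify(o: Observation) -> str:
    """Map one sample's findings to a severity level using the page's criteria."""
    # Detected by neither signatures nor heuristics: CRITICAL, or ZERO-DAY when
    # the artifact was produced by EVE/REVEALD itself.
    if not o.signature_detected and not o.heuristic_detected:
        return "ZERO-DAY" if o.eve_generated else "CRITICAL"
    # Missed by signatures but caught by heuristics: HIGH when the host impact is
    # significant, otherwise MIDDLE.
    if not o.signature_detected:
        return "HIGH" if o.significant_impact else "MIDDLE"
    # Signature-detected: LOW unless heuristic hits, obfuscation or a notable
    # impact push it into the MIDDLE description (assumed precedence).
    if o.heuristic_detected or o.obfuscated or o.significant_impact:
        return "MIDDLE"
    return "LOW"


def rank(level: str) -> int:
    """Numeric rank so levels can be compared and sorted."""
    return LEVELS.index(level)


def summarize(observations) -> dict:
    """Per-level counts plus the worst level seen, for a batch report."""
    counts = Counter(classify(o) for o in observations)
    worst = max(counts, key=rank)
    return {"counts": dict(counts), "highest": worst}


# Constructed sample batch (not real EVE data) covering every level.
SAMPLES = [
    Observation(True, False, False, False, False, False, False),   # LOW
    Observation(True, True, True, False, False, False, False),     # MIDDLE
    Observation(False, True, True, True, True, False, False),      # HIGH
    Observation(False, False, True, True, True, True, False),      # CRITICAL
    Observation(False, False, True, True, True, True, True),       # ZERO-DAY
]
```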

Zero-day samples are not part of any licensing model. These samples are available only upon customer request and are licensed separately.
