The start date for this field data entry - the start date of the period over which the prevalence (commonality) and importance is measured.
Type
xs:dateTime
Source
<xs:element name="startDate" type="xs:dateTime"><xs:annotation><xs:documentation xml:lang="en">The start date for this field data entry - the start date of the period over which the prevalence (commonality) and importance is measured.</xs:documentation></xs:annotation></xs:element>
The end date for this field data entry - the end date of the period over which the prevalence (commonality) and importance is measured.
Type
xs:dateTime
Source
<xs:element name="endDate" type="xs:dateTime"><xs:annotation><xs:documentation xml:lang="en">The end date for this field data entry - the end date of the period over which the prevalence (commonality) and importance is measured.</xs:documentation></xs:annotation></xs:element>
The date that the object was first seen by the reporting entity.
Type
xs:dateTime
Source
<xs:element name="firstSeenDate" type="xs:dateTime" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">The date that the object was first seen by the reporting entity.</xs:documentation></xs:annotation></xs:element>
user - Data originated from a user, normally meaning manual submissions from a user.
enumeration
desktop
desktop - Data originated from a computer, normally meaning automated submissions from a product running on a user's computer.
enumeration
lan
network - Data originated from a local network.
enumeration
gateway
gateway - Data originated from measurements at a gateway.
enumeration
isp
isp - Data originated from measurements at an ISP.
enumeration
honeypot
honeypot - Data originated from internally gathered data using a honeypot or other collection device.
enumeration
collection
collection - Data from a malware collection.
enumeration
spam
spam - Data originated from spam (e.g. spam Email had a link to malware or the malware itself).
enumeration
wan
web - Data originated from the Internet.
enumeration
internal
internal - Internally generated object (e.g. replicants of a polymorphic malware).
enumeration
partner
partner - Data originated from a partner.
enumeration
unknown
unknown - unknown.
Source
<xs:element name="origin" type="OriginTypeEnum"><xs:annotation><xs:documentation xml:lang="en">An enumeration of common sources or origins of data associated with the field data.</xs:documentation></xs:annotation></xs:element>
<xs:element name="importance" type="intBetween0and100" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Qualitative measurement of risk associated with the object.</xs:documentation></xs:annotation></xs:element>
<xs:element name="location" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Geolocation information for prevalence.</xs:documentation></xs:annotation><xs:complexType><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="type" type="LocationTypeEnum"/></xs:extension></xs:simpleContent></xs:complexType></xs:element>
Element malwareMetaData
Namespace
http://xml/metadataSharing.xsd
Annotations
This is the top level element for the xml document. Required attribute is version.

Open issues:
2. Right way to express commonality in field data so that it can be combined properly
3. How to handle unicode in urls

Change list

08/26/2011 Clean-file attribute based changes
1. added digitalSignature to objects
2. added softwarePackage to objects
3. added taggant to objects
4. added numerous elements to fileObject

11/12/2009
1. adding documentation across the schema
2. added partner to OriginTypeEnum
3. made sha1 in fileObject optional
4. added isDamaged as a propertyType
5. changed property name isNon-replicating to isNonReplicating

6/11/2009
1. incremented version
2. Rename parents/children in relationship to source/target
3. Add generic relationship, ‘relatedTo’
4. Make commonality element in fieldDataEntry optional
5. Add unknown element to origintypeenum
6. Remove ipv4 and ipv6 from locationenum
7. Make id on ip object startaddress-endaddress even if startaddress == endaddress. Added IPRange type
8. Add optional firstSeenDate to fieldDataEntry, for first time entity providing data saw the object

6/4/2009
1. File - id should be a xs:hexBinary
2. File - extraHash should be a xs:string
3. Uri – add optional ipProtocol field, with enumeration of values tcp/udp/icmp etc.
4. Uri – add documentation that protocol in uri needs to be either from well known list (from iana.org) or ‘unknown’
5. Domain - need to fix documentation for domain – example is wrong
6. registry – remove valuedata – it is in a property
7. ip object – rename to ip, and give it a start address and end address. Share a single address by making start and end the same. Id will be address or startaddress-endaddress
8. service – delete – subsumed by uri with extra data elements in it
9. classification – remove modifiers (attributes) on category and put in properties
10. classification – add documentation that category is companyname:category
11. objectProperty – move timestamp to be top level instead of on each property and make it required
12. relationship – make timestamp required
13. relationship – add doc on runs. removed 'exploits' - it refers to environment object that no longer exists
14. added comment field to propertyenum
15. made timeStamp -> timestamp for consistency
16. incremented version

5/31/2009
1. incremented version
2. changed url to uri
3. removed environment object and related enumerations
4. added restriction on uri to not allow a question mark (?)

5/15/2009
1. incremented version
2. Added neutral classification type
3. Added numberOfWebsitesHosting and numberOfWebsitesRedirecting to volume units enumeration
4. added referrer, operatingSystem, userAgent and browser to properties
5. made classification type attribute required

5/8/2009
1. added new object type for asn
2. moved domain information to properties, so that domains info can be timestamped
3. added properties for geolocation of an ip address
4. added property for location url for a file
5. added VolumeUnitsEnum and volume tag in fieldData. This is to allow sharing of actual prevalence numbers, with various units.
6. Added ipProtocol (tcp/udp) to service object. Also changed names of expectedProtocol and actualProtocol to be expectedApplicationProtocol and actualApplicationProtocol
7. added 'references' surrounding tag to ref tag in fieldDataEntry and objectProperty, so that can assign multiple references if required
8. made id on file back to hexBinary. Use length to figure out what hash it is.
9. incremented version
10. added properties for httpMethod and postData
11. added relationship types 'contactedBy' and 'downloadedFrom'

4/17/2009
1. Incremented version
2. Added unwanted to ClassificationTypeEnum
3. Added text about ids for files to documentation
4. Removed filename from file object definition
5. Relaxed requirement on id of file to be an xs:hexString to be an xs:string to allow e.g. md5:aaaaabbbbccc as an id. Not enormously happy about that…
6. Made sha256 optional and sha1 required in files
7. Added “open issues” section in documentation for top level element
8. Category is now an xs:string; deleted CategoryTypeEnum
9. Added comment to doc on fieldDataEntry about using standard time periods, but kept start date and end date
10. Added objectProperties element, and example illustratingProperties.xml. Currently allowed properties are filename, filepath, registryValueData and urlParameterString. There is an optional timestamp on each property. I allowed objectProperty to have an id, so that it can be referenced elsewhere, although we might want to re-think that.
11. Added some better documentation to relationships
12. Added more documentation throughout
The version of the schema. This is currently fixed to be 1.1.
Source
<xs:element name="malwareMetaData"><xs:annotation><xs:documentation xml:lang="en">This is the top level element for the xml document. Required attribute is version. Open issues: 2. Right way to express commonality in field data so that it can be combined properly 3. How to handle unicode in urls Change list 08/26/2011 Clean-file attribute based changes 1. added digitalSignature to objects 2. added softwarePackage to objects 3. added taggant to objects 4. added numerous elements to fileObject 11/12/2009 1. adding documentation across the schema 2. added partner to OriginTypeEnum 3. made sha1 in fileObject optional 4. added isDamaged as a propertyType 5. changed property name isNon-replicating to isNonReplicating 6/11/2009 1. incremented version 2.Rename parents/children in relationship to source/target 3. Add generic relationship, ‘relatedTo’ 4. Make commonality element in fieldDataEntry optional 5. Add unknown element to origintypeenum 6. Remove ipv4 and ipv6 from locationenum 7. Make id on ip object startaddress-endaddress even if startaddress == endaddress. Added IPRange type 8. Add optional firstSeenDate to fieldDataEntry, for first time entity providing data saw the object 6/4/2009 1. File - id should be a xs:hexBinary 2. File - extraHash should be a xs:string 3. Uri – add optional ipProtocol field, with enumeration of values tcp/udp/icmp etc. 4. Uri – add documentation that protocol in uri needs to be either from well known list (from iana.org) or ‘unknown’ 5. Domain - need to fix documentation for domain – example is wrong 6. registry – remove valuedata – it is in a property 7. ip object – rename to ip, and give it a start address and end address. Share a single address by making start and end the same. Id will be address or startaddress-endaddress 8. service – delete – subsumed by uri with extra data elements in it 9. classification – remove modifiers (attributes) on category and put in properties 10. 
classification – add documentation that category is companyname:category 11. objectProperty – move timestamp to be top level instead of on each property and make it required 12. relationship – make timestamp required 13. relationship – add doc on runs. removed 'exploits' - it refers to environment object that no longer exists 14. added comment field to propertyenum 15. made timeStamp -> timestamp for consistency 16.incremented version 5/31/2009 1. incremented version 2. changed url to uri 3. removed environment object and related enumerations 4. added restriction on uri to not allow a question mark (?) 5/15/2009 1. incremented version 2. Added neutral classification type 3. Added numberOfWebsitesHosting and numberOfWebsitesRedirecting to volume units enumeration 4. added referrer, operatingSystem, userAgent and browser to properties 5. made classification type attribute required 5/8/2009 1. added new object type for asn 2. moved domain information to properties, so that domains info can be timestamped 3. added properties for geolocation of an ip address 4. added property for location url for a file 5. added VolumeUnitsEnum and volume tag in fieldData. This is to allow sharing of actual prevalence numbers, with various units. 6. Added ipProtocol (tcp/udp) to service object. Also changed names of expectedProtocol and actualProtocol to be expectedApplicationProtocol and actualApplicationProtocol 7. added 'references' surrounding tag to ref tag in fieldDataEntry and objectProperty, so that can assign multiple references if required 8. made id on file back to hexBinary. Use length to figure out what hash it is. 9. incremented version 10. added properties for httpMethod and postData 11. added relationship types 'contactedBy' and 'downloadedFrom' 4/17/2009 1. Incremented version 2. Added unwanted to ClassificationTypeEnum 3. Added text about ids for files to documentation 4. Removed filename from file object definition 5. 
Relaxed requirement on id of file to be an xs:hexString to be an xs:string to allow e.g. md5:aaaaabbbbccc as an id. Not enormously happy about that… 6. Made sha256 optional and sha1 required in files 7. Added “open issues” section in documentation for top level element 8. Category is now an xs:string; deleted CategoryTypeEnum 9. Added comment to doc on fieldDataEntry about using standard time periods, but kept start date and end date 10. Added objectProperties element, and example illustratingProperties.xml. Currently allowed properties are filename, filepath, registryValueData and urlParameterString. There is an optional timestamp on each property. I allowed objectProperty to have an id, so that it can be referenced elsewhere, although we might want to re-think that. 11. Added some better documentation to relationships 12. Added more documentation throughout</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="company" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">The company name for the entity generating the xml document, for example "AVG Technologies".</xs:documentation></xs:annotation></xs:element><xs:element name="author" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">The author of the document, for example "Matt Williamson" or "Igor Muttik".</xs:documentation></xs:annotation></xs:element><xs:element name="comment" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">A human readable comment.</xs:documentation></xs:annotation></xs:element><xs:element name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation xml:lang="en">The time that the document was created.</xs:documentation></xs:annotation></xs:element><!-- objects is optional and contains and unbounded number of 'object' elements --><xs:element name="objects" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Objects are globally unique files, urls, domain, registry, ipAddress etc. 
The data within the object is supporting data for the globally unique object. For example, files have an id (by convention the hash, sha256 if available, else weaker ones), and the data for the file is the hashes, sizes etc. Urls have an id (the url itself), and data which is simply the url parts broken out. There are no dates, etc in the objects. These are first class, global objects.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="file" type="fileObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Files or samples</xs:documentation></xs:annotation></xs:element><xs:element name="uri" type="uriObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">URI (Uniform Resource Identifier) objects.</xs:documentation></xs:annotation></xs:element><xs:element name="domain" type="domainObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Domain names as administered by ICANN.</xs:documentation></xs:annotation></xs:element><xs:element name="registry" type="registryObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Configuration information from the registry on Microsoft Windows operating systems.</xs:documentation></xs:annotation></xs:element><xs:element name="ip" type="IPObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Internet Protocol (IP) addresses, both ipv4 and ipv6.</xs:documentation></xs:annotation></xs:element><xs:element name="asn" type="ASNObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Autonomous System (AS).</xs:documentation></xs:annotation></xs:element><xs:element name="entity" type="entityObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">A corporation or other entity.</xs:documentation></xs:annotation></xs:element><xs:element name="classification" 
type="classificationObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Labels or names, for example detection names associated with malware samples.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="softwarePackage" type="softwarePackageObject"><xs:annotation><xs:documentation>Software packages, typically used for associating with the files that they install or create.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="digitalSignature" type="digitalSignatureObject"><xs:annotation><xs:documentation>Digital signatures, for use in assocating with >1 binaries that may have the same signature. If only one binary with a signature is wished to be profiled, then the digitalSignature element inside the fileObject should be utilized.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="taggant" type="taggantObject"><xs:annotation><xs:documentation>Digital signatures, for use in assocating with >1 binaries that may have the same signature. If only one binary with a taggant is wished to be profiled, then the taggant element inside the fileObject should be utilized.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType></xs:element><!-- properties are properties of objects that do not make sense as relationships, e.g. file names --><xs:element name="objectProperties" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Properties of objects that do not make sense as relationships. e.g. 
file names, url parameter strings, registry value data.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="objectProperty" type="objectProperty" maxOccurs="unbounded"/></xs:sequence></xs:complexType></xs:element><!-- relationships contain an unbounded number of relationship elements --><xs:element name="relationships" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Relationships between objects.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="relationship" type="relationship" maxOccurs="unbounded"/></xs:sequence></xs:complexType></xs:element><!-- fieldData is an unbounded number of fieldDataEntry elements --><xs:element name="fieldData" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Prevalence data.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="fieldDataEntry" type="fieldDataEntry" maxOccurs="unbounded"/></xs:sequence></xs:complexType></xs:element></xs:sequence><!-- attributes on the top level element --><xs:attribute use="required" name="version" type="xs:decimal" fixed="1.2"><xs:annotation><xs:documentation xml:lang="en">The version of the schema. This is currently fixed to be 1.1.</xs:documentation></xs:annotation></xs:attribute><!-- globally unique identifier for the file --><xs:attribute use="required" name="id" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">A required identifier for the document.</xs:documentation></xs:annotation></xs:attribute></xs:complexType></xs:element>
The company name for the entity generating the xml document, for example "AVG Technologies".
Type
xs:string
Source
<xs:element name="company" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">The company name for the entity generating the xml document, for example "AVG Technologies".</xs:documentation></xs:annotation></xs:element>
The author of the document, for example "Matt Williamson" or "Igor Muttik".
Type
xs:string
Source
<xs:element name="author" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">The author of the document, for example "Matt Williamson" or "Igor Muttik".</xs:documentation></xs:annotation></xs:element>
<xs:element name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation xml:lang="en">The time that the document was created.</xs:documentation></xs:annotation></xs:element>
Objects are globally unique files, urls, domain, registry, ipAddress etc. The data within the object is supporting data for the globally unique object. For example, files have an id (by convention the hash, sha256 if available, else weaker ones), and the data for the file is the hashes, sizes etc. Urls have an id (the url itself), and data which is simply the url parts broken out. There are no dates, etc in the objects. These are first class, global objects.
<xs:element name="objects" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Objects are globally unique files, urls, domain, registry, ipAddress etc. The data within the object is supporting data for the globally unique object. For example, files have an id (by convention the hash, sha256 if available, else weaker ones), and the data for the file is the hashes, sizes etc. Urls have an id (the url itself), and data which is simply the url parts broken out. There are no dates, etc in the objects. These are first class, global objects.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="file" type="fileObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Files or samples</xs:documentation></xs:annotation></xs:element><xs:element name="uri" type="uriObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">URI (Uniform Resource Identifier) objects.</xs:documentation></xs:annotation></xs:element><xs:element name="domain" type="domainObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Domain names as administered by ICANN.</xs:documentation></xs:annotation></xs:element><xs:element name="registry" type="registryObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Configuration information from the registry on Microsoft Windows operating systems.</xs:documentation></xs:annotation></xs:element><xs:element name="ip" type="IPObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Internet Protocol (IP) addresses, both ipv4 and ipv6.</xs:documentation></xs:annotation></xs:element><xs:element name="asn" type="ASNObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Autonomous System (AS).</xs:documentation></xs:annotation></xs:element><xs:element name="entity" type="entityObject" minOccurs="0" 
maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">A corporation or other entity.</xs:documentation></xs:annotation></xs:element><xs:element name="classification" type="classificationObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Labels or names, for example detection names associated with malware samples.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="softwarePackage" type="softwarePackageObject"><xs:annotation><xs:documentation>Software packages, typically used for associating with the files that they install or create.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="digitalSignature" type="digitalSignatureObject"><xs:annotation><xs:documentation>Digital signatures, for use in assocating with >1 binaries that may have the same signature. If only one binary with a signature is wished to be profiled, then the digitalSignature element inside the fileObject should be utilized.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="taggant" type="taggantObject"><xs:annotation><xs:documentation>Digital signatures, for use in assocating with >1 binaries that may have the same signature. If only one binary with a taggant is wished to be profiled, then the taggant element inside the fileObject should be utilized.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType></xs:element>
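The conventions stated above (a file's id is the strongest hash available, objects carry no dates, and fieldDataEntry values such as origin, importance and the start/end dates stay within the enumerations and ranges documented on this page) can be checked mechanically when ingesting a document. The following checker is an added example, not schema or MMDEF project code; it assumes the fileObject children sha256, sha1 and size named in the change list, and the document it checks is constructed inline.

```python
"""Consistency checker for the MMDEF conventions on this page.

Added example, not schema or project code. It assumes the fileObject children
sha256, sha1 and size (named in the change list); the sample is constructed.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# OriginTypeEnum values as listed on this page.
ORIGIN_VALUES = {"user", "desktop", "lan", "gateway", "isp", "honeypot",
                 "collection", "spam", "wan", "internal", "partner", "unknown"}
# "Use length to figure out what hash it is" (hex digit counts).
HASH_HEX_LENGTHS = {64: "sha256", 40: "sha1", 32: "md5"}

# Constructed stand-in for a sample file; the ids below are derived from it.
SAMPLE_BYTES = b"constructed sample contents, not a real file\n"
SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
SHA1 = hashlib.sha1(SAMPLE_BYTES).hexdigest()

SAMPLE_DOC = f"""<?xml version="1.0"?>
<malwareMetaData version="1.2" id="constructed-doc-0001">
  <company>Example AV Ltd (constructed)</company>
  <author>Example Analyst (constructed)</author>
  <comment>Constructed sample document.</comment>
  <timestamp>2011-09-01T12:00:00Z</timestamp>
  <objects>
    <file id="{SHA256}">
      <sha256>{SHA256}</sha256>
      <sha1>{SHA1}</sha1>
      <size>{len(SAMPLE_BYTES)}</size>
    </file>
  </objects>
  <fieldData>
    <fieldDataEntry>
      <startDate>2011-08-01T00:00:00Z</startDate>
      <endDate>2011-08-31T23:59:59Z</endDate>
      <firstSeenDate>2011-08-03T09:15:00Z</firstSeenDate>
      <origin>desktop</origin>
      <importance>75</importance>
      <location>US</location>
    </fieldDataEntry>
  </fieldData>
</malwareMetaData>
"""


def parse_dt(text):
    """Parse the UTC xs:dateTime form used in the sample."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def check_document(xml_text):
    """Return a list of convention violations; an empty list means consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "malwareMetaData":
        return [f"unexpected root element {root.tag}"]
    if root.get("version") != "1.2":
        problems.append("version attribute is not the fixed value 1.2")
    if not root.get("id"):
        problems.append("missing required document id attribute")

    for f in root.findall("./objects/file"):
        fid = (f.get("id") or "").lower()
        # Convention: the id is the strongest hash available, sha256 first.
        expected = (f.findtext("sha256") or f.findtext("sha1") or "").lower()
        if fid != expected:
            problems.append(f"file id {fid[:12]}... is not the strongest hash present")
        if len(fid) not in HASH_HEX_LENGTHS or not re.fullmatch(r"[0-9a-f]+", fid):
            problems.append(f"file id {fid[:12]}... is not a recognised hex hash")
        # Convention: objects are global and carry no dates.
        for child in f:
            if child.tag.lower().endswith("date") or child.tag == "timestamp":
                problems.append(f"file object carries a date element {child.tag}")

    for e in root.findall("./fieldData/fieldDataEntry"):
        start, end = e.findtext("startDate"), e.findtext("endDate")
        if not (start and end):
            problems.append("fieldDataEntry lacks the required startDate/endDate")
            continue
        start, end = parse_dt(start), parse_dt(end)
        if end < start:
            problems.append("fieldDataEntry endDate precedes startDate")
        first = e.findtext("firstSeenDate")
        if first and parse_dt(first) > end:
            problems.append("firstSeenDate is later than the measurement period")
        origin = e.findtext("origin")
        if origin not in ORIGIN_VALUES:
            problems.append(f"origin {origin!r} is not an OriginTypeEnum value")
        imp = e.findtext("importance")
        if imp is not None and not (imp.isdigit() and int(imp) <= 100):
            problems.append(f"importance {imp!r} is outside intBetween0and100")
    return problems
```

Calling check_document(SAMPLE_DOC) returns an empty list for the constructed document, and a non-empty list naming each violated convention otherwise.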
String describing the type of file, for example executable, script etc.
Type
xs:string
Source
<xs:element name="fileType" type="xs:string" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">String describing the type of file, for example executable, script etc.</xs:documentation></xs:annotation></xs:element>
Element for inserting fuzzy hashes for example pehash, ssdeep. These are put in with this element, with a required attribute 'type' used to hold the type of hash.
<xs:element name="extraHash" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Element for inserting fuzzy hashes for example pehash, ssdeep. These are put in with this element, with a required attribute 'type' used to hold the type of hash.</xs:documentation></xs:annotation><xs:complexType><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="type" use="required" type="xs:string"/></xs:extension></xs:simpleContent></xs:complexType></xs:element>
The normalized native path of the file, using standardized system path variables (for Windows see http://en.wikipedia.org/wiki/Environment_variable#System_path_variables) with prepended and appended percentage characters. E.g. %ProgramFiles%/Microsoft Visual Studio.
Type
xs:string
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="normalizedNativePath" type="xs:string"><xs:annotation><xs:documentation>The normalized native path of the file, using standardized system path variables (for Windows see http://en.wikipedia.org/wiki/Environment_variable#System_path_variables) with prepended and appended percentage characters. E.g. %ProgramFiles%/Microsoft Visual Studio.</xs:documentation></xs:annotation></xs:element>
The name of the file within an installer or archive.
Type
xs:string
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="filenameWithinInstaller" type="xs:string"><xs:annotation><xs:documentation>The name of the file within an installer or archive.</xs:documentation></xs:annotation></xs:element>
The folder the file resides in within an installer or archive.
Type
xs:string
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="folderWithinInstaller" type="xs:string"><xs:annotation><xs:documentation>The folder the file resides in within an installer or archive.</xs:documentation></xs:annotation></xs:element>
The name of the vendor, if extractable from the file.
Type
xs:string
Source
<xs:element minOccurs="0" name="vendor" type="xs:string"><xs:annotation><xs:documentation>The name of the vendor, if extractable from the file.</xs:documentation></xs:annotation></xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="language" type="xs:string"><xs:annotation><xs:documentation>The language(s) the file is in.</xs:documentation></xs:annotation></xs:element>
The name of the product the file belongs to, if applicable.
Type
xs:string
Source
<xs:element maxOccurs="1" minOccurs="0" name="productName" type="xs:string"><xs:annotation><xs:documentation>The name of the product the file belongs to, if applicable.</xs:documentation></xs:annotation></xs:element>
The version of the product the file belongs to, if applicable.
Type
xs:string
Source
<xs:element minOccurs="0" name="productVersion" type="xs:string"><xs:annotation><xs:documentation>The version of the product the file belongs to, if applicable.</xs:documentation></xs:annotation></xs:element>
The development environment used to build the file, if applicable.
Type
xs:string
Source
<xs:element minOccurs="0" name="developmentEnvironment" type="xs:string"><xs:annotation><xs:documentation>The development environment used to build the file, if applicable.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="checksum" type="xs:hexBinary"><xs:annotation><xs:documentation>The checksum of the file, if applicable.</xs:documentation></xs:annotation></xs:element>
The processor architecture of the file, if applicable.
Type
xs:string
Source
<xs:element minOccurs="0" name="architecture" type="xs:string"><xs:annotation><xs:documentation>The processor architecture of the file, if applicable.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="buildTimeDateStamp" type="xs:dateTime"><xs:annotation><xs:documentation>The build timestamp of the file, if applicable.</xs:documentation></xs:annotation></xs:element>
The version of the compiler used to compile the file, if applicable.
Type
xs:string
Source
<xs:element minOccurs="0" name="compilerVersion" type="xs:string"><xs:annotation><xs:documentation>The version of the compiler used to compile the file, if applicable.</xs:documentation></xs:annotation></xs:element>
The version of the linker used to link the file, if applicable.
Type
xs:float
Source
<xs:element minOccurs="0" name="linkerVersion" type="xs:float"><xs:annotation><xs:documentation>The version of the linker used to link the file, if applicable.</xs:documentation></xs:annotation></xs:element>
The minimum operating system version needed to run the file, specified as a CPE name. The Common Platform Enumeration, or CPE, name of the package if one exists. CPE is a structured naming scheme for IT systems, software, and packages. For more information on CPE see http://cpe.mitre.org. For the official CPE dictionary see http://nvd.nist.gov/cpe.cfm.
Type
xs:string
Source
<xs:element minOccurs="0" name="minOSVersionCPE" type="xs:string"><xs:annotation><xs:documentation>The minimum operating system version needed to run the file, specified as a CPE name. The Common Platform Enumeration, or CPE, name of the package if one exists. CPE is a structured naming scheme for IT systems, software, and packages. For more information on CPE see http://cpe.mitre.org. For the official CPE dictionary see http://nvd.nist.gov/cpe.cfm.</xs:documentation></xs:annotation></xs:element>
The number of sections in the file, if applicable.
Type
xs:int
Source
<xs:element maxOccurs="1" minOccurs="0" name="numberOfSections" type="xs:int"><xs:annotation><xs:documentation>The number of sections in the file, if applicable.</xs:documentation></xs:annotation></xs:element>
The minimum privilege required to run the file, e.g. Administrator, if applicable.
Type
xs:string
Source
<xs:element minOccurs="0" name="requiredPrivilege" type="xs:string"><xs:annotation><xs:documentation>The minimum required to run the file, e.g. Administrator, if applicable.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="digitalSignature" type="digitalSignatureObject"><xs:annotation><xs:documentation>Information on the digital signature of the file, if applicable.</xs:documentation></xs:annotation></xs:element>
<xs:element maxOccurs="1" minOccurs="0" name="taggant" type="taggantObject"><xs:annotation><xs:documentation>Information on the taggant used to tag the file, if applicable.</xs:documentation></xs:annotation></xs:element>
Protocol, for example http, ftp. The value must match an element in the list hosted at http://www.iana.org/assignments/port-numbers.
Type
xs:string
Source
<xs:element name="protocol" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Protocol, for example http, ftp. value must match an element in the list hosted at http://www.iana.org/assignments/port-numbers.</xs:documentation></xs:annotation></xs:element>
IP protocol, for example tcp, udp. The value must match an element in the list hosted at http://www.iana.org/assignments/protocol-numbers/.
Type
xs:string
Source
<xs:element name="ipProtocol" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">IP protocol, for example. tcp, udp. value must match an element in the list hosted at http://www.iana.org/assignments/protocol-numbers/.</xs:documentation></xs:annotation></xs:element>
<xs:element name="registry" type="registryObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Configuration information from the registry on Microsoft Windows operating systems.</xs:documentation></xs:annotation></xs:element>
<xs:element name="entity" type="entityObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">A corporation or other entity.</xs:documentation></xs:annotation></xs:element>
<xs:element name="classification" type="classificationObject" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Labels or names, for example detection names associated with malware samples.</xs:documentation></xs:annotation></xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="softwarePackage" type="softwarePackageObject"><xs:annotation><xs:documentation>Software packages, typically used for associating with the files that they install or create.</xs:documentation></xs:annotation></xs:element>
The product group that the product belongs to, e.g. Microsoft Office.
Diagram
Type
xs:string
Source
<xs:element minOccurs="0" name="productgroup" type="xs:string"><xs:annotation><xs:documentation>The product group that the product belongs to, e.g. Microsoft Office.</xs:documentation></xs:annotation></xs:element>
The Common Platform Enumeration, or CPE, name of the package if one exists. CPE is a structured naming scheme for IT systems, software, and packages. For more information on CPE see http://cpe.mitre.org. For the official CPE dictionary see http://nvd.nist.gov/cpe.cfm.
The version of CPE that is used for the name in the CPEname element. As of 10/04/2011 this is 2.2.
Source
<xs:element minOccurs="0" name="CPEname"><xs:annotation><xs:documentation>The Common Platform Enumeration, or CPE, name of the package if one exists. CPE is a structured naming scheme for IT systems, software, and packages. For more information on CPE see http://cpe.mitre.org. For the official CPE dictionary see http://nvd.nist.gov/cpe.cfm.</xs:documentation></xs:annotation><xs:complexType><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="cpeVersion" type="xs:string"><xs:annotation><xs:documentation>The version of CPE that is used for the name in the CPEname element. As of 10/04/2011 this is 2.2.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:simpleContent></xs:complexType></xs:element>
Digital signatures, for use in associating with more than one binary that may have the same signature. If only one binary with a signature is to be profiled, then the digitalSignature element inside the fileObject should be used.
<xs:element maxOccurs="unbounded" minOccurs="0" name="digitalSignature" type="digitalSignatureObject"><xs:annotation><xs:documentation>Digital signatures, for use in associating with more than one binary that may have the same signature. If only one binary with a signature is to be profiled, then the digitalSignature element inside the fileObject should be used.</xs:documentation></xs:annotation></xs:element>
Taggants, for use in associating with more than one binary that may carry the same taggant. If only one binary with a taggant is to be profiled, then the taggant element inside the fileObject should be used.
<xs:element maxOccurs="unbounded" minOccurs="0" name="taggant" type="taggantObject"><xs:annotation><xs:documentation>Taggants, for use in associating with more than one binary that may carry the same taggant. If only one binary with a taggant is to be profiled, then the taggant element inside the fileObject should be used.</xs:documentation></xs:annotation></xs:element>
<xs:element name="objectProperties" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Properties of objects that do not make sense as relationships. e.g. file names, url parameter strings, registry value data.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="objectProperty" type="objectProperty" maxOccurs="unbounded"/></xs:sequence></xs:complexType></xs:element>
<xs:element name="source"><xs:annotation><xs:documentation xml:lang="en">References to objects at the parent end of the relationship.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="ref" minOccurs="1" maxOccurs="unbounded" type="reference"/></xs:sequence></xs:complexType></xs:element>
<xs:element name="target"><xs:annotation><xs:documentation xml:lang="en">References to objects at the child end of the relationship.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="ref" minOccurs="1" maxOccurs="unbounded" type="reference"/></xs:sequence></xs:complexType></xs:element>
Data structure to hold prevalence information. The data includes a reference to another object (an xpath expression, held inside the 'ref' element, pointing to the object), together with a time period (startDate -> endDate), an origin (where the object came from) and various location tags. This allows rich information on prevalence to be recorded. By convention, time periods should wherever possible be standard time periods, e.g. minute, hour, 24 hours, week, month, quarter, year; this facilitates combining data from multiple sources. To represent a single entry, make startDate == endDate.

Commonality is calculated from sightings of malware objects (and so its calculation is easier to automate). Importance is reserved for cases when “commonality” is not available, or when there is a need to communicate the importance while commonality is low. We define commonality on a scale of 0 to 100 (0 means “never found in the field” and 100 means “found very frequently”). Scaling commonality to the 0..100 range instead of using actual sample counts avoids the effect of the user base size on the commonality. We derive commonality from the number of affected computers, not from the number of samples (for example, a hundred parasitic infections of the same virus on a single computer are counted as one). To calculate the commonality we use a two-stage approach and a logarithmic scale:
- If the number of affected users exceeds 0.1% of your user base (more frequent than 1 in 1000), set commonality to “100”.
- Otherwise, calculate the ratio of infected computers amongst your user base by dividing the real number of affected computers ‘n’ by the total number ‘N’.
- Apply the following formula to get the commonality: ( log2(1 + n*1000/N) ) * 100.
- Round to the closest integer.
Obviously, the calculation above can only be applied to counting malware sightings on desktops.

If telemetry is collected from only a fraction of such desktops, then an appropriate correction should be applied. For all other cases (e.g. sightings on gateways, in a network security appliance, at ISP level, etc.) please exercise your best judgment and use the desktop guideline above as an example, so that the commonality factor is as comparable as possible. For a URL object the commonality could reflect, for example, how widely it was spammed. “Importance” should not be used together with “commonality” (unless commonality=“0”) to avoid possible confusion. High “importance”, for example, can be assigned to samples that are over-hyped by the media while their commonality is still “0”. Use the following guidelines for “importance”, which is also defined on a scale of 0..100:
- 100 – you’d expect your CEO and/or the media to call you any second about this object
- 80 – you might get a call from your CEO and/or the media
- 60 – you’d expect your boss to call you any second
- 40 – you might get a call from your boss
- 20 – someone is very likely to contact you about this object
- 10 – you might get contacted about this object
- 0 – you’d be surprised if anyone would ever contact you about this object
<xs:complexType name="fieldDataEntry"><xs:annotation><xs:documentation xml:lang="en">Data structure to hold prevalence information. The data includes a reference to another object (which is an xpath expression pointing to an object inside the 'ref' element), together with a time period (startDate -> endDate), an origin - where the object came from, and various location tags. This allows rich information on prevalence to be recorded. By convention, time periods should be wherever possible standard time periods, e.g. minute, hour, 24 hours, week, month, quarter, year. This will facilitate combination of data from multiple sources. To represent a single entry, make startDate == endDate. Commonality is calculated from the sightings of malware objects (and so such calculation is easier to automate). Importance is reserved for cases when “commonality” is not available or if there is a need to communicate the importance when commonality is low. We define the commonality on a scale 0 to 100 (0 means “never found in the field” and 100 means “found very frequently”). Scaling commonality to 0..100 range instead of using actual sample counts is to avoid the effect of the user base size on the commonality. We derive commonality from the number of affected computers – not from the number of samples (for example, a hundred parasitic infections of the same virus on a single computer are to be counted as one). To calculate the commonality we use two-stage approach and logarithmic scale: - If the number of affected users exceeds 0.1% of your user base (more frequent than 1 in a 1000) set commonality to “100” - Otherwise, calculate the ratio of infected computers amongst your user base by dividing the real number of affected computers ‘n’ by the total number ‘N’ - Apply the following formula to get the commonality –( log2(1+n*1000/N) ) * 100 - Round to the closest integer Obviously, the calculation above can only be applied to counting of malware sightings on desktops. 
If telemetry is collected from a fraction of such desktops then an appropriate correction should be used. For all other cases (e.g. sighting on gateways, in some network security appliance, on an ISP level, etc.) please exercise your best judgment and apply provided desktop guideline as an example to make sure the commonality factor is as comparable as possible. For a URL object the commonality could reflect, for example, how widely it was spammed. “Importance” should not be used together with “commonality” (unless commonality=“0”) to avoid possible confusion. High “importance”, for example, can be assigned to samples that are over-hyped by media when their commonality is still “0”. Use the following guidelines for “importance” which is also defined on a scale 0..100: 100 – you’d expect your CEO and/or media to call you any second about this object 80 – you might get a call from your CEO and/or media 60 – you’d expect your boss to call you any second 40 – you might get a call from your boss 20 – someone is very likely to contact you about this object 10 – you might get contacted about this object 0 – you’d be surprised if anyone would ever contact you about this object</xs:documentation></xs:annotation><xs:sequence><xs:element name="references"><xs:annotation><xs:documentation xml:lang="en">The objects the prevalence information pertains to.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="ref" type="reference" minOccurs="1" maxOccurs="unbounded"/></xs:sequence></xs:complexType></xs:element><xs:element name="startDate" type="xs:dateTime"><xs:annotation><xs:documentation xml:lang="en">The start date for this field data entry - the start date of the period over which the prevalence (commonality) and importance is measured.</xs:documentation></xs:annotation></xs:element><xs:element name="endDate" type="xs:dateTime"><xs:annotation><xs:documentation xml:lang="en">The end date for this field data entry - the end date of the period over 
which the prevalence (commonality) and importance is measured.</xs:documentation></xs:annotation></xs:element><xs:element name="firstSeenDate" type="xs:dateTime" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">The date that the object was first seen by the reporting entity.</xs:documentation></xs:annotation></xs:element><xs:element name="origin" type="OriginTypeEnum"><xs:annotation><xs:documentation xml:lang="en">An enumeration of common sources or origins of data associated with the field data.</xs:documentation></xs:annotation></xs:element><xs:element name="commonality" type="intBetween0and100" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Qualitative measurements of prevalence.</xs:documentation></xs:annotation></xs:element><xs:element name="volume" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Quantitive measurements of prevalence.</xs:documentation></xs:annotation><xs:complexType><xs:simpleContent><xs:extension base="xs:int"><xs:attribute name="units" type="VolumeUnitsEnum" use="required"/></xs:extension></xs:simpleContent></xs:complexType></xs:element><xs:element name="importance" type="intBetween0and100" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Qualitative measurement of risk associated with the object.</xs:documentation></xs:annotation></xs:element><xs:element name="location" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Geolocation information for prevalence.</xs:documentation></xs:annotation><xs:complexType><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="type" type="LocationTypeEnum"/></xs:extension></xs:simpleContent></xs:complexType></xs:element></xs:sequence></xs:complexType>
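Worked example, added here and not part of the metadataSharing schema or its documentation: it computes commonality from affected-computer counts exactly as the two-stage rule in the fieldDataEntry annotation describes, then assembles a fieldDataEntry element in the schema's sequence order, checking origin and units against the enumerations and enforcing the guideline that importance accompanies commonality only when commonality is 0. Element, attribute and enumeration names are the schema's; the counts, dates and the file[@id="12345"] reference are constructed sample values.

```python
"""Commonality calculation and fieldDataEntry assembly.

Added example; not part of the metadataSharing schema or its documentation.
Element, attribute and enumeration names are taken from the schema; all
sample values (counts, dates, the object reference) are constructed.
"""
import math
import xml.etree.ElementTree as ET

# Allowed values of OriginTypeEnum and VolumeUnitsEnum, copied from the schema.
ORIGINS = {"user", "desktop", "lan", "gateway", "isp", "honeypot",
           "collection", "spam", "wan", "internal", "partner", "unknown"}
VOLUME_UNITS = {"numberUsersAffected", "numberMachinesAffected",
                "numberSeenInSpam", "numberSeenInMalwareSamples",
                "numberOfWebsitesHosting", "numberOfWebsitesRedirecting"}


def commonality(n: int, N: int) -> int:
    """Commonality on the 0..100 scale, following the schema's two-stage rule.

    n is the number of affected computers (many infections on one machine
    count once); N is the size of the user base that was actually observed,
    which is how partial telemetry coverage is corrected for.
    """
    if N <= 0 or n < 0 or n > N:
        raise ValueError("need 0 <= n <= N and N > 0")
    # Stage 1: more than 1 affected computer per 1000 saturates the scale.
    if n * 1000 > N:
        return 100
    # Stage 2: logarithmic scale; n*1000/N is at most 1 here, so the value
    # lies in 0..100 before rounding. Round half up ("closest integer").
    return int(math.floor(math.log2(1 + n * 1000 / N) * 100 + 0.5))


def build_field_data_entry(ref_xpath, start_date, end_date, origin, n, N,
                           units="numberMachinesAffected", importance=None):
    """Assemble a fieldDataEntry element in the schema's sequence order.

    Raises ValueError when the result would not validate against the schema
    or would violate the documentation's importance/commonality guideline.
    """
    if origin not in ORIGINS:
        raise ValueError(f"origin {origin!r} is not an OriginTypeEnum value")
    if units not in VOLUME_UNITS:
        raise ValueError(f"units {units!r} is not a VolumeUnitsEnum value")
    score = commonality(n, N)
    if importance is not None:
        if not 0 <= importance <= 100:
            raise ValueError("importance must be an intBetween0and100")
        # Guideline: importance is recorded alongside commonality only when
        # commonality is 0 (e.g. a media-hyped sample not yet seen in the field).
        if score != 0:
            raise ValueError("importance must not accompany non-zero commonality")

    entry = ET.Element("fieldDataEntry")
    refs = ET.SubElement(entry, "references")
    ET.SubElement(refs, "ref").text = ref_xpath          # xpath to the object
    ET.SubElement(entry, "startDate").text = start_date
    ET.SubElement(entry, "endDate").text = end_date
    ET.SubElement(entry, "origin").text = origin
    ET.SubElement(entry, "commonality").text = str(score)
    ET.SubElement(entry, "volume", units=units).text = str(n)  # raw count
    if importance is not None:
        ET.SubElement(entry, "importance").text = str(importance)
    return entry


if __name__ == "__main__":
    # Constructed: 5 affected machines out of 10,000 observed in October 2011.
    entry = build_field_data_entry('file[@id="12345"]',
                                   "2011-10-01T00:00:00Z",
                                   "2011-10-31T23:59:59Z",
                                   "desktop", n=5, N=10000)
    print(ET.tostring(entry, encoding="unicode"))
```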
Complex Type reference
Namespace
http://xml/metadataSharing.xsd
Annotations
Reference element used to hold xpath expressions to objects, for example file[@id="12345"].
<xs:complexType name="reference"><xs:annotation><xs:documentation xml:lang="en">Reference element used to hold xpath expressions to objects, for example file[@id="12345"].</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="xs:string"></xs:extension></xs:simpleContent></xs:complexType>
Simple Type OriginTypeEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
A list of origins, used in fieldData, to show where objects originated.
Diagram
Type
restriction of xs:string
Facets
enumeration
user
user - Data originated from a user, normally meaning manual submissions from a user.
enumeration
desktop
desktop - Data originated from a computer, normally meaning automated submissions from a product running on a user's computer.
enumeration
lan
network - Data originated from a local network.
enumeration
gateway
gateway - Data originated from measurements at a gateway.
enumeration
isp
isp - Data originated from measurements at an ISP.
enumeration
honeypot
honeypot - Data originated from internally gathered data using a honeypot or other collection device.
enumeration
collection
collection - Data from a malware collection.
enumeration
spam
spam - Data originated from spam (e.g. a spam email had a link to the malware or carried the malware itself).
enumeration
wan
web - Data originated from the Internet.
enumeration
internal
internal - Internally generated object (e.g. replicants of polymorphic malware).
<xs:simpleType name="OriginTypeEnum"><xs:annotation><xs:documentation xml:lang="en">A list of origins, used in fieldData, to show where objects originated.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="user"><xs:annotation><xs:documentation xml:lang="en">user - Data originated from a user, normally meaning manual submissions from a user.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="desktop"><xs:annotation><xs:documentation xml:lang="en">desktop - Data originated from a computer, normally meaning automated submissions from a product running on a users computer.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="lan"><xs:annotation><xs:documentation xml:lang="en">network - Data originated from a local network.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="gateway"><xs:annotation><xs:documentation xml:lang="en">gateway - Data originated from measurements at a gateway.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isp"><xs:annotation><xs:documentation xml:lang="en">isp - Data originated from measurements at an ISP.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="honeypot"><xs:annotation><xs:documentation xml:lang="en">honeypot - Data originated from internally gathered data using a honeypot or other collection device.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="collection"><xs:annotation><xs:documentation xml:lang="en">collection - Data from a malware collection.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="spam"><xs:annotation><xs:documentation xml:lang="en">spam - Data originated from spam (e.g. 
spam Email had a link to malware or the malware itself).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="wan"><xs:annotation><xs:documentation xml:lang="en">web - Data originated from the Internet.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="internal"><xs:annotation><xs:documentation xml:lang="en">internal - Internally generated object (e.g. replicants of a polymorphic malware) .</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="partner"><xs:annotation><xs:documentation xml:lang="en">partner - Data originated from a partner.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="unknown"><xs:annotation><xs:documentation xml:lang="en">unknown - unknown.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type intBetween0and100
Namespace
http://xml/metadataSharing.xsd
Annotations
Utility type for integers between 0 and 100. Used in field data for commonality and importance.
<xs:simpleType name="intBetween0and100"><xs:annotation><xs:documentation xml:lang="en">Utility type for integers between 0 and 100. Used in field data for commonality and importance.</xs:documentation></xs:annotation><xs:restriction base="xs:integer"><xs:minInclusive value="0"/><xs:maxInclusive value="100"/></xs:restriction></xs:simpleType>
Simple Type VolumeUnitsEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
A list of the units allowed in the volume element of fieldDataEntry.
Diagram
Type
restriction of xs:string
Facets
enumeration
numberUsersAffected
numberUsersAffected - The count of users (humans) affected by the items referenced by the field data entry.
enumeration
numberMachinesAffected
numberMachinesAffected - The count of computers affected by the items referenced by the field data entry.
enumeration
numberSeenInSpam
numberSeenInSpam - The count of spam messages containing the items referenced by the field data entry. Most commonly used for uris.
enumeration
numberSeenInMalwareSamples
numberSeenInMalwareSamples - The count of malware samples containing the items referenced by the field data entry. Most commonly used for uris.
enumeration
numberOfWebsitesHosting
numberOfWebsitesHosting - The count of web sites hosting the items referenced by the field data entry. Most commonly used for uris.
enumeration
numberOfWebsitesRedirecting
numberOfWebsitesRedirecting - The count of web sites redirecting the items referenced by the field data entry. Most commonly used for uris.
<xs:simpleType name="VolumeUnitsEnum"><xs:annotation><xs:documentation xml:lang="en">A list of the various units allowed to be used in volume tag in fieldDataEntry.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="numberUsersAffected"><xs:annotation><xs:documentation xml:lang="en">numberUsersAffected - The count of users (humans) affected by the items referenced by the field data entry.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="numberMachinesAffected"><xs:annotation><xs:documentation xml:lang="en">numberMachinesAffected - The count of computers affected by the items referenced by the field data entry.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="numberSeenInSpam"><xs:annotation><xs:documentation xml:lang="en">numberSeenInSpam - The count of spam messages containing the items referenced by the field data entry. Most commonly used for uris.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="numberSeenInMalwareSamples"><xs:annotation><xs:documentation xml:lang="en">numberSeenInMalwareSamples - The count of malware samples containing the items referenced by the field data entry. Most commonly used for uris.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="numberOfWebsitesHosting"><xs:annotation><xs:documentation xml:lang="en">numberOfWebsitesHosting - The count of web sites hosting the items referenced by the field data entry. Most commonly used for uris.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="numberOfWebsitesRedirecting"><xs:annotation><xs:documentation xml:lang="en">numberOfWebsitesRedirecting - The count of web sites redirecting the items referenced by the field data entry. Most commonly used for uris.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type LocationTypeEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
A list of the various ways that geographical location can be represented. The elements correspond to various levels of granularity of geographical data.
<xs:simpleType name="LocationTypeEnum"><xs:annotation><xs:documentation xml:lang="en">A list of the various ways that geographical location can be represented. The elements correspond to various levels of granularity of geographical data.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="countryCodeISO3166-2"/><xs:enumeration value="countryCodeISO3166-3"/><xs:enumeration value="countryCodeFIPS"/><xs:enumeration value="city"/><xs:enumeration value="region"/><xs:enumeration value="isp"/></xs:restriction></xs:simpleType>
Simple Type NoQuestionMark
Namespace
http://xml/metadataSharing.xsd
Annotations
Utility type for a string not including a question mark (?) for uri objects.
<xs:simpleType name="NoQuestionMark"><xs:annotation><xs:documentation xml:lang="en">Utility type for a string not including a question mark (?) for uri objects.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:pattern value="[^?]+"/></xs:restriction></xs:simpleType>
Simple Type IPRange
Namespace
http://xml/metadataSharing.xsd
Annotations
Utility type for ip ranges, for example 111.112.113.0-111.112.113.100.
<xs:simpleType name="IPRange"><xs:annotation><xs:documentation xml:lang="en">Utility type for ip ranges, for example 111.112.113.0-111.112.113.100.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:pattern value="[0-9\.]+-[0-9\.]+"/></xs:restriction></xs:simpleType>
Simple Type RelationshipTypeEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
All the different types of relationship that are possible.
Diagram
Type
restriction of xs:string
Facets
enumeration
relatedTo
relatedTo - generic relationship.
enumeration
isClassifiedAs
isClassifiedAs - Used to match an object to a classification to provide a "name" for the object.
enumeration
hosts
hosts - Used when a web site hosts a file.
enumeration
installed
installed - Used to relate files that install one another.
enumeration
isParentOf
isParentOf - Used to relate a file to another file that it creates.
enumeration
causesToInstall
causesToInstall - As in web site causes file to be installed.
enumeration
downloads
downloads - As in file retrieves data from a url, or file downloads file.
enumeration
runs
runs - A file that a url with an exploit runs, or a file (parent) that runs another file (child).
enumeration
usesCNC
usesCNC - As in classification/object uses command and control url/domain/ip.
enumeration
isNameServerOf
isNameServerOf - Maps name server ip to domain.
enumeration
resolvesTo
resolvesTo - Maps domain/url to ip address; could also be used for ip address to asn.
enumeration
verifiedBy
verifiedBy - Mapping from object information (e.g. url) to entity, with date indicating verified time.
enumeration
isServerOfService
isServerOfService - Map from domain/ip to service object.
enumeration
hasAssociatedConfiguration
hasAssociatedConfiguration - Map from file to associated registry information.
enumeration
operatedByEntity
operatedByEntity - Map from object to operating entity.
<xs:simpleType name="RelationshipTypeEnum"><xs:annotation><xs:documentation xml:lang="en">All the different types of relationship that are possible.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="relatedTo"><xs:annotation><xs:documentation xml:lang="en">relatedTo - generic relationship.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isClassifiedAs"><xs:annotation><xs:documentation xml:lang="en">isClassifiedAs - Used to match an object to a classification to provide a "name" for the object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="hosts"><xs:annotation><xs:documentation xml:lang="en">hosts - Used when a web site hosts a file.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="installed"><xs:annotation><xs:documentation xml:lang="en">installed - Used to relate files that install one another.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isParentOf"><xs:annotation><xs:documentation xml:lang="en">isParentOf - Used to relate files that creates another one.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="causesToInstall"><xs:annotation><xs:documentation xml:lang="en">causesToInstall - As in web site causes file to be installed.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="downloads"><xs:annotation><xs:documentation xml:lang="en">downloads - As in file retrieves data from a url, or file downloads file.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="runs"><xs:annotation><xs:documentation xml:lang="en">runs - File that a url with an exploit runs. 
Or a file (parent) that runs another file (child).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="usesCNC"><xs:annotation><xs:documentation xml:lang="en">usesCNC - As in classification/object uses command and control url/domain/ip.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isNameServerOf"><xs:annotation><xs:documentation xml:lang="en">isNameServerOf - Maps name server ip to domain.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="resolvesTo"><xs:annotation><xs:documentation xml:lang="en">resolvesTo - Maps domain/url to ip address, could also use for ip address and asn.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="verifiedBy"><xs:annotation><xs:documentation xml:lang="en">verifiedBy - Mapping from object information (e.g. url) to entity, with date indicating verified time.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isServerOfService"><xs:annotation><xs:documentation xml:lang="en">isServerOfService - Map from domain/ip to service object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="hasAssociatedConfiguration"><xs:annotation><xs:documentation xml:lang="en">hasAssociatedConfiguration - Map from file to associated registry information.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="operatedByEntity"><xs:annotation><xs:documentation xml:lang="en">operatedByEntity - Map from object to operating entity.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="downloadedFrom"><xs:annotation><xs:documentation xml:lang="en">downloadedFrom - Map from file to url.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="contactedBy"><xs:annotation><xs:documentation xml:lang="en">contactedBy - Map from file to url.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="partOfPackage"/><xs:enumeration 
value="sourcedFrom"/><xs:enumeration value="createdBy"/><xs:enumeration value="hasSignature"/><xs:enumeration value="hasTaggant"/></xs:restriction></xs:simpleType>
Simple Type ClassificationTypeEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
Top level types of classification. This is a high level type, not to be confused with the detailed category.
Diagram
Type
restriction of xs:string
Facets
enumeration
clean
clean - the object can be regarded as not malicious.
enumeration
dirty
dirty - the object can be regarded as malicious.
enumeration
unknown
unknown - the object classification type is unknown.
enumeration
unwanted
unwanted - the object can be regarded as potentially unwanted. This is intended to cover the well known case of "potentially unwanted programs".
enumeration
neutral
neutral - the object can be regarded as neutral, neither malicious nor legitimate.
<xs:simpleType name="ClassificationTypeEnum"><xs:annotation><xs:documentation xml:lang="en">Top level types of classification. This is a high level type, not to be confused with the detailed category.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="clean"><xs:annotation><xs:documentation xml:lang="en">clean - the object can be regarded as not malicious.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="dirty"><xs:annotation><xs:documentation xml:lang="en">dirty - the object can be regarded as malicious.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="unknown"><xs:annotation><xs:documentation xml:lang="en">unknown - the object classification type is unknown.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="unwanted"><xs:annotation><xs:documentation xml:lang="en">unwanted - the object can be regarded as potentially unwanted. This is intended to cover the well known case of "potentially unwanted programs".</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="neutral"><xs:annotation><xs:documentation xml:lang="en">neutral - the object can be regarded as neutral, neither malicious nor legitimate.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
<xs:simpleType name="IPTypeEnum"><xs:annotation><xs:documentation xml:lang="en">Types of IP addresses</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="ipv4"/><xs:enumeration value="ipv6"/></xs:restriction></xs:simpleType>
Simple Type RegionTypeEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
A list of regions, currently not used, but encouraged as values for 'region' when describing location.
Diagram
Type
restriction of xs:string
Facets
enumeration
NorthAmerica
enumeration
SouthAmerica
enumeration
CentralAmerica
enumeration
Europe
enumeration
Africa
enumeration
APAC
Source
<xs:simpleType name="RegionTypeEnum"><xs:annotation><xs:documentation xml:lang="en">A list of regions, currently not used, but encouraged as values for 'region' when describing location.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="NorthAmerica"/><xs:enumeration value="SouthAmerica"/><xs:enumeration value="CentralAmerica"/><xs:enumeration value="Europe"/><xs:enumeration value="Africa"/><xs:enumeration value="APAC"/></xs:restriction></xs:simpleType>
Simple Type PropertyTypeEnum
Namespace
http://xml/metadataSharing.xsd
Annotations
Property types allowed in an objectProperty.
Diagram
Type
restriction of xs:string
Facets
enumeration
filename
filename - names of files, normally associated with file objects.
enumeration
filepath
filepath - directory path of files, normally associated with file objects.
enumeration
locationUrl
locationUrl - a url at which the file sample can be retrieved, associated with file objects.
enumeration
isKernel
isKernel - true/false if the malware has a kernel component. This can be applied either to a classification or to a file object.
enumeration
isParasitic
isParasitic - true/false if the malware infects other files by attaching to them (if it also replicates then it is a parasitic virus). This can be applied either to a classification or to a file object.
enumeration
isStealth
isStealth - true/false if the malware uses rootkit style techniques to hide from users or security software. This can be applied either to a classification or to a file object.
enumeration
isPolymorphic
isPolymorphic - true/false if the malware is polymorphic, changing its appearance either through replication or server-side techniques. This can be applied either to a classification or to a file object.
enumeration
isVirus
isVirus - true/false if the malware is a virus (replicates and propagates recursively). This can be applied either to a classification or to a file object.
enumeration
isNonReplicating
isNonReplicating - true/false if the malware is non replicating. This can be applied either to a classification or to a file object.
enumeration
isDamaged
isDamaged - true/false if the malware sample is damaged. This can be applied to a file object.
enumeration
registryValueData
registryValueData - data from the registry of Microsoft operating systems. This is normally applied to a registry object. It could also be applied to a relationship between a malware sample (file object) and a registry object, to indicate the data that was written by the malware.
enumeration
urlParameterString
urlParameterString - parameter string information associated with a GET http request. This is normally applied to a uri object. It could also be applied to a relationship between a malware sample (file object) and a uri object, indicating the parameters associated with the communication.
enumeration
postData
postData - parameter information associated with a POST http request. This is normally applied to a relationship between a malware sample (file object) and a uri object, indicating the data sent with the communication.
enumeration
registrant
registrant - the registrant of a domain name, used for domain objects.
enumeration
registrationDate
registrationDate - the registration date of a domain name, used for domain objects.
enumeration
ownerAddress
ownerAddress - the address associated with the owner of a domain name, used for domain objects.
enumeration
adminContact
adminContact - the administrative contact address associated with a domain name, used for domain objects.
enumeration
technicalContact
technicalContact - the technical contact address associated with a domain name, used for domain objects.
enumeration
nameServer
nameServer - the name server associated with a domain name, used for domain objects.
enumeration
countryCodeISO3166-2
countryCodeISO3166-2 - the ISO3166-2 code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.
enumeration
countryCodeISO3166-3
countryCodeISO3166-3 - the ISO3166-3 code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.
enumeration
countryCodeFIPS
countryCodeFIPS - the FIPS code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.
enumeration
city
city - the name of a city, usually associated with an ip address object, e.g. the city in which that IP address is hosted.
enumeration
region
region - the name of a region, usually associated with an ip address object, e.g. the region in which that IP address is hosted.
enumeration
isp
isp - the name of an Internet Service Provider, usually associated with an ip address object, e.g. the isp that hosts the IP address.
enumeration
httpMethod
httpMethod - the http method (e.g. GET/POST/etc.) associated with an http request. This is usually associated with a relationship between malware (file object) and a uri (uri object), to indicate the type of http request made.
enumeration
referrer
referrer - the referrer uri, used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the referrer sent when that entity visited that uri.
enumeration
operatingSystem
operatingSystem - environmental information of the operating system used. Normally used as a property of a relationship between malware (file object) and some other object.
enumeration
userAgent
userAgent - User agent used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the user agent used when that entity visited that uri.
enumeration
browser
browser - browser used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the browser used when that entity visited that uri.
enumeration
comment
comment - a human readable comment that can be applied to any object or relationship.
<xs:simpleType name="PropertyTypeEnum"><xs:annotation><xs:documentation xml:lang="en">Property types allowed in an objectProperty.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><!-- file related --><xs:enumeration value="filename"><xs:annotation><xs:documentation xml:lang="en">filename - names of files, normally associated with file objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="filepath"><xs:annotation><xs:documentation xml:lang="en">filepath - directory path of files, normally associated with file objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="locationUrl"><xs:annotation><xs:documentation xml:lang="en">locationUrl - a url at which the file sample can be retrieved, associated with file objects.</xs:documentation></xs:annotation></xs:enumeration><!-- file related properties that used to be in category --><xs:enumeration value="isKernel"><xs:annotation><xs:documentation xml:lang="en">isKernel - true/false if the malware has a kernel component. This can be applied either to a classification or to a file object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isParasitic"><xs:annotation><xs:documentation xml:lang="en">isParasitic - true/false if the malware infects other files by attaching to them (if it also replicates then it is a parasitic virus). This can be applied either to a classification or to a file object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isStealth"><xs:annotation><xs:documentation xml:lang="en">isStealth - true/false if the malware uses rootkit style techniques to hide from users or security software. 
This can be applied either to a classification or to a file object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isPolymorphic"><xs:annotation><xs:documentation xml:lang="en">isPolymorphic - true/false if the malware is polymorphic, changing its appearance either through replication or server-side techniques. This can be applied either to a classification or to a file object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isVirus"><xs:annotation><xs:documentation xml:lang="en">isVirus - true/false if the malware is a virus (replicates and propagates recursively). This can be applied either to a classification or to a file object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isNonReplicating"><xs:annotation><xs:documentation xml:lang="en">isNonReplicating - true/false if the malware is non replicating. This can be applied either to a classification or to a file object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isDamaged"><xs:annotation><xs:documentation xml:lang="en">isDamaged - true/false if the malware sample is damaged. This can be applied to a file object.</xs:documentation></xs:annotation></xs:enumeration><!-- registry related --><xs:enumeration value="registryValueData"><xs:annotation><xs:documentation xml:lang="en">registryValueData - data from the registry from Microsoft operating systems. This is normally applied to a registry object. It could also be applied to a relationship between a malware sample (file object) and a registry object, to indicate the data that was written by the malware.</xs:documentation></xs:annotation></xs:enumeration><!-- url related --><xs:enumeration value="urlParameterString"><xs:annotation><xs:documentation xml:lang="en">urlParameterString - parameter string information associated with a GET http request. This is normally applied to a uri object. 
It could also be applied to a relationship between a malware sample (file object) and a uri object, indicating the parameters associated with the communication.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="postData"><xs:annotation><xs:documentation xml:lang="en">postData - parameter information associated with a POST http request. This is normally applied to a relationship between a malware sample (file object) and a uri object, indicating the data sent with the communication.</xs:documentation></xs:annotation></xs:enumeration><!-- domain related --><xs:enumeration value="registrant"><xs:annotation><xs:documentation xml:lang="en">registrant - the registrant of a domain name, used for domain objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="registrationDate"><xs:annotation><xs:documentation xml:lang="en">registrationDate - the registration date of a domain name, used for domain objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="ownerAddress"><xs:annotation><xs:documentation xml:lang="en">ownerAddress - the address associated with the owner of a domain name, used for domain objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="adminContact"><xs:annotation><xs:documentation xml:lang="en">adminContact - the administrative contact address associated with a domain name, used for domain objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="technicalContact"><xs:annotation><xs:documentation xml:lang="en">technicalContact - the technical contact address associated with a domain name, used for domain objects.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="nameServer"><xs:annotation><xs:documentation xml:lang="en">nameServer - the name server associated with a domain name, used for domain objects.</xs:documentation></xs:annotation></xs:enumeration><!-- ip related --><xs:enumeration 
value="countryCodeISO3166-2"><xs:annotation><xs:documentation xml:lang="en">countryCodeISO3166-2 - the ISO3166-2 code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="countryCodeISO3166-3"><xs:annotation><xs:documentation xml:lang="en">countryCodeISO3166-3 - the ISO3166-3 code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="countryCodeFIPS"><xs:annotation><xs:documentation xml:lang="en">countryCodeFIPS - the FIPS code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="city"><xs:annotation><xs:documentation xml:lang="en">city - the name of a city, usually associated with an ip address object, e.g. the city in which that IP address is hosted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="region"><xs:annotation><xs:documentation xml:lang="en">region - the name of a region, usually associated with an ip address object, e.g. the region in which that IP address is hosted.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="isp"><xs:annotation><xs:documentation xml:lang="en">isp - the name of an Internet Service Provider, usually associated with an ip address object, e.g. the isp that hosts the IP address.</xs:documentation></xs:annotation></xs:enumeration><!-- other --><xs:enumeration value="httpMethod"><xs:annotation><xs:documentation xml:lang="en">httpMethod - the http method (e.g. GET/POST/etc.) associated with an http request. 
This is usually associated with a relationship between malware (file object) and a uri (uri object), to indicate the type of http request made.</xs:documentation></xs:annotation></xs:enumeration><!-- --><xs:enumeration value="referrer"><xs:annotation><xs:documentation xml:lang="en">referrer - the referrer uri, used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the referrer sent when that entity visited that uri.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="operatingSystem"><xs:annotation><xs:documentation xml:lang="en">operatingSystem - environmental information of the operating system used. Normally used as a property of a relationship between malware (file object) and some other object.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="userAgent"><xs:annotation><xs:documentation xml:lang="en">userAgent - User agent used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the user agent used when that entity visited that uri.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="browser"><xs:annotation><xs:documentation xml:lang="en">browser - browser used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the browser used when that entity visited that uri.</xs:documentation></xs:annotation></xs:enumeration><!-- a comment field --><xs:enumeration value="comment"><xs:annotation><xs:documentation xml:lang="en">comment - a human readable comment that can be applied to any object or relationship.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type fileObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Object definition for files. The required attribute is the id, which needs to be globally unique. By convention, the value used is a hash, the stronger the better. The choice should be: use sha256 if you have it, if not use sha1, if not use md5. Other hashes and file sizes are recorded in the elements. File names are put in as properties.
<xs:complexType name="fileObject"><xs:annotation><xs:documentation xml:lang="en">Object definition for files. The required attribute is the id, which needs to be globally unique. By convention, the value used is a hash, the stronger the better. The choice should be: use sha256 if you have it, if not use sha1, if not use md5. Other hashes and file sizes are recorded in the elements. File names are put in as properties.</xs:documentation></xs:annotation><xs:sequence><xs:element name="md5" type="xs:hexBinary" minOccurs="1"/><xs:element name="sha1" type="xs:hexBinary" minOccurs="0"/><xs:element name="sha256" type="xs:hexBinary" minOccurs="0"/><xs:element name="sha512" type="xs:hexBinary" minOccurs="0"/><xs:element name="size" type="xs:int" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">The file size in bytes.</xs:documentation></xs:annotation></xs:element><xs:element name="crc32" type="xs:string" minOccurs="0"/><xs:element name="fileType" type="xs:string" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">String describing the type of file, for example executable, script etc.</xs:documentation></xs:annotation></xs:element><xs:element name="extraHash" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation xml:lang="en">Element for inserting fuzzy hashes for example pehash, ssdeep. 
These are put in with this element, with a required attribute 'type' used to hold the type of hash.</xs:documentation></xs:annotation><xs:complexType><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="type" use="required" type="xs:string"/></xs:extension></xs:simpleContent></xs:complexType></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="filename" type="xs:string"/><xs:element maxOccurs="unbounded" minOccurs="0" name="normalizedNativePath" type="xs:string"><xs:annotation><xs:documentation>The normalized native path of the file, using standardized system path variables (for Windows see http://en.wikipedia.org/wiki/Environment_variable#System_path_variables) with prepended and appended percentage characters. E.g. %ProgramFiles%/Microsoft Visual Studio.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="filenameWithinInstaller" type="xs:string"><xs:annotation><xs:documentation>The name of the file within an installer or archive.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="folderWithinInstaller" type="xs:string"><xs:annotation><xs:documentation>The folder the file resides in within an installer or archive.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="vendor" type="xs:string"><xs:annotation><xs:documentation>The name of the vendor, if extractable from the file.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="internalName" type="xs:string"><xs:annotation><xs:documentation>The internal name(s) of the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="language" type="xs:string"><xs:annotation><xs:documentation>The language(s) the file is in.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="productName" 
type="xs:string"><xs:annotation><xs:documentation>The name of the product the file belongs to, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="fileVersion" type="xs:string"/><xs:element minOccurs="0" name="productVersion" type="xs:string"><xs:annotation><xs:documentation>The version of the product the file belongs to, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="developmentEnvironment" type="xs:string"><xs:annotation><xs:documentation>The development environment used to build the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="checksum" type="xs:hexBinary"><xs:annotation><xs:documentation>The checksum of the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="architecture" type="xs:string"><xs:annotation><xs:documentation>The processor architecture of the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="buildTimeDateStamp" type="xs:dateTime"><xs:annotation><xs:documentation>The build timestamp of the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="compilerVersion" type="xs:string"><xs:annotation><xs:documentation>The version of the compiler used to compile the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="linkerVersion" type="xs:float"><xs:annotation><xs:documentation>The version of the linker used to link the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="minOSVersionCPE" type="xs:string"><xs:annotation><xs:documentation>The minimum operating system version needed to run the file, specified as a CPE name. The Common Platform Enumeration, or CPE, name of the package if one exists. CPE is a structured naming scheme for IT systems, software, and packages. 
For more information on CPE see http://cpe.mitre.org. For the official CPE dictionary see http://nvd.nist.gov/cpe.cfm.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="numberOfSections" type="xs:int"><xs:annotation><xs:documentation>The number of sections in the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="MIMEType" type="xs:string"/><xs:element minOccurs="0" name="requiredPrivilege" type="xs:string"><xs:annotation><xs:documentation>The minimum privilege required to run the file, e.g. Administrator, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="digitalSignature" type="digitalSignatureObject"><xs:annotation><xs:documentation>Information on the digital signature of the file, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="taggant" type="taggantObject"><xs:annotation><xs:documentation>Information on the taggant used to tag the file, if applicable.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" use="required" type="xs:hexBinary"/></xs:complexType>
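The id convention and element order that the fileObject annotation and source above lay down (sha256 if available, else sha1, else md5; md5 the only required hash element; extraHash carrying its hash type in a required attribute), as an added Python example that is my code, not the schema's or the IEEE project's. The helper names, the sample bytes and the ssdeep value are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample bytes standing in for a file; not a real sample.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample, not a real binary" * 8

# Preference order for the id attribute, strongest first, as the annotation states.
ID_PREFERENCE = ("sha256", "sha1", "md5")
# Order of the hash children in the fileObject xs:sequence.
HASH_ORDER = ("md5", "sha1", "sha256", "sha512")


def hash_sample(data):
    """Return the hashes the fileObject sequence can carry, hex-encoded as xs:hexBinary expects."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ORDER}


def choose_id(hashes):
    """Apply the id convention: sha256 if present, otherwise sha1, otherwise md5."""
    for name in ID_PREFERENCE:
        if hashes.get(name):
            return hashes[name]
    raise ValueError("fileObject needs at least an md5 (the only required hash element)")


def is_hex_binary(value):
    """xs:hexBinary lexical form: hex digits only, even length."""
    return len(value) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in value)


def build_file_object(hashes, size, filename, extra_hashes=None):
    """Assemble a fileObject element in schema order from the supplied hashes.

    extra_hashes maps a hash type name (e.g. ssdeep) to its value and becomes
    extraHash elements, whose required 'type' attribute carries that name.
    """
    if "md5" not in hashes:
        raise ValueError("md5 element is required (minOccurs=1)")
    obj = ET.Element("fileObject", id=choose_id(hashes))
    for name in HASH_ORDER:                        # md5, sha1, sha256, sha512
        if name in hashes:
            ET.SubElement(obj, name).text = hashes[name]
    ET.SubElement(obj, "size").text = str(size)    # file size in bytes
    for hash_type, value in (extra_hashes or {}).items():
        ET.SubElement(obj, "extraHash", type=hash_type).text = value
    ET.SubElement(obj, "filename").text = filename
    return obj


def check_file_object(obj):
    """Return the consistency problems a receiver should flag before trusting the record."""
    problems = []
    present = {name: obj.findtext(name) for name in HASH_ORDER if obj.find(name) is not None}
    if "md5" not in present:
        problems.append("missing required md5 element")
    for name, value in present.items():
        if not is_hex_binary(value):
            problems.append(f"{name} is not valid xs:hexBinary")
    # The id must be the strongest hash the record actually carries; anything
    # else means the sender broke the convention or the record was edited.
    if present and obj.get("id") != choose_id(present):
        problems.append("id does not match the strongest hash element present")
    if not is_hex_binary(obj.get("id", "")):
        problems.append("id is not valid xs:hexBinary")
    return problems


if __name__ == "__main__":
    hashes = hash_sample(SAMPLE_BYTES)
    record = build_file_object(hashes, len(SAMPLE_BYTES), "dropper.exe",
                               {"ssdeep": "3:constructed:value"})
    print(ET.tostring(record, encoding="unicode"))
    print("problems:", check_file_object(record))
```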
Complex Type digitalSignatureObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Digital signature object, used to hold information about digitally signed binaries with regards to the certificate used and its validity.
<xs:complexType name="digitalSignatureObject"><xs:annotation><xs:documentation>Digital signature object, used to hold information about digitally signed binaries with regards to the certificate used and its validity.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="1" name="certificateIssuer" type="xs:string"/><xs:element minOccurs="0" name="certificateSubject" type="xs:string"/><xs:element minOccurs="1" name="certificateValidity" type="xs:boolean"/><xs:element minOccurs="0" name="certificateRevocationTimestamp" type="xs:dateTime"/><xs:element minOccurs="0" name="signingTimestamp"><xs:complexType><xs:simpleContent><xs:extension base="xs:dateTime"><xs:attribute name="valid" type="xs:boolean"/></xs:extension></xs:simpleContent></xs:complexType></xs:element></xs:sequence><xs:attribute name="id" type="xs:string" use="required"/><xs:attribute name="type"><xs:simpleType><xs:restriction base="xs:string"><xs:enumeration value="CatalogSigned"/><xs:enumeration value="CodeSigned"/></xs:restriction></xs:simpleType></xs:attribute></xs:complexType>
Complex Type taggantObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Taggant object, for use in characterizing the software taggant that may be associated with a file or multiple files. For more information on the taggant system or the IEEE Malware Working Group that created it, please see http://standards.ieee.org/develop/indconn/icsg/malware.html.
<xs:complexType name="taggantObject"><xs:annotation><xs:documentation>Taggant object, for use in characterizing the software taggant that may be associated with a file or multiple files. For more information on the taggant system or the IEEE Malware Working Group that created it, please see http://standards.ieee.org/develop/indconn/icsg/malware.html.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="1" name="vendorID" type="xs:string"/><xs:element minOccurs="0" name="taggantValidity" type="xs:boolean"/><xs:element minOccurs="0" name="signingTimestamp"><xs:complexType><xs:simpleContent><xs:extension base="xs:dateTime"><xs:attribute name="valid" type="xs:boolean"/></xs:extension></xs:simpleContent></xs:complexType></xs:element></xs:sequence><xs:attribute name="id" type="xs:string" use="required"/></xs:complexType>
Complex Type uriObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Uri object. The only required element is the uri string itself. There are elements for each of the broken-out components. The protocol should be taken from the list at http://www.iana.org/assignments/port-numbers, or, if not in that list, have the value 'unknown'. The ipProtocol should be taken from the list at http://www.iana.org/assignments/protocol-numbers/. The elements correspond to the usual breakdown of a uri into its component domain, hostname, path, port etc., as described at http://en.wikipedia.org/wiki/Uniform_Resource_Locator.
<xs:complexType name="uriObject"><xs:annotation><xs:documentation xml:lang="en">Uri object. The only required element is the uri string itself. There are elements for each of the broken-out components. The protocol should be taken from the list at http://www.iana.org/assignments/port-numbers, or, if not in that list, have the value 'unknown'. The ipProtocol should be taken from the list at http://www.iana.org/assignments/protocol-numbers/. The elements correspond to the usual breakdown of a uri into its component domain, hostname, path, port etc., as described at http://en.wikipedia.org/wiki/Uniform_Resource_Locator.</xs:documentation></xs:annotation><xs:sequence><xs:element name="uriString" type="NoQuestionMark"/><xs:element name="protocol" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Protocol, for example http, ftp. The value must match an element in the list hosted at http://www.iana.org/assignments/port-numbers.</xs:documentation></xs:annotation></xs:element><xs:element name="hostname" type="xs:string" minOccurs="0"/><xs:element name="domain" type="xs:string" minOccurs="0"/><xs:element name="port" type="xs:int" minOccurs="0"/><xs:element name="path" type="xs:string" minOccurs="0"/><xs:element name="ipProtocol" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">IP protocol, for example tcp, udp. The value must match an element in the list hosted at http://www.iana.org/assignments/protocol-numbers/.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" use="required" type="NoQuestionMark"/></xs:complexType>
Complex Type domainObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Domain object, used to hold internet domains, e.g. yahoo.com. The globally unique identifier (id attribute) is the domain itself. Whois information on the domain is recorded using object properties.
<xs:complexType name="domainObject"><xs:annotation><xs:documentation xml:lang="en">Domain object, used to hold internet domains, e.g. yahoo.com. The globally unique identifier (id attribute) is the domain itself. Whois information on the domain is recorded using object properties.</xs:documentation></xs:annotation><xs:sequence><xs:element name="domain" type="xs:string"/></xs:sequence><xs:attribute name="id" use="required" type="xs:string"/></xs:complexType>
Complex Type registryObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Registry object. The required attribute is 'id', which is taken to be key\\valueName. Keys end in a \, value names start with a \, so you have e.g. key = hklm\software\microsoft\currentversion\windows\run\ and value = \foo, making the id hklm\software\microsoft\currentversion\windows\run\\foo
<xs:complexType name="registryObject"><xs:annotation><xs:documentation xml:lang="en">Registry object. The required attribute is 'id', which is taken to be key\\valueName. Keys end in a \, value names start with a \, so you have e.g. key = hklm\software\microsoft\currentversion\windows\run\ and value = \foo, making the id hklm\software\microsoft\currentversion\windows\run\\foo</xs:documentation></xs:annotation><xs:sequence><xs:element name="key" type="xs:string"/><xs:element name="valueName" type="xs:string" minOccurs="0"/></xs:sequence><xs:attribute name="id" use="required" type="xs:string"/></xs:complexType>
Complex Type IPObject
Namespace
http://xml/metadataSharing.xsd
Annotations
IP object. Used to hold ipv4 and ipv6 ip addresses and address ranges. The globally unique id is 'startAddress-endAddress'. There are two required elements, startAddress and endAddress; make these the same if you are specifying a single address. Thus for an ip range the id would be e.g. 213.23.45.7-213.23.45.19, and for a single ip the id would be e.g. 12.34.56.1-12.34.56.1.
<xs:complexType name="IPObject"><xs:annotation><xs:documentation xml:lang="en">IP object. Used to hold ipv4, ipv6 ip addresses and address ranges. The globally unique id is 'startAddress-endAddress'. There are two required elements, startAddress and endAddress, make these the same if you are specifying a single address. Thus for ip range id, would be e.g. 213.23.45.7-213.23.45.19 For a single ip, id would be e.g. 12.34.56.1-12.34.56.1</xs:documentation></xs:annotation><xs:sequence><xs:element name="startAddress" type="IPAddress"/><xs:element name="endAddress" type="IPAddress"/></xs:sequence><xs:attribute name="id" use="required" type="IPRange"/></xs:complexType>
Complex Type IPAddress
Namespace
http://xml/metadataSharing.xsd
Annotations
ip address - string for the actual address and attribute either ipv4, ipv6.
<xs:complexType name="IPAddress"><xs:annotation><xs:documentation xml:lang="en">ip address - string for the actual address and attribute either ipv4, ipv6.</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="type" type="IPTypeEnum" use="required"/></xs:extension></xs:simpleContent></xs:complexType>
Complex Type ASNObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Object used to hold information on Autonomous System Numbers. An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet. The id is the number, written as an integer for both 16 and 32 bit numbers.
<xs:complexType name="ASNObject"><xs:annotation><xs:documentation xml:lang="en">Object used to hold information on Autonomous System Numbers. An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet. The id is the number, written as an integer for both 16 and 32 bit numbers.</xs:documentation></xs:annotation><xs:sequence><xs:element name="as-number" type="xs:int"/></xs:sequence><xs:attribute name="id" use="required" type="xs:int"/></xs:complexType>
Complex Type entityObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Entity Object. This is used to record groups, companies etc., and departments within organizations. The globally unique id (attribute) should be constructed from the company and department name, e.g. "Company name:Department name", "Mcafee:AVERT labs", or "Russian Business Network".
<xs:complexType name="entityObject"><xs:annotation><xs:documentation xml:lang="en">Entity Object. This is used to record groups, companies etc., and departments within organizations. The globally unique id (attribute) should be constructed from the company and department name, e.g. "Company name:Department name", "Mcafee:AVERT labs", or "Russian Business Network".</xs:documentation></xs:annotation><xs:sequence><xs:element name="name" type="xs:string"/></xs:sequence><xs:attribute name="id" use="required" type="xs:string"/></xs:complexType>
Complex Type classificationObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Classification object, used to hold names or classifications of objects. The most common use case for this is detection names for files from av scanners. However, this object could be used for general classification. The globally unique id (attribute) should be created from "Company name:internal classification name", e.g. "Mcafee:Generic.DX". The other required attribute is the type of classification, e.g. clean, dirty, unknown. There are elements to capture the category of the classification. The category should be entered in the same way as the classification name, e.g. company name:category name, e.g. Mcafee:Trojan.
<xs:complexType name="classificationObject"><xs:annotation><xs:documentation xml:lang="en">Classification object, used to hold names or classifications of objects. The most common use case for this is detection names for files from av scanners. However, this object could be used for general classification. The globally unique id (attribute) should be created from "Company name:internal classification name", e.g. "Mcafee:Generic.DX". The other required attribute is the type of classification, e.g. clean, dirty, unknown. There are elements to capture the category of the classification. The category should be entered in the same way as the classification name, e.g. company name:category name, e.g. Mcafee:Trojan.</xs:documentation></xs:annotation><xs:sequence><xs:element name="classificationName" type="xs:string"></xs:element><xs:element name="companyName" type="xs:string"/><xs:element name="category" minOccurs="0" type="xs:string"><xs:annotation><xs:documentation xml:lang="en">Category is "companyname:category".</xs:documentation></xs:annotation></xs:element><xs:element name="classificationDetails" minOccurs="0"><xs:annotation><xs:documentation xml:lang="en">Details of the classification, giving product details, particularly useful for anti-virus scanner detections.</xs:documentation></xs:annotation><xs:complexType><xs:sequence><xs:element name="definitionVersion" type="xs:string" minOccurs="0"/><xs:element name="detectionAddedTimeStamp" type="xs:dateTime" minOccurs="0"/><xs:element name="detectionShippedTimeStamp" type="xs:dateTime" minOccurs="0"/><xs:element name="product" type="xs:string" minOccurs="0"/><xs:element name="productVersion" type="xs:string" minOccurs="0"/></xs:sequence></xs:complexType></xs:element></xs:sequence><!-- the id of the classification = companyName:classificationName --><xs:attribute name="id" type="xs:string" use="required"/><!-- classification type - can only have certain values --><xs:attribute name="type" type="ClassificationTypeEnum" 
use="required"/></xs:complexType>
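As an added example (not part of the schema or of the MMDEF project), the following Python enforces the naming conventions the annotation describes on a parsed <classification> element, using only the standard library. The allowed type values (clean, dirty, unknown) are taken from the "e.g." in the annotation because ClassificationTypeEnum itself is not shown on this page, so that set is an assumption; the two sample instances are constructed for the example.

```python
"""Consistency checks for MMDEF classificationObject instances (added example).

The XSD types companyName, classificationName, category and id as plain
xs:string, so the conventions in the annotation ("id is
companyName:classificationName", "category is companyName:category") are not
enforced by schema validation. These helpers enforce them after parsing.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# ASSUMPTION: the annotation lists "e.g. clean, dirty, unknown"; the real
# ClassificationTypeEnum is not shown on this page, so this is the allowed set
# used by the example.
CLASSIFICATION_TYPES = {"clean", "dirty", "unknown"}


def make_classification_id(company, name):
    """Build the globally unique id the annotation prescribes."""
    return f"{company}:{name}"


def _text(elem, path):
    """Stripped text of the first child matching path, or None if absent/empty."""
    child = elem.find(path)
    return child.text.strip() if child is not None and child.text else None


def check_classification(elem):
    """Return a list of problems; an empty list means the element is consistent."""
    problems = []
    company = _text(elem, "companyName")
    name = _text(elem, "classificationName")
    if company is None or name is None:
        problems.append("companyName and classificationName are required")
        return problems

    cid = elem.get("id")
    if cid != make_classification_id(company, name):
        problems.append(f"id {cid!r} != {make_classification_id(company, name)!r}")

    ctype = elem.get("type")
    if ctype not in CLASSIFICATION_TYPES:
        problems.append(f"type {ctype!r} not in {sorted(CLASSIFICATION_TYPES)}")

    category = _text(elem, "category")
    if category is not None and not category.startswith(company + ":"):
        problems.append(f"category {category!r} does not start with {company + ':'!r}")

    # Sanity check on the optional AV product details: a detection cannot ship
    # before it was added to the definitions.
    added = _text(elem, "classificationDetails/detectionAddedTimeStamp")
    shipped = _text(elem, "classificationDetails/detectionShippedTimeStamp")
    if added and shipped and datetime.fromisoformat(added) > datetime.fromisoformat(shipped):
        problems.append("detectionAddedTimeStamp is later than detectionShippedTimeStamp")
    return problems


def check_xml(xml_text):
    return check_classification(ET.fromstring(xml_text))


# Constructed sample instances (not taken from the original page).
GOOD = """<classification id="Mcafee:Generic.DX" type="dirty">
  <classificationName>Generic.DX</classificationName>
  <companyName>Mcafee</companyName>
  <category>Mcafee:Trojan</category>
  <classificationDetails>
    <definitionVersion>6543</definitionVersion>
    <detectionAddedTimeStamp>2011-10-03T09:00:00</detectionAddedTimeStamp>
    <detectionShippedTimeStamp>2011-10-04T12:00:00</detectionShippedTimeStamp>
    <product>VirusScan</product>
  </classificationDetails>
</classification>"""

BAD = """<classification id="Generic.DX" type="malicious">
  <classificationName>Generic.DX</classificationName>
  <companyName>Mcafee</companyName>
  <category>Trojan</category>
</classification>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_xml(doc) or "consistent")
```

The BAD instance would pass XSD validation (every field is a non-empty string and both required attributes are present), yet it breaks all three conventions: the id lacks the company prefix, the type is not one of the listed values, and the category lacks the company prefix. Running the checker after schema validation is what catches that.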
Complex Type softwarePackageObject
Namespace
http://xml/metadataSharing.xsd
Annotations
Software package object, used to store information about a software package, such as the vendor and version. Intended primarily for the clean-file metadata sharing use case.
<xs:complexType name="softwarePackageObject">
  <xs:annotation>
    <xs:documentation>Software package object, used to store information about a software package, such as the vendor and version. Intended primarily for the clean-file metadata sharing use case.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element minOccurs="1" name="vendor" type="xs:string"/>
    <xs:element minOccurs="0" name="productgroup" type="xs:string">
      <xs:annotation>
        <xs:documentation>The product group that the product belongs to, e.g. Microsoft Office.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element minOccurs="1" name="product" type="xs:string"/>
    <xs:element minOccurs="0" name="version" type="xs:string"/>
    <xs:element minOccurs="0" name="update" type="xs:string"/>
    <xs:element minOccurs="0" name="edition" type="xs:string"/>
    <xs:element minOccurs="0" name="language" type="xs:string"/>
    <xs:element minOccurs="0" name="CPEname">
      <xs:annotation>
        <xs:documentation>The Common Platform Enumeration, or CPE, name of the package if one exists. CPE is a structured naming scheme for IT systems, software, and packages. For more information on CPE see http://cpe.mitre.org. For the official CPE dictionary see http://nvd.nist.gov/cpe.cfm.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:string">
            <xs:attribute name="cpeVersion" type="xs:string">
              <xs:annotation>
                <xs:documentation>The version of CPE that is used for the name in the CPEname element. As of 10/04/2011 this is 2.2.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:string" use="required"/>
</xs:complexType>
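The CPEname element is typed as xs:string, so the schema cannot tell whether the CPE actually names the same product as the vendor, product, version, update, edition and language elements beside it, even though the CPE 2.2 URI binding has exactly those components. The following added example (not the schema's or the MMDEF project's code) parses a CPE 2.2 URI, the binding the annotation says was current, and cross-checks it against those elements. The sample packages are constructed, and the component normalisation (lower-casing, spaces to underscores) is a simplification of the CPE 2.2 rules, not a full implementation.

```python
"""Cross-check a softwarePackageObject's CPEname against its sibling elements (added example)."""
import xml.etree.ElementTree as ET

# CPE 2.2 URI binding: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
# Trailing empty components may be omitted; part is h (hardware), o (OS) or a (application).
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
CPE22_PARTS = {"h", "o", "a"}


def parse_cpe22(name):
    """Split a CPE 2.2 URI into its named components; missing trailing ones become ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > len(CPE22_FIELDS) or parts[0] not in CPE22_PARTS:
        raise ValueError(f"malformed CPE 2.2 URI: {name!r}")
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return dict(zip(CPE22_FIELDS, parts))


def cpe_normalize(value):
    """Simplified CPE 2.2 component normalisation: lower-case, spaces to underscores.
    (The real rules also percent-encode reserved characters; omitted here.)"""
    return value.strip().lower().replace(" ", "_")


def check_software_package(elem):
    """Return the list of disagreements between CPEname and the sibling elements."""
    cpe_elem = elem.find("CPEname")
    if cpe_elem is None or not (cpe_elem.text or "").strip():
        return []                      # CPEname is optional: nothing to cross-check
    # Absent cpeVersion attribute: assume 2.2, the version the annotation calls current.
    cpe_version = cpe_elem.get("cpeVersion", "2.2")
    if cpe_version != "2.2":
        return [f"cpeVersion {cpe_version!r} is not handled by this checker"]
    cpe = parse_cpe22(cpe_elem.text.strip())
    problems = []
    for field in CPE22_FIELDS[1:]:     # vendor .. language map 1:1 onto the schema's elements
        child = elem.find(field)
        if child is None or not (child.text or "").strip():
            continue                   # optional element absent: the CPE may still carry it
        if cpe_normalize(child.text) != cpe[field]:
            problems.append(f"{field}: element {child.text.strip()!r} vs CPE {cpe[field]!r}")
    return problems


def check_xml(xml_text):
    return check_software_package(ET.fromstring(xml_text))


# Constructed sample packages (not taken from the original page).
GOOD = """<softwarePackage id="pkg-1">
  <vendor>Microsoft</vendor>
  <productgroup>Microsoft Office</productgroup>
  <product>Word</product>
  <version>2010</version>
  <edition>x64</edition>
  <language>en</language>
  <CPEname cpeVersion="2.2">cpe:/a:microsoft:word:2010::x64:en</CPEname>
</softwarePackage>"""

BAD = """<softwarePackage id="pkg-2">
  <vendor>Microsoft</vendor>
  <product>Excel</product>
  <version>2010</version>
  <CPEname cpeVersion="2.2">cpe:/a:microsoft:word:2007</CPEname>
</softwarePackage>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_xml(doc) or "consistent")
```

The version comparison is deliberately exact; a consumer that accepts a CPE carrying only the major version (e.g. 14.0 against a full build string) would relax that one comparison to a prefix match, but should still treat a vendor or product mismatch as an error, since that is what makes a clean-file record point at the wrong software.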
Complex Type objectProperty
Namespace
http://xml/metadataSharing.xsd
Annotations
Property: a reference to the object, a timestamp and an unbounded set of properties. This is used to describe extra information about an object, for example the URL parameter strings associated with a particular URI object, or the file names associated with a particular file. Properties can also be applied to relationships by referencing the relationship by id; this allows, for example, recording the POST data sent in an HTTP request between a malware sample (file object) and a URI (uri object). Note that references and timestamp are required (neither has minOccurs="0"), at least one property must be present, and only the id attribute is optional.
<xs:complexType name="objectProperty">
  <xs:annotation>
    <xs:documentation xml:lang="en">Property; a reference to the object, a timestamp and an unbounded set of properties. This is used to describe extra information about an object. For example, to show the url parameter strings associated with a particular URI object. Or to show file names associated with a particular file. Properties can also be applied to relationships, by referencing the relationship by id. This allows use such as e.g. recording the post data sent in an http request between a malware (file object) and a uri (uri object).</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="references">
      <xs:annotation>
        <xs:documentation xml:lang="en">The objects the properties pertain to.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence>
          <xs:element name="ref" type="reference" minOccurs="1" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="timestamp" type="xs:dateTime"/>
    <xs:element name="property" type="property" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:attribute name="id" type="xs:anySimpleType" use="optional"/>
</xs:complexType>
Relationships are used to express relationships between objects, and dates. A relationship has a type (an attribute constrained to RelationshipTypeEnum, a defined list of allowed relationships), a source (a set of xpath references to the parent end of the relationship), a target (xpath references to the other end) and a date. Linking typed objects this way is a powerful way of describing data, and the date provides context. For example, assigning a classification to an object is done with an "isClassifiedAs" relationship, with the date meaning the date that the classification was assigned. To show URLs and when they were last visited, use a "verifiedBy" relationship between the URLs and the entity doing the verification, with the date interpreted as the verification date. Note that although the annotation calls the date optional, the timestamp element in the schema below has no minOccurs="0", so validation requires it; only the id attribute is optional.
<xs:complexType name="relationship">
  <xs:annotation>
    <xs:documentation xml:lang="en">Relationships are used to express relationships between objects, and dates. Relationships have a type (an attribute with a defined list of allowed relationships), source (a set of xpath references to the parent end of the relationship), target (xpath references to the other end of the relationship) and an optional date. The linking of objects with types is a powerful way of describing data. The dates can be used to provide context. For example, to assign a classification to an object, that can be done with an "isClassifiedAs" relationship, with the date meaning the date that the classification was assigned. To show urls and the last visited date, this can be expressed as a "verifiedBy" relationship between the urls and the entity doing the verification, with the date interpreted as the verification date.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <!-- relationship is source section with multiple parent elements each of which contains xpath to it-->
    <xs:element name="source">
      <xs:annotation>
        <xs:documentation xml:lang="en">References to objects at the parent end of the relationship.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence>
          <xs:element name="ref" minOccurs="1" maxOccurs="unbounded" type="reference"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <!-- and target element with multiple child elements, each of which is xpath to id -->
    <xs:element name="target">
      <xs:annotation>
        <xs:documentation xml:lang="en">References to objects at the child end of the relationship.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence>
          <xs:element name="ref" minOccurs="1" maxOccurs="unbounded" type="reference"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="timestamp" type="xs:dateTime"/>
  </xs:sequence>
  <!-- attributes on relationship element relationships can have an optional id-->
  <xs:attribute name="type" type="RelationshipTypeEnum" use="required"/>
  <xs:attribute name="id" type="xs:anySimpleType" use="optional"/>
</xs:complexType>
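Both objectProperty and relationship point at other parts of the document through <ref> elements of type reference, whose definition is not shown on this page, and XSD validation cannot tell whether such a reference resolves. The following added example (not the schema's or the MMDEF project's code) assumes each <ref> holds an XPath of the form /malwareMetaData/section/element[@id='...'] and resolves it by that id. It checks that every ref in a relationship or objectProperty points at an element of the named kind (including objectProperties that reference a relationship by id, as the annotation allows), that the timestamp the schema requires is present, and that property types are drawn from the PropertyTypeEnum values visible on this page, which is a subset because the list is cut off at the top of the page. The entity object, the minimal file and uri objects, and the whole sample document are constructed for the example; the relationship types used (isClassifiedAs, verifiedBy) are the two the annotation names.

```python
"""Reference integrity checks for MMDEF relationships and objectProperties (added example)."""
import re
import xml.etree.ElementTree as ET

# ASSUMPTION: the reference type is not shown on this page. The example assumes
# each <ref> carries an XPath of the form
#     /malwareMetaData/<section>/<element>[@id='...']
# and resolves it purely by the quoted id.
REF_RE = re.compile(r"^/malwareMetaData/(\w+)/(\w+)\[@id='([^']+)'\]$")

# PropertyTypeEnum values visible on this page (a subset: the list is cut off
# at the top of the page, so this is not the complete enumeration).
PROPERTY_TYPES = {
    "filename", "filepath", "locationUrl", "isKernel", "isParasitic", "isStealth",
    "isPolymorphic", "isVirus", "isNonReplicating", "isDamaged", "registryValueData",
    "urlParameterString", "postData", "registrant", "registrationDate", "ownerAddress",
    "adminContact", "technicalContact", "nameServer", "countryCodeISO3166-2",
    "countryCodeISO3166-3", "countryCodeFIPS", "city", "region", "isp", "httpMethod",
    "referrer", "operatingSystem", "userAgent", "browser", "comment",
}


def collect_ids(root):
    """Map every id declared under <objects> and <relationships> to its element tag."""
    ids = {}
    for section in ("objects", "relationships"):
        for elem in root.findall(f"./{section}/*"):
            if elem.get("id") is not None:
                ids[elem.get("id")] = elem.tag
    return ids


def check_document(xml_text):
    """Return a list of problems; an empty list means every ref resolves."""
    root = ET.fromstring(xml_text)
    ids = collect_ids(root)
    problems = []

    def check_refs(holder, where):
        for ref in holder.iter("ref"):          # all <ref> descendants of holder
            m = REF_RE.match((ref.text or "").strip())
            if not m:
                problems.append(f"{where}: unparseable ref {ref.text!r}")
                continue
            _section, tag, rid = m.groups()
            if rid not in ids:
                problems.append(f"{where}: ref to unknown id {rid!r}")
            elif ids[rid] != tag:
                problems.append(f"{where}: ref names {tag} but id {rid!r} is a {ids[rid]}")

    for rel in root.findall("./relationships/relationship"):
        where = f"relationship {rel.get('id')}"
        if rel.find("timestamp") is None:       # required: no minOccurs="0" in the XSD
            problems.append(f"{where}: missing required <timestamp>")
        check_refs(rel, where)                  # covers both <source> and <target>

    for prop in root.findall("./objectProperties/objectProperty"):
        where = f"objectProperty {prop.get('id')}"
        if prop.find("timestamp") is None:
            problems.append(f"{where}: missing required <timestamp>")
        check_refs(prop, where)
        for p in prop.findall("property"):
            if p.get("type") not in PROPERTY_TYPES:
                problems.append(f"{where}: unknown property type {p.get('type')!r}")
    return problems


# Constructed sample document. Root, file, uri and entity objects are simplified
# (no namespace, no hashes) because their definitions are not shown on this page.
SAMPLE = """<malwareMetaData version="1.2" id="example-doc-1">
  <objects>
    <file id="file-1"/>
    <uri id="uri-1"/>
    <entity id="entity-1"/>
    <classification id="Mcafee:Generic.DX" type="dirty"/>
  </objects>
  <objectProperties>
    <objectProperty id="prop-1">
      <references><ref>/malwareMetaData/relationships/relationship[@id='rel-2']</ref></references>
      <timestamp>2011-10-04T12:00:00</timestamp>
      <property type="httpMethod">GET</property>
      <property type="userAgent">Mozilla/5.0 (constructed example)</property>
    </objectProperty>
  </objectProperties>
  <relationships>
    <relationship type="isClassifiedAs" id="rel-1">
      <source><ref>/malwareMetaData/objects/file[@id='file-1']</ref></source>
      <target><ref>/malwareMetaData/objects/classification[@id='Mcafee:Generic.DX']</ref></target>
      <timestamp>2011-10-04T12:00:00</timestamp>
    </relationship>
    <relationship type="verifiedBy" id="rel-2">
      <source><ref>/malwareMetaData/objects/uri[@id='uri-1']</ref></source>
      <target><ref>/malwareMetaData/objects/entity[@id='entity-1']</ref></target>
      <timestamp>2011-10-04T12:00:00</timestamp>
    </relationship>
  </relationships>
</malwareMetaData>"""

# Same document with the classification removed (dangling ref from rel-1), the
# objectProperty's timestamp dropped, and a mis-cased property type.
BROKEN = (SAMPLE
          .replace('<classification id="Mcafee:Generic.DX" type="dirty"/>', "")
          .replace("<timestamp>2011-10-04T12:00:00</timestamp>", "", 1)
          .replace('type="httpMethod"', 'type="httpmethod"'))

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label, check_document(doc) or "all refs resolve")
```

The mis-cased property type would in practice be rejected by XSD validation, since type is constrained to PropertyTypeEnum; the dangling reference would not, because the reference type carries an XPath as text and no XSD key/keyref ties it to the target's id. Resolving refs after validation is therefore the step a consumer cannot skip before it acts on an isClassifiedAs relationship.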
filename - names of files, normally associated with file objects.
enumeration
filepath
filepath - directory path of files, normally associated with file objects.
enumeration
locationUrl
locationUrl - a url at which the file sample can be retrieved, associated with file objects.
enumeration
isKernel
isKernel - true/false if the malware has a kernel component. This can be applied either to a classification or to a file object.
enumeration
isParasitic
isParasitic - true/false if the malware infects other files by attaching to them (if it also replicates then it is a parasitic virus). This can be applied either to a classification or to a file object.
enumeration
isStealth
isStealth - true/false if the malware uses rootkit style techniques to hide from users or security software. This can be applied either to a classification or to a file object.
enumeration
isPolymorphic
isPolymorphic - true/false if the malware is polymorphic, changing its appearance either through replication or server-side techniques. This can be applied either to a classification or to a file object.
enumeration
isVirus
isVirus - true/false if the malware is a virus (replicates and propagates recursively). This can be applied either to a classification or to a file object.
enumeration
isNonReplicating
isNonReplicating - true/false if the malware is non-replicating. This can be applied either to a classification or to a file object.
enumeration
isDamaged
isDamaged - true/false if the malware sample is damaged. This can be applied to a file object.
enumeration
registryValueData
registryValueData - data from the registry of Microsoft operating systems. This is normally applied to a registry object. It could also be applied to a relationship between a malware sample (file object) and a registry object, to indicate the data that was written by the malware.
enumeration
urlParameterString
urlParameterString - parameter string information associated with a GET http request. This is normally applied to a uri object. It could also be applied to a relationship between a malware sample (file object) and a uri object, indicating the parameters associated with the communication.
enumeration
postData
postData - parameter information associated with a POST http request. This is normally applied to a relationship between a malware sample (file object) and a uri object, indicating the data sent with the communication.
enumeration
registrant
registrant - the registrant of a domain name, used for domain objects.
enumeration
registrationDate
registrationDate - the registration date of a domain name, used for domain objects.
enumeration
ownerAddress
ownerAddress - the address associated with the owner of a domain name, used for domain objects.
enumeration
adminContact
adminContact - the administrative contact address associated with a domain name, used for domain objects.
enumeration
technicalContact
technicalContact - the technical contact address associated with a domain name, used for domain objects.
enumeration
nameServer
nameServer - the name server associated with a domain name, used for domain objects.
enumeration
countryCodeISO3166-2
countryCodeISO3166-2 - the ISO3166-2 code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted. Note that, despite the value name, ISO 3166-2 is the subdivision (state/province) part of the standard; the two-letter country code is the ISO 3166-1 alpha-2 code. The enumeration value itself is fixed by the schema, so producers and consumers should agree on which code is exchanged under it.
enumeration
countryCodeISO3166-3
countryCodeISO3166-3 - the ISO3166-3 code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted. As with the previous value, ISO 3166-3 proper covers codes for formerly used country names; the three-letter country code is the ISO 3166-1 alpha-3 code.
enumeration
countryCodeFIPS
countryCodeFIPS - the FIPS code for country, usually associated with an ip address object, e.g. the country where that IP address is hosted.
enumeration
city
city - the name of a city, usually associated with an ip address object, e.g. the city in which that IP address is hosted.
enumeration
region
region - the name of a region, usually associated with an ip address object, e.g. the region in which that IP address is hosted.
enumeration
isp
isp - the name of an Internet Service Provider, usually associated with an ip address object, e.g. the isp that hosts the IP address.
enumeration
httpMethod
httpMethod - the http method (e.g. GET/POST/etc.) associated with an http request. This is usually associated with a relationship between malware (file object) and a uri (uri object), to indicate the type of http request made.
enumeration
referrer
referrer - the referrer uri sent when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the referrer sent when that entity visited that uri.
enumeration
operatingSystem
operatingSystem - environmental information of the operating system used. Normally used as a property of a relationship between malware (file object) and some other object.
enumeration
userAgent
userAgent - User agent used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the user agent used when that entity visited that uri.
enumeration
browser
browser - browser used when accessing a uri, associated with a uri object, or applied to a relationship between an entity and a uri, for the browser used when that entity visited that uri.
enumeration
comment
comment - a human readable comment that can be applied to any object or relationship.
<xs:attribute use="required" name="version" type="xs:decimal" fixed="1.2">
  <xs:annotation>
    <xs:documentation xml:lang="en">The version of the schema. This is currently fixed to be 1.2 (the fixed="1.2" facet is what validation enforces; the original documentation text still said 1.1).</xs:documentation>
  </xs:annotation>
</xs:attribute>
<xs:attribute use="required" name="id" type="xs:string">
  <xs:annotation>
    <xs:documentation xml:lang="en">A required identifier for the document.</xs:documentation>
  </xs:annotation>
</xs:attribute>