AVClass

AVClass is a software tool designed to automatically assign a malware family label to a sample based on the labels provided by multiple antivirus products. It is used in security research to standardize family naming across diverse AV vendors, enabling scalable analysis and cross-study comparisons of malware samples.

The basic approach of AVClass is to collect antivirus labels for a sample (often from sources like VirusTotal), extract informative tokens from those labels, and collapse synonymous or overlapping names into a single canonical family label. It filters out non-informative terms such as generic prefixes or Trojan descriptors, leaving terms that more clearly indicate a family. By aggregating evidence across multiple vendors, AVClass derives a consensus label and can also produce a set of aliases or synonyms that map to the same canonical family. A confidence score may accompany the label, reflecting agreement among vendors.

AVClass has influenced subsequent work in malware classification and has been extended by AVClass2 to handle larger datasets and improve robustness against noisy labeling. These tools are commonly used in threat intelligence pipelines to organize large collections of samples, track campaigns, and study lineage and evolution of malicious families.

Limitations include dependence on the quality and consistency of vendor labels; mislabeled or generic entries can lead to incorrect classifications, especially for new or obscure families. The method also relies on tokens being stable over time, so rapid naming changes can require updates to dictionaries and heuristics. Despite these challenges, AVClass provides a practical, automated means to harmonize malware family names across heterogeneous data sources.
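A simplified token-vote labeler in the spirit of the approach described above, written as an added example (not AVClass's own code). The vendor labels, the generic-token set and the alias map are constructed here and are far smaller than AVClass's real dictionaries.

```python
import re
from collections import Counter

# Constructed sample: labels six fictitious vendors gave one sample (not real VirusTotal output).
SAMPLE_LABELS = {
    "VendorA": "Trojan.Win32.Zbot.abcd",
    "VendorB": "Win32/Zeus.gen!B",
    "VendorC": "Trojan:Win32/Zbot",
    "VendorD": "Generic.Malware.SFd.3a4b",
    "VendorE": "W32/Zbot-BJ",
    "VendorF": "Trojan.GenericKD.1234",
}

# Assumed mini dictionary of non-informative tokens (platform, category, generic markers).
GENERIC = {"trojan", "win32", "w32", "generic", "generickd", "malware", "gen", "heur", "variant"}
# Assumed alias map collapsing vendor synonyms onto one canonical family name.
ALIASES = {"zeus": "zbot"}

def tokenize(label):
    """Split a vendor label on non-alphanumerics into lowercase tokens of length >= 3."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if len(t) >= 3]

def informative_tokens(label):
    """Drop generic terms and digit-bearing variant suffixes, normalize aliases.
    Returns a set so each vendor casts at most one vote per token."""
    toks = set()
    for t in tokenize(label):
        if t in GENERIC or any(c.isdigit() for c in t):
            continue
        toks.add(ALIASES.get(t, t))
    return toks

def label_sample(vendor_labels, min_votes=2):
    """Plurality vote over vendors' informative tokens.
    Returns (family, confidence) where confidence is the fraction of vendors that
    voted for the winning token, or (None, 0.0) when no token clears min_votes."""
    votes = Counter()
    for label in vendor_labels.values():
        votes.update(informative_tokens(label))
    if not votes:
        return None, 0.0
    family, count = votes.most_common(1)[0]
    if count < min_votes:
        return None, 0.0
    return family, count / len(vendor_labels)

if __name__ == "__main__":
    print(label_sample(SAMPLE_LABELS))  # ('zbot', 0.6666...)
```

Labels that consist only of generic tokens yield no family, which is the case a pipeline should route to manual review rather than treat as a confident classification.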