Question 1

How do I install AVClass and process VirusTotal v3 reports?

Accepted Answer

Install via pip with 'pip install avclass-malicialab', then run 'avclass -f your_vt3_report.json' to output tags. The README provides examples using files like vtv3_sample.json for direct compatibility.

Question 2

AVClass vs Malpedia: which is better for malware family identification?

Accepted Answer

AVClass automates tagging from AV labels without manual curation, ideal for large datasets, while Malpedia offers manually verified family information but requires more effort. AVClass is faster for bulk analysis but depends on AV engine accuracy.

Question 3

Can AVClass handle labels from Android malware samples?

Accepted Answer

Yes, it's cross-platform and works with any AV labels, including those for Android, as stated in the README under 'Cross-platform support'. Just ensure input reports include relevant AV engine data.

Question 4

How to customize the taxonomy for new malware families in AVClass?

Accepted Answer

Use the update module with '-aliasdetect' to generate suggestions, then modify taxonomy, tagging, and expansion files manually or via 'avclass-update'. The README details this in the 'Customizing AVClass' section.

Question 5

What does SINGLETON output mean in AVClass?

Accepted Answer

SINGLETON indicates no family name was identified; it uses the sample hash as a placeholder to avoid clustering unlabeled samples together. This is explained in the examples to ensure each sample is treated uniquely.

Question 6

Does AVClass support other AV sources besides VirusTotal?

Accepted Answer

Yes, it supports OPSWAT MetaDefender reports and a simplified JSON format, allowing integration with various AV label sources. The README shows examples with opswat_md_sample.json and malheurReference_lb.json.

AVClass

What is AVClass?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions