Antiy AVL SDK Anti-Virus Engine Upgrade Announcement (20230311)

Following the principles of transparency, accessibility, usability, verifiability and perceptibility of security capabilities, Antiy publishes a weekly update of the AVL SDK anti-virus engine and its full set of capabilities.

1. Weekly Update

Statistical period: March 4, 2023 ~ March 10, 2023

Antiy's AVL SDK anti-virus engine released a total of 84 virus database updates this week, an average of 12 per day, adding 103 newly detectable malicious code families, 7,668 newly detectable malicious code variants, and 36,184 new detection rules.

The following table shows the TOP5 newly detectable malicious code families:

| Number | Virus Name | Virus Description |
| --- | --- | --- |
| 1 | Trojan/Win32.ESSR | This virus family is a type of Trojan program. After running, it establishes remote access connections, captures keyboard input, collects system information, downloads/uploads files, drops other malicious software onto the infected system, executes denial-of-service (DoS) attacks, and runs/terminates processes. |
| 2 | Trojan/Win32.MalgentMSR | This virus family is a Trojan family with espionage capabilities. After execution, its samples steal information such as usernames and passwords, communicate with the remote controller and accept further commands. The controller has complete control over the user's machine. |
| 3 | Trojan[Rootkit]/Linux.Drovorub | This virus family is a type of Trojan program with rootkit functionality. When it runs on a computer, it exploits vulnerabilities and defects to open a backdoor server. The Trojan's operators control the user's computer through the client side, thereby gaining control of the machine. |
| 4 | Trojan/Win32.Bullboka | This virus family is a type of Trojan program. After its samples run, they download malicious software to the local machine and execute it. This family is often used to install Trojans and other malicious software on computers while shielding the malicious applications from detection by anti-virus software. |
| 5 | Trojan/MSIL.UWS | This virus family is a type of Trojan program written in the MSIL intermediate language. After running, it establishes remote access connections, captures keyboard input, collects system information, downloads/uploads files, drops other malicious software onto the infected system, executes denial-of-service (DoS) attacks, and runs/terminates processes. |
| 6 | Trojan/JS.Pai | This virus family is a type of Trojan program written in JavaScript. Most of its samples take the form of scripts or web files. After running, they redirect to a URL containing malicious code and use vulnerabilities to download other malicious code to run on the local machine. |
| 7 | Trojan/Win64.BlackLotus | This virus family is a type of Trojan program. After execution, it establishes a remote access connection, captures keyboard input, collects system information, downloads/uploads files, drops other malicious software onto the infected system, executes denial-of-service (DoS) attacks, and runs/terminates processes. |
| 8 | Trojan/Win32.SMALLTRO | On the Win32 platform, the SMALLTRO Trojan usually spreads by being downloaded by other programs, by deceiving users, or by exploiting system vulnerabilities. It poses security risks to infected computers and may steal users' personal information, passwords and other sensitive data, or allow the machine to be remotely controlled. |
| 9 | Trojan/Win32.Dotinstall | This virus family is a type of Trojan that infects files. After execution, its samples spread by attaching their code to other programs or files. |
| 10 | HackTool/PowerShell.DumpNTDS | This virus family is a type of hacking tool written in the PowerShell scripting language. After the sample runs, it dumps the password hashes and other information of all domain users into memory. |

(Ranked by the number of distinct sample hashes per family within the period)

2. Full Detection Capabilities

As of 24:00 on March 10, 2023, the AVL SDK anti-virus engine can detect 16,769,964 malicious code variants of 52,492 malicious code families distributed in 8 basic categories, with a total of 56,631,354 detection rules.

The detection capabilities and the number of rules, broken down by malicious code category, are as follows:

| Type | Detectable Malicious Code (Types) | Detection Rules (Items) |
| --- | --- | --- |
| Infectious viruses | 50,290 | 10,476,317 |
| Worms | 290,794 | 5,973,453 |
| Trojans | 11,969,911 | 32,863,013 |
| Hacking tools | 419,226 | 429,816 |
| Risk tools | 1,135,526 | 3,100,225 |
| Rogue software | 2,904,207 | 3,786,857 |
| Junk files | 9 | 1,660 |
| Test programs (for self-test) | 1 | 13 |
| Total | 16,769,964 | 56,631,354 |

Preprocessing Capabilities (partial):

There are 31 types of unpackable executable packers and 121 types of recognizable or extractable packages (including self-extracting archives).

Supporting Knowledge Output Capabilities:

For malicious code payloads, the AVL SDK works together with the malicious code knowledge base to output 533 types of key behavior mapping tags and 139 types of ATT&CK technique and tactic tags, a coverage rate of 64.29%, which essentially covers all the tags in the ATT&CK framework that can be derived from static detection.

Appendix: Introduction to Antiy AVL SDK Anti-Virus Engine

Antiy AVL SDK anti-virus engine is a threat detection capability middleware developed by Antiy for all architectures and system platforms. By embedding the AVL SDK, Antiy products and ecosystem partners’ products can acquire virus and malicious code detection capabilities, and receive continuous updates through the virus database.

Across eight malicious code categories (infectious viruses, worms, Trojans, hacking tools, gray software, risky software, junk files, and test files), it accurately identifies and detects over 50,000 families and 18 million malicious code variants. The detection capability covers all known malicious code and strictly adheres to the CARO naming convention: the output is structured and named in sections by classification, environment, and family, and, based on the behavioral capabilities of the sample, it emits nearly a hundred types of malicious behavior tags for typical behaviors such as ransomware encryption, data theft, remote control, botnet activity, and mining. The Antiy Engine recognizes over 300 file formats and performs in-depth preprocessing of compiled executable formats such as PE and ELF. It also recursively unpacks various archive formats (including self-extracting archives) and structurally analyzes compound documents such as OFFICE and ACAD files that may carry embedded scripts or vulnerability-prone formats, which keeps it robust against malicious code. The Antiy Engine also ships with a trusted file signature library, allowing the product to enforce security policies based on blacklist and whitelist controls and significantly raising the bar for attackers.
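As an added example (not Antiy's code), the following shows how a defender might parse the structured detection names shown in the weekly table above into their classification, environment and family parts so they can be normalized in a SIEM; the grammar `Classification[Subtype]/Environment.Family` is an assumption inferred from those ten names, not a published Antiy specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed grammar, inferred from the names in the weekly table (not an official spec):
#   <classification>[<subtype>]/<environment>.<family>
# e.g. "Trojan[Rootkit]/Linux.Drovorub" -> Trojan, Rootkit, Linux, Drovorub
_NAME_RE = re.compile(
    r"^(?P<classification>[A-Za-z]+)"        # Trojan, HackTool, ...
    r"(?:\[(?P<subtype>[A-Za-z0-9_-]+)\])?"  # optional bracketed subtype
    r"/(?P<environment>[A-Za-z0-9_-]+)"      # Win32, Linux, MSIL, JS, PowerShell
    r"\.(?P<family>[A-Za-z0-9_.-]+)$"        # family name
)


@dataclass(frozen=True)
class DetectionName:
    classification: str
    subtype: Optional[str]
    environment: str
    family: str


def parse_detection_name(name: str) -> DetectionName:
    """Split a structured detection name into its sections; reject anything else."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a structured detection name: {name!r}")
    return DetectionName(m["classification"], m["subtype"], m["environment"], m["family"])


# Constructed sample input: the ten names from this week's table.
WEEKLY_TOP_FAMILIES: List[str] = [
    "Trojan/Win32.ESSR", "Trojan/Win32.MalgentMSR", "Trojan[Rootkit]/Linux.Drovorub",
    "Trojan/Win32.Bullboka", "Trojan/MSIL.UWS", "Trojan/JS.Pai",
    "Trojan/Win64.BlackLotus", "Trojan/Win32.SMALLTRO", "Trojan/Win32.Dotinstall",
    "HackTool/PowerShell.DumpNTDS",
]


def summarize_by_environment(names: List[str]) -> Dict[str, int]:
    """Count families per environment, e.g. to see which platforms new detections cover."""
    counts: Dict[str, int] = {}
    for n in names:
        env = parse_detection_name(n).environment
        counts[env] = counts.get(env, 0) + 1
    return counts


if __name__ == "__main__":
    for n in WEEKLY_TOP_FAMILIES:
        print(parse_detection_name(n))
    print(summarize_by_environment(WEEKLY_TOP_FAMILIES))
```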

Antiy’s detection capabilities can be fully deployed locally. Antiy automatically analyzes and processes over 2 million new file objects on average every day and releases a virus database update every two hours. It also provides support services such as cloud detection, cloud analysis, and computer virus encyclopedia.

Antiy AVL SDK is available in versions for traditional PC hosts, smart terminals, network traffic, IT application innovation systems, industrial systems, and unmanned systems. It provides threat detection capabilities for scenarios including host system and workload security, network traffic security, business flow security, and email and file service security. It fully supports architectures such as X86, ARM, MIPS (including Cavium), RISC, and PowerPC; supports mainstream operating systems including domestic operating systems, Linux, and Windows, as well as real-time industrial operating systems such as VxWorks; and also supports high-speed detection in backbone network scenarios.

Antiy AVL SDK empowers over 100 industry partners. In addition to Antiy’s own product deployment, Antiy Engine has cumulatively covered more than 4 billion nodes (including mobile terminals, secure and controllable PC endpoints, cloud-native nodes, network devices, network security devices, etc.), providing inherent security detection capabilities for mobile phones and smart terminals. The main partners using Antiy Engine include mobile phone enterprises such as Huawei, Xiaomi, Honor, VIVO and OPPO, large Internet enterprises such as Ant Financial, and several listed cybersecurity companies. Partner products using Antiy Engine have won internationally renowned evaluation awards such as AV-TEST and NSS Labs. The “L Tomahawk” logo of AVL SDK has become a symbol of reliable anti-virus capabilities.

All of Antiy's products, including but not limited to the IEP security protection system product family, Unified Workload Protect, Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System, and Qingzhu Zhiyu WAF, use the Antiy anti-virus engine.

The AVL SDK anti-virus engine has been under development since 2001 and has undergone significant version upgrades and iterations. It has successively received support from key national initiatives, including: the Ministry of Science and Technology’s Innovation Fund for Technology-based Firms (2004), the Ministry of Science and Technology’s National High-Tech R&D Program (863 Program) (2006), the National Development and Reform Commission’s Information Security Special Project (2008), and the Ministry of Industry and Information Technology’s Engineering Special Project (2019). The mobile version of AVL SDK won the 2014 AV-TEST Best Protection Award for Mobile Devices. Products powered by the AVL SDK, Antiy PTD and PTA, won first place in both the first and second National Cybersecurity Technology Challenge competitions hosted by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC).