ICSG Malware Working Group

Sharing best practices and procedures in the fight against malware.


The Malware Working Group's aim is to solve some of the malware-related issues the industry faces today.

The initial focus has been to establish more intelligent ways of sharing malware samples and the information associated with them in a way that makes the computer security industry more effective.

Current Projects
The current projects include SSL Man-in-the-Middle (MitM) and URL Brand Protection.

  • SSL MitM is designed to address the problems with security software monitoring encrypted communications.
  • URL Brand Protection seeks to increase the effectiveness of Anti-Phishing solutions while simultaneously reducing False Positives.

Previous Projects
The working group's previous efforts focused on addressing the problem of obfuscated (packed) malware.

  • Documented best practices for the use of packers by legitimate software developers
  • Defined various properties of packers concentrating on properties that are often associated with malicious uses
  • Created a registry of packers and a common set of names for packers
  • Established a data sharing format to share packer information
  • Developed and implemented the "Taggant System", which embeds a cryptographically strong and performant hash into each packed object to recognize sources of packed files (a "taggant" is a chemical marker added to explosives during the manufacturing process; it allows samples of explosive to be tracked back to their factory of manufacture)
  • Promoted and facilitated the deployment of the Taggant System within the industry (on both the AV side and the packer vendor side), and is monitoring that deployment

The working group also developed the Cleanfile Metadata eXchange (CMX) system.

  • This system allows 3rd parties to share metadata about their software with security companies prior to that software being released
  • This provides a single point of contact between the 3rd party and all CMX subscribers
  • This helps reduce the chances of False Positives on end users’ machines

Working Group Participation
To participate in the Malware Working Group, the entity with which you are associated (company, organization, etc.) must become a member of ICSG.

Only entity members of the ICSG can have voting rights in the Working Group. Additionally, some individual subject experts may be invited to participate in the Working Group (without voting rights).

For further information and to request ICSG membership, email the ICSG.