The McAfee Threat Assessment evaluates the level of risk posed by the electronic threats we encounter at McAfee Labs. Our team of global threat experts strives to inform you about each threat, its risks and consequences, and recommended actions. We have established a methodology for determining threat risk to ensure consistency and transparency in our processes. Note that, at this time, our threat assessments are supplied only for malicious threats, such as viruses, worms, and Trojans. Potentially unwanted programs (PUPs) are not rated.
Risk of a threat to any individual or corporation can be determined by answering the following questions:
Note that this is a statement of probability. While it may be true for a hypothetical user and a hypothetical threat, for any individual user or corporation with a real threat, the answer is that you either will or will not be infected. Whether that occurs depends on your particular security posture, countermeasures you have in place, response speed, effectiveness of your countermeasures, and even pure luck. When determining the risk of a threat, McAfee Labs attempts to gauge the average probability for our customers globally. This does not mean that some customers will not be affected by low-risk threats, or that many users will be unscathed by high-risk threats.
In theory, measuring exposure should be fairly straightforward. If a threat is email-borne, and one in 10 emails contains the threat, then the risk of exposure is 10%. In practice, the situation is seldom this straightforward. Some factors that may alter true exposure levels include:
The single most reliable measure of exposure is prevalence to date. Prevalence can be thought of as actual, verified customer reports of successful attacks over time. However, measuring this can be complicated as well for these reasons:
As a result, it is difficult to determine a numeric or absolute standard for different prevalence levels. The following guidelines work with some threats, but McAfee Labs may revise them on a case-by-case basis based on our decade of experience fighting malware. In some cases, higher exposure risks may be assigned:
Like exposure, damage can be difficult to measure in an absolute fashion. Generally, damage that is visible and obvious is considered less severe than damage that is difficult to see or quantify. Examples of more complex damage include:
Based on these considerations McAfee Labs uses the following guidelines for determining potential damage caused by threats:
McAfee Labs reports risk levels for threats in order of severity: The risk level assigned to a threat changes as its prevalence changes. Each level is defined below. Recommended actions for customers and actions taken by McAfee Labs with each risk level are listed in a table following the risk level descriptions. The recommended action should be modified to meet your specific needs.
These threats are detected by our researchers on most continents within a very short period of time. They are almost always spread via mass mailings or via remote vulnerability exploitation, so they often have a global impact in a matter of hours.
Threats in this category are discovered in the field and have a payload that can cause serious damage. They usually spread rapidly on common platforms with widely used operating systems. A threat that causes serious or catastrophic damage may be classified as high risk even if its prevalence is low.
This rating applies to threats that appear to be low risk but warrant additional monitoring because they have attracted media interest. They may not yet have been discovered in the field and may not have a dangerous payload. We may also classify a threat as Low/Profiled if it is a variant of a threat with high prevalence and potential to spread.
This classification is for threats that may not yet have been reported in the field and may not have a dangerous payload. These threats typically target obscure or rarely used applications, though at times, they may run on common platforms.
Not Applicable (N/A)
The Not Applicable (N/A) risk assessment is used on descriptions for threats or apparent threats that do not warrant an assessment. For example, email hoax descriptions have a risk assessment of N/A as they are not Trojans or infectious like viruses. Trojan and virus family descriptions and heuristic detection descriptions have a risk assessment of N/A because they are general descriptions and do not describe specific threats.
The risk level for a threat can move from lower to higher over a period of time. For example, a virus may start out with an assessment of Low but later be elevated to a Medium or Medium/On Watch level as its prevalence increases. In most instances where a threat is classified as Medium/On Watch, we subsequently raise the threat assessment to High. The level is lowered when the prevalence of the threat decreases. When a threat is no longer classified as a High risk, it often stays in the Medium risk category for a period of time.
Examples of threats that have had their risk assessments raised:
|Threat Risk Level||Recommended Customer Actions||McAfee Labs Actions|
|Update All Systems (.DATs or EXTRADAT)||Update Critical Systems||Assess Risk||Deploy Patch||Update HIPS or NIPS Signatures||Post Description||ExtraDAT Created||Emergency .DAT Release||Press Release||Stinger||Virus Alert|
|High/Outbreak||ASAP||ASAP||Recommended||ASAP||Where applicable||Yes||If necessary||Yes||Yes||Yes||Alert|
|High||ASAP||ASAP||Recommended||ASAP||Where applicable||Yes||If necessary||Yes||Yes||Yes||Alert|
|Medium/On watch||Recommended||ASAP||Recommended||Recommended||Where applicable||Yes||If necessary||Yes||Yes||Yes||Advisory|
|Medium||Recommended||Recommended||Recommended||Recommended||Where applicable||Yes||If necessary||Yes||Yes||Yes||Advisory|
|Low/Profiled||Next regular update||Next regular update||Yes||If necessary||Next Regular Update||Notice|
|Low||As required||On demand||Next regular update|
|N/A||As required||On demand||Next regular update|
ASAP: Deploy patches (if necessary to prevent the exploitation of a vulnerability), EXTRA DATs, or full .DATs as soon as available.
Recommended: McAfee Labs recommends that you perform these additional steps as soon as possible.
Where Applicable: McAfee Intrusion Prevention System and Network Security Platform signatures will be released on Medium and above threats when those technologies are capable of protection.
If Necessary: EXTRA DAT files will only be created if the latest full .DAT release does not contain detection for the threat.
Next Regular Update: Low/Profiled and below threats will be included in the next regular .DAT release unless they increase in risk.