The need to classify detected objects arose with the advent of the first antivirus program. Despite the fact that viruses were few and far between at that time, they still needed to be distinguished from each other.
The pioneers of the antivirus industry used simple classification methods, comprising a unique name and the size of the detected file. However, a single virus could end up being called different names by different antivirus solutions, which led to confusion.
The first attempts to regulate the classification process were made in the early 1990s by CARO (Computer AntiVirus Researcher’s Organization), an alliance of antivirus specialists. The alliance created the CARO malware naming scheme, which was used for a while as the industry standard.
Increasingly sophisticated malicious programs, together with the advent of new platforms and more antivirus vendors, mean that the scheme has virtually fallen out of use (see the research paper ‘Current Status of the CARO Malware Naming Scheme’ by Vesselin Bontchev). But the main reason it fell out of favor was that the variety of detection technologies used by each vendor made it impossible to unify scanning results.
Attempts are occasionally made to come up with a new universal classification system for the objects detected by antivirus programs, but most are unsuccessful. The latest major project of this kind was the creation of Common Malware Enumeration (CME), an organization that provides single, common identifiers to new malware threats.
The classification system used by Kaspersky Lab is one of the most widespread in the industry and is used as the basis for classifications by a number of other antivirus vendors. Classification by Kaspersky Lab currently includes the whole range of malicious or potentially unwanted objects detected by Kaspersky Anti-Virus and differentiates objects according to their activity on users’ computers.