Documentation available for CPM Spyware analysis?

(imported topic written by JA-CTI91)

All -

Is there any documentation available on the format used for the data returned in the Core Protection Module – Spyware/Grayware Information analysis? The analysis retrieves two properties: a Detected Spyware property, and a Detected Spyware Details property. Not all fields in these results are human-readable, however. For example, the Detected Spyware property returns a result that looks something like this:

03 Jun 2011 16:39:01 -0700, SPYCAR_TEST_FILE, 68, 1, 201106031639993919530_SPYCAR_TEST_FILE

In this case, what do the 68 and 1 mean in the third and fourth fields? Is there a document describing what those fields mean, and a list of all possible values for those fields with descriptions?

The same problem exists with the Detected Spyware Details properties. This property returns results that look like this:

[201106031639993919530_SPYCAR_TEST_FILE].ItemActionResult#0=258
[201106031639993919530_SPYCAR_TEST_FILE].ItemLocation#0=C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VA76HCE8\HKLM_Run[1].exe
[201106031639993919530_SPYCAR_TEST_FILE].ItemRiskLevel#0=0
[201106031639993919530_SPYCAR_TEST_FILE].ItemScannerType#0=10
[201106031639993919530_SPYCAR_TEST_FILE].ItemThreatType#0=6

Now, this set of results provides some information as to the description of each field, but I can’t seem to find any documentation on the meaning of many of the codes, like ItemActionResult and ItemThreatType.

To give an example of the type of documentation I am looking for, I found this online: This document addresses (skip ahead to Page 6, table 3) this exact issue with regard to the CPM AV detection logfiles, which map nicely to the results returned in the AV analysis. I need the same information for the spyware detection analysis. Can someone help me find this documentation? This is needed so that I can write a custom Web Report.

Thanks in advance for any assistance!
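One way to turn the two result formats quoted in the post into structured records for a custom report, as an added example that is not part of the original post or of the product. The function names and the `field3`/`field4` keys are hypothetical; the numeric codes are kept as raw strings because the page gives no documentation of their meaning.

```python
import re
from collections import defaultdict

# Sample input copied from the post above.
SUMMARY = ("03 Jun 2011 16:39:01 -0700, SPYCAR_TEST_FILE, 68, 1, "
           "201106031639993919530_SPYCAR_TEST_FILE")
DETAILS = (
    r"[201106031639993919530_SPYCAR_TEST_FILE].ItemActionResult#0=258 "
    r"[201106031639993919530_SPYCAR_TEST_FILE].ItemLocation#0=C:\Users\Administrator"
    r"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"
    r"\VA76HCE8\HKLM_Run[1].exe "
    r"[201106031639993919530_SPYCAR_TEST_FILE].ItemRiskLevel#0=0 "
    r"[201106031639993919530_SPYCAR_TEST_FILE].ItemScannerType#0=10 "
    r"[201106031639993919530_SPYCAR_TEST_FILE].ItemThreatType#0=6"
)

# A key has the shape "[<detection id>].<FieldName>#<item index>=". Matching the
# whole shape, not just "[", keeps the "[1]" in a file name such as
# "HKLM_Run[1].exe" from being mistaken for the start of a new key.
KEY = re.compile(r"\[([^\]\s]+)\]\.(\w+)#(\d+)=")

def parse_details(text):
    """Return {detection_id: {item_index: {field_name: raw_value}}}."""
    out = defaultdict(lambda: defaultdict(dict))
    keys = list(KEY.finditer(text))
    for m, nxt in zip(keys, keys[1:] + [None]):
        # A value runs up to the next key, so paths with spaces stay whole.
        end = nxt.start() if nxt else len(text)
        det_id, field, idx = m.groups()
        out[det_id][int(idx)][field] = text[m.end():end].strip()
    return {d: dict(items) for d, items in out.items()}

def parse_summary(line):
    """Split one Detected Spyware result into its five fields."""
    ts, rest = line.split(",", 1)
    # rsplit from the right so a comma inside the name cannot shift the fields.
    name, f3, f4, det_id = (p.strip() for p in rest.rsplit(",", 3))
    # field3/field4: meaning undocumented on the page, left unnamed on purpose.
    return {"timestamp": ts.strip(), "name": name, "field3": f3,
            "field4": f4, "detection_id": det_id}

def join_results(summary_line, details_text):
    """Attach the per-item details to the summary row with the same detection id."""
    row = parse_summary(summary_line)
    row["items"] = parse_details(details_text).get(row["detection_id"], {})
    return row

if __name__ == "__main__":
    print(join_results(SUMMARY, DETAILS))
```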