Microsoft Malware glossary of terms
Author: Internet
1.id
MachineIdentifier
2.Computer antivirus software
-
ProductName - Defender state information e.g. win8defender
win8defender 8826520
mse 94873
mseprerelease 53
scep 22
windowsintune 8
fep 7
-
EngineVersion - Defender state information e.g. 1.1.12603.0
70 unique
-
AppVersion - Defender state information e.g. 4.9.10586.0
110 unique
-
AvSigVersion - Defender state information e.g. 1.217.1014.0
8,531 unique
-
IsBeta - Defender state information e.g. false
binary, all zeros, basically useless
3.Computer system configuration
-
RtpStateBitfield (Realtime protection state)
7 unique and NaN 32318
-
IsSxsPassiveMode - the active/passive mode of operation for Windows Defender. If another third-party primary antivirus exists on the system, Defender enters passive mode.
binary
-
DefaultBrowsersIdentifier
2017 unique
-
HasTpm - True if the machine has a TPM
Trusted Platform Module; binary
4.User-installed antivirus software
-
AVProductStatesIdentifier - ID for the specific configuration of a user's antivirus software
28,970 unique
-
AVProductsInstalled - NA
number installed
-
AVProductsEnabled - NA
number enabled
-
IsProtected - This is a calculated field derived from the Spynet Report's AV Products field. Returns:
a. TRUE if there is at least one active and up-to-date antivirus product running on this machine.
b. FALSE if there is no active AV product on this machine, or if the AV is active but is not receiving the latest updates.
c. null if there are no antivirus products in the report.
In short: whether a machine is protected.
binary or null
5.Machine location
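The three-way rule above is easy to misread, so here is an added reference implementation (not code from the original post or from Microsoft) that applies it to constructed Spynet-style AV product records and also derives the AVProductsInstalled / AVProductsEnabled counts. The AvProduct fields (name, active, up_to_date) and the sample reports are assumptions made for the example.

```python
# Added example: IsProtected rule plus AVProductsInstalled / AVProductsEnabled
# counts over constructed AV product records. Field names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AvProduct:
    """One entry of a report's AV Products field (constructed representation)."""
    name: str
    active: bool        # product is enabled and running
    up_to_date: bool    # product is receiving the latest updates


def is_protected(products: List[AvProduct]) -> Optional[bool]:
    """IsProtected as described in the post: True / False / None (null)."""
    if not products:
        return None   # c. no AV products in the report -> null
    if any(p.active and p.up_to_date for p in products):
        return True   # a. at least one active and up-to-date product
    return False      # b. none active, or active but not receiving updates


def product_counts(products: List[AvProduct]) -> Tuple[int, int]:
    """(AVProductsInstalled, AVProductsEnabled) for one report."""
    return len(products), sum(1 for p in products if p.active)


def value_counts(values: List[Optional[bool]]) -> Dict[str, int]:
    """Tally like pandas value_counts(dropna=False); None is shown as 'NaN'."""
    counts: Dict[str, int] = {}
    for v in values:
        key = "NaN" if v is None else str(float(v))  # 1.0 / 0.0 as in the post
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample reports; product names are placeholders.
SAMPLE_REPORTS = {
    "m1": [AvProduct("Defender", active=True, up_to_date=True)],
    "m2": [AvProduct("Defender", active=False, up_to_date=True),
           AvProduct("ThirdPartyAV", active=True, up_to_date=False)],  # active but stale
    "m3": [],                                                          # nothing reported
    "m4": [AvProduct("Defender", active=False, up_to_date=False),
           AvProduct("ThirdPartyAV", active=True, up_to_date=True)],
}

if __name__ == "__main__":
    for mid, products in SAMPLE_REPORTS.items():
        installed, enabled = product_counts(products)
        print(mid, "installed:", installed, "enabled:", enabled,
              "IsProtected:", is_protected(products))
    print(value_counts([is_protected(p) for p in SAMPLE_REPORTS.values()]))
```

Machine m2 is the case worth noticing: AVProductsEnabled is 1, yet IsProtected is FALSE because the only active product is not up to date, so the enabled count on its own does not mean the machine is protected.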
-
CountryIdentifier - ID for the country the machine is located in
This has 222 unique int64 IDs. Wikipedia cites 255+ countries and independent territories. If these are exact country codes, then Austria (43) has the highest number of rows in this data set, while the USA (001) has just 2%.
-
CityIdentifier - ID for the city the machine is located in
107,366 unique cities and a large number (~5%) of NaNs.
-
OrganizationIdentifier - ID for the organization the machine belongs in, organization ID is mapped to both specific companies and broad industries
There are 49 unique organisations, with 50% of the computers under one organisation and another 25% unclassified. Here's a breakdown of the top 5 values
-
GeoNameIdentifier - ID for the geographic region a machine is located in
292 geographic regions that a machine can be located in.
-
LocaleEnglishNameIdentifier - English name of Locale ID of the current user
276 locale int64 IDs. "A locale is neither a language nor a country: the same language may be spoken in multiple countries (often with subtle differences) and a single country may speak multiple languages. A locale is therefore an area where a particular language is spoken, which may (or may not) align with geographical and/or political boundaries."
6.Operating system
-
Platform - Calculates platform name (of OS related properties and processor property)
windows10 8618715
windows8 194508
windows7 93889
windows2016 14371
-
Processor - This is the process architecture of the installed operating system
x64 8105435
x86 815702
arm64 346
-
OsVer - Version of the current operating system
10.0.0.0 8632545
6.3.0.0 194447
6.1.1.0 93268
6.1.0.0 582
10.0.3.0 225
10.0.1.0 141
-
OsBuild - Build of the current operating system
76 unique build numbers, of which ~5 form the majority
-
OsSuite - Product suite mask for the current operating system.
14 unique; this has a very skewed distribution.
-
OsPlatformSubRelease - Returns the OS Platform sub-release (Windows Vista, Windows 7, Windows 8, TH1, TH2)
rs4 3915526
rs3 2503681
rs2 780270
rs1 730819
th2 411606
th1 270192
windows8.1 194508
windows7 93889
prers5 20992
-
OsBuildLab - Build lab that generated the current OS. Example: 9600.17630.amd64fre.winblue_r7.150109-2022
-
SkuEdition - The goal of this feature is to use the Product Type defined in the MSDN to map to a 'SKU-Edition' name that is useful in population reporting. The valid Product Types are defined in %sdxroot%\data\windowseditions.xml. This API has been used since Vista and Server 2008, so there are many Product Types that do not apply to Windows 10. The 'SKU-Edition' is a string value that is in one of three classes of results. The design must handle each class.
Home 5514341
Pro 3224164
Invalid 78054
Education 40694
Enterprise 34357
Enterprise LTSB 20702
Cloud 5589
Server 3582
7.Computer environment 2
-
AutoSampleOptIn - This is the SubmitSamplesConsent value passed in from the service, available on CAMP 9+
0 8921225
1 258
-
PuaMode - Pua Enabled mode from the service
These applications are not considered viruses, malware or other types of threats, but they may perform actions on the endpoint that affect its performance or use. PUA (potentially unwanted applications) can also refer to applications with a poor reputation.
-
SMode - This field is set to true when the device is known to be in 'S Mode', as in, Windows 10 S mode, where only Microsoft Store apps can be installed
0.0 8379843
NaN 537759
1.0 3881
-
IeVerIdentifier - Retrieves which version of Internet Explorer is running on this device. This has 303 unique values. Here are the most frequent values, up to a NaN.
-
SmartScreen - This is the SmartScreen enabled string value from registry. This is obtained by checking in order, HKLM\SOFTWARE\Policies\Microsoft\Windows\System\SmartScreenEnabled and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled. If the value exists but is blank, the value "ExistsNotSet" is sent in telemetry.
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. This only applies to Win 10 and Win 10 mobile.
-
Firewall - This attribute is true (1) for Windows 8.1 and above if windows firewall is enabled, as reported by the service.
1.0 8641014
0.0 189119
NaN 91350
-
UacLuaenable - This attribute reports whether or not the "administrator in Admin Approval Mode" user type is disabled or enabled in UAC. The value reported is obtained by reading the regkey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA.
User Account Control (UAC)
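As an added example (not code from the original post or from Microsoft's telemetry client), the following shows how the SmartScreen and UacLuaenable values described above can be derived from registry data: the policy key is consulted before the Explorer key, and a value that exists but is blank becomes "ExistsNotSet". The registry is simulated as a dict so the example runs anywhere; the key paths are the ones quoted in the text, the sample registries are constructed, and returning None when a value is absent is an assumption, since the post does not say what the service sends in that case.

```python
# Added example: deriving the SmartScreen and UacLuaenable telemetry values
# from a simulated registry. Key paths are those quoted in the post.
from typing import Dict, Optional, Union

RegValue = Union[str, int]
Registry = Dict[str, Dict[str, RegValue]]   # key path -> {value name: data}

SMARTSCREEN_KEYS = (  # checked in this order; the policy key takes precedence
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
)
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def smartscreen_setting(reg: Registry) -> Optional[str]:
    """SmartScreen telemetry string; None if neither key holds the value (assumption)."""
    for key in SMARTSCREEN_KEYS:
        values = reg.get(key, {})
        if "SmartScreenEnabled" in values:
            data = values["SmartScreenEnabled"]
            if isinstance(data, str) and data.strip() == "":
                return "ExistsNotSet"   # value present but blank
            return str(data)            # first key that has the value wins
    return None


def uac_lua_enabled(reg: Registry) -> Optional[int]:
    """EnableLUA DWORD (1 = Admin Approval Mode enabled, 0 = disabled); None if absent."""
    data = reg.get(UAC_KEY, {}).get("EnableLUA")
    return None if data is None else int(data)


# Constructed sample registries (sample data, not captured from a real machine).
POLICY_OVERRIDES: Registry = {
    SMARTSCREEN_KEYS[0]: {"SmartScreenEnabled": "RequireAdmin"},  # policy key set
    SMARTSCREEN_KEYS[1]: {"SmartScreenEnabled": "Warn"},          # ignored: policy wins
    UAC_KEY: {"EnableLUA": 1},
}
BLANK_VALUE: Registry = {
    SMARTSCREEN_KEYS[1]: {"SmartScreenEnabled": ""},              # exists but blank
    UAC_KEY: {"EnableLUA": 0},
}
NOTHING_SET: Registry = {}

if __name__ == "__main__":
    for label, reg in (("policy", POLICY_OVERRIDES), ("blank", BLANK_VALUE),
                       ("empty", NOTHING_SET)):
        print(label, "SmartScreen:", smartscreen_setting(reg),
              "UacLuaenable:", uac_lua_enabled(reg))
```

The BLANK_VALUE registry is the edge case the post calls out: the value is present, so the lookup stops at that key, but because it is empty the reported string is "ExistsNotSet" rather than a real setting.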
8.Census
8.1Census_Usage
-
Census_MDC2FormFactor - A grouping based on a combination of Device Census level hardware characteristics. The logic used to define Form Factor is rooted in business and industry standards and aligns with how people think about their device. (Examples: Smartphone, Small Tablet, All in One, Convertible...)
Smartphone, small tablet, all-in-one
-
Census_DeviceFamily - AKA DeviceClass. Indicates the type of device that an edition of the OS is intended for. Example values: Windows.Desktop, Windows.Mobile, and iOS.Phone
8.2Census_OEM
-
Census_OEMNameIdentifier - NA
-
Census_OEMModelIdentifier - NA
8.3Census_Processor
-
Census_ProcessorCoreCount - Number of logical cores in the processor
number of CPU cores; 45 unique
-
Census_ProcessorManufacturerIdentifier - NA
Manufacturer
-
Census_ProcessorModelIdentifier - NA
3,428 unique values
-
Census_ProcessorClass - A classification of processors into high/medium/low. Initially used for Pricing Level SKU. No longer maintained and updated
This column is mostly empty.
8.4Census_PrimaryDisk
-
Census_PrimaryDiskTotalCapacity - Amount of disk space on primary disk of the machine in MB
Unique value count: 5,735.
-
Census_PrimaryDiskTypeName - Friendly name of Primary Disk Type - HDD or SSD
HDD 5806804
SSD 2466808
UNKNOWN 358251
Unspecified 276776
NaN 12844
-
Census_SystemVolumeTotalCapacity - The size of the partition that the System volume is installed on in MB
System volume size
-
Census_HasOpticalDiskDrive - True indicates that the machine has an optical disk drive (CD/DVD)
0.0 8921483
Name: Census_HasOpticalDiskDrive, dtype: int64
-
Census_TotalPhysicalRAM - Retrieves the physical RAM in MB
Memory (RAM)
8.6Census_InternalPrimaryDiagonalDisplaySize
-
Census_ChassisTypeName - Retrieves a numeric representation of what type of chassis the machine has. A value of 0 means xx
Notebook 5248812
Desktop 1872125
Laptop 685581
Portable 360903
AllinOne 204295
-
Census_InternalPrimaryDiagonalDisplaySizeInInches - Retrieves the physical diagonal length in inches of the primary display
2,180 unique
-
Census_InternalPrimaryDisplayResolutionHorizontal - Retrieves the number of pixels in the horizontal direction of the internal display.
1,560 unique
-
Census_InternalPrimaryDisplayResolutionVertical - Retrieves the number of pixels in the vertical direction of the internal display
8.7Census_Power
-
Census_PowerPlatformRoleName - Indicates the OEM preferred power management profile. This value helps identify the basic form factor of the device
-
Census_InternalBatteryType - Has a lot of inconsistent naming schemes. For example - '#', 'lion', '4cel', 'l&#TAB#'. Majority of the machines are still represented in less than 10 labels. Some of these seem similar, for example - lion, li-i and liio could possibly be placeholders for lithium-ion batteries.
-
Census_InternalBatteryNumberOfCharges - Assuming this to be the number of battery cycles. If battery cycles are set to zero, could it be that these devices were in the first cycle of battery charge / are VMs or desktops ? What makes it more interesting is that 56% of the machines are in their first cycle of battery charge OR are non-battery operated.
8.8Census_OSVersion
-
Census_OSVersion - Numeric OS version Example - 10.0.10130.0
469 unique
-
Census_OSArchitecture - Architecture on which the OS is based. Derived from OSVersionFull. Example - amd64
amd64 8105885
x86 815252
arm64 346
-
Census_OSBranch - Branch of the OS extracted from the OsVersionFull. Example - OsBranch = fbl_partner_eeap where OsVersion = 6.4.9813.0.amd64fre.fbl_partner_eeap.140810-0005
32 unique
-
Census_OSBuildNumber - OS Build number extracted from the OsVersionFull. Example - OsBuildNumber = 10512 or 10240
165 unique values
-
Census_OSBuildRevision - OS Build revision extracted from the OsVersionFull. Example - OsBuildRevision = 1000 or 16458
285 unique values.
-
Census_OSEdition - Edition of the current OS. Sourced from HKLM\Software\Microsoft\Windows NT\CurrentVersion@EditionID in registry. Example: Enterprise
33 unique values
Core 3469991
Professional 3130566
CoreSingleLanguage 1945461
CoreCountrySpecific 166100
ProfessionalEducation 56698
-
Census_OSSkuName - OS edition friendly name (currently Windows only)
30 unique
-
Census_OSInstallTypeName - Friendly description of what install was used on the machine i.e. clean
UUPUpgrade 2608037
IBSClean 1650733
Update 1593308
Upgrade 1251559
Other 840121
Reset 649201
Refresh 205842
Clean 69073
CleanPCRefresh 53609
8.8Census_OSLanguage&Locale
-
Census_OSInstallLanguageIdentifier - NA
39 unique values
-
Census_OSUILocaleIdentifier - NA
147 unique values
8.9Census_Update
-
Census_OSWUAutoUpdateOptionsName - Friendly name of the WindowsUpdate auto-update settings on the machine.
FullAuto 3954497
UNKNOWN 2519925
Notify 2034254
AutoInstallAndRebootAtMaintenanceTime 371475
Off 26961
DownloadNotify 14371
8.10usb_boot
-
Census_IsPortableOperatingSystem - Indicates whether OS is booted up and running via Windows-To-Go on a USB stick.
0 8916619
1 4864
8.11Activation
-
Census_GenuineStateName - Friendly name of OSGenuineStateID. 0 = Genuine
IS_GENUINE 7877597
INVALID_LICENSE 801692
OFFLINE 228366
UNKNOWN 13826
TAMPERED 2
-
Census_ActivationChannel - Retail license key or Volume license key for a machine.
Retail 4727589
OEM:DM 3413350
Volume:GVLK 450954
OEM:NONSLP 317980
Volume:MAK 8028
Retail:TB:Eval 3582
8.12Census_IsFlight
-
Census_IsFlightingInternal - NA
NaN 7408759
0.0 1512703
1.0 21
-
Census_IsFlightsDisabled - Indicates if the machine is participating in flighting.
0.0 8760872
NaN 160523
1.0 88
-
Census_FlightRing - The ring that the device user would like to receive flights for. This might be different from the ring of the OS which is currently installed if the user changes the ring after getting a flight from a different ring.
Retail 8355679
NOT_SET 287803
Unknown 243438
WIS 10648
WIF 10322
RP 9860
Disabled 3722
OSG 7
Canary 3
Invalid 1
-
Census_ThresholdOptIn - NA
NaN 5667325
0.0 3253342
1.0 816
8.13Census_Firmware
-
Census_FirmwareManufacturerIdentifier - NA
712 unique values
-
Census_FirmwareVersionIdentifier - NA
50K unique values.
8.13Census_Boot
-
Census_IsSecureBootEnabled - Indicates if Secure Boot mode is enabled.
0 4585438
1 4336045
-
Census_IsWIMBootEnabled - NA
NaN 5659703
0.0 3261779
1.0 1
8.14Census_External
-
Census_IsVirtualDevice - Identifies a Virtual Machine (machine learning model)
0.0 8842840
1.0 62690
NaN 15953
-
Census_IsTouchEnabled - Is this a touch device ?
0 7801452
1 1120031
-
Census_IsPenCapable - Is the device capable of pen input ?
0 8581834
1 339649
8.15Census_others
-
Census_IsAlwaysOnAlwaysConnectedCapable - Retrieves information about whether the battery enables the device to be AlwaysOnAlwaysConnected.
Keep Wi-Fi on when the screen times out
0.0 8341972
1.0 508168
NaN 71343
9.Wdft
-
Wdft_IsGamer - Indicates whether the device is a gamer device or not based on its hardware combination.
0.0 6174143
1.0 2443889
NaN 303451
-
Wdft_RegionIdentifier - NA
15 unique
Source: https://blog.csdn.net/hzs4211819/article/details/113730328