Here is the initial feedback from Symantec on the 2.1 Malware Object.

- Malware needs to be two different objects, one for family and one for the instance. It is really confusing to think of these as the same object.
- Malware needs to track the build version and vanity name. Example: 3rd generation of this malware.
- Need to be able to track which sub-phase of the kill chain it is in or provide some sort of nesting logic. Basically, this malware calls this other malware, which calls this other malware. Need to know the order in which they were called, as this is critical information. There are often multiple phases that require understanding of the nesting.
- Maybe change the terms to be Static Events and Dynamic Events; this would reduce the overlap and the guessing of where things are documented. Example is Mutexes (down below).

Dynamic Analysis
- Needs to capture multiple passes based on the type of execution environment that it was run on (Windows 7, Windows 10 + Office 2016, Windows 10 + Chrome).
- Needs to track which type of sandbox it was run on and how that sandbox or virtual machine was configured / track the execution environment of where it was run, not just what it targets.
  - How the information was collected.
  - Where it was seen.
  - Where it will probably run.
- Need to track the platform that these run on; some things are not applicable to certain platforms. DLLs on Linux, Android MMS on Windows.
- Need ability to search across data to find similar file creates across various runs of dynamic analysis under different configurations.

Static Analysis
- Has a lot of events that are really dynamic events. This is what it would do if/when it were to run.
- Mutex for example might be based on computer name or GUID. Information can be derived from the execution environment. Same with filenames. This makes these more "Dynamic Events".
- Need to make a Communications Analysis/Events section and pull out all of the communication pieces:
  - HTTP / HTTPS Network Requests
  - IRC
  - Raw Sockets
  - UDP
  - Network Flow
  - Contacted IPs, etc.

Bret
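The following is an added example, not part of Bret's message and not STIX or Symantec code. It sketches a hypothetical data model that captures three of the requests above: family separated from instance, an ordered call chain between instances, and per-run execution environments for dynamic analysis. It also shows why mutex and filename values are "dynamic events": the search for similar file creates across runs only works once environment-derived parts (user name, GUID) are normalized away. All class names, field names and the sample data are constructed for illustration.

```python
from dataclasses import dataclass, field
from collections import defaultdict
import re

# Hypothetical model (not STIX 2.1); field names are this example's own.


@dataclass(frozen=True)
class ExecutionEnvironment:
    """Where a dynamic run actually executed, not what the sample targets."""
    os: str                       # e.g. "Windows 10"
    software: tuple = ()          # e.g. ("Office 2016",)
    sandbox: str = "unspecified"  # sandbox product / VM configuration label

    def label(self) -> str:
        return " + ".join((self.os,) + self.software) + f" [{self.sandbox}]"


@dataclass
class Event:
    kind: str    # "file_create", "mutex", "http_request", ...
    value: str


@dataclass
class DynamicRun:
    env: ExecutionEnvironment
    events: list


@dataclass
class MalwareFamily:
    name: str


@dataclass
class MalwareInstance:
    family: MalwareFamily
    build_version: str
    vanity_name: str
    sample_id: str                          # placeholder id, not a real hash
    static_events: list = field(default_factory=list)
    runs: list = field(default_factory=list)
    # ordered list of instances this sample invokes (the nesting / sub-phase)
    calls: list = field(default_factory=list)


_GUID = re.compile(
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?", re.I)
_USER = re.compile(r"(?i)^(c:\\users\\)[^\\]+")


def normalize(value: str) -> str:
    """Replace environment-derived parts (GUIDs, user name) with placeholders
    so values from different runs become comparable."""
    value = _GUID.sub("<GUID>", value)
    return _USER.sub(r"\1<USER>", value)


def call_chain(instance: MalwareInstance) -> list:
    """Depth-first list of vanity names in invocation order."""
    chain = [instance.vanity_name]
    for child in instance.calls:
        chain.extend(call_chain(child))
    return chain


def similar_file_creates(instance: MalwareInstance, kind: str = "file_create") -> dict:
    """Normalized file-create values mapped to the environments that produced
    them, keeping only values observed in two or more runs."""
    seen = defaultdict(set)
    for run in instance.runs:
        for ev in run.events:
            if ev.kind == kind:
                seen[normalize(ev.value)].add(run.env.label())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= 2}


# Constructed sample data: one family, three instances, two dynamic runs.
family = MalwareFamily("ExampleFamily")
dropper = MalwareInstance(
    family, "3.0", "ExampleDropper", "sample-001",
    static_events=[Event("mutex", "Global\\{COMPUTERNAME}-lock")],
    runs=[
        DynamicRun(ExecutionEnvironment("Windows 7", sandbox="vm-config-a"), [
            Event("file_create", r"C:\Users\bob\AppData\Local\{1b4e28ba-2fa1-11d2-883f-0016d3cca427}\loader.exe"),
            Event("file_create", r"C:\Windows\Temp\a.tmp"),
        ]),
        DynamicRun(ExecutionEnvironment("Windows 10", ("Office 2016",), "vm-config-b"), [
            Event("file_create", r"C:\Users\alice\AppData\Local\{6f9619ff-8b86-d011-b42d-00c04fc964ff}\loader.exe"),
            Event("file_create", r"C:\Users\alice\Desktop\readme.txt"),
        ]),
    ])
loader = MalwareInstance(family, "3.0", "ExampleLoader", "sample-002")
payload = MalwareInstance(family, "3.0", "ExamplePayload", "sample-003")
loader.calls.append(payload)
dropper.calls.append(loader)

if __name__ == "__main__":
    print(call_chain(dropper))
    print(similar_file_creates(dropper))
```

Only the loader path survives the cross-run comparison: the user directory and GUID differ per environment, but once normalized both runs report the same file create, while the run-specific temp and desktop files drop out. The same normalization would apply to a mutex name derived from the computer name, which is the reason the feedback treats such values as dynamic rather than static.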