Common Malware Enumeration (CME)

Frequently Asked Questions

A. Introduction to CME

A1. What is CME? Is it intended for public use?
A2. Why CME?
A3. What is "malware"?
A4. What is a "threat"?
A5. What is a "virus"? What is a "worm"? What is a "trojan"?
A6. What is an "outbreak"?
A7. Who discovers all this malware?
A8. How can my organization and I participate?
A9. Does CME participate in link exchange arrangements?

B. Using CME

B1. What is a CME identifier?
B2. How does a threat become a CME identifier? Is there a formal process in place?
B3. Are there any anti-virus products or services that use CME identifiers?
B4. I discovered a potential threat, how do I get it added to the CME List?
B5. I have a virus on my computer, can CME help me?
B6. Can I include CME identifiers and information in my product/alert/Web site/etc.?

C. CME Editorial Board / CME Sample Redistribution Group

C1. Who is the CME Editorial Board?
C2. What is the "CME Sample Redistribution Group"?

D. Project Oversight

D1. What is the relationship between CME and MITRE?


A. Introduction to CME

A1. What is CME? Is it intended for public use?

The Common Malware Enumeration (CME) initiative aims to provide single, common identifiers to new virus threats (i.e., malware) and to the most prevalent virus threats in the wild for the benefit of the public. Managed and maintained by The MITRE Corporation, CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware. Instead, it is an effort to facilitate the adoption of a shared, neutral indexing capability for malware.

Through the adoption of this neutral, shared identification method, the CME initiative seeks to:

  • Reduce the public's confusion in referencing threats during malware incidents.
  • Enhance communication between anti-virus vendors.
  • Improve communication and information sharing between anti-virus vendors and the rest of the information security community.

CME reduces confusion by assigning a single CME identifier to a particular threat so that anti-virus entities, as well as other security-related entities, can include it along with their proprietary information. In this way the public may cross-reference the disparate virus names through a common identifier. These common CME identifiers are posted for public use on the CME List on the CME Web site.

A2. Why CME?

Before CME, anti-virus products used a variety of names and variant designations for the same outbreak, and companies had an increasingly difficult time staying coordinated on names for all of the new viruses. The result was widespread confusion: members of the public had to determine whether a single outbreak, multiple outbreaks, or a new outbreak altogether was underway. Having to determine whether the protection they had in place was effective against the current outbreak(s) increased the public's burden further. During outbreaks, network administrators had difficulty determining whether their networks and systems were protected, because a variety of virus names all referred to the same threat(s).

CME solves this problem by assigning a single, common identifier to all elements associated with the threat. For example, with Nimda, the IIS buffer overflow byte stream, the file that is passed through TFTP, the mass-mailed email it creates that attacks via the audio/x-wav vulnerability, the appended HTML pages, and any of its other forms are all referenced by a single CME identifier. Widespread use of CME's common identifiers will help the information security community, and the public, communicate more effectively about computer virus outbreaks, thereby severely reducing the extensive confusion that occurred in the past.

A3. What is "malware"?

CME defines malware as any computer code such as a virus, worm, etc., with the potential to damage a computer system or network. Spyware and adware will not receive CME identifiers.

A4. What is a "threat"?

CME defines a threat as a single entity encompassing any number of files that may be involved in a malware outbreak. This is different from the previous course of anti-virus procedure in detecting and naming singular virus-related files. For example, with CME all components of Nimda—the IIS buffer overflow byte stream, the file that is passed through TFTP, the mass-mailed email it creates that attacks via the audio/x-wav vulnerability, the appended html pages or any of its other forms—are referenced by a single CME identifier.

A5. What is a "virus"? What is a "worm"? What is a "trojan"?

CME defines a virus as a program that infects a computer by attaching itself to another program, and propagating itself when that program is executed.

CME defines a worm as a computer program that can make copies of itself and spread through connected systems, using up resources in affected computers or causing other damage.

CME defines a trojan as computer code that does something that is not expected by the executor of the code.

A6. What is an "outbreak"?

CME defines an outbreak as a high-visibility threat that the CME Sample Redistribution Group and CME Editorial Board deem significant enough that all anti-virus vendors should offer an immediate defense against it for the public good.

A7. Who discovers all this malware?

For the purposes of the CME initiative, all malware threats and viruses are discovered by the organizations that are members of the CME Sample Redistribution Group and submitted to the CME Submission Server for the assignment of a CME identifier.

A8. How can my organization and I participate?

An integral component of the CME initiative is broad community participation. We strongly encourage users of anti-virus products to ask their preferred vendors to adopt CME identifiers. For anti-virus product vendors, supporting and participating in the CME initiative is a bold first step in announcing to your users that you want to help alleviate their confusion and further protect their systems and networks. Adopting the use of CME identifiers is a significant first step in establishing a consistent approach by anti-virus entities that will benefit users and the entire information security community.

Contact us at cme@mitre.org to discuss how you and your organization can help this growing anti-virus and information security initiative.

A9. Does CME participate in link exchange arrangements?

No, CME does not exchange links with other Web sites. Only authorized links are allowed on the CME Web site, such as references for CME identifiers on the CME List and those for Products and Services Including CME Identifiers, CME Editorial Board Members, and News about CME.


B. Using CME

B1. What is a CME identifier?

CME identifiers are assigned in the format 'CME-N' where N is an integer between 1 and 999, for example, "CME-123". To accommodate space-deprived anti-virus products, CME identifiers can be abbreviated (e.g., M123 or M-123), but the official format (i.e., CME-123) should be used in places such as Web pages, alerts, encyclopedias, etc. Additional digits will be added when the remaining unused identifier space becomes too small. For the sake of successful text-based comparisons, leading zeros will always be omitted in an identifier, e.g., CME-00123 will always be written as CME-123.

Each CME identifier recorded on the CME Web site includes the following information associated with it:

  • CME Identifier Number
  • Vendor aliases/urls
  • Description of the malware, and/or comments
  • Date assigned

See The CME Process for additional information.
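
The identifier rules in B1, as an added example that is not part of the original FAQ or MITRE's own code: Python that reduces the official and abbreviated forms to the official CME-N form and groups vendor names under it. The function names, vendor and detection names, and the case-insensitive matching are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Official form CME-N plus the abbreviated forms M123 / M-123 described in B1.
# Case-insensitive matching is an assumption; the FAQ shows upper case only.
_CME_RE = re.compile(r"^(?:CME-|M-?)([0-9]+)$", re.IGNORECASE)
MAX_N = 999  # identifier space stated in B1; raise it when digits are added


def normalize_cme(token):
    """Return the official 'CME-N' form of token, or None if it is invalid."""
    m = _CME_RE.match(token.strip())
    if not m:
        return None
    n = int(m.group(1))  # int() drops leading zeros: 00123 -> 123
    if not 1 <= n <= MAX_N:
        return None
    return f"CME-{n}"


def group_aliases(records):
    """Map each canonical identifier to the sorted vendor names that cite it."""
    grouped = defaultdict(set)
    rejected = []
    for vendor, vendor_name, cme_field in records:
        cme_id = normalize_cme(cme_field)
        if cme_id is None:
            rejected.append((vendor, vendor_name, cme_field))
        else:
            grouped[cme_id].add(f"{vendor}: {vendor_name}")
    return {k: sorted(v) for k, v in grouped.items()}, rejected


# Constructed sample data: vendor names and detection names are invented.
SAMPLE = [
    ("VendorA", "W32/Example.A@mm", "CME-123"),
    ("VendorB", "Worm.Example.gen", "M123"),
    ("VendorC", "Example-Worm!A", "m-00123"),
    ("VendorD", "Trojan.Other.B", "CME-45"),
    ("VendorE", "Win32.Bogus", "CME-0"),      # below the valid range
    ("VendorF", "Win32.Bogus2", "CME-1000"),  # above the current range
]

if __name__ == "__main__":
    grouped, rejected = group_aliases(SAMPLE)
    for cme_id, names in sorted(grouped.items()):
        print(cme_id, names)
    print("rejected:", rejected)
```
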

B2. How does a threat become a CME identifier? Is there a formal process in place?

See The CME Process: Scope, Identifiers, and Guidelines for Deconfliction for a complete discussion of how a threat becomes a CME identifier.

B3. Are there any anti-virus products or services that use CME identifiers?

Yes, a number of organizations have begun using CME identifiers. See Products and Services Including CME Identifiers for the most recent list.

B4. I discovered a potential threat, how do I get it added to the CME List?

At this time, CME identifiers are only assigned via those organizations authorized by the CME Editorial Board and MITRE to request a CME identifier from the CME Submission Server. See the CME Sample Redistribution Group page for additional information.

B5. I have a virus on my computer, can CME help me?

Not directly. CME identifiers will let you know if your anti-virus products are referring to the same issue during, and after, an outbreak or infection. You must obtain all anti-virus updates, and any remediation information and instructions, from your anti-virus and information security vendors in order to address any problems with your system. Users should always keep their anti-virus signatures up-to-date.

B6. Can I include CME identifiers and information in my product/alert/Web site/etc.?

Yes. CME information is free to use.


C. CME Editorial Board / CME Sample Redistribution Group

C1. Who is the CME Editorial Board?

The CME Editorial Board includes members from the international anti-virus community, including product vendors, testing organizations, and government. The Board approves which threats are assigned CME identifiers for publication on the CME Web site and oversees all content updates on the CME List. Many Board members also act as CME Sample Redistribution Group members, discovering and submitting possible threats for inclusion on the list. Other anti-virus and information security experts will be invited to participate on the Board on an as-needed basis based upon recommendations from Board members.

The MITRE Corporation created the CME Editorial Board, moderates Board discussions, and provides guidance throughout the process to ensure that CME serves the public interest.

C2. What is the "CME Sample Redistribution Group"?

Members of the CME Sample Redistribution Group are those organizations authorized by the CME Editorial Board and MITRE to request a CME identifier from MITRE's CME Submission Server. Sample Redistribution Group members discover the potential problem and, after determining that the issue is a high-visibility outbreak threat significant enough that all anti-virus vendors should offer an immediate defense against it, submit a sample of the code they have identified as malware, along with as much supporting information as possible, to the secure CME Submission Server. Refer to the CME Sample Redistribution Group page for a list of the organizations currently participating.


D. Project Oversight

D1. What is the relationship between CME and MITRE?

MITRE created the CME Editorial Board, maintains CME with assistance from the Board, and provides neutral guidance throughout the process to ensure that CME serves the public interest.
