From d723d7908afae595faab55bf3fca0ca3f10d6a63 Mon Sep 17 00:00:00 2001 From: Emily Ratliff Date: Tue, 20 Aug 2024 15:28:45 -0500 Subject: [PATCH 1/2] updated Malware Analysis vocabulary definitions suggested by Sean Carroll --- spec/drafts/v2.1.1/stix-v2.1.1.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/spec/drafts/v2.1.1/stix-v2.1.1.adoc b/spec/drafts/v2.1.1/stix-v2.1.1.adoc index 183dadd..1fc3840 100644 --- a/spec/drafts/v2.1.1/stix-v2.1.1.adoc +++ b/spec/drafts/v2.1.1/stix-v2.1.1.adoc 
@@ -10993,10 +10993,10 @@ This is a non-exhaustive, open vocabulary that captures common types of scanner |=== |[stixtr]*Vocabulary Value* |[stixtr]*Description* -|[stixliteral]#malicious# |The tool reported the malware binary as malicious. -|[stixliteral]#suspicious# |The tool reported the malware binary as suspicious but not definitively malicious. -|[stixliteral]#benign# |The tool reported the malware binary as benign. -|[stixliteral]#unknown# |The tool was unable to determine whether the malware binary is malicious. +|[stixliteral]#malicious# |The tool or human analysis determined that the sample is designed to operate, execute or take place in a manner that is not expected by legitimate users, or performs one or more actions generally deemed harmful to a system, or the legitimate users of a system. These can take the form of executables, source code, scripts or any other software or commands. +|[stixliteral]#suspicious# |The tool or human analysis determined that the sample does not operate as expected or is is usually present in conjunction with a malicious file. But does not itself demonstrate malicious behaviors. Examples may includes files not expected to be present or that support applications that have not been installed, files with an incorrect attribute (locations, version, size), or is accessed or loaded with unusual frequency or at unusual times. Other examples include files dropped or created when malware runs. +|[stixliteral]#benign# |The tool or human analysis determined that the sample has been confirmed to not demonstrate malicious behaviors and is not in and of itself associated with malware or malicious activity. +|[stixliteral]#unknown# |The tool or human analysis was unable to determine whether the malware binary is malicious. |=== === Malware Capabilities Vocabulary From 23c75f773774cb862ba7ab07e10615ae5e39eaba Mon Sep 17 00:00:00 2001 
From: Emily Ratliff Date: Tue, 20 Aug 2024 15:35:06 -0500 Subject: [PATCH 2/2] light edits for grammar --- spec/drafts/v2.1.1/stix-v2.1.1.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/drafts/v2.1.1/stix-v2.1.1.adoc b/spec/drafts/v2.1.1/stix-v2.1.1.adoc index 1fc3840..c1bb82c 100644 --- a/spec/drafts/v2.1.1/stix-v2.1.1.adoc +++ b/spec/drafts/v2.1.1/stix-v2.1.1.adoc 
@@ -10994,7 +10994,7 @@ This is a non-exhaustive, open vocabulary that captures common types of scanner |[stixtr]*Vocabulary Value* |[stixtr]*Description* |[stixliteral]#malicious# |The tool or human analysis determined that the sample is designed to operate, execute or take place in a manner that is not expected by legitimate users, or performs one or more actions generally deemed harmful to a system, or the legitimate users of a system. These can take the form of executables, source code, scripts or any other software or commands. -|[stixliteral]#suspicious# |The tool or human analysis determined that the sample does not operate as expected or is is usually present in conjunction with a malicious file. But does not itself demonstrate malicious behaviors. Examples may includes files not expected to be present or that support applications that have not been installed, files with an incorrect attribute (locations, version, size), or is accessed or loaded with unusual frequency or at unusual times. Other examples include files dropped or created when malware runs. +|[stixliteral]#suspicious# |The tool or human analysis determined that the sample does not operate as expected or is is usually present in conjunction with a malicious file. But does not itself demonstrate malicious behaviors. Examples may include files not expected to be present or that support applications that have not been installed, files with an incorrect attribute (location, version, size), or which are accessed or loaded with unusual frequency or at unusual times. Other examples include files dropped or created when malware runs. |[stixliteral]#benign# |The tool or human analysis determined that the sample has been confirmed to not demonstrate malicious behaviors and is not in and of itself associated with malware or malicious activity. |[stixliteral]#unknown# |The tool or human analysis was unable to determine whether the malware binary is malicious. |===
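Review bot: In the first hunk (PATCH 1/2), the `unknown` entry still reads "whether the malware binary is malicious" while the other three new definitions switch to "the sample"; since the `benign` and `suspicious` entries are explicitly written so that a sample need not be malware at all, suggest "The tool or human analysis was unable to determine whether the sample is malicious." In the same hunk, the `malicious` entry's second sentence "These can take the form of executables, source code, scripts or any other software or commands." has no plural antecedent (the subject is "the sample"); suggest "Such samples can take the form of ..." or fold it into the first sentence. The `benign` entry stacks "determined that the sample has been confirmed to not demonstrate", which says the same thing twice; "determined that the sample does not demonstrate malicious behaviors and is not ..." is enough.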
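Review bot: The grammar pass in the second hunk (PATCH 2/2) fixes "includes" and "locations" but leaves two problems in the `suspicious` definition: the doubled "or is is usually present", and the fragment "But does not itself demonstrate malicious behaviors." that should be joined to the preceding sentence. Suggest: "...does not operate as expected or is usually present in conjunction with a malicious file, but does not itself demonstrate malicious behaviors." The list that follows also loses parallelism at "or which are accessed or loaded", since the earlier items are noun phrases ("files not expected to be present", "files with an incorrect attribute"); "or files accessed or loaded with unusual frequency or at unusual times" keeps the three items in the same form.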