McAfee Threat Glossary

Definitions for common terms and phrases related to security threats, vulnerabilities, and technology.


admin, administrator
An account on a computer that grants the user privileges to install software, delete files, and manage user accounts. If an administrator is logged into a system when it becomes infected, the virus can affect the same functions that the administrator can control, such as installing new applications, deleting files, and modifying data.

Software that generates revenue by displaying advertisements targeted at the user. Adware earns revenue from either the vendor or the vendor’s partners. Certain types of adware have the capability to capture or transmit personal information.

A message announcing a virus, intrusion detection, or other computer activity. The message can be sent automatically by a predefined configuration to system administrators and users via email, pager, or phone.

Alert Manager
A McAfee utility that configures alerts for various notification methods, such as a pager message or email. Alert Manager allows you to select specific events, such as virus detection, to trigger alert messages.

This term represents an assumed or alternate name for a virus or Trojan. Some viruses are given multiple names because no central organization exists that is tasked with naming computer viruses.

A type of application that defends enterprises from the threats spam poses (viruses, phishing, directory harvest or DHA, denial-of-service attacks, and intrusions) and reduces unwanted network traffic that consumes bandwidth, storage, and email server processing capacity.

anti-virus policy
Includes a document that outlines an organization’s anti-virus policies. It lists products, configuration settings, update schedule, and anti-virus enforcement policies. The organization should review this policy document at least every six months to compare the company’s security posture with the current threat landscape.

anti-virus software
An application that scans a computer’s memory and disk drives for viruses. If it finds a virus, the application informs the user and may clean, delete, or quarantine any files, directories, or disks affected by the malicious code.

Refers to software that you can install on a computer. An application can be a complex combination of executable files (EXEs), DLLs, data files, registry settings, and install/uninstall files.

See also potentially unwanted program (PUP).

An attempted system security breach that may be active (altering or destroying data) or passive (intercepting or reading data without changing it). Successful attacks range in severity from viewing of sensitive data to disabling computer systems.

See also DoS and DDoS.

The program that automatically updates McAfee software with the latest detection definition (.DAT) files and scan engine. It upgrades all supported versions of McAfee VirusScan.


A feature of a program that gives an attacker access to and remote control of another computer. Programmers build this feature into applications so they can fix bugs. However, if hackers learn about backdoor access, it may pose a security risk. Backdoors, also known as trapdoors, are commonly utilized by Trojans, which can be detected by most anti-virus products and Network Intrusion Prevention Systems (NIPSs).

background scanning
A type of on-access scanning (made possible within Microsoft Exchange by Microsoft VS API2) that does not scan all files on access, reducing the scanner’s workload when it is busy. It scans databases where it was enabled, such as Mailbox store and Public Folder store. In addition, it automatically scans files and documents as they are created, opened, closed, or executed.

The maximum amount of information that can be transmitted over a channel (wired, wireless). For digital devices, bandwidth is measured in bits per second (bps). For analog devices, bandwidth is measured in Hertz (Hz).

Information that is displayed when a user connects to a remote system.

banner ad
This type of advertisement usually resides at the top of a web page.

batch file (.bat)
A specific script file format (.bat) containing one MS-DOS command on each line of the file. When run, each line executes in sequential order. Batch files run on Microsoft-compatible operating systems, such as DOS, OS/2, and Windows.

The standard measure of data speed or data transmission is bits per second (bps). It is calculated by how many bits of data are transmitted or received over a one-second period.

This process includes sharing data between wireless infrared-capable, handheld devices. Information transferred through this method automatically stores in the proper application on the receiver’s handheld device.

bimodal virus
A type of virus that infects both boot records and files and is also known as a bipartite virus.

The list of email addresses from which you do not want to receive messages because you believe they will be spam or unsolicited email.

blended threat
This threat includes a virus or worm using multiple infection techniques. This can include exploiting program vulnerabilities, Trojan behavior, infecting files, Internet propagation routines, network-share propagation routines, and spreading with no human intervention.

blocked host
A specific host from which a firewall allows you to block communication. The firewall attempts to trace the source of the packets you receive from the blocked host.

boot disk
A disk that contains special, hidden startup files and other programs to run a computer, usually specific to the operating system and version. Several types of boot disks are available to an average user, including a standard floppy boot disk, an emergency boot disk, and a bootable CD. Since most anti-virus programs work best when they can gain complete access to the hard drive, it is important to use a boot disk when disinfecting a computer. In some cases, failure to use a boot disk prevents your anti-virus programs from detecting and removing certain viruses from the computer.

See also CleanBoot disk.

boot records
Areas on diskettes or hard disks that contain some of the first instructions executed by a PC as it boots. Boot records load and execute to load the operating system. Once boot records are infected by a virus, the records will be changed to include a copy of the virus. When the PC boots, the virus program runs and typically installs itself in memory before loading the operating system.

boot sector infector (BSI)
A virus that infects the original boot sector on a floppy disk or hard disk. These viruses are particularly serious because information in the boot sector is loaded into memory first, before executing virus protection code. A “strict” boot sector infector affects only the boot sector, regardless of whether the target is a hard disk or a floppy disk. Some viruses always attack the first physical sector of the disk, regardless of the disk type.

This program automatically searches for information and performs repetitive tasks. A bot can also generate generic traffic over the network. While bots are not always malicious, the most common are Internet relay chat (IRC) bots that can install malware or potentially unwanted programs, distribute compromised machine lists, and organize zombies for distributed denial of service (DDoS) attacks.

A collection of zombie PCs. Botnet is short for robot network. A botnet can consist of tens or even hundreds of thousands of zombie computers. A single PC in a botnet can automatically send thousands of spam messages per day. The most common spam messages come from zombie computers.

bits per second (bps)
Bits per second is a measure of the speed of a connection, normally used for modems or when downloading files from the Internet.

Bytes per second(Bps)
The capital letter “B” in Bps indicates that this is a measure of 8 bits at a time, not to be confused with bits per second (bps).

broadcast address
A standard TCP/IP address that transmits a message to all machines within a local subnet.

browser helper object (BHO)
A type of .DLL file that Internet Explorer allows to alter its behavior. This can include adding new toolbars and menu items, viewing incoming and outgoing traffic, and modifying HTML data before it renders.

browser hijackers
Programs that replace the browser home page, search page, search results, error message pages, or other browser content with unexpected or unwanted content.

brute-force attack
A hacking method used to find passwords or encryption keys by trying every possible combination of characters until the correct one is found.

buffer overflow condition
A condition in an operating system or application that sends more data input than the operating system or application can handle. Supplying overly long data results in a buffer overflow and corrupts memory.

buffer overflow attack, buffer overflow exploit
A method of overfilling a software buffer insert and executing the attacker’s code. In a remote buffer overflow attack, the aim is to transfer the attacker’s code to the attacked machine and subsequently run this code. In a local buffer overflow attack, the aim is elevating the attacker’s privileges.

An unintentional fault in a software program that can have unwanted side effects. Examples include various web browser security issues and software problems.


camping out
A hacking technique of breaking into a system and finding an undetected place from which to monitor the system, store information, or re-enter the system at a later time.

The two competing recording formats for CDs. CD-R stands for read only.CD-RW stands for read/write. Once the disks are created, however, both can play back on a normal CD player.

See also DVD+R, DVD-R.

centralized alerting system
A system that distributes alert notifications to multiple network users. McAfee Alert Manager is one example. Anti-virus software (such as McAfee VirusScan) generates alert messages that are saved to a shared folder on a server. Alert Manager sends notifications to users from that folder. When users update the contents of the shared folder, Alert Manager sends new alert notifications using such user-configurable alert methods as email messages to handheld devices. When users receive alerts from the network intrusion prevention system, they can analyze correlation through drill-downs and then generate reports.

See also Alert Manager.

A verification method used to prove identity by many cryptographic systems. Also, many websites use certificates to authenticate that the site is genuine. It contains a user’s name and public key.

certificate authority
The issuance of security certificates through an office, bureau, or service.

certificate authority-signed SSL
This process uses a secure socket layer (SSL) to authenticate and encrypt data through a certificate that is digitally signed by the certificate authority.

clean, cleaning
A scanner’s action after it detects a virus, Trojan, worm, or potentially unwanted program (PUP). The cleaning action can include removing malicious code from a file and restoring the file to usability; removing references to the file from system files, system INI (.ini) files, and the registry; ending the process generated by the file; deleting a macro or a Microsoft Visual Basic script that is infecting a file; deleting a file if it is a Trojan, worm, or belongs to a PUP; or renaming a file that it cannot clean. Clean or cleaning is also known as repair.

CleanBoot disk
Anti-virus software that scans a system and optionally cleans or repairs infected files. It usually comes on a CD and includes its own built-in operating system that loads as soon as the user turns on a computer with the CleanBoot media loaded in the appropriate drive.

cluster virus
A type of virus that modifies directory table entries so the virus can start before any other program. The virus code only exists in one location, but running any program runs the cluster virus as well. Because they modify the directory, cluster viruses may appear to infect every program on a disk. Cluster viruses are also known as file system viruses.

COM file (.com)
Short for command. Executable files that contain instructions for a computer to perform an action, COM (.com) files are for DOS-based systems and tend to run faster than EXE (.exe) programs. Viruses often infect COM files. When the COM file executes, the virus executes as well, often loading it into memory. The Microsoft Windows operating system treats files with a COM extension the same way it treats other executable file types. Some viruses and Trojans use a filename ending in COM (e.g., Typically, these portable executable files are not real COM files.

command-line interface (CLI)
A text-based interface that launches and configures an application from the command line.

command-line scanner
Runs an anti-virus scan from the command prompt.

COM port
The COM port, short for communications or serial port, is a location that sends and receives serial data transmissions. The ports are named COM1, COM2, and COM3.

companion virus
This viral program uses a feature of DOS, allowing software programs with the same name but different extensions to operate with different priorities. It does not attach to other programs.

Converts a high-level program into a machine language program. A compiler program helps accomplish this conversion and discovers syntax errors when a script is being compiled.

compressed file
Reduces file size so it is easier to send and receive electronically. You can view compressed files normally after a computer’s operating system decompresses them. A ZIP file is one example.

See also packed executable.

Cookies are small text files placed on a computer’s hard disk that many websites use to store information about pages visited and other settings, either temporary or persistent. For example, cookies might contain login or registration information, shopping cart information, or user preferences. When a server receives a browser request that includes a cookie, the server can use the information stored in the cookie to customize the website for the user.

Common Vulnerabilities and Exposures (CVE)
This standard reference system identifies vulnerabilities in software, and ensures consistency in naming types of vulnerability. See for more detailed information.

Common Malware Enumeration (CME)
This standard reference system identifies viruses and other malware, and aims to reduce confusion caused when security vendors give different names or aliases for the same threat. See for more detailed information.


daily .DATs
.DAT file updates are released once per day.

This file is part of the McAfee convention for naming viruses and Trojans. This suffix is attached to the end of virus names to indicate that the sample is damaged and will not run. Detection for these non-viable samples is added at McAfee Labs’ discretion, typically only if they appear in large numbers and cause an issue for many customers. If you detect a .dam file, you can safely delete it.

.DAT files
The type of files that are used to determine anti-virus or anti-spyware program code to find malware. .DAT files are also known as detection definition files and signature.

See also incremental .DAT files, daily .DAT files, SUPER.DAT, EXTRA.DAT.

distributed denial of service (DDoS)
A type of denial-of-service (DoS) attack in which more than one traffic generator directs traffic to a targeted URL. Traffic-generating programs are called agents, and the controlling program is the master. DDoS agents receive instruction from a master to carry out an attack, which is designed to disable or shut down the targeted URL.

Defacement occurs when there is a change made to the home page or other key pages of a website by an unauthorized individual or process.

denial of service (DoS)
This attack targets a computer, server, or network and is either an intentional or accidental byproduct of instruction code that is either launched from a separate network or Internet-connected system, or directly from the host. A DoS attack is designed to disable or shut down the target, and disrupt the system’s ability to respond to legitimate connection requests. A denial-of-service attack overwhelms its target with false connection requests, so the target ignores legitimate requests.

desktop computer
A personal computer or workstation designed to reside on or under a desktop.

desktop firewall
This firewall acts as a filter between a computer and the network or Internet. It can scan all incoming and outgoing traffic sent from a computer at the packet level, and determines whether to block or allow the traffic based on both default and custom rules.

Include software programs that redirect Internet connections to a party other than the user’s default ISP and are designed to run up additional connection charges for a content provider, vendor, or other third party.

Part of the McAfee convention for naming viruses and Trojans. This suffix at the end of a detection name indicates the sample is the downloader component of the named sample.

See also downloader.

A Dynamic Link Library (.dll) file contains a library of functions and other information accessible by a Microsoft Windows program.

DLL injector
This infection method is used by a malware author to hide the author’s presence, particularly from desktop firewalls. The malware author codes the threat to inject an additional DLL into an existing, already-running application, making any requests to access the disk or network appear as if the original application were making the request.

Domain Name System (DNS)
The Internet standard that matches names such as to the IP address that routes packets to an Internet-connected computer.

When you download a file, you receive it from another computer.

downloader (.dldr)
A downloader is software whose main function is to download other files. Often the function is related to malware that downloads other malware and executes it on the victim system.

See also .dldr.

Part of the McAfee convention for naming viruses and Trojans. This suffix is attached to the end of virus names to indicate a “dropper,” a file that installs or drops other malware.

This executable file, when run, drops a virus or Trojan on a computer system. A dropper file intends to create a virus or Trojan and then execute it on the user’s system.

See also .dr.

drive-by download
Installs malware or potentially unwanted programs merely by viewing an email or webpage on an improperly patched system.

The two competing formats for recordable DVDs, distinguished by the “+” and “-” symbols. DVD+ disks are rewriteable, so users can record information on one and record over it at a later date. However, users can only record information once on a DVD- disk. Once the disks are created, both play back on a normal DVD player.


European Institute of Computer Antivirus Research (EICAR)
EICAR is the organization that developed a string of characters used to test anti-virus software installation and operation. See for more information.

A change made to data, code, or a file so it must be processed, or decrypted, before a system can read or access it. Viruses may use encryption to hide their viral code in an attempt to escape detection. Viruses may also encrypt or change code or data on a system as part of their payload. One of the most common forms of encryption is password protection on ZIP (.zip) files.

A computer or device that is the source or recipient of information exchanged with a network. Laptops, desktops, and personal digital assistants are examples of endpoints.

end-user license agreement (EULA)
A legal contract between the producer of a piece of software and its user. The EULA may contain limitations on how the user can use or remove the product, or disclose functionality of the product that may not be readily apparent.

Software used by anti-virus and anti-spyware programs to scan a user’s systems for viruses and other malware using .DAT files.

error reporting utility
A utility that tracks and logs failures in the software on your computer system. You can use this information to help analyze problems.

EXE file (.exe)
An executable file or program that launches a set of operations on a computer. Files with different extensions, like .dll, are often support files for EXE programs. Viruses commonly infect EXE files. After such an infection, the virus runs each time the program runs.

exit code
The code produced by a scan program after it completes a scan. Exit codes identify any viruses or problems found during a scan. You can use exit codes in batch scripted operations to determine what happens next.

To use the defects found in software code or function on a system to elevate privileges, execute code remotely, cause denial of service, or prompt other attacks. A buffer overflow is one example of an exploit.

A supplemental virus definition file created in response to an outbreak of a new virus or new variant of an existing virus.

See also .DAT files, incremental .DAT files, and SUPER.DAT.


A Trojan application designed to produce fake anti-virus or scan alerts intended to trick the user into believing the system is infected with malware. FakeAlert applications (sometimes referred to as “FakeAV” or “Fake Anti-Virus”) may offer to clean the system for a registration fee but usually only take the user’s credit card information without making any changes or fixing the damages they caused.

false alarm, false detection, false positive
Improper malware detection of a clean file. For example, heuristic and generic detection methods can protect users from threats that have not yet been discovered. However, these detection techniques can also lead to false detections.

false negative
A false negative error occurs when anti-virus software fails to indicate that an infected file is infected. False negatives are more serious than false positives, although both are undesirable. False negatives are more common with anti-virus software because the software may miss a new or heavily modified virus.

The File Allocation Table is the area of a disk that stores the list of files. Also, a formatting system for disk drives. Some malware deliberately overwrites the FAT on a disk to destroy data.

The 32-bit File Allocation Table is an extension to the FAT system and caters to large disks and long file names.

file infector, file virus
A virus that attaches or associates itself with a file. File infectors usually append or prepend themselves to regular program files or overwrite program code. File infectors can also be programs that associate themselves with program file names without attaching.

A set of programs installed on a gateway server. The programs are designed to protect the network’s resources from users on other networks. A firewall filters and routes incoming traffic and makes outgoing requests to the Internet, for example, on behalf of local workstations. Firewall software analyzes information passing between networks and external systems, and rejects it if it does not conform to preconfigured rules.

See also desktop firewall.

flooder denial of service (FDoS)
An attack in which the target is besieged with more traffic than it can handle, which usually results in disablement or a complete shutdown. FDoS programs are singular in form; there are no other components of the attack structure.

Spam forwarded by a family member, friend, or colleague. It is rarely appreciated and only serves to waste time and take up space. In a worst-case scenario, fram may contain viruses, spyware, or another form of malware.

Historically used to transfer files between systems, the standard File Transfer Protocol (FTP) control port is TCP Port 21 in IP networking terminology.


Gigabits (billions of bits) per second. This is a standard measure of bandwidth.

generic detection
This technique detects and removes multiple threats using a single virus signature definition, which can identify all threats in the same variant family.

Acronym for General Test Mail for Unsolicited Bulk Email, a test to verify that anti-spam software is operating correctly.


hacker tools
Security utilities that are as adept at helping administrators secure their environment as they are at helping attackers gain entry to it.

Non-spam messages.

See also spam.

handheld device
A small device with wireless capability, such as a pocket PC, personal digital assistant (PDA), or cell phone.

heuristic analysis
A method of scanning that looks for virus-like behavior patterns or activities. Most leading anti-virus packages have a heuristic scanning method to detect new or not-yet-known viruses in the field.

The hex (short for hexadecimal) numerical system has a base of 16. Because there are more than 10 digits, values 10 through 15 are represented by letters A through F, respectively. This system is useful in computers because it maps easily from four bits to one hex digit.

high-risk process
A type of process that is considered to have a higher possibility of being infected or accessing infected files. This includes processes that launch other processes, such as Microsoft Windows Explorer or the command prompt; processes that execute macro or script code, such as WINWORD or CSCRIPT; and processes to download from the Internet, such as browsers, instant messengers, and mail clients.

Host Intrusion Prevention System (HIPS)
A system that defends desktops and servers with combined signature, behavioral, and firewall protections.

See also NIPS and IPS.

A fraudulent email that is sent in chain-letter fashion, describing a devastating, highly unlikely type of virus or any other large, usually negative event. Hoaxes are detectable because they have no file attachment or reference to a third party who can validate the claim, and by the overly dramatic tone of the message.

host, host computer
Any computer that has full two-way access to other computers on the Internet.

host-based security system
This security application functions by being installed on and protecting each node, or host computer, in a network.

See also HIPS.

HotFix releases
Also known as patches, these releases include intermediate distribution of software or upgrades that repair specific issues.

Prefix for PUP detections of applications that are classified as Hacker Tools.

Hypertext Transfer Protocol (HTTP) is used to transfer HTML documents. The standard port used is Port 80 in IP networking terminology, although port 443 is used for secure HTTP. Many companies also use Port 8080


Internet Control Message Protocol (ICMP)
A type of protocol employed by a computer’s operating system to communicate information to the user or to other systems. It is commonly used to send error messages, but also delivers other types of messages.

incremental .DAT files
New virus definitions that supplement the currently installed definitions, available for up to 15 days. Incremental .DAT files allow the update utility to download only the changes to the .DAT files rather than the entire .DAT file set.

See also .DAT files, .EXTRA.DAT file and .SUPER.DAT.

This term refers to the condition of a file after a virus has inserted malicious code into it. Computer systems are infected if a virus or Trojan is installed and running on that system. Static malware, such as viruses and Trojans with entire code that is malicious, is also said to be infected. If a potentially unwanted program is installed on a system, the system is not considered infected, even though there may be other consequences.

infection length
The size, in bytes, of the viral code inserted into a program by the virus. If this is a worm or Trojan, the length represents the size of the file.

INI file
A location for programs to store instructions or settings that load when the user boots an operating system. Virus authors often use the WIN.INI, SYSTEM.INI, and WININIT.INI files.

in-the-cloud detection
This type of detection is derived by querying remote servers using the Internet.

integer overflow
A condition in an operating system or application that allows data input that will manipulate an integer value in the application to corrupt memory.

See also buffer overflow condition.

Internet protocol (IP) address
Identifies a workstation on a TCP/IP network and specifies routing information. Each workstation on a network has a unique IP address, which consists of the network ID plus a unique host ID assigned by the network administrator. This address is usually represented in dot or decimal notation, with the decimal values separated by a period (for example, as in IPv4).

Internet relay chat (IRC)
A multiuser chat system where people meet on channels, such as virtual rooms with a certain topic of conversation, to talk in groups or privately. IRC enables participants to distribute executable content. Many worms and Trojans utilize IRC as a communications channel to return data to the original malware author, who can then instruct the worm or virus to cause a DDoS or infect other machines.

in the wild
The state of a virus when two independent researchers identify it in circulation within a one-year period. Approximately 450 viruses exist in the wild at any given time.

Intrusion prevention system (IPS)
A preemptive approach to host and network security used to identify and quickly respond to potential threats. An IPS monitors individual host and network traffic. An attacker might carry out an attack immediately after gaining access, so an IPS can take immediate action as preset by the network administrator.

See also HIPS and NIPS.


jokes, joke programs
Software that claims to harm a computer, but has no malicious payload or use. It does not impact security or privacy, but may alarm or annoy a user.


Kilobits per second (thousands of bits per second). This is a common measure of bandwidth.

Prefix for PUP detections of applications that are classified as key logging technologies. Some Keylog detections may also be classified as Trojans.

This software intercepts data between the user entering it and the intended recipient application. Trojan and PUP keyloggers may be functionally identical. McAfee software detects both types of keyloggers to prevent privacy intrusions.

See also Keylog and Spyware.


Layered service providers (LSPs)
DLLs that use Winsock APIs to insert themselves into the TCP/IP stack. Once in the stack, LSPs can intercept and modify inbound and outbound Internet traffic.

log file
An activity record of anti-virus software. Log files record actions during installation, scanning, and updating.

logic bomb
Also known as time bomb, a program that allows a Trojan to lie dormant and then attack when the conditions are just right. Triggers for logic bombs include a change in a file, a particular series of keystrokes, or a specific time or date.

low-risk process
A type of process that is considered to have a lower possibility of being infected or accessing infected files. Examples include backing up software or code compiler and linker processes.


A set of keystrokes and instructions that are recorded, saved, and assigned to a shortcut key. When the key code is typed, the recorded keystrokes and instructions execute. Macros can simplify otherwise tedious day-to-day operations but as with any programming language, these can be used maliciously.

macro virus
A program or code segment written in the application’s internal macro language. Some macro viruses replicate or spread; others simply modify documents or other files on the user’s machine without spreading, such as Trojans.

malicious code
A piece of code designed to damage a system and the data it contains, or to prevent the system from being used in its normal manner.

A malicious software program, including viruses, spyware, and Trojans. PUPs are not considered malware.

master boot record (MBR)
Also known as the partition table, the 340-byte program located in the master boot sector. This program reads the partition table, determines what partition to boot, and transfers control to the program stored in the first sector of that partition. There is only one master boot record on each physical hard disk.

master boot sector virus
A virus that infects the system’s master boot record on hard drives and the boot sector on floppy disks. This type of virus takes control of the system at a low level by activating between the system hardware and the operating system. A master boot sector virus loads into memory during boot up, before virus-detection code executes.

McAfee Labs
McAfee’s global security research centers. McAfee Labs delivers the core technologies and threat intelligence that power McAfee’s suite of endpoint, web, email, and network security products. McAfee Labs is staffed with more than 350 experts in 30 countries who support customers and users by discovering and addressing breaking threats and vulnerabilities.

Millions of bits per second (Mbps) is a measure of bandwidth on mediums such as telephone lines, cable lines, or optical fibers.

Short for Message Digest 5. A computer algorithm that calculates a unique number, called a hash value, when it receives a string of data, as in a text or EXE file. When compared to the original file, a hash value shows if the file has been changed.

All removable tapes, disks, CDs, and DVDs that store code and data for use on a PC.

memory resident
A program that stays in the active RAM of a computer while other programs (such as accessory software, activity monitoring, and resident scanning software) run. An activity monitor can check for memory-resident functions. Viruses often attempt to “go resident.”

mobile code
Code or software that is transferred from a host to a client or to another host to be executed at the destination. A worm is one example of malicious mobile code.

multipartite virus
A type of virus that uses a combination of techniques, including infecting documents, executables, and boot sectors, to infect computers. Most multipartite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, multipartite viruses may infect the entire system. Removing multipartite viruses requires cleaning both the boot sectors and any infected files. Before you attempt the repair, you must have a clean, write-protected rescue disk.

mutating virus
Also known as polymorphic virus, a type of virus that changes, or mutates, as it progresses through its host files, making disinfection more difficult.


namespace providers (NSPs)
DLLs that utilize Winsock APIs to insert themselves into the TCP/IP stack. Namespace providers redirect traffic from one site to an intermediary site.

network aware
The state of a virus or worm when one of its propagation methods is to search the network for open shares.

Network intrusion prevention system, network IPS, NIPS
Software or a device that monitors network traffic and prevents attacks on a network or system. McAfee Network Security Platform (formerly McAfee IntruShield) is one example.

See also HIPS and IPS.

New technology file system is the default formatting system for disk drives used by Windows NT, Windows 2000, Windows XP, and Windows 2003. Microsoft has updated the NTFS specification to handle larger hard disks and spanned drive support.


on-access scanning
Examining files every time they are opened, copied, or saved to determine whether they contain a virus or other potentially unwanted code.

on-demand scanning
A scheduled examination of selected files to find a virus or other potentially unwanted code. Scans can take place immediately upon user request, at a scheduled future time, or at regularly scheduled intervals.

operating system (OS)
The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform such basic tasks as recognizing keyboard input, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices, such as disk drives and printers. Examples of operating systems include DOS, Windows, Sun/OS, UNIX, Linux, FreeBSD, PalmOS, and MacOS.

OS identification
A series of algorithms to determine a remote host’s operating system, architecture, platform, or device type. This process may involve TCP/IP stack fingerprinting and application-layer protocol tests.

See also vulnerability assessment.

overwriting virus
A virus that overwrites files with its own viral code, destroying the original. There is no way to recover the data from such an infection except to retrieve the files from backups.


packed executable, packer
Executable files can be compressed with a packer that shrinks and possibly encrypts the original code. The packed executable decompresses and/or decrypts itself in memory while it is running, so the file on disk is never similar to the memory image of the file. Packers are designed to prevent reverse engineering and supply some level of copy protection, although they can also be used to avoid security software.

parasitic infector
A virus that modifies existing files on a disk, injecting its code into the file where it resides. When the user runs the infected file, the virus runs, too.

See also file infector.

password cracker
Software designed to enable a user or administrator to recover lost or forgotten passwords from accounts or data files. In the hands of an attacker, these tools offer access to confidential information and are a security and privacy threat.

password stealer
Also known as PWS, a type of Trojan used specifically to steal a user’s password.

Patch Tuesday
The second Tuesday of each month, when Microsoft releases security patches.

patch releases (previously HotFix release)
Intermediate distribution of a product that addresses specific issues.

The “cargo” code in a virus rather than the portions used to avoid detection or replicate. The payload code can display text or graphics on the screen, or it may corrupt or erase data. Not all viruses contain a deliberate payload. However, these codes affect CPU usage, hard disk space, and the time it takes to clean viruses. Payload can also refer to the data or packets sent during an attack.

See also shellcode.

Personal digital assistant (PDA) is a handheld device that combines computing, telephone, fax, Internet, and networking features.

Personally Identifiable Information (PII)
Any information that, by itself or when combined with other information, can identify an individual.

A method of redirecting Internet traffic to a fake website through domain spoofing. This involves creating a fake DNS record for a real website, typically that of a bank or other commercial enterprise. The fake DNS redirects traffic from the real website to the fraudulent site, with the intention of gathering a customer’s personal data, including username, password, and account information. For example, when a user types the URL of a bank into a browser, the browser performs a DNS lookup to determine the IP address of the bank’s website. DNS servers store a list of domains and their corresponding IP addresses. Hackers insert false information on the DNS server so browsers looking up bank’s IP address are redirected to the fake IP address. On the user’s browser, the site appears legitimate.

A method of fraudulently obtaining personal information, such as passwords, Social Security numbers, and credit card details by sending spoofed emails that look like they are sent from trusted sources, such as banks or legitimate companies. Typically, phishing emails request that recipients click on the link in the email to verify or update contact details or credit card information. Like spam, phishing emails are sent to a large number of email addresses, with the expectation that someone will act on the information in the email and disclose their personal information.

A basic Internet program that verifies that a particular Internet address exists and can accept requests. “Ping” is also the act of using the ping utility or command. You can ping diagnostically to make sure a host computer that you are trying to reach is actually online. “Ping” is also a colloquial term for contacting a person quickly via IM, text message, or email.

ping attack
The method of overwhelming a network with ping commands.

ping of death
A hacking technique used to cause a denial-of-service attack by sending a large ICMP packet to a target. As the target tries to reassemble the packet, the packet size overflows the buffer and can cause the target to reboot or freeze.

See also buffer overflow attack.

polymorphic virus
Also know as mutating or self-encrypting virus, a virus that can change its byte pattern when it replicates, avoiding detection by simple string-scanning techniques. Some polymorphic viruses use different encryption schemes and require different decryption routines. Thus, the same virus may look completely different on each system or even within separate files. Other polymorphic viruses vary instruction sequences and use false commands in an attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation engine and random-number generators to change the virus code and its decryption routine.

A hardware location for passing data in and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, as well as external ports (such as USB ports) for connecting modems, printers, mice, and other peripherals. In TCP/IP and UDP networks, a port is also an endpoint to a logical connection. Port numbers identify types of ports. For example, both TCP and UDP use port 80 to transport HTTP data. A threat might attempt to enter using a particular TCP/IP port.

portable executable (PE)
A common file format utilized on Microsoft NT-based platforms.

port scanning
A hacking technique used to check TCP/IP ports to reveal which services are available for exploitation, and to determine the operating system of a particular computer.

potentially unwanted program (PUP)
Often legitimate software (non-malware) that may alter the security state or the privacy posture of the system on which they are installed. This software can, but not necessarily, include spyware, adware, keyloggers, password crackers, hacker tools, and dialer applications and could be downloaded in conjunction with a program that the user wants. Security-minded users may want to know about such programs and, in some cases, have them removed.

Pretty Good Privacy (PGP)
A strong-type program that for encrypting data files and/or email messages on computers. PGP includes authentication to verify the sender of a message and non-repudiation to prevent the sender from denying they sent the message.

A set of rules enabling computers or devices to exchange data with one another with as few errors as possible. These rules govern issues such as error checking and data compression.

proxy, proxies
Tools that redirect information bound to an IP address, domain name, or all Internet traffic to a third party.

proxy server
By caching content, a proxy server acts as a go-between for clients and resources to improve security and speed up performance. For example, a client may connect to the proxy server, requesting a service (such as a file, connection, web page, or other resource) available from a different server. The proxy server evaluates the request according to its filtering rules. It may filter traffic by IP address or protocol. If the filter validates the request, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client.

Also known as password stealer, a type of Trojan used specifically to steal a user’s password.


The isolation of files that are suspected of containing a virus, spam, suspicious content, or PUPs. Quarantined files cannot be opened or executed.

quarantine folder
Includes the location on a computer system that stores email messages or files, containing viruses or other suspicious code. The system administrator reviews the messages or files to determine how to respond.


Malicious software created by a hacker that encrypts the hard drive of the PC it infects. The hacker then extorts money from the PC’s owner in exchange for decryption software to make the PC’s data usable again.

Prefix denoting the malware signature was authored by McAfee Automation system.

recursive scan
The process of scanning everything in a folder, including subfolders.

A database used to store instructions and other information. The registry is broken down into keys, for which values are set. An alternative to using an INI file in many cases, this Microsoft Windows component is often used by virus authors as well as legitimate Windows programmers.

Prefix for Potentially Unwanted Program detection of applications that are classified as remote admin tools.

See also remote admin tool.

remote admin tool (RAT)
Software designed to give an administrator remote control of a system. Remote administration tools can be a significant security threat when controlled by a party other than the legitimate owner or administrator.

reputation filtering
A type of filtering that scores Internet senders based on global messaging and communications behavior to block transmission of content to or from risky sources and sites.

resident virus
This type of virus loads into memory and remains inactive until a trigger event. When the event occurs, the virus activates, either infecting a file or disk, or causing other consequences. All boot viruses are resident viruses.

risk assessment
This evaluation calculates the likelihood and impact of a successful attack on an organization’s data and assets. McAfee Labs estimates risk for vulnerabilities and threats based on the expected effect on the Internet community. For additional Information, see McAfee Labs Threat and Vulnerability Risk Assessment Program.


scan, scanning
A scan will examine files to find viruses and other potentially unwanted code.

See also on-access scanning and on-demand scanning.

A type of program containing instructions that a host application interprets and executes. Script instructions are usually expressed using the application’s rules and syntax combined with simple control structures. Examples are JavaScript and VBScript, which some web browsers can execute.

security posture
A company’s approach to all of its security issues. The security posture should include both technical and nontechnical elements (such as policies, procedures, and controls) that address internal and external threats.

self-encrypting virus
Also known as an encrypted virus, a type of virus that attempts to conceal itself from anti-virus programs, most of which try to find viruses by looking for certain patterns of code (known as virus signatures) that are unique to each virus. To avoid detection, self-encrypting viruses encrypt these text strings differently with each infection.

self-extracting file
A type of compressed file capable of extract itself when run. Most large files transferred across the Internet are compressed to save disk space and reduce transfer times. A self-extracting program can extract a virus or Trojan.

Machine code (often written in assembly language) used as the payload to exploit a software bug. This method enables the hacker to communicate with the computer through the operating system command line.

See also exploit.

shell script
A specific type of script file in UNIX environment shells. Common variants include scripts for BASH and CShell, which are much like DOS batch files.

A search pattern — often a simple string of characters or bytes — expected to be found in every instance of a particular virus. Usually, different viruses have different signatures. Anti-virus scanners use signatures to locate specific viruses.

signature files
Data files containing detection and/or remediation code that scanning products (such as McAfee VirusScan) use to identify malicious code.

See also .DAT files.

silent installation
Installing a software package onto a computer without the need for user intervention.

Smurf attack
A denial-of-service attack that floods its targets with replies to ICMP echo or ping requests. A Smurf attack, named after its exploit program, pings Internet broadcast addresses which then forward the requests to as many as 255 hosts on a subnet. The return address of the ping request is actually the address of the attack target. All hosts receiving the ping requests reply to the attack target, flooding it with replies.

SNMP trap
A method of asynchronous event notification supported by the Simple Network Management Protocol (SNMP).

An unwanted electronic message, most commonly unsolicited bulk email. Typically, spam is sent to multiple recipients who did not ask to receive it. Types include email spam, instant messaging spam, Usenet newsgroup spam, web search-engine spam, spam in blogs, and mobile phone-messaging spam. Spam includes legitimate advertisements, misleading advertisements, and phishing messages designed to trick recipients into giving up personal and financial information. Email messages are not considered spam if a user has signed up to receive them.

Spam messages sent by an individual, organization, or system.

sparse infector virus
Also known as a sparse virus, a type of virus that only infects files when certain conditions are met. Examples include viruses that infect files only on their 10th execution or viruses that target files with a maximum size of 128 KB. These viruses use the conditions to infect less often and therefore avoid detection.

spear phishing
The act of sending an email that appears to come from a legitimate source, such as a bank, a company’s internal IT department, an internal employee, or a business partner. While phishing uses mass email, spear phishing targets a very small number of recipients. The email sender information may be spoofed so the email appears to originate from a trusted source. Messages typically request username and password details, provide a link to a website where visitors can enter personal information, or have an attachment containing a virus, Trojan, or spyware.

A type of spam specific to instant messaging. The messages can be simple unsolicited ads or fraudulent phishing mail.

A type of spam conveyed via VoIP.

A term for spammers who create a large number of blogs with links to a spam site. Because the links are included in a large number of blogs, they have high search-engine rankings. Splogs are created to attract people to spam sites, primarily via Google.

Forging an email or IP address to hide one’s location and identity. A spoofed website is one that mimics a real company’s site — mainly financial services sites — to steal private information (passwords, account numbers) from people who are tricked into visiting it.

A type of software that transmits personal information to a third party without the user’s knowledge or consent. Spyware seeks to exploit infected computers for commercial gain. It can deliver unsolicited pop-up advertisements, steal personal information (including financial information such as credit card numbers), monitor web-browsing activity for marketing purposes, and route HTTP requests to advertising sites.

See also PUPs.

stealth virus
Also know as interrupt interceptor, a type of virus that attempts to avoid detection from anti-virus software. Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a “clean” image of the requested item. Other viruses hide the actual size of an infected file and display the size of the file before infection. Stealth viruses must be running to exhibit their stealth qualities.

A string is a consecutive series of letters, numbers, and other characters. Examples include “afsH(*&@~” and “The Mad Hatter.” Anti-virus applications often use specific strings, called virus signatures, to detect viruses.

A group of computers and devices that share the same IP address prefix. As its name suggests, a subnet (short for subnetwork) is a section of the network.

A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the scanning engine. It automatically shuts down any active scans, services, or other memory-resident components that could interfere with the upgrade, then copies new files to their proper locations so the software can use them immediately.

See also .DAT files, EXTRA.DAT file, and incremental DAT files.

supplemental virus definition file
See EXTRA.DAT file.

SYN flood
A hacking technique used to cause a denial of service, where the attackers send a large number of TCP SYN packets to the target with spoofed-source IP addresses. This results in many half-open TCP connections on the target, thus tying up the TCP state resources. SYN is short for synchronized, which designates the first packet that is sent across a TCP network.

system hang
A complete failure of the operating system. When a program fails, it usually has an opportunity to display an error or diagnostic message. If the entire system fails, no such message appears and keystrokes and mouse clicks are ignored. In the worst cases, the system cannot restart without the computer being rebooted.


terminate-and-stay resident (TSR)
Also known as a memory resident program, a program that remains active in memory while other programs run on the system. TSRs allow the user to quickly switch between programs in a non-multitasking environment. Examples of TSRs are VShield, a DOS-based mouse, and a CD-ROM driver. Some viruses are TSRs that stay in memory to infect other files and programs.

An event programmed by a malware author that activates a threat, such as a date, the number of days since an infection occurred, or a sequence of keystrokes. When the trigger event occurs, it activates the virus, which then activates its payload.

Trojan, Trojan horse
A malicious program that pretends to be a benign application. It does not replicate but causes damage or compromises the security of your computer. Typically, an individual emails a Trojan horse to you; it does not email itself. You can also download a Trojan from a website or via peer-to-peer networking. Trojans are not considered viruses because they do not replicate.

An evasion technique that allows a virus to avoid standard interfaces so it can infect files and go unnoticed by a behavior blocker. Tunneling viruses try to intercept the actions before the anti-virus software can detect the malicious code. One technique used by attackers is tunneling malicious communications through the standard port of another application (e.g., port 80 for HTTP) to avoid firewalls.


Universal Serial Bus (USB)
An industry-standard connector on almost all modern computers. This connects multiple devices, ranging from keyboards and mice to webcams, scanners, and printers. Versions USB1 and USB2 differ in performance, but use identical physical connectors.

Uploading a file is the process of sending a file to another computer.

unified threat management (UTM) appliance
A network security appliance that can run multiple security functions on a single device at the same time. A UTM appliance must be able to perform network firewalling, network intrusion detection and prevention, and gateway anti-virus detection. It may also host other security and networking features.

unknown threat
A new or newly varied threat for which a signature or mitigation is not yet available. Behavioral detection attempts to identify these threats based on patterns of suspicious activity.

UTC time, Coordinated Universal Time
Previously known as Greenwich Mean Time, UTC is an international, atomic time standard adopted as a means of civil timekeeping. UTC is based on International Atomic Time (TAI), but differs by the addition of leap seconds, which are added to make up for the slowing rotation of the earth.


variant, variants
A modified version of an existing virus. A variant is usually deliberately produced by the virus author or another person amending the virus code. If changes to the original are small, most anti-virus products will also detect variants. However, if the changes are large, the variant may go undetected by anti-virus software. McAfee identifies variants by a letter-based extension after the virus family name (e.g., W32/Virus.a, W32/Virus.b). When more than 26 variants of a virus are identified in a single family, a two-letter extension is used (e.g., W32/Virus.aa, W32/Virus.ab).

A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files, so when the infected file executes, the virus also executes. Other viruses sit in a computer’s memory and infect files as the computer opens, modifies, or creates files. Some viruses display symptoms, others damage files and computer systems, but neither is essential in the definition of a virus; a non-damaging virus is still a virus.

virus definition (.DAT) files
See .DAT files.

virus-scanning engine
The mechanism that drives the anti-virus scanning process.

Visual Basic Scripting (VBS)
A new method of spreading viruses by using Visual Basic Scripting. It is a problem for users with either Microsoft Internet Explorer 5 or higher, or Microsoft Outlook 98 or higher.

An exploitable defect in a software application or operating system that allows hackers to crash systems, access information on systems, or use systems for their own purposes.

vulnerability assessment (VA)
The process of analyzing the risk associated with vulnerability scan results.

See also vulnerability management (VM) and vulnerability scan, vulnerability scanning.

vulnerability management (VM)
The process of measuring risk and organizational exposure to vulnerabilities, and tracking compliance over time.

vulnerability scan, vulnerability scanning
Examining a host or network stream for vulnerabilities.


Warhol worm
The concept that a computer virus could spread around the world in less than 15 minutes. It is based on Andy Warhol’s idea that every individual will have 15 minutes of fame in their life.

Web 2.0
A catchphrase for the latest generation of interactive web applications, including scripts, XML, and applets. These applications allow users to generate content, such as blogs, multimedia, and code.

Web 2.0 defenses
Advanced techniques that detect Web 2.0 threats with a cross-protocol reputation system, real-time assessment (without waiting for a signature), and intent-based anti-malware protection. Standard web defenses depend on category-based filtering and signatures to protect users. These worked with Web 1.0 threats launched from static websites that could easily be categorized and tracked. Because of the subtle vulnerabilities of Web 2.0 sites, the increased use of encryption, and the deliberate versioning of malware to avoid detection (see also polymorphic virus) [anchor/target link to this location], people using only Web 1.0-style technologies are not well protected today.

Web 2.0 vulnerabilities
The specific, exploitable defects to Web 2.0 sites and applications. The flexible ability of Web 2.0 sites to absorb new content (especially from unvetted users) combined with the vulnerabilities in browsers, protocols, and programming techniques make it easy for hackers to compromise legitimate sites. For example, invisible code could be planted within a web page to redirect viewers from a legitimate site to a malicious one.

web filter
A type of product that examines inbound and outbound web traffic for spyware, malware, viruses, data loss, and Internet misuse. Filters can also block web access or content — usually based on origin, reputation, intent, or policy — to prevent data loss, malware, and inappropriate use. Category-based filtering lets users block groups of sites based on standardized categories, such as pornographic content, games, or shopping.

A type of scam in which phishers find the name and email address of a company’s top executive or team of executives (information often freely available on the web), and craft an email specific to those people and their role at the company. The email attempts to lure the executives into clicking on a link that will take them to a website where malware is downloaded onto their machine that can copy keystrokes or ferret out sensitive information or corporate secrets.

A list of email addresses from trusted sources whose messages you want to receive and do not consider spam.

A term used interchangeably with “out in the field” that refers to how prevalent a virus has become. When McAfee announces that a virus is “out in the wild” or “out in the field,” our assessment includes how many computers or sites have been infected, the geographic areas where the virus has been found, the complexity of the virus, and how anti-virus solutions respond.

Short for Windows Socket, a type of application program interface (API) used to develop Windows applications, allowing a computer to communicate with other computers and applications (such as web browsers) via TCP/IP.

A virus that spreads by creating duplicates of itself on other drives, systems, or networks. A mass-mailing worm is one that requires a user’s intervention to spread, (e.g., opening an attachment or executing a downloaded file). Unlike viruses, worms do not infect other files. Most of today’s email viruses are worms. A self-propagating worm does not require user intervention to spread. Examples of self-propagating worms include Blaster, Sasser, and Conficker.


zero-day threats, zero-day vulnerabilities
Also known as zero-hour threats and vulnerabilities, they include threats that immediately exploit a newly discovered vulnerability.

ZIP file (.zip)
A compressed file that can contain multiple files. ZIP files are used to send multiple files without the associated disk space and download time issues. ZIP files can contain viruses, so you should make sure your anti-virus program scans for viruses in archive files.

A computer that is infected with a virus or Trojan horse that puts it under the remote control of an online hijacker. The hijacker uses a zombie to generate spam or launch denial of service attacks.

zoo virus
A virus found only in virus laboratories that has not moved into general circulation.


Part of the McAfee convention for naming viruses and Trojans. This suffix is attached to the end of virus names to indicate that the virus can transmit itself via email. The single “m” indicates that the virus is capable of generating low volumes of email, typically one email transmitted for each email a user receives.

Part of the McAfee convention for naming viruses and Trojans. This suffix is attached to the end of virus names to indicate that the virus can transmit itself via email. The double “m” indicates that the virus is capable of generating high volumes of email, typically hundreds of emails per infected machine.