
Glossary of Terms

We know that technical terminology can be confusing. Use this glossary whenever you come across a term you don't understand.



.dam
Part of the McAfee® convention naming viruses and Trojans. This is a suffix attached to the end of virus names to indicate that the sample is damaged and will not actually run. Detection for these non-viable samples is added at McAfee Avert® Labs' discretion, generally if they appear in large numbers and cause an issue for many customers. If you detect a .dam file, you can safely delete it.

.dldr
See also Downloader.

.dll
Stands for "Dynamic Link Library." A DLL (.dll) file contains a library of functions and other information accessible by a Microsoft® Windows® program.

.dr
Part of the McAfee® convention naming viruses and Trojans. We attach this suffix to the end of virus names to indicate that the detected file is a "dropper," a file that installs or "drops" other malware.

@m
Part of the McAfee® convention naming viruses and Trojans. We attach this suffix to the end of virus names to indicate that this virus can transmit itself via e-mail. The single "m" indicates that this transmits low volumes of e-mail, generally one e-mail transmitted per e-mail that a user receives.

@mm
Part of the McAfee convention naming viruses and Trojans. This suffix at the end of virus names indicates that this virus can transmit itself via e-mail. The double "m" indicates that this threat transmits large volumes of e-mail, generally hundreds of e-mails per infected machine.

A
admin, administrator
An account on a computer that grants the user privileges to install software, delete files, and manage user accounts. If an administrator is logged onto a system when that system becomes infected, the virus can perform the same functions that the administrator can: install new applications, delete files, and modify data.

adware
Software whose primary function is generating revenue by advertising targeted at the user of the computer on which the software resides. The revenue is earned by the vendor or the vendor's partners. This does not imply that the adware captures or transmits any personal information as part of the software's functions, although that may be the case.

alert
A message announcing a virus, an intrusion detection, or other computer activity. The message can be sent automatically, according to a predefined configuration, to system administrators and users via e-mail, pager, or phone.

Alert Manager
A McAfee® utility to configure alerts for various notification methods, such as a pager message or e-mail. You can select specific events (such as virus detection) to trigger alert messages.

alias
An assumed or alternate name for a virus or Trojan used by another anti-virus vendor. Some viruses get multiple names, as there is no central organization naming computer viruses.

anti-virus policy
An organization's document outlining its anti-virus policies. It lists the products, the configuration settings, the update schedule, and enforcement policies. The organization should review this policy document at least every six months to compare the company's security posture with the current threat landscape.

application
Software that can be installed to a computer. An application can be a complex combination of executable files (EXEs), DLLs, data files, registry settings, and install/uninstall files.

See also potentially unwanted program (PUP).

attack
An attempted system security breach. Successful attacks range in severity from someone viewing data on another system to destroying or stealing data or shutting down your system.

See also DoS, DDoS.

AutoUpdate
The program that automatically updates McAfee® software with the latest detection definition (DAT) files and scan engine. It upgrades all supported versions of McAfee VirusScan®.

McAfee® Avert® Labs
Our global security research centers with more than 100 experts in 14 countries that support customers and users by discovering and addressing breaking threats and vulnerabilities.

B
backdoor
Programs that give an attacker access to and remote control of another computer. Backdoors are largely Trojans and are dealt with by most anti-virus products. A NIPS (Network Intrusion Prevention System) helps detect and block backdoor communications.

background scanning
A type of on-access scanning—made possible within Microsoft® Exchange by Microsoft VS API2—which does not scan all files on access, reducing the scanner's workload when it is busy. It scans databases on which it has been enabled—for example, Mailbox store and Public Folder store.

banner
Information that displays when you connect to a remote system.

banner ad
Advertisement at the top of a Web page.

batch file
A specific script file format (.bat) that runs on Microsoft®-compatible operating systems from DOS® to Win9x, WinNT, Win2000, Windows® XP.

beaming
The process of sharing data between wireless infrared-capable hand-held devices within a given distance (for example, within three feet). Information transferred through this method automatically stores in the proper application on the receiver’s hand-held device.

blacklist
The list of e-mail addresses from which you do not want to receive messages because you believe those messages will be spam, or unsolicited e-mail.

blended threat
A virus or worm using multiple infection techniques. This can include exploiting program vulnerabilities, Trojan behavior, infecting files, Internet propagation routines, network-share propagation routines, and spreading with no human intervention.

blocked host
A specific host from which the McAfee® Firewall allows you to block communication. The firewall attempts to trace the source of the packets you receive from the blocked host.

boot disk
A disk that contains special hidden start-up files and other programs to run a computer, usually specific to the operating system and version. Several types of boot disks are available to an average user, ranging from a standard floppy boot disk to an emergency boot disk or bootable CD. Since most anti-virus programs work best when they can gain complete access to the hard drive, it is important to use a boot disk when disinfecting a computer. In some cases, failure to use a boot disk prevents your anti-virus programs from detecting and removing certain viruses from the computer.

See also CleanBoot.

boot records
Those areas on diskettes or hard disks that contain some of the first instructions executed by a PC as it boots. Boot records load and execute to load the operating system. Viruses that infect boot records change the records to include a copy of themselves. When the PC boots, the virus program runs and typically installs itself in memory before loading the operating system.

boot sector infector
A virus that infects the original boot sector on a floppy diskette. These viruses are particularly serious because information in the boot sector is loaded into memory first, before executing virus protection code. A strict boot sector infector infects only the boot sector, regardless of whether the target is a hard disk or a floppy diskette. Some viruses always attack the first physical sector of the disk, regardless of the disk type.

bot
This term refers to a program that automatically searches for and retrieves information or generates generic traffic over the network. While bots are not always malicious, the most common are IRC bots that can install other malware or PUPs, distribute compromised machine lists, and organize zombies for DDoS attacks.

botnet
A collection of zombie PCs is called a botnet (short for "robot network"). A botnet can consist of tens or even hundreds of thousands of zombie computers. A single PC in a botnet can automatically send thousands of spam messages per day. The most common spam messages come from zombie computers.

BHO
See also browser helper objects.

bps
Bits per second. This is a measure of the speed of a connection, normally used for modems or when downloading files from the Internet.

Bps
Bytes per second. The capital letter “B” indicates that this is a measure of 8-bits at a time.

broadcast address
The broadcast address is a standard TCP/IP address which transmits the message to all machines within a local subnet.

browser helper objects
Browser helper objects are a kind of .DLL file that Internet Explorer allows to alter its behavior. This can include adding new toolbars and menu items, viewing incoming and outgoing traffic, and modifying HTML data before it renders.

browser hijackers
Browser hijackers are programs that replace the browser home page, search page, search results, error message pages, or other browser content with unexpected or unwanted content.

brute force
A hacking method used to find passwords or encryption keys by trying every possible combination of characters until it breaks the code.

buffer overflow condition
A condition in an operating system or an application in which it receives more data input than it can handle. Supplying the overly long data results in a buffer overflow and corrupts memory.

buffer overflow attack,
buffer overflow exploit
The method of overfilling a software buffer to insert and execute the attacker's code. In a remote buffer overflow attack, the aim is to transfer the attacker's code to the attacked machine and subsequently run this code. In a local buffer overflow attack, the aim is elevating the attacker's privileges.

bug
A programming error in a software program that can have unwanted side effects. Some examples include various Web browser security issues and Y2K software problems.

C
camping out
A hacking technique of breaking into a system and finding an undetected place from which to monitor the system, store information, or re-enter the system at a later time.

CD-R, CD-RW Recordable CD
There are two competing recording formats for CDs, indicated by the "R" (read only) and "RW" (read/write) notations. Once the disks are created, however, both can play back on a normal CD player.

See also DVD±R.

centralized alerting
Distributes alert notifications to multiple network users. An example of a centralized alerting system is McAfee Alert Manager. The anti-virus software such as McAfee® VirusScan® generates alert messages, which are saved to a shared folder on a server. Alert Manager sends alert notifications to users from that folder. When you update contents of the shared folder, Alert Manager sends new alert notifications using such user-configurable alert methods as e-mail messages to a pager. When you receive alerts from the network intrusion prevention systems, you can analyze correlation through drill-downs and then generate reports.

See also Alert Manager.

certificate
A certificate is used to prove identity by many cryptographic systems. Also, many Web sites use certificates to authenticate that the site is genuine. It contains a user's name and public key.

certificate authority
An office, bureau, or service that issues security certificates.

certificate authority-signed SSL
A type of secure socket layer that authenticates and encrypts data through a certificate that is digitally signed by the certificate authority.
 
clean, cleaning (alternately called "repair")
A scanner's action after it detects a virus, Trojan horse, worm, or potentially unwanted program (PUP). The cleaning action can include removing malicious code from a file and restoring the file to usability; removing references to the file from system files, system INI (.ini) files, and the registry; ending the process generated by the file; deleting a macro or a Microsoft® Visual Basic script that is infecting a file; deleting a file if it is a Trojan horse, worm, or belongs to a PUP; or renaming a file that it cannot clean.

CleanBoot disk
Anti-virus software that scans your system and optionally cleans (repairs) infected files. It comes on either floppy disks or a CD, and includes its own built-in operating system that loads as soon as you switch on your computer (with the CleanBoot media loaded in the appropriate drive).

COM File
Short for "command." An executable file that contains instructions to do something on your computer. COM (.com) files are for DOS-based systems and tend to run faster than EXE (.exe) type programs. Viruses often infect COM files. When the COM file executes, the virus executes as well, often loading itself into memory. Note: The Microsoft® Windows® operating system treats files with a COM extension the same as other executable type files. Some viruses and Trojans use a filename ending in COM (e.g., http://virus.com). Typically, these portable executable files are not real COM files.

command-line interface (CLI)
This is a text-based interface that launches and configures an application from the command line. An example is the McAfee® Command Line Scanner, scan.exe, which takes various parameters, including which files to scan.

command-line scanner
The McAfee® anti-virus scanner that runs from the command prompt.

COM port
Short for communications or serial port. The COM port is a location that sends and receives serial data transmissions. The ports are named COM1, COM2, COM3.

companion virus
A viral program that does not actually attach to another program, but uses a similar name and program precedence rules to associate itself with the regular program.

compile
To convert a high-level program into a machine language program. A "compiler" program helps accomplish this conversion and discovers syntax errors when a script is being compiled.

compressed files
An option in some McAfee® products that scans files that have been packed.

See packed executable.

cookies
Cookies are small text files that many Web sites use to store information about pages visited and other settings (temporary or persistent). For example, cookies might contain login or registration information, shopping cart information, or user preferences. When a server receives a browser request that includes a cookie, the server can use the information stored in the cookie to customize the Web site for the user.

common vulnerabilities and exposure references (CVE)
A standard reference system to identify vulnerabilities in software. This ensures consistency in naming types of vulnerability.

See http://cve.mitre.org for more detailed information.

Common Malware Enumeration
A standard reference system to identify viruses and other malware. This system is intended to reduce the confusion caused when different security vendors give different names or aliases to the same threat.

See http://cme.mitre.org/ for more detailed information.

D
daily DATs
DAT file updates released once a day.

DAT files
Detection definition files, also referred to as signature files, that identify the code anti-virus and/or anti-spyware software detects to repair viruses, Trojan horses and potentially unwanted programs (PUPs).

See also incremental DATs, daily DATs, SUPER.DAT, EXTRA.DAT.

DDoS; distributed denial of service
A DDoS attack is a form of denial-of-service (DoS) attack, where more than one traffic generator (a zombie) directs traffic to a targeted URL. Traffic-generating programs are called agents, and the controlling program is the master. DDoS agent programs receive instruction from a master program to carry out an attack, which is designed to disable or shut down the targeted URL.

defacement
Changing the home page or other key pages of a Web site by an unauthorized individual or process.

default process
In McAfee® VirusScan® Enterprise, any process that is not defined as a low-risk or high-risk process.

DoS: denial of service
A means of attack against a computer, server, or network. The attack is either intentional or an accidental by-product of code that is launched either from a separate network- or Internet-connected system or directly from the host. The attack is designed to disable or shut down the target, and disrupts the system's ability to respond to legitimate connection requests. A denial-of-service attack overwhelms its target with false connection requests, so that the target ignores legitimate requests.

desktop computer
1. A computer used primarily to perform tasks for individuals rather than acting as a service provider.
2. A personal computer or workstation designed to reside on or under a desktop.

desktop firewall
A program that acts as a filter between your computer and the network or Internet. It can scan all incoming and all outgoing traffic sent from your computer at the packet level, and decides to block or allow the traffic based on both default and custom rules.

dialers
Software that redirects Internet connections to a party other than the user's default ISP to run up additional connection charges for a content provider, vendor, or other third party.

DLL injector
An infection method used by a malware author to hide the author's presence, particularly from desktop firewalls. The malware author codes the threat to inject an additional DLL into an existing, already running application, making any requests to access the disk or network appear as if the original application were making the request.

Domain Name System (DNS)
This is the Internet standard that matches names such as www.mcafee.com to the IP address that routes packets to an Internet-connected computer.

McAfee download site
The McAfee® Web site that holds product and DAT update files.

downloader
See also .dldr.

dropper
An executable file that, when run, drops a virus or Trojan. A dropper file intends to create a virus or Trojan and then execute it on the user's system.

See also .dr.

drive-by download
Installing malware or potentially unwanted programs merely by viewing an e-mail or Web page on an improperly patched system.

DVD±R
Recordable DVD. There are two competing recording formats for DVDs, indicated by the "+" and "-" symbols. Once the disks are created, however, both play back on a normal DVD player.

E

EICAR: European Institute of Computer Anti-Virus Research.
EICAR has developed a string of characters used to test anti-virus software installation and operation. The EICAR test file is an important file for any serious anti-virus software user. See http://www.eicar.org/.

encryption
A change made to data, code, or a file so it must be processed (decrypted) before a system can read or access it. Viruses may use encryption to hide their viral code and thus attempt to escape detection. Viruses may also encrypt (change) code or data on a system as part of their payload. One of the most common forms of encryption in the "real world" today is password protection on ZIP (.zip) files.

end-user license agreement (EULA)
A legal contract between the producer of a piece of software and its user. The EULA may contain limitations on how you can use or remove the product, or disclose functionality of the product that may not be readily apparent.

engine
A software program used by anti-virus and anti-spyware programs to scan a user's systems for viruses and other malware using DAT files.

ePolicy Orchestrator® (ePO)
A McAfee® solution to manage security applications and suites from a central console. It helps organizations streamline their security process and enforce protection policies.

error reporting utility
A utility that tracks and logs failures in the McAfee® software on your system. You can use this information to help analyze problems.


.EXE file
An executable file is a program that launches a set of operations on your computer. For example, tank.exe may be a tank game. Files with different extensions, like .dll, are often support files for an .EXE program. Viruses commonly infect EXE files. After such an infection, the virus runs each time the program runs.

exit codes
Refers to the code the scan program produces after it completes a scan. Exit codes identify any viruses or problems found during a scan operation. You can use exit codes in batch scripted operations to determine what happens next.

exploit
Using defects in software code or function on a system to elevate privileges, execute code remotely, cause denial of service, or other attacks.

See Buffer Overflow for an example of an exploit.

EXTRA.DAT file
A supplemental virus definition file created in response to an outbreak of a new virus or a new variant of an existing virus.

See also DAT files, incremental DAT files, and SUPER.DAT.


F
false alarm
Incorrect detection of a clean file as malware. For example, heuristic and generic detection methods can protect users from threats that have not yet been discovered. However, these detection techniques can also lead to false detections, or false positives.

FAT
File Allocation Table. Describes both the area of a disk that stores the list of files and a formatting system for disk drives. Some malware deliberately overwrites the FAT on a disk to destroy data.

FAT32
File Allocation Table (32-bit). An extension to the FAT system to cater to larger disks and long file names.

file infector
A virus that attaches itself to or associates itself with a file. File infectors usually append or prepend themselves to regular program files or overwrite program code. The file-infector class also refers to programs that do not physically attach to files, but associate themselves with program file names.

firewall
A set of programs installed on a gateway server, designed to protect the network's resources from users on other networks. A firewall filters and routes incoming traffic and makes outgoing requests (to the Internet, for example) on behalf of local workstations.

See also Desktop Firewall.

flooder denial of service (FDoS)
Similar to DDoS only in the nature of the attack. FDoS programs are singular in form: there are no other components of the attack structure. FDoS attacks intend to disable or shut down the target.

FTP
File Transfer Protocol, used historically to transfer files between systems. The standard FTP control port is TCP Port 21 in IP networking terminology.

G
GTUBE
The acronym for "General Test mail for Unsolicited Bulk E-mail," a test to verify that anti-spam software is operating correctly.

H
hacker tools
Hacker tools are often security utilities that are as adept at helping administrators secure their environment as helping attackers gain entry to it.

ham
A term used to refer to non-spam messages.

See also spam.

hand-held device
A small device, such as a pocket PC, personal digital assistant (PDA) or wireless phone, often with wireless capability.

heuristic analysis, heuristics
A scanning method that looks for virus-like behavior patterns or activities. Most leading packages have a heuristic scanning method to detect new or not-yet-known viruses in the field.

hex
Short for "hexadecimal." A numerical system with a base of 16. Because there are more than 10 digits, values 10 through 15 are represented by letters A through F respectively. This system is useful in computers because it maps easily from four bits to one hex digit.

high-risk process
In McAfee® VirusScan® Enterprise, processes that McAfee considers to have a higher possibility of being infected or accessing infected files. For example, processes that launch other processes, such as Microsoft® Windows Explorer or the command prompt; processes that execute macro or script code, such as WINWORD or CSCRIPT; processes to download from the Internet, such as browsers, instant messengers, and mail clients.

See also default process and low-risk process.

HIPS (Host Intrusion Prevention System)
Refers to McAfee® Host-based Intrusion Prevention System, which defends desktops and servers with combined signature, behavioral, and firewall protections.

See also NIPS, IPS.

hoax
Usually a fraudulent e-mail that gets sent in chain-letter fashion, describing some devastating, highly unlikely type of virus or other large, usually negative event. Hoaxes are detectable by their lack of a file attachment, their lack of a reference to a third party who can validate the claim, and the overly dramatic tone of the message.

host, host computer
Any computer on the Internet that has full two-way access to other computers on the Internet.

host-based security system
A security application that functions by virtue of being installed on and protecting each node (host computer) in a network.

See also HIPS.

HotFix releases (now patches)
Intermediate releases of the product that repair specific issues.

HTTP (Hyper-Text Transfer Protocol)
Used historically to transfer HTML documents. The standard port used is Port 80 in IP networking terminology, although port 443 is used for secure http. Many companies also use Port 8080.

I
incremental DAT files
New virus definitions that supplement the currently installed definitions, available for up to 15 days. Incremental DATs allow the update utility to download only the changes to the DAT files rather than the entire DAT file set.

See also DAT files, EXTRA.DAT file and SUPER.DAT.

infected
Files are said to be "infected" when malicious code has been inserted into them by a virus. Computer systems are "infected" if a virus or Trojan is installed and running on that system. Static malware (viruses and Trojans whose entire code is malicious) is also said to be "infected." If a potentially unwanted program is installed on a system, the system is NOT considered "infected," even though there may be other consequences.

infection length
This is the size, in bytes, of the viral code inserted into a program by the virus. If this is a worm or Trojan horse, the length represents the size of the file.

INI File
A place for programs to store instructions or settings that load when booting an operating system. Virus authors often use the WIN.INI, SYSTEM.INI, and WININIT.INI files.

integer overflow
Condition in an operating system or an application that allows data input that will manipulate an integer value in the application to corrupt memory.

See also Buffer Overflow Condition.

IPS Intrusion Prevention System
A preemptive approach to host and network security used to identify and quickly respond to potential threats. An intrusion prevention system (IPS) monitors individual host and network traffic. Because an attacker might carry out an attack immediately after gaining access, intrusion prevention systems can also take immediate action as preset by the network administrator.

See also HIPS and NIPS.

Internet protocol (IP) address
Identifies a workstation on a TCP/IP network and specifies routing information. Each workstation on a network has a unique IP address, which consists of the network ID, plus a unique host ID assigned by the network administrator. This address is usually represented in dot-decimal notation, with the decimal values separated by a period (for example, 123.45.6.24 as in IPv4).

Internet relay chat (IRC)
IRC is a multi-user chat system, where people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups or privately. This system enables participants to distribute executable content. Note: many worms and Trojans utilize IRC as a communications channel to return data to the original malware author, who can then instruct the worm or virus to execute commands ranging from causing a DDoS to infecting other machines.

in the wild
When two independent researchers identify the same virus in circulation within a one-year period, that virus is defined as being "in the wild." About 450 viruses exist in the wild at any one time.
J
jokes, joke programs
Software that claims to harm a computer, but has no malicious payload or use, and does not impact security or privacy states, but that may alarm or annoy a user.

K
keylogger
Software that intercepts data between the user entering it and the intended recipient application. Trojan keyloggers and PUP keyloggers are functionally identical. McAfee® software detects both types of keyloggers to prevent privacy intrusions.

L
Layered service providers (LSPs)
Layered Service Providers are DLLs that use Winsock APIs to insert themselves into the TCP/IP stack. Once in the stack, layered service providers can intercept and modify inbound and outbound Internet traffic.

log file
An activity record of McAfee® anti-virus software. Log files record actions during installation, scanning, or updating.

logic bomb
A program that allows a Trojan horse to lie dormant and then attack when the conditions are just right.

low-risk process
In McAfee® VirusScan® Enterprise, processes that McAfee considers to have a lower possibility of being infected or accessing infected files, such as backup software or code compiler/linker processes.

See also default process and high-risk process.

M

macro
A set of keystrokes and instructions that are recorded, saved, and assigned to a shortcut key. When the key code is typed, the recorded keystrokes and instructions execute. Macros can simplify otherwise tedious day-to-day operations.
Note: As with any programming language, these can be used maliciously. See macro virus.

macro virus
A program or code segment written in the application's internal macro language. Some macros replicate or spread. Others simply modify documents or other files on the user's machine without spreading, such as a Trojan.


malware (malicious software)
A malicious program. Viruses and Trojans are examples of malware. Potentially unwanted programs (PUPs) are not considered malware.

master boot record (MBR)/boot sector infector (BSI)
A virus that infects the system's master boot record on hard drives and the boot sector on floppy diskettes. This type of virus takes control of the system at a low level by activating between the system hardware and the operating system. An MBR/boot sector virus loads into memory during boot-up, before virus-detection code executes.

MD5
A computer algorithm that calculates a "hash value," a unique number, when passed a string of data, such as a text file or an EXE file. Hash values prove that the original file is unmodified.

media
This is a catch-all term for all removable tapes, disks, or CD/DVDs that store code and data for use on a PC.

memory resident
A program that stays in the active RAM of the computer while other programs run, such as accessory software, activity monitoring, and resident scanning software. Viruses often attempt to "go resident." An activity monitor can check for memory-resident functions.

mobile code
Code or software that is transferred from a host to a client or to another host to be executed at the destination. A worm is an example of malicious mobile code.

multi-partite virus
A virus that infects master boot records, boot sectors, and files.


N

namespace providers (NSPs)
Namespace providers are DLLs that utilize Winsock APIs to insert themselves into the TCP/IP stack. Namespace providers can redirect traffic from one site to an intermediary.

network aware
A virus or worm can be considered network aware when one of its propagation methods is to search the network for open shares.

NIPS: Network Intrusion Prevention System
Software or a device that monitors network traffic and prevents attacks on a network or system. McAfee® IntruShield® is a NIPS system.

See also HIPS, IPS.

NTFS (new technology file system)
The default formatting system for disk drives used by Windows® NT, Windows 2000, Windows XP, and Windows 2003. Microsoft has updated the NTFS specification to cope with such new features as larger hard disks and spanned drive support.


O
on-access scanning
Examining files every time they are opened, copied, or saved to determine if they contain a virus or other potentially unwanted code.

Compare to on-demand scanning.

on-demand scanning
A scheduled examination of selected files to find a virus or other potentially unwanted code. It can take place immediately on user request, at a scheduled future time, or at regularly-scheduled intervals.

Compare to on-access scanning.

OS (operating system)
The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform such basic tasks as recognizing keyboard input, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices, such as disk drives and printers. Examples of operating systems include DOS®, Windows®, SunOS®, Unix, Linux, FreeBSD, PalmOS, and MacOS.

OS identification
A series of algorithms to determine a remote host's operating system, architecture, platform, or device type. This process may involve TCP/IP stack fingerprinting as well as application-layer protocol tests.

See also Vulnerability Assessment.

overwriting virus
A virus that overwrites files with its own viral code. There is no way to recover the original data from such an infection except to retrieve the files from backups.

back to top
P

packer, packed executable
Executable files can be compressed with a packer that shrinks and possibly encrypts the original code. The packed executable will decompress and/or decrypt itself in memory while it is running, so that the file on disk is never similar to the memory image of the file. Packers are designed to avoid security software, prevent reverse engineering, or supply some level of copy protection.

parasitic infector
A virus that modifies existing files on a disk, injecting its code into the file where it resides. When the user runs the infected file, the virus runs too.

See also file infector.

password cracker
Software designed to enable a user or administrator to recover lost or forgotten passwords from accounts or data files. In the hands of an attacker, these tools open access to confidential information, so they can be a security and privacy threat.

password stealer (PWS)
A type of Trojan used specifically to steal users' passwords.

patch releases (previously HotFix release)
Intermediate releases of a product that address specific issues.

payload
The "cargo" code in a virus, as distinct from the portions used to avoid detection or replicate. The payload code can display text or graphics on the screen, or it may corrupt or erase data. Not all viruses actually contain a deliberate payload. However, even those without one affect CPU usage, hard-disk space, and the time it takes to clean them.

Payload can also refer to the data or packets sent during an attack.
See also shellcode.

PDA
Short for "Personal Digital Assistant." A hand-held device that combines computing, telephone/fax, Internet and networking features.

pharming
A method of redirecting Internet traffic to a fake Web site through domain spoofing. This involves creating a fake DNS record for a real Web site, typically that of a bank or other commercial enterprise. The fake DNS record redirects traffic from the real Web site to the fraudulent site, intending to gather customers' personal information. For example, when a user types the URL of a bank into their browser, the browser does a DNS lookup to determine the IP address of the bank's Web site. DNS servers store a list of domains and their corresponding IP addresses. Hackers insert false information on the DNS server, so that browsers looking up the bank's IP address are redirected to the fake IP address. On the visitor's browser, the site appears legitimate.

phishing
A method of fraudulently obtaining personal information, such as passwords, social security numbers, and credit card details, by sending spoofed e-mails that look like they come from trusted sources, such as banks or legitimate companies. Typically, phishing e-mails request that recipients click on the link in the e-mail to verify or update contact details or credit card information. Like spam, phishing e-mails go to a large number of e-mail addresses in the expectation that someone will read the message and disclose their personal information.

ping
A basic Internet program that lets you verify that a particular Internet address exists and can accept requests; also the act of using the ping utility or command. You can ping diagnostically to make sure that a host computer that you are trying to reach is actually online.

ping attack
The method of overwhelming a network with ping commands.

ping of death
A hacking technique used to cause a denial-of-service attack by sending a large ICMP packet to a target. As the target tries to reassemble the packet, the packet size overflows the buffer and can cause the target to reboot or freeze.

See also buffer overflow.

polymorphic/polymorphism
A virus that attempts to evade detection by changing its internal structure or its encryption techniques. Polymorphic viruses change form with each infection to avoid detection by anti-viral software scanning for signature forms. Less sophisticated systems are referred to as self-encrypting.

polymorphic virus
A virus that can change its byte pattern when it replicates, thereby avoiding detection by simple string-scanning techniques.

port
A hardware location for passing data in and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, as well as external ports, for connecting modems, printers, mice, and other peripherals.
In TCP/IP and UDP networks, "port" is also the name of an endpoint to a logical connection. Port numbers identify types of ports. For example, both TCP and UDP use port 80 to transport HTTP data. A threat might attempt to enter using a particular TCP/IP port.

portable executable (PE)
A common file format used on Microsoft® NT-based platforms.

port scanning
A hacking technique used to check TCP/IP ports to reveal which services are available for exploitation, and to determine the operating system of a particular computer.

potentially unwanted program (PUP)
Software programs written by legitimate companies that may alter the security state or the privacy posture of the computer on which they are installed. This software can, but does not necessarily, include spyware, adware, and dialers, and could be downloaded in conjunction with a program that the user wants. Security-minded users know about such programs and, in some cases, have them removed.

ProtectionPilot
This McAfee® product is a management tool that enables the anti-virus administrator in a smaller organization to configure the protection standards for all McAfee anti-virus products in the organization.

Larger organizations should use ePO™ to manage more than 500 nodes.

protocol
A set of rules enabling computers or devices to exchange data with one another with as few errors as possible. The rules govern issues such as error checking and data compression.

Also see communications protocol.

proxy/proxies
Tools that redirect information bound to an IP address, domain name, or all Internet traffic to a third party.

PWS
See password stealer.

back to top

Q
quarantine
Isolating files suspected of containing a virus, spam, suspicious content, and potentially unwanted programs (PUPs), so that the files cannot be opened or executed.

quarantine folder
The location on a computer system that stores e-mail messages or files that could contain a virus or other suspicious code. The system administrator reviews the messages or files to decide how to respond.

back to top
R
recursive scan
To scan everything in a folder, including subfolders.

registry
A database used to store instructions and other information. The database is broken down into keys, for which values are set. In many cases an alternative to using an INI file, this Microsoft® Windows® component is often used by virus authors as well as legitimate Windows programmers.

remote admin tool (RAT)
Software designed to give an administrator remote control of a system. Remote administration tools could be a large security threat when controlled by a party other than the legitimate owner or administrator.

risk assessment
A calculated measure of the likelihood and impact of a successful attack on an organization's data and assets. McAfee® Avert® Labs estimates risk for vulnerabilities and threats based on the effect they expect them to have on the Internet community.

Additional Information: The McAfee Avert Labs Threat and Vulnerability Risk Assessment Program

back to top
S
scan, scanning
Examining files to find viruses and other potentially unwanted code.

See on-access scanning and on-demand scanning.

script
A type of program with instructions that a host application interprets and executes. Script instructions are usually expressed using the application's rules and syntax combined with simple control structures. Examples are JavaScript™ and VBScript, which some Web browsers can execute.

self-encrypting viruses
A virus that uses self-encrypting techniques to avoid detection.

self-extracting files
A file that, when run, extracts itself. Most files transferred across the Internet are compressed to save disk space and reduce transfer times. A self-extracting program can extract a virus or Trojan horse, which can be difficult to catch because scanning compressed files is a relatively new virus detection technique. You cannot get a virus by just downloading a self-extracting file, so always scan new files before you run them.

shellcode
Machine code, often written in assembly language, used as the payload to exploit a software bug enabling the hacker to communicate with the computer through the operating system command line.

See also exploit.

shell script
A specific type of script file in UNIX environment shells. Common variants include scripts for BASH and CShell, which are much like DOS batch files.

signature
A series of unique letters and numbers in virus code.

signature files
Data files containing detection and/or remediation code that McAfee® scanning products such as VirusScan® or IntruShield® use to identify malicious code.

See DAT files.

silent installation
Installing a software package onto a computer silently, without need for user intervention.

Smurf attack
A denial-of-service attack that floods its targets with replies to ICMP echo (ping) requests. A Smurf attack pings Internet broadcast addresses, which in turn forward the requests to as many as 255 hosts on a subnet. The return address of the ping request is actually the address of the attack target. All hosts receiving the ping requests reply to the attack target, flooding it with replies.

SNMP trap
A method of asynchronous event notification supported by the Simple Network Management Protocol.

spam
Unwanted e-mail, specifically unsolicited bulk e-mail. Typically, an e-mail message is sent to multiple recipients who did not ask to receive it. E-mail messages are not considered spam if a user has signed up to receive them.

spammer
An individual who sends spam messages.

spear phishing
Like phishing, the term refers to e-mail that appears to come from a legitimate source, such as a bank, a company's internal IT department, an internal employee, or someone your company does business with. While phishing uses mass e-mail, spear-phishing e-mails target a very small number of recipients. The e-mail sender information may be spoofed so the e-mail appears to originate from a trusted source. Messages typically request username and password details, provide a link to a Web site where visitors can enter personal information, or contain an attachment containing a virus, Trojan, or spyware.

splog
A term for spammers who create a large number of blogs with links to a spam site. Because the links are included in a large number of blogs, they have high search-engine rankings. Splogs are created to attract people to spam sites, primarily via Google.

spoofing
Forging an e-mail address or IP address to hide one's location and identity.

spyware
Software whose function includes transmitting personal information to a third party without the user's knowledge or consent. This usage is distinct from the common usage of spyware to represent commercial software that has security or privacy implications.

See PUPs.

stealth
A virus that tries to avoid detection. A stealth virus may redirect system pointers and information to infect a file without actually changing the infected program file. Another stealth technique is to conceal an increase in file length by displaying the original, uninfected file length.

SUPER.DAT
A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the scanning engine.

It automatically shuts down any active scans, services, or other memory-resident components that could interfere with the upgrade, then copies new files to their proper locations so that your software can use them immediately.

See also DAT files, EXTRA.DAT file, and incremental DAT files.

supplemental virus definition file
See EXTRA.DAT file.

SYN flood
A hacking technique to cause a denial of service, where the attackers send a large number of TCP SYN packets to the target with spoofed source IP addresses. This results in many half-open TCP connections on the target, thus tying up the TCP state resources.
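The definition above describes what a SYN flood looks like from the target: a backlog of half-open connections from many sources that never complete the handshake. The following detection check is an added example, not part of the original glossary; it runs over a constructed connection table in an assumed "STATE LOCAL REMOTE" line format and flags any local socket whose half-open backlog is large and spread across many distinct peers.

```python
from collections import Counter, defaultdict

# Constructed sample of a connection table (not captured data), in an assumed
# "STATE LOCAL_ADDR:PORT REMOTE_ADDR:PORT" shape. Six half-open connections
# from six different sources pile up on 10.0.0.5:443 while only two peers
# have completed the handshake.
SAMPLE_CONNECTIONS = """\
ESTAB    10.0.0.5:443 198.51.100.7:51022
ESTAB    10.0.0.5:443 198.51.100.9:51030
SYN-RECV 10.0.0.5:443 203.0.113.10:40001
SYN-RECV 10.0.0.5:443 203.0.113.11:40002
SYN-RECV 10.0.0.5:443 203.0.113.12:40003
SYN-RECV 10.0.0.5:443 203.0.113.13:40004
SYN-RECV 10.0.0.5:443 203.0.113.14:40005
SYN-RECV 10.0.0.5:443 203.0.113.15:40006
SYN-RECV 10.0.0.5:22  198.51.100.20:55010
ESTAB    10.0.0.5:22  198.51.100.21:55011
"""

HALF_OPEN = "SYN-RECV"  # peer sent SYN, we sent SYN-ACK, final ACK never came


def parse_connections(text):
    """Parse table lines into (state, local_socket, remote_host) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank lines and any header line
        state, local, remote = parts
        remote_host = remote.rsplit(":", 1)[0]  # drop the ephemeral port
        rows.append((state, local, remote_host))
    return rows


def syn_flood_report(rows, threshold):
    """Per local socket: half-open count, distinct sources, ratio, and flag.

    A socket is flagged when its half-open backlog reaches `threshold` and
    those connections come from at least `threshold` distinct peers, the
    pattern spoofed-source floods produce (genuine slow clients rarely do).
    """
    half_open, total, sources = Counter(), Counter(), defaultdict(set)
    for state, local, remote_host in rows:
        total[local] += 1
        if state == HALF_OPEN:
            half_open[local] += 1
            sources[local].add(remote_host)
    report = {}
    for local in total:
        n, peers = half_open[local], len(sources[local])
        report[local] = {
            "half_open": n,
            "distinct_sources": peers,
            "half_open_ratio": round(n / total[local], 2),
            "flagged": n >= threshold and peers >= threshold,
        }
    return report


def flagged_sockets(text, threshold=5):
    """Return the sorted list of local sockets that look flooded."""
    report = syn_flood_report(parse_connections(text), threshold)
    return sorted(s for s, r in report.items() if r["flagged"])
```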

system hang
A complete failure of the operating system. When a program fails, it usually has an opportunity to display an error or diagnostic message. If the entire system fails, no such message appears and keystrokes and mouse clicks are ignored. In the worst cases, the system cannot be restarted without turning off the power.

back to top
T
terminate-and-stay resident
A program that remains active in memory while other programs run on the system. Examples of TSRs are VShield, a DOS-based mouse, or a CD-ROM driver.

trigger
An event that a malware author has programmed the threat to watch for, such as a date, the number of days since the infection occurred, or a sequence of keystrokes. When the trigger event occurs, it activates the virus, which then activates its payload.

Trojan, Trojan horse
A program that does not replicate, but causes damage or compromises the security of the computer. Typically, an individual e-mails a Trojan horse to you; it does not e-mail itself. You can also download the Trojan from a Web site or via peer-to-peer networking.

tunnelling
A virus that avoids standard interfaces to infect files. This allows the virus to infect files and go unnoticed by a behavior blocker. One evasion technique used by attackers is tunnelling malicious communications through the standard port of another application (e.g., port 80 for HTTP) to avoid firewalls.

back to top
U
USB (Universal Serial Bus)
This is an industry-standard connector on almost all modern computers. This connects multiple devices, ranging from keyboards and mice to Webcams, scanners, and printers.

Versions USB1 and USB2 differ in performance, but use identical physical connectors.

UTC time, Coordinated Universal Time (UTC)
This refers to time on the zero or Greenwich meridian.

back to top
V
variant, variants
New strains of viruses that are modifications of a previous virus. We identify variants by a letter-based extension after the virus family name: e.g., W32/Virus.a, W32/Virus.b, etc.

When more than 26 variants are identified in a single family, we use a two-letter extension, e.g., W32/Virus.aa, W32/Virus.ab, etc.
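The variant letters above form a bijective base-26 sequence (.a through .z, then .aa, .ab, and so on, with no "zero" letter). The following helpers are an added example, not McAfee's own code, that convert between a variant's ordinal and its suffix and split a detection name of the form Family.suffix; the name W32/Virus is taken from the entry, everything else is assumed.

```python
import string

ALPHABET = string.ascii_lowercase  # the 26 single-letter suffixes .a .. .z


def variant_suffix(n):
    """Suffix for the n-th variant (1-based) of a family.

    Variants 1..26 get one letter (.a .. .z); from the 27th on the suffix
    grows to two letters (.aa, .ab, ...), then three after .zz. Because
    there is no zero letter this is bijective base-26, not plain base-26:
    the successor of .z is .aa, not .ba.
    """
    if n < 1:
        raise ValueError("variant ordinal is 1-based")
    letters = []
    while n > 0:
        n, rem = divmod(n - 1, 26)  # subtract 1 so 'a' is digit 1, not 0
        letters.append(ALPHABET[rem])
    return "".join(reversed(letters))


def variant_index(suffix):
    """Inverse of variant_suffix: 'a' -> 1, 'z' -> 26, 'aa' -> 27, 'ab' -> 28."""
    s = suffix.lstrip(".").lower()
    if not s or any(c not in ALPHABET for c in s):
        raise ValueError("not a variant suffix: %r" % suffix)
    n = 0
    for c in s:
        n = n * 26 + ALPHABET.index(c) + 1
    return n


def split_detection_name(name):
    """Split 'W32/Virus.ab' into ('W32/Virus', 28); no suffix gives ordinal 0.

    Assumes the family name carries no dots of its own, so the text after
    the last dot is the variant letters.
    """
    family, dot, suffix = name.rpartition(".")
    if not dot:
        return name, 0
    return family, variant_index(suffix)
```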

VBS
A method of spreading viruses by using Visual Basic Scripting. Not usually a problem, unless a user has either Internet Explorer 5 or Outlook 98 or higher.

virus
A program or code that replicates, that is, infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many do a large amount of damage as well.

virus definition (DAT) files
See DAT files.

virus-scanning engine
The mechanism that drives the anti-virus scanning process.

vulnerability
Exploitable defect in a software application or operating system, allowing others to crash systems, access information on systems, or use systems for their own purposes.

Vulnerability Assessment (VA)
Vulnerability Assessment (VA) is the process by which an enterprise analyzes the risk associated with vulnerability scan results.

See also Vulnerability Management (VM) and vulnerability scan, vulnerability scanning.

Vulnerability Management (VM)
Vulnerability Management (VM) is the process by which an enterprise measures risk and organizational exposure to vulnerabilities, and tracks compliance over time.

See also Vulnerability Assessment (VA).

vulnerability scan, vulnerability scanning
Examining a host or network stream for vulnerabilities.

See also Vulnerability Assessment (VA).

back to top
W
Warhol worm
Based on Andy Warhol's idea of fifteen minutes of fame, the concept is that a computer virus could spread around the world in less than fifteen minutes.

white list
The list of e-mail addresses from trusted sources whose messages you do not consider spam, and want to receive.

wild
A term used interchangeably with "out in the field" that refers to how prevalent a virus has become. When we say a virus is "out in the wild" or "out in the field," we take into account how many computers or sites have been infected, the geographic areas where the virus has been found, the virus' complexity, and how anti-virus solutions respond.

worm
A virus that spreads by creating duplicates of itself on other drives, systems, or networks. A mass-mailing worm is one that requires a user's intervention to spread, e.g., opening an attachment or executing a downloaded file. Most of today's e-mail viruses are worms. A self-propagating worm has no need of user intervention to propagate. Examples of self-propagating worms include Blaster and Sasser.

back to top
Z
ZIP file
A ZIP (.zip) file is a compressed archive that can contain multiple files. Zipped files can contain viruses, so make sure your anti-virus program scans for viruses in archive files.

zoo virus
A virus found only in virus laboratories that has not moved into general circulation.

back to top