This document describes the terms used within McAfee help systems. Click on a term to see its definition.
A means of separating logical networks on a single physical network layer.
A MIME transfer encoding method that is suitable for use with SMTP mail servers that support the 8BITMIME transport SMTP extension.
Up to 998 octets per line; CR and LF (codes 13 and 10) are allowed to appear only as part of a CRLF line ending.
See COM file.
Part of the McAfee convention naming viruses and Trojan horses. This is a suffix attached to the end of virus names to indicate that the sample is damaged and will not actually run. Detection for these non-viable samples is added at McAfee Labs' discretion, generally if they appear in large numbers and cause an issue for many customers. If you detect a .dam file, you can safely delete it.
See Downloader.
Part of the McAfee convention naming viruses and Trojan horses. We attach this suffix to the end of virus names to indicate that it detected a "dropper," a file that installs or "drops" other malware.
Part of the McAfee convention naming viruses and Trojan horses. We attach this suffix to the end of virus names to indicate that this virus can transmit itself via e-mail. The single "m" indicates that this transmits low volumes of e-mail, generally one e-mail transmitted per e-mail that a user receives.
Part of the McAfee convention naming viruses and Trojan horses. This suffix at the end of virus names indicates that this virus can transmit itself via e-mail. The double "m" indicates that this threat transmits large volumes of e-mail, generally hundreds of e-mails per infected machine.
For the Anti-Spam Module (formerly McAfee SpamKiller), a list of the anti-spam rules that are triggered by an email message, and their associated spam scores.
See also Detailed list.
Regulates the use of system resources according to a security policy.
A list of the services available on a server, each with a list of the hosts permitted to use the service.
Each computer process is allocated system memory to store and retrieve information. The process that requested the memory is the only one allowed to read or write information in the allocated location. An access violation occurs when a process attempts to read or write from memory allocated to another process, without having permission to do so.
When configuring a policy, you typically specify what happens (which actions are applied) when a specific item or condition is detected. The type of actions that are available depend on the product, but typical actions include clean, log, and quarantine.
The Microsoft Directory Service available with Microsoft Windows 2000 and Microsoft Windows 2003.
Changes made by an ICAP server to an HTTP request or HTTP response received from an ICAP client.
The retrofitting of protection mechanisms, implemented by hardware or software, after a system has become operational.
A collection of contact information. You can use the address book to look up and select names, email addresses, and distribution lists when you type a name in the To, Cc, or Bcc fields.
An account on a computer that grants the user privileges to install software, delete files, and manage user accounts. If an administrator is logged onto a system when that system becomes infected, the virus can affect the same functions that the administrator can: install new applications, delete files, and modify data.
Entercept protection setting that allows for stricter enforcement of rules. Deployment tuning is required.
Software whose primary function is generating revenue by advertising targeted at the user of the computer on which the software resides. The revenue goes to the vendor or to the vendor's partners. This does not imply that the adware captures or transmits any personal information as part of its functions, although that may be the case.
Agents perform tasks on behalf of other programs.
Automatically upgrades the agent whenever a newer version is available on the ePolicy Orchestrator server.
A defined set of agents.
For ePolicy Orchestrator. An optional interface that appears on managed computers. It allows you to run tasks immediately that are normally initiated by the agent at predefined intervals.
For ePolicy Orchestrator. The ability to initiate agent-server communication from the server side.
For ePolicy Orchestrator. Any communication that occurs between ePolicy Orchestrator agents and the ePolicy Orchestrator server where agents and server exchange data. Typically, the agent initiates all communication with the server.
For ePolicy Orchestrator. The time between predefined agent-server communications.
For Entercept. A view of exceptions where identical exceptions can be grouped into a single aggregate.
A message announcing a virus, intrusion detection or other computer activity. The message can be sent automatically by a predefined configuration to system administrators and users.
Extra text that is added to the start of an alert message. For example, an alert header could contain information about the sender of the alert message.
A message that is sent to the user or administrator to notify them that a scanner has detected an issue with a scanned item.
A McAfee utility to configure alerts for various notification methods, such as a pager message or e-mail. You can select specific events (such as virus detection) to trigger alert messages.
An assumed or alternate name. Some viruses have multiple names since there is no single standard for naming computer viruses.
A network access mode in which computers are granted full access to the network.
An access control feature in many Internet hosts that enables users to gain access to general purpose or public services and resources on a host computer. For example, allowing a user to transfer data using File Transfer Protocol (FTP) without having a pre-established user-specific account.
Special anti-spam rules that define phish characteristics within email messages.
See also Phish.
Mail relaying is often used for malicious purposes, such as mail bombing and spamming. Anti-relay settings help prevent unscrupulous third parties relaying email messages through your mail system, by intercepting email messages that do not come from permitted domains.
Definition of anti-spam acceleration.
Software that uses anti-spam rules and extra rules to scan email messages for spam.
It also uses anti-phishing rules to scan email messages for phishing attacks.
McAfee produces an extensive set of rules that are used to determine if an email message contains potential spam. The engine applies the rules to each email message that is scanned. Each rule is associated with a score, and a positive score indicates spam-like characteristics and a negative score non-spam characteristics. When added together the scores give an overall spam score for the email message.
Definition of Anti-Spam Module.
The strategy that defines how spam is handled. For example, email messages can be marked as spam, or blocked.
The anti-spam software matches an extensive set of rules against every email message. Each rule is associated with a score - positive or negative. Rules that match for spam-like characteristics give a positive anti-spam score. Rules that match attributes of legitimate messages give a negative anti-spam score. When added together, the scores give each message an overall anti-spam score.
In a similar way, the anti-spam engine uses the anti-phishing rules to detect phish attacks. Rules that match anti-phishing characteristics add to the overall phish score, while rules that match non-phish characteristics reduce the overall phish score.
The anti-spam software examines the overall anti-spam score and overall anti-phish score to determine if the anti-spam or anti-phish policy should be applied to the email message. The email is categorized as spam or phish.
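The scoring mechanism described above, as an added example that is not part of the original glossary or of any McAfee product: the rule set, the weights, the thresholds and the three sample messages are all constructed for illustration, and the choice to apply the phish policy before the spam policy is an assumption.

```python
import re

# Constructed rule set (not McAfee's real rules). Each rule carries a name, a
# pattern, a spam score and a phish score. Positive scores mark spam- or
# phish-like traits; negative scores mark traits of legitimate mail.
RULES = [
    ("subject_or_body_free", re.compile(r"\bfree\b", re.I),                       2.0, 0.0),
    ("all_caps_subject",     re.compile(r"^Subject: [A-Z !]{12,}$", re.M),        1.5, 0.0),
    ("prize_or_winner",      re.compile(r"\b(prize|winner)\b", re.I),             1.5, 0.0),
    ("unsubscribe_text",     re.compile(r"unsubscribe", re.I),                    1.0, 0.0),
    ("verify_account",       re.compile(r"verify your (account|password)", re.I), 1.0, 3.0),
    ("url_with_raw_ip",      re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),     1.0, 2.5),
    ("known_correspondent",  re.compile(r"^From: .*@example\.com$", re.M),       -3.0, -1.0),
    ("quoted_reply",         re.compile(r"^>", re.M),                            -1.5, -0.5),
]

# Assumed thresholds, chosen for the sample messages below.
SPAM_THRESHOLD = 5.0
PHISH_THRESHOLD = 4.0


def score(message: str):
    """Apply every rule at most once and return (spam_score, phish_score, triggered)."""
    spam = phish = 0.0
    triggered = []
    for name, pattern, spam_weight, phish_weight in RULES:
        if pattern.search(message):
            spam += spam_weight
            phish += phish_weight
            triggered.append(name)
    return spam, phish, triggered


def classify(message: str) -> str:
    """Assumption: the phish policy is checked first, so a message that scores as
    both is reported as phish."""
    spam, phish, _ = score(message)
    if phish >= PHISH_THRESHOLD:
        return "phish"
    if spam >= SPAM_THRESHOLD:
        return "spam"
    return "clean"


# Constructed sample messages.
PHISH_MSG = """From: security@bank-alerts.net
Subject: Verify your account now
To: user@example.com

We detected unusual activity. Please verify your account at
http://203.0.113.5/login within 24 hours or it will be suspended.
"""

SPAM_MSG = """From: deals@promo-blast.biz
Subject: FREE GIFT CARDS INSIDE!!
To: user@example.com

Claim your free prize today. Click to unsubscribe if you no longer
want these offers.
"""

LEGIT_MSG = """From: alice@example.com
Subject: Re: free seats at the Thursday meeting
To: bob@example.com

> Are there free seats left?
Yes, two. Please verify your account access to the room booking tool first.
"""

if __name__ == "__main__":
    for label, msg in (("phish", PHISH_MSG), ("spam", SPAM_MSG), ("legit", LEGIT_MSG)):
        spam, phish, hits = score(msg)
        print(f"{label:5} spam={spam:+.1f} phish={phish:+.1f} -> {classify(msg)} {hits}")
```

Note how the legitimate reply trips two positive rules ("free" and "verify your account") yet ends up clean: the negative rules for a known correspondent and quoted text pull the totals below both thresholds, which is exactly why the engine sums weighted scores instead of blocking on any single match.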
Software that uses anti-virus rules and extra rules to scan email messages for viruses and other potentially unwanted programs.
An organization's document outlining its anti-virus policies. It lists the products, the configuration settings, the update schedule, and enforcement policies. The organization should review this policy document at least every six months to compare the company's security posture with the current threat landscape.
There are a number of appliances for different McAfee products. An appliance is a purpose-built system that can be installed at key points in your network to carry out various tasks.
Software that can be installed to a computer. An application can be a complex combination of executable files (.EXEs), .DLLs, data files, registry settings, and install/uninstall files.
For Entercept. Allows you to monitor the applications that are being used and either allow or block them. Two types of application monitoring are available: application creation and application hooking.
The interface by which an application program accesses the operating system and other services.
A collection of data that is stored for historical and other purposes, such as to support audits, availability, or system integrity.
The process in which the compliance status of computers is determined by running the checks in the compliance policy.
An attempted system security breach. Successful attacks range in severity from someone viewing data on another system, to someone destroying data, stealing data, or shutting down your system.
Entercept protection setting that permits exceptions and rules to be learned and added automatically. This mode is applicable to IPS exceptions, firewall rules, and application monitoring rules.
Service internal to the appliance that can authenticate a user against an external service, such as a Microsoft Active Directory Domain Controller or a Lightweight Directory Access Protocol (LDAP) directory interface.
A configuration item selecting one or more Authentication Services to use. Multiple authentication services will be tried in priority order to authenticate a given user.
Service external to the appliance that can authenticate a user. A Microsoft Active Directory Domain Controller or a Lightweight Directory Access Protocol (LDAP) directory interface.
Definition of authentication token.
Each email message is analyzed, broken down into individual words and phrases, and then logged into a database on the computer. Over time, the engine learns the characteristics of the messages that your company receives and uses that information to adjust the spam score it applies to each message.
An automated procedure that enables two systems on the same Ethernet network to agree on the transmission rate and duplex mode they will use when communicating with each other.
The program that automatically updates McAfee software with the latest detection definition (DAT) files and scan engine.
A group of identities that you can specify. An identity might be a department, a management level, a domain, or some other distinction used by the product. This grouping of identities provides a convenient means of creating a specific policy for more than one identity.
McAfee's global security research centers that support customers and users by discovering and addressing breaking threats and vulnerabilities.
Programs that give an attacker access to and remote control of another computer. Backdoors are largely Trojan horses dealt with by most anti-virus products. A Network Intrusion Prevention System (NIPS) helps detect and block backdoor communications.
A hole in the security of a system deliberately left in place by designers or maintainers. The motivation for such holes is not always sinister; some operating systems, for example, have privileged accounts intended for use by field service technicians or maintenance programmers.
A remote administration tool that can provide unwanted access to, and control of, a computer by way of its Internet link.
A type of on-access scanning within Microsoft (R) Exchange, made possible by the Microsoft VS API2, that does not scan every file on access and so reduces the scanner's workload when the server is busy. It scans only the databases on which it has been enabled, for example the Mailbox store and the Public Folder store.
The antivirus software not only performs virus scanning, but also manages file attachment policies. Certain types of file attachments are prone to viruses. The ability to block attachments by file extension is another layer of security for your mail system.
Select the file extensions that you wish to ban from going through your mail system. Both internal and external mail are checked for banned content.
Information that displays when you connect to a remote system.
Advertisement at the top of a Web page.
A MIME transfer encoding method that is used to encode 8-bit formats so that they can be transferred over 7-bit transfer protocols, such as SMTP.
Base64 has a fixed overhead and is best suited for non-text data and for messages that do not have a lot of ASCII text.
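The two transfer encodings defined above (8bit and base64) differ in what the message body is allowed to contain. As an added example, not code from the glossary or from any McAfee product, the following chooses the cheapest encoding a next-hop server can accept: 7bit when the body is already ASCII, 8bit when it has high bytes but still obeys the 998-octet line limit and the CRLF-only rule and the server advertises 8BITMIME, and base64 otherwise. The function names are assumptions; the limits are the ones stated in the entries above.

```python
import base64

MAX_LINE_OCTETS = 998  # per-line limit, excluding the CRLF itself


def line_rules_ok(body: bytes) -> bool:
    """True if CR and LF occur only as CRLF pairs and no line exceeds 998 octets."""
    for line in body.split(b"\r\n"):
        if b"\r" in line or b"\n" in line:      # a bare CR or LF survived the split
            return False
        if len(line) > MAX_LINE_OCTETS:
            return False
    return True


def encode_base64_mime(body: bytes) -> bytes:
    """Base64 with 76-character lines and CRLF line endings, as MIME expects."""
    return base64.encodebytes(body).replace(b"\n", b"\r\n")


def choose_transfer_encoding(body: bytes, server_supports_8bitmime: bool):
    """Return (Content-Transfer-Encoding, encoded body) for the given next hop."""
    if line_rules_ok(body):
        if all(0 < b < 0x80 for b in body):     # 7-bit clean and no NUL octets
            return "7bit", body
        if server_supports_8bitmime:
            return "8bit", body
    # Anything else (8-bit data without 8BITMIME, bare CR/LF, over-long lines,
    # binary) must be wrapped in base64 so it survives a 7-bit transport.
    return "base64", encode_base64_mime(body)


def decode_body(encoding: str, data: bytes) -> bytes:
    """Reverse choose_transfer_encoding(); 7bit and 8bit bodies are passed through."""
    return base64.decodebytes(data) if encoding == "base64" else data


def base64_overhead(body: bytes) -> float:
    """Size ratio of the base64 form to the raw body: 4/3 plus line breaks."""
    return len(encode_base64_mime(body)) / len(body)


if __name__ == "__main__":
    for sample in (b"Hello\r\nworld\r\n", "Héllo\r\n".encode("utf-8"), bytes(range(256))):
        print(choose_transfer_encoding(sample, True)[0], choose_transfer_encoding(sample, False)[0])
    print(f"base64 overhead on 3000 octets: {base64_overhead(bytes(3000)):.3f}")
```

The fixed overhead the entry refers to shows up in base64_overhead(): about 1.37 for any long body, whereas a quoted-printable body would grow in proportion to how many non-ASCII characters it contains.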
A specific script file format (.bat) that runs on Microsoft (R) -compatible operating systems from DOS (R) to Win9x, WinNT, Win2000, Windows (R) XP.
Bayesian learning is a process whereby anti-spam software "learns" what is considered spam and non-spam by analyzing the spam and non-spam email samples submitted by users.
If a user receives an email message that has been incorrectly identified as spam, they can submit that email message for non-spam learning.
If a user receives an email message that has been incorrectly identified as non-spam, they can submit that email message for spam learning.
The more e-mail messages that are correctly submitted and used for training, the greater the chance that spam will be correctly identified in the future.
A database that is used to calculate the probability that an email message contains spam or phish.
Users help "train" the database to recognize spam by sending email samples to an email administrator who then decides if they should be submitted to the database for "learning".
For example, if users receive spam that has been incorrectly identified as non-spam, they can submit those email messages for spam learning. If they receive email messages that have been incorrectly identified as spam, they can submit those email messages for non-spam learning.
The success of bayesian learning depends on a large and accurate database of email samples. If the email samples are incorrectly categorized, they will "poison" the database and reduce the likelihood that spam and phish will be correctly identified in the future.
A method spammers use to avoid detection and reduce the effectiveness of Bayesian learning-based spam scanning. The spammer includes a large amount of legitimate text in their spam messages, usually some paragraphs from a book or a legitimate email, so that it appears the content is legitimate as there are a lot of non-spam words, and only a few spam words.
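The learning database, the scoring it drives, and the padding attack described above, as one added example that is not part of the glossary or of any McAfee product. It is a small naive Bayes filter: each distinct word in a submitted message updates a per-class count, a new message is scored by summing the log-odds of its words, and a spam message padded with legitimate text is shown to slip below the threshold. The training samples, the smoothing and the message texts are constructed for this example.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokens(text: str) -> set:
    """Presence-based tokenisation: each distinct word counts once per message."""
    return set(TOKEN.findall(text.lower()))


class BayesDB:
    """Per-token spam and non-spam counts: the 'database' that user submissions train."""

    def __init__(self):
        self.spam_counts = Counter()
        self.ham_counts = Counter()
        self.n_spam = 0
        self.n_ham = 0

    def learn(self, text: str, is_spam: bool) -> None:
        toks = tokens(text)
        if is_spam:
            self.spam_counts.update(toks)
            self.n_spam += 1
        else:
            self.ham_counts.update(toks)
            self.n_ham += 1

    def token_spamminess(self, tok: str) -> float:
        """P(spam | token) from Laplace-smoothed per-class frequencies, equal priors."""
        p_tok_spam = (self.spam_counts[tok] + 1) / (self.n_spam + 2)
        p_tok_ham = (self.ham_counts[tok] + 1) / (self.n_ham + 2)
        return p_tok_spam / (p_tok_spam + p_tok_ham)

    def spam_probability(self, text: str) -> float:
        """Naive Bayes: add the log-odds of every token, then squash back to [0, 1]."""
        logit = 0.0
        for tok in tokens(text):
            p = self.token_spamminess(tok)
            logit += math.log(p) - math.log1p(-p)
        logit = max(-700.0, min(700.0, logit))   # keep exp() in range for huge messages
        return 1.0 / (1.0 + math.exp(-logit))


# Constructed training samples, as users might submit them.
SPAM_SAMPLES = [
    "cheap viagra pills buy now",
    "buy cheap pills online now",
    "win a free prize click now",
    "free casino bonus click here",
]
HAM_SAMPLES = [
    "meeting agenda for thursday attached",
    "please review the attached quarterly report",
    "lunch on thursday? let me know",
    "the project report is due next week",
]


def build_db() -> BayesDB:
    db = BayesDB()
    for text in SPAM_SAMPLES:
        db.learn(text, is_spam=True)
    for text in HAM_SAMPLES:
        db.learn(text, is_spam=False)
    return db


SPAM_MSG = "buy cheap pills now"
# Bayesian poisoning: the same spam with a chunk of ordinary office text appended.
POISONED_MSG = SPAM_MSG + (" meeting agenda for thursday attached please review"
                           " the quarterly report for the project")

if __name__ == "__main__":
    db = build_db()
    print(f"spam message:     {db.spam_probability(SPAM_MSG):.3f}")
    print(f"poisoned message: {db.spam_probability(POISONED_MSG):.3f}")
```

The poisoned message scores as non-spam because every appended word has a higher frequency in the non-spam counts, and their negative log-odds outweigh the four spam words. The same arithmetic is what makes mis-submitted samples harmful: a spam message learned as non-spam raises the non-spam count of every word it contains, so the damage is proportional to how many words the wrong sample shares with future spam.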
The process of sharing data between wireless infrared-capable hand-held devices within a given distance (for example, within three feet). Information transferred through this method automatically stores in the proper application on the receiver's hand-held device.
See also Personal Digital Assistant (PDA).
See Browser Help Objects.
Bits per second. This is a measure of the speed of a connection, normally used for modems or when downloading files from the Internet.
Definition of black and white signatures.
A list containing email addresses or domains. Messages from these addresses or domains are always treated as spam.
Compare to whitelist. See also spam.
A virus or worm using multiple infection techniques. This can include exploiting program vulnerabilities, Trojan horse behavior, infecting files, Internet propagation routines, network-share propagation routines, and spreading with no human intervention.
For Entercept, rules that indicate which local exceptions, created automatically through the audit mode or explicitly by a client, are not allowed.
A specific host from which Desktop firewall allows you to block communication; the firewall attempts to trace the source of the packets you receive from the blocked host.
Blocking is the act of stopping some kind of communication or connection. For example, a security product could stop an unwanted email message from reaching its destination, or a user accessing a specific web page.
The blue screen of death is the screen displayed by the Microsoft Windows operating system when it cannot recover from a system error. The computer freezes and requires rebooting.
A disk that contains special hidden start-up files and other programs to run a computer, usually specific to the operating system and version. Several types of boot disks are available to an average user, ranging from a standard floppy boot disk to an emergency boot disk or bootable CD. Since most anti-virus programs work best when they can gain complete access to the hard drive, it is important to use a boot disk when disinfecting a computer. In some cases, failure to use a boot disk prevents your anti-virus programs from detecting and removing certain viruses from the computer.
Those areas on diskettes or hard disks that contain some of the first instructions executed by a PC as it boots. Boot records load and execute to load the operating system. Viruses that infect boot records change the records to include a copy of themselves. When the PC boots, the virus program runs and typically installs itself in memory before loading the operating system.
A virus that infects the original boot sector on a floppy diskette. These viruses are particularly serious because information in the boot sector is loaded into memory first, before executing virus protection code. A strict boot sector infector infects only the boot sector, regardless of whether the target is a hard disk or a floppy diskette. Some viruses always attack the first physical sector of the disk, regardless of the disk type.
This term refers to a program that automatically searches for and retrieves information, or generates generic traffic over the network. While bots are not always malicious, the most common are IRC bots that can install other malware or PUPs, distribute lists of compromised machines, and organize zombies for DDoS attacks.
A collection of zombie PCs is called a botnet (short for a robot network). A botnet can consist of tens or even hundreds of thousands of zombie computers. A single PC in a botnet can automatically send thousands of spam messages per day. The most common spam messages come from zombie computers.
For ePolicy Orchestrator, locations on the master repository that allow you to store and distribute different versions of selected updates. These versions are Current, Previous and Evaluation.
See also selective updating.
Definition of branding.
A computer that is a gateway between two networks (usually two LANs) at OSI layer 2.
The broadcast address is a standard TCP/IP address that delivers a message to all machines within a local subnet.
A type of detection where the sensor monitors broadcast packets to identify systems as they request access to the network.
See also DHCP detection.
Browser helper objects are a kind of .DLL file that Internet Explorer allows to alter its behavior. This can include adding new toolbars and menu items, viewing incoming and outgoing traffic, and modifying HTML data before it renders.
An application program that provides ways to look at, and interact with, the world wide web (www). Netscape and Microsoft Internet Explorer are examples of browsers.
Browser hijackers are programs that replace the browser home page, search page, search results, error message pages, or other browser content with unexpected or unwanted content.
A method used to find passwords or encryption keys by trying every possible combination of characters until the code is broken.
Definition of buddy name mapping.
Definition of bypass.
A programming error in a software program that can have unwanted side effects. Some examples include various Web browser security issues and Y2K software problems.
Bytes per second. The capital letter B indicates that this is a measure of 8-bits at a time.
A hacking technique of breaking into a system and finding an undetected place from which to monitor the system, store information, or re-enter the system at a later time.
Stealing credit card numbers online, to be resold or used to charge merchandise against victims' accounts.
See also phish.
A division of an Entercept feature to which you can assign a policy. The IPS feature includes Status and Mode, Protection Level, and IPS Profiles categories.
There are two recording formats for CDs, indicated by the "R" (recordable, write once) and "RW" (rewritable) notations. Once the disks are created, however, both can play back on a normal CD player.
See also DVD±R.
Distributes alert notifications to multiple network users. An example of a centralized alerting system is McAfee Alert Manager. The anti-virus software such as McAfee VirusScan generates alert messages, which are saved to a shared folder on a server. Alert Manager sends alert notifications to users from that folder. When you update contents of the shared folder, Alert Manager sends new alert notifications using such user-configurable alert methods as e-mail messages to a pager. When you receive alerts from the network intrusion prevention systems, you can analyze correlation through drill-downs and then generate reports.
See also Alert Manager.
A certificate is used to prove identity by many cryptographic systems. Many Web sites use certificates to authenticate that the site is genuine. A certificate binds a subject's name to that subject's public key, and is digitally signed by a certificate authority so that a relying party can check the binding.
An office, bureau, or service that issues security certificates.
A type of secure socket layer that authenticates and encrypts data through a certificate that is digitally signed by the certificate authority.
Definition of change log.
Definition of channel filter.
Definition of channel setting.
A script that detects the presence of security products, security patches, or viruses.
A collection of related checks.
See Checking in.
The result of a check is said to be true if the condition specified for the check category is present; for example, the result of a security bulletin check is true if the vulnerability described in the bulletin is present (that is, if the security patch is not installed), and the result of a virus infection check is true if the specified virus is present and active.
For ePolicy Orchestrator; adding files to the master repository.
A method used to transfer HTTP body data as a series of data chunks.
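A decoder for that framing, as an added example that is not code from the glossary or from any McAfee product. Each chunk is a hexadecimal size line (optionally followed by ";" and chunk extensions), the data, and a CRLF; a zero-size chunk ends the body and may be followed by trailer header lines. The decoder is strict on purpose: a size that is not pure hex, a chunk not terminated by CRLF, or a truncated body is rejected, because a gateway that accepts looser input than the server behind it can be made to disagree with that server about where one request ends and the next begins. The function names and the size cap are assumptions.

```python
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def decode_chunked(data: bytes, max_chunk: int = 1 << 20):
    """Return (body, trailers) for a chunked HTTP body; raise ValueError on malformed input."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # chunk-size is 1*HEXDIG; anything after ';' is a chunk extension we ignore.
        size_field = data[pos:eol].split(b";", 1)[0]
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"bad chunk size {size_field!r}")   # rejects ' 4', '+4', '0x4'
        size = int(size_field, 16)
        if size > max_chunk:
            raise ValueError("chunk exceeds size cap")
        pos = eol + 2
        if size == 0:
            break                                   # last-chunk reached
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
        out += chunk
    # Optional trailer section, terminated by an empty line.
    trailers = {}
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing final CRLF after last-chunk")
        line = data[pos:eol]
        pos = eol + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers[name.strip().decode("ascii")] = value.strip().decode("latin-1")
    return bytes(out), trailers


def is_valid_chunked(data: bytes) -> bool:
    """Convenience wrapper: True if decode_chunked() accepts the input."""
    try:
        decode_chunked(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: three chunks spelling out a short sentence, then the last-chunk.
    sample = b"4\r\nWiki\r\n5\r\npedia\r\nE\r\n in\r\n\r\nchunks.\r\n0\r\n\r\n"
    print(decode_chunked(sample))
```

A scanner sitting in an ICAP or proxy path must decode the chunks before inspecting the content; it is the decoded byte stream, not the framing, that carries the payload it is looking for.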
If an item is described as "clean", the item being scanned has not triggered one of the scanning rules. For example, if an email message has been scanned for viruses, no viruses were detected. If it was being scanned for potential spam, spam was not detected.
Alternatively, it describes an item that has been cleaned.
See also Cleaning.
Anti-virus software that scans your system and optionally cleans infected files. It includes its own built-in operating system that loads as soon as you switch on your computer (with the CleanBoot media loaded in the appropriate drive).
See also Cleaning.
Anti-virus software that scans your system and optionally cleans (repairs) infected files. It comes on either floppy disks or a CD, and includes its own built-in operating system that loads as soon as you switch on your computer (with the CleanBoot media loaded in the appropriate drive).
A utility that allows you to create a customized version of CleanBoot. You can configure the software to a variety of scanning options, including how extensively it scans, whether it cleans infected files, and whether it produces a log file.
See also Cleaning.
A scanner's action after it detects a virus, Trojan horse, worm, or Potentially Unwanted Program (PUP). The cleaning action can include removing malicious code from a file and restoring the file to usability; removing references to the file from system files, system INI (.ini) files, and the registry; ending the process generated by the file; deleting a macro or a Microsoft (R) Visual Basic script that is infecting a file; deleting a file if it is a Trojan horse, worm, or belongs to a PUP; or renaming a file that it cannot clean.
A computer system or process that requests a service of another computer system or process (a server) using a protocol and accepts the server's responses. A client is part of a client-server software architecture. For example, a workstation that requests the contents of a file from a file-server is a client of the file-server.
Short for "command." An executable file that contains instructions to do something on your computer. COM (.com) files are for DOS-based systems and tend to run faster than EXE (.exe) type programs. Viruses often infect COM files. When the COM file executes, the virus executes as well, often loading itself into memory. Note: The Microsoft (R) Windows (R) operating system treats files with a COM extension the same as other executable type files. Some viruses and Trojan horses use a filename ending in COM (for example, http://virus.com). Typically, these portable executable files are not real COM files.
This is a text-based interface that launches and configures an application from the command line. An example is the McAfee Command Line Scanner, scan.exe, which takes various parameters, including which files to scan.
The McAfee (R) anti-virus scanner that runs from the command prompt.
A standard reference system to identify vulnerabilities in software. This ensures consistency in naming types of vulnerability.
See http://cve.mitre.org for more detailed information.
A standard reference system to identify viruses and other malware. This system is to reduce confusion caused when different security vendors give different names or aliases for the same threat.
See http://cme.mitre.org/ for more detailed information.
A viral program that does not actually attach to another program, but uses a similar name and program precedence rules to associate itself with the regular program.
To convert a high-level program into a machine language program. A "compiler" program performs this conversion and reports the syntax errors it finds while compiling.
Short for communications or serial port. The COM port is a location that sends and receives serial data transmissions. The ports are named COM1, COM2, COM3.
An option in some McAfee (R) products that scans for files that have been packed.
See packed executable.
A rule that defines unacceptable content, such as a specific swear word in an email message. Content rules can be applied through the use of content policies, and specific actions taken when those rules are broken.
Cookies are small text files that many Web sites use to store information about pages visited and other settings (temporary or persistent). For example, cookies might contain login or registration information, shopping cart information, or user preferences. When a server receives a browser request that includes a cookie, the server can use the information stored in the cookie to customize the Web site for the user.
The content of some email messages can become corrupt, which means that the content of the email message cannot be scanned.
Corrupt content policies specify how email messages with corrupt content are handled when detected.
DAT file updates released once a day.
Database optimization recovers disk space taken up by deleted database records.
Detection definition files, also referred to as signature files, that identify the code that anti-virus and anti-spyware software detects and repairs: viruses, Trojan horses and Potentially Unwanted Programs (PUPs).
See also Incremental DATs, Daily DATs, SUPER.DAT, EXTRA.DAT.
See Distributed Denial of Service (DDOS).
Changing the home page or other key pages of a Web site by an unauthorized individual or process.
In McAfee (R) VirusScan (R) Enterprise, any process that is not defined as a low-risk or high-risk process.
A means of attack against a computer, server or network. The attack is either intentional or an accidental by-product of code that is launched from a separate network- or Internet-connected system, or directly from the host. The attack is designed to disable or shut down the target, disrupting the system's ability to respond to legitimate connection requests. A denial-of-service attack overwhelms its target with false connection requests, so that the target cannot service legitimate ones.
1. A computer used primarily to perform tasks for individuals rather than acting as a service provider.
2. A personal computer or workstation designed to reside on or under a desktop.
A program that acts as a filter between your computer and the network or Internet. It can scan all incoming and all outgoing traffic sent from your computer at the packet level, and decides to block or allow the traffic based on both default and custom rules.
An accent symbol above or below a letter, which changes how that letter should be pronounced.
Software that redirects Internet connections to a party other than the user's default ISP to run up additional connection charges for a content provider, vendor, or other third party.
An attempt by spammers to increase their mailing lists. During a DHA, spammers try to deliver messages to several similar addresses such as network_user@example.com, network.user@example.com, and networkuser@example.com. Any addresses that the mail server does not reject are considered to be valid. These addresses are collected and sold to other spammers.
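Detection logic for the pattern just described, as an added example that is not part of the glossary or of any McAfee product: a harvest shows up in the mail log as one client address collecting many distinct "recipient rejected" responses in a short time, so the detector counts distinct rejected recipients per client within a sliding window. The log format, the sample lines, the window and the threshold are all constructed for this example; a real server's log lines would need their own parser, but the counting is the same.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed SMTP log excerpt (not real Postfix or Sendmail output). The first
# client tries the address variants from the glossary entry in quick succession.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=198.51.100.7 rcpt=<network_user@example.com> status=reject
2024-05-01T10:00:02 client=198.51.100.7 rcpt=<network.user@example.com> status=reject
2024-05-01T10:00:02 client=198.51.100.7 rcpt=<networkuser@example.com> status=reject
2024-05-01T10:00:03 client=198.51.100.7 rcpt=<nuser@example.com> status=reject
2024-05-01T10:00:04 client=198.51.100.7 rcpt=<n.user@example.com> status=reject
2024-05-01T10:00:05 client=198.51.100.7 rcpt=<alice@example.com> status=accept
2024-05-01T10:00:07 client=203.0.113.9 rcpt=<bob@example.com> status=accept
2024-05-01T10:00:09 client=203.0.113.9 rcpt=<bobb@example.com> status=reject
2024-05-01T10:30:00 client=192.0.2.33 rcpt=<old.user@example.com> status=reject
2024-05-01T10:45:00 client=192.0.2.33 rcpt=<older.user@example.com> status=reject
"""

LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)$"
)


def parse(log_text: str):
    """Yield (timestamp, client_ip, recipient, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], m["status"]


def detect_dha(log_text: str, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Return {client_ip: peak_distinct_rejected_recipients} for clients that, within
    any window of window_seconds, had at least threshold distinct recipients rejected."""
    rejects = defaultdict(list)
    for ts, ip, rcpt, status in parse(log_text):
        if status == "reject":
            rejects[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        peak = 0
        # For each event, look back over the window that ends at it.
        for i, (t_end, _) in enumerate(events):
            in_window = {r for t, r in events[: i + 1]
                         if (t_end - t).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(detect_dha(SAMPLE_LOG))
    print(detect_dha(SAMPLE_LOG, window_seconds=3600, threshold=2))
```

Counting distinct recipients rather than raw rejections keeps a single misconfigured sender that retries one bad address from tripping the rule. The harvest itself works only because each invalid recipient is rejected at RCPT TO, so the usual mitigations are on the server side: rate-limiting or tarpitting clients after a few unknown recipients, or accepting and discarding mail for unknown users so the attacker learns nothing.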
A disclaimer is a piece of text - typically a legal statement - that is added to an email message.
An infection method by a malware author used to hide the author's presence, particularly from desktop firewalls. The malware author codes the threat to inject an additional DLL into an existing, already running application, making any requests to access the disk or network appear as if the original application were making them.
A DNS-based blackhole list (DNSBL) is a list of IP addresses, published as a DNS zone, that are known to send spam or to act as open mail relays. A mail server queries the list with the connecting client's IP address and can reject, or add a spam score to, mail from listed addresses.
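The lookup itself, as an added example that is not part of the glossary or of any McAfee product. The query name is the client address with its octets reversed, prefixed to the list's zone, and a listing is signalled by an answer in 127.0.0.0/8; any other answer is a misbehaving zone or a wildcard and must not be treated as a listing. The zone name, the stub resolver and its answers are constructed for this example (127.0.0.2 is the conventional always-listed test address that public lists document); the real resolver path uses socket.gethostbyname and is not exercised offline.

```python
import ipaddress
import socket


def dnsbl_query_name(ip: str, zone: str) -> str:
    """198.51.100.7 against zone dnsbl.example becomes 7.100.51.198.dnsbl.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name: str) -> list:
    """Resolve via the OS resolver; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def dnsbl_lookup(ip: str, zone: str, resolve=system_resolve) -> list:
    """Return the 127.0.0.x return codes for ip in zone, or [] if it is not listed."""
    answers = resolve(dnsbl_query_name(ip, zone))
    # Only 127.0.0.0/8 answers are listing codes; anything else (for example a
    # zone that has been taken over by a wildcard DNS record) is ignored.
    return [a for a in answers if ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")]


# Constructed stand-in for a DNSBL zone, keyed by query name.
FAKE_ZONE = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],                 # the test address
    "7.100.51.198.dnsbl.example": ["127.0.0.2", "127.0.0.4"],  # listed twice over
    "9.113.0.203.dnsbl.example": ["93.184.216.34"],           # wildcard hijack, not a listing
}


def fake_resolve(name: str) -> list:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for client in ("127.0.0.2", "198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(client, dnsbl_lookup(client, "dnsbl.example", fake_resolve))
```

Two operational caveats follow from the code: a lookup that fails because the list's DNS is down returns [] and the mail is let through, so a DNSBL is a scoring input rather than the only gate; and the address queried must be the connecting client, never an address taken from the message headers, which the sender controls.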
This is the Internet standard that matches names such as www.mcafee.com to the IP address that routes packets to an Internet-connected computer.
A computer program designed to download files from the Internet.
See also Trojan horse.
See McAfee download site.
Installing malware or potentially unwanted programs merely by viewing an e-mail or Web page on an improperly patched system.
An executable file that, when run, "drops" a virus or Trojan horse. A dropper's purpose is to create a virus or Trojan horse and then execute it on the user's system.
Recordable DVD. There are two competing recording formats for DVDs which are the "+" and "-" symbols. Once the disks are created, however, both play back on a normal DVD player.
The European Institute of Computer Anti-Virus Research has developed a string of characters used to test anti-virus software installation and operation. The EICAR test file is an important file for any serious anti-virus software user. See http://www.eicar.org/.
Contained within the body of another message.
For example, an HTTP message that is contained within the body of an ICAP message is said to be encapsulated in the ICAP message body.
Some email messages can be encrypted, which means that the content of those email messages cannot be scanned.
Encrypted content policies specify how encrypted email messages are handled when detected.
See also Encryption.
A change made to data, code, or a file so it must be processed (decrypted) before a system can read or access it. Viruses may use encryption to hide their viral code and thus attempt to escape detection. Viruses may also encrypt (change) code or data on a system as part of their payload. One of the most common forms of encryption in the "real world" today is password protection on ZIP (.zip) files.
A legal contract between the producer of a piece of software and its user. The EULA may contain limitations on how you can use or remove the product, or disclose functionality of the product that may not be readily apparent.
A software program used by anti-virus and anti-spyware programs to scan a user's systems for viruses and other malware using DAT files.
A McAfee (R) solution to manage security applications and suites from a central console. It helps organizations streamline their security process and enforce protection policies.
A utility that tracks and logs failures in the McAfee (R) software on your system. You can use this information to help analyze problems.
An executable file is a program that launches a set of operations on your computer. For example, tank.exe may be a tank game. Files with different extensions, like .dll, are often support files for an .EXE program. Viruses commonly infect EXE files. After such an infection, the virus runs each time the program runs.
Refers to the code the scan program produces after it completes a scan. Exit codes identify any viruses or problems found during a scan operation. You can use exit codes in batch scripted operations to determine what happens next.
Using defects in software code or function on a system to elevate privileges, execute code remotely, cause denial of service, or other attacks.
Instead of containing data in the body of a MIME message, the body can contain a reference to the content.
The MIME message body or body part has a content type of Message/External-Body.
A supplemental virus definition file created in response to an outbreak of a new virus or a new variant of an existing virus.
See also DAT files, incremental DAT files, and SUPER.DAT.
Improper detection of a clean file. Heuristic and generic detection methods can protect users from threats that have not yet been discovered. However, these techniques can also produce false detections, called false alarms or false positives.
File Allocation Table. Describes both the area of a disk that stores the list of files and a formatting system for disk drives. Some malware deliberately overwrites the FAT on a disk to destroy data.
File Allocation Table (32-bit). An extension to the FAT system to support larger disks (long file name support came separately, with VFAT).
A virus that attaches itself to or associates itself with a file. File infectors usually append or prepend themselves to regular program files or overwrite program code. The file-infector class also refers to programs that do not physically attach to files, but associate themselves with program file names.
A set of programs installed on a gateway server, designed to protect the network's resources from users on other networks. A firewall filters and routes incoming traffic and makes outgoing requests (to the Internet, for example) on behalf of local workstations.
See also Desktop Firewall.
Similar to DDoS only in the nature of the attack. FDoS programs are singular in form: there are no other components of the attack structure. FDoS attacks intend to disable or shut down the target.
File Transfer Protocol, used historically to transfer files between systems. The standard FTP control port is TCP Port 21 in IP networking terminology.
The acronym for "General Test mail for Unsolicited Bulk Email," a test to verify that anti-spam software is operating correctly.
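Recognising both test strings, as an added example that is not part of the original glossary or of any McAfee product: the two strings are the ones published by eicar.org and by the GTUBE specification (as documented by SpamAssassin), the size and trailing-whitespace rules for a valid EICAR file are EICAR's, and the sample file names and verdict labels are constructed for the demonstration.

```python
"""Recognise the EICAR anti-virus and GTUBE anti-spam test strings."""

# Published test strings (eicar.org; GTUBE as documented by SpamAssassin).
# Raw bytes literal: the EICAR string contains a literal backslash.
EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE_STRING = b"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

EICAR_MAX_FILE_SIZE = 128   # EICAR's rule: 68-byte string, optional whitespace, <= 128 bytes


def is_eicar_file(data: bytes) -> bool:
    """True if `data` is an EICAR test file as eicar.org defines it:
    it starts with the 68-byte string and anything after it is whitespace."""
    if len(data) > EICAR_MAX_FILE_SIZE or not data.startswith(EICAR_STRING):
        return False
    return data[len(EICAR_STRING):].strip(b" \t\r\n") == b""


def contains_gtube(message: bytes) -> bool:
    """True if the GTUBE string occurs anywhere in a message; an anti-spam
    engine is expected to score such a message as spam regardless of the rest."""
    return GTUBE_STRING in message


def classify(samples: dict) -> dict:
    """Map each sample name to the verdict a scanner / anti-spam engine should give."""
    verdicts = {}
    for name, data in samples.items():
        if is_eicar_file(data):
            verdicts[name] = "EICAR test file"
        elif contains_gtube(data):
            verdicts[name] = "GTUBE test mail"
        else:
            verdicts[name] = "clean"
    return verdicts


# Constructed samples for a self-check (not real files from any product).
SAMPLES = {
    "eicar.com": EICAR_STRING,
    "eicar-crlf.com": EICAR_STRING + b"\r\n",
    "eicar-padded.txt": b"prefix " + EICAR_STRING,        # string not at offset 0
    "gtube.eml": b"Subject: spam test\r\n\r\n" + GTUBE_STRING + b"\r\n",
    "readme.txt": b"nothing to see here\r\n",
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:18} {verdict}")
```

A file with the string at a non-zero offset ("eicar-padded.txt") is not a valid EICAR file under the published rules, although many scanners still flag it; conversely, anything that saves this text to disk, including this page, will trip a scanner that matches on the substring alone.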
Hacker tools are often security utilities that are as adept at helping administrators secure their environment as helping attackers gain entry to it.
A term used to refer to non-spam messages.
See also Spam.
A small device, such as a pocket PC, personal digital assistant (PDA) or wireless phone, often with wireless capability.
A scanning method that looks for virus-like behavior patterns or activities rather than known signatures. Most leading packages include a heuristic scanning method to detect new or not-yet-known viruses in the field.
Short for "hexadecimal." A numerical system with a base of 16. Because there are more than 10 digits, values 10 through 15 are represented by letters A through F respectively. This system is useful in computers because it maps easily from four bits to one hex digit.
In McAfee (R) VirusScan (R) Enterprise, processes that McAfee considers to have a higher possibility of being infected or accessing infected files. For example, processes that launch other processes, such as Microsoft (R) Windows Explorer or the command prompt; processes that execute macro or script code, such as WINWORD or CSCRIPT; processes to download from the Internet, such as browsers, instant messengers, and mail clients.
See also default process and low-risk process.
McAfee (R) Host-based Intrusion Prevention System, which defends desktops and servers with combined signature, behavioral, and firewall protections.
See also Network Intrusion Prevention System (NIPS) and Intrusion Prevention System (IPS).
Usually a fraudulent e-mail that gets sent in chain-letter fashion, describing some devastating, highly unlikely type of virus or other large, usually negative event. Hoaxes are recognizable because they have no file attachment, give no reference to a third party who can validate the claim, and have an overly dramatic tone.
Any computer on the Internet that has full two-way access to other computers on the Internet.
A security application that functions by virtue of being installed on and protecting each node (host computer) in a network.
See also Host IPS.
Intermediate releases of the product that repair specific issues.
Hypertext Transfer Protocol, used to transfer HTML documents and other Web content. The standard port is TCP port 80; port 443 is used for HTTPS (HTTP over SSL/TLS). Many companies also use port 8080.
The Internet Content Adaptation Protocol (ICAP) allows ICAP clients to pass HTTP messages to ICAP servers for some kind of processing or transformation (known as adaptation).
Software that sends ICAP requests to the ICAP server for processing, and receives ICAP responses from the ICAP server.
A device, such as a web cache, that intercepts HTTP messages and uses its ICAP client capabilities to redirect those messages to an ICAP server for processing.
A request made by an ICAP client to an ICAP server for an ICAP service.
Information contained in an ICAP request that tells the ICAP server what type of service is required and controls certain aspects of the ICAP transaction.
A response made by an ICAP server to an ICAP request from an ICAP client.
Information contained in an ICAP response that tells the ICAP client about the ICAP response and controls certain aspects of the ICAP transaction.
A device that provides ICAP services to ICAP clients.
Services offered by ICAP servers to ICAP clients.
For example, the ICAP REQMOD request modification service and the RESPMOD response modification service.
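The RESPMOD exchange described above, as an added example (not code from the original page or from any ICAP product): an ICAP client frames an intercepted HTTP response inside a RESPMOD request, and a toy server either replaces the response (ICAP 200 with a new res-hdr and res-body) or, because the client offered Allow: 204, answers 204 No Content. The service URI icap.example.net, the HTTP exchange and the BLOCKED-CONTENT marker are constructed for the demonstration; the framing, chunked body and Encapsulated offsets follow RFC 3507.

```python
"""ICAP (RFC 3507) RESPMOD round trip: the client's request, a toy server's
decision, and its response, with the Encapsulated offsets computed, not typed."""

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """HTTP chunked transfer coding; ICAP requires it for encapsulated bodies."""
    data = f"{len(body):x}".encode() + CRLF + body + CRLF if body else b""
    return data + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    out, pos = b"", 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                                 # chunk data + its CRLF


def build_icap(start_line: str, headers: dict, sections: list) -> bytes:
    """Assemble an ICAP message. `sections` is an ordered list of (name, bytes)
    such as req-hdr, res-hdr, res-body; a *-body section must come last and is
    chunked. The Encapsulated header records each part's byte offset."""
    encap, offsets, pos = b"", [], 0
    for name, data in sections:
        offsets.append(f"{name}={pos}")
        if name.endswith("-body"):
            data = chunked(data)
        encap += data
        pos += len(data)
    if not sections or not sections[-1][0].endswith("-body"):
        offsets.append(f"null-body={pos}")              # RFC 3507: no body present
    lines = [start_line] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append("Encapsulated: " + ", ".join(offsets))
    return CRLF.join(line.encode() for line in lines) + CRLF + CRLF + encap


def parse_icap(message: bytes) -> dict:
    """Split an ICAP message into start line, headers and decoded sections."""
    head, _, encap = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.decode().partition(":")
        headers[key.strip().lower()] = value.strip()
    entries = [e.strip().split("=") for e in headers["encapsulated"].split(",")]
    sections = {}
    for i, (name, offset) in enumerate(entries):
        if name == "null-body":
            continue
        start = int(offset)
        end = int(entries[i + 1][1]) if i + 1 < len(entries) else len(encap)
        part = encap[start:end]
        sections[name] = dechunk(part) if name.endswith("-body") else part
    return {"start_line": lines[0].decode(), "headers": headers, "sections": sections}


# Constructed HTTP exchange that the ICAP client (e.g. a web cache) intercepted.
REQ_HDR = b"GET /index.html HTTP/1.1" + CRLF + b"Host: www.example.com" + CRLF + CRLF
RES_HDR = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html" + CRLF + CRLF
BLOCK_MARKER = b"BLOCKED-CONTENT"   # stand-in for whatever the policy engine matches


def build_respmod(res_body: bytes) -> bytes:
    """Client side: ask the (assumed) service icap://icap.example.net/respmod to
    adapt the response; Allow: 204 permits the server to answer 'unchanged'."""
    return build_icap("RESPMOD icap://icap.example.net/respmod ICAP/1.0",
                      {"Host": "icap.example.net", "Allow": "204"},
                      [("req-hdr", REQ_HDR), ("res-hdr", RES_HDR), ("res-body", res_body)])


def respmod_service(request: bytes) -> bytes:
    """Server side: replace responses containing BLOCK_MARKER, otherwise 204."""
    req = parse_icap(request)
    istag = {"ISTag": '"policy-v1"'}
    if BLOCK_MARKER in req["sections"].get("res-body", b""):
        body = b"<html><body>Blocked by policy</body></html>"
        res_hdr = (b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/html" + CRLF
                   + b"Content-Length: " + str(len(body)).encode() + CRLF + CRLF)
        return build_icap("ICAP/1.0 200 OK", istag, [("res-hdr", res_hdr), ("res-body", body)])
    if req["headers"].get("allow") != "204":
        # Without Allow: 204 the server must echo the unmodified response.
        return build_icap("ICAP/1.0 200 OK", istag,
                          [("res-hdr", req["sections"]["res-hdr"]),
                           ("res-body", req["sections"]["res-body"])])
    return build_icap("ICAP/1.0 204 No Content", istag, [])


if __name__ == "__main__":
    for page in (b"<html>hello</html>", b"<html>BLOCKED-CONTENT</html>"):
        print(respmod_service(build_respmod(page)).decode(errors="replace"))
```

The part worth checking in real traffic is the Encapsulated header: each offset is a byte position into the section that follows the ICAP blank line, so any change to an encapsulated header line shifts every later offset, and the body (or null-body) must be listed last. A server that answers 204 when the client did not send Allow: 204 is violating the protocol, which is why the second branch above echoes the unchanged response instead.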
New virus definitions that supplement the currently installed definitions, available for up to 15 days. Incremental DATs allow the update utility to download only the changes to the DAT files rather than the entire DAT file set.
See also DAT files, EXTRA.DAT file and SUPER.DAT.
Files are said to be "infected" when malicious code has been inserted into them by a virus. Computer systems are "infected" if a virus or Trojan horse is installed and running on that system. Static malware (viruses and Trojan horses whose entire code is malicious) is also said to be "infected." If a potentially unwanted program is installed on a system, the system is NOT considered "infected," even though there may be other consequences.
This is the size, in bytes, of the viral code inserted into a program by the virus. If this is a worm or Trojan horse, the length represents the size of the file.
A place for programs to store instructions or settings that load when booting an operating system. Virus authors often use the WIN.INI, SYSTEM.INI, and WININIT.INI files.
A condition in an operating system or application in which attacker-supplied input manipulates an integer value (for example, a length or count that wraps past its maximum), so that a subsequent allocation or copy is sized incorrectly and memory is corrupted.
A preemptive approach to host and network security used to identify and quickly respond to potential threats. An intrusion prevention system (IPS) monitors individual hosts and network traffic. Because an attacker might carry out an attack immediately after gaining access, intrusion prevention systems can also take immediate action as preset by the network administrator.
See also Host IPS and Network Intrusion Prevention System (NIPS).
Identifies a host on a TCP/IP network and specifies routing information. Each host on a network has a unique IP address, consisting of a network ID plus a host ID that is unique within that network. An IPv4 address is usually written in dot-decimal notation, four decimal values separated by periods (for example, 123.45.6.24).
IRC is a multi-user chat system in which people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups or privately. The system also lets participants distribute executable content. Note: many worms and Trojan horses use IRC as a command-and-control channel to return data to the malware author, who can then instruct the infected machines to execute commands, from launching a DDoS attack to infecting other machines.
When two independent researchers identify the same virus in circulation within a one-year period, that virus is defined as being "in the wild." About 450 viruses exist in the wild at any one time.
Software that claims to harm a computer, but has no malicious payload or use, and does not impact security or privacy states, but that may alarm or annoy a user.
Software that intercepts data between the user entering it and the intended recipient application. Trojan key loggers and PUP key loggers are functionally identical; McAfee (R) software detects both types to prevent privacy intrusions.
Layered Service Providers are DLLs that use Winsock APIs to insert themselves into the TCP/IP stack. Once in the stack, layered service providers can intercept and modify inbound and outbound Internet traffic.
An activity record of McAfee (R) anti-virus software. Log files record actions during installation, scanning, or updating.
A program that allows a Trojan horse to lie dormant and then attack when the conditions are just right.
In McAfee (R) VirusScan (R) Enterprise, processes that McAfee considers to have a lower possibility of being infected or accessing infected files, such as backing up software or code compiler/linker processes.
See also default process and high-risk process.
A macro is a saved set of instructions that users may create or edit to automate tasks within certain applications or systems.
A macro virus is a malicious macro that a user may execute inadvertently and that may cause damage or replicate itself.
A program or code segment written in the application's internal macro language. Some macros replicate or spread. Others simply modify documents or other files on the user's machine without spreading, such as a Trojan horse.
A malicious program. Viruses and Trojan horses are examples of malware. Potentially unwanted programs (PUPs) are not considered malware.
A virus that infects the system's master boot record on hard drives and the boot sector on floppy diskettes. This type of virus takes control of the system at a low level by activating between the system hardware and the operating system. An MBR/boot sector virus loads into memory during boot-up, before virus-detection code executes.
The McAfee (R) Web site that holds product and DAT update files.
A computer algorithm that calculates a "hash value", a fixed-size number derived from a string of data such as a text file or an EXE file. A matching hash value shows that a file is unmodified only as long as nobody can produce a different file with the same hash; MD5 is no longer collision resistant, so a stronger algorithm such as SHA-256 should be used for integrity checks.
This is a catch-all term for all removable tapes, disks, or CD/DVDs that store code and data for use on a PC.
A program that stays in the active RAM of the computer while other programs run, such as accessory software, activity monitoring, and resident scanning software. Viruses often attempt to "go resident." An activity monitor can check for memory-resident functions.
Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer of non-ASCII formats over protocols, like SMTP, that only support 7-bit ASCII characters.
MIME defines different ways of encoding the non-ASCII formats so that they can be represented using characters in the 7-bit ASCII character set.
MIME also defines additional email and file headers that describe the content and how it was encoded.
The resulting MIME message can be "decoded" or "re-encoded" after transmission. We say "re-encoded", because the MIME messages can be converted into a different character set from the original message.
MIME supports additional email headers that contain information about the MIME message. For example, the headers provide information about the content of the file, the transfer encoding used, and the MIME version number.
A MIME header can contain information about the type of content contained in a MIME message. For example, the header could specify that the file contains text/plain, where text is the type and plain is the sub-type. The combination of type and subtype is known as the MIME type or Internet media type.
See MIME; MIME Header; Multi-part MIME message and Partial MIME message.
A MIME message can contain more than one MIME type. For example, a multi-part MIME message could contain both plain text (type text/plain) and HTML text (type text/html).
See MIME; MIME Header; MIME Type, and Partial MIME message.
Code or software that is transferred from a host to a client or to another host to be executed at the destination. A worm is an example of malicious mobile code.
A virus that infects master boot records, boot sectors, and files.
Namespace providers are DLLs that utilize Winsock APIs to insert themselves into the TCP/IP stack. Namespace providers can redirect traffic from one site to an intermediary.
Nesting is the term used when one file contains another file. For example, a compressed file such as a .ZIP file could contain another .ZIP file, which in turn contains another .ZIP file, and so on, creating several layers of nesting.
It can take some time to scan large and complex file structures that contain many levels of nesting. To prevent denial-of-service attacks that exploit nesting, you can restrict a scanner, so that it only scans to a predefined depth of nesting.
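One way to enforce such a limit, as an added example that is not part of the page or of any McAfee scanner: nested ZIP archives are opened only to MAX_DEPTH levels, and each member's declared uncompressed size is charged against a budget before it is read, which also stops the related "zip bomb" attack (a small archive that expands to gigabytes). The limits, the nest() helper that builds the test input and the member names are constructed for the demonstration.

```python
"""Bounded-depth scan of nested ZIP archives (anti-DoS nesting limit)."""
import io
import zipfile

MAX_DEPTH = 3               # deepest archive level the scanner will open
MAX_TOTAL_BYTES = 1 << 20   # uncompressed byte budget across all levels


class ScanLimitExceeded(Exception):
    """Raised when the nesting depth or decompression budget is exhausted."""


def scan_zip(data: bytes, depth: int = 0, path: str = "archive.zip", budget=None) -> list:
    """Return (member path, size) for every non-archive member, descending into
    nested ZIPs until MAX_DEPTH; raise ScanLimitExceeded beyond that, or once
    more than MAX_TOTAL_BYTES would have to be decompressed."""
    if depth > MAX_DEPTH:
        raise ScanLimitExceeded(f"nesting deeper than {MAX_DEPTH} at {path}")
    budget = [MAX_TOTAL_BYTES] if budget is None else budget   # shared across levels
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Charge the declared size before reading: a tiny archive can declare
            # an enormous member, so the check must come before decompression.
            budget[0] -= info.file_size
            if budget[0] < 0:
                raise ScanLimitExceeded(f"decompression budget exhausted at {path}")
            member = zf.read(info)
            inner = f"{path}/{info.filename}"
            if zipfile.is_zipfile(io.BytesIO(member)):
                found.extend(scan_zip(member, depth + 1, inner, budget))
            else:
                found.append((inner, len(member)))
    return found


def nest(payload: bytes, levels: int) -> bytes:
    """Constructed test input: wrap payload in `levels` nested ZIP archives."""
    data, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"inner{i + 1}.zip"
    return data


def scan_outcome(data: bytes) -> str:
    """Summarise a scan as 'ok' or the limit that stopped it."""
    try:
        scan_zip(data)
        return "ok"
    except ScanLimitExceeded as exc:
        return "limit: " + str(exc)


if __name__ == "__main__":
    print(scan_zip(nest(b"hello", 4)))
    print(scan_outcome(nest(b"hello", 5)))
    print(scan_outcome(nest(b"A" * (2 << 20), 1)))
```

Which policy applies when a limit is hit is a separate decision: a scanner that silently stops at the limit leaves the deeper content unscanned, so most products let the administrator choose between treating an over-limit archive as clean, blocking it, or quarantining it.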
A virus or worm can be considered network aware when one of its propagation methods is to search the network for open shares.
Software or a device that monitors network traffic and prevents attacks on a network or system. McAfee (R) IntruShield (R) is a NIPS system.
See also Host IPS, Intrusion Prevention System (IPS).
The default formatting system for disk drives used by Microsoft Windows (R) NT, Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft has updated the NTFS specification to cope with such new features as larger hard disks and spanned drive support.
Examining files every time they are opened, copied or saved to determine if they contain a virus or other potentially unwanted code.
Compare to On-demand scanning.
A scheduled examination of selected files to find a virus or other potentially unwanted code. It can take place immediately on user request, at a scheduled future time, or at regularly-scheduled intervals.
Compare to On-access scanning.
The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform such basic tasks as recognizing keyboard input, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices, such as disk drives and printers. Examples of operating systems include DOS (R), Microsoft Windows (R), Sun (R) OS, Unix, Linux, FreeBSD, PalmOS, and MacOS.
The OSI reference model defines a layered framework for network communication. The purpose of the model is to help vendors create products that can communicate with each other, despite differences in their underlying implementation.
The OSI model defines 7 functional layers. Each layer has its own protocol and standards that define communication at that level. The layers are: Physical, Data-link, Network, Transport, Session, Presentation, and Application.
Control is passed from one layer to the next. For example, control on the sending devices passes from the application layer through the other layers to the physical layer. It then passes across the network to the receiving device, where it travels from the physical layer up the protocol stack to the application layer.
Although the intention was to create a system open to all, alternative organizations have created their own protocol stacks. For example, there is an Internet suite, which includes TCP/IP, and Apple's AppleTalk. Also see Protocol and Protocol stack.
A request made by a client to a server for information about that server's configuration.
See Operating System (OS).
A series of algorithms to determine a remote host's operating system, architecture, platform, or device type. This process may involve TCP/IP stack fingerprinting as well as application-layer protocol tests.
See also Vulnerability Assessment.
A virus that overwrites files with its own viral code. There is no way to recover the original data from such an infection except to retrieve the files from backups.
Executable files can be compressed with a packer that shrinks and possibly encrypts the original code. The packed executable will decompress and/or decrypt itself in memory while it is running, so that the file on disk is never similar to the memory image of the file. Packers are designed to avoid security software, prevent reverse engineering, or supply some level of copy protection.
A virus that modifies existing files on a disk, injecting its code into the file where it resides. When the user runs the infected file, the virus runs too.
See also File infector.
If the content in the body of a MIME message is too large to pass through the mail transfer system, the body can be passed as a number of smaller MIME messages. These MIME messages are known as "partial MIME messages", because each MIME message contains only a fragment of the total message that needs to be transmitted.
See MIME, MIME Header; MIME Type, and Multi-part MIME message.
Software designed to enable a user or administrator to recover lost or forgotten passwords from accounts or data files. In the hands of an attacker, these tools open access to confidential information, so they can be a security and privacy threat.
It is possible to password protect a file that is sent by email. Password-protected files cannot be scanned.
Password-protected file policies specify how email messages that contain a password-protected file are handled.
A type of Trojan horse used specifically to steal users' passwords.
Intermediate releases of a product that address specific issues.
The "cargo" code in a virus rather than the portions used to avoid detection or replicate. The payload code can display text or graphics on the screen, or it may corrupt or erase data. Not all viruses actually contain a deliberate payload. However, these affect CPU usage, hard-disk space, and the time it takes taken to clean them.
Payload can also refer to the data or packets sent during an attack.
See also Shellcode.
Short for "Personal Digital Assistant." A hand-held device that combines computing, telephone/fax, Internet and networking features.
A method of redirecting Internet traffic to a fake Web site through domain spoofing. This involves creating a fake DNS record for a real Web site, typically that of a bank or other commercial enterprise, so that traffic meant for the real Web site goes to the fraudulent site, which gathers customers' personal information. For example, when a user types the URL of a bank into their browser, the browser does a DNS lookup to determine the IP address of the bank's Web site. DNS servers store a list of domains and their corresponding IP addresses. Attackers insert false information into the DNS server (or its cache), so that browsers looking up the bank's IP address are directed to the fake address instead. On the visitor's browser, the site appears legitimate.
A method of fraudulently obtaining personal information, such as passwords, social security numbers, and credit card details, by sending spoofed email messages that look like they come from trusted sources, such as banks or legitimate companies. Typically, phishing email messages ask recipients to click a link in the email to verify or update contact details or credit card information. Like spam, phishing email messages go to a large number of email addresses in the expectation that some recipients will read the message and disclose their personal information.
Indicates that the email message could be phishing for personal financial information.
A basic Internet program that lets you verify that a particular Internet address exists and can accept requests; also the act of using the ping utility or command. You can ping diagnostically to make sure that a host computer that you are trying to reach is actually online.
A method of overwhelming a host or network with ping (ICMP echo request) packets.
A hacking technique used to cause a denial-of-service attack by sending a target an ICMP packet larger than the maximum IP packet size, delivered as fragments. As the target tries to reassemble the fragments, the packet overflows the buffer and can cause the target to reboot or freeze.
A virus that attempts to evade detection by changing its internal structure or its encryption techniques. Polymorphic viruses change form with each infection to avoid detection by anti-viral software scanning for signature forms. Less sophisticated systems are referred to as self-encrypting.
A virus that can change its byte pattern when it replicates, thereby avoiding detection by simple string-scanning techniques.
A hardware location for passing data in and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, as well as external ports, for connecting modems, printers, mice, and other peripherals.
In TCP/IP and UDP networks, a port is also the name of an endpoint of a logical connection. Port numbers identify the service at that endpoint; for example, TCP port 80 carries HTTP data. A threat might attempt to enter using a particular TCP/IP port.
A common file format utilized on Microsoft (R) NT-based platforms.
A hacking technique used to check TCP/IP ports to reveal which services are available for exploitation, and to determine the operating system of a particular computer.
Software programs written by legitimate companies that may alter the security state or the privacy posture of the computer on which they are installed. This software can but does not necessarily include spyware, adware, and dialers, and could be downloaded in conjunction with a program that the user wants. Security-minded users know about such programs and, in some cases, have them removed.
The content of some email messages is protected, which means that the content of the email message cannot be scanned.
Protected content policies specify how email messages with protected content are handled when detected.
This McAfee (R) product is a management tool that enables the anti-virus administrator in a smaller organization to configure the protection standards for all McAfee anti-virus products in the organization.
Larger organizations should use ePolicy Orchestrator (TM) to manage more than 500 nodes.
Protocols are rules that define how communicating devices or sub-systems interact.
Communication protocols are defined within a layered network architecture, which is known as the Open Systems Interconnection (OSI) model. Each layer in the OSI model has its own protocols that specify how communication takes place at that level.
See also Open Systems Interconnection (OSI).
Protocol stacks are a group of related protocols arranged in layers. ISO's Open System Interconnection (OSI) reference model, for example, has 7 layers; the TCP/IP suite uses fewer. Control passes down the stack on the sending device, across the network, and up the stack on the receiving device.
See also Open Systems Interconnection (OSI).
Tools that redirect information bound for an IP address or a domain name, or all Internet traffic, to a third party, typically in service of a password stealer (PWS).
See also password stealer.
Isolating files suspected of containing a virus, spam, suspicious content, and potentially unwanted programs (PUPs), so that the files cannot be opened or executed.
The location on a computer system that stores email messages or files that could contain virus or other suspicious code. The system administrator reviews the messages or files to decide how to respond.
A request for information from a database.
A MIME transfer encoding method that encodes 8-bit formats so that they can be transferred over 7-bit transfer protocols, such as SMTP.
Best suited for messages that contain mainly ASCII characters, but which also contain some byte values outside that range.
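An added example (not code from the original page) that ties together the MIME, MIME header, multi-part MIME and quoted-printable entries: it builds a multipart message whose text part is quoted-printable encoded because it contains non-ASCII characters, then walks the parts the way a mail scanner must, decoding each Content-Transfer-Encoding before looking at the bytes. It uses Python's standard email and quopri modules; the addresses, the message text and the attachment named report.exe are constructed.

```python
"""Build a multipart MIME message and walk its parts the way a mail scanner
must: decode each Content-Transfer-Encoding, then inspect the real bytes."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
import quopri


def qp_encode(text: str, charset: str) -> bytes:
    """Quoted-printable: 8-bit bytes become =XX so the result is 7-bit safe."""
    return quopri.encodestring(text.encode(charset))


def build_sample() -> bytes:
    """Constructed message: QP-encoded non-ASCII text, an HTML alternative and
    a binary attachment (base64) whose name claims it is an executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Résumé attached, see ¶3.\n", cte="quoted-printable")
    msg.add_alternative("<p>R&eacute;sum&eacute; attached, see &para;3.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                       subtype="octet-stream", filename="report.exe")
    return msg.as_bytes()


def walk_parts(raw: bytes) -> list:
    """Return one record per leaf part with its decoded payload, so that policy
    decisions are made on content rather than on what the headers claim."""
    msg = message_from_bytes(raw, policy=default)
    records = []
    for part in msg.walk():
        if part.is_multipart():
            continue                                  # containers carry no payload
        decoded = part.get_payload(decode=True)       # undoes QP / base64
        filename = part.get_filename()
        looks_executable = decoded[:2] == b"MZ"       # PE/DOS header, whatever the name says
        by_name = bool(filename and filename.lower().endswith((".exe", ".scr", ".dll")))
        records.append({
            "content_type": part.get_content_type(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")),
            "filename": filename,
            "decoded": decoded,
            "suspicious": looks_executable or by_name,
        })
    return records


if __name__ == "__main__":
    for rec in walk_parts(build_sample()):
        print(rec["content_type"], rec["cte"], rec["filename"],
              rec["suspicious"], rec["decoded"][:24])
```

Two things a scanner must not skip: the container parts (multipart/*) carry no payload of their own, so the leaves are what get scanned, and a decision based on the declared Content-Type or filename alone misses the case where the bytes say otherwise (here the first two bytes of the attachment are the "MZ" executable header).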
Real-time Blackhole List (RBL) is a proprietary example of a DNS-based blackhole list (DNSBL), a list of IP addresses that have been observed sending or relaying spam, published via DNS.
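How a mail server consults such a list, as an added example that is not from the page or from any McAfee product: the client reverses the IPv4 octets, appends the list's zone and looks the name up; an answer in 127.0.0.0/8 means listed (the last octet encodes the reason), and NXDOMAIN means not listed. The zone dnsbl.example.net and the offline fake_resolve table are constructed; system_resolve does a real lookup with the standard socket module.

```python
"""DNSBL check: reverse the IPv4 octets under the list's zone and interpret
the answer. The resolver is passed in so the example runs offline."""
import ipaddress
import socket


def dnsbl_query_name(ip: str, zone: str) -> str:
    """'123.45.6.24' under 'dnsbl.example.net' -> '24.6.45.123.dnsbl.example.net'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # also validates the address
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name: str) -> list:
    """Real A-record lookup; raises socket.gaierror when the name does not exist."""
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})


def check_dnsbl(ip: str, zone: str, resolve=system_resolve) -> dict:
    """A listed address answers with one or more 127.0.0.x records (the exact
    value encodes the reason); NXDOMAIN means not listed. Answers outside
    127.0.0.0/8 mean the resolver or the list is misbehaving, not a listing."""
    name = dnsbl_query_name(ip, zone)
    try:
        answers = resolve(name)
    except socket.gaierror:
        return {"query": name, "listed": False, "codes": [], "error": None}
    codes = [a for a in answers
             if ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")]
    bogus = [a for a in answers if a not in codes]
    return {"query": name, "listed": bool(codes), "codes": codes,
            "error": f"unexpected answers {bogus}" if bogus else None}


# Constructed DNS zone for offline use (a real list answers over DNS).
FAKE_ZONE = {
    "24.6.45.123.dnsbl.example.net": ["127.0.0.2"],     # listed: spam source
    "1.0.0.10.dnsbl.example.net": ["93.184.216.34"],     # broken: wildcard answer
}


def fake_resolve(name: str) -> list:
    if name not in FAKE_ZONE:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_ZONE[name]


if __name__ == "__main__":
    for ip in ("123.45.6.24", "10.0.0.1", "192.0.2.7"):
        print(check_dnsbl(ip, "dnsbl.example.net", resolve=fake_resolve))
```

The range check on the answer matters: a resolver that returns wildcard answers for non-existent names, or a list that has shut down and started answering every query, would otherwise mark every connecting host as listed and the mail server would reject all inbound mail.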
To scan everything in a folder, including subfolders.
Software designed to give an administrator remote control of a system. Remote administration tools could be a large security threat when controlled by a party other than the legitimate owner or administrator.
A request modification service offered by an ICAP server. The use of the REQMOD verb in an ICAP client request tells the ICAP server that it is the HTTP request that might require modification.
A response modification service offered by an ICAP server. The use of the RESPMOD verb in an ICAP client request tells an ICAP server that it is the HTTP response that might require modification.
A calculated measure of the likelihood and impact of a successful attack on an organization's data and assets. McAfee (R) Labs estimates risk for vulnerabilities and threats based on the effect they are expected to have on the Internet community.
For additional information refer to the McAfee Labs Threat and Vulnerability Risk Assessment Program.
Examining files to find viruses and other potentially unwanted code.
A type of program whose instructions a host application interprets and executes. Script instructions are usually expressed using the application's rules and syntax combined with simple control structures. Examples are JavaScript (TM) and VBScript, which some Web browsers can execute.
A file that, when run, extracts itself. Most files transferred across the Internet are compressed to save disk space and reduce transfer times. A self-extracting program can extract a virus or Trojan horse, which can be difficult to catch if the scanner does not look inside compressed files. You cannot get a virus just by downloading a self-extracting file, only by running it, so always scan new files before you run them.
An intermediate release of product that contains one or more fixes, which may or may not eventually be incorporated permanently into the product.
Machine code, often written in assembly language, used as the payload to exploit a software bug enabling the hacker to communicate with the computer through the operating system command line.
See also exploit.
A specific type of script file in UNIX environment shells. Common variants include scripts for BASH and CShell, which are much like DOS batch files.
Whenever information is sent electronically, it can be accidentally or deliberately altered in transit. To detect this, some e-mail software uses a digital signature, the electronic counterpart of a handwritten signature.
A digital signature is extra information added to a sender's message that identifies and authenticates the sender and the information in the message. Typically it is a cryptographic hash of the message signed with the sender's private key, and it appears as a long string of letters and numbers at the end of a received e-mail message. The recipient's e-mail software recomputes the hash of the message it received and checks it against the signature using the sender's public key. If the two agree, the data has not been altered.
If the email message contains a virus or bad content, or is too large, the software might clean or remove some part of the message. The email message is still valid and can be read, but the original digital signature is "broken": the recipient can no longer rely on the contents, because they might also have been altered in other ways.
Signed content policies specify how email messages with digital signatures are handled.
A sequence of bytes characteristic of a particular virus's code, which a scanner searches for in order to detect that virus.
Data files containing detection and/or remediation code that McAfee (R) scanning products such as VirusScan (R) or IntruShield (R) use to identify malicious code.
See DAT files.
Installing a software package onto a computer without the need for user intervention.
Specifies the location from where the latest automatic updates, including DAT file and scanning engine, can be downloaded.
The default site list points to McAfee sites (a primary FTP site and backup HTTP site), but you can also create an alternative site list that points to an alternative location, such as a local repository where you have copied the automatic update files.
SMTP stands for "Simple Mail Transfer Protocol". The Internet standard protocol for transferring electronic mail messages from one computer to another. SMTP specifies how two mail systems interact and the format of control messages they exchange to transfer mail.
A denial-of-service attack that floods its targets with replies to ICMP echo (ping) requests. A Smurf attack pings Internet broadcast addresses, which in turn forward the requests to as many as 255 hosts on a subnet. The return address of the ping request is actually the address of the attack target. All hosts receiving the ping requests reply to the attack target, flooding it with replies.
Simple Network Management Protocol.
A method of asynchronous event notification supported by the Simple Network Management Protocol.
Unwanted email messages, specifically unsolicited bulk email messages. Typically, an email message is sent to multiple recipients who did not ask to receive it. Email messages are not considered spam if a user has signed up to receive them.
An individual who sends spam messages.
A spam profile is a set of characteristics that identify a category of spam. To enable the anti-spam software to better detect spam, users can submit examples of spam, which enables the software to learn to recognize further spam. The anti-spam software builds a spam profile - a view of what the users regard as spam.
However, an email message that advertises products from a similar company might be regarded as useful reference material by one department. Another department might regard such email as spam. In this example, each department will need a separate spam profile to block spam most effectively.
A number that indicates the amount of potential spam contained within an email message.
The engine applies anti-spam rules to each email messages it scans. Each rule is associated with a score. To assess the risk that an email message contains spam, these scores are added together to give an overall spam score for that email message. The higher the overall spam score, the higher the risk that the email messages contains spam.
A symbol, used in the spam report that is added to the email message's Internet headers, that indicates the amount of potential spam contained in an email message.
For example, if the symbol used is an asterisk (*), the spam score indicator for a spam score of 5.6 is five asterisks, and for a spam score of 6.2 it is six asterisks. The spam score is rounded down; the decimal fraction is ignored.
This feature is used for gathering information during initial testing and should be disabled once you have gathered the information you need.
Like phishing, the term refers to e-mail that appears to come from a legitimate source, such as a bank, a company's internal IT department, an internal employee, or someone your company does business with. While phishing uses mass e-mail, spear-phishing e-mails target a very small number of recipients.
The e-mail sender information may be spoofed so the e-mail appears to originate from a trusted source.
Messages typically request user name and password details, provide a link to a Web site where visitors can enter personal information, or contain an attachment containing a virus, Trojan horse, or spyware.
A term for spammers who create a large number of blogs with links to a spam site. Because the links are included in a large number of blogs, they have high search-engine rankings. Splogs are created to attract people to spam sites, primarily via Google.
Forging an e-mail address or IP address to hide one's location and identity.
Software whose function includes transmitting personal information to a third party without the user's knowledge or consent. This usage is distinct from the common usage of spyware to represent commercial software that has security or privacy implications.
See PUPs.
A virus that tries to avoid detection. A stealth virus may redirect system pointers and information to infect a file without actually changing the infected program file. Another stealth technique is to conceal an increase in file length by displaying the original, uninfected file length.
See Tokens.
A utility that installs updated virus definition (SDAT*.EXE) files and, when necessary, upgrades the scanning engine.
It automatically shuts down any active scans, services, or other memory-resident components that could interfere with the upgrade, then copies new files to their proper locations so that your software can use them immediately.
See also DAT files, EXTRA.DAT file, and incremental DAT files.
See EXTRA.DAT file.
A hacking technique to cause a denial of service, where the attackers send a large number of TCP SYN packets to the target with spoofed source IP addresses. This results in many half-open TCP connections on the target, thus tying up the TCP state resources.
A complete failure of the operating system. When a program fails, it usually has an opportunity to display an error or diagnostic message. If the entire system fails, no such message appears, and keystrokes and mouse clicks are ignored. In the worst cases, the system cannot restart without being powered off.
A program that remains active in memory while other programs run on the system. Examples of TSRs are VShield, a DOS-based mouse, or a CD-ROM driver.
The acronym for Transmission Control Protocol/Internet Protocol, a suite of protocols used to connect communicating devices over the Internet.
A ticket number is a 16-digit alphanumeric identifier that the software generates automatically for every detection.
Tokens are text strings that act as holding places for the real values that will be substituted at a later time.
For example, you can include the token %ATTACHMENTNAME% in an alert template. Whenever the alert message is generated, the software substitutes the token %ATTACHMENTNAME% with the name of the attachment file that triggered the detection.
Tokens are typically shown in capital letters and start and end with a % sign.
The re-encoding of data from one character set into another, so that data which would otherwise be incompatible with a transfer protocol can be carried by that protocol.
For example, 8-bit data can be represented using the 7-bit ASCII character set so that it can be transferred over the 7-bit SMTP email protocol.
See also 8-bit transfer encoding, Base64 transfer encoding, Quoted printable transfer encoding, and UTF-8.
Transport scanning allows you to scan SMTP traffic before it enters the Exchange information store. SMTP Transport scanning can perform scanning of routed email messages that are not destined for the local server and can stop the delivery of messages.
An event that a malware author has programmed the threat to watch for, such as a date, the number of days since the infection occurred, or a sequence of keystrokes. When the trigger event occurs, it activates the virus, which then activates its payload.
A program that does not replicate, but causes damage or compromises the security of the computer. Typically, an individual e-mails a Trojan horse to you; it does not e-mail itself. You can also download the Trojan horse from a Web site or via peer-to-peer networking.
A virus that avoids standard interfaces to infect files. This allows the virus to infect files and go unnoticed by a behavior blocker. One evasion technique used by attackers is tunneling malicious communications through the standard port of another application (e.g., port 80 for HTTP) to avoid firewalls.
An industry-standard connector found on almost all modern computers. It connects multiple devices, ranging from keyboards and mice to Webcams, scanners, and printers.
Versions USB1 and USB2 differ in performance but use identical physical connectors.
This is any content that triggers a content scanning rule.
See Universal Serial Bus.
This refers to time on the zero or Greenwich meridian.
An 8-bit Unicode Transformation Format (UTF) character encoding that can represent any Unicode character and is also backward compatible with ASCII.
New strains of viruses that are modifications of a previous virus.
We identify variants by a letter-based extension after the virus family name: e.g., W32/Virus.a, W32/Virus.b, etc.
New method of spreading viruses by using Visual Basic Scripting. Not usually a problem, unless a user has either Internet Explorer 5 or Outlook 98 or higher.
A program or code that replicates, that is, infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many do a large amount of damage as well.
See DAT files.
See Anti-Virus Engine.
Exploitable defect in a software application or operating system, allowing others to crash systems, access information on systems, or use systems for their own purposes.
Vulnerability Assessment (VA) is the process by which an enterprise analyzes the risk associated with vulnerability scan results.
See also Vulnerability Management (VM), vulnerability scan, and vulnerability scanning.
Vulnerability Management (VM) is the process by which an enterprise measures risk and organizational exposure to vulnerabilities, and tracks compliance over time.
See also Vulnerability Assessment (VA).
Examining a host or network stream for vulnerabilities.
See also Vulnerability Assessment (VA).
Based on Andy Warhol's idea of fifteen minutes of fame, the concept is that a computer virus could spread around the world in less than fifteen minutes.
A list of e-mail addresses from trusted sources whose messages you do not consider spam, and want to receive.
A term used interchangeably with "out in the field" that refers to how prevalent a virus has become. When we say a virus is "out in the wild" or "out in the field," we take into account how many computers or sites have been infected, the geographic areas where the virus has been found, the virus' complexity, and how anti-virus solutions respond.
A symbol that may be substituted by one or more characters. Wildcards are typically used to search for variations of a text string when content filtering.
The symbol ? is used to match a single character. For example, d?g matches dog, dig, and dug.
The symbol * is used to match no characters, one character, or several characters. For example, s*ing matches sing, sting, and singing.
A virus that spreads by creating duplicates of itself on other drives, systems, or networks. A mass-mailing worm is one that requires a user's intervention to spread, e.g., opening an attachment or executing a downloaded file. Most of today's e-mail viruses are worms. A self-propagating worm has no need of user intervention to propagate. Examples of self-propagating worms include Blaster and Sasser.
The acronym for "What you see is what you get", pronounced WIZ-ee-wig. In desktop publishing terms, it indicates that what you see on screen is exactly what you see when the document is printed.
In terms of HTML, it indicates that the underlying HTML code is hidden and the user sees only the content of the HTML file.
A protocol for controlling the flow of data between networked devices using an asynchronous serial connection.
For example, a printer can use the X-on and X-off signals to prevent a computer from sending data to the printer faster than the printer can handle it. The X-off signal stops the data flow and the X-on signal restarts it.
Specification for CD-ROM.
A ZIP (.zip) file is a compressed archive that can contain multiple files. Zipped files can contain viruses, so make sure your anti-virus program scans for viruses in archive files.
A virus found only in virus laboratories that has not moved into general circulation.