Virus Glossary


ActiveX: ActiveX is a set of technologies from Microsoft that enables interactive content for the World Wide Web. Before ActiveX, Web content was static, 2-dimensional text and graphics. With ActiveX, Web sites come alive using multimedia effects, interactive objects, and sophisticated applications that create a user experience comparable to that of high-quality CD-ROM titles. ActiveX provides the glue that ties together a wide assortment of technology building blocks to enable these "active" Web sites.

Antivirus: Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware). Antivirus software typically uses two different techniques to accomplish this:
  • Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Attachment: Attachments are files added to an outgoing email. Such files may carry other software.

Boot Sector Virus: A boot sector virus is spread via infected floppy disks. This usually occurs when users inadvertently leave a floppy disk in drive A:\. When the system is next started, the PC will attempt to boot from the floppy. If the disk is infected with a boot sector virus, that virus will infect the boot sector of the user's local drive (C:\). Unless the floppy disk is a bootable system disk, the user will simply see a standard warning that the drive contains a "non-system disk or disk error" and the user will be prompted to "replace the disk and press any key when ready". Most users will realize a floppy has been left in the drive, remove it, and reboot the system, unaware they may have just infected their system with a boot sector virus. As with any virus, a boot sector virus can be fairly benign, simply taking up room in memory, or it can contain a malicious payload. The simplest method of preventing boot sector viruses is to change the CMOS settings to boot from the local C:\ drive first, rather than from floppy.

Buffer Overrun:

Disinfection: Cleaning, deleting, or otherwise removing a virus infection is referred to as disinfection. In some instances, disinfection is always by deletion. For example, a Trojan would always be deleted as it has no legitimate purpose. Conversely, a document infected with a macro virus would be cleaned. That is, the offending macro(s) would be removed while the document, and any non-infected macros, would be left intact. While disinfection can generally be accomplished with no resulting file damage, there is no absolute guarantee that the file can be restored to its original state. For this reason, some antivirus experts recommend always restoring infected files from a known clean backup, and relying on antivirus software only to detect the virus. Other antivirus experts believe disinfection is the preferred method, rather than requiring the user to have (a) made a backup, and (b) to restore it. Some independent testing facilities certify antivirus software on its ability not just to detect viruses, but also on its accuracy in disinfecting them.

False Positive: False positives occur when a small segment, or string of code, has qualities reminiscent of a virus. This can occur without reason, due to a faulty scanner, or it can occur after improper disinfection by the same or different antivirus scanner. False positives can be more than just annoying. Repeated warnings that are erroneous cause the same effect as the boy who cried wolf. If too many false positives occur, when a legitimate warning is presented, users may disregard it. For this reason, it is important to determine the reason for the false positive. This can usually be accomplished by sending the offending file to the antivirus vendor's virus laboratory for analysis. Some users claim that behavior blocking results in too many false positives. In fact, the very nature of behavioral analysis is to prevent, without authorization, any modifications to key system areas. In the case of behavior blocking, the prompting for user input is a desirable occurrence. As with any product, users must determine the method(s) that best suit their individual needs. Other instances of false positives can occur when heuristics are employed. Some vendors provide configurable settings to reduce the chance of false positives in such a case.

File Viruses: File viruses infect executable files by inserting their code into some part of the original file so that it can be executed when the file is accessed, or they may overwrite the file entirely. File infecting viruses have targeted a range of operating systems, including Macintosh, UNIX, DOS, and Windows. Overwriting viruses cause irreversible damage to the files. Loveletter, which operated as an email worm, file virus, and Trojan downloader, is a notorious example of a file overwriting virus. Loveletter searched for certain file types and overwrote them with its own malicious code, permanently destroying the contents of those files. Files affected by an overwriting virus cannot be disinfected and instead must be deleted and restored from backup.

Heuristics: Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others simply scan the file more intensively, searching line by line for any offending sequences of code. Heuristics are designed to detect previously unknown viruses, that is to say, viruses that are newly released into the wild for which antivirus vendors have no specific definition files to address the threat. Unfortunately, heuristics are not very successful in catching newly released threats - mainly due to consumer demand for an unobtrusive scanner. To minimize the risks of false positives, some vendors have cut back on the level of heuristics employed, or given users configurable options to lessen or increase heuristics as desired. As a result, traditional antivirus scanners, even those with heuristics, are more adept at detecting and disinfecting known viruses only. As more users become infected by viruses, particularly those with damaging payloads, a greater degree of user involvement will be tolerated and the level of heuristics will likely increase.

Hoax:

In the Wild: See ITW.

Integrity Checker:

Internet Worm: The Morris Worm is dubiously credited with bringing down the Internet in 1988. Unlike a virus, a worm does not infect other files. Instead, it creates copies of itself, sometimes over and over again until it depletes system resources. In the case of modern day Internet worms, also known as email worms, the worm sends itself out as an attachment to recipients in the user's Outlook or Outlook Express address books. Thus, you are more likely to receive an infected attachment from someone you know. The rule of thumb to protect yourself is to never, ever open attachments received unexpectedly. One of the most infamous worms, Loveletter, was actually a combination threat: a mass-mailing Internet worm, an overwriting file virus, and a password-stealing Trojan.

ITW: In-The-Wild refers to viruses that have been reported by at least two separate reporting agencies to the Wildlist.org. The Wildlist is comprised of antivirus experts throughout the industry to maintain a snapshot of current infections. Published monthly, the Wildlist is also used as a benchmark by some antivirus certification agencies. The Wildlist, and its use as a testing benchmark, has been met with some criticism by antivirus experts who do not believe the reporting methods are scientific or controlled enough to guarantee an accurate representation. Others find it a useful reporting and reference mechanism. In any event, it is THE source of information

Macro Virus: Macro viruses are written in languages (e.g. Visual Basic) supported by some products, most notably Microsoft® Office suites and most commonly Word and Excel. Macros are actually mini-programs embedded in the document, and thus have many of the same rights and abilities as the user who is logged on to the system. Macro viruses are one of the more common forms of infection, replaced only recently by Internet worms in terms of prevalence. As with any virus, the effect can range from a benign annoyance to loss of critical data. Though Microsoft® has made several improvements designed to hamper the spread of macro viruses, the threat continues to plague users. Macro viruses generally spread by first infecting the global template (e.g. Normal.dot in Word), in turn infecting other documents as they are accessed. Exact methods can vary, with some macro viruses only infecting currently open documents.

Malware: Malicious code such as a virus, worm, or Trojan, is sometimes referred to as malware.

Payload: Viruses are designed to replicate, that is, to infect as many users or files as possible. Some viruses, however, have an even more sinister intent. While the effects of any virus, e.g. displaying a dialog box with the words "Have a Good Day", are considered a payload, users are most concerned about viruses with a malicious payload. Such viruses usually generate much more attention in the media. The CIH virus wreaked havoc on systems in 1998. The payload was to overwrite the Flash BIOS of systems, rendering them unbootable. LoveLetter also deployed a malicious payload as part of its routine, overwriting certain media file types. Regardless of the payload rendered, however, all viruses constitute a drain on system resources and thus there is no such thing as a harmless virus. It should be noted that a virus does not have to have a malicious payload to be dangerous. Today's onslaught of combination malware, consisting of virus, worm, and Trojan combined, can not only infect with or without a payload, it can also allow backdoor access to your system, steal passwords, or mass-mail itself to users listed in your address book.

Polymorphic Virus: Polymorphic viruses change their code in an attempt to avoid detection by antivirus scanners. Essentially, the polymorphic virus encrypts itself in a different manner each time it infects, meaning that specific signature codes must be developed to search for each variety.

Portable Executable: A Portable Executable (PE EXE) file can best be described as self-sufficient. It is a program capable of running independently on any Windows operating system (Windows 95, 98, NT, 2000, XP, and ME). Examples of PE EXE files include calc.exe (the calculator program) and notepad.exe (Notepad). PE EXE files do not have to have an EXE extension. A screensaver (.scr) is also a Portable Executable.
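
Because a Portable Executable is defined by its content and not by its extension, a file can be checked by reading its header: the "MZ" marker, the offset stored at 0x3C, and the "PE\0\0" signature that offset points to. The following is an added example, not part of the original glossary; the function names, the extension allow-list and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
# Assumed allow-list of extensions normally expected to hold PE content.
PE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}
IMAGE_FILE_DLL = 0x2000


def build_sample_pe(machine=0x014C, characteristics=0x0102):
    """Constructed sample: DOS stub plus PE signature and COFF header only."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: offset of "PE\0\0"
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


def inspect_pe(data):
    """Return header facts for PE content, or None when data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The signature (4 bytes) and COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, sections, _, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": sections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def triage(filename, data):
    """Classify by content first, then compare against the file's extension."""
    if inspect_pe(data) is None:
        return "not-pe"
    ext = os.path.splitext(filename)[1].lower()
    return "pe" if ext in PE_EXTS else "pe-unexpected-extension"


if __name__ == "__main__":
    sample = build_sample_pe()
    cases = [
        ("saver.scr", sample),                       # screensaver: still a PE
        ("photo.jpg", sample),                       # PE content, image extension
        ("notes.exe", b"plain text, not a program"), # .exe name, no PE header
    ]
    for name, blob in cases:
        print(name, triage(name, blob))
```

A file reported as "pe-unexpected-extension" is a reasonable candidate for closer inspection, for example an email attachment whose name suggests an image or document.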

Scanner: A scanner refers to the products and technology used by antivirus vendors to detect malicious code, prevent it from infecting your system, and remove malicious code that has infected the system. Typically, antivirus vendors share information and resources to ensure rapid response to malicious code outbreaks. Most antivirus vendors participate in independent testing which certifies their products to detect and/or disinfect viruses. Traditional antivirus software scanners scan files for malicious code either in realtime, automatically as they are introduced to the system, or as manually requested by the user. Other antivirus products rely on integrity checking and/or behavior blocking to respectively prevent files from modification or stop certain actions from taking place.

Stealth: Stealth viruses attempt to hide their presence to avoid detection. One method employed is to redirect calls made to the infected file. For example, Brain, notorious for being the first PC virus in-the-wild, was also the first stealth virus. It infected boot sectors, hooking into INT13. If the virus were resident in memory, the boot sector would look normal.

Trojan: A Trojan is a program that appears to be legitimate, but in fact does something malicious. Trojans were responsible for the Distributed Denial of Service (DDoS) attacks suffered by Yahoo and eBay in the latter part of 1999. In fact, Trojans are often used to gain backdoor access, that is to say remote, surreptitious access, to a user's system. Trojans do not replicate as viruses do, nor make copies of themselves as worms do.

There are several different types of Trojans: Remote Access Trojans (RATs), Backdoor Trojans (backdoors), IRC Trojans (IRCbots), and Keyloggers. Many of these different types can be employed in one Trojan. For example, a keylogger that also operates as a backdoor or RAT may commonly be hidden inside game hacks. IRC Trojans are often combined with backdoors and RATs to create collections of infected computers known as botnets.

Virus: A virus is a program designed to replicate. Generally, spread is accomplished by infecting other files. In the case of boot sector viruses, it is the boot sector of the floppy disk or hard drive that is infected. While the primary purpose may be to replicate, some viruses also incorporate a payload, often malicious. The first PC virus was discovered in-the-wild in 1986. Today, over 54,000 viruses are known to exist. At any given time, approximately 200 are considered in-the-wild threats. Where once viruses reigned supreme, today combination threats are increasingly prevalent. These threats combine Internet worms, viruses, and Trojans in an infectious mass-emailer.

Worm: In contrast to viruses, computer worms are malicious programs that copy themselves from system to system, rather than infiltrating legitimate files. For example, a mass-mailing email worm is a worm that sends copies of itself via email. A network worm makes copies of itself throughout a network, an Internet worm sends copies of itself via vulnerable computers on the Internet, and so on.

©2004-2006 My PC Center, Inc. All rights reserved.