Index »

Computer Security & Antivirus Terminology

#|A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z

Use CTRL-F To Search

#

• .dam
  Indicates a detection for files that have been corrupted by a threat or that may contain inactive remnants of a threat, causing the files to fail to properly execute or produce reliable results.
• .dr
  Refers to a file that is considered a dropper. This program drops the virus or worm onto the victim's computer.
• .enc
  Refers to a file that is encrypted or encoded. For example, a worm that creates a copy of itself with MIME encoding may be detected with the .enc suffix.
• @m
  Signifies that the virus or worm is a "mailer." An example: Happy99 (W32.Ska) only sends itself by email when you send mail.
• @mm
  Signifies that the virus or worm is a "mass-mailer." An example: W97M.Melissa.A sends messages to every email address in your mailbox.  

A

• ACS
  A communications server that manages a pool of modems. It directs outgoing messages to the next available modem and incoming messages to the appropriate workstation.
• Action
  A predefined response to an event or alert by a system or application.
• Active
  A status that indicates that a program, job, policy, or scan is running. For example, when a scheduled scan executes, it is considered active.
• Activity log
  A type of report in which all the recorded events are sequentially organized.
• Administrative domain
  An environment or context defined by a security policy, security model, or security architecture.
• Administrator
  An individual who:
  • Oversees the operation of a network.
  • Is responsible for installing programs on a network and configuring them for distribution to workstations.
  • May also update security settings on workstations.
• Adware
  Adware is a software package that facilitates the delivery of advertising content to the user. Learn more about different adware risks.
• Age
  A rating used to calculate the vulnerability based on the relative amount of time since the discovery of the vulnerability. According to experts, the potential for exploiting a vulnerability increases as the age of the vulnerability increases. The assumption that people are likely to be aware of the existence of the vulnerability supports this statement. The L-3 Network Security researchers assign lower ratings to the age factor of recently discovered vulnerabilities. Older vulnerabilities are rated higher.
• Alarm
  A sound or visual signal triggered by an error condition.
• Alert
  An automatic notification that an event or error has occurred.
• Alertable event
  Any event or member of an event set configured to trigger an alert.
• Also Known As (AKA):
  Names that other antivirus vendors use to identify a threat. Often Symantec's bloodhound heuristics will identify a potential threat before a specific detection is added. In such cases, the name of the bloodhound detection will appear in this field.
• Antivirus
  A subcategory of a security policy that pertains to computer viruses.
• Application server
  A software server that lets thin clients use applications and databases that are managed by the server. The application server handles all the application operations and connections for the clients.
• Asset
  A physical item, informational item, or capability required by an organization to maintain productivity. Examples include a computer system, a customer database, and an assembly line.
• Asset measure
  A quantitative measurement of an asset. The asset measure is the confidentiality, integrity, and availability of an asset in relation to other assets in an organization.
• Asset value
  The perceived or intrinsic worth of an asset.
• Attack signature
  The features of network traffic, either in the heading of a packet or in the pattern of a group of packets, which distinguish attacks from legitimate traffic.
• Attribute
  A property of an object, such as a file or display device.
• Authenticated, self-signed SSL
  A type of SSL that provides authentication and data encryption through a self-signed certificate.
• Authentication
  The assurance that a party to some computerized transaction is not an impostor. Authentication typically involves using a password, certificate, PIN, or other information that can be used to validate the identity over a computer network.
• AutoInstall package
  An executable created by AI Snapshot and AI Builder that contains one or more applications distributed to client computers using the Symantec Ghost Console.

B

• Backup regime
  A group of settings that determines which computer to include in a backup task, as well as other details such as scheduling.
• Banner grab
  A client receives this readable string immediately following a connection to a server. The type of received string usually identifies the operating systems and server types.
• Baseline risk
  The risk that exists before safeguards are considered.
• Benefit
  The effectiveness of a safeguard in terms of vulnerability measure. If the safeguard is applied by itself, it lowers the danger that the vulnerability poses by the amount specified.
• Bits per second (bps)
  A measure of the speed at which a device, such as a modem, can transfer bits of data.
• Blank
  To clear or not show an image on the computer screen. You can configure a pcAnywhere host to blank the host's screen once a connection has been made. This enhances the security of an unattended pcAnywhere host.
• Blended Threat
  Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage. Characteristics of blended threats include:
  • Causes harm: Launches a Denial of Service (DoS) attack at a target IP address, defaces Web servers, or plants Trojan Horse programs for later execution.
  • Propagates by multiple methods: Scans for vulnerabilities to compromise a system, such as embedding code in HTML files on a server, infecting visitors to a compromised Web site, or sending unauthorized email from compromised servers with a worm attachment.
  • Attacks from multiple points: Injects malicious code into the .exe files on a system, raises the privilege level of the guest account, creates world read and writeable network shares, makes numerous registry changes, and adds script code into HTML files.
  • Spreads without human intervention: Continuously scans the Internet for vulnerable servers to attack.
  • Exploits vulnerabilities: Takes advantage of known vulnerabilities, such as buffer overflows, HTTP input validation vulnerabilities, and known default passwords to gain unauthorized administrative access.
  • Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.
• Boot package
  A file, bootable disk, Ghost image, or Preboot Execution Environment (PXE) image of a bootable disk that contains the Symantec Ghost executable and any drivers required to start a client computer and Symantec Ghost.
• Broadcast
  To simultaneously send the same message to all the users on a network.
• Broadcast alert action
  An AMS2 response to an alert in which a message is sent to all the computers logged onto the server that generates the alert.
• Bug
  A programming error in a software program that can have unwanted side effects. Some examples include Various web browser security problems and Y2K software problems.

C

• Callback
  A security feature that lets a host disconnect a remote caller after a successful connection and then recall the remote computer, either for security verification or financial responsibility.
• Canvas
  The window in which hosts and other drawing objects, which represent a network scheme, are placed.
• Capability
  The measure of a threat's technical expertise or knowledge of a system's connectivity.
• Capability Maturity Model for Software (CMM or SW-CMM)
  A model for judging the maturity of the software processes of an organization and for identifying the key practices that are required to increase the maturity of these processes.
• Captured attack sessions
  A record of any network session that contains an attack signature. You can configure NetProwler to capture a record of any type of attack. You can view these sessions in the Attack Sessions branch of either the NetProwler Console or the Agent Graphical User Interface (GUI).
• Case-sensitive
  The discrimination between lowercase and uppercase characters.
• Causes system instability
  This payload may cause the computer to crash or to behave in an unexpected fashion.
• Certificate
  Cryptographic systems use this file as proof of identity. It contains a user's name and public key.
• Certificate authority
  An office or bureau that issues security certificates.
• Certificate authority-signed SSL
  A type of SSL that provides authentication and data encryption through a certificate that is digitally signed by a certificate authority.
• Certificate store
  A database that contains security certificates.
• Channel
  In communications, a medium for transferring information, which is also called a line or circuit. Depending on its type, a communications channel can carry information in analog or digital form. A communications channel can be a physical link, such as a cable that connects two stations in a network, or it can consist of some electromagnetic transmission.
• Client
  A program that makes requests of, or transmits data to, a parent server program.
• Client computer
  A computer that runs a client program. In a network, the client computer interacts in a client/server relationship with another computer running a server program.
• Client/server program
  A program in which one portion of the program is installed on a computer that acts as a server for that particular program; and, another portion is installed on one or more client computers.
• Client/server relationship
  A relationship in which two computers, usually a server and client, communicate across a network. Usually one computer manages or supplies services to the other computer.
• Client-side reporting
  A method of reporting in which data is retrieved from the server and processed at the client.
• Clone
  To make a specified folder on the host or remote computer identical to a specified folder on another computer. Any files in the source folder are copied to the destination folder. Files that are in the destination folder and that are not in the source folder are deleted from the disk. Also see synchronize.
• Cluster server
  A group of two or more servers linked together to balance variable workloads or provide continued operation in the event that one server fails.
• CME initiative
  The CME initiative is an effort headed by the United States Computer Emergency Readiness Team (US-CERT), in collaboration with key organizations within the security community. Through the adoption of a neutral, shared identification method, the CME initiative seeks to: reduce the public's confusion in referencing threats during malware incidents; enhance communication between anti-virus vendors; and improve communication and information sharing between anti-virus vendors and the rest of the information security community.
• CME number
  A Common Malware Enumeration (CME) number is a unique, vendor-neutral identifier for a particular threat (see CME initiative above).
• Command-Line Interface (CLI)
  A utility providing an alternate way to execute the ESM commands in UNIX and Windows NT environments. The CLI supports most of the ESM commands available in the ESM Console. In addition, you can create Agent records, remove modules, or execute batch files that contain CLI commands from the Command Line Interface.
• Common Information Model (CIM)
  A common data model of an implementation-neutral schema for describing overall management information in a network/enterprise environment. A Specification and Schema comprise CIM. The Specification defines the details for integration with other management models (such as the SNMP MIBs or the DMTF MIFs), while the Schema provides the actual model descriptions.
• Communications
  The transfer of data between computers by a device such as a modem or cable.
• Communications device
  Also called the connection device. The communications device is a modem, network interface card, or other hardware component enabling remote communications and data transfer between computers.
• Communications link
  A connection between computers (and/or peripherals) enabling data transfer. A communications link can be a network, modem, or cable.
• Communications port (COM port)
  Also called a serial port. The COM port is a location for sending and receiving serial data transmissions. The ports are referred to as COM1, COM2, COM3, and COM4.
• Communications protocol
  A set of rules designed to enable computers to exchange data. A communications protocol defines issues such as transmission rate, interval type, and mode.
• Communications session
  The time during which two computers maintain a connection and are usually engaged in transferring information.
• Compile
  To convert a high-level script into a low-level set of commands that can be executed or run. Syntax errors are discovered when a script is being compiled.
• Compromises security settings
  This payload may attempt to gain access to passwords or other system-level security settings. It may also search for openings in the Internet-processing components of the computer to install a program on that particular system, which an individual could remotely control over the Internet.
• Connection
  The successful establishment of a communications link.
• Connection item
  An item representing a pcAnywhere file, which contains connection device information and security settings to be used during a session.
• Console
  1. A program interface for the management of software or networks.
  2. In a mainframe or UNIX environment, a terminal consisting of a monitor and keyboard.
• Content filtering
  A subcategory of a security policy that pertains to the semantic meaning of words in text (such as email messages). It can also include URL filtering.
• Crash recovery
  A file transfer option that directs pcAnywhere to continue transferring files where it left off when computers are reconnected after a broken connection, instead of restarting the transfer.
• Current risk
  The remaining risk after safeguards have been applied.
• Current vulnerability measure
  The danger posed by a vulnerability after accounting for the safeguards you use to secure it. If you use a valid safeguard, the current vulnerability measure is less than the default vulnerability measure.
• CVE References
  A list of standardized names for vulnerabilities and other information security exposures - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.  

D

• Damage
  The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and the ease with which the damage may be fixed.
• Data conversion
  To convert the configuration files (for example, connecting to a host computer) from an earlier version of pcAnywhere so that you can use them in the current version. You can also use data conversion to import or export configuration files to or from text files for record-keeping purposes.
• Data template
  A template that defines files or registry entries to be included in a backup.
• Data transfer
  The movement of information from one location to another. The transfer speed is called the data rate or data transfer rate.
• Data transmission
  The electronic transfer of information from a sending device to a receiving device.
• Default threat measure rating
  A rating based on the appropriate threat profile and the estimations of security experts. Expert estimations were obtained using the Delphi inquiry method.
• Default vulnerability measure
  The danger posed by a vulnerability before you account for the safeguards that you use to secure it. If you use a valid safeguard, the current vulnerability measure is less than the default vulnerability measure.
• Degrades performance
  This payload slows computer operations, which could involve allocating available memory, creating files that consume disk space, or causing programs to load or execute more slowly.
• Deletes files
  This payload deletes various files on the hard disk. The number and type of files that may be deleted vary among viruses.
• Deploy
  To perform a remote installation.
• Desktop computer
  1. A computer used primarily to perform work for individuals rather than to act as a server.
  2. A personal computer or workstation designed to reside on or under a desktop.
• Dial
  To initiate a connection via LAN, modem, or direct connection, regardless of whether actual dialing is involved.
• Dialers
  A dialer is any software package that changes the modem configuration to dial a high cost toll number, dials a high cost toll number, or requests payment for access to particular content.
• Direct connection
  A form of data communication in which one computer is directly connected to another, usually via a null modem cable.
• Disabled
  A status indicating that a program, job, policy, or scan is not available. For example, if scheduled scans are disabled, a scheduled scan does not execute when the date and time specified for the scan is reached.
• Discovery
  A process in which one computer attempts to locate another computer on the same network or domain.
• Distributed Management Task Force (DMTF)
  An industry organization that leads the development, adoption, and unification of management standards and initiatives for desktop, enterprise, and Internet environments. Working with key technology vendors and affiliated standards groups, the DMTF enables a more integrated, cost-effective, and less crisis-driven approach to management through interoperable management solutions.
• Distribution
  This component measures how quickly a threat is able to spread.
• Domain
  A group of computers or devices that shares a common directory database and is administered as a unit. On the Internet, domains organize network addresses into hierarchical subsets. For example, the .com domain identifies host systems used for commercial business.
• Domain Name System (DNS)
  A hierarchical system of host naming that groups TCP/IP hosts into categories. For example, in the Internet naming scheme, names with .com extensions identify hosts in commercial businesses.
• Download
  To transfer data from one computer to another, usually over a modem or network. Download usually refers to the act of transferring a file from the Internet, a Bulletin Board System (BBS), or an online service to an individual's computer.
• Download folder
  The folder in which files that are received during file transfer are stored.
• Driver
  A program that interprets commands for transferring to and from peripheral devices and the CPU.

E

• Electronic exposure
  A rating used to calculate the vulnerability based on whether a threat must have electronic access to your system to exploit a vulnerability.
• Enabled
  A status indicating that a program, job, policy, or scan is available. For example, if the scheduled scans are enabled, any scheduled scan will execute when the date and time specified for the scan are reached.
• Encrypted Virus
  A virus using encryption to hide itself from virus scanners. That is, the encrypted virus jumbles up its program code to make it difficult to detect.
• Encryption
  A method of scrambling or encoding data to prevent unauthorized users from reading or tampering with the data. Only individuals with access to a password or key can decrypt and use the data. The data can include messages, files, folders, or disks.
• Extended Partition Boot Record (EPBR)
  Each logical partition resembles a physical hard disk, and on each logical hard disk, an EPBR occupies the same position as the MBR of a physical hard disk.
• ESM Agent
  A software component that performs security assessment on a host system and returns the results to the ESM Manager. The ESM Agents also store snapshot files of system-specific and user-account information, make user-requested corrections to files, and update snapshots to match corrected files.
• ESM Enterprise Console
  A Graphical User Interface (GUI) used to administer managers and agents. It receives user input, sends requests to the ESM Manager, and formats the returned security assessment data for display. The ESM Enterprise Console is supported for ESM versions 5.0 and later. Older versions of ESM use the ESM GUI.
• ESM Manager
  A software component that coordinates the work of its assigned ESM Agents, provides communication between the Agents and the ESM user interfaces, and stores security data gathered by the Agents.
• Event
  A significant occurrence in a system or application that a program detects. Events typically trigger actions, such as sending a user notification or adding a log entry.
• Event class
  A predefined event category used for sorting reports and configuring alerts.
• Event normalization
  The process by which events from disparate sources are mapped to a consistent framework.
• Event viewer (ITA event viewer)
  A separate Windows NT or UNIX Graphical User Interface (GUI) for viewing event data captured by intruder alert agents.
• Exploit
  A program or technique that takes advantage of a vulnerability in software and that can be used for breaking security, or otherwise attacking a host over the network.
• Exposure
  An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
  • Allows an attacker to conduct information gathering activities
  • Allows an attacker to hide activities
  • Includes a capability that behaves as expected, but can be easily compromised
  • Is a primary point of entry that an attacker may attempt to use to gain access to the system or data
  • Is considered a problem according to some reasonable security policy
• Extended (partition)
  An extended partition is a primary partition that was originally developed in order to overcome the four-primary-partition limit. The extended partition is a container, or a place-holder, for logical partitions. The extended partition itself does not contain any data, nor does it receive a drive letter assignment. It can contain any number of logical partitions, and each logical partition receives a drive letter assignment, as long as the logical partition is recognized by the operating system.
• eXtensible Markup Language (XML)
  The common language of the Web used to exchange information.
• External Hostile Structured (EHS) threat
  An individual or group outside of an organization that is motivated to attack, exploit, or disrupt mission operations. This highly funded, extremely skilled threat has substantial resources and unique tools. Foreign intelligence services, criminal elements, and professional hackers involved in information warfare, criminal activities, or industrial intelligence often fall into the EHS threat category.
• External Hostile Unstructured (EHU) threat
  An individual outside of an organization who is motivated to attack, exploit, or disrupt mission operations. This individual has limited resources, tools, skills, and funding to accomplish a sophisticated attack. Many Internet hackers and most crackers and vandals fall into the EHU threat category.
• External Nonhostile Structured (ENS) threat
  An individual outside of an organization who has little or no motivation for attacking it. However, this threat has special resources, skills, tools, or funding to launch a sophisticated attack. System and network security professionals who use the Internet to obtain information or improve their skills usually fall into the ENS threat category.
• External Nonhostile Unstructured (ENU) threat
  An individual outside of an organization who has little or no motivation for attacking. This threat has limited resources, skills, tools, or funding to launch a sophisticated attack. Common Internet users fall into the ENU threat category.
• External threat
  A threat that originates outside of an organization.

F

• File Allocation Table (FAT)
  File Allocation Table. FAT can refer to three different types of partitions: FAT12, FAT16, and FAT16b. FAT16b is the most common type, and is used for partitions that are larger than 32 MB. FAT12 and FAT16 partitions were used with MS-DOS 5.0, and are still used with Windows 98 (depending on the partition size). The FAT file system format is used and recognized by DOS, Windows 3.x, Windows 95, Windows NT, OS/2, and nearly all other operating systems.
• FAT32
  32-bit File Allocation Table. File system format recognized by Windows 95 B (or later versions) and Windows NT 5(or later versions).
• FAT32x
  A FAT32 partition that crosses over the 1024th cylinder of a hard drive.
• File transfer
  The process of using communications to send a file from one computer to another. In communications, a protocol must be agreed upon by sending and receiving computers before a file transfer can occur.
• Firewall Rules
  A security system that uses rules to block or allow connections and data transmission between your computer and the Internet.
• Fully Qualified Domain Name (FQDN)
  A URL consisting of a host and domain name, including top-level domain. For example, the parsing of the FQDN, www.TigerDirect.com, is:
  • www is the host,
  • TigerDirect is the second-level domain, and
  • com is the top-level domain.
  • An FQDN always starts with a host name and continues to the top-level domain name, so www.sesa.symantec.com is also an FQDN.

G

• Geographic distribution
  This measures the range of separate geographic locations where infections have been reported. The measures are high (global threat), medium (threat present in a few geographic regions), and low (localized or non-wild threat).
• Group
  In Windows NT user manager, an account that contains other accounts, which are called members. Permissions and rights granted to a group are also provided to its members, making groups a convenient way to grant common capabilities to collections of user accounts.

H

• Hack tool
  Tools that can be used by a hacker or unauthorized user to attack, gain unwelcome access to or perform identification or fingerprinting of your computer. While some hack tools may also be valid for legitimate purposes, their ability to facilitate unwanted access makes them a risk. Hack tools also generally:
  • Attempt to gain information on or access hosts surreptitiously, utilizing methods that circumvent or bypass obvious security mechanisms inherent to the system it is installed on, and/or
  • Facilitate an attempt at disabling a target computer, preventing its normal use
  • One example of a hack tool is a keystroke logger -- a program that tracks and records individual keystrokes and can send this information back to the hacker. Also applies to programs that facilitate attacks on third-party computers as part of a direct or distributed denial-of-service attempt.
• Hardware setup
  A set of hardware parameters, such as modem type, port/device, and data rate, which is used as a singular named resource in launching a host or remote session.
• HLLC
  Refers to a virus compiled using a high-level language that adds itself to a location on the system from which it can be easily executed.
• HLLO
  Refers to a virus compiled using a high-level language that overwrites files.
• HLLP
  Refers to a virus compiled using a high-level language that is parasitic; that is, the virus infects files with itself.
• HLLW
  Refers to a worm that is compiled using a High-Level Language. (Note: This modifier may or may not be used as a prefix - it is only a prefix in the case of a DOS High-Level Language Worm. If the Worm is a Win32 file, the proper name is W32.HLLW.)
• Hoax
  Hoaxes usually arrive in the form of an email. Please disregard the hoax emails - they contain bogus warnings usually intent only on frightening or misleading users. The best course of action is to merely delete these hoax emails. Learn more about different hoaxes.
• Host
•  
  1. In a network environment, a computer that provides data and services to other computers. Services may include peripheral devices, such as printers, data storage, email, or World Wide Web access.
  2. In a remote control environment, a computer to which remote users connect to access or exchange data.
• Hypertext Transfer Protocol Secure (HTTPS)
  A variation of HTTP that is enhanced by a security mechanism, which is usually the Secure Sockets Layer (SSL).

I

• Ignore
  A condition that prevents an action from being executed on a rule.
• Image file
  A file that is created using Norton Ghost. An image file of a disk or partition is created and used to produce duplicates of the original disk or partition.
• Image file definition
  A description of the properties of an image file, including the image file name, location, and status
• Impact
  The effect, acceptable or unacceptable, of an incident on a system, operation, schedule, or cost. Unacceptable impact is impact deemed, by the system owner and as compared to the missions and goals of the U.S. Department of Defense (DOD), as severe enough to degrade an essential mission, capability, function, or system causing an unacceptable result. Like impact, unacceptable impact refers to the total system and all areas of operational concern, not only confidentiality.
• Inactive
  A status indicating that a program, job, policy, or scan is not currently running. For example, when a scheduled scan awaits for the specified date and time to execute, it is inactive.
• Incident
  The actualization of a risk. The event or result of a threat that exploits a system vulnerability.
• Incident response
  The ability to deliver the event or set of events to an incident management system or a HelpDesk system to resolve and track incidents.
• Incident response cycle
  The sequence of phases that a security event goes through from the time it is identified as a security compromise or incident to the time it is resolved and reported.
• Infection Length
  This is the size, in bytes, of the viral code that is inserted into a program by the virus. If this is a worm or Trojan Horse, the length represents the size of the file.
• Information
  A rating used to calculate a vulnerability, based on the relative availability of information that discloses a vulnerability. For example, if a vulnerability is disclosed in books or on the Internet, then the information factor is rated high. If a vulnerability is not well-known and little or no documentation on the vulnerability exists, then information is rated low.
• Initialize
  To prepare for use. In communications, initialize means to set a modem and software parameters at the start of a session.
• Integrated Services Digital Network (ISDN)
  A type of phone line used to enhance Wide Area Network (WAN) speeds. ISDN lines can transmit at speeds of 64 or 128 kilobits per second (Kbps), as opposed to standard phone lines, which transmit at only 9600 bps. The phone company installs an ISDN line at both the server and remote sites.
• Internal Hostile Structured (IHS) threat
  An individual or group within an organization that is motivated to disrupt mission operations or exploit assets. This threat has significant resources, tools, and skills to launch a sophisticated attack and potentially remove any evidence of the attack. An IHS threat is unlikely to act but has the greatest potential to cause damage. Highly skilled, disgruntled employees (such as system administrators or programmers) or technical users who could benefit from disrupting operations often fall into the IHS threat category.
• Internal Hostile Unstructured (IHU) threat
  An individual within an organization who has physical access to network components. This individual is motivated to disrupt the operations of the organization but lacks the resources, tools, or skills necessary to launch a sophisticated attack. It would not be unusual for this threat to attack the organization by deploying a common virus. Unskilled, disgruntled employees or users who could benefit from disrupting operations often fall into the IHU threat category.
• Internal Nonhostile Structured (INS) threat
  An individual within an organization who has physical access to network components. This individual is not motivated to disrupt mission operations but can do so by making common mistakes. Individuals executing INS threats are usually skilled and have tools to assist them in performing security-related functions. System administrators, network engineers, and programmers often fall into the INS threat category.
• Internal Nonhostile Unstructured (INU) threat
  An individual within an organization who has physical access to network components. This individual is not motivated to disrupt mission operations but can do so unknowingly. Individuals executing INU threats do not have any unusual skills or tools and are not interested in attacking. Usually, they are typical users who make mistakes that can impact mission operations. The INU threat category is typically the most likely to disrupt operations.
• Internal threat
  A threat that originates within an organization.
• Internet Engineering Task Force (IETF)
  An international community of network designers, operators, vendors, and researchers who are concerned with the evolution of Internet architecture and the smooth operation of the Internet. IETF is open to any interested individual. The technical work of the IETF is done in its working groups, which are organized by topic into several areas (such as routing, transport, security, and so on). Much of the work is handled via mailing lists.
• Internet Protocol (IP) address
  Identifies a workstation on a TCP/IP network and specifies routing information. Each workstation on a network must be assigned a unique IP address, which consists of the network ID, plus a unique host ID assigned by the network administrator. This address is usually represented in dot-decimal notation, with the decimal values separated by a period (for example 123.45.6.24).
• Internet Relay Chat (IRC)
  IRC is a multi-user chat system, where people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. This system also allows for the distribution of executable content.
• Interrupt Requests (IRQ)
  Also called hardware interrupts. IRQ means that a connection device signals other hardware components that it needs attention. When you install new devices (such as serial ports, modems, and mouse devices), you may find that previous devices no longer work, because the new devices use the previously used IRQs.
• Intruder Alert agent
  In Intruder Alert, the agent monitors the hosts and responds to events, by performing defined actions based on applied security policies.
• Intruder Alert manager
  A software application that runs in the background mode as either a UNIX daemon or a Windows NT service.
  • Managers:
    • Maintain secure communications with all registered Agents,
    • Maintain the master list of domains and policies applied to each Agent,
    • Communicate domain and policy changes to Agents,
    • Receive and store event data from Agents, via the Record to Event Viewer action,
    • Serve as the communications link among the Intruder Alert Administrator, Intruder Alert Event Viewer, and Agents, and
    • Maintain the list of policies and the domains to which they are applied.
• Intrusion Detection
  A security service that monitors and analyzes system events to find and provide real-time or near real-time attempt warnings to access system resources in an unauthorized manner. This is the detection of break-ins or break-in attempts, by reviewing logs or other information available on a network.
• Intrusion Detection Exchange Format (IDEF)
  See Intrusion Detection Working Group (IDWG).
• Intrusion Detection Working Group (IDWG)
  A group that defines data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, as well as to management systems that may need to interact with them. The IDWG coordinates its efforts with other Internet Engineering Task Force work groups.

J

• Joke programs
  Programs that alter or interrupt the normal behavior of your computer, creating a general distraction or nuisance.

K

• Known Dependencies
  These programs have been known to install the security risk as a component, and will therefore not function as intended if the security risk is removed from the computer.

L

• Large scale e-mailing
  This type of payload involves sending emails to large numbers of people. This is usually done by accessing a local address book and sending emails to a certain number of people within that particular address book.
• Launch
  To start a program or application. In pcAnywhere, the host computer is launched so that a remote computer can call it and begin a remote control session.
• Leased line
  A telephone channel that is leased from a common carrier for private use. A leased line is faster and quieter than a switched line, but generally more expensive.
• Local Area Network (LAN)
  A group of computers and other devices in a relatively limited area (such as a single building) that are connected by a communications link, which enables any device to interact with any other device on the network.
• Log
  A record of actions and events that take place on a computer. Logging creates a record of actions and events that take place on a computer.
• Logical (partition)
  A logical partition is a partition that resides within an extended partition and receives a drive letter assignment (provided that the partition type is recognized by the operating system). Logical partitions are typically used to store data, although some operating systems can be installed on a logical partition.
• Logon procedures
  The process of identifying oneself to a computer after connecting to it over a communications line. During the logon procedure, the computer usually requests a user name and password. On a computer used by more than one person, the logon procedure identifies the authorized users, keeps track of their usage time, and maintains security by controlling access to sensitive files or actions.

M

• Macro
  A set of keystrokes and instructions that are recorded, saved, and assigned to a short key code. When the key code is typed, the recorded keystrokes and instructions execute (play back). Macros can simplify day-to-day operations, which otherwise become tedious. For example, a single macro keystroke can set up a connection using pcAnywhere.
• Macro keys
  Key codes assigned to sets of specific instructions. Also see macro.
• Macro virus
  A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents.
• Malware
  Malware is a category of malicious code that includes viruses, worms, and Trojan horses. Destructive malware will utilize popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems making their entry quiet and easy.
• Management Information Base (MIB)
  A database of objects that can be monitored by a network management system. Both SNMP and RMON use standardized MIB formats that allow any SNMP and RMON tool to monitor any device defined by an MIB.
• Master Boot Record (MBR)
  Master Boot Record. The Master Boot Record is contained in the first sector of the hard drive. It identifies where the active partition is, and then starts the boot program for the boot sector of that partition. The boot sector identifies where the operating system is located and enables the boot information to be loaded into the computer's main storage or RAM. The Master Boot Record includes a table that locates each partition that is present on the hard drive.
• MD5
  A hash function such as MD5 is a one-way operation that transforms a data string of any length into a shorter, fixed-length value. No two strings of data will produce the same hash value. An MD5 checksum verifies the data integrity by running a hash operation on the data after it is received. The resultant hash value is compared to the hash value that was sent with the data. If the two values match, this indicates that the data has not been altered or tampered with, and its integrity may be trusted.
• Microsoft Management Console (MMC)
  An extensible, common console framework for management applications. Management applications are composed of MMC snap-ins, which add management functionality to MMC. The Symantec System Center console and the Symantec AntiVirus Corporate Edition snap-ins add functionality to administer computers that run the Symantec AntiVirus Corporate Edition software.
• Middleware
  An application connecting two otherwise separate applications.
• Misleading applications
  Programs that report false or significantly misleading information on the presence of a security risk, threat or system issue on the computer being scanned.
• Mobile Code
  Code (software) that is transferred from a host to a client (or another host computer) to be executed (run). A worm is an example of malicious mobile code.
• Mode
  A system state in which a single action or a series of actions are performed. A mode has an On condition and an Off condition. For example, an Outbreak mode under Symantec Mail Security for MS Exchange might look like:
  • Mode On condition: More than 30 email messages with the same subject line are detected in a period of 10 minutes.
  • Action(s): Quarantine all emails with subject line , run LiveUpdate every 10 minutes.
  • Mode Off condition: Less than 10 email messages with the same subject line are detected in a period of 10 minutes.
• Modem
  A device that enables a computer to transmit information over a standard telephone line. Modems can transmit at different speeds or data transfer rates. See also baud rate, bps.
• Modifies files
  This payload changes the contents of files on the computer and may corrupt files.
• Module
  An executable that runs security checks on specific areas of the server or workstation security.
• Motivation
  The relative amount of incentive that a threat has to compromise or damage the assets of an organization.
• Multicast
  To simultaneously send the same message to a list of recipients on a network.

N

• Name of attachment
  Most worms are spread as attachments to emails. This field indicates the usual name or names that the attachment can be called.
• NetProwler agent
  A component that monitors the traffic on a network segment to detect, identify, and respond to intrusion attacks.
• NetProwler console
  The Graphical User Interface (GUI) provided for managing all the agents assigned to a NetProwler manager. From the console, you can assign agents, configure agents, monitor agent alerts, query the NetProwler manager for specific information, and generate or view security reports.
• NetProwler manager
  A component that coordinates the work of NetProwler agents, provides communication between the agents and the user interfaces, and stores security data gathered by the agents.
• Network
  A group of computers and associated devices connected by communications facilities (both hardware and software) to share information and peripheral devices, such as printers and modems. Also see LAN.
• Network resource
  Any device or node on a network that NetRecon can identify. Examples include computers, printers, routers, and hubs (certain types). Since devices can be known to a network in multiple ways (for example, one computer may have multiple IP addresses, a NetBIOS name, and a NetWare name), the number of network resources discovered by NetRecon is generally much greater than the number of physical devices connected to the network.
• Network station
  A computer connected to a LAN through a network adapter card and software.
• New Technology File System (NTFS)
  File system format recognized only by Windows NT.
• Node
  1. In a tree structure, a point where two or more lines meet.
  2. In a network, any addressable device attached to the network that can recognize, process, or forward data transmissions.
• Notification
  A predefined response triggered by a system condition, such as an event or error condition. Typical responses include sound or visual signals, such as displaying a message box, sending email, or paging an administrator. The administrator may be able to configure the response. Also see alert.
• N-Tier system
  A system with managed endpoints, middleware, stand-alone tools, and backend systems.
• Null modem cable
  A cable that enables two computers to communicate without using modems. A null modem cable accomplishes this by crossing the sending and receiving wires, so that the wire used for transmitting by one device is used for receiving by the other, and vice versa.
• Number of countries
  A measure of the number of countries where infections are known to have occurred.
• Number of infections
  Measures the number of computers known to be infected.
• Number of sites
  Measures the number of locations with infected computers. This normally refers to organizations, such as companies, government offices, and so on.

O

• Occurrence measure
  The likelihood that a threat will manifest itself within an organization.
• Organizational unit
  A group of associated systems whose hierarchy generally reflects the network topology. Organizational units can be nested and inherit their properties from parent units when they have not already been associated with a configuration.
• Overlapping safeguards
  Two or more assigned safeguards that secure the same vulnerability.

P

• Package
  An object that contains the files and instructions for distributing software.
• Package definition
  A link from the console to an AI package, either on an attached drive or on a Web server.
• Parameter
  A value that is assigned to a variable. In communications, a parameter is a means of customizing program (software) and hardware operation.
• Parent server
  A computer that runs the Symantec AntiVirus Corporate Edition Server software, as well as manages and communicates with computers that run the Symantec AntiVirus Corporate Edition Client software. The virus definition files and configuration updates are pushed from the parent server to its managed clients. Alerts are sent from the managed clients to the parent server.
• Parity
  The quality of an integer being odd or even. Also see parity bit, parity checking.
• Parity bit
  An extra bit (either 0 or 1) that is added to a group of bits to make it either even or odd, depending on whether even parity or odd parity is used. Parity bit is used to check for errors in data transfers between computers, usually over a modem or null modem cable.
• Parity checking
  The process of verifying the integrity of data transferred between computers, usually over a modem or null modem cable. The most common methods are even parity checking and odd parity checking. Depending on the parity checking method used, an extra bit, called a parity bit, is added to each group of bits to make the number of transmitted bytes either even or odd. Both computer systems must use the same method of parity checking.
• Password
  A unique string of characters that a user types as an identification code to restrict access to computers and sensitive files. The system compares the code against a stored list of authorized passwords and users. If the code is legitimate, the system allows access at the security level approved for the owner of the password.
• Payload
  This is the malicious activity that the virus performs. Not all viruses have payloads, but there are some that perform destructive actions.
• Payload trigger
  The condition that causes the virus to activate or drop its destructive payload. Some viruses trigger their payloads on a certain date. Others may trigger their payload based on the execution of certain programs or on the availability of an Internet connection.