|
A | B | C |
D | E | F |
G | H | I |
J | K | L |
M | N | O |
P | Q | R |
S | T | U |
V | W | X |
Y | Z
.dam
Indicates a detection for files that have been corrupted by a threat or that
may contain inactive remnants of a threat, causing the files to fail to properly
execute or produce reliable results.
.dr
Refers to a file that is considered a dropper. This program drops the virus
or worm onto the victim's computer.
.enc
Refers to a file that is encrypted or encoded. For example, a worm that creates
a copy of itself with MIME encoding may be detected with the .enc suffix.
@m
Signifies that the virus or worm is a "mailer." An example:
Happy99 (W32.Ska) only
sends itself by email when you send mail.
@mm
Signifies that the virus or worm is a "mass-mailer." An example:
Melissa sends messages to
every email address in your mailbox.
ACS
A communications server that manages a pool of modems. It directs outgoing
messages to the next available modem and incoming messages to the appropriate
workstation.
Action
A predefined response to an event or alert by a system or application.
Active
A status that indicates that a program, job, policy, or scan is running.
For example, when a scheduled scan executes, it is considered active.
Activity log
A type of report in which all the recorded events are sequentially organized.
Administrative domain
An environment or context defined by a security policy, security model, or
security architecture.
Administrator
An individual who:
Age
A rating used to calculate the vulnerability based on the relative amount
of time since the discovery of the vulnerability. According to experts, the
potential for exploiting a vulnerability increases as the age of the
vulnerability increases. The assumption that people are likely to be aware
of the existence of the vulnerability supports this statement. The L-3 Network
Security researchers assign lower ratings to the age factor of recently
discovered vulnerabilities. Older vulnerabilities are rated higher.
Alarm
A sound or visual signal triggered by an error condition.
Alert
An automatic notification that an event or error has occurred.
Alertable event
Any event or member of an event set configured to trigger an alert.
Also Known As
Names that other antivirus vendors use to identify a threat. Often Symantec's
bloodhound heuristics will identify a potential threat before a specific
detection is added. In such cases, the name of the bloodhound detection will
appear in this field.
Antivirus
A subcategory of a security policy that pertains to computer viruses.
Application server
A software server that lets thin clients use applications and databases that
are managed by the server. The application server handles all the application
operations and connections for the clients.
Asset
A physical item, informational item, or capability required by an organization
to maintain productivity. Examples include a computer system, a customer
database, and an assembly line.
Asset measure
A quantitative measurement of an asset. The asset measure is the confidentiality,
integrity, and availability of an asset in relation to other assets in an
organization.
Asset value
The perceived or intrinsic worth of an asset.
Attack signature
The features of network traffic, either in the heading of a packet or in
the pattern of a group of packets, which distinguish attacks from legitimate
traffic.
Attribute
A property of an object, such as a file or display device.
Authenticated, self-signed SSL
A type of SSL that provides authentication and data encryption through a
self-signed certificate.
Authentication
The assurance that a party to some computerized transaction is not an impostor.
Authentication typically involves using a password, certificate, PIN, or
other information that can be used to validate the identity over a computer
network.
AutoInstall package
An executable created by AI Snapshot and AI Builder that contains one or
more applications distributed to client computers using the Symantec Ghost
Console.
Backup regime
A group of settings that determines which computer to include in a backup
task, as well as other details such as scheduling.
Banner grab
A client receives this readable string immediately following a connection
to a server. The type of received string usually identifies the operating
systems and server types.
Baseline risk
The risk that exists before safeguards are considered.
Benefit
The effectiveness of a safeguard in terms of vulnerability measure. If the
safeguard is applied by itself, it lowers the danger that the vulnerability
poses by the amount specified.
Beta Virus Definitions
Symantec Security Response has not assured the quality of beta virus definitions.
While Symantec Security Response makes every effort to ensure that all the
virus definitions correctly function, beta-quality virus definitions do pose
additional risks. Beta virus definitions are most valuable during a high-level
virus outbreak when users are unable to wait for virus definitions to undergo
full quality assurance testing. Beta virus definitions are available
here.
Bits per second (bps)
A measure of the speed at which a device, such as a modem, can transfer bits
of data.
Blank
To clear or not show an image on the computer screen. You can configure a
pcAnywhere host to blank the host's screen once a connection has been made.
This enhances the security of an unattended pcAnywhere host.
Blended Threat
Blended threats combine the characteristics of viruses, worms, Trojan Horses,
and malicious code with server and Internet vulnerabilities to initiate,
transmit, and spread an attack. By using multiple methods and techniques,
blended threats can rapidly spread and cause widespread damage. Characteristics
of blended threats include:
-
Causes harm: Launches a Denial of Service (DoS) attack at a
target IP address, defaces Web servers, or plants Trojan Horse programs for
later execution.
-
Propagates by multiple methods: Scans for vulnerabilities to
compromise a system, such as embedding code in HTML files on a server, infecting
visitors to a compromised Web site, or sending unauthorized email from
compromised servers with a worm attachment.
-
Attacks from multiple points: Injects malicious code into the
.exe files on a system, raises the privilege level of the guest account,
creates world read and writeable network shares, makes numerous registry
changes, and adds script code into HTML files.
-
Spreads without human intervention: Continuously scans the
Internet for vulnerable servers to attack.
-
Exploits vulnerabilities: Takes advantage of known vulnerabilities,
such as buffer overflows, HTTP input validation vulnerabilities, and known
default passwords to gain unauthorized administrative access.
Effective protection from blended threats requires a comprehensive
security solution that contains multiple layers of defense and response
mechanisms.
Boot package
A file, bootable disk, Ghost image, or Preboot Execution Environment (PXE)
image of a bootable disk that contains the Symantec Ghost executable and
any drivers required to start a client computer and Symantec Ghost.
Broadcast
To simultaneously send the same message to all the users on a network.
Broadcast alert action
An AMS2 response to an alert in which a message is sent to all the computers
logged onto the server that generates the alert.
Bug
A programming error in a software program that can have unwanted side effects.
Some examples include Various web browser security problems and Y2K software
problems.
Callback
A security feature that lets a host disconnect a remote caller after a successful
connection and then recall the remote computer, either for security verification
or financial responsibility.
Canvas
The window in which hosts and other drawing objects, which represent a network
scheme, are placed.
Capability
The measure of a threat's technical expertise or knowledge of a system's
connectivity.
Capability Maturity Model for Software (CMM or SW-CMM)
A model for judging the maturity of the software processes of an organization
and for identifying the key practices that are required to increase the maturity
of these processes.
Captured attack sessions
A record of any network session that contains an attack signature. You can
configure NetProwler to capture a record of any type of attack. You can view
these sessions in the Attack Sessions branch of either the NetProwler Console
or the Agent Graphical User Interface (GUI).
Case-sensitive
The discrimination between lowercase and uppercase characters.
Causes system instability
This payload may cause the computer to crash or to behave in an unexpected
fashion.
Certificate
Cryptographic systems use this file as proof of identity. It contains a user's
name and public key.
Certificate authority
An office or bureau that issues security certificates.
Certificate authority-signed SSL
A type of SSL that provides authentication and data encryption through a
certificate that is digitally signed by a certificate authority.
Certificate store
A database that contains security certificates.
Channel
In communications, a medium for transferring information, which is also called
a line or circuit. Depending on its type, a communications channel can carry
information in analog or digital form. A communications channel can be a
physical link, such as a cable that connects two stations in a network, or
it can consist of some electromagnetic transmission.
Client
A program that makes requests of, or transmits data to, a parent server program.
Client computer
A computer that runs a client program. In a network, the client computer
interacts in a client/server relationship with another computer running a
server program.
Client/server program
A program in which one portion of the program is installed on a computer
that acts as a server for that particular program; and, another portion is
installed on one or more client computers.
Client/server relationship
A relationship in which two computers, usually a server and client, communicate
across a network. Usually one computer manages or supplies services to the
other computer.
Client-side reporting
A method of reporting in which data is retrieved from the server and processed
at the client.
Clone
To make a specified folder on the host or remote computer identical to a
specified folder on another computer. Any files in the source folder are
copied to the destination folder. Files that are in the destination folder
and that are not in the source folder are deleted from the disk. Also see
synchronize.
Cluster server
A group of two or more servers linked together to balance variable workloads
or provide continued operation in the event that one server fails.
Command-Line Interface (CLI)
A utility providing an alternate way to execute the ESM commands in UNIX
and Windows NT environments. The CLI supports most of the ESM commands available
in the ESM Console. In addition, you can create Agent records, remove modules,
or execute batch files that contain CLI commands from the Command Line Interface.
Common Information Model (CIM)
A common data model of an implementation-neutral schema for describing overall
management information in a network/enterprise environment. A Specification
and Schema comprise CIM. The Specification defines the details for integration
with other management models (such as the SNMP MIBs or the DMTF MIFs), while
the Schema provides the actual model descriptions.
Communications
The transfer of data between computers by a device such as a modem or cable.
Communications device
Also called the connection device. The communications device is a modem,
network interface card, or other hardware component enabling remote
communications and data transfer between computers.
Communications link
A connection between computers (and/or peripherals) enabling data transfer.
A communications link can be a network, modem, or cable.
Communications port (COM port)
Also called a serial port. The COM port is a location for sending and receiving
serial data transmissions. The ports are referred to as COM1, COM2, COM3,
and COM4.
Communications protocol
A set of rules designed to enable computers to exchange data. A communications
protocol defines issues such as transmission rate, interval type, and mode.
Communications session
The time during which two computers maintain a connection and are usually
engaged in transferring information.
Compile
To convert a high-level script into a low-level set of commands that can
be executed or run. Syntax errors are discovered when a script is being compiled.
Compromises security settings
This payload may attempt to gain access to passwords or other system-level
security settings. It may also search for openings in the Internet-processing
components of the computer to install a program on that particular system,
which an individual could remotely control over the Internet.
Connection
The successful establishment of a communications link.
Connection item
An item representing a pcAnywhere file, which contains connection device
information and security settings to be used during a session.
Console
1. A program interface for the management of software or networks. 2. In
a mainframe or UNIX environment, a terminal consisting of a monitor and keyboard.
Content filtering
A subcategory of a security policy that pertains to the semantic meaning
of words in text (such as email messages). It can also include URL filtering.
Crash recovery
A file transfer option that directs pcAnywhere to continue transferring files
where it left off when computers are reconnected after a broken connection,
instead of restarting the transfer.
Current risk
The remaining risk after safeguards have been applied.
Current vulnerability measure
The danger posed by a vulnerability after accounting for the safeguards you
use to secure it. If you use a valid safeguard, the current vulnerability
measure is less than the default vulnerability measure.
CVE References
A list of standardized names for vulnerabilities and other information security
exposures - CVE aims to standardize the names for all publicly known
vulnerabilities and security exposures. (Source:
CVE Web site)
Click here to read more about Symantec
and CVE compatibility.
Damage
The damage component measures the amount of harm that a given threat might
inflict. This measurement includes triggered events, clogging email servers,
deleting or modifying files, releasing confidential information, performance
degradation, errors in the virus code, compromising security settings, and
the ease with which the damage may be fixed.
Data conversion
To convert the configuration files (for example, connecting to a host computer)
from an earlier version of pcAnywhere so that you can use them in the current
version. You can also use data conversion to import or export configuration
files to or from text files for record-keeping purposes.
Data template
A template that defines files or registry entries to be included in a backup.
Data transfer
The movement of information from one location to another. The transfer speed
is called the data rate or data transfer rate.
Data transmission
The electronic transfer of information from a sending device to a receiving
device.
Default threat measure rating
A rating based on the appropriate threat profile and the estimations of security
experts. Expert estimations were obtained using the Delphi inquiry method.
Default vulnerability measure
The danger posed by a vulnerability before you account for the safeguards
that you use to secure it. If you use a valid safeguard, the current
vulnerability measure is less than the default vulnerability measure.
Degrades performance
This payload slows computer operations, which could involve allocating available
memory, creating files that consume disk space, or causing programs to load
or execute more slowly.
Deletes files
This payload deletes various files on the hard disk. The number and type
of files that may be deleted vary among viruses.
Deploy
To perform a remote installation.
Desktop computer
1. A computer used primarily to perform work for individuals rather than
to act as a server. 2. A personal computer or workstation designed to reside
on or under a desktop.
Dial
To initiate a connection via LAN, modem, or direct connection, regardless
of whether actual dialing is involved.
Direct connection
A form of data communication in which one computer is directly connected
to another, usually via a null modem cable.
Disabled
A status indicating that a program, job, policy, or scan is not available.
For example, if scheduled scans are disabled, a scheduled scan does not execute
when the date and time specified for the scan is reached.
Discovery
A process in which one computer attempts to locate another computer on the
same network or domain.
Distributed Management Task Force (DMTF)
An industry organization that leads the development, adoption, and unification
of management standards and initiatives for desktop, enterprise, and Internet
environments. Working with key technology vendors and affiliated standards
groups, the DMTF enables a more integrated, cost-effective, and less
crisis-driven approach to management through interoperable management solutions.
Distribution
This component measures how quickly a threat is able to spread.
Domain
A group of computers or devices that shares a common directory database and
is administered as a unit. On the Internet, domains organize network addresses
into hierarchical subsets. For example, the .com domain identifies host systems
used for commercial business.
Domain Name System (DNS)
A hierarchical system of host naming that groups TCP/IP hosts into categories.
For example, in the Internet naming scheme, names with .com extensions identify
hosts in commercial businesses.
Download
To transfer data from one computer to another, usually over a modem or network.
Download usually refers to the act of transferring a file from the Internet,
a Bulletin Board System (BBS), or an online service to an individual's computer.
Download folder
The folder in which files that are received during file transfer are stored.
Driver
A program that interprets commands for transferring to and from peripheral
devices and the CPU.
Electronic exposure
A rating used to calculate the vulnerability based on whether a threat must
have electronic access to your system to exploit a vulnerability.
Enabled
A status indicating that a program, job, policy, or scan is available. For
example, if the scheduled scans are enabled, any scheduled scan will execute
when the date and time specified for the scan are reached.
Encrypted Virus
A virus using encryption to hide itself from virus scanners. That is, the
encrypted virus jumbles up its program code to make it difficult to detect.
Encryption
A method of scrambling or encoding data to prevent unauthorized users from
reading or tampering with the data. Only individuals with access to a password
or key can decrypt and use the data. The data can include messages, files,
folders, or disks.
ESM Agent
A software component that performs security assessment on a host system and
returns the results to the ESM Manager. The ESM Agents also store snapshot
files of system-specific and user-account information, make user-requested
corrections to files, and update snapshots to match corrected files.
ESM Enterprise Console
A Graphical User Interface (GUI) used to administer managers and agents.
It receives user input, sends requests to the ESM Manager, and formats the
returned security assessment data for display. The ESM Enterprise Console
is supported for ESM versions 5.0 and later. Older versions of ESM use the
ESM GUI.
ESM Manager
A software component that coordinates the work of its assigned ESM Agents,
provides communication between the Agents and the ESM user interfaces, and
stores security data gathered by the Agents.
Event
A significant occurrence in a system or application that a program detects.
Events typically trigger actions, such as sending a user notification or
adding a log entry.
Event class
A predefined event category used for sorting reports and configuring alerts.
Event normalization
The process by which events from disparate sources are mapped to a consistent
framework.
Event viewer (ITA event viewer)
A separate Windows NT or UNIX Graphical User Interface (GUI) for viewing
event data captured by intruder alert agents.
Exploit
A program or technique that takes advantage of a vulnerability in software
and that can be used for breaking security, or otherwise attacking a host
over the network.
eXtensible Markup Language (XML)
The common language of the Web used to exchange information.
External Hostile Structured (EHS) threat
An individual or group outside of an organization that is motivated to attack,
exploit, or disrupt mission operations. This highly funded, extremely skilled
threat has substantial resources and unique tools. Foreign intelligence services,
criminal elements, and professional hackers involved in information warfare,
criminal activities, or industrial intelligence often fall into the EHS threat
category.
External Hostile Unstructured (EHU) threat
An individual outside of an organization who is motivated to attack, exploit,
or disrupt mission operations. This individual has limited resources, tools,
skills, and funding to accomplish a sophisticated attack. Many Internet hackers
and most crackers and vandals fall into the EHU threat category.
External Nonhostile Structured (ENS) threat
An individual outside of an organization who has little or no motivation
for attacking it. However, this threat has special resources, skills, tools,
or funding to launch a sophisticated attack. System and network security
professionals who use the Internet to obtain information or improve their
skills usually fall into the ENS threat category.
External Nonhostile Unstructured (ENU) threat
An individual outside of an organization who has little or no motivation
for attacking. This threat has limited resources, skills, tools, or funding
to launch a sophisticated attack. Common Internet users fall into the ENU
threat category.
External threat
A threat that originates outside of an organization.
File transfer
The process of using communications to send a file from one computer to another.
In communications, a protocol must be agreed upon by sending and receiving
computers before a file transfer can occur.
Firewall Rules
A security system that uses rules to block or allow connections and data
transmission between your computer and the Internet.
Fully Qualified Domain Name (FQDN)
A URL consisting of a host and domain name, including top-level domain. For
example, the parsing of the FQDN, www.symantec.com, is:
An FQDN always starts with a host name and continues to
the top-level domain name, so www.sesa.symantec.com is also an FQDN.
Geographic distribution
This measures the range of separate geographic locations where infections
have been reported. The measures are high (global threat), medium (threat
present in a few geographic regions), and low (localized or non-wild threat).
Group
In Windows NT user manager, an account that contains other accounts, which
are called members. Permissions and rights granted to a group are also provided
to its members, making groups a convenient way to grant common capabilities
to collections of user accounts.
Hardware setup
A set of hardware parameters, such as modem type, port/device, and data rate,
which is used as a singular named resource in launching a host or remote
session.
HLLW
Refers to a worm that is compiled using a High-Level Language. (Note:
This modifier may or may not be used as a prefix - it is only a prefix in
the case of a DOS High-Level Language Worm. If the Worm is a Win32 file,
the proper name is W32.HLLW.)
Host
1. In a network environment, a computer that provides data and services to
other computers. Services may include peripheral devices, such as printers,
data storage, email, or World Wide Web access. 2. In a remote control
environment, a computer to which remote users connect to access or exchange
data.
Hypertext Transfer Protocol Secure (HTTPS)
A variation of HTTP that is enhanced by a security mechanism, which is usually
the Secure Sockets Layer (SSL).
Ignore
A condition that prevents an action from being executed on a rule.
Image file
A file that is created using Symantec Ghost. An image file of a disk or partition
is created and used to produce duplicates of the original disk or partition.
Image file definition
A description of the properties of an image file, including the image file
name, location, and status.
Impact
The effect, acceptable or unacceptable, of an incident on a system, operation,
schedule, or cost. Unacceptable impact is impact deemed, by the system owner
and as compared to the missions and goals of the U.S. Department of Defense
(DOD), as severe enough to degrade an essential mission, capability, function,
or system causing an unacceptable result. Like impact, unacceptable impact
refers to the total system and all areas of operational concern, not only
confidentiality.
Inactive
A status indicating that a program, job, policy, or scan is not currently
running. For example, when a scheduled scan awaits for the specified date
and time to execute, it is inactive.
Incident
The actualization of a risk. The event or result of a threat that exploits
a system vulnerability.
Incident response
The ability to deliver the event or set of events to an incident management
system or a HelpDesk system to resolve and track incidents.
Incident response cycle
The sequence of phases that a security event goes through from the time it
is identified as a security compromise or incident to the time it is resolved
and reported.
Infection Length
This is the size, in bytes, of the viral code that is inserted into a program
by the virus. If this is a worm or Trojan Horse, the length represents the
size of the file.
Information
A rating used to calculate a vulnerability, based on the relative availability
of information that discloses a vulnerability. For example, if a vulnerability
is disclosed in books or on the Internet, then the information factor is
rated high. If a vulnerability is not well-known and little or no documentation
on the vulnerability exists, then information is rated low.
Initialize
To prepare for use. In communications, initialize means to set a modem and
software parameters at the start of a session.
Integrated Services Digital Network (ISDN)
A type of phone line used to enhance Wide Area Network (WAN) speeds. ISDN
lines can transmit at speeds of 64 or 128 kilobits per second (Kbps), as
opposed to standard phone lines, which transmit at only 9600 bps. The phone
company installs an ISDN line at both the server and remote sites.
Internal Hostile Structured (IHS) threat
An individual or group within an organization that is motivated to disrupt
mission operations or exploit assets. This threat has significant resources,
tools, and skills to launch a sophisticated attack and potentially remove
any evidence of the attack. An IHS threat is unlikely to act but has the
greatest potential to cause damage. Highly skilled, disgruntled employees
(such as system administrators or programmers) or technical users who could
benefit from disrupting operations often fall into the IHS threat category.
Internal Hostile Unstructured (IHU) threat
An individual within an organization who has physical access to network
components. This individual is motivated to disrupt the operations of the
organization but lacks the resources, tools, or skills necessary to launch
a sophisticated attack. It would not be unusual for this threat to attack
the organization by deploying a common virus. Unskilled, disgruntled employees
or users who could benefit from disrupting operations often fall into the
IHU threat category.
Internal Nonhostile Structured (INS) threat
An individual within an organization who has physical access to network
components. This individual is not motivated to disrupt mission operations
but can do so by making common mistakes. Individuals executing INS threats
are usually skilled and have tools to assist them in performing security-related
functions. System administrators, network engineers, and programmers often
fall into the INS threat category.
Internal Nonhostile Unstructured (INU) threat
An individual within an organization who has physical access to network
components. This individual is not motivated to disrupt mission operations
but can do so unknowingly. Individuals executing INU threats do not have
any unusual skills or tools and are not interested in attacking. Usually,
they are typical users who make mistakes that can impact mission operations.
The INU threat category is typically the most likely to disrupt operations.
Internal threat
A threat that originates within an organization.
Internet Engineering Task Force (IETF)
An international community of network designers, operators, vendors, and
researchers who are concerned with the evolution of Internet architecture
and the smooth operation of the Internet. IETF is open to any interested
individual. The technical work of the IETF is done in its working groups,
which are organized by topic into several areas (such as routing, transport,
security, and so on). Much of the work is handled via mailing lists.
Internet Protocol (IP) address
Identifies a workstation on a TCP/IP network and specifies routing information.
Each workstation on a network must be assigned a unique IP address, which
consists of the network ID, plus a unique host ID assigned by the network
administrator. This address is usually represented in dot-decimal notation,
with the decimal values separated by a period (for example 123.45.6.24).
Interrupt Requests (IRQ)
Also called hardware interrupts. IRQ means that a connection device signals
other hardware components that it needs attention. When you install new devices
(such as serial ports, modems, and mouse devices), you may find that previous
devices no longer work, because the new devices use the previously used IRQs.
Intruder Alert agent
In Intruder Alert, the agent monitors the hosts and responds to events, by
performing defined actions based on applied security policies.
Intruder Alert manager
A software application that runs in the background mode as either a UNIX
daemon or a Windows NT service.
Managers:
Intrusion Detection
A security service that monitors and analyzes system events to find and provide
real-time or near real-time attempt warnings to access system resources in
an unauthorized manner. This is the detection of break-ins or break-in attempts,
by reviewing logs or other information available on a network.
Intrusion Detection Exchange Format (IDEF)
See Intrusion Detection Working Group (IDWG).
Intrusion Detection Working Group (IDWG)
A group that defines data formats and exchange procedures for sharing information
of interest to intrusion detection and response systems, as well as to management
systems that may need to interact with them. The IDWG coordinates its efforts
with other Internet Engineering Task Force work groups.
Large scale e-mailing
This type of payload involves sending emails to large numbers of people.
This is usually done by accessing a local address book and sending emails
to a certain number of people within that particular address book.
Launch
To start a program or application. In pcAnywhere, the host computer is launched
so that a remote computer can call it and begin a remote control session.
Leased line
A telephone channel that is leased from a common carrier for private use.
A leased line is faster and quieter than a switched line, but generally more
expensive.
Local Area Network (LAN)
A group of computers and other devices in a relatively limited area (such
as a single building) that are connected by a communications link, which
enables any device to interact with any other device on the network.
Log
A record of actions and events that take place on a computer. Logging creates
a record of actions and events that take place on a computer.
Logon procedures
The process of identifying oneself to a computer after connecting to it over
a communications line. During the logon procedure, the computer usually requests
a user name and password. On a computer used by more than one person, the
logon procedure identifies the authorized users, keeps track of their usage
time, and maintains security by controlling access to sensitive files or
actions.
Macro
A set of keystrokes and instructions that are recorded, saved, and assigned
to a short key code. When the key code is typed, the recorded keystrokes
and instructions execute (play back). Macros can simplify day-to-day operations,
which otherwise become tedious. For example, a single macro keystroke can
set up a connection using pcAnywhere.
Macro keys
Key codes assigned to sets of specific instructions. Also see macro.
Macro virus
A program or code segment written in the internal macro language of an
application. Some macros replicate, while others infect documents.
Management Information Base (MIB)
A database of objects that can be monitored by a network management system.
Both SNMP and RMON use standardized MIB formats that allow any SNMP and RMON
tool to monitor any device defined by an MIB.
MD5
A hash function such as MD5 is a one-way operation that transforms a data
string of any length into a shorter, fixed-length value. No two strings of
data will produce the same hash value.
An MD5 checksum verifies the data integrity by running a hash operation on
the data after it is received. The resultant hash value is compared to the
hash value that was sent with the data. If the two values match, this indicates
that the data has not been altered or tampered with, and its integrity may
be trusted.
Click here to
learn more about MD5 and to download an MD5 checksum utility.
Click here for a list of MD5
hashes for all available Virus Definitions Intelligent Updater downloads.
Microsoft Management Console (MMC)
An extensible, common console framework for management applications. Management
applications are composed of MMC snap-ins, which add management functionality
to MMC. The Symantec System Center console and the Symantec AntiVirus Corporate
Edition snap-ins add functionality to administer computers that run the Symantec
AntiVirus Corporate Edition software.
Middleware
An application connecting two otherwise separate applications.
Mobile Code
Code (software) that is transferred from a host to a client (or another host
computer) to be executed (run). A worm is an example of malicious mobile
code.
Mode
A system state in which a single action or a series of actions are performed.
A mode has an On condition and an Off condition.
For example, an Outbreak mode under Symantec Mail Security for MS Exchange
might look like:
Modem
A device that enables a computer to transmit information over a standard
telephone line. Modems can transmit at different speeds or data transfer
rates. See also baud rate, bps.
Modifies files
This payload changes the contents of files on the computer and may corrupt
files.
Module
An executable that runs security checks on specific areas of the server or
workstation security.
Motivation
The relative amount of incentive that a threat has to compromise or damage
the assets of an organization.
Multicast
To simultaneously send the same message to a list of recipients on a network.
Name of attachment
Most worms are spread as attachments to emails. This field indicates the
usual name or names that the attachment can be called.
NetProwler agent
A component that monitors the traffic on a network segment to detect, identify,
and respond to intrusion attacks.
NetProwler console
The Graphical User Interface (GUI) provided for managing all the agents assigned
to a NetProwler manager. From the console, you can assign agents, configure
agents, monitor agent alerts, query the NetProwler manager for specific
information, and generate or view security reports.
NetProwler manager
A component that coordinates the work of NetProwler agents, provides
communication between the agents and the user interfaces, and stores security
data gathered by the agents.
Network
A group of computers and associated devices connected by communications
facilities (both hardware and software) to share information and peripheral
devices, such as printers and modems. Also see LAN.
Network resource
Any device or node on a network that NetRecon can identify. Examples include
computers, printers, routers, and hubs (certain types). Since devices can
be known to a network in multiple ways (for example, one computer may have
multiple IP addresses, a NetBIOS name, and a NetWare name), the number of
network resources discovered by NetRecon is generally much greater than the
number of physical devices connected to the network.
Network station
A computer connected to a LAN through a network adapter card and software.
Node
1. In a tree structure, a point where two or more lines meet. 2. In a network,
any addressable device attached to the network that can recognize, process,
or forward data transmissions.
Notification
A predefined response triggered by a system condition, such as an event or
error condition. Typical responses include sound or visual signals, such
as displaying a message box, sending email, or paging an administrator. The
administrator may be able to configure the response. Also see alert.
N-Tier system
A system with managed endpoints, middleware, stand-alone tools, and backend
systems.
Null modem cable
A cable that enables two computers to communicate without using modems. A
null modem cable accomplishes this by crossing the sending and receiving
wires, so that the wire used for transmitting by one device is used for receiving
by the other, and vice versa.
Number of countries
A measure of the number of countries where infections are known to have occurred.
Number of infections
Measures the number of computers known to be infected.
Number of sites
Measures the number of locations with infected computers. This normally refers
to organizations, such as companies, government offices, and so on.
Occurrence measure
The likelihood that a threat will manifest itself within an organization.
Organizational unit
A group of associated systems whose hierarchy generally reflects the network
topology. Organizational units can be nested and inherit their properties
from parent units when they have not already been associated with a
configuration.
Overlapping safeguards
Two or more assigned safeguards that secure the same vulnerability.
Package
An object that contains the files and instructions for distributing software.
Package definition
A link from the console to an AI package, either on an attached drive or
on a Web server.
Parameter
A value that is assigned to a variable. In communications, a parameter is
a means of customizing program (software) and hardware operation.
Parent server
A computer that runs the Symantec AntiVirus Corporate Edition Server software,
as well as manages and communicates with computers that run the Symantec
AntiVirus Corporate Edition Client software. The virus definition files and
configuration updates are pushed from the parent server to its managed clients.
Alerts are sent from the managed clients to the parent server.
Parity
The quality of an integer being odd or even. Also see parity bit, parity
checking.
Parity bit
An extra bit (either 0 or 1) that is added to a group of bits to make it
either even or odd, depending on whether even parity or odd parity is used.
Parity bit is used to check for errors in data transfers between computers,
usually over a modem or null modem cable.
Parity checking
The process of verifying the integrity of data transferred between computers,
usually over a modem or null modem cable. The most common methods are even
parity checking and odd parity checking. Depending on the parity checking
method used, an extra bit, called a parity bit, is added to each group of
bits to make the number of transmitted bytes either even or odd. Both computer
systems must use the same method of parity checking.
Password
A unique string of characters that a user types as an identification code
to restrict access to computers and sensitive files. The system compares
the code against a stored list of authorized passwords and users. If the
code is legitimate, the system allows access at the security level approved
for the owner of the password.
Payload
This is the malicious activity that the virus performs. Not all viruses have
payloads, but there are some that perform destructive actions.
Payload trigger
The condition that causes the virus to activate or drop its destructive payload.
Some viruses trigger their payloads on a certain date. Others may trigger
their payload based on the execution of certain programs or on the availability
of an Internet connection.
Peripheral device
A piece of equipment (usually attached to one of the computer's ports) that
lets users send and receive data to and from a computer. Printers, modems,
mouse devices, and keyboards are all peripheral devices.
Physical exposure
A rating used to calculate the vulnerability, based on whether a threat must
have physical access to your system to exploit a vulnerability.
Ping
A basic Internet program that lets you verify that a particular Internet
address exists and can accept requests. The act of using the ping utility
or command. Pinging is diagnostically used to ensure that a host computer,
which you are trying to reach, actually operates.
Policy
The method of action selected from alternatives, given specific conditions
to guide and determine present and future decisions.
Policy library
A repository of all of the policies (preconfigured and user-defined) in ITA.
Polymorphic Virus
A virus that can change its byte pattern when it replicates; thereby, avoiding
detection by simple string-scanning techniques.
Port
A hardware location for passing data in and out of a computing device. Personal
computers have various types of ports, including internal ports for connecting
disk drives, monitors, and keyboards, as well as external ports, for connecting
modems, printers, mouse devices, and other peripheral devices.
In TCP/IP and UDP networks, port is the name given to an endpoint of a logical
connection. Port numbers identify types of ports. For example, both TCP and
UDP use port 80 for transporting HTTP data. A threat may attempt to use a
particular TCP/IP port.
Potential damage
A rating used to calculate a vulnerability, based on the relative damage
incurred if a threat exploits a vulnerability. For example, if a threat can
obtain root privileges by exploiting a vulnerability, the potential damage
is rated high. If a vulnerability only lets the threat browse a portion of
a file system, and this type of activity causes little or no damage to the
network, the potential damage is rated low.
Predictive risk assessment
A process that consists of risk assessment, business objectives, business
objective risk, business task, business task risk, and Business Impact Assessment
(BIA).
Predictive vulnerability assessment
A process consisting of vulnerability assessment, safeguards, safeguard
assessment, assets, asset value, asset measure, risk, risk measure, and residual
risk.
Primary server
A computer that runs the Symantec AntiVirus Corporate Edition Server software,
which is responsible for configuration and virus definition file update functions
in a server group. When you perform a task at the server group level in the
Symantec System Center, the task runs on the primary server. The primary
server forwards the task to its secondary servers. If the primary server
runs Alert Management System2, it processes all the alerts.
Probe
Any effort, such as a request, transaction, or program, which is used to
gather information about a computer or the network state. For example, sending
an empty message to see whether a destination actually exists.
Ping is a common utility for sending such a probe. Some probes are inserted
near key junctures in a network for monitoring or collecting data about network
activity.
Profiler
An automated configuration tool that scans a network for live systems and
guides you through the process of defining systems that you want to monitor,
as well as attack signatures that you want associated with each system.
Profiling
The process of scanning a network for live systems to monitor and of associating
attack signatures with those particular systems. Also see profiler.
Property filtering
A subcategory of a security policy that pertains to the properties of email
messages, such as attachment size, number of recipients, or whether an attachment
is encrypted.
Protocol
A set of rules enabling computers or devices to exchange data with one another
with as little error as possible. The rules govern issues, such as error
checking and data compression methods. Also see communications protocol.
Proxy
A software agent, often a firewall mechanism, which performs a function or
operation on behalf of another application or system while hiding the details
involved.
Quarantine
To isolate files suspected to contain a virus, so that the files cannot be
opened or executed. The Symantec AntiVirus Corporate Edition heuristically
detects suspect files and virus-infected files that cannot be repaired with
the current set of virus definitions. From the Quarantine on the local computer,
quarantined files can be forwarded to a central network quarantine and submitted
to Symantec Security Response for analysis. If a new virus is discovered,
the updated virus definitions are automatically returned.
Record
To capture and store a set of data that consists of a series of actions and
events.
Region
The part of a network administrated by an ESM Console user. An ESM region
can contain managers, domains, agents, security policies, and a summary database
that contains the results of the ESM policy runs.
Releases confidential information
This payload may attempt to gain access to important data stored on the computer,
such as credit card numbers.
Remote
A computer that connects with a host computer and takes control of it in
a remote control session.
Remote communication
The interaction with a host by a remote computer through a telephone connection
or another communications line, such as a network or a direct serial cable
connection.
Remote control session
A process in which a remote computer calls and connects with a host computer.
Then, the remote computer operates the host while the host's video display
is transmitted to the remote computer's monitor. CPU activity takes place
on the host.
Remote networking
A connection in which a computer calls a network device, and then operates
as a node on that particular network. Remote networking is also referred
to as Dial-Up Networking or remote access. Also see remote control session.
Removal
Measures the skill level required to remove the threat from a given computer.
Removal sometimes involves deleting files and modifying registry entries.
The three levels are Difficult (requires an experienced technician), Moderate
(requires some expertise), and Easy (requires little or no expertise).
Replication
The process of duplicating data from one database to another.
Report
A set of data that is organized and formatted according to specific criteria.
Residual risk
The risk that remains after the application of selected safeguards.
Response actions
Actions that you can configure NetProwler to perform when it detects an attack.
Response actions include capturing the attacker's session, resetting the
session, emailing an administrator, or paging an administrator.
Retrovirus
A computer virus that actively attacks an antivirus program or programs in
an effort to prevent detection.
Risk
A threat that exploits a vulnerability that may cause harm to one or more
assets.
Risk assessment
The computation of risk. Risk is a threat that exploits some vulnerability
that could cause harm to an asset. The risk algorithm computes the risk as
a function of the assets, threats, and vulnerabilities. One instance of a
risk within a system is represented by the formula (Asset * Threat *
Vulnerability). Total risk for a network equates to the sum of all the risk
instances.
Risk management team
A group of people who hold varying views of a network: the people who use
the network, and those who define the purpose of the network. The team should
include end users, system administrators, system security officers, system
engineers, and the owners of the data, residing on the network.
Risk measure
A quantitative measurement of risk. The product of the asset measure, threat
measure, and vulnerability measure, based on proven algorithms.
RS-232-C standard
An industry standard for serial communication connections. Specific lines
and signal characteristics control the transmission of serial data between
devices.
Rule
A logical statement that lets you respond to an event, based on predetermined
criteria.
Run
To execute a program or script.
Safeguard
A process, procedure, technique, or feature intended to mitigate the effects
of risk. Safeguards rarely, if ever, eliminate risk-they reduce it to an
acceptable level.
Safeguard assessment
A process identifying the safeguards that best support the risk-reduction
strategy formed during the risk assessment phase.
Script
A type of program that consists of a set of instructions for an application.
A script usually consists of instructions that are expressed using the
application's rules and syntax, combined with simple control structures.
The pcAnywhere source scripts have a .scr extension; compiled, executable
pcAnywhere scripts have a .scx extension.
Secondary server
A computer running the Symantec AntiVirus Corporate Edition Server software,
which is a child of a primary server. In a server group, all the secondary
servers retrieve information from the same primary server. If the secondary
server is a parent server, it in turn passes information to its managed clients.
Secure Sockets Layer (SSL)
A protocol that allows mutual authentication between a client and server
and the establishment of an authenticated and encrypted connection.
Security architecture
A plan and set of principles that describe the security services that a system
is required to provide to meet the needs of its users, the system elements
required to implement the services, and the performance levels required in
the elements to deal with the threat environment.
Security life cycle
A method of initiating and maintaining a security plan. It involves assessing
the risk to your business, planning ways to reduce the risk to your business,
implementing the plan, and monitoring your business to verify that the plan
reduced the risk.
Security response
The process of research, creation, delivery, and notification of responses
to viral and malicious code threats, as well as operating system, application,
and network infrastructure vulnerabilities. Also see notification.
Security services
The security management, monitoring, and response services that let organizations
leverage the knowledge of Internet security experts to protect the value
of their networked assets and infrastructure.
Sequence number
Only the Norton AntiVirus Corporate products use the sequence numbers, which
are an alternate method of representing the date of the latest definitions
or required definitions. Sequence numbers are sequentially assigned to signature
sets, and they are always cumulative. A signature set with a higher sequence
number supersedes a signature set with a lower sequence number.
Serial communication
The transmission of information between computers, or between computers and
peripheral devices, one bit at a time over a single line (or a data path
that is one-bit wide). Serial communications can be either synchronous or
asynchronous. The sender and receiver must use the same data transfer rate,
parity, and flow control information. Most modems automatically synchronize
to the highest data transfer rate that both modems can support.
pcAnywhere uses the asynchronous communications standard for personal computer
serial communications.
Serial interface
A data transmission scheme in which data and control bits are sequentially
sent in a one-bit-wide data path over a single transmission line. Also see
the RS-232-C standard.
Serial port
Also known as a communications port or COM port. The serial port is a location
for sending and receiving serial data transmissions. DOS references these
ports by the names COM1, COM2, COM3, and COM4.
Serial transmission
The transmission of discrete signals one after the other. In communications
and data transfer, serial transmission involves sending information over
a single wire, one bit at a time. This is the method used in modem-to-modem
communications over telephone lines.
Server group
A container of Symantec AntiVirus Corporate Edition servers and clients that
share communication channels. Server group members can be managed as a unit.
Server groups are independent of Windows NT/2000 domains.
Servlet
A Java applet that runs within a Web server environment.
Session
In communications, the time during which two computers maintain a connection
and are usually engaged in transferring information.
Severity
A level assigned to an incident. See incident.
Shared drives
This field indicates whether the threat will attempt to replicate itself
through mapped drives or other server volumes to which the user might be
authenticated.
Size of attachment
This field indicates the size of the file attached to the infected email.
Source computer
A computer (with drivers and applications installed) that is used as a template.
An image file of this computer is created and cloned onto other client computers.
SpeedSend
An option that enhances file transfer performance when sending files with
duplicate file names, by comparing the two files and transferring only the
data that is different in the source file.
Subject of email
Some worms spread by sending themselves to other people through email. This
field indicates the subject of the email that the worm sends.
Stateful dynamic signature inspection
An intrusion detection method used to detect attacks. Stateful refers to
the virtual processor that lets NetProwler build a context around a monitored
network session, enabling efficient analysis and recording of complex events.
Dynamic refers to the ability to create and activate new attack signatures
without taking the system offline. Signature Inspection is a method of detection
that compares an attack signature with a cache of attack signatures on
NetProwler.
Structured external threat
An individual outside of your organization who may be a threat. This person
is technically skilled, may collaborate with others, and may use automated
tools.
Structured internal threat
An individual inside your organization who may be a threat. This person is
technically skilled, may collaborate with others, and may use automated tools.
Structured threat
An individual who may be a threat to your organization. This person is
technically skilled, may collaborate with others, and may use automated tools.
Switched line
A standard dial-up telephone connection; the type of line that is established
when a call is routed through a switching station. Also see leased line.
Symantec System Center (SSC) console
A type of software used to monitor and control computers that run supported
Symantec client or server software. The SSC console is a snap-in to the Microsoft
Management Center management tool. Additional snap-ins, such as the Norton
AntiVirus Corporate Edition snap-in, add product-specific management capabilities
to the SSC console.
Synchronize
To copy files between two folders on host and remote computers to make the
folders identical to one another. (Copying occurs in both directions.) If
there are two files with the same name, the file with the most current date
and time is copied. Files are never deleted during the synchronization process.
See also clone.
Synchronous transmission
A form of data transmission in which information is sent in blocks of bits
separated by equal time intervals. The sending and receiving devices must
first be set to interact with one another at precise intervals, then data
is sent in a steady stream. Also see asynchronous transmission.
Syntax error
An error made by an author when creating a script, such as not enclosing
a string in quotes or specifying the wrong number of parameters. Syntax errors
are detected during the script compilation and are written to a file with
the same source file name and the .err extension. You can use the pcAnywhere
Editor to view the .err file, make corrections to the script, and re-attempt
compilation.
Systems Security Engineering-Capability Maturity Model
(SSE-CMM)
A system for describing the essential characteristics of an organization's
security engineering process, which must exist to ensure good security
engineering. Engineering organizations can use the model to evaluate and
refine security engineering practices; customers, to evaluate a provider's
security engineering capability; and security engineering evaluation
organizations, to establish organizational, capability-based confidences.
System
A set of related elements that work together to accomplish a task or provide
a service. For example, a computer system includes both hardware and software.
Systems Affected
Refers to operating systems or applications that are vulnerable to a threat.
Systems Not Affected
Refers to operating systems or applications that are not vulnerable to a
threat. The list of systems may change as more information about a given
threat becomes available.
Technical description
This section describes the specific details of the infection, such as registry
entry modifications and files that are manipulated by the virus.
Telephony Application Programming Interface (TAPI)
Microsoft Windows operating systems use this standard to connect a computer
to telephone services. Windows uses TAPI to automatically detect and configure
communication hardware, such as modems, which are installed on a computer.
Template
In Enterprise Security Manager (ESM), a file that includes module control
directives and definitions of objects, and their expected states.
Terminal services
A Microsoft technology that lets users remotely execute Windows-based
applications on a terminal server. Applications run entirely on the server.
The server transfers only the user interface, keystrokes, and mouse movements
between the server and client.
Threat
A circumstance, event, or person with the potential to cause harm to a system
in the form of destruction, disclosure, data modification, and/or Denial
of Service (DoS).
Threat assessment
The severity rating of the virus, worm, or Trojan horse. The threat assessment
includes the damage that this threat causes, how quickly it can spread to
other computers (distribution), and how widespread the infections are known
to be (wild).
Threat containment
A measure of how well current antivirus technology can keep this threat from
spreading. As a general rule, older virus techniques are generally
well-contained; new threat types or highly complex viruses can be more difficult
to contain, and are correspondingly more a threat to the user community.
The measures are Easy (the threat is well-contained), Moderate (the threat
is partially contained), and Difficult (the threat is currently uncontainable).
Threat measure
A quantitative measurement of a threat. A threat's physical access, electronic
access, capability, motivation, and occurrence measure determine the threat
measure.
Threat safeguard
A process, procedure, technique, or feature that deters one or more threats
to the network, by reducing the risk linked to a system's threat measure.
Threshold
The number of events that satisfy certain criteria. Administrators define
threshold rules to determine how notifications are to be delivered.
Time stamp of attachment
This field indicates the date and time of the file attachment.
Time-out
A predetermined period of time during which a given task must be completed.
If the time-out value is reached before or during task execution, the task
is canceled. You can configure a pcAnywhere host to disconnect from a remote
computer after a certain amount of time has passed without activity.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A common set of protocols used on the Internet to link dissimilar computers
across many kinds of networks.
Tune-up pack
An executable that installs software enhancements to a specific version of
ESM.
Types of threat
-
Hoax
Usually an email that gets mailed in chain letter fashion describing some
devastating, highly unlikely type of virus. Hoaxes are detectable as having
no file attachment, no reference to a third party who can validate the claim,
and by the general tone of the message.
-
Joke
A harmless program that causes various benign activities to display on your
computer (for example, an unexpected screen saver).
-
Trojan Horse
A program that neither replicates nor copies itself, but causes damage or
compromises the security of the computer. Typically, an individual emails
a Trojan Horse to you-it does not email itself-and it may arrive in the form
of a joke program or software of some sort.
-
Virus
A program or code that replicates; that is, infects another program, boot
sector, partition sector, or document that supports macros, by inserting
itself or attaching itself to that medium. Most viruses only replicate, though,
many do a large amount of damage as well.
-
Worm
A program that makes copies of itself; for example, from one disk drive to
another, or by copying itself using email or another transport mechanism.
The worm may do damage and compromise the security of the computer. It may
arrive in the form of a joke program or software of some sort.
Unstructured external threat
An individual outside your organization who may be a threat. This person
is technically unskilled or unsophisticated.
Unstructured internal threat
An individual inside your organization who may be a threat. This person is
technically unskilled or unsophisticated.
Unstructured threat
A threat that tends to be technically unskilled or unsophisticated.
Upload
To send a file from one computer to another via modem, network, or serial
cable. With a modem-based communications link, the process generally involves
the requesting computer instructing the remote computer to prepare to receive
the file on its disk and wait for the transmission to begin. Also see download.
User account
A Windows NT file that contains information that identifies a user to Windows
NT. This includes the user name and password, groups in which the user account
has membership, and the rights and permissions that the user has for using
the system and accessing its resources.
User manager
A Windows NT utility that enables users with administrative privileges to
edit and define individual user accounts and privileges for the local
workstation.
Variants
New strains of viruses that borrow code, to varying degrees, directly from
other known viruses. The variants are usually identified by a letter, or
letters, following the virus family name; for example, VBS.LoveLetter.B.,
VBS.LoveLetter.C, and so on.
Virus Definitions (Intelligent
UpdaterTM)
Symantec Security Response fully tests the Intelligent
UpdaterTM virus definitions for quality
assurance. The virus definitions are posted on U.S. business days (Monday
through Friday) and can be downloaded from the Symantec Security Response
Web site and manually installed.
Corporate network administrators, as well as end users who practice potentially
risky Internet behavior (for example, clicking on email attachments from
unknown senders or attachments included in unexpected emails, downloading
files from newsgroups or suspicious Web sites, and so on) benefit the most
from downloading and installing the Intelligent
UpdaterTM virus definitions on a daily
basis. Intelligent UpdaterTM virus definitions
are available here.
Home users: While it is possible, it is not absolutely necessary for
you to download and install the Intelligent Updater definitions daily. Symantec
receives samples of new viruses every day and we proceed to build new definitions
for these viruses daily. However, in many cases these viruses are not in
the wild, or if in the wild, they have a very low incidence of infection.
In any event, if we detect that a virus in the wild is rapidly spreading,
we immediately release LiveUpdate packages to fully protect our customers.
Additionally, if you suspect that a virus has infected your computer, take
advantage of the Scan and Deliver functionality to submit the potentially
infected file for analysis by Symantec Security Response. As part of our
response we will send you the necessary Intelligent Updater packages to deal
with the infection.
For detailed instructions on how to download and install the Intelligent
UpdaterTM virus definitions from the Symantec
Security Response Web site, click
here.
Virus Definitions
(LiveUpdateTM)
LiveUpdateTM is the easiest way to obtain
virus definitions and product updates. Symantec Security Response fully tests
all the virus definitions for quality assurance before they are posted to
the LiveUpdateTM servers. The virus
definitions are tested once each week (usually Wednesdays), unless there
is a major virus outbreak.
LiveUpdateTM:
-
Downloads a list of available updates, matches them to the
programs that you have installed, determines whether any updates apply to
those programs, and presents a list of available updates for you to apply.
-
Downloads the updates that you se
| 
