The glossary below contains many of the terms you will find in common use throughout the Symantec Security Response Web site. Please refer to this list or the Frequently Asked Questions (FAQ) page to find definitions of terms and answers to other Internet security-related questions.
.dam
Indicates a detection for files that have been corrupted by a threat or that may
contain inactive remnants of a threat, causing the files to fail to properly
execute or produce reliable results.
.dr
Refers to a file that is considered a dropper. This program drops the virus or
worm onto the victim's computer.
.enc
Refers to a file that is encrypted or encoded. For example, a worm that creates
a copy of itself with MIME encoding may be detected with the .enc suffix.
@m
Signifies that the virus or worm is a "mailer." An example: Happy99
(W32.Ska) only sends itself by email when you send mail.
@mm
Signifies that the virus or worm is a "mass-mailer." An example: W97M.Melissa.A
sends messages to every email address in your mailbox.
ACS
A communications server that manages a pool of modems. It directs outgoing
messages to the next available modem and incoming messages to the appropriate
workstation.
Action
A predefined response to an event or alert by a system or application.
Active
A status that indicates that a program, job, policy, or scan is running. For
example, when a scheduled scan executes, it is considered active.
Activity log
A type of report in which all the recorded events are sequentially organized.
Administrative domain
An environment or context defined by a security policy, security model, or
security architecture.
Administrator
An individual who:
Age
A rating used to calculate the vulnerability based on the relative amount of
time since the discovery of the vulnerability. According to experts, the
potential for exploiting a vulnerability increases as the age of the
vulnerability increases. The assumption that people are likely to be aware of
the existence of the vulnerability supports this statement. The L-3 Network
Security researchers assign lower ratings to the age factor of recently
discovered vulnerabilities. Older vulnerabilities are rated higher.
Alarm
A sound or visual signal triggered by an error condition.
Alert
An automatic notification that an event or error has occurred.
Alertable event
Any event or member of an event set configured to trigger an alert.
Also Known As
Names that other antivirus vendors use to identify a threat. Often Symantec's
bloodhound heuristics will identify a potential threat before a specific
detection is added. In such cases, the name of the bloodhound detection will
appear in this field.
Antivirus
A subcategory of a security policy that pertains to computer viruses.
Application server
A software server that lets thin clients use applications and databases that are
managed by the server. The application server handles all the application
operations and connections for the clients.
Asset
A physical item, informational item, or capability required by an organization
to maintain productivity. Examples include a computer system, a customer
database, and an assembly line.
Asset measure
A quantitative measurement of an asset. The asset measure is the
confidentiality, integrity, and availability of an asset in relation to other
assets in an organization.
Asset value
The perceived or intrinsic worth of an asset.
Attack signature
The features of network traffic, either in the heading of a packet or in the
pattern of a group of packets, which distinguish attacks from legitimate
traffic.
Attribute
A property of an object, such as a file or display device.
Authenticated, self-signed SSL
A type of SSL that provides authentication and data encryption through a
self-signed certificate.
Authentication
The assurance that a party to some computerized transaction is not an impostor.
Authentication typically involves using a password, certificate, PIN, or other
information that can be used to validate the identity over a computer network.
AutoInstall package
An executable created by AI Snapshot and AI Builder that contains one or more
applications distributed to client computers using the Symantec Ghost Console.
Backup regime
A group of settings that determines which computer to include in a backup task,
as well as other details such as scheduling.
Banner grab
A readable string that a client receives immediately after connecting to a
server. The received string usually identifies the operating system and server
type.
Baseline risk
The risk that exists before safeguards are considered.
Benefit
The effectiveness of a safeguard in terms of vulnerability measure. If the
safeguard is applied by itself, it lowers the danger that the vulnerability
poses by the amount specified.
Bits per second (bps)
A measure of the speed at which a device, such as a modem, can transfer bits of
data.
Blank
To clear or not show an image on the computer screen. You can configure a
pcAnywhere host to blank the host's screen once a connection has been made. This
enhances the security of an unattended pcAnywhere host.
Boot package
A file, bootable disk, Ghost image, or Preboot Execution Environment (PXE) image
of a bootable disk that contains the Symantec Ghost executable and any drivers
required to start a client computer and Symantec Ghost.
Broadcast
To simultaneously send the same message to all the users on a network.
Broadcast alert action
An AMS2 response to an alert in which a message is sent to all the computers
logged onto the server that generates the alert.
Bug
A programming error in a software program that can have unwanted side effects.
Some examples include various web browser security problems and Y2K software
problems.
Callback
A security feature that lets a host disconnect a remote caller after a
successful connection and then recall the remote computer, either for security
verification or financial responsibility.
Canvas
The window in which hosts and other drawing objects, which represent a network
scheme, are placed.
Capability
The measure of a threat's technical expertise or knowledge of a system's
connectivity.
Capability Maturity Model for Software (CMM or SW-CMM)
A model for judging the maturity of the software processes of an organization
and for identifying the key practices that are required to increase the maturity
of these processes.
Captured attack sessions
A record of any network session that contains an attack signature. You can
configure NetProwler to capture a record of any type of attack. You can view
these sessions in the Attack Sessions branch of either the NetProwler Console or
the Agent Graphical User Interface (GUI).
Case-sensitive
The discrimination between lowercase and uppercase characters.
Causes system instability
This payload may cause the computer to crash or to behave in an unexpected
fashion.
Certificate
Cryptographic systems use this file as proof of identity. It contains a user's
name and public key.
Certificate authority
An office or bureau that issues security certificates.
Certificate authority-signed SSL
A type of SSL that provides authentication and data encryption through a
certificate that is digitally signed by a certificate authority.
Certificate store
A database that contains security certificates.
Channel
In communications, a medium for transferring information, which is also called a
line or circuit. Depending on its type, a communications channel can carry
information in analog or digital form. A communications channel can be a
physical link, such as a cable that connects two stations in a network, or it
can consist of some electromagnetic transmission.
Client
A program that makes requests of, or transmits data to, a parent server program.
Client computer
A computer that runs a client program. In a network, the client computer
interacts in a client/server relationship with another computer running a server
program.
Client/server program
A program in which one portion of the program is installed on a computer that
acts as a server for that particular program; and, another portion is installed
on one or more client computers.
Client/server relationship
A relationship in which two computers, usually a server and client, communicate
across a network. Usually one computer manages or supplies services to the other
computer.
Client-side reporting
A method of reporting in which data is retrieved from the server and processed
at the client.
Clone
To make a specified folder on the host or remote computer identical to a
specified folder on another computer. Any files in the source folder are copied
to the destination folder. Files that are in the destination folder and that are
not in the source folder are deleted from the disk. Also see synchronize.
Cluster server
A group of two or more servers linked together to balance variable workloads or
provide continued operation in the event that one server fails.
CME initiative
The CME initiative is an effort headed by the United States Computer Emergency
Readiness Team (US-CERT), in collaboration with key organizations within the
security community. Through the adoption of a neutral, shared identification
method, the CME initiative seeks to: reduce the public's confusion in
referencing threats during malware incidents; enhance communication between
anti-virus vendors; and improve communication and information sharing between
anti-virus vendors and the rest of the information security community.
CME number
A Common Malware Enumeration (CME) number is a unique, vendor-neutral identifier
for a particular threat (see CME initiative above).
Command-Line Interface (CLI)
A utility providing an alternate way to execute the ESM commands in UNIX and
Windows NT environments. The CLI supports most of the ESM commands available in
the ESM Console. In addition, you can create Agent records, remove modules, or
execute batch files that contain CLI commands from the Command Line Interface.
Common Information Model (CIM)
A common data model of an implementation-neutral schema for describing overall
management information in a network/enterprise environment. A Specification and
Schema comprise CIM. The Specification defines the details for integration with
other management models (such as the SNMP MIBs or the DMTF MIFs), while the
Schema provides the actual model descriptions.
Communications
The transfer of data between computers by a device such as a modem or cable.
Communications device
Also called the connection device. The communications device is a modem, network
interface card, or other hardware component enabling remote communications and
data transfer between computers.
Communications link
A connection between computers (and/or peripherals) enabling data transfer. A
communications link can be a network, modem, or cable.
Communications port (COM port)
Also called a serial port. The COM port is a location for sending and receiving
serial data transmissions. The ports are referred to as COM1, COM2, COM3, and
COM4.
Communications protocol
A set of rules designed to enable computers to exchange data. A communications
protocol defines issues such as transmission rate, interval type, and mode.
Communications session
The time during which two computers maintain a connection and are usually
engaged in transferring information.
Compile
To convert a high-level script into a low-level set of commands that can be
executed or run. Syntax errors are discovered when a script is being compiled.
Compromises security settings
This payload may attempt to gain access to passwords or other system-level
security settings. It may also search for openings in the Internet-processing
components of the computer to install a program on that particular system, which
an individual could remotely control over the Internet.
Connection
The successful establishment of a communications link.
Connection item
An item representing a pcAnywhere file, which contains connection device
information and security settings to be used during a session.
Console
1. A program interface for the management of software or networks. 2. In a
mainframe or UNIX environment, a terminal consisting of a monitor and keyboard.
Content filtering
A subcategory of a security policy that pertains to the semantic meaning of
words in text (such as email messages). It can also include URL filtering.
Crash recovery
A file transfer option that directs pcAnywhere to continue transferring files
where it left off when computers are reconnected after a broken connection,
instead of restarting the transfer.
Current risk
The remaining risk after safeguards have been applied.
Current vulnerability measure
The danger posed by a vulnerability after accounting for the safeguards you use
to secure it. If you use a valid safeguard, the current vulnerability measure is
less than the default vulnerability measure.
CVE References
A list of standardized names for vulnerabilities and other information security
exposures. CVE aims to standardize the names for all publicly known
vulnerabilities and security exposures. (Source: CVE Web site)
Damage
The damage component measures the amount of harm that a given threat might
inflict. This measurement includes triggered events, clogging email servers,
deleting or modifying files, releasing confidential information, performance
degradation, errors in the virus code, compromising security settings, and the
ease with which the damage may be fixed.
Data conversion
To convert the configuration files (for example, connecting to a host computer)
from an earlier version of pcAnywhere so that you can use them in the current
version. You can also use data conversion to import or export configuration
files to or from text files for record-keeping purposes.
Data template
A template that defines files or registry entries to be included in a backup.
Data transfer
The movement of information from one location to another. The transfer speed is
called the data rate or data transfer rate.
Data transmission
The electronic transfer of information from a sending device to a receiving
device.
Default threat measure rating
A rating based on the appropriate threat profile and the estimations of security
experts. Expert estimations were obtained using the Delphi inquiry method.
Default vulnerability measure
The danger posed by a vulnerability before you account for the safeguards that
you use to secure it. If you use a valid safeguard, the current vulnerability
measure is less than the default vulnerability measure.
Degrades performance
This payload slows computer operations, which could involve allocating available
memory, creating files that consume disk space, or causing programs to load or
execute more slowly.
Deletes files
This payload deletes various files on the hard disk. The number and type of
files that may be deleted vary among viruses.
Deploy
To perform a remote installation.
Desktop computer
1. A computer used primarily to perform work for individuals rather than to act
as a server. 2. A personal computer or workstation designed to reside on or
under a desktop.
Dial
To initiate a connection via LAN, modem, or direct connection, regardless of
whether actual dialing is involved.
Direct connection
A form of data communication in which one computer is directly connected to
another, usually via a null modem cable.
Disabled
A status indicating that a program, job, policy, or scan is not available. For
example, if scheduled scans are disabled, a scheduled scan does not execute when
the date and time specified for the scan is reached.
Discovery
A process in which one computer attempts to locate another computer on the same
network or domain.
Distributed Management Task Force (DMTF)
An industry organization that leads the development, adoption, and unification
of management standards and initiatives for desktop, enterprise, and Internet
environments. Working with key technology vendors and affiliated standards
groups, the DMTF enables a more integrated, cost-effective, and less
crisis-driven approach to management through interoperable management solutions.
Distribution
This component measures how quickly a threat is able to spread.
Domain
A group of computers or devices that shares a common directory database and is
administered as a unit. On the Internet, domains organize network addresses into
hierarchical subsets. For example, the .com domain identifies host systems used
for commercial business.
Domain Name System (DNS)
A hierarchical system of host naming that groups TCP/IP hosts into categories.
For example, in the Internet naming scheme, names with .com extensions identify
hosts in commercial businesses.
Download
To transfer data from one computer to another, usually over a modem or network.
Download usually refers to the act of transferring a file from the Internet, a
Bulletin Board System (BBS), or an online service to an individual's computer.
Download folder
The folder in which files that are received during file transfer are stored.
Driver
A program that interprets commands for transferring to and from peripheral
devices and the CPU.
Electronic exposure
A rating used to calculate the vulnerability based on whether a threat must have
electronic access to your system to exploit a vulnerability.
Enabled
A status indicating that a program, job, policy, or scan is available. For
example, if the scheduled scans are enabled, any scheduled scan will execute
when the date and time specified for the scan are reached.
Encrypted Virus
A virus using encryption to hide itself from virus scanners. That is, the
encrypted virus jumbles up its program code to make it difficult to detect.
Encryption
A method of scrambling or encoding data to prevent unauthorized users from
reading or tampering with the data. Only individuals with access to a password
or key can decrypt and use the data. The data can include messages, files,
folders, or disks.
Extended Partition Boot Record (EPBR)
Each logical partition resembles a physical hard disk, and on each logical hard
disk, an EPBR occupies the same position as the MBR of a physical hard disk.
ESM Agent
A software component that performs security assessment on a host system and
returns the results to the ESM Manager. The ESM Agents also store snapshot files
of system-specific and user-account information, make user-requested corrections
to files, and update snapshots to match corrected files.
ESM Enterprise Console
A Graphical User Interface (GUI) used to administer managers and agents. It
receives user input, sends requests to the ESM Manager, and formats the returned
security assessment data for display. The ESM Enterprise Console is supported
for ESM versions 5.0 and later. Older versions of ESM use the ESM GUI.
ESM Manager
A software component that coordinates the work of its assigned ESM Agents,
provides communication between the Agents and the ESM user interfaces, and
stores security data gathered by the Agents.
Event
A significant occurrence in a system or application that a program detects.
Events typically trigger actions, such as sending a user notification or adding
a log entry.
Event class
A predefined event category used for sorting reports and configuring alerts.
Event normalization
The process by which events from disparate sources are mapped to a consistent
framework.
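As an added example of the event normalization the entry describes (an illustration written for this page, not code from the Symantec products the glossary covers), the Python below maps two constructed feeds, a kernel-firewall syslog line carrying KEY=VALUE pairs and a comma-separated IDS alert, onto one common record layout, then counts events per source address across both feeds. The log lines, sensor names and addresses are invented; the assumed year 2003 supplies what a classic syslog timestamp omits.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events from two disparate sources (not real logs).
FIREWALL_SYSLOG = [
    "Mar  3 10:15:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=445",
    "Mar  3 10:15:09 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=192.168.1.20 PROTO=UDP DPT=53",
]
IDS_CSV = [
    "2003-03-03T10:15:03Z,ids2,alert,10.0.0.5,192.168.1.10,tcp,445,SMB probe",
]

SYSLOG_YEAR = 2003  # assumption: classic syslog timestamps carry no year, so one is supplied
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<action>[A-Z]+) (?P<kv>.*)$"
)
# Source-specific verbs mapped onto one vocabulary shared by every normalized event.
ACTION_MAP = {"DROP": "drop", "REJECT": "drop", "ACCEPT": "allow", "alert": "alert"}


def make_event(ts, sensor, action, src, dst, proto, port, source_format):
    """The consistent framework: every source ends up with exactly these fields."""
    return {
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
        "sensor": sensor,
        "action": ACTION_MAP.get(action, "unknown"),
        "src_ip": src,
        "dst_ip": dst,
        "proto": proto.lower(),
        "dst_port": int(port),
        "source_format": source_format,
    }


def normalize_syslog(line):
    """Parse a kernel firewall syslog line (KEY=VALUE pairs) into the common schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    kv = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Mar  3")
    ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return make_event(ts.replace(tzinfo=timezone.utc), m["host"], m["action"],
                      kv.get("SRC", ""), kv.get("DST", ""), kv.get("PROTO", ""),
                      kv.get("DPT", 0), "firewall_syslog")


def normalize_ids_csv(line):
    """Parse a comma-separated IDS alert into the common schema."""
    fields = line.split(",")
    if len(fields) < 7:
        return None
    ts, sensor, action, src, dst, proto, port = fields[:7]
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return make_event(ts, sensor, action, src, dst, proto, port, "ids_csv")


def normalize_all(syslog_lines=FIREWALL_SYSLOG, csv_lines=IDS_CSV):
    """Normalize both feeds and merge them into one time-ordered stream."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e]
    events += [e for e in map(normalize_ids_csv, csv_lines) if e]
    return sorted(events, key=lambda e: e["timestamp"])


def events_by_source(events):
    """Once normalized, events from different sensors can be counted by the same key."""
    return dict(Counter(e["src_ip"] for e in events))


if __name__ == "__main__":
    merged = normalize_all()
    for event in merged:
        print(event)
    print(events_by_source(merged))
```

The point of the common record is the last function: once both feeds share the same field names, timestamp format and action vocabulary, a single correlation rule (here, count by source address) can run over them without knowing which sensor produced each event.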
Event viewer (ITA event viewer)
A separate Windows NT or UNIX Graphical User Interface (GUI) for viewing event
data captured by intruder alert agents.
Exploit
A program or technique that takes advantage of a vulnerability in software and
that can be used for breaking security, or otherwise attacking a host over the
network.
Extended (partition)
An extended partition is a primary partition that was originally developed in
order to overcome the four-primary-partition limit. The extended partition is a
container, or a place-holder, for logical partitions. The extended partition
itself does not contain any data, nor does it receive a drive letter assignment.
It can contain any number of logical partitions, and each logical partition
receives a drive letter assignment, as long as the logical partition is
recognized by the operating system.
eXtensible Markup Language (XML)
The common language of the Web used to exchange information.
External Hostile Structured (EHS) threat
An individual or group outside of an organization that is motivated to attack,
exploit, or disrupt mission operations. This highly funded, extremely skilled
threat has substantial resources and unique tools. Foreign intelligence
services, criminal elements, and professional hackers involved in information
warfare, criminal activities, or industrial intelligence often fall into the EHS
threat category.
External Hostile Unstructured (EHU) threat
An individual outside of an organization who is motivated to attack, exploit, or
disrupt mission operations. This individual has limited resources, tools,
skills, and funding to accomplish a sophisticated attack. Many Internet hackers
and most crackers and vandals fall into the EHU threat category.
External Nonhostile Structured (ENS) threat
An individual outside of an organization who has little or no motivation for
attacking it. However, this threat has special resources, skills, tools, or
funding to launch a sophisticated attack. System and network security
professionals who use the Internet to obtain information or improve their skills
usually fall into the ENS threat category.
External Nonhostile Unstructured (ENU) threat
An individual outside of an organization who has little or no motivation for
attacking. This threat has limited resources, skills, tools, or funding to
launch a sophisticated attack. Common Internet users fall into the ENU threat
category.
External threat
A threat that originates outside of an organization.
File Allocation Table (FAT)
File Allocation Table. FAT can refer to three different types of partitions:
FAT12, FAT16, and FAT16b. FAT16b is the most common type, and is used for
partitions that are larger than 32 MB. FAT12 and FAT16 partitions were used with
MS-DOS 5.0, and are still used with Windows 98 (depending on the partition
size). The FAT file system format is used and recognized by DOS, Windows 3.x,
Windows 95, Windows NT, OS/2, and nearly all other operating systems.
FAT32
32-bit File Allocation Table. File system format recognized by Windows 95 B (or
later versions) and Windows NT 5 (or later versions).
FAT32x
A FAT32 partition that crosses over the 1024th cylinder of a hard drive.
File transfer
The process of using communications to send a file from one computer to another.
In communications, a protocol must be agreed upon by sending and receiving
computers before a file transfer can occur.
Firewall Rules
A security system that uses rules to block or allow connections and data
transmission between your computer and the Internet.
Geographic distribution
This measures the range of separate geographic locations where infections have
been reported. The measures are high (global threat), medium (threat present in
a few geographic regions), and low (localized or non-wild threat).
Group
In Windows NT user manager, an account that contains other accounts, which are
called members. Permissions and rights granted to a group are also provided to
its members, making groups a convenient way to grant common capabilities to
collections of user accounts.
Hardware setup
A set of hardware parameters, such as modem type, port/device, and data rate,
which is used as a singular named resource in launching a host or remote
session.
HLLC
Refers to a virus compiled using a high-level language that adds itself to a
location on the system from which it can be easily executed.
HLLO
Refers to a virus compiled using a high-level language that overwrites files.
HLLP
Refers to a virus compiled using a high-level language that is parasitic; that
is, the virus infects files with itself.
HLLW
Refers to a worm that is compiled using a High-Level Language. (Note:
This modifier may or may not be used as a prefix - it is only a prefix in the
case of a DOS High-Level Language Worm. If the Worm is a Win32 file, the proper
name is W32.HLLW.)
Hoax
Hoaxes usually arrive in the form of an email. Please disregard the hoax emails
- they contain bogus warnings usually intended only to frighten or mislead
users. The best course of action is to merely delete these hoax emails.
Host
1. In a network environment, a computer that provides data and services to other
computers. Services may include peripheral devices, such as printers, data
storage, email, or World Wide Web access. 2. In a remote control environment, a
computer to which remote users connect to access or exchange data.
Hypertext Transfer Protocol Secure (HTTPS)
A variation of HTTP that is enhanced by a security mechanism, which is usually
the Secure Sockets Layer (SSL).
Ignore
A condition that prevents an action from being executed on a rule.
Image file
A file that is created using Symantec Ghost. An image file of a disk or
partition is created and used to produce duplicates of the original disk or
partition.
Image file definition
A description of the properties of an image file, including the image file name,
location, and status.
Impact
The effect, acceptable or unacceptable, of an incident on a system, operation,
schedule, or cost. Unacceptable impact is impact deemed, by the system owner and
as compared to the missions and goals of the U.S. Department of Defense (DOD),
as severe enough to degrade an essential mission, capability, function, or
system causing an unacceptable result. Like impact, unacceptable impact refers
to the total system and all areas of operational concern, not only
confidentiality.
Inactive
A status indicating that a program, job, policy, or scan is not currently
running. For example, when a scheduled scan waits for the specified date and
time to execute, it is inactive.
Incident
The actualization of a risk. The event or result of a threat that exploits a
system vulnerability.
Incident response
The ability to deliver the event or set of events to an incident management
system or a HelpDesk system to resolve and track incidents.
Incident response cycle
The sequence of phases that a security event goes through from the time it is
identified as a security compromise or incident to the time it is resolved and
reported.
Infection Length
This is the size, in bytes, of the viral code that is inserted into a program by
the virus. If this is a worm or Trojan Horse, the length represents the size of
the file.
Information
A rating used to calculate a vulnerability, based on the relative availability
of information that discloses a vulnerability. For example, if a vulnerability
is disclosed in books or on the Internet, then the information factor is rated
high. If a vulnerability is not well-known and little or no documentation on the
vulnerability exists, then information is rated low.
Initialize
To prepare for use. In communications, initialize means to set a modem and
software parameters at the start of a session.
Integrated Services Digital Network (ISDN)
A type of phone line used to enhance Wide Area Network (WAN) speeds. ISDN lines
can transmit at speeds of 64 or 128 kilobits per second (Kbps), as opposed to
standard phone lines, which transmit at only 9600 bps. The phone company
installs an ISDN line at both the server and remote sites.
Internal Hostile Structured (IHS) threat
An individual or group within an organization that is motivated to disrupt
mission operations or exploit assets. This threat has significant resources,
tools, and skills to launch a sophisticated attack and potentially remove any
evidence of the attack. An IHS threat is unlikely to act but has the greatest
potential to cause damage. Highly skilled, disgruntled employees (such as system
administrators or programmers) or technical users who could benefit from
disrupting operations often fall into the IHS threat category.
Internal Hostile Unstructured (IHU) threat
An individual within an organization who has physical access to network
components. This individual is motivated to disrupt the operations of the
organization but lacks the resources, tools, or skills necessary to launch a
sophisticated attack. It would not be unusual for this threat to attack the
organization by deploying a common virus. Unskilled, disgruntled employees or
users who could benefit from disrupting operations often fall into the IHU
threat category.
Internal Nonhostile Structured (INS) threat
An individual within an organization who has physical access to network
components. This individual is not motivated to disrupt mission operations but
can do so by making common mistakes. Individuals executing INS threats are
usually skilled and have tools to assist them in performing security-related
functions. System administrators, network engineers, and programmers often fall
into the INS threat category.
Internal Nonhostile Unstructured (INU) threat
An individual within an organization who has physical access to network
components. This individual is not motivated to disrupt mission operations but
can do so unknowingly. Individuals executing INU threats do not have any unusual
skills or tools and are not interested in attacking. Usually, they are typical
users who make mistakes that can impact mission operations. The INU threat
category is typically the most likely to disrupt operations.
Internal threat
A threat that originates within an organization.
Internet Engineering Task Force (IETF)
An international community of network designers, operators, vendors, and
researchers who are concerned with the evolution of Internet architecture and
the smooth operation of the Internet. IETF is open to any interested individual.
The technical work of the IETF is done in its working groups, which are
organized by topic into several areas (such as routing, transport, security, and
so on). Much of the work is handled via mailing lists.
Internet Protocol (IP) address
Identifies a workstation on a TCP/IP network and specifies routing information.
Each workstation on a network must be assigned a unique IP address, which
consists of the network ID, plus a unique host ID assigned by the network
administrator. This address is usually represented in dot-decimal notation, with
the decimal values separated by a period (for example 123.45.6.24).
Internet Relay Chat (IRC)
IRC is a multi-user chat system, where people meet on "channels"
(rooms, virtual places, usually with a certain topic of conversation) to talk in
groups, or privately. This system also allows for the distribution of executable
content.
Interrupt Requests (IRQ)
Also called hardware interrupts. An IRQ is the signal by which a connection
device tells other hardware components that it needs attention. When you install
new devices (such as serial ports, modems, and mouse devices), you may find that
previously installed devices no longer work, because the new devices use the
IRQs that the older devices were using.
Intruder Alert agent
In Intruder Alert, the agent monitors the hosts and responds to events, by
performing defined actions based on applied security policies.
Intrusion Detection
A security service that monitors and analyzes system events in order to find
attempts to access system resources in an unauthorized manner and to provide
real-time or near real-time warnings of them. In practice, this is the detection
of break-ins or break-in attempts by reviewing logs or other information
available on a network.
Intrusion Detection Exchange Format (IDEF)
See Intrusion Detection Working Group (IDWG).
Intrusion Detection Working Group (IDWG)
A group that defines data formats and exchange procedures for sharing
information of interest to intrusion detection and response systems, as well as
to management systems that may need to interact with them. The IDWG coordinates
its efforts with other Internet Engineering Task Force work groups.
Known Dependencies
These programs have been known to install the security risk as a component, and
will therefore not function as intended if the security risk is removed from the
computer.
Large scale e-mailing
This type of payload involves sending emails to large numbers of people. This is
usually done by accessing a local address book and sending emails to a certain
number of people within that particular address book.
Launch
To start a program or application. In pcAnywhere, the host computer is launched
so that a remote computer can call it and begin a remote control session.
Leased line
A telephone channel that is leased from a common carrier for private use. A
leased line is faster and quieter than a switched line, but generally more
expensive.
Local Area Network (LAN)
A group of computers and other devices in a relatively limited area (such as a
single building) that are connected by a communications link, which enables any
device to interact with any other device on the network.
Log
A record of actions and events that take place on a computer. Logging is the
process of creating that record.
Logical (partition)
A logical partition is a partition that resides within an extended partition and
receives a drive letter assignment (provided that the partition type is
recognized by the operating system). Logical partitions are typically used to
store data, although some operating systems can be installed on a logical
partition.
Logon procedures
The process of identifying oneself to a computer after connecting to it over a
communications line. During the logon procedure, the computer usually requests a
user name and password. On a computer used by more than one person, the logon
procedure identifies the authorized users, keeps track of their usage time, and
maintains security by controlling access to sensitive files or actions.
Macro
A set of keystrokes and instructions that are recorded, saved, and assigned to a
short key code. When the key code is typed, the recorded keystrokes and
instructions execute (play back). Macros can simplify day-to-day operations,
which otherwise become tedious. For example, a single macro keystroke can set up
a connection using pcAnywhere.
Macro keys
Key codes assigned to sets of specific instructions. Also see macro.
Macro virus
A program or code segment written in the internal macro language of an
application, such as a word processor or spreadsheet, that copies itself into
other documents or templates and runs when an infected document is opened.
Management Information Base (MIB)
A database of objects that can be monitored by a network management system. Both
SNMP and RMON use standardized MIB formats that allow any SNMP and RMON tool to
monitor any device defined by an MIB.
Master Boot Record (MBR)
Contained in the first sector of the hard drive. It identifies where the active
partition is, and then starts the boot program in the boot sector of that
partition. The boot sector identifies where the operating system is located and
enables the boot information to be loaded into the computer's main storage or
RAM. The Master Boot Record includes a table that locates each partition present
on the hard drive.
MD5
A hash function such as MD5 is a one-way operation that transforms a data string
of any length into a shorter, fixed-length value (128 bits for MD5). A hash
function is useful for integrity checking only if it is impractical to find two
different inputs that produce the same hash value. MD5 no longer meets that
requirement: practical collision attacks against it are known, so it still
detects accidental corruption but cannot be relied on to detect deliberate
tampering, for which a stronger function such as SHA-256 should be used.
An MD5 checksum verifies data integrity by running the hash operation on the
data after it is received. The resultant hash value is compared to the hash
value that was published with the data. If the two values match, and the
published value was obtained over a trusted channel, the data was not altered in
transit.
Symantec provides an MD5 checksum utility and publishes MD5 hashes for all
available Virus Definitions Intelligent Updater downloads.
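Added example (not part of the original glossary, and not Symantec's checksum utility): the verification step described above, computing the digest of a downloaded file in chunks and comparing it with a published value. The file contents are a constructed stand-in for a definitions download, and the comparison uses a constant-time equality check.

```python
"""Verify a download against a published checksum.

Added example for the MD5 entry; not code from the original page.  The
sample payload is constructed so the example runs offline.
"""
import hashlib
import hmac


def file_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data, fed to the hash in 64 KiB chunks the way a
    checksum utility streams a large file rather than loading it whole."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    chunk = 64 * 1024
    for offset in range(0, len(view), chunk):
        h.update(view[offset:offset + chunk])
    return h.hexdigest()


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """Compare the computed digest with the published one.  The published
    value is normalised (published hashes are often upper-case or padded)
    and compared with hmac.compare_digest so the comparison time does not
    leak how many leading characters matched."""
    actual = file_digest(data, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed stand-in for a definitions download.
SAMPLE = b"virus definitions sample payload\n" * 4000

if __name__ == "__main__":
    published = file_digest(SAMPLE)              # value the vendor would post
    print("md5     ", published)
    print("sha256  ", file_digest(SAMPLE, "sha256"))
    print("intact  ", verify_checksum(SAMPLE, published))
    tampered = SAMPLE[:-1] + b"!"
    print("tampered", verify_checksum(tampered, published))
```

The same function with algorithm="sha256" gives a check that holds up against an adversary who can craft collisions; with MD5 the check only establishes that the file was not corrupted by accident. Either way, the published hash must come from somewhere the attacker cannot also edit (for example, a signed page or a TLS-protected vendor site), or the check proves nothing.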
Microsoft Management Console (MMC)
An extensible, common console framework for management applications. Management
applications are composed of MMC snap-ins, which add management functionality to
MMC. The Symantec System Center console and the Symantec AntiVirus Corporate
Edition snap-ins add functionality to administer computers that run the Symantec
AntiVirus Corporate Edition software.
Middleware
An application connecting two otherwise separate applications.
Mobile Code
Code (software) that is transferred from a host to a client (or another host
computer) to be executed (run). A worm is an example of malicious mobile code.
Modem
A device that enables a computer to transmit information over a standard
telephone line. Modems can transmit at different speeds or data transfer rates.
See also baud rate, bps.
Modifies files
This payload changes the contents of files on the computer and may corrupt
files.
Module
An executable that runs security checks on a specific area of server or
workstation security.
Motivation
The relative amount of incentive that a threat has to compromise or damage the
assets of an organization.
Multicast
To simultaneously send the same message to a list of recipients on a network.
Name of attachment
Most worms are spread as attachments to emails. This field indicates the usual
name or names that the attachment can be called.
NetProwler agent
A component that monitors the traffic on a network segment to detect, identify,
and respond to intrusion attacks.
NetProwler console
The Graphical User Interface (GUI) provided for managing all the agents assigned
to a NetProwler manager. From the console, you can assign agents, configure
agents, monitor agent alerts, query the NetProwler manager for specific
information, and generate or view security reports.
NetProwler manager
A component that coordinates the work of NetProwler agents, provides
communication between the agents and the user interfaces, and stores security
data gathered by the agents.
Network
A group of computers and associated devices connected by communications
facilities (both hardware and software) to share information and peripheral
devices, such as printers and modems. Also see LAN.
Network resource
Any device or node on a network that NetRecon can identify. Examples include
computers, printers, routers, and hubs (certain types). Since devices can be
known to a network in multiple ways (for example, one computer may have multiple
IP addresses, a NetBIOS name, and a NetWare name), the number of network
resources discovered by NetRecon is generally much greater than the number of
physical devices connected to the network.
Network station
A computer connected to a LAN through a network adapter card and software.
New Technology File System (NTFS)
The file system format introduced with Windows NT and used by the Windows NT
family of operating systems.
Node
1. In a tree structure, a point where two or more lines meet. 2. In a network,
any addressable device attached to the network that can recognize, process, or
forward data transmissions.
Notification
A predefined response triggered by a system condition, such as an event or error
condition. Typical responses include sound or visual signals, such as displaying
a message box, sending email, or paging an administrator. The administrator may
be able to configure the response. Also see alert.
N-Tier system
A system with managed endpoints, middleware, stand-alone tools, and backend
systems.
Null modem cable
A cable that enables two computers to communicate without using modems. A null
modem cable accomplishes this by crossing the sending and receiving wires, so
that the wire used for transmitting by one device is used for receiving by the
other, and vice versa.
Number of countries
A measure of the number of countries where infections are known to have
occurred.
Number of infections
Measures the number of computers known to be infected.
Number of sites
Measures the number of locations with infected computers. This normally refers
to organizations, such as companies, government offices, and so on.
Occurrence measure
The likelihood that a threat will manifest itself within an organization.
Organizational unit
A group of associated systems whose hierarchy generally reflects the network
topology. Organizational units can be nested and inherit their properties from
parent units when they have not already been associated with a configuration.
Overlapping safeguards
Two or more assigned safeguards that secure the same vulnerability.
Package
An object that contains the files and instructions for distributing software.
Package definition
A link from the console to an AI package, either on an attached drive or on a
Web server.
Parameter
A value that is assigned to a variable. In communications, a parameter is a
means of customizing program (software) and hardware operation.
Parent server
A computer that runs the Symantec AntiVirus Corporate Edition Server software,
as well as manages and communicates with computers that run the Symantec
AntiVirus Corporate Edition Client software. The virus definition files and
configuration updates are pushed from the parent server to its managed clients.
Alerts are sent from the managed clients to the parent server.
Parity
The quality of an integer being odd or even. Also see parity bit, parity
checking.
Parity bit
An extra bit (either 0 or 1) that is added to a group of bits so that the total
number of 1 bits in the group is even or odd, depending on whether even parity
or odd parity is used. The parity bit is used to check for errors in data
transfers between computers, usually over a modem or null modem cable.
Parity checking
The process of verifying the integrity of data transferred between computers,
usually over a modem or null modem cable. The most common methods are even
parity checking and odd parity checking. Depending on the method used, an extra
bit, called a parity bit, is added to each group of bits to make the count of 1
bits in the group either even or odd; the receiver recounts and flags a mismatch
as an error. A single parity bit detects any odd number of flipped bits but
misses an even number. Both computer systems must use the same method of parity
checking.
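Added example (not part of the original glossary): the parity bit and parity check above worked through on a 7-bit character frame, including the two cases a practitioner should know: a single flipped bit is caught, two flipped bits slip through, and the two ends disagreeing on even versus odd parity rejects every good byte. The character codes and injected errors are constructed for illustration.

```python
"""Even/odd parity on 7-bit serial characters.

Added example for the "Parity bit" and "Parity checking" entries; not code
from the original page.  Inputs are constructed for illustration.
"""


def parity_bit(data_bits: int, even: bool = True) -> int:
    """The bit that makes the number of 1 bits in (data + parity) even,
    or odd when even=False."""
    ones = bin(data_bits & 0x7F).count("1")
    bit = ones & 1                  # 1 when the data already has an odd count
    return bit if even else bit ^ 1


def frame(data_bits: int, even: bool = True) -> int:
    """Seven data bits plus the parity bit in bit 7: one transmitted byte."""
    return (data_bits & 0x7F) | (parity_bit(data_bits, even) << 7)


def check(received: int, even: bool = True) -> bool:
    """True when the received byte has the parity this end expects."""
    ones = bin(received & 0xFF).count("1")
    return (ones & 1) == (0 if even else 1)


def flip_bits(value: int, *positions: int) -> int:
    """Inject transmission errors by flipping the given bit positions."""
    for p in positions:
        value ^= 1 << p
    return value


if __name__ == "__main__":
    sent = frame(ord("A"))                    # 0x41 has two 1 bits: parity 0
    print(f"sent       {sent:08b} ok={check(sent)}")
    one = flip_bits(sent, 3)
    print(f"one error  {one:08b} ok={check(one)}")       # detected
    two = flip_bits(sent, 3, 5)
    print(f"two errors {two:08b} ok={check(two)}")       # missed
    print(f"odd parity at receiver, even at sender: ok={check(sent, even=False)}")
```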
Password
A secret string of characters that a user types, together with a user name, to
prove identity and gain access to computers and sensitive files. The system
checks the typed password against the stored credential record for that user.
The record should hold a salted one-way hash of the password rather than the
password itself, so that a stolen credential list does not directly reveal the
passwords. If the password is legitimate, the system allows access at the
security level approved for the owner of the password.
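Added example (not part of the original glossary): the logon check described under "Logon procedures" and "Password", written the way a system should do it. The stored record holds a random per-user salt and a slow PBKDF2 hash, never the password; the comparison is constant-time; and an unknown user name costs the same as a wrong password so the logon prompt does not reveal which user names exist. User names, passwords and the iteration count are constructed for illustration.

```python
"""Store and verify passwords as salted, iterated hashes.

Added example for the "Password" and "Logon procedures" entries; not code
from the original page.  Credentials below are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000    # PBKDF2 work factor, kept modest for the example
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Credential record stored for a user: salt, work factor and hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt with the stored salt and compare
    in constant time, so timing does not leak how close the attempt was."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Record for a throwaway password, used so that a logon for a user name that
# does not exist still performs one full hash computation.
DUMMY_RECORD = make_record(os.urandom(16).hex())


def logon(users: dict, username: str, password: str) -> bool:
    """Logon decision with the same cost for unknown users and bad passwords."""
    record = users.get(username, DUMMY_RECORD)
    ok = verify(record, password)
    return ok and username in users


def build_user_table(credentials: dict) -> dict:
    """Constructed directory {username: record} from plaintext credentials."""
    return {name: make_record(pw) for name, pw in credentials.items()}


if __name__ == "__main__":
    users = build_user_table({"alice": "correct horse battery staple"})
    print(logon(users, "alice", "correct horse battery staple"))   # True
    print(logon(users, "alice", "hunter2"))                        # False
    print(logon(users, "mallory", "hunter2"))                      # False
```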
Payload
This is the malicious activity that the virus performs. Not all viruses have
payloads, but there are some that perform destructive actions.
Payload trigger
The condition that causes the virus to activate or drop its destructive payload.
Some viruses trigger their payloads on a certain date. Others may trigger their
payload based on the execution of certain programs or on the availability of an
Internet connection.
Peripheral device
A piece of equipment (usually attached to one of the computer's ports) that lets
users send and receive data to and from a computer. Printers, modems, mouse
devices, and keyboards are all peripheral devices.
Physical exposure
A rating used to calculate the vulnerability, based on whether a threat must
have physical access to your system to exploit a vulnerability.
Ping
A basic Internet program that lets you verify that a particular Internet address
exists and can accept requests; also, the act of using the ping utility or
command. Pinging is used diagnostically to ensure that the host computer you are
trying to reach actually operates. A host or firewall that filters ICMP echo
requests will not reply, so the absence of a reply does not by itself prove that
the host is down.
Policy
The method of action selected from alternatives, given specific conditions to
guide and determine present and future decisions.
Policy library
A repository of all of the policies (preconfigured and user-defined) in ITA.
Polymorphic Virus
A virus that changes its byte pattern each time it replicates, typically by
encoding its body with a varying key and prepending a small decoding routine,
thereby avoiding detection by simple string-scanning techniques.
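Added example (not part of the original glossary, and not real malicious code): why string scanning fails against a polymorphic virus, shown with a harmless constructed byte string standing in for the viral body and a one-byte XOR as the mutation, the simplest form of the technique. The constant-pattern scanner misses every copy; a scanner that understands the decoder recovers the constant body and matches. The body, signature and decoder mark are all constructed for illustration.

```python
"""String scanning versus a decoding scanner on a polymorphic body.

Added example for the "Polymorphic Virus" entry; not code from the original
page.  Everything below is a constructed illustration, not malware.
"""
import os

BODY = b"SAMPLE-VIRAL-BODY-CONSTANT"   # constructed stand-in for the viral body
SIGNATURE = BODY[:8]                   # bytes a string scanner keys on
DECODER_MARK = b"\xEB\x01"             # constructed tag standing in for the decoder stub


def replicate(body: bytes, key: int = 0) -> bytes:
    """Make a new copy: decoder mark, one-byte key, then body XOR key.
    key=0 picks a fresh random non-zero key, as a mutation engine would."""
    if key == 0:
        key = os.urandom(1)[0] or 1
    encoded = bytes(b ^ key for b in body)
    return DECODER_MARK + bytes([key]) + encoded


def string_scan(sample: bytes) -> bool:
    """Naive detection: the fixed signature bytes must appear verbatim."""
    return SIGNATURE in sample


def decoding_scan(sample: bytes) -> bool:
    """Detection that understands the decoder: find the mark, read the key,
    undo the encoding, then look for the signature in the recovered body.
    Falls back to a plain string scan when no decoder is present."""
    pos = sample.find(DECODER_MARK)
    if pos < 0 or pos + 3 > len(sample):
        return string_scan(sample)
    key = sample[pos + 2]
    decoded = bytes(b ^ key for b in sample[pos + 3:])
    return SIGNATURE in decoded


def distinct_forms(copies: list) -> int:
    """Number of different byte patterns among the copies."""
    return len(set(copies))


if __name__ == "__main__":
    copies = [replicate(BODY) for _ in range(5)]
    print("distinct forms:", distinct_forms(copies))
    print("string scan hits:", sum(string_scan(c) for c in copies))
    print("decoding scan hits:", sum(decoding_scan(c) for c in copies))
```

Real engines vary the decoder itself as well as the key, which is why scanners moved from matching the decoded body with a fixed decoder to emulating the sample until the body appears in memory.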
Port
A hardware location for passing data in and out of a computing device. Personal
computers have various types of ports, including internal ports for connecting
disk drives, monitors, and keyboards, as well as external ports, for connecting
modems, printers, mouse devices, and other peripheral devices.
In TCP and UDP, a port is the number that identifies one endpoint of a logical
connection on a host. Well-known port numbers identify services by convention;
for example, port 80 is assigned to HTTP in both the TCP and UDP registries.
The number is only a convention: a threat may listen on, or send to, any port,
so the port alone does not prove which program is behind it.
Potential damage
A rating used to calculate a vulnerability, based on the relative damage
incurred if a threat exploits a vulnerability. For example, if a threat can
obtain root privileges by exploiting a vulnerability, the potential damage is
rated high. If a vulnerability only lets the threat browse a portion of a file
system, and this type of activity causes little or no damage to the network, the
potential damage is rated low.
Predictive risk assessment
A process that consists of risk assessment, business objectives, business
objective risk, business task, business task risk, and Business Impact
Assessment (BIA).
Predictive vulnerability
assessment
A process consisting of vulnerability assessment, safeguards, safeguard
assessment, assets, asset value, asset measure, risk, risk measure, and residual
risk.
Primary (partition)
A primary partition is referenced in the Master Boot Record partition table and
is normally used to contain operating systems and their associated application
files. Only one primary partition on a drive is marked active at a time, and
any others will typically be hidden and inaccessible (for purposes of DOS
compatibility and in order to prevent data corruption between operating
systems). The Master Boot Record partition table has room for four entries, so
an MBR-partitioned disk is limited to four primary partitions; one of these can
be an extended partition, which can contain any number of logical partitions.
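Added example (not part of the original glossary): a parser for the partition table described under "Master Boot Record (MBR)" and "Primary (partition)", run over a 512-byte sector constructed by hand rather than read from a disk. It checks the 0x55AA signature, decodes the four 16-byte entries at offset 0x1BE, identifies the active partition and the extended container, and flags two conditions a forensic examiner looks for: more than one active entry and partitions that overlap. The partition layout and type codes used are constructed for illustration.

```python
"""Parse the partition table of a Master Boot Record.

Added example for the "Master Boot Record (MBR)" and "Primary (partition)"
entries; not code from the original page.  The sector is constructed.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE                  # four 16-byte entries start here
SIGNATURE = b"\x55\xAA"               # last two bytes of a valid MBR
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, LBA and Linux extended containers


def parse_partition_table(sector: bytes) -> list:
    """The four entries as dicts; unused slots are None."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, sectors
        status, ptype, start_lba, size = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 and size == 0:
            entries.append(None)
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "extended": ptype in EXTENDED_TYPES,
            "start_lba": start_lba,
            "sectors": size,
            "end_lba": start_lba + size - 1,
        })
    return entries


def active_partition(entries: list):
    """The partition the MBR boot code hands control to, or None."""
    active = [e for e in entries if e and e["bootable"]]
    if len(active) > 1:
        raise ValueError("more than one active partition: table is corrupt")
    return active[0] if active else None


def overlapping(entries: list) -> bool:
    """True if any two partitions share sectors, a sign of a damaged or
    deliberately tampered table."""
    spans = sorted((e["start_lba"], e["end_lba"]) for e in entries if e)
    return any(spans[i][1] >= spans[i + 1][0] for i in range(len(spans) - 1))


def build_entry(status: int, ptype: int, start_lba: int, sectors: int) -> bytes:
    """Pack one entry; CHS fields are zeroed since modern loaders use LBA."""
    return struct.pack("<B3xB3xII", status, ptype, start_lba, sectors)


def sample_mbr() -> bytes:
    """Constructed MBR: zeroed boot code, an active NTFS primary, an
    extended container, two empty slots, and the signature."""
    table = (build_entry(0x80, 0x07, 2048, 409600)
             + build_entry(0x00, 0x0F, 411648, 204800)
             + bytes(32))
    return bytes(TABLE_OFFSET) + table + SIGNATURE


if __name__ == "__main__":
    for e in parse_partition_table(sample_mbr()):
        print(e)
```

Logical partitions are not in this table at all: each lives in an Extended Boot Record chained from the extended container, which is why a tool reading only sector 0 sees the container but not the volumes inside it.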
Primary server
A computer that runs the Symantec AntiVirus Corporate Edition Server software,
which is responsible for configuration and virus definition file update
functions in a server group. When you perform a task at the server group level
in the Symantec System Center, the task runs on the primary server. The primary
server forwards the task to its secondary servers. If the primary server runs
Alert Management System2, it processes all the alerts.
Probe
Any effort, such as a request, transaction, or program, which is used to gather
information about a computer or the network state. For example, sending an empty
message to see whether a destination actually exists.
Ping is a common utility for sending such a probe. Some probes are inserted near
key junctures in a network for monitoring or collecting data about network
activity.
Profiler
An automated configuration tool that scans a network for live systems and guides
you through the process of defining systems that you want to monitor, as well as
attack signatures that you want associated with each system.
Profiling
The process of scanning a network for live systems to monitor and of associating
attack signatures with those particular systems. Also see profiler.
Property filtering
A subcategory of a security policy that pertains to the properties of email
messages, such as attachment size, number of recipients, or whether an
attachment is encrypted.
Protocol
A set of rules enabling computers or devices to exchange data with one another
with as little error as possible. The rules govern issues, such as error
checking and data compression methods. Also see communications protocol.
Proxy
A software agent, often a firewall mechanism, which performs a function or
operation on behalf of another application or system while hiding the details
involved.
Quarantine
To isolate files suspected to contain a virus, so that the files cannot be
opened or executed. The Symantec AntiVirus Corporate Edition heuristically
detects suspect files and virus-infected files that cannot be repaired with the
current set of virus definitions. From the Quarantine on the local computer,
quarantined files can be forwarded to a central network quarantine and submitted
to Symantec Security Response for analysis. If a new virus is discovered, the
updated virus definitions are automatically returned.
Rapid Release Virus Definitions
Rapid release definitions are most valuable during a high-level outbreak, when
users are unable to wait for definitions to undergo full quality assurance
testing.
While rapid release definitions have not been fully certified, Symantec Security
Response makes every effort to ensure that all definitions function correctly.
Record
To capture and store a set of data that consists of a series of actions and
events.
Region
The part of a network administrated by an ESM Console user. An ESM region can
contain managers, domains, agents, security policies, and a summary database
that contains the results of the ESM policy runs.
Releases confidential information
This payload may attempt to gain access to important data stored on the
computer, such as credit card numbers.
Remote
A computer that connects with a host computer and takes control of it in a
remote control session.
Remote communication
The interaction with a host by a remote computer through a telephone connection
or another communications line, such as a network or a direct serial cable
connection.
Remote control session
A process in which a remote computer calls and connects with a host computer.
Then, the remote computer operates the host while the host's video display is
transmitted to the remote computer's monitor. CPU activity takes place on the
host.
Remote networking
A connection in which a computer calls a network device, and then operates as a
node on that particular network. Remote networking is also referred to as
Dial-Up Networking or remote access. Also see remote control session.
Removal
Measures the skill level required to remove the threat from a given computer.
Removal sometimes involves deleting files and modifying registry entries. The
three levels are Difficult/High (requires an experienced technician),
Moderate/Medium (requires some expertise), and Easy/Low (requires little or no
expertise).
Replication
The process of duplicating data from one database to another.
Report
A set of data that is organized and formatted according to specific criteria.
Residual risk
The risk that remains after the application of selected safeguards.
Response actions
Actions that you can configure NetProwler to perform when it detects an attack.
Response actions include capturing the attacker's session, resetting the
session, emailing an administrator, or paging an administrator.
Retrovirus
A computer virus that actively attacks an antivirus program or programs in an
effort to prevent detection.
Risk
A threat that exploits a vulnerability that may cause harm to one or more
assets.
Risk assessment
The computation of risk. Risk is a threat that exploits some vulnerability that
could cause harm to an asset. The risk algorithm computes the risk as a function
of the assets, threats, and vulnerabilities. One instance of a risk within a
system is represented by the formula (Asset * Threat * Vulnerability). Total
risk for a network equates to the sum of all the risk instances.
Performance
This component measures the negative impact that the presence of a security risk has on the computer's performance. A low rating indicates that there is minimal degradation to the computer's performance, while a high rating indicates that the computer's performance is seriously degraded.
Privacy
This component assesses the level of privacy that is lost due to the presence of a security risk on a computer. Privacy may be lost due to activities such as monitoring Web sites visited or transmission of other personal information. A low rating indicates that the presence of the security risk results in little or no loss of privacy, while a high rating indicates that personal and other sensitive information may be stolen.
Removal
This component assesses the difficulty in removing a security risk from a computer. Several security risks have functioning uninstallers and are relatively easy to remove.
In other cases it may be necessary to uninstall the security risk by manually deleting files and registry entries. A program that is easily removed from a computer has a low rating, while a high rating is given to security risks that are difficult to remove.
Stealth
This component assesses how easy it is to determine if a security risk is present on a computer. A low rating indicates a program that makes little or no attempt to hide its presence on the compromised computer. A high rating indicates that the security risk is employing techniques to hide its presence on the computer, which may make it difficult to determine if the security risk is installed on the computer.
Risk management team
A group of people who hold varying views of a network: the people who use the
network, and those who define the purpose of the network. The team should
include end users, system administrators, system security officers, system
engineers, and the owners of the data, residing on the network.
Risk measure
A quantitative measurement of risk. The product of the asset measure, threat
measure, and vulnerability measure, based on proven algorithms.
RS-232-C standard
An industry standard for serial communication connections. Specific lines and
signal characteristics control the transmission of serial data between devices.
Rule
A logical statement that lets you respond to an event, based on predetermined
criteria.
Run
To execute a program or script.
Safeguard
A process, procedure, technique, or feature intended to mitigate the effects of
risk. Safeguards rarely, if ever, eliminate risk-they reduce it to an acceptable
level.
Safeguard assessment
A process identifying the safeguards that best support the risk-reduction
strategy formed during the risk assessment phase.
Script
A type of program that consists of a set of instructions for an application. A
script usually consists of instructions that are expressed using the
application's rules and syntax, combined with simple control structures. The
pcAnywhere source scripts have a .scr extension; compiled, executable pcAnywhere
scripts have a .scx extension.
Secondary server
A computer running the Symantec AntiVirus Corporate Edition Server software,
which is a child of a primary server. In a server group, all the secondary
servers retrieve information from the same primary server. If the secondary
server is a parent server, it in turn passes information to its managed clients.
Secure Sockets Layer (SSL)
A protocol that authenticates the server to the client by certificate,
optionally authenticates the client to the server as well (mutual
authentication), and establishes an encrypted connection between them. SSL has
been superseded by Transport Layer Security (TLS); the SSL protocol versions
themselves are obsolete and should be disabled.
Security architecture
A plan and set of principles that describe the security services that a system
is required to provide to meet the needs of its users, the system elements
required to implement the services, and the performance levels required in the
elements to deal with the threat environment.
Security life cycle
A method of initiating and maintaining a security plan. It involves assessing
the risk to your business, planning ways to reduce the risk to your business,
implementing the plan, and monitoring your business to verify that the plan
reduced the risk.
Security response
The process of research, creation, delivery, and notification of responses to
viral and malicious code threats, as well as operating system, application, and
network infrastructure vulnerabilities. Also see notification.
Security services
The security management, monitoring, and response services that let
organizations leverage the knowledge of Internet security experts to protect the
value of their networked assets and infrastructure.
Sequence number
Only the Norton AntiVirus Corporate products use the sequence numbers, which are
an alternate method of representing the date of the latest definitions or
required definitions. Sequence numbers are sequentially assigned to signature
sets, and they are always cumulative. A signature set with a higher sequence
number supersedes a signature set with a lower sequence number.
Serial communication
The transmission of information between computers, or between computers and
peripheral devices, one bit at a time over a single line (or a data path that is
one-bit wide). Serial communications can be either synchronous or asynchronous.
The sender and receiver must use the same data transfer rate, parity, and flow
control information. Most modems automatically synchronize to the highest data
transfer rate that both modems can support.
pcAnywhere uses the asynchronous communications standard for personal computer
serial communications.
Serial interface
A data transmission scheme in which data and control bits are sequentially sent
in a one-bit-wide data path over a single transmission line. Also see the
RS-232-C standard.
Serial port
Also known as a communications port or COM port. The serial port is a location
for sending and receiving serial data transmissions. DOS references these ports
by the names COM1, COM2, COM3, and COM4.
Serial transmission
The transmission of discrete signals one after the other. In communications and
data transfer, serial transmission involves sending information over a single
wire, one bit at a time. This is the method used in modem-to-modem
communications over telephone lines.
Server group
A container of Symantec AntiVirus Corporate Edition servers and clients that
share communication channels. Server group members can be managed as a unit.
Server groups are independent of Windows NT/2000 domains.
Servlet
A Java program that runs within a Web server environment to handle requests.
Unlike an applet, it runs on the server rather than in the client's browser.
Session
In communications, the time during which two computers maintain a connection and
are usually engaged in transferring information.
Severity
A level assigned to an incident. See incident.
Shared drives
This field indicates whether the threat will attempt to replicate itself through
mapped drives or other server volumes to which the user might be authenticated.
Size of attachment
This field indicates the size of the file attached to the infected email.
Source computer
A computer (with drivers and applications installed) that is used as a template.
An image file of this computer is created and cloned onto other client
computers.
SpeedSend
An option that enhances file transfer performance when sending files with
duplicate file names, by comparing the two files and transferring only the data
that is different in the source file.
Subject of email
Some worms spread by sending themselves to other people through email. This
field indicates the subject of the email that the worm sends.
Stateful dynamic signature
inspection
An intrusion detection method used to detect attacks. Stateful refers to the
virtual processor that lets NetProwler build a context around a monitored
network session, enabling efficient analysis and recording of complex events.
Dynamic refers to the ability to create and activate new attack signatures
without taking the system offline. Signature Inspection is a method of detection
that compares an attack signature with a cache of attack signatures on
NetProwler.
Structured external threat
An individual outside of your organization who may be a threat. This person is
technically skilled, may collaborate with others, and may use automated tools.
Structured internal threat
An individual inside your organization who may be a threat. This person is
technically skilled, may collaborate with others, and may use automated tools.
Structured threat
An individual who may be a threat to your organization. This person is
technically skilled, may collaborate with others, and may use automated tools.
Switched line
A standard dial-up telephone connection; the type of line that is established
when a call is routed through a switching station. Also see leased line.
Symantec System Center (SSC) console
A type of software used to monitor and control computers that run supported
Symantec client or server software. The SSC console is a snap-in to the
Microsoft Management Console (MMC). Additional snap-ins, such as the Norton
AntiVirus Corporate Edition snap-in, add product-specific management
capabilities to the SSC console.
Synchronize
To copy files between two folders on host and remote computers to make the
folders identical to one another. (Copying occurs in both directions.) If there
are two files with the same name, the file with the most current date and time
is copied. Files are never deleted during the synchronization process. See also
clone.
Synchronous transmission
A form of data transmission in which information is sent in blocks of bits
separated by equal time intervals. The sending and receiving devices must first
be set to interact with one another at precise intervals, then data is sent in a
steady stream. Also see asynchronous transmission.
Syntax error
An error made by an author when creating a script, such as not enclosing a
string in quotes or specifying the wrong number of parameters. Syntax errors are
detected during the script compilation and are written to a file with the same
source file name and the .err extension. You can use the pcAnywhere Editor to
view the .err file, make corrections to the script, and re-attempt compilation.
Systems Security Engineering-Capability Maturity Model
(SSE-CMM)
A system for describing the essential characteristics of an organization's
security engineering process, which must exist to ensure good security
engineering. Engineering organizations can use the model to evaluate and refine
security engineering practices; customers, to evaluate a provider's security
engineering capability; and security engineering evaluation organizations, to
establish organizational, capability-based confidences.
System
A set of related elements that work together to accomplish a task or provide a
service. For example, a computer system includes both hardware and software.
Systems Affected
Refers to operating systems or applications that are vulnerable to a threat.
Systems Not Affected
Refers to operating systems or applications that are not vulnerable to a threat.
The list of systems may change as more information about a given threat becomes
available.
Target of infection
Systems, files, or media (for example, hard drives), that a threat attempts to
infect or otherwise disrupt.
Technical description
This section describes the specific details of the infection, such as registry
entry modifications and files that are manipulated by the virus.
Telephony Application Programming Interface (TAPI)
Microsoft Windows operating systems use this standard to connect a computer to
telephone services. Windows uses TAPI to automatically detect and configure
communication hardware, such as modems, which are installed on a computer.
Template
In Enterprise Security Manager (ESM), a file that includes module control
directives and definitions of objects, and their expected states.
Terminal services
A Microsoft technology that lets users remotely execute Windows-based
applications on a terminal server. Applications run entirely on the server. The
server transfers only the user interface, keystrokes, and mouse movements
between the server and client.
Threat
A circumstance, event, or person with the potential to cause harm to a system in
the form of destruction, disclosure, data modification, and/or Denial of Service
(DoS).
Threat assessment
The severity rating of the virus, worm, or Trojan horse. The threat assessment
includes the damage that this threat causes, how quickly it can spread to other
computers (distribution), and how widespread the infections are known to be
(wild).
Threat containment
A measure of how well current antivirus technology can keep this threat from
spreading. As a general rule, older virus techniques are generally
well-contained; new threat types or highly complex viruses can be more difficult
to contain, and are correspondingly more a threat to the user community. The
measures are Easy (the threat is well-contained), Moderate (the threat is
partially contained), and Difficult (the threat is currently uncontainable).
Threat measure
A quantitative measurement of a threat. A threat's physical access, electronic
access, capability, motivation, and occurrence measure determine the threat
measure.
Threat safeguard
A process, procedure, technique, or feature that deters one or more threats to
the network, by reducing the risk linked to a system's threat measure.
Threshold
The number of events that satisfy certain criteria. Administrators define
threshold rules to determine how notifications are to be delivered.
Time stamp of attachment
This field indicates the date and time of the file attachment.
Time-out
A predetermined period of time during which a given task must be completed. If
the time-out value is reached before or during task execution, the task is
canceled. You can configure a pcAnywhere host to disconnect from a remote
computer after a certain amount of time has passed without activity.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A common set of protocols used on the Internet to link dissimilar computers
across many kinds of networks.
Tune-up pack
An executable that installs software enhancements to a specific version of ESM.
Adware
Programs that facilitate delivery of advertising content to the user through their own window, or by utilizing another program's interface. In some cases, these programs may gather information from the user's computer, including information related to Internet browser usage or other computing habits, and relay this information back to a remote computer or other location in cyber-space.
Adware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger adware by accepting an End User License Agreement from a software program linked to the adware or from visiting a website that downloads the adware with or without an End User License Agreement.
Dialers
Programs that use a computer or modem to dial out to a toll number or internet site, typically to accrue charges. Dialers can be installed with or without a user’s explicit knowledge, and may perform their dialing activity without a user’s specific consent prior to dialing.
Hack Tools
Tools that can be used by a hacker or unauthorized user to attack, gain unwelcome access to, or perform identification or fingerprinting of your computer. While some hack tools may also be valid for legitimate purposes, their ability to facilitate unwanted access makes them a risk. Hack tools also generally:
- Attempt to gain information on or access hosts surreptitiously, utilizing methods that circumvent or bypass obvious security mechanisms inherent to the system on which they are installed, and/or
- Facilitate an attempt at disabling a target computer, preventing its normal use
One example of a hack tool is a keystroke logger -- a program that tracks and records individual keystrokes and can send this information back to the hacker. The category also applies to programs that facilitate attacks on third-party computers as part of a direct or distributed denial-of-service attempt.
Joke Program
Programs that alter or interrupt the normal behavior of your computer, creating a general distraction or nuisance. Joke programs generally do not themselves engage in the practice of gathering or distributing information from the user's computer.
Remote Access
Programs that allow one computer to access another computer (or facilitate such access) without explicit authorization when an access attempt is made. Once access is gained, usually over the Internet or by direct dial access, the remote access program can attack or alter the other computer. It may also have the ability to gather personal information, or infect or delete files. Such programs may also create the risk that third-party programs can exploit their presence to obtain access. Remote access programs generally:
- Attempt to remain unnoticed, either by actively hiding or simply not making their presence on a system known to the user, and/or
- Attempt to hide any evidence of their being accessed remotely over a network or the Internet
The means by which these programs provide access may include notifying a remote host of the machine by sending its address or location, or employing functionality that wholly or partially automates access to the computer on which the program is installed.
Spyware
Programs that have the ability to scan systems or monitor activity and relay information to other computers or locations in cyber-space. Among the information that may be actively or passively gathered and disseminated by Spyware: passwords, log-in details, account numbers, personal information, individual files or other personal documents. Spyware may also gather and distribute information related to the user's computer, applications running on the computer, Internet browser usage or other computing habits.
Spyware frequently attempts to remain unnoticed, either by actively hiding or by simply not making its presence on a system known to the user. Spyware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger spyware by accepting an End User License Agreement from a software program linked to the spyware or from visiting a website that downloads the spyware with or without an End User License Agreement.
Trackware
Programs that track system activity, gather system information, or track user habits and relay this information to third-party organizations. The information gathered by such programs is neither personally identifiable nor confidential.
Trackware programs are installed with the user's consent and may also be packaged as part of other software installed by the user.
Viruses, Worms and Trojan Horses
A virus is a program or code that replicates itself onto other files with which it comes in contact; that is, a virus can infect another program, boot sector, partition sector, or a document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many can do damage to a computer system or a user's data as well.
A worm is a program that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive via exploitation of a system vulnerability or by clicking on an infected e-mail.
A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan Horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.
Other
Risks that do not meet the definitions of Viruses, Trojan horses, Worms, or other security risk categories, but which may present a risk to a computer and its data, an unwanted nuisance to the user, or exhibit other unexpected or unwanted results when the risk is present and functioning. This category includes programs that encrypt or otherwise attempt to obfuscate some of their functionality, making it difficult to determine whether they fall into one of the other categories.
Unstructured external threat
An individual outside your organization who may be a threat. This person is
technically unskilled or unsophisticated.
Unstructured internal threat
An individual inside your organization who may be a threat. This person is
technically unskilled or unsophisticated.
Unstructured threat
A threat that tends to be technically unskilled or unsophisticated.
Upload
To send a file from one computer to another via modem, network, or serial cable.
With a modem-based communications link, the process generally involves the
requesting computer instructing the remote computer to prepare to receive the
file on its disk and wait for the transmission to begin. Also see download.
User account
A Windows NT file that contains information that identifies a user to Windows
NT. This includes the user name and password, groups in which the user account
has membership, and the rights and permissions that the user has for using the
system and accessing its resources.
User manager
A Windows NT utility that enables users with administrative privileges to edit
and define individual user accounts and privileges for the local workstation.
Variants
New strains of viruses that borrow code, to varying degrees, directly from other
known viruses. The variants are usually identified by a letter, or letters,
following the virus family name; for example, VBS.LoveLetter.B,
VBS.LoveLetter.C, and so on.
Virus Definitions (Intelligent Updater™)
Symantec Security Response fully tests the Intelligent Updater definitions for
quality assurance. The definitions are posted daily and can be downloaded from
the Symantec Security Response Web site and manually installed.
Corporate network administrators, as well as end users who practice potentially
risky Internet behavior (for example, clicking on email attachments from unknown
senders or attachments included in unexpected emails, downloading files from
newsgroups or suspicious Web sites, and so on) benefit the most from downloading
and installing the Intelligent Updater definitions on a daily basis.
Home users: While it is possible, it is not absolutely necessary for you
to download and install the Intelligent Updater definitions daily. Symantec
receives samples of new risks every day and we build new definitions for these
risks daily. However, in many cases these risks are not in the wild, or if in
the wild, they have a very low incidence of infection. In any event, if we
detect that a risk in the wild is rapidly spreading, we immediately release
LiveUpdate packages to fully protect our customers. Additionally, if you suspect
that a risk is present on your computer, take advantage of the Scan and Deliver
functionality to submit the suspect file for analysis by Symantec Security
Response.
Virus Definitions (LiveUpdate™ Daily)
LiveUpdate Daily definitions are made available each day, providing the most
convenient method for protecting your PC from risks. Symantec Security Response
fully tests all the definitions for quality assurance before they are posted to
the LiveUpdate servers. LiveUpdate Daily is available for the Norton
AntiVirus™ 2006, Norton Internet Security™ 2006, Symantec AntiVirus™
Corporate Edition 10.0, and Symantec Client Security™ 3.0 products.
Virus Definitions (LiveUpdate™ Plus)
LiveUpdate Plus definitions are available for enterprise customers with Platinum
Support entitlements. LiveUpdate Plus allows for daily definition updates for
large networks that use the LiveUpdate Administration Utility.
Virus Definitions (LiveUpdate™ Weekly)
LiveUpdate is the easiest way to obtain definitions and product updates for
consumer products. Symantec Security Response fully tests all the definitions
for quality assurance before they are posted to the LiveUpdate servers. These
definitions are released once each week (usually Wednesdays), unless there is a
major outbreak.
Virus definitions file
A file that provides information to antivirus software to find and repair risks.
In the Symantec AntiVirus Corporate Edition, the administrator must regularly
distribute updated definition files to the servers and clients of the Symantec
AntiVirus Corporate Edition. Definition files contain protection for all the
latest viruses, worms, Trojans and security risks.
Voice first
A feature that allows the host and remote users to have a voice conversation
before beginning a data session. Use voice first when you have only one phone
line and want to speak with the other user before starting the session.
Vulnerability assessment
The identification and quantification of a system's technical and environmental
vulnerabilities.
Vulnerability Management
The practice of identifying and removing weaknesses that can be used to
compromise the confidentiality, integrity, or availability of a computer
information asset. Vulnerability management is a preventive information
security practice: it identifies and removes weaknesses before they can be used
to compromise a computer information asset.
Vulnerability measure
A quantitative measurement of vulnerability. Symantec Risk Assessor measures
each vulnerability through its physical exposure, electronic exposure, potential
damage, age, and information.
Vulnerability measure factors
The elements used to calculate the danger posed by a vulnerability
(vulnerability measure). Each vulnerability is rated in terms of its physical
exposure, electronic exposure, potential damage, information, and age.
Vulnerability safeguard
A process, procedure, technique, or feature that assists in securing a
vulnerability, by reducing the risk linked to the system's vulnerability
measure.
Warning
A message that informs the user that performing an action can or will result in
data loss on the user's system.
Web-Based Enterprise Management (WBEM)
A set of management and Internet standard technologies developed to unify the
management of enterprise computing environments. WBEM enables the industry to
deliver a well-integrated set of standards-based management tools that leverage
emerging Web technologies.
Wild
The wild component measures the extent to which a virus is already spreading
among computer users. This measurement includes the number of infected
independent sites and computers, the geographic distribution of infection, the
ability of current technology to combat the threat, and the complexity of the
virus.