9. Glossary
9.1 Types of infiltration
An infiltration is a piece of malicious software that attempts to enter and/or damage a user's computer.
9.1.1 Viruses
A computer virus is an infiltration that corrupts existing files on your computer. Viruses are named after biological viruses, because they use similar techniques to spread from one computer to another.
Computer viruses mainly attack executable files and documents. To replicate, a virus typically attaches its “body” to the end of a target file (other variants prepend or overwrite code, but the appending form is the classic one). In short, a computer virus works as follows: when the infected file is executed, the virus code runs first (before the original application) and performs its predefined task. Only after that is the original application allowed to run. A file virus cannot infect a computer unless the infected file is run or opened, whether the user does so accidentally or deliberately.
Computer viruses can range in purpose and severity. Some of them are extremely dangerous because of their ability to purposely delete files from a hard drive. On the other hand, some viruses do not cause any damage - they only serve to annoy the user and demonstrate the technical skills of their authors.
It is important to note that viruses (compared to trojans or spyware) are increasingly rare, because they are not commercially attractive to malware authors. Additionally, the term “virus” is often used incorrectly to cover all types of infiltrations. This usage is gradually being replaced by the more accurate term “malware” (malicious software).
If your computer is infected with a virus, it is necessary to restore infected files to their original state - i.e., to clean them by using an antivirus program.
Examples of viruses are: OneHalf, Tenga, and Yankee Doodle.
9.1.2 Worms
A computer worm is a program containing malicious code that attacks host computers and spreads via a network.
The basic difference between a virus and a worm is that worms can replicate and travel by themselves; they do not depend on host files (or boot sectors). Worms typically spread by mailing themselves to addresses harvested from the victim's contact list or by exploiting security vulnerabilities in network-facing applications.
Worms are therefore far more infectious than computer viruses. Given the ubiquity of the Internet, they can spread across the globe within hours or even minutes of their release. This ability to replicate independently and rapidly makes them more dangerous than other types of malware.
A worm activated in a system can cause a number of inconveniences: It can delete files, degrade system performance, or even deactivate programs. The nature of a computer worm qualifies it as a “means of transport“ for other types of infiltrations.
If your computer is infected with a worm, we recommend you delete the infected files because they likely contain malicious code.
Examples of well-known worms are: Lovsan/Blaster, Stration/Warezov, Bagle, and Netsky.
9.1.3 Trojan horses
Historically, computer trojan horses have been defined as a class of infiltrations which attempt to present themselves as useful programs, thus tricking users into letting them run. Note that this was true of trojan horses in the past; today there is no longer a need for them to disguise themselves. Their sole purpose is to infiltrate as easily as possible and accomplish their malicious goals. “Trojan horse” has become a very general term describing any infiltration that does not fall under a more specific class.
Since this is a very broad category, it is often divided into many subcategories:
Downloader - A malicious program with the ability to download other infiltrations from the Internet
Dropper - A type of trojan horse designed to drop other types of malware onto compromised computers
Backdoor - An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it
Keylogger - (keystroke logger) - A program which records each keystroke that a user types and sends the information to remote attackers
Dialer - Dialers are programs designed to connect to premium-rate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dial-up modems, which are no longer regularly used
Trojan horses usually take the form of executable files with the extension .exe. If a file on your computer is detected as a trojan horse, it is advisable to delete it, since it most likely contains malicious code.
Examples of well-known trojans are: NetBus, TrojanDownloader.Small.ZL, and Slapper.
9.1.4 Rootkits
Rootkits are malicious programs that grant remote attackers unrestricted access to a system while concealing their presence. After gaining access to a system (usually by exploiting a vulnerability), rootkits use operating-system functions to avoid detection by antivirus software: they conceal processes, files, Windows registry data, etc. For this reason they are almost impossible to detect with ordinary scanning techniques.
There are two stages at which rootkits can be detected:
1) When they try to enter a system. At this point they are not yet installed and are therefore inactive. Most antivirus systems can eliminate rootkits at this stage (provided they actually detect such files as infected).
2) When they are already active and hidden from ordinary scanning. ESET File Security users have the advantage of Anti-Stealth technology, which is also able to detect and eliminate active rootkits.
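The second stage relies on the fact that a rootkit hides objects from one view of the system but cannot make the kernel forget them entirely. The following added example (not part of the manual, and not ESET's Anti-Stealth implementation) illustrates the cross-view principle for processes on Linux: PIDs listed in /proc are compared with PIDs that answer a direct kill(pid, 0) probe; anything alive that never appears in the listing is hidden. The provider functions are injectable so the logic can be exercised with constructed views on any platform.

```python
# Added illustration for the "Rootkits" entry: cross-view detection of
# hidden processes. A rootkit that filters the /proc directory listing (or the
# equivalent Windows process enumeration) can hide a PID from the usual view,
# but the kernel still answers a direct probe for that PID. Comparing the two
# views exposes the hidden entries. Generic illustration only; this is not
# ESET's Anti-Stealth code.
import os
from typing import Callable, Iterable, Optional, Set


def listed_pids_from_proc() -> Set[int]:
    """High-level view: the PIDs the system shows when /proc is listed."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists_by_signal(pid: int) -> bool:
    """Low-level view: ask the kernel directly whether PID is alive.
    Signal 0 performs existence/permission checks without delivering anything;
    EPERM means the process exists but belongs to another user."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False


def read_pid_max(default: int = 32768) -> int:
    """Upper bound for the probe range (falls back to a classic default)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return default


def find_hidden_pids(listed: Callable[[], Set[int]] = listed_pids_from_proc,
                     probe: Callable[[int], bool] = pid_exists_by_signal,
                     pid_range: Optional[Iterable[int]] = None) -> Set[int]:
    """PIDs that answer a direct probe but never appear in the listing.

    The listing is taken both before and after the probe sweep so that a
    process which starts or exits during the sweep is not mistaken for a
    hidden one: only a PID alive at probe time and absent from BOTH listings
    is reported. (A very short-lived process can still slip through; a real
    scanner repeats the sweep.)
    """
    if pid_range is None:
        pid_range = range(1, read_pid_max() + 1)
    before = listed()
    alive = {pid for pid in pid_range if probe(pid)}
    after = listed()
    return alive - (before | after)


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        # A full sweep probes up to pid_max PIDs; a few seconds on most systems.
        hidden = find_hidden_pids()
        print("hidden PIDs:", sorted(hidden) or "none")
    else:
        print("no /proc on this platform; use injected providers instead")
```

Run on a live Linux host the default providers compare the real /proc listing with real probes; an empty result is the expected outcome on a clean machine. The same idea applies to files (directory listing versus raw filesystem metadata) and registry keys, which is why the text says an active rootkit can still be detected once the scanner obtains a second, lower-level view.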
9.1.5 Adware
Adware is short for advertising-supported software. Programs displaying advertising material fall under this category. Adware applications often automatically open a new pop-up window containing advertisements in an Internet browser, or change the browser's home page. Adware is frequently bundled with freeware programs, allowing their creators to cover the development costs of their (usually useful) applications.
Adware itself is not dangerous - users will only be bothered with advertisements. Its danger lies in the fact that adware may also perform tracking functions (as spyware does).
If you decide to use a freeware product, please pay particular attention to the installation program. The installer will most likely notify you of the installation of an extra adware program. Often you will be allowed to cancel it and install the program without adware.
Some programs will not install without adware, or their functionality will be limited. This means that adware may often enter the system in a “legal” way, because users have agreed to it. In this case, it is better to be safe than sorry. If a file is detected as adware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.
9.1.6 Spyware
This category covers all applications which send private information without the user's consent or awareness. Spyware uses tracking functions to send various statistical data such as a list of visited websites, email addresses from the user's contact list, or a list of recorded keystrokes.
The authors of spyware claim that these techniques aim to find out more about users' needs and interests and allow better-targeted advertising. The problem is that there is no clear distinction between useful and malicious applications, and no one can be sure that the retrieved information will not be misused. The data obtained by spyware applications may contain security codes, PINs, bank account numbers, etc. Spyware is often bundled with free versions of a program by its author in order to generate revenue or to offer an incentive for purchasing the software. Often, users are informed of the presence of spyware during a program's installation to give them an incentive to upgrade to a paid version without it.
Examples of well-known freeware products which come bundled with spyware are client applications of P2P (peer-to-peer) networks. Spyfalcon or Spy Sheriff (and many more) belong to a specific spyware subcategory: they appear to be antispyware programs, but in fact they are spyware programs themselves.
If a file is detected as spyware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.
9.1.7 Packers
A packer is a tool that compresses and/or encrypts an executable and wraps it in a small loader stub; when the packed file runs, the stub restores the original code in memory and transfers control to it. Packers are legitimately used to shrink executables, but malware authors use them to hide malicious code from static inspection.
The most common packers are UPX, PECompact, PKLite and ASPack. Because the packed bytes differ from the original, the same malware may be detected differently (or not at all) depending on which packer was used, and a sample can be repacked to change its appearance over time, making it harder to detect and remove by signature.
9.1.8 Exploit Blocker
Exploit Blocker is designed to fortify commonly exploited applications such as web browsers, PDF readers, email clients and MS Office components. It monitors the behavior of these processes for activity that might indicate an exploit. It adds another layer of protection, one step closer to the attacker, using a technology entirely different from techniques that focus on detecting malicious files themselves.
When Exploit Blocker identifies a suspicious process, it can stop the process immediately and record data about the threat, which is then sent to the ESET Live Grid cloud system. This data is processed by the ESET Threat Lab and used to better protect all users from unknown threats and zero-day attacks (attacks for which no signature or patch yet exists).
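To make "monitors the behavior of processes for suspicious activity" concrete, here is an added example (not from the manual and not ESET's detection logic) of the kind of behavioural rule a scanner applies to process-creation events: a document viewer, browser or mail client spawning a shell or script host, launching a freshly dropped executable from a user-writable directory, or running encoded PowerShell. The event format, rule names, path lists and sample events are all constructed for this illustration.

```python
# Added illustration for the "Exploit Blocker" entry: a small behavioural rule
# set over process-creation events, in the spirit of the text (judge what a
# process DOES rather than what the file on disk looks like). Not ESET's
# implementation; rule set, event shape and sample events are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Applications the text names as commonly exploited. None of them has a
# legitimate reason to start a shell or script host on its own.
EXPLOIT_TARGETS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                   "acrord32.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# Typical second-stage children of a successful exploit: shells, script hosts
# and signed Windows binaries commonly abused to fetch or run a payload.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}

# Locations an ordinary user can write to; an executable started from here by
# a document viewer is a strong hint that it was just dropped.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (constructed shape, not a real log format)."""
    pid: int
    parent_image: str
    child_image: str
    child_cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the names of every rule the event triggers (empty list = benign)."""
    parent = _basename(event.parent_image)
    child = _basename(event.child_image)
    child_path = event.child_image.lower()
    cmdline = event.child_cmdline.lower()
    hits: List[str] = []
    if parent not in EXPLOIT_TARGETS:
        return hits                      # only watch the exploit-prone parents
    if child in SUSPICIOUS_CHILDREN:
        hits.append("exploited-app-spawns-shell-or-script-host")
    if child_path.startswith(USER_WRITABLE_PREFIXES):
        hits.append("exploited-app-spawns-from-user-writable-path")
    if "powershell" in cmdline and " -enc" in cmdline:
        hits.append("exploited-app-runs-encoded-powershell")
    return hits


def triage(events: Iterable[ProcessEvent]) -> Dict[int, List[str]]:
    """pid -> triggered rules, for every event that triggers at least one rule."""
    return {e.pid: hits for e in events if (hits := evaluate(e))}


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    ProcessEvent(4101, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c powershell -enc SQBFAFgA"),          # "IEX" in base64/UTF-16
    ProcessEvent(4102, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe", r"update.exe"),
    ProcessEvent(4103, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", r"cmd.exe"),      # user opened a shell
    ProcessEvent(4104, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"chrome.exe --type=renderer"),                    # normal child process
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The two Word-spawned events are flagged while explorer.exe starting cmd.exe (a user opening a shell) and Chrome starting its own renderer are not. A file scanner would see nothing wrong in any of these: cmd.exe and powershell.exe are legitimate binaries, and the dropped update.exe may have no signature yet. That is the "completely different technology" the text refers to.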
9.1.9 Advanced Memory Scanner
Advanced Memory Scanner works in combination with Exploit Blocker to provide better protection against malware designed to evade detection by antimalware products through obfuscation and/or encryption. In cases where ordinary emulation or heuristics might not detect a threat, the Advanced Memory Scanner is able to identify suspicious behavior and scan threats when they reveal themselves in system memory.
This solution is effective even against heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means there is a risk that some malicious activity was performed before the threat was detected. However, when other detection techniques have failed, it offers an additional layer of security.
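The following added example ties 9.1.7 (Packers) and 9.1.9 (Advanced Memory Scanner) together; it is not part of the manual and not ESET's code. A constructed "malware" image is wrapped by a toy crypter (a made-up PCK1 header plus the image XORed with a seeded keystream), standing in for what a real packer's stub undoes in memory at run time. It shows why a byte signature that matches the unpacked image finds nothing in the packed file, why two packings of the same payload look like different files, how the entropy heuristic flags the packed form anyway, and how the same signature fires once the image is restored, which is the point at which a memory scanner gets its chance. The container format, threshold, signature list and payload are all invented for this illustration.

```python
# Added illustration for "Packers" and "Advanced Memory Scanner". The PCK1
# container, the payload and the signature list are constructed for this
# example; this is not any real packer's format and not ESET's code.
import math
import random
import struct
from collections import Counter
from typing import Dict, List

MAGIC = b"PCK1"  # made-up container marker

# Constructed "malware" image: low-entropy, code-like text plus a C2 string.
PAYLOAD = (b"push ebp\nmov ebp, esp\nsub esp, 0x40\ncall 0x401000\n" * 200
           + b"http://c2.example.invalid/beacon\x00"
           + b"leave\nret\n" * 50)

# Constructed byte signatures: detection name -> pattern in the unpacked image.
SIGNATURES: Dict[str, bytes] = {
    "Constructed/Beacon.A": b"http://c2.example.invalid/beacon",
}


def _keystream(seed: int, length: int) -> bytes:
    rng = random.Random(seed)            # deterministic: the stub regenerates it
    return bytes(rng.getrandbits(8) for _ in range(length))


def pack(payload: bytes, seed: int) -> bytes:
    """Toy crypter: MAGIC | seed (u32 LE) | length (u32 LE) | payload XOR keystream."""
    body = bytes(p ^ k for p, k in zip(payload, _keystream(seed, len(payload))))
    return MAGIC + struct.pack("<II", seed, len(payload)) + body


def unpack(blob: bytes) -> bytes:
    """What the loader stub does at run time: restore the original image in memory."""
    if blob[:4] != MAGIC:
        raise ValueError("not a PCK1 container")
    seed, length = struct.unpack("<II", blob[4:12])
    body = blob[12:12 + length]
    return bytes(b ^ k for b, k in zip(body, _keystream(seed, length)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Scanner heuristic: compressed or encrypted sections are near-uniform.
    (Threshold is an assumption; real scanners combine it with other signals.)"""
    return shannon_entropy(data) >= threshold


def scan(image: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Plain byte-signature scan over an image (a file on disk or a memory dump)."""
    return sorted(name for name, pattern in signatures.items() if pattern in image)


if __name__ == "__main__":
    on_disk = pack(PAYLOAD, seed=0x5EED)
    print("static scan of packed file :", scan(on_disk) or "nothing found")
    print("entropy of packed file     :", round(shannon_entropy(on_disk), 2),
          "-> looks packed:", looks_packed(on_disk))
    print("entropy of original image  :", round(shannon_entropy(PAYLOAD), 2))
    print("repacked with another key  :", "different bytes" if pack(PAYLOAD, 1) != on_disk else "same")
    in_memory = unpack(on_disk)          # the moment a memory scanner can act
    print("scan of unpacked memory    :", scan(in_memory))
```

The static scan of the packed file finds nothing and a hash of it changes with every repack, which is the "detected differently when compressed using a different packer" problem. The entropy check still flags the file as packed, and the signature matches as soon as the image is restored. In a real system that restoration happens inside the process, so the match is only possible after execution has begun, which is exactly the post-execution caveat the text gives for Advanced Memory Scanner.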
9.1.10 Potentially unsafe applications
There are many legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands they may be misused for malicious purposes. ESET File Security provides the option to detect such threats.
Potentially unsafe applications is the classification used for commercial, legitimate software. This classification includes programs such as remote access tools, password-cracking applications, and keyloggers (programs that record each keystroke a user types).
If you find that there is a potentially unsafe application present and running on your computer (and you did not install it), please consult your network administrator or remove the application.
9.1.11 Potentially unwanted applications
Potentially unwanted applications (PUAs) are not necessarily intended to be malicious, but may negatively affect the performance of your computer. Such applications usually require consent before installation. If they are present on your computer, your system behaves differently than it did before their installation. The most significant changes are:
New windows you haven’t seen previously (pop-ups, ads)
Activating and running of hidden processes
Increased usage of system resources
Changes in search results
Application communicates with remote servers