Lo Staff del Progetto AGHBBs antivirus, propone link a Symantec Corp. USA.
Sotto riportato un glossario utile per chiarire dubbi e risolvere i problemi di sicurezza.

The glossary below contains many of the terms you will find in common use throughout the Symantec Security Response Web site. Please refer to this list or the Frequently Asked Questions (FAQ) page to find definition of terms and answers to other Internet security-related questions.

.dam
Indicates a detection for files that have been corrupted by a threat, or that may contain inactive remnants of a threat, causing the files to no longer be able to execute properly or produce reliable results.

.dr
Refers to a file that is considered a dropper. This is a program that drops the virus or worm onto the victim's computer.

.enc
Refers to a file that is encrypted or encoded. For example, a worm that creates a copy of itself with MIME encoding may be detected with the .enc suffix.

@m
Signifies the virus or worm is a "mailer". An example is Happy99 (W32.Ska), which only sends itself by email when you (the user) send mail.

@mm
Signifies the virus or worm is a "mass-mailer". An example is Melissa, which sends messages to every email address in your mailbox.

Also Known As
These are names that other antivirus vendors use to identify this threat. Often Symantec's bloodhound heuristics will identify a potential threat before a specific detection is added. In such cases, the name of the bloodhound detection will appear in this field.

Beta Virus Definitions
Beta virus definitions have not undergone any quality assurance testing by Symantec Security Response. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, you should understand that beta-quality virus definitions do pose additional risks. Beta virus definitions are most valuable during a high-level virus outbreak when users are unwilling or unable to wait for virus definitions that have undergone full quality assurance testing. Beta virus definitions are available here.

Blended Threat
Blended threats combine the characteristics of viruses, worms, Trojan horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By utilizing multiple methods and techniques, blended threats can spread rapidly and cause widespread damage. Characteristics of blended threats include the following:

• Causes harm: Launches a denial of service attack at a target IP address, defaces Web servers, or plants Trojan horse programs for later execution.
• Propagates by multiple methods: Scans for vulnerabilities to compromise a system such as embedding code in html files on a server, infecting visitors to a compromised Web site, or sending unauthorized email from compromised servers with a worm attachment.
• Attacks from multiple points: Injects malicious code into .exe files on a system, raises the privilege level of the guest account, creates world read and writable network shares, makes numerous registry changes, and adds script code into html files.
• Spreads without human intervention: Continuously scans the Internet for vulnerable servers to attack.
• Exploits vulnerabilities: Takes advantage of known vulnerabilities such as buffer overflows, http input validation vulnerabilities, and known default passwords to gain unauthorized administrative access.

Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.

Bug
A programming error in a software program than can have unwanted side effects. Examples: Various web browser security problems, Y2K software problems.

Causes system instability
This payload might cause the computer to crash or to behave in an unexpected fashion.

Compromises security settings
This payload might attempt to gain access to passwords or other system-level security settings. It might also search for openings in the Internet processing components of the computer to install a program on that system that could be controlled remotely by someone over the Internet.

CVE References
A list of standardized names for vulnerabilities and other information security exposures - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. (Source: CVE Web site)

Click here to read more about Symantec & CVE compatibility.

Damage
The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and ease by which the damage might be fixed.

Degrades performance
This payload slows computer operations. This might involve allocating available memory, creating files that consume disk space, or causing programs to load or execute more slowly.

Deletes files
This payload deletes various files on the hard disk. The number and type of files that might be deleted vary among viruses.

Distribution
This component measures how quickly a threat is able to spread.

Encrypted Virus
A virus that uses encryption to hide itself from virus scanners. That is, it jumbles up its program code to make it difficult to detect.

Exploit
A program or technique that takes advantage of a vulnerability in software that can be used for breaking security or otherwise attacking a host over the network.

Firewall Rules
A security system that uses rules to block or allow connections and data transmissions between your computer and the Internet.

Geographic distribution
This measures the range of separate geographic locations where infections have been reported. The measures are high (global threat), medium (threat present in a few geographic regions), and low (localized or non-wild threat).

HLLW
Refers to a worm that is compiled using a High Level Language. (NOTE: This modifier may or may not be used as a prefix - it is only a prefix in the case of a DOS High Level Language Worm. If the Worm is a Win32 file, the proper name would be W32.HLLW.)

Infection Length
This is the size, in bytes, of the viral code that is inserted into a program by the virus. If this is a worm or Trojan horse the length represents the size of the file.

Intrusion Detection
The detection of break-ins or break-in attempts by reviewing logs or other information available on a network.

Large scale e-mailing
This type of payload involves sending emails out to large numbers of people. This is usually done by accessing a local address book and sending emails to a certain number of people within that address book.

Macro virus
A program or code segment written in the internal macro language of an application. Some macros replicate, while others infect documents.

MD5
A hash function, such as MD5, is a one-way operation that transforms a string of data of any length into a shorter fixed-length value. No two strings of data will produce the same hash value.

An MD5 checksum verifies data integrity by running a hash operation on the data after it is received. The resultant hash value is compared to the hash value that was sent with the data. If the two values match, the data has not been altered or tampered with, and the data's integrity may be trusted.

Click here to learn more about MD5 and download an MD5 checksum utility.

Click here for a list of MD5 hashes for all available Virus Definitions Intelligent Updater downloads.

Mobile Code
Code (software) that is transferred from a host to a client (or another host computer) to be executed (run). When we talk about malicious mobile code we may use a Worm as an example.

Modifies files
This payload changes the contents of files on the computer and might corrupt files.

Name of attachment
Most worms are spread as attachments to emails. This field indicates the usual name or names that the attachment might be called.

Number of countries
This is a measure of the number of countries where infections are known to have occurred.

Number of infections
This measures the number of computers that are known to be infected.

Number of sites
This measures the number of locations with infected computers. This normally refers to organizations such as companies, government offices, and the like.

Payload
This is the malicious activity that the virus performs. Not all viruses have payloads, but there are some that perform destructive actions.

Payload trigger
This is the condition that causes the virus to activate or drop its destructive payload. Some viruses trigger their payloads on a certain date. Others might trigger their payload based on the execution of certain programs or the availability of an Internet connection.

Polymorphic Virus
A virus that has the ability to change its byte pattern when it replicates thereby avoiding detection by simple string scanning techniques.

Ports
This field indicates the TCP/IP ports that the threat might attempt to use.

Releases confidential information
This payload might attempt to gain access to important data stored on the computer such as credit card numbers.

Removal
This measures the skill level needed to remove the threat from a given computer. Removal sometimes involves deleting files and modifying registry entries. The three levels are difficult (requires an experienced technician), moderate (requires some expertise), and easy (requires little or no expertise).

Retrovirus
A computer virus that actively attacks an anti-virus program or programs in an effort to prevent detection.

Sequence number
Sequence numbers are used only by the Norton AntiVirus Corporate products, and are an alternate method of representing the date of the latest definitions or required definitions. Sequence numbers are assigned to signature sets sequentially, and they are always cumulative. A signature set with a higher sequence number supersedes a signature set with a lower sequence number.

Shared drives
This field indicates whether or not the threat will attempt to replicate itself through mapped drives or other server volumes to which the user might be authenticated.

Size of attachment
This field indicates the size of the file that is attached to the infected email.

Subject of email
Some worms spread by sending themselves to other people through email. This field indicates the subject of the email that is sent by the worm.

Systems Affected
Refers to operating systems or applications that are vulnerable to a threat.

Systems Not Affected
Refers to operating systems or applications that are not vulnerable to a threat. The list of systems may change as more information about a given threat becomes available.

Technical description
This section describes the specific details of the infection such as registry entry modifications and files that are manipulated by the virus.

Threat assessment
This is a severity rating of the virus, worm or Trojan horse. It includes the damage that this threat causes, how quickly it can spread to other computers (distribution), and how widespread the infections are known to be (wild).

Threat containment
This is a measure of how well current antivirus technology can keep this threat from spreading. As a general rule, older virus techniques are generally well-contained; new threat types or highly complex viruses can be more difficult to contain, and are correspondingly more a threat to the user community. The measures are Easy (the threat is well-contained), Moderate (the threat is partially contained), and Difficult (the threat is not currently containable).

Time stamp of attachment
This field indicates the date and time of the file attachment.

Type: Hoax
Usually an email that gets mailed in chain letter fashion describing some devastating highly unlikely type of virus, you can usually spot a hoax because there's no file attachment, no reference to a third party who can validate the claim and the general 'tone' of the message.

Type: Joke
A harmless program that causes various benign activities to display on your computer (e.g., an unexpected screen-saver).

Type: Trojan Horse
A program that neither replicates or copies itself, but does damage or compromises the security of the computer. Typically it relies on someone emailing it to you, it does not email itself, it may arrive in the form of a joke program or software of some sort.

Type: Virus
A program or code that replicates, that is infects another program, boot sector, partition sector or document that supports macros by inserting itself or attaching itself to that medium. Most viruses just replicate, a lot also do damage.

Type: Worm
A program that makes copies of itself, for example from one disk drive to another, or by copying itself using email or some other transport mechanism. It may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.

Variants
New strains of viruses that "borrow" code directly from other known viruses, to varying degrees. Variants are usually identified by a letter, or letters, following the virus family name, eg. VBS.LoveLetter.B., VBS.LoveLetter.C, etc.

Virus Definitions (Intelligent Updater^TM)
Intelligent Updater^TM virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. Users that benefit most from downloading and installing the Intelligent Updater^TM virus definitions daily are corporate network administrators, as well as end-users that practice potentially risky Internet behavior (eg., clicking on email attachments from unknown senders or attachments included in unexpected emails, downloading files from newsgroups or suspicious Web sites, etc). Intelligent Updater^TM virus definitions are available here.

Home users: While it is possible, it is not absolutely necessary for home users to download and install Intellingent Updater definitions daily. Symantec receives samples of new viruses every day and every day we proceed to build new definitions for these viruses. But in many cases these viruses aren't in the wild or if in the wild they have a very low incidence of infection. In any event, if we detect that a virus in the wild is spreading rapidly, we go ahead and release LiveUpdate packages immediately to fully protect our customers. Additionally, if you suspect you may be infected by a virus, you can always take advantage of the Scan and Deliver functionality to submit the potentially infected file for analysis by Symantec Security Response. As part of our response we would send you the Intelligent Updater packages necessary to deal with that infection.

For detailed instructions on how to download and install the Intelligent Updater^TM virus definitions from the Symantec Security Response Web site, click here.

For detailed instructions on how to run LiveUpdate^TM, click here.

You may also manually download and install virus definitions. These virus definitions (known as Intelligent Updaters) are posted daily and are available for download here.

Vulnerability
Any characteristic of a computer system that will allow someone to keep it from operating correctly, or that will let unauthorized users take control of the system.

Vulnerability Management
The practice of identifying and removing weaknesses that can be used to compromise the confidentiality, integrity, or availability of a computer information asset; A preventative information security practice that identifies and removes weaknesses before they can be used to compromise a computer information asset.

Wild
The wild component measures the extent to which a virus is already spreading among computer users. This measurement includes the number of independent sites infected, the number of computers infected, the geographic distribution of infection, the ability of current technology to combat the threat, and the complexity of the virus.

Zoo
A threat that exists only in virus and anti-virus labs, not in the wild. Most zoo threats never get released into the wild, and as a result, rarely threaten users.