The incidence of an antivirus program incorrectly identifying a legitimate file as 'infected', 'malicious' or 'suspicious'. This is also known as a False Positive.
False alarms occur if a program contains code sufficiently similar to a known malware signature to be deemed a security risk by a virus scanner.
A legitimate program that displays malware-like behavior may also trigger a false alarm from security software with heuristic analysis capabilities.
The incidence of an antivirus program incorrectly identifying a legitimate file as 'infected', 'malicious' or 'suspicious' is known as a False Positive. It may also be referred to as a False Alarm.
The converse of this is a False Negative, in which an antivirus program incorrectly identifies an infected or malicious file as 'clean'.
A protocol governing the transmission of files over networks that use the TCP/IP communication protocols (such as the Internet). File Transfer Protocol (FTP) is used as a way to transfer data reliably and efficiently from one computer to a remote computer.
Though there are numerous other protocols governing file transmissions, FTP has become the most commonly used, particularly for transferring data to and from web servers.
A type of virus that infects files saved on a computer system, typically executable (EXE) and/or command (COM) files.
Depending on the file type infected, a file virus may also be referred to as an EXE infector or a COM infector. Though viruses exist that target other system components - BAT or REG viruses, for example - the most common type of virus today is an EXE infector.
Characterizing File Viruses
File viruses are usually described or characterized based on their physical characteristics or behavior. The most common way to classify a file virus is by the type of target it attacks - EXE or COM files, the boot sector, etc.
A file virus can be further characterized based on how it infects the targeted file (also known as the host file):
- Prepending: writes itself into the beginning of the host file's code
- Appending: writes itself to the end of the host file
- Overwriting: overwrites the host file's code with its own code
- Inserting: inserts itself into gaps inside the host file's code
- Companion: renames the original file and writes itself with the host file's name
- Cavity infector: writes itself into the unused space between the file sections of a 32-bit file
A file virus can also be classified based on whether it is memory resident or non-memory resident. Memory resident viruses stay active in memory, trap one or more system functions (usually interrupt 21h or Windows file system hooks) and infect files as they are accessed. Non-memory resident viruses search for EXE files on a hard disk and infect them directly.
A file virus can be said to be non-encrypted, encrypted or polymorphic. An encrypted or polymorphic virus consists of one or more decryptors and a main body of code. The decryptor decrypts the main virus code before it can run. Encrypted viruses usually use decryptors with a fixed or variable key, while polymorphic viruses have decryptors that are randomly generated from processor instructions and contain many instructions that play no part in the decryption process.
Finally, file viruses can be described based on how they execute their payload:
- Direct action: Immediately upon execution
- Time bomb: After a specified period of time
- Condition triggered: Only under certain conditions
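The appending and cavity-infection methods listed above both leave their code in places a defender can look for: data past the last section of an executable (the overlay) and non-zero bytes in the slack between what a section uses and where the next one starts. The following check is an added example, not code from the original page or from any vendor; it parses the public PE/COFF section table, and the two-section image produced by `build_sample()` is constructed for the example and is not a runnable program. The names `parse_sections`, `inspect` and `build_sample` are this example's own.

```python
"""Added example: look for the two places an appending or cavity-infecting file
virus leaves its code in a PE executable, namely data past the last section
(the overlay) and non-zero bytes in section slack. Parsing follows the public
PE/COFF layout; the sample image built by build_sample() is constructed for
this example and is not a runnable program."""
import struct
from typing import List, NamedTuple, Optional, Tuple


class Section(NamedTuple):
    name: str
    vsize: int   # VirtualSize: bytes the section actually uses
    rsize: int   # SizeOfRawData: bytes stored on disk (rounded up to file alignment)
    ptr: int     # PointerToRawData: file offset of the raw data


def parse_sections(data: bytes) -> List[Section]:
    """Walk the DOS stub, PE signature and COFF header to the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        entry = table + i * 40                # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, ptr = struct.unpack_from("<IIII", data, entry + 8)
        sections.append(Section(name, vsize, rsize, ptr))
    return sections


def inspect(data: bytes) -> List[Tuple[str, Optional[str], int, int]]:
    """Return (kind, section, file_offset, byte_count) findings for one file."""
    secs = sorted((s for s in parse_sections(data) if s.rsize > 0), key=lambda s: s.ptr)
    findings = []
    for i, s in enumerate(secs):
        # Slack runs from the end of the bytes the section really uses to the
        # start of the next section's raw data; a cavity infector writes here.
        slack_start = s.ptr + min(s.vsize, s.rsize)
        slack_end = secs[i + 1].ptr if i + 1 < len(secs) else s.ptr + s.rsize
        slack = data[slack_start:slack_end]
        nonzero = len(slack) - slack.count(0)
        if nonzero:
            findings.append(("cavity", s.name, slack_start, nonzero))
    end_of_sections = max(s.ptr + s.rsize for s in secs)
    if len(data) > end_of_sections:           # appended data: the overlay
        findings.append(("overlay", None, end_of_sections, len(data) - end_of_sections))
    return findings


def build_sample(cavity: bytes = b"", overlay: bytes = b"") -> bytes:
    """Constructed two-section PE32 image with 0x200-byte file alignment."""
    def section(name: bytes, vsize: int, vaddr: int, rsize: int, ptr: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number fields (unused), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, ptr, 0, 0, 0, 0, 0x60000020)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header at offset 0x40
    opt_size = 0xE0                                # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)     # PE32 magic, remaining fields zeroed
    headers = (bytes(dos) + b"PE\0\0" + coff + opt
               + section(b".text", 0x100, 0x1000, 0x200, 0x400)
               + section(b".data", 0x200, 0x2000, 0x200, 0x600)).ljust(0x400, b"\0")
    text_raw = (b"\xC3" * 0x100 + cavity).ljust(0x200, b"\0")  # 0x100 used, 0x100 slack
    data_raw = b"\x41" * 0x200
    return headers + text_raw + data_raw + overlay


if __name__ == "__main__":
    print("clean   :", inspect(build_sample()))
    print("cavity  :", inspect(build_sample(cavity=b"\x90" * 0x20)))
    print("overlay :", inspect(build_sample(overlay=b"X" * 0x40)))
```

Treat both findings as triage signals rather than verdicts: many legitimate executables carry an overlay (installers and Authenticode-signed binaries keep data past the last section), so flagging every overlay as an infection is exactly the kind of False Positive described earlier on this page. Non-zero bytes in section slack are rarer in clean files and deserve a closer look.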
A hardware device or application that regulates access to a computer system or network.
Much like a gate, a firewall acts as a barrier between a 'trusted' security zone inside the system or network, and an 'untrusted' security zone beyond. As such, firewalls are an important feature of network security setups.
A firewall applies a set of rules to evaluate whether a communication coming into or exiting the trusted internal zone is authorized or unauthorized. If the firewall determines a communication is authorized, it is permitted into the system or network; if not, the communication is dropped.
The function of a firewall may also be approximated by a proxy server or device, which can also check the authorization of incoming and outgoing communications from a network.
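The authorized-or-dropped decision described above can be shown as a small first-match packet filter with a default-deny policy. This is an added example, not code from the original page or from any firewall product; the trusted zone `10.0.0.0/8`, the addresses, ports and rules in `RULESET`, and the function names `evaluate` and `filter_traffic` are all constructed for the example.

```python
"""Added example: the decision logic of a first-match packet filter with a
default-deny policy, i.e. how a firewall decides whether a communication
crossing the boundary of the trusted zone is authorized. The zone, addresses,
ports and rules are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" = entering the trusted zone, "out" = leaving it
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR prefix; 0.0.0.0/0 matches every IPv4 address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


TRUSTED = "10.0.0.0/8"           # the 'trusted' zone behind the firewall (constructed)

# Rules are evaluated top to bottom and the first match decides. Anything that
# reaches the end of the list without matching is dropped (default deny).
RULESET: List[Rule] = [
    # A packet arriving from outside with a trusted source address is spoofed.
    Rule("drop", direction="in", src=TRUSTED),
    # Only the HTTPS port of the public web server is reachable from outside.
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.5/32", dport=443),
    # Hosts inside the trusted zone may initiate traffic outward.
    Rule("allow", direction="out", src=TRUSTED),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULESET) -> str:
    """Return 'allow' or 'drop' for one packet under the given ruleset."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"                # default deny


def filter_traffic(packets: List[Packet],
                   rules: List[Rule] = RULESET) -> List[Tuple[Packet, str]]:
    """Apply the ruleset to every packet and pair each with its verdict."""
    return [(pkt, evaluate(pkt, rules)) for pkt in packets]


SAMPLE_TRAFFIC = [  # constructed packets crossing the zone boundary
    Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 443),    # public HTTPS request
    Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 22),     # SSH attempt from outside
    Packet("in", "tcp", "10.0.0.9", "10.0.0.5", 443),       # spoofed internal source
    Packet("out", "tcp", "10.0.0.5", "198.51.100.9", 443),  # internal host going out
    Packet("in", "icmp", "203.0.113.7", "10.0.0.5"),        # ping from outside
]

if __name__ == "__main__":
    for pkt, verdict in filter_traffic(SAMPLE_TRAFFIC):
        print(f"{verdict:5}  {pkt.direction:3} {pkt.proto:4} "
              f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Rule order is part of the policy: the anti-spoofing drop sits above the web-server allow on purpose, because with the two swapped a packet carrying a forged internal source address would match the allow rule first and be let through.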
A multimedia platform popularly used for animated and interactive web applications. Flash is owned by the software company Adobe.
Flash applications are frequently used on websites for elements such as games, scrolling advertisements and so on. To view these files, a user usually requires a separate 'player' application known as a Flash Player to be installed, usually as a plugin to their web browser.
Files for applications on this platform usually use the extension .swf, or SWF.