
Hacker

A general term, used mostly by laypersons and the popular media, for an individual who gains, or attempts to gain, unauthorized access to a computer system or resource, usually for malicious or criminal purposes.

At one time, some members of the security and computing industries proposed the alternative term 'cracker' for such individuals, with 'hacker' reserved for those who investigate computer security with benign intent, such as legitimate penetration testers.

Despite the proposal, however, 'hacker' has since become the ubiquitous word for any individual who attacks computer systems or networks, regardless of intent.


Hacktool

The Type designation 'Hacktool' was previously used by F-Secure to identify a utility program that can be used, or misused, to access remote computers.

With changes in the threat landscape today, programs previously identified as 'Hacktool' have been reclassified under the Riskware Category, with the Type designation 'Hack-Tool'.

The update in naming better clarifies the program's overall security profile in the current, more complex threat landscape.


Header

A data area in a file that precedes its executable code and contains vital information about the file, such as its size, the layout of its contents and so on.

Headers & Viruses

Classic viruses often made changes to the file headers, either as part of their infection routine or as a way to conceal their presence.

For example, some early viruses would update the header so that it reflected the larger size of the infected file rather than the smaller, original file size, so that a security program comparing the two would - hopefully - not notice the change in the file's contents and would leave the infection undisturbed.

Another modification viruses may make to the header involves altering how the program executes. Many file headers contain an entry point address, which points to the proper starting point in the file's code for normal execution. A virus that inserts its code into the file may modify the entry point address so that the computer executes the malicious code first. Viruses that do so are referred to as EPO viruses, as they use Entry Point Obscuration techniques.
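As an added illustration (not part of this glossary and not F-Secure's scanning code), the following Python script builds two constructed PE header images and applies the kind of entry-point checks a scanner can use to notice the EPO modification described above: whether the entry point lands in an executable section, in a writable section, in the first code section, or in the last section of the file. The section layout, the flags set on the 'tampered' image and the checks themselves are assumptions made for the example; the images carry no code bytes and cannot be loaded or executed.

```python
import struct

# Section characteristic flags as named in the PE specification (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(entry_point, sections):
    """Build a minimal PE32 header plus section table (constructed test data;
    no code follows the headers, so the image is not a runnable program).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)                               # IMAGE_DOS_HEADER
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))       # e_lfanew -> PE signature
    opt = bytearray(96)                               # IMAGE_OPTIONAL_HEADER32 (no data directories)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)      # AddressOfEntryPoint (an RVA)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_point_rva, [(name, va, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * 40
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry, sections


def entry_point_findings(data):
    """Heuristic checks on where the entry point lands. An empty list means the
    entry point looks like that of a normally linked program."""
    entry, sections = parse_pe(data)
    home = next((i for i, (_, va, vsize, _) in enumerate(sections)
                 if va <= entry < va + vsize), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    name, _, _, chars = sections[home]
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % name)
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point in writable section %s" % name)
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and home != first_code:
        findings.append("entry point in %s rather than first code section %s"
                        % (name, sections[first_code][0]))
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point in last section %s (typical of appended code)" % name)
    return findings


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed samples: a normally linked layout, and the same layout after the
# entry point was pointed into the last section, which was also re-flagged
# executable and writable (the pattern the text calls Entry Point Obscuration).
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x2000, TEXT),
                          (b".data", 0x3000, 0x1000, DATA),
                          (b".rsrc", 0x4000, 0x1000, RSRC)])
TAMPERED = build_pe(0x4200, [(b".text", 0x1000, 0x2000, TEXT),
                             (b".data", 0x3000, 0x1000, DATA),
                             (b".rsrc", 0x4000, 0x1000,
                              RSRC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Each finding on its own is only a hint (packers and some linkers also produce unusual entry points), which is why a scanner treats them as input to heuristic analysis rather than as a verdict.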



Heuristic Analysis

A type of analysis used by antivirus programs to examine a suspicious file for malicious properties. This type of analysis is typically done when the file in question is too complex for traditional, signature-based analysis to work.

Today, most comprehensive antivirus products use a combination of signature-based and heuristic analysis to provide stronger protection.

How Heuristic Analysis Works

Unlike more passive signature-based analysis, heuristic analysis involves emulation, which means executing a suspicious file's commands on a 'virtual system' that mimics a normal computer setup. This execution is done in a closed 'sandbox' environment to keep it separate from the user's own computer system.

Emulation allows the antivirus program to evaluate how the program's behavior would affect the virtual computer, without endangering the user's own system. The antivirus can then better determine how to treat the suspicious program based on the evaluation.

For example, if the program's actions produce obviously malicious or detrimental effects on the virtual system, the antivirus will prevent the program from running on the user's real system. If the program does not do anything objectionable, it is allowed to run normally.

In cases where the program performs suspicious but potentially legitimate actions - for example transferring many files between computers on a network - the antivirus may request that the user confirm the program is really wanted and authorized to do so.



Heuristic Detection

A detection that may be triggered by a file undergoing heuristic analysis.

Heuristic detections are used by antivirus products to identify certain types of suspicious behaviors or characteristics in a file being scanned.

This is in contrast to the more traditional, signature-based detections, which are used by the antivirus product to identify a specific malicious file during a scan.

About Detection Names

The type of behavior or characteristic a heuristic detection looks for is usually indicated in the detection name. For example, a heuristic detection named:

  • SuspectBehavior_W32FileModified

indicates that the file or program being inspected would, if run normally, make a suspicious modification to an important system file.
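The decision described under Heuristic Analysis (block, allow, or ask the user) and the naming convention described above can be shown together in one small Python example. It is an added illustration, not F-Secure's engine: a list of actions recorded while a file runs under emulation is matched against behaviour rules, each rule carries a detection name, and the combined verdict is returned. The traces, the rule logic, the paths and the two extra detection names (SuspectBehavior_W32AutorunAdded and SuspectBehavior_W32MassNetworkCopy) are constructed assumptions; only SuspectBehavior_W32FileModified is taken from the text.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    """One action observed while the file runs under emulation (constructed)."""
    api: str      # e.g. "WriteFile", "RegSetValue", "CopyFile"
    target: str   # file path, registry path or destination


@dataclass(frozen=True)
class Rule:
    name: str                               # detection name in the page's style
    verdict: str                            # "malicious" -> block, "suspicious" -> ask the user
    matches: Callable[[List[Event]], bool]


# Hypothetical locations the rules care about (compared case-insensitively).
SYSTEM_DIR = "c:\\windows\\system32\\"
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"


def writes_system_file(trace):
    return any(e.api == "WriteFile" and e.target.lower().startswith(SYSTEM_DIR) for e in trace)


def adds_autorun(trace):
    return any(e.api == "RegSetValue" and e.target.lower().startswith(RUN_KEY) for e in trace)


def mass_network_copy(trace, threshold=50):
    # Copying many files to UNC paths is suspicious but may be a legitimate backup.
    return sum(1 for e in trace if e.api == "CopyFile" and e.target.startswith("\\\\")) >= threshold


RULES = [
    # The first name is the one quoted in the text; the other two are hypothetical.
    Rule("SuspectBehavior_W32FileModified", "malicious", writes_system_file),
    Rule("SuspectBehavior_W32AutorunAdded", "malicious", adds_autorun),
    Rule("SuspectBehavior_W32MassNetworkCopy", "suspicious", mass_network_copy),
]


def evaluate(trace):
    """Map an emulation trace to the three outcomes the text describes:
    ("block", names) / ("ask", names) / ("allow", [])."""
    hits = [r for r in RULES if r.matches(trace)]
    names = [r.name for r in hits]
    if any(r.verdict == "malicious" for r in hits):
        return "block", names
    if hits:
        return "ask", names
    return "allow", names


# Constructed traces for the three cases.
TRACE_CLEAN = [Event("ReadFile", "C:\\Users\\alice\\Documents\\report.docx"),
               Event("WriteFile", "C:\\Users\\alice\\Documents\\report.docx")]
TRACE_BACKUP = [Event("CopyFile", "\\\\fileserver\\backup\\doc%03d.docx" % i) for i in range(120)]
TRACE_INFECTED = [Event("WriteFile", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
                  Event("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater")]

if __name__ == "__main__":
    for label, trace in (("clean", TRACE_CLEAN), ("backup", TRACE_BACKUP), ("infected", TRACE_INFECTED)):
        print(label, evaluate(trace))
```

The split between "malicious" and "suspicious" rules is what produces the third outcome from the text: a program that only copies many files to a network share is not blocked outright but handed to the user for confirmation.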


Hoax

The Type designation 'Hoax' was previously used by F-Secure to identify an application that does not perform as claimed.

With changes in the threat landscape today, programs previously identified as 'Hoax' have since been reclassified under the Riskware Category, with the Type designation 'Application'.

The update in naming better clarifies the program's overall security profile in the current, more complex threat landscape.

The Other Type of Hoax

The term "hoax" may also refer to a chain letter that contains false information, with the aim of spreading alarm or disinformation (see Threat Response: Hoax).

For non-computer related hoaxes, please check http://www.snopes.com/computer/virus/virus.asp for more information.


Honeynet

A term used to collectively refer to multiple honeypots on a single network.

A honeynet is usually used in large, diverse networks which may not be sufficiently protected by a single honeypot.



Hosts file

A list of IP addresses, with the hostnames they correspond to, that is stored on the system itself.

The hosts file is used to match website domain names (which a user can remember easily) to its corresponding IP address, which is what the web browser uses to access the server hosting the website.

How the Hosts File Is Used

Each time a user clicks a link while browsing a website, or enters a website's address in the browser's address bar, the system will first check the hosts file to see if the requested address is already stored there. If so, the computer can communicate with the correct IP address without further ado.

If the IP address is not saved in the hosts file, the system must perform an extra step and query the Domain Name System (DNS) service of the Internet Service Provider (ISP) in order to locate the correct IP address.

Maintaining the hosts file therefore allows the system to reduce the amount of time and processing required to access a particular website.

Hosts Files & Malware

Some malware is designed to alter the hosts file in order to hijack a web connection and redirect it from the intended site to a different, usually malicious, one. This technique is known as pharming.
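The lookup order described above and the pharming risk can be checked with a short Python script. This is an added example, not part of the glossary: it parses a constructed hosts file, answers lookups the way the text describes (hosts file first, first matching entry wins, otherwise fall through to DNS), and audits the entries for the two hijack patterns a defender looks for, a monitored name pinned to some address or sinkholed to loopback, and one address collecting several hostnames. The sample file, the monitored-name list, the 203.0.113.7 address (a documentation-range address standing in for a redirect target) and the .test hostnames are all constructed.

```python
import ipaddress

# Constructed hosts file contents (not a real system file).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
203.0.113.7     www.example-bank.test login.example-bank.test   # pinned
203.0.113.7     mail.example.test
127.0.0.1       update.av-vendor.test
"""

# Hypothetical list of names the defender expects to be resolved by DNS only
# (banking sites, the antivirus update server), never by a local hosts entry.
MONITORED = {"www.example-bank.test", "login.example-bank.test", "update.av-vendor.test"}


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames])], ignoring comments and blank lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; skipped here (assumption about resolver behaviour)
        entries.append((no, ip, [n.lower() for n in names]))
    return entries


def resolve(hostname, entries):
    """Mimic the order from the text: the hosts file is consulted first and the
    first matching entry wins. None means 'not here, ask DNS'."""
    hostname = hostname.lower()
    for _, ip, names in entries:
        if hostname in names:
            return ip
    return None


def audit(entries, monitored):
    """Flag hijack-style entries. Returns a list of human-readable findings."""
    findings = []
    by_ip = {}
    for no, ip, names in entries:
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if name in monitored:
                kind = "sinkholed to loopback" if loopback else "pinned to %s" % ip
                findings.append("line %d: monitored name %s %s" % (no, name, kind))
            if not loopback:
                by_ip.setdefault(ip, set()).add(name)
    for ip, names in by_ip.items():
        if len(names) >= 3:  # threshold is an assumption
            findings.append("%d hostnames share %s: %s"
                            % (len(names), ip, ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("www.example-bank.test ->", resolve("www.example-bank.test", entries))
    print("www.not-listed.test   ->", resolve("www.not-listed.test", entries) or "DNS")
    for finding in audit(entries, MONITORED):
        print(finding)
```

On a real system the same audit would be run against the file the operating system actually reads (on Windows, under the System32\drivers\etc directory; on Unix-like systems, /etc/hosts), and an entry for an update server pointing at 127.0.0.1 is worth as much attention as a bank redirect, since it silently stops the security product from updating.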



Hypertext Markup Language (HTML)

The most common language used to create webpages. Hypertext Markup Language (HTML) is often used by novice website designers to create simple websites that may feature text, images and basic animations.

Though other languages have become more popular for creating heavily interactive websites, HTML remains the dominant language used by the majority of websites online today.

HTML was originally specified by Tim Berners-Lee. Today there are various versions of HTML, each defined by a different specification.



Hypertext Transfer Protocol (HTTP)

A protocol used to organize and easily retrieve resources on an information system.

Hypertext Transfer Protocol (HTTP) is used to access information resources known as 'hypertext documents', and it is a significant part of the underlying architecture of the modern World Wide Web.

Most users who surf the Internet are familiar with HTTP through the Uniform Resource Locator (URL). The URL functions as the 'address' of each specific hypertext document, which can be a webpage, image or file. These documents are stored on hosts (web servers).

Whenever a user enters a URL into their web browser's address bar, or clicks a link on one webpage to get to another, they are really using HTTP to retrieve a specific hypertext document from a specific host.

Despite the relative simplicity behind the concept of HTTP, this simple mechanism allows a user to browse through a colossal amount of information on a staggering number of hosts with ease.





A classification term used by F-Secure to indicate the potential severity of threat a program may pose to the user's computer system and/or confidential information.


