Network Chico security terms glossary
Welcome to the Network Chico computer security terms glossary.
=F=
False Positive, False Negative:
These terms derive from their use in statistics. If it is claimed
that a file or boot sector is infected by a virus when in reality
it is clean, a false positive (or Type-I) error is said to have
occurred. Conversely, if a file or boot sector that is infected
is claimed to not be infected, a false negative (or Type-II)
error has been made. From an antivirus perspective, false negatives
probably seem more serious than false positives, but both are
undesirable. False positives can cause a great deal of down-time
and lost productivity because proving a program cannot replicate
under some condition or other is generally much more time consuming
than discovering the conditions under which a viral program will
replicate. With good known-virus scanners, false positives are
rare. However, they can arise if the scan string for a virus
is poorly chosen, say because it is also present in some benign
programs. False negatives are a more common problem with virus
scanners because known-virus scanners tend to miss completely
new or heavily modified viruses. False positives have, historically,
been quite a problem for scanners that make heavy use of heuristic
detection mechanisms. Another related, serious problem is the
situation where a scanner detects a virus, but incorrectly identifies
which one. Such misdiagnosed positives can lead to terrible problems
if the scanner, or its user, then engages in a virus-specific
disinfection routine based on detailed knowledge of the 'detected'
virus' characteristics. 'Generic disinfection' procedures are
not entirely immune from such problems either.
Fast Infector: When programs
infected with common file infectors (such as Jerusalem in days
of yore, and many others since) are run, the virus code usually
gets control first. It then checks that it has not already gone resident,
copies itself into memory, and hooks a system interrupt or event
handler associated with the host platform's 'load and execute'
function. When that function is subsequently called, the virus'
infection routine runs, checking whether the program that is
about to run has been infected already, and infecting it if not.
In contrast, a fast infector not only infects programs as they
are executed, but even those that are just opened. Even more
aggressive fast infectors will infect suitable targets as they
are accessed in the most peripheral of ways, such as by reading
their directory information as happens during a 'DIR' listing
under DOS, or Explorer accessing a directory to display its contents
under Windows. Thus, if a fast infector is active in memory,
running a virus scanner or integrity checker can result in all
of the virus' potential victim files being infected. Early examples
were the Dark Avenger and Frodo viruses and more recently CIH
became very widespread, partly as a result of being a fast infector.
(cf. Slow Infector) Note that, technically, most macro viruses
are fast infectors. For example, Word macro viruses tend to infect
the Word application environment (by deliberately targeting one
or more global templates) so they are always present in the Word
environment following initial infection. Also, most utilize some
form of auto or system macros, or standard event handlers, which
are normally triggered during the opening, closing or other user-initiated
processing of document files (saving, for example) within the
Word application environment. However, unlike executable infectors,
such macro viruses are not spread by normal virus scanners, as
the finding and opening of files occasioned by the use of a scanner
happens outside the host application's environment (i.e. it is
the operating system's file processing functions being used,
not those of Word, Excel, etc., and thus the viral macros are not
invoked during this processing of the files). Also note that
residency is associated with fast infection. This was a poorly
chosen term, as it was settled on before multi-threaded or multi-process
operating systems were targeted by viruses. A virus can be written
for such systems to run as a separate process from its host,
staying loaded as long as it takes it to find and infect all
potential victim files, then exit (this has been done, for example,
by Libertine.31672). As this results in the near-immediate infection
of all hosts, the term 'fast infector' probably seems a good
description for such a virus despite it being a direct action
infector. However, the term 'fast infector' is intended for resident
viruses that infect on most file accesses; the development of
such viruses resulted in the addition of memory scanning to on-demand
virus scanners.
Fast Mailer: Another term
for Mass Mailer.
FAT: File Allocation
Table. A crucial part of the standard file systems employed
in all versions of DOS and Windows 9x. The FAT records the chaining
of disk clusters and the final cluster in a file. A file's first
cluster is stored in its directory entry and also acts as an
offset into the FAT's chaining table so the rest of the file
can be located. FAT16 file systems were limited to logical drives
with a maximum of 65,536 clusters. Thus, as drives got larger,
slack space wastage increased as the cluster size had to be increased
to keep the cluster count at or under 65,536. FAT32 file systems,
introduced in the OEM Service Release 2 (OSR2) version of Windows
95 and supported by Windows 98, ME and Windows 2000, extend the
FAT file system to support huge drives (up to 2 terabytes) and
allow much larger drives to retain relatively efficient, smaller
cluster sizes, reducing slack space wastage. Technically, most
so-called FAT hard drive partitions are actually FAT16 partitions,
but the number is usually assumed. Standard sized 'DOS format
diskettes' still use the original FAT12 standard, which has always
been used on DOS diskettes.
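An added example, not part of the glossary: a FAT16 chain walker in Python over a constructed table (the table contents and function names are my own), together with the cluster-size and slack arithmetic the entry describes. It also catches the cross-linked and bad-cluster chains that an integrity checker or disk utility must notice rather than follow forever.

```python
import struct

# Constructed FAT16 table (little-endian 16-bit entries), not from any real disk.
# Entries 0 and 1 are reserved. A file starting at cluster 2 chains 2 -> 3 -> 5 -> EOC.
# Cluster 4 is free, cluster 6 is marked bad, clusters 7 -> 8 -> 7 are cross-linked
# into a loop, and cluster 9 points at the bad cluster.
FAT16_EOC = 0xFFF8   # any value >= this marks end of chain
FAT16_BAD = 0xFFF7   # entry value marking the cluster itself as bad

_entries = [0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF, FAT16_BAD, 8, 7, 6]
FAT_TABLE = struct.pack(f"<{len(_entries)}H", *_entries)


def fat16_entry(fat, cluster):
    """Read the 16-bit FAT entry for a cluster (little-endian)."""
    return struct.unpack_from("<H", fat, cluster * 2)[0]


def walk_chain(fat, first_cluster):
    """Follow the chain from a directory entry's first cluster.
    Returns the ordered cluster list; raises ValueError on a free or bad
    entry, an out-of-range cluster, or a loop (a cross-linked chain)."""
    seen, chain, cluster = set(), [], first_cluster
    while True:
        if cluster in seen:
            raise ValueError(f"loop at cluster {cluster}")
        if cluster < 2 or cluster * 2 + 1 >= len(fat):
            raise ValueError(f"cluster {cluster} out of range")
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat16_entry(fat, cluster)
        if nxt >= FAT16_EOC:
            return chain
        if nxt == FAT16_BAD:
            raise ValueError(f"cluster {cluster} is marked bad")
        if nxt == 0:
            raise ValueError(f"chain runs into a free entry after cluster {cluster}")
        cluster = nxt


def fat16_cluster_size(drive_bytes, max_clusters=65536):
    """Smallest power-of-two cluster size keeping the count at or under 65,536."""
    size = 512
    while drive_bytes // size > max_clusters:
        size *= 2
    return size


def slack_bytes(file_size, cluster_size):
    """Bytes wasted in the last cluster allocated to a file of this size."""
    return 0 if file_size == 0 else (-file_size) % cluster_size
```

A 2 GB FAT16 drive comes out at 32 KB clusters, so a one-byte file wastes 32,767 bytes.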
Field Sample, Field Virus:
See In the Field.
File Infector: These are
viruses that attach themselves to (or replace; see Companion
Virus) .COM and .EXE files, although in some cases they will
infect files with other extensions such as .SYS, .DRV, .BIN,
.OVL, .CPL, .DLL, .SCR and others. The most common file viruses
are resident viruses, loading into memory at the time the first
copy is run, and taking clandestine control of the computer.
Such viruses commonly infect additional program files as they
are run or even just accessed. But there are many non-resident
viruses, too, which simply infect one or more files whenever
an infected file is run.
File race condition: Some
applications store information in unsecured files and folders
like the temp directory. A file race condition occurs where an
attacker has the chance to modify these files before the original
application has finished with them. If the attacker successfully
monitors, attacks and edits these temp files, the original application
will then process them as if they were legitimate. The name of
this kind of attack comes from the attacker's 'race to edit the file'.
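An added illustration, not part of the glossary (the function names are my own): the race described above in Python, showing the predictable-name temp file pattern beside a hardened version that creates the file with tempfile.mkstemp (O_CREAT|O_EXCL, mode 0600), keeps the descriptor, and confirms before reuse that the descriptor and the path still name the same inode.

```python
import os
import tempfile


def vulnerable_temp_write(data):
    """Fixed, predictable name in a shared temp directory, re-opened by path
    later: whoever wins the race between the two opens controls what the
    application reads back."""
    path = os.path.join(tempfile.gettempdir(), "app_work.tmp")  # constructed name
    with open(path, "w") as fh:
        fh.write(data)
    return path


def vulnerable_read_back(path):
    with open(path) as fh:  # second open by name: no link to the first one
        return fh.read()


def hardened_temp_write(data):
    """mkstemp() picks an unpredictable name, creates it exclusively with
    mode 0600, and hands back a descriptor the caller keeps instead of the path."""
    fd, path = tempfile.mkstemp(prefix="app_", suffix=".tmp")
    os.write(fd, data.encode())
    return fd, path


def same_file(fd, path):
    """True if the open descriptor and the name still refer to one object
    (same device and inode); a file or symlink swapped in later fails this."""
    a, b = os.fstat(fd), os.lstat(path)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def read_back(fd, path):
    """Read through the held descriptor after checking nothing was swapped."""
    if not same_file(fd, path):
        raise RuntimeError(f"{path} was replaced underneath us")
    os.lseek(fd, 0, os.SEEK_SET)
    return os.read(fd, 1 << 16).decode()


def simulate_swap(path, data="not what we wrote"):
    """Test helper standing in for the racing party: replace the object at path."""
    os.remove(path)
    with open(path, "w") as fh:
        fh.write(data)


def cleanup(fd, path):
    os.close(fd)
    os.remove(path)
```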
File System Virus: A synonym
for cluster virus.
Firewall Killer: Any hacker
tool intended to disable a user's personal firewall. Some will
also disable resident anti-virus software.
Flash Memory: Flash memory
became of interest to antivirus researchers when the full measure
of CIH's payload was decoded. Because the BIOS of most Pentium-class
and later PCs is shipped on a flash memory chip and most mainboard
and system designs result in write-mode for that memory being
readily enabled, the BIOS of a PC can no longer be considered
'carved in stone'. Fortunately, some BIOSes are write-protected,
requiring special measures be taken to allow flash write enabling
to be activated (such as opening the case and setting jumpers
or switches). However, testing reveals that on many systems that appear
to have such a feature, it often does not work. To date, viruses
that attempt to re-flash a victim's BIOS and 'succeed' (in that
the contents of the BIOS change) all result in the 'trashing'
of the BIOS, rendering the victim machine unbootable. That is,
unbootable as in you cannot put a special recovery diskette in
the floppy, bootup and run a program to re-flash a good copy
of the BIOS program back into the flash memory chip. That is,
unbootable as in all that happens is the power supply and CPU
cooling fans, and the hard drives, spin up because that's what
they do when power is applied. Specialist equipment is needed
to re-program the flash chip once it is removed from the mainboard,
and as more mainboard designs move to surface-mount flash chips
rather than socketed ones, that option is not available for an
increasing number of machines.
Flooder: A program that
overloads a connection by any mechanism, such as fast pinging,
causing a DoS attack.
FTP Server: When installed
without user awareness, an FTP server allows an attacker to download
any file in the user's machine, to upload new files to that machine,
and to replace any existing file with an uploaded file.