Network Chico security terms glossary
Welcome to the Network Chico computer security terms glossary.
=G=
Generator Kit: See Constructor Kit.
Germ: A first generation sample of a virus. Technically, the term is reserved for forms of the virus that are in some way 'special', such that another sample the same as the one being referred to could not be produced as the result of a normal infection event. Examples include the initial, unencrypted form of encrypted or polymorphic viruses and 'virus code only' samples of simple prependers and appenders, as would be produced by compiling their source code. Germ samples are infective but not themselves the result of a natural infection incident.
Ghost Positive: This is a specific form of false positive, in which the error is due to 'leftover pieces' or 'remnants' of a virus that are incorrectly detected and reported as an infection. As the virus is not present, no longer present (in the sense that it cannot be activated through normal actions of the user or system), or present but inactive, it is erroneous for a scanner to report an (active) infection. (Usually only part of the virus will be present anyway.) For example, under DOS or Windows, accessing a diskette to obtain a listing of its root directory causes the diskette's system boot sector to be read because details from the BPB must be obtained to correctly access the rest of the disk's contents. Imagine a diskette that had previously been infected with a boot virus and disinfected by writing a very short boot program that simply displays a message warning that the diskette is not a functional system diskette. Such a short program could easily leave a couple of hundred bytes of the virus' boot sector code intact if the disinfecting program did not overwrite the rest of the boot sector. Some scanners may see this part of the virus' code and consequently report the virus' presence. (See also Slack Space.)
In the early days of scanner development, some scanners would false alarm on other scanners, or report viruses in memory after another scanner had run. This was usually a form of ghost positive caused by one scanner 'seeing' the scan strings of another scanner. The simple solution to this was to not store scan strings in plain text, but to cipher them in some way. Of course, once this was done, the scanner had to work with them ciphered, as deciphering them even just in memory could still lead to their detection in-memory on a subsequent scanning run.
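Both forms of ghost positive described above can be reproduced in a few lines. The following is an added example, not code from the glossary: a constructed, harmless byte string stands in for a scan string, a single-byte XOR stands in for 'cipher them in some way', and a 512-byte buffer stands in for a diskette boot sector. It shows that a scanner which keeps plaintext scan strings will match on another scanner's memory image, that comparing ciphered data against ciphered strings avoids this without ever reconstructing the plaintext, and that a disinfector which writes only a short stub leaves a remnant that still matches.

```python
"""Added example (not part of the glossary): two ways a scanner produces a
ghost positive, and the remedy the entry describes for the scan-string case."""

SECTOR_SIZE = 512
KEY = 0x5A  # assumed single-byte XOR key; a stand-in for 'cipher them in some way'

# Constructed, harmless stand-in for a scan string; not a real virus signature.
SCAN_STRING = b"EXAMPLE-SCAN-STRING-7f3a"

# The short message program a naive disinfector writes over the start of a boot sector.
STUB = b"Not a system disk. Remove it and press any key."


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """Byte-wise XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


# Plaintext database, as an early scanner might have kept it.
PLAIN_DB = [SCAN_STRING]
# Ciphered database: the plaintext scan string never exists on disk or in memory.
CIPHERED_DB = [xor_bytes(SCAN_STRING)]


def scan_plain(buf: bytes, db=PLAIN_DB) -> bool:
    """Search for plaintext scan strings directly in the data."""
    return any(sig in buf for sig in db)


def scan_ciphered(buf: bytes, db=CIPHERED_DB) -> bool:
    """Cipher the data and compare it with the ciphered scan strings, instead of
    deciphering the scan strings. With a byte-wise XOR, sig is in buf exactly when
    xor(sig) is in xor(buf), so detection is unchanged while the plaintext signature
    is never reconstructed in memory."""
    ciphered_buf = xor_bytes(buf)
    return any(sig in ciphered_buf for sig in db)


def memory_image(db) -> bytes:
    """Constructed stand-in for a second scanner's view of the first scanner's
    process memory or database file: the stored strings with padding around them."""
    return b"\x00" * 16 + b"".join(db) + b"\x00" * 16


def build_infected_sector() -> bytes:
    """Constructed 512-byte boot sector carrying the scan string at offset 300,
    well past the end of STUB."""
    sector = bytearray(b"\x90" * SECTOR_SIZE)
    sector[300:300 + len(SCAN_STRING)] = SCAN_STRING
    return bytes(sector)


def disinfect_short(sector: bytes, stub: bytes = STUB) -> bytes:
    """Overwrite only the first len(stub) bytes; the rest of the sector is left intact."""
    return stub + sector[len(stub):]


def disinfect_full(sector: bytes, stub: bytes = STUB) -> bytes:
    """Overwrite the stub and zero-fill the remainder so no remnant survives."""
    return stub + b"\x00" * (SECTOR_SIZE - len(stub))


if __name__ == "__main__":
    print("plaintext scanner on other scanner's memory:", scan_plain(memory_image(PLAIN_DB)))
    print("ciphered scanner on other scanner's memory: ", scan_ciphered(memory_image(CIPHERED_DB)))
    print("remnant after short disinfection detected:  ", scan_ciphered(disinfect_short(build_infected_sector())))
    print("remnant after full disinfection detected:   ", scan_ciphered(disinfect_full(build_infected_sector())))
```

The first print reports True and the second False: the ciphered database is never turned back into the plaintext string, so a later scan of that memory finds nothing to match. The third is True, which is the boot-sector ghost positive, and the fourth is False once the whole sector is overwritten.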
Global Template: Although many applications have mechanisms for their users to extend the default functionality and/or appearance of the application, some allow this (partially) via template files. Originally used as a means to provide standard document, spreadsheet, etc. formatting, the template files of some applications (like the document files on which they are based) have been extended to hold all manner of customizations (such as keyboard shortcuts and personalized menu layouts) and macros (that add functionality by automating routine processes and the like). Some products, such as Word and Excel, have gone a couple of steps further and provide for one or more specially named template files and/or directories to be automatically loaded as the application starts up, and also allow 'Add-In' functionality to be implemented in templates. For example, Word for Windows looks for the file 'Normal.dot' in certain directories (while the Macintosh version looks for a file of Word Template type named 'Normal' in matching folders) and loads it into its environment without warning. Should a normal template contain any auto macros meant to run when such a template is loaded, they are run, any menu or shortcut customizations it contains are applied, and any system macros or standard event handler macros in the template become active, running when the corresponding Word command or event occurs. Word and Excel both support a 'startup' directory, although in slightly different ways. Word will open and integrate any template files stored in its startup directory into its runtime environment, just as it integrates the contents of the normal template. Excel opens and integrates any standard Excel file type stored in its startup directory into its runtime environment. Registered Add-Ins are also loaded when the application starts and, if they are templates, will be loaded from wherever they are registered. Thus, for Word, the normal template, any templates in its startup folder and any Add-Ins loaded as templates are all 'global templates', with any customizations and macros they contain becoming available throughout the Word environment. Infection of global templates is thus an attractive proposition to macro viruses written for such application environments, as it provides a simple form of 'residency'. This improves the virus's likelihood of infecting more documents and thus its chances of spreading. The term 'global template' is also often, but incorrectly, used to mean 'Word's normal template'. This is almost certainly a carryover from earlier versions of Word's macro language, where the normal template could often be referred to via the referent 'Global:', rather than by its full path and name. Even in many of those versions of Word, this usage was, at best, sloppy because of the possibility (if not the actuality) of other 'global' templates.
Globbing: Globbing is the use of wildcard characters or arguments to greatly increase the amount of data requested. An example is 'Dir *.*' in DOS: this command asks for all file names with all file extensions (everything) in the current directory. By making globbing requests to a web server it is sometimes possible to cause a Denial of Service attack, as the server becomes too busy to deal with legitimate requests.
Goat File:
- Some generic approaches to virus detection create 'dummy' program files which are written to the drives of the machines being monitored. These files are regularly checked for modification, or created, checked and then deleted. Such files are sometimes called 'goat files', 'decoy files' or 'bait files' because they are not intended to be run for any practical purpose, and act solely as 'bait' to trap and detect the presence of an active virus.
- 'Goat file' is also widely used to refer to the 'standard' files antivirus researchers commonly use to replicate viruses onto. Such files can make it easier to analyze the virus, because the researchers know which parts of the infected files they are dealing with are part of the original 'goats', and thus can readily ignore that code during their analysis of the virus. Different researchers generally use different goats.
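The first sense of the term, decoy files that are planted, checked for modification and removed, is small enough to show end to end. The following is an added example, not code from the glossary or from any product: it plants a few decoy files of random content in a directory, records each file's size and SHA-256 digest in a manifest (the hashing is an assumption about how 'checked for modification' is done), and reports every decoy that is later missing, resized or rewritten. The file names, the 4096-byte size and the `.com` extension are constructed values; the `demo()` function simulates an appending change, a same-size in-place change and a deletion so the whole cycle runs offline in a temporary directory.

```python
"""Added example (not part of the glossary): a goat-file monitor in the first
sense of the entry, i.e. decoys planted, checked for modification and removed."""
import hashlib
import os
import secrets
import tempfile

GOAT_SIZE = 4096  # assumed decoy size in bytes


def _sha256(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_goats(directory: str, count: int = 3, prefix: str = "goat") -> dict:
    """Write `count` decoy files and return a manifest {path: (size, sha256)}.
    Random filler is used rather than a fixed pattern so that a modification is
    never masked by an overwrite that happens to reproduce the original content."""
    manifest = {}
    for i in range(count):
        path = os.path.join(directory, f"{prefix}{i:02d}.com")  # constructed name
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(GOAT_SIZE))
        manifest[path] = (os.path.getsize(path), _sha256(path))
    return manifest


def check_goats(manifest: dict) -> dict:
    """Return {path: reason} for every decoy that is missing or has changed.
    The cheap size comparison runs first; hashing is only done when sizes agree,
    which is the case that matters for in-place overwriting infectors."""
    findings = {}
    for path, (size, digest) in manifest.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif os.path.getsize(path) != size:
            findings[path] = "size changed"
        elif _sha256(path) != digest:
            findings[path] = "content changed"
    return findings


def remove_goats(manifest: dict) -> None:
    """Delete the decoys once the check is done (the create/check/delete cycle)."""
    for path in manifest:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def demo() -> tuple:
    """Plant decoys, simulate three kinds of tampering, check, and clean up.
    Returns (findings_before_tampering, findings_after_tampering_by_basename)."""
    with tempfile.TemporaryDirectory() as directory:
        manifest = plant_goats(directory)
        clean = check_goats(manifest)
        paths = sorted(manifest)
        with open(paths[0], "ab") as f:      # constructed stand-in for an appending change
            f.write(b"APPENDED-BYTES")
        with open(paths[1], "r+b") as f:     # constructed same-size in-place change
            f.seek(0)
            f.write(b"\xff" * 16)
        os.remove(paths[2])                  # decoy deleted outright
        tampered = check_goats(manifest)
        remove_goats(manifest)
        return clean, {os.path.basename(p): reason for p, reason in tampered.items()}


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Running the script prints an empty dictionary for the untouched decoys and then one finding per tampered file. In a real deployment the manifest would live somewhere the monitored host cannot rewrite, and the check would be scheduled rather than run once; both are outside what the entry describes.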