Network Chico security
terms glossary
Welcome to the Network Chico
computer security terms glossary.
=R=
RAM: Random Access
Memory. The memory transient programs are loaded into so
they can be executed. It is also the memory that must be used
for revisable data storage, regardless of the location of the
program manipulating the data (e.g. a PC's interrupt table is
stored at a fixed location in system RAM even though it is initialized
and used by the BIOS, because the OS and user programs need to
be able to alter interrupts). Viruses must use some of this for
themselves if they are to remain active on a machine (i.e. if
they are to go resident). Thus, scanners check memory, at least
for signs of known memory-resident viruses. In the early days
of virus scanner development, many scanners would declare that
a virus was active simply when it was found in RAM. This could,
and often did, cause a particular type of false positive known
as a ghost positive through the 'detection' of part of a virus'
code that was, for example, left over in a buffer area of RAM
rather than truly being active.
RAT:
- Remote Access Trojan (occasionally Remote Access Trapdoor).
- Remote Administration Tool. There are legitimate remote administration
tools included with many network management products, with helpdesk
and other support software, and the like. These are installed
with the system administrator's knowledge and consent (although
not necessarily with that of the end-users). Many programs that
are clearly designed to harass, annoy and spy on unsuspecting
users who are fooled into running their server part (that is,
programs that better fit the first expansion of this acronym)
are referred to as 'remote administration tools' in an attempt
(usually by their writers, resellers, agents, etc) to legitimize
them. Such tools that have 'silent' installation modes and such
useful administration functions as the ability to repeatedly
open and close the CD-ROM tray of the 'administered' machine
are perhaps better thought of as 'remote antagonism tools' and
should be treated as such.
Registry: The registry
is a database used by 32-bit Windows operating systems (Win9x/ME/NT/2000/XP)
to store configuration settings. The Registry is broken down
into several major sections, for example HKEY_CURRENT_USER (where
all the preferences for the current user are stored) or HKEY_LOCAL_MACHINE
(where settings are stored for hardware, installed applications
and the operating system). Many Windows applications write data
to the Registry. The Registry can be edited, although extreme
caution must be used when doing so. Actions such as altering
registry settings, deleting files from system areas and modifying
the content of system files are difficult and potentially dangerous
operations that SHOULD NOT be undertaken unless users
are aware of the risks involved. In XP you can open the Registry
Editor via Start > Run > regedit.
Experimenting with registry settings
is likely to result in lost files and/or unusable programs and
can even cause the operating system to become corrupted.
Microsoft defines the registry thus:
"In Windows 32-bit operating systems, the tree-structured
hierarchical database where general system hardware and software
settings are stored."
There is also a definition
of registry in the glossary.
Remnant: There are many
approaches to disinfecting virus-infected objects. As a result,
some people are surprised to learn that not all products remove
all traces of a virus when disinfecting. Should this happen,
the remaining virus code will not be 'active' - it will not be
able to gain control in the flow of execution - so the disinfected
object is still 'safe'. These snippets of leftover code are sometimes
referred to as remnants. Because this does happen and not all
scanners use the same methods to detect any given virus (just
as they do not all use the same methods to disinfect), these
remnants may be detected by some scanners. If this happens, it
may cause them to raise an alert that the original virus is still
present or that a new variant of that virus may have been detected.
This is a special form of false positive known as a ghost positive.
Remote Access Trojan:
A program that surreptitiously allows access to a computer's
resources (files, network connections, configuration information,
etc) via a network connection is known as a remote access Trojan,
or RAT. Note that such functionality is often included in legitimate
software designed and intended to allow such access. For example,
software that allows remote administration of workstations on
a company network, or that allows helpdesk staff to 'take over'
a machine to remotely demonstrate how a user can achieve some
desired result, are genuinely useful tools (and even desirable
in many settings). The difference between remote access Trojans
and remote administration tools is that the latter are designed
into a system and installed and used with the knowledge and support
of the system administrators and the other support staff they
involve. Remote access Trojans are also commonly referred to
as remote access trapdoors and backdoors, although the terms
trapdoor and backdoor tend to have their own specialized and
slightly different meanings.
Resident: A property of
most common computer viruses. A resident virus is one which is
normally running and active in the environment in which it is
infective. Thus, resident DOS executable infectors load into
memory, hook one or more interrupts and remain in memory, waiting
for some trigger event such as a file being opened. When the
trigger event occurs, the virus' infection code runs, attempting
to infect one or more suitable targets (usually the file(s) being
processed by the system or function call they have hooked). As
boot code is only executed at the very beginning of the boot
process, boot viruses have to be resident to have a chance to
infect any other targets. The more common macro viruses are also
resident, for example, installing themselves into global templates
in Word and Excel.
Retro-virus: Loosely based
on the biological concept with the same name, computer viruses
that attack antivirus products are sometimes referred to as retro-viruses.
Examples range from including code that is known to cause code
emulators to exit early, through disabling loading of well-known
antivirus products and disabling resident antivirus products
by patching them in memory to deleting the checksum data files
of products offering such features.
REVS: Rapid Exchange
of Virus Samples list. A mailing list for antivirus companies,
allowing their virus analysis staff to securely send samples
of 'emergency' viruses to other antivirus developers and for
the lab staff to discuss emerging 'virus emergencies'. REVS member
companies are expected to send samples of any 'urgent' viruses
they isolate to the mailing list no later than the time they
make press releases or other public announcements about such
viruses.
ROM: Read-Only Memory.
Apart from its contents normally not being modifiable, ROM is
usually also non-volatile. This type of memory is traditionally
used to hold a PC's BIOS and little else, although various kinds
of 'modifiable ROM' memory technologies, such as EPROM, EEPROM
and flash memory, have been used through the years, with flash
memory being preferred in recent years.