Synonyms: Anti-virus upgrade
Nearly all anti-virus programs make use of signature analysis: that is, using a database that contains byte sequences belonging to known viruses, worms, Trojans or other malicious code. As the list of known threats grows, new virus definitions (or signatures) are added to the anti-virus databases. Anti-virus researchers at Kaspersky Lab, for example, add around 200 new records to the database every day. Enhanced protection is passed on to users in the form of an update. In addition, new anti-virus engine functionality may also be delivered as part of an anti-virus database update.
Signature analysis is not the only protection method available. Anti-virus solutions have become increasingly sophisticated over the years, to counter the growing complexity of malicious programs. Proactive detection mechanisms designed to detect new threats before they appear in the field, such as heuristic analysis, generic detection or behavioral analysis, are also an important first line of defense.
Nevertheless, regular updating of anti-virus protection remains important, given the speed at which today’s threats are able to spread. Anti-virus vendors have successively reduced the time interval between virus definition updates: first quarterly, then monthly, then weekly, then daily updates. Kaspersky Lab now provides incremental virus definition updates every hour.
An archive file is a collection of data files that have been packaged together. This is done to save space (when backing up a series of files to removable media, for example) or to save data transmission time (when making files available for download or when transferring them via e-mail, for example).
Programs that compress data into archive files are called archivers. WinZip is probably the best known of these: in fact, many people equate ‘zipping’ a file with archiving it, even when using a different archiver.
There are numerous archiving programs on the market, though the most familiar include WinZip and WinRAR. Most are capable of creating and accessing ZIP files, in addition to whatever format the program is designed to produce. The most common archive file formats are ZIP, RAR, ARJ and CAB. The CAB format is used to archive many Microsoft® Windows® distribution files.
It’s important for anti-virus programs to scan inside these files. Otherwise any archived file could provide a convenient hiding place for malicious code. Some e-mail worms have even been deliberately distributed as archive attachments.
Good anti-virus programs also scan recursively (a ZIP within a ZIP, for example) and include a smart algorithm to avoid extracting archive bombs.
Programs designed to launch advertisements, often pop-up banners, on host machines and/or to re-direct search engine results to promotional web sites. Adware programs are often built into freeware or shareware programs, where the adware forms an indirect ‘price’ for using the free program. Sometimes a Trojan silently downloads an adware program from a web site and installs it onto a user’s machine. Alternatively, hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user’s knowledge), download the adware program by exploiting a web browser vulnerability.
Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to ‘pay-to-view’ (often pornographic) web sites.
Typically, adware programs do not show themselves in the system in any way: no listing under Start | Programs, no icons in the system tray, nothing in the task list. In addition, adware programs seldom come with a de-installation procedure, and attempts to remove them manually may cause the original carrier program to malfunction.
A file containing a data sequence used to identify an attack on the network, typically one that exploits an operating system or application vulnerability. Such signatures are used by an Intrusion Detection System [IDS] or firewall to flag malicious activity directed at the system.
AIM is a specific implementation of IM [Instant Messaging].
Anti-virus databases hold the data needed to find and remove malicious code. The databases contain a series of virus definitions (or signatures), unique sequences of bytes specific to each piece of malicious code. Signature analysis is one of the key methods used to find and remove malicious code.
The engine, the core of any anti-virus product, is a software module that is purpose-built to find and remove malicious code. The engine is developed independently of any specific product implementation, so it ‘plugs in’ equally well to personal products (such as personal scanners or real-time monitors) and to solutions for servers, mail scanners, file servers, firewalls and proxy servers. These products may be developed by the engine developer, or they may be developed by third parties who integrate the engine into their application or business process using the engine SDK.
The reliability of malicious code detection, and hence the security level provided by the products that use it, is determined by the quality of the engine.
An API defines the way that a piece of software communicates with other programs, allowing these programs to make use of its functionality. The API provides a series of commonly-used functions that third party developers might need. For example, an operating system vendor provides an API that allows developers to write applications that are consistent with the operating system. Typically, the API comes with a set of routines, modules and protocols that can be used to access the program’s functionality, known as an SDK [Software Development Kit]. Although distinct, the two terms are often used interchangeably. An anti-virus engine API provides a way for third parties to integrate anti-virus scanning into their application or business process.
This is a seemingly small archive file that is actually highly compressed and expands into a huge file or several identical files. Such archives typically take quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus program that tries to scan them. Good anti-virus programs include a smart algorithm to avoid extracting such files.
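The signature analysis described in the anti-virus database entry above, combined with the recursive archive scanning and archive bomb avoidance described in the archive entries, as an added Python example that is not from the original page and is not Kaspersky Lab's code. The signature database, the archive contents and the limits (MAX_DEPTH, MAX_RATIO, MAX_MEMBER_BYTES) are all constructed for illustration; a real engine uses a far larger database and more elaborate heuristics. The point it shows is that a DEFLATE-compressed member hides its bytes from a plain scan of the archive, so the scanner must extract to match signatures, and that the central directory's size fields let it refuse a bomb before extracting anything.

```python
import io
import zipfile

# Constructed signature database (name -> byte sequence). These are made-up
# test strings, not signatures of any real malicious code.
SIGNATURES = {
    "Test.Sample.A": b"CONSTRUCTED-SAMPLE-SIGNATURE-A-1234",
    "Test.Sample.B": bytes.fromhex("deadbeefcafebabe0102030405"),
}

# Limits chosen for this example; a real scanner would tune these.
MAX_DEPTH = 3                        # how many levels of archive-in-archive to open
MAX_RATIO = 100                      # uncompressed/compressed ratio that marks a bomb
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # never hold more than this per extracted member


def scan_bytes(data):
    """Signature analysis: report every database entry whose byte sequence occurs in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_object(data, path="<root>", depth=0):
    """Scan a blob, recursing into ZIP archives. Returns (path, finding) pairs;
    a finding is a signature name or one of ArchiveBomb, NestingTooDeep, CorruptArchive."""
    findings = [(path, name) for name in scan_bytes(data)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        # Refuse to go deeper rather than let nesting drive unbounded work.
        findings.append((path, "NestingTooDeep"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                # Bomb check from the central directory, before extracting anything.
                ratio = info.file_size / max(info.compress_size, 1)
                if info.file_size > MAX_MEMBER_BYTES or ratio > MAX_RATIO:
                    findings.append((member_path, "ArchiveBomb"))
                    continue
                with zf.open(info) as fh:
                    # zipfile honours the declared size; cap the read anyway so a
                    # lying header can never talk us into holding more than the limit.
                    member = fh.read(MAX_MEMBER_BYTES + 1)
                if len(member) > MAX_MEMBER_BYTES:
                    findings.append((member_path, "ArchiveBomb"))
                    continue
                findings.extend(scan_object(member, member_path, depth + 1))
    except zipfile.BadZipFile:
        findings.append((path, "CorruptArchive"))
    return findings


def build_sample():
    """Constructed test input: a ZIP holding a clean file, a nested ZIP with an
    'infected' member, and a highly compressible member that behaves like a bomb."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("infected.bin", b"prefix " + SIGNATURES["Test.Sample.A"] + b" suffix")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("clean.txt", b"nothing to see here")
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("bomb.bin", b"\0" * (4 * 1024 * 1024))  # roughly 1000:1 under DEFLATE
    return outer.getvalue()


def deeply_nested(levels):
    """Constructed test input: a harmless payload wrapped in `levels` ZIP archives."""
    data = b"harmless payload"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(f"level{i}.zip" if i else "payload.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    for path, finding in scan_object(build_sample()):
        print(f"{finding:15} {path}")
```

Running the block reports Test.Sample.A at `<root>/inner.zip/infected.bin` (found only after extraction, because the outer archive's raw bytes do not contain the signature) and ArchiveBomb at `<root>/bomb.bin`, which is never extracted because its ratio alone condemns it. The depth limit is checked before the archive is opened, so a chain of nested archives costs at most MAX_DEPTH extractions.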
Developed by ANSI [American National Standards Institute], ASCII is one of the most common standards for representing text in a computer. Each character (alphanumeric or special character) is represented by a binary number.
DOS- and Unix-based operating systems use ASCII. Windows® NT, Windows® 2000 and Windows® XP use a more recent standard called Unicode.