Skip to main content




ActiveX is a model for writing programs so that other programs and the operating system can call them. ActiveX technology is used with Microsoft Internet Explorer to make interactive Web pages that look and behave like computer programs, rather than static pages. With ActiveX, users can ask or answer questions, use push buttons, and interact in other ways with the Web page. ActiveX controls are often written using Visual Basic.

Active X is notable for a complete lack of security controls; computer security experts discourage its use over the Internet.


Adware is often combined with a host application that is provided at no charge as long as the user agrees to accept the adware. Because adware applications are usually installed after the user has agreed to a licensing agreement that states the purpose of the application, no offense is committed.

However, pop-up advertisements can become an annoyance, and in some cases degrade system performance. Also, the information that some of these applications collect may cause privacy concerns for users who were not fully aware of the terms in the license agreement.


Attempts to bypass security checks for creating new processes.

Antimalware Scanning Storm

Intensive use of system resources that occurs when antivirus software simultaneously scans multiple virtual machines on a single physical host.


Attempts to create a reverse shell, by scanning executable memory pages.

Archive bomb

An archive bomb is a repeatedly compressed file. When decompressed it can cause crashes of the antivirus program or system due to the extensive consumption of resources.


A hole in the security of a system deliberately left in place by designers or maintainers. The motivation for such holes is not always sinister; some operating systems, for example, come out of the box with privileged accounts intended for use by field service technicians or the vendor's maintenance programmers.


A bootkit is a malicious program having the ability to infect the master boot record (MBR), volume boot record (VBR), or boot sector. The bootkit remains active even after a system reboot.

Boot sector

A sector at the beginning of each disk that identifies the disk's architecture (sector size, cluster size, and so on). For startup disks, the boot sector also contains a program that loads the operating system.

Boot virus

A virus that infects the boot sector of a fixed or floppy disk. An attempt to boot from a diskette infected with a boot sector virus will cause the virus to become active in memory. Every time you boot your system from that point on, you will have the virus active in memory.


Short for Web browser, a software application used to locate and display Web pages.

Child process creation

Attempts to create any child process.


In a command-line interface, the user types commands in the space provided directly on the screen using command language.


Within the Internet industry, cookies are described as small files containing information about individual computers that can be analyzed and used by advertisers to track your online interests and tastes. In this realm, cookie technology is still being developed and the intention is to target ads directly to what you've said your interests are. It's a double-edge sword for many people because, on one hand, it's efficient and pertinent as you only see ads about what you're interested in. On the other hand, it involves actually "tracking" and "following" where you go and what you click. Understandably so, there is a debate over privacy and many people feel offended by the notion that they are viewed as a "SKU number" (you know, the bar code on the back of packages that gets scanned at the grocery check-out line). While this viewpoint may be extreme, in some cases it is accurate.

Credential access

The attacker steals credentials like usernames and passwords to gain access to the systems. For example brute-force attacks, unauthorized authentication exploits, password stealers.


This category comprises techniques designed to automate cybercrime. For example, Crimeware techniques are: nuclear exploits, various malware software such as Trojans and bots.


The term dialer is used to describe a program that uses the computer’s modem to establish a dial-up connection over the Internet. The connection is created by dialing a predetermined phone number and connecting to an international or premium rate local phone numbers. The program can perform unauthorized connections, bypassing the local Internet service provider. The purpose of this activity is to increase the victims phone bill and eventually make them lose money.


The attacker, once infiltrated, tries to obtain information about the systems and the internal network, before deciding what to do next. For example directory traversal exploits, HTTP directory traversal exploits.

Disk drive

It's a machine that reads data from and writes data onto a disk.

A hard disk drive reads and writes hard disks.

A floppy drive accesses floppy disks.

Disk drives can be either internal (housed within a computer) or external (housed in a separate box that connects to the computer).


DomainKeys Identified Mail - adds a digital signature to safeguard the email content of your outbound source. Configuring DKIM increases your domain reputation with different providers.


To copy data (usually an entire file) from a main source to a peripheral device. The term is often used to describe the process of copying a file from an online service to one's own computer. Downloading can also refer to copying a file from a network file server to a computer on the network.


It is a generic name for a program having a primary functionality of downloading content for unwanted or malicious purposes.

Dynamic malware

Dynamic malware includes different types of threats that operate at a pre-execution level. The malicious software can have multiple forms (scripts, files, URLs etc.) and use heavy obfuscation and evasion techniques.


Data egress refers to data leaving a network in transit to an external location. Examples of common channels for data egress include email, web uploads, cloud storage, removable media (USB, CD/DVD or external hard drives), FTP/HTTP transfers.


Electronic mail. A service that sends messages on computers via local or global networks.


An endpoint is any device, physical or virtual, that can interact and exchange information with another device, a user, or a network. Desktops, laptops, servers, virtual machines are examples of endpoints.


An action or occurrence detected by a program. Events can be user actions, such as clicking a mouse button or pressing a key, or system occurrences, such as running out of memory.


An exploit generally refers to any method used to gain unauthorized access to computers or a vulnerability in a system’s security that opens a system to an attack.

False positive

Occurs when a scanner identifies a file as infected when in fact it is not.

Filename extension

The portion of a filename, following the final point which indicates the kind of data stored in the file.

Many operating systems use filename extensions, e.g. Unix, VMS, and MS-DOS. They are usually from one to three letters (some sad old OSes support no more than three). Examples include "c" for C source code, "ps" for PostScript, "txt" for arbitrary text.


A class of software applications between legitimate software and malware. Though they are not as harmful as malware which affects the system’s integrity, their behavior is still disturbing, driving to unwanted situations such as data theft and unauthorized usage, and unwanted advertising. The most common greyware applications are spyware and adware.


A rule-based method of identifying new viruses. This method of scanning does not rely on specific virus signatures. The advantage of the heuristic scan is that it is not fooled by a new variant of an existing virus. However, it might occasionally report suspicious code in normal programs, generating the so-called "false positive".

Initial access

The attacker gains entry within a network by various means, including vulnerabilities of public-facing web servers. For example, information disclosure exploits, SQL injection exploits, and drive-by download injection vectors.


Internet Protocol - A routable protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets.


Internet Protocol Flow Information Export -An IETF protocol allowing network engineers and administrators to collect flow information from routers, probes, and other switches then analyze the flow data through a network analyzer. The IPFIX standard defines how IP flow information is to be formatted and transferred from an exporter to a collector.

Java applet

A Java program that is designed to run only on a web page. To use an applet on a web page, you would specify the name of the applet and the size (length and width, in pixels) that the applet can utilize. When the web page is accessed, the browser downloads the applet from a server and runs it on the user's machine (the client). Applets differ from applications in that they are governed by a strict security protocol.

For example, even though applets run on the client, they cannot read or write data onto the client's machine. Additionally, applets are further restricted so that they can only read and write data from the same domain that they are served from.


A keylogger is an application that logs anything you type.

Keyloggers are not malicious in nature. They can be used for legitimate purposes, such as monitoring employees or children activity. However, they are increasingly being used by cyber-criminals for malicious purposes (for example, to collect private data, such as login credentials and social security numbers).

Lateral movement

The attacker explores the network, often by moving through multiple systems, to find the main target. The attacker may use specific tools to accomplish the objective. For example, command injection exploits, Shellshock exploits, and double extension exploits.

LSASS process protection

LSASS process is predisposed to leaking secrets such as password hashes and security settings.

Macro virus

A type of computer virus that is encoded as a macro embedded in a document. Many applications, such as Microsoft Word and Excel, support powerful macro languages.

These applications allow you to embed a macro in a document and have the macro execute each time the document is opened.

Mail client

An e-mail client is an application that enables you to send and receive e-mail.

Malicious process

A destructive program that can access unauthorized resources.


Malware is the generic term for software that is designed to do harm - a contraction of 'malicious software'. It is not yet in universal usage, but its popularity as a general term for viruses, Trojan Horses, worms, and malicious mobile code is growing.

Malware signature

Malware signatures are snippets of code extracted from actual malware samples. They are used by antivirus programs to perform pattern-matching and detect malware.

Signatures are also used to remove the malware code from infected files.

The Bitdefender Malware Signature Database is a collection of malware signatures updated hourly by the Bitdefender malware researchers.


Internal storage areas in the computer. The term memory identifies data storage that comes in the form of chips, and the word storage is used for memory that exists on tapes or disks. Every computer comes with a certain amount of physical memory, usually referred to as main memory or RAM.


This method of scanning relies on specific virus signatures. The advantage of the non-heuristic scan is that it is not fooled by what might seem to be a virus, and does not generate false alarms.

Obsolete process creation

Attempts to create new processes using obsolete techniques.

Packed programs

A file in a compression format. Many operating systems and applications contain commands that enable you to pack a file so that it takes up less memory. For example, suppose you have a text file containing ten consecutive space characters. Normally, this would require ten bytes of storage.

However, a program that packs files would replace the space characters with a special space-series character followed by the number of spaces being replaced. In this case, the ten spaces would require only two bytes. This is just one packing technique - there are many more.

Password stealer

A password stealer collects pieces of data that can be account names and associated passwords. These stolen credentials are then used for malicious purposes, like account takeovers.


The exact directions to a file on a computer. These directions are usually described by means of the hierarchical filing system from the top down.

The route between any two points, such as the communications channel between two computers.


A fraudulent attempt to obtain sensitive information. Usually, false websites are designed to appear as trustworthy and ask the users to update personal information, such as passwords and credit card, social security, and bank account numbers in an attempt to trick them

Policy rule violations

The following threat types represent policy violations according to the administrator-defined rules:

  • Restricted web category: the accessed web address is part of a restricted web category.

  • Restricted web traffic: the reported web traffic occurred during a restricted time interval.

  • Restricted web address: the accessed web address is restricted according to the applied policy.

  • Restricted data access: data traffic matching the data protection rules was reported.

  • Restricted application: the accessed application is restricted according to the applied policy.

  • Restricted email attachments: the email contains multiple malicious attachments with different types of malware.

  • Restricted content: the email contains restricted character strings according to the applied policy.

  • Restricted attachment type: the email contains a restricted attachment based on the applied policy.

  • Connected device: a device was connected to the endpoint.

  • Port scan attempt: a port scan attempt was discovered.

  • Network traffic initiated by process: the outgoing network traffic and the process that initiated it are restricted according to the applied policy.

  • Incoming network traffic: the incoming network traffic is restricted according to the applied policy.

Polymorphic virus

A virus that changes its form with each file it infects. Since they have no consistent binary pattern, such viruses are hard to identify.


An interface on a computer to which you can connect a device. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices.

In TCP/IP and UDP networks, an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic.

Potentially harmful application

A Potentially harmful application is a program that may have a significant number of unwanted aspects or behaviors which can impact the system resources and performance as well as risking the safety of your personal and work-related data.

Potentially unwanted application (PUA) (PUA)

A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser, or running several processes in the background and slowing down the PC performance.

Privilege escalation

Attempts of processes to gain unauthorized privileges and access to resources.

Process Introspection

Protects against attempts of compromised parent processes to spawn child processes.

Protection layers

GravityZone provides protection through a series of modules and roles, collectively referred to as protection layers, which are divided into Endpoint Protection (EPP), or core protection, and various add-ons. Endpoint Protection includes Antimalware, Advanced Threat Control, Advanced Anti-Exploit, Firewall, Content Control, Device Control, Network Attack Defense, Power User, and Relay. Add-ons include protection layers such as Security for Exchange and Sandbox Analyzer.


A malware that locks you out of your computer or blocks access to your files and applications. Ransomware will demand that you pay a certain fee (ransom payment) in return for a decryption key that allows you to regain access to your computer or files.

Report file

A file that lists actions that have occurred. Bitdefender maintains a report file listing the path scanned, the folders, the number of archives and files scanned, how many infected and suspicious files were found.


A rootkit is a set of software tools that offer administrator-level access to a system. The term was first used for the UNIX operating systems and it referred to recompiled tools that provided intruders administrative rights, allowing them to conceal their presence so as not to be seen by the system administrators.

The main role of rootkits is to hide processes, files, logins, and logs. They may also intercept data from terminals, network connections, or peripherals if they incorporate the appropriate software.

Rootkits are not malicious in nature. For example, systems and even some applications hide critical files using rootkits. However, they are mostly used to hide malware or to conceal the presence of an intruder in the system. When combined with malware, rootkits pose a great threat to the integrity and the security of a system. They can monitor traffic, create backdoors into the system, alter files and logs and avoid detection.

ROP emulation

The attacker attempts to make the memory pages for data executable and then tries to execute them using the Return-Oriented Programming (ROP) technique.

ROP illegal call

Attempts to hijack the code flow using the ROP technique, by validating callers of sensitive system functions.

ROP make stack executable

Attempts to corrupt the stack using the ROP technique, by validating the stack page protection.

ROP return stack

Attempts to execute code directly on stack using the ROP technique, by validating return address range.

ROP stack misaligned

Attempts to corrupt the stack using the ROP technique, by validating the stack address alignment.

ROP stack pivot

Attempts to hijack the code flow using the ROP technique, by validating stack location.


Another term for macro or batch file, a script is a list of commands that can be executed without user interaction.

Shellcode EAF (Export address filtering)

Attempts of malicious code to access sensitive system functions from DLL exports.

Shellcode execution

Attempts to create new processes or download files, using shellcode.

Shellcode loadLibrary

Attempts to execute code via network paths, using shellcode.

Shellcode thread

Attempts to inject malicious code, by validating newly-created threads.


Electronic junk mail or junk newsgroup postings. Generally known as any unsolicited email.


Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about email addresses and even passwords and credit card numbers.

Spyware's similarity to a Trojan horse is the fact that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.

Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Startup items

Any files placed in this folder will open when the computer starts. For example, a startup screen, a sound file to be played when the computer first starts, a reminder calendar, or application programs can be startup items. Normally, an alias of a file is placed in this folder rather than the file itself.


STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) represent standards aimed to improve the prevention and mitigation of cyber-attacks. These standards are not pieces of software themselves, but rather specifications that software can use. The combination of STIX and TAXII allows sharing more easily threat information with your constituency and peers.

Suspicious files and network traffic

Suspicious files are those with a doubtful reputation. This ranking is given by many factors, among which to name: the existence of the digital signature, number of occurrences in computer networks, packer used, etc. Network traffic is considered suspicious when it deviates from the pattern. For example, unreliable sources, connection requests to unusual ports, increased bandwidth usage, random connection times, etc.

System tray

Introduced with Windows 95, the system tray is located in the Windows taskbar (usually at the bottom next to the clock) and contains miniature icons for easy access to system functions such as fax, printer, modem, volume, and more. Double click or right-click an icon to view and access the details and controls.

Targeted attacks

Cyber-attacks that mainly aim financial advantages or denigration of reputation. The target can be an individual, a company, a software, or a system, well studied before the attack takes place. These attacks are rolled out over a long period of time and in stages, using one or more infiltration points. They are hardly noticed, most times when the damage has already been done.


Transmission Control Protocol/Internet Protocol - A set of networking protocols widely used on the Internet that provides communications across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.


A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.


A new version of a software or hardware product designed to replace an older version of the same product. In addition, the installation routines for updates often check to make sure that an older version is already installed on your computer; if not, you cannot install the update.

Bitdefender has its own update module that allows you to manually check for updates, or let it automatically update the product.

VBScript generic

Attempts to exploit VBScript.


A program or piece of code that is loaded onto your computer without your knowledge and runs against your will. Most viruses can also replicate themselves. All computer viruses are manmade. A simple virus that can copy itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Virus signature

The binary pattern of a virus, used by the antivirus program to detect and eliminate the virus.

Web fraud

Web fraud includes other types of scams besides phishing. For example, websites representing fake companies, which do not directly request private information, but instead try to pose as legitimate businesses and make a profit by tricking people into doing business with them.

Web malware

Web malware represents software developed with a malicious purpose to work on web pages and web servers. The web pages may contain, distribute or even download malware on your computer.


A program that propagates itself over a network, reproducing itself as it goes. It cannot attach itself to other programs.