Glossary

agent
The Host Intrusion Prevention module that is installed on each host system in your network. An agent serves as a protective layer surrounding a computer’s operating system and applications, identifying and preventing suspected breaches of security and malicious attacks.

 

agent AutoUpgrade
The act of automatically upgrading the agent whenever a newer version is available on the ePolicy Orchestrator server.

 

agent host
See client computer.

 

agent installation package
The Setup program and all other files needed to install the agent.

 

agent wakeup call
The ability to initiate agent-to-server communication from the server-side.
See also SuperAgent wakeup call.

 

agent-to-server communication
Any communication that occurs between ePolicy Orchestrator agents and the ePolicy Orchestrator server where agents and server exchange data. Typically, the agent initiates all communication with the server.

 

agent-to-server communications interval (ASCI)
The time period between predefined agent-to-server communication.

 

aggregated view
A view of identical items grouped into a single aggregate.

 

alert
See event.

 

ASCI
See agent-to-server communications interval.

 

Adaptive mode
An operating mode for an agent in which IPS, firewall, and application blocking rules are learned and added automatically, without user intervention, from the activity observed on the client.

 

application blocking
A feature that allows or blocks certain applications. Two types of application blocking are available: application creation and application hooking.

 

attack
An attempted breach of system security. Attacks range in severity from low (someone having an unauthorized view of data on a system) to high (someone destroying or stealing data or shutting down a system).

 

Back Orifice
A remote administration tool that can give an attacker unwanted access to and control of a computer over its Internet link. It runs on Windows 95, Windows 98, and Windows NT.

 

backdoor
A deliberately built-in way of bypassing an application's normal security controls, which can allow unauthorized access to data.

 

behavioral rule
IPS rule that defines a profile of legitimate activity. Activity that does not match the profile triggers an event.
See also signature.

 

blocked host
A specific host from which Host Intrusion Prevention lets you block all communication; the firewall can also attempt to trace the source of the packets received from the blocked host.

 

branch
Locations on the master repository that allow you to store and distribute different versions of selected updates.
See also selective updating.

 

brute force
A hacking method used to find passwords or encryption keys by trying every possible combination of characters until the code is broken.

 

buffer overflow attack
The method of writing more data into a fixed-size software buffer than it can hold, so that the excess overwrites adjacent memory (such as a saved return address) and causes attacker-supplied code to execute with the privileges of the vulnerable process, often yielding a shell from which further commands can be issued.
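The pattern behind this entry, as an added example that is not code from the original glossary or from McAfee: a constructed C routine with the classic unbounded strcpy into a stack buffer, beside a hardened form that checks the length before copying. The function names, the 16-byte buffer size and the sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the fixed buffer */

/* Vulnerable form (constructed example). strcpy copies until it finds a NUL,
 * so any input longer than NAME_MAX-1 bytes writes past the end of name[]
 * into whatever follows it on the stack (saved registers, return address).
 * It is shown only to illustrate the defect; the demo calls it with input
 * that is known to fit. */
void greet_unsafe(const char *input, char *out, size_t out_len)
{
    char name[NAME_MAX];
    strcpy(name, input);                 /* no bounds check: the overflow */
    snprintf(out, out_len, "hello %s", name);
}

/* Returns 1 if input (including its NUL) fits in NAME_MAX bytes, else 0.
 * Scans at most NAME_MAX bytes so an unterminated input cannot run away. */
int name_fits(const char *input)
{
    size_t n = 0;
    while (n < NAME_MAX && input[n] != '\0')
        n++;
    return n < NAME_MAX;
}

/* Hardened form: refuse anything that would not fit, then copy with an
 * explicit bound and guarantee NUL termination.
 * Returns 0 on success, -1 if the input was rejected. */
int greet_safe(const char *input, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (!name_fits(input))
        return -1;                       /* would overflow: refuse */
    size_t n = strlen(input);            /* known to be < NAME_MAX here */
    memcpy(name, input, n);
    name[n] = '\0';
    snprintf(out, out_len, "hello %s", name);
    return 0;
}

int main(void)
{
    char out[64];
    /* 40 'A's: the kind of input that would overrun greet_unsafe's buffer */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    greet_unsafe("alice", out, sizeof out);      /* short input: fits */
    printf("%s\n", out);
    printf("greet_safe(oversized) -> %d\n", greet_safe(oversized, out, sizeof out));
    return 0;
}
```

The rejected-input path is the one a host IPS signature for buffer overflow is trying to catch after the fact; the point of the hardened form is that the length decision is made before any byte is written.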

 

camping out
A hacking technique of breaking into a system, and then finding a safe place from which to monitor the system, store information, or re-enter the system at a later time.

 

category
A division of a Host Intrusion Prevention feature to which you can assign a policy. The IPS feature includes the IPS Options, IPS Protection, and IPS Rules categories.

 

check in, checking in
The process of adding files to the master repository.

 

client computer
A computer on which the ePolicy Orchestrator agent and the Host Intrusion Prevention agent are installed.

 

client rules
An IPS, Firewall, or Application Blocking rule created on a client to allow legitimate activity that is otherwise blocked. Client rules are not part of a server-side policy but can be moved to a policy for application to other clients.

 

common framework
The architecture that allows different McAfee products to share the common components and code, which are the Scheduler, AutoUpdate, and the ePolicy Orchestrator agent.

 

complete properties
The entire set of properties being exchanged during agent-to-server communication.
See also incremental properties.

 

computers
In the console tree, the physical computers on the network managed by ePolicy Orchestrator. Computers can be added under existing sites or groups in the Directory.

 

configuration settings
See policy.

 

console tree item
The individual icons in the console tree of the ePolicy Orchestrator console.

 

console tree
The contents of the Tree tab in the left pane of the ePolicy Orchestrator console; it shows the items that are available in the console.

 

custom agent installation package
An agent installation package that uses the user credentials you provide to perform the installation, instead of those of the currently logged on user.

 

DAT files
Detection definition files, sometimes referred to as signature files.
See also EXTRA.DAT file, incremental DAT files, and SuperDAT.

 

denial-of-service attack (DoS)
An attack that disrupts the ability of a computer, server, or network to respond to legitimate requests, typically by overwhelming the target with bogus connection requests or traffic until it crashes or ignores legitimate requests.
See also ping of death, smurf attack, and SYN flood.

 

deploy, deployment
The act of distributing, installing, and configuring software on client computers from a central location.

 

details pane
The right pane of the ePolicy Orchestrator console, which shows details of the currently selected console tree item.

 

Directory
In the console tree, the list of all computers to be managed via ePolicy Orchestrator; the link to the primary interfaces for managing these computers.

 

distributed software repositories
A collection of web sites or computers located across the network in such a way as to provide bandwidth-efficient access to client computers. Distributed software repositories store the files that client computers need to install supported products and updates to these products.
See also fallback repository, global distributed repository, local distributed repository, master repository, mirror distributed repository, source repository, and SuperAgent distributed repository.

 

download site
The McAfee web site from which you retrieve product or DAT updates.
See also update site.

 

effective policy
A union of all IPS Rules and Trusted Application Rules policies for a selected node.

 

enforce, enforcement
The act of applying predefined settings on client computers at predetermined intervals.

 

ePolicy Orchestrator agent
A program that performs background tasks on managed computers, mediates all requests between the ePolicy Orchestrator server and the anti-virus and security products on these computers, and reports back to the server to indicate the status of these tasks.

 

ePolicy Orchestrator console
The user interface of the ePolicy Orchestrator software that is used to remotely control and monitor managed computers.
See also ePolicy Orchestrator remote console.

 

ePolicy Orchestrator database server
The computer that hosts the ePolicy Orchestrator database. This can be the same computer on which the ePolicy Orchestrator server is installed or a separate computer.

 

ePolicy Orchestrator database
The database that stores all data received by the ePolicy Orchestrator server from ePolicy Orchestrator agents and all settings made on the server itself.
See also ePolicy Orchestrator database server.

 

ePolicy Orchestrator remote console
The ePolicy Orchestrator user interface when it is installed on a separate computer from the ePolicy Orchestrator server.
See also ePolicy Orchestrator console.

 

ePolicy Orchestrator server
The back-end component of the ePolicy Orchestrator software.
See also ePolicy Orchestrator agent and ePolicy Orchestrator console.

 

error reporting utility
A utility specifically designed to track and log failures in the McAfee software on your system. The information that is obtained can be used to analyze problems.

 

event
An alert triggered when a security violation, as defined by a signature, occurs. All events triggered on a selected host appear in the list of IPS events.
See also signature.

 

exception rule
A permit rule allowing legitimate activity that is otherwise blocked by a signature.

 

EXTRA.DAT file
Supplemental virus definition file that is created in response to an outbreak of a new virus or a new variant of an existing virus.
See also DAT files, incremental DAT files, and SuperDAT.

 

fallback repository
A type of distributed software repository used in the event that client computers cannot contact any of their predefined distributed repositories. Typically, another source repository is defined as the fallback repository.
See also replicate, replication.

 

false positive
An event triggered by a legitimate operation of a benign process rather than an intrusion.

 

feature
A functional division of a product. Host Intrusion Prevention features include IPS, Firewall, Application Blocking, and General.

 

firewall
A filter between a system and the network or Internet. The firewall scans all incoming and outgoing traffic at the packet level. It reviews each arriving or departing packet, then checks its list of firewall rules to determine whether to allow or prevent an action.

 

force install, force uninstall
See product deployment client task.

 

framepkg.exe
See agent installation package.

 

full properties
All properties that can be exchanged during agent-to-server communication.
See also minimal properties.

 

global/McAfee default policy
The default policy for a category.

 

global administrator
A user account with read, write, and delete permissions and rights to all operations, including the operations that affect the entire installation, which are reserved for the global administrator alone.
Compare to global reviewer, site administrator, site reviewer.

 

global blacklist
A list of e-mail addresses or domains that the administrator creates as a company-wide standard. Any e-mail messages from the addresses or domains on the global blacklist will always be treated as spam.
Compare to global whitelist; see also blacklist.

 

global distributed repository
A distributed software repository that can be automatically kept current with the contents of the master repository.
See also replicate, replication.

 

global policy
See global/McAfee default policy.

 

global reviewer
A user account with read-only permissions, that can view all settings in the software for an entire installation, but cannot change any settings.
Compare to global administrator, site administrator, site reviewer.

 

global updating
A method for deploying product updates as soon as the files are checked into the master repository without user intervention. Files are immediately replicated to all SuperAgent and global distributed repositories; the ePolicy Orchestrator server sends a wakeup call to all SuperAgents; SuperAgents send a broadcast wakeup call to all agents in the same subnet; then all client computers retrieve the updated files from the nearest repository.

 

group
In the console tree, a logical collection of entities assembled for ease of management. Groups can contain other groups or computers, and can be assigned IP address ranges or IP subnet masks to allow sorting computers by IP address. If you create a group by importing a Windows NT domain, you can automatically send the agent installation package to all imported computers in the domain.

 

high-risk application
Under Application Protection Rules, an application that is open to having code injected into its memory space or dynamic library and thus requiring protection.

 

host, host computer
See client computer.

 

host IPS (HIPS)
Host protection rules that monitor and prevent attacks on the operating system and applications of a host system.

 

HotFix releases (now Patches)
Intermediate releases of the product that fix specific issues.

 

inactive agent
Any agent that has not communicated with the ePolicy Orchestrator server within a specified time period.

 

inherit, inheritance
The act of applying the settings defined for an item within a hierarchy from the item above it.

 

item
See console tree item.

 

Learn mode
The Host Intrusion Prevention protection setting that creates rules when an operation (a packet or an application action) is encountered and no rule exists to say how to handle it. The user is prompted to allow or block the action, and a rule is generated to handle similar operations. This mode is applicable to the Firewall and Application Blocking features.

 

local distributed repository
A type of distributed software repository whose content is manually updated.

 

Lost&Found group
A group used to temporarily store computers whose appropriate location in the Directory cannot be determined.

 

managed products
A security product like Host Intrusion Prevention that is managed from ePolicy Orchestrator.

 

master repository
A type of distributed software repository whose contents act as the standard for all other distributed repositories. Typically, the master repository contents are defined from a combination of the source repository contents and additional files added to the master repository manually.
See also pull; replicate, replication.

 

.NAP file
The file extension used to designate McAfee software program files that are installed in the software repository for ePolicy Orchestrator to manage.

 

network IPS (NIPS)
Network protection rules that monitor and prevent network attacks.

 

node
See console tree item.

 

package catalog file
A file that contains details about each update package, including the name of the product for which the update is intended, language version, and any installation dependencies.

 

ping attack
The method of overwhelming a network with ping commands.

 

ping of death
A hacking technique used to cause a denial of service by sending an ICMP echo request in IP fragments whose reassembled size exceeds the 65,535-byte maximum for an IP datagram. As the target attempts to reassemble the fragments, the oversized result overflows the reassembly buffer and can cause the target to reboot or hang.
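The reassembly check that defeats this attack, as an added example that is not code from the original glossary or from any particular IP stack: a C routine that computes where a fragment would end in the reassembled datagram and rejects any fragment that would push it past 65,535 bytes. The struct, function names and sample fragments are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u   /* 16-bit total length field: RFC 791 limit */

/* Minimal view of the IPv4 header fields that matter for reassembly
 * (constructed for this example, not a real stack's structure). */
struct ip_frag {
    uint16_t total_length;   /* header + payload bytes in this fragment */
    uint8_t  ihl_bytes;      /* header length in bytes (20 with no options) */
    uint16_t frag_off;       /* 13-bit fragment offset, in units of 8 bytes */
    bool     more_fragments; /* MF flag: false on the final fragment */
};

/* Byte offset, in the reassembled datagram, one past the end of this
 * fragment's payload. Computed in 32 bits so the sum itself cannot wrap:
 * offset 8191 * 8 = 65528 plus a 1480-byte payload is 67008. */
static uint32_t frag_end(const struct ip_frag *f)
{
    uint32_t payload = (uint32_t)f->total_length - f->ihl_bytes;
    return (uint32_t)f->frag_off * 8u + payload;
}

/* The check a hardened stack (or a host IPS inspecting fragments) makes
 * before copying a fragment into the reassembly buffer.
 * Returns true when the fragment must be dropped. */
bool frag_is_oversized(const struct ip_frag *f)
{
    if (f->total_length < f->ihl_bytes)
        return true;                        /* malformed: no payload at all */
    return frag_end(f) > IP_MAX_DATAGRAM;
}

int main(void)
{
    /* Constructed samples: a normal last fragment and a ping-of-death one
     * (1480-byte payload, as on an Ethernet MTU, at the last possible offset). */
    struct ip_frag normal_last = { .total_length = 420,  .ihl_bytes = 20,
                                   .frag_off = 8140, .more_fragments = false };
    struct ip_frag pod_last    = { .total_length = 1500, .ihl_bytes = 20,
                                   .frag_off = 8190, .more_fragments = false };

    printf("normal last fragment ends at %u: %s\n", frag_end(&normal_last),
           frag_is_oversized(&normal_last) ? "drop" : "accept");
    printf("ping-of-death fragment ends at %u: %s\n", frag_end(&pod_last),
           frag_is_oversized(&pod_last) ? "drop" : "accept");
    return 0;
}
```

The only subtle point is the arithmetic width: a stack that adds offset and length in a 16-bit variable wraps silently and passes exactly the fragments it needed to reject.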

 

policy
A group of settings assigned to a category of a product feature. For most categories, only one named policy for each category is permitted. The exceptions are IPS Rules and Application Rules, where one or more rules can be applied.

 

policy enforcement interval
The interval at which the agent re-applies the settings it has already received from the ePolicy Orchestrator server. Because these settings are enforced locally, this interval does not require any bandwidth.

 

policy files
Set of policy settings for one or more products that are saved to the local drive of the ePolicy Orchestrator server, but cannot be accessed by a remote console.
See also policy templates.

 

policy pages
Part of the ePolicy Orchestrator console; they allow you to set policies and create scheduled tasks for products, and are stored on individual ePolicy Orchestrator servers (they are not added to the master repository).

 

port scanning
A hacking technique used to check TCP/IP ports to reveal which services are available in order to plan an exploit involving those services, and to determine the operating system of a particular computer.

 

product deployment client task
A scheduled task for deploying all products currently checked into the master repository at once. It enables you to schedule product installation and removal during off-peak hours or during the policy enforcement interval.

 

profile
A grouping of policies based on common use of applications, network location, or access rights and privileges.

 

properties
Data exchanged during agent-to-server communication that includes information about each managed computer (for example, hardware and software) and its managed products (for example, specific policy settings and the product version number).

 

pull
The act of copying files from a source or fallback repository to the master repository. Because additional files can be added to the master repository manually, only those files on the source or fallback repository are overwritten.

 

quarantine mode
Enforced isolation of a computer until action can be taken to update protection policies.

 

reaction
The response by an agent when intercepting a signature. Three possible reactions can occur: Ignore (ignores the operation), Log (logs the operation in the database as an intrusion), and Prevent (prevents the specific illegal operation from taking place and logs it).

 

remote console
See ePolicy Orchestrator remote console.

 

Repository
The location that stores policy pages used to manage products.

 

selective updating
The ability to specify which version of updates you want client computers to retrieve from distributed software repositories.
See also branch.

 

server tasks
Tasks that can be executed on the server-side of the software.

 

severity level
One of four levels of risk assigned to signatures:
Information (blue) – a modification to the system configuration or an attempt to access sensitive system components that is not generally evidence of an attack.
Low (yellow) – a modification to the system configuration or an attempt to access sensitive system components that is not identified as a known attack but indicates suspicious behavior on the part of a user or application.
Medium (orange) – a known attack with low to medium risk, or highly suspicious behavior by a user or an application.
High (red) – an attack that poses a serious threat to security.

 

signature
The set of rules that describes security threats and instructions to a host or network. Each of the three types of IPS signatures, host (HIPS), custom (HIPS), and network (NIPS), has an associated severity level indicating the danger of the potential attack.
See also behavioral rule.

 

signature files
See DAT files.

 

silent installation
An installation method that installs a software package onto a computer silently, without need for user intervention.

 

site
In the console tree, a logical collection of entities assembled for ease of management. Sites can contain groups or computers, and can be organized by IP address range, IP subnet mask, location, department, and others.

 

site administrator
A user account with read, write, and delete permissions, as well as rights to all operations for the specified site (except those restricted to the global administrator), and for all groups and computers under it on the console tree.
Compare to global reviewer, global administrator, site reviewer.

 

site reviewer
A user account with read-only permissions, that can view all settings in the software for the specified site, but cannot change any settings.
Compare to global administrator, global reviewer, site administrator.

 

smurf attack
A denial-of-service attack that floods its target with replies to ICMP echo (ping) requests. A smurf attack sends ping requests to the broadcast addresses of networks reachable over the Internet, which deliver each request to every host on the subnet (up to 254 on a /24). The source address of the ping request is spoofed to be the address of the attack target, so every host that receives the request replies to the target, flooding it with replies.

 

snooping
Passively observing a network.

 

spoofing
Forging something, such as an IP address, to hide one’s location and identity.

 

state
Describes the manner in which an agent is actually functioning (current state), or is functioning after its next communication with the server (requested state). The console recognizes four different states for an agent: Normal, Uninstalling, No connection, No license.

 

Status Monitor
See Agent Monitor.

 

SYN flood
A hacking technique used to cause a denial of service. SYN packets are sent to the target from spoofed source addresses at a rate faster than the TCP stack on the host can handle. Because the source address is spoofed, the SYN-ACK that the target sends back is never answered with the final ACK, so each half-open connection occupies a slot in the target's backlog until it times out, while the attacker continues to flood the host with SYN packets and ties up its resources.
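One way to spot the pattern just described from observed traffic, as an added example that is not code from the original glossary or from McAfee's product: C code that tallies, per source address, SYN segments that were never followed by an ACK and flags a flood when the implied half-open count exceeds the listen backlog. The segment struct, the backlog value, the sample traffic and all function names are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One observed inbound TCP segment, reduced to what the check needs
 * (constructed record format, not a real capture structure). */
struct tcp_seg {
    uint32_t src;   /* source IPv4 address, host byte order */
    int      syn;   /* SYN flag set */
    int      ack;   /* ACK flag set */
};

#define BACKLOG 16      /* assumed listen backlog of the protected service */
#define MAX_SRC 64      /* per-source table size for this example */

struct src_stat { uint32_t src; int syns; int acks; };

/* Find src in the table or add it; returns its index, or -1 if full. */
static int find_or_add(struct src_stat *st, int *count, uint32_t src)
{
    for (int k = 0; k < *count; k++)
        if (st[k].src == src) return k;
    if (*count == MAX_SRC) return -1;
    st[*count] = (struct src_stat){ src, 0, 0 };
    return (*count)++;
}

/* Sum over sources of (SYNs without ACK) minus (segments carrying ACK),
 * floored at zero per source: the half-open connections the traffic implies.
 * Also reports how many sources opened connections and never sent an ACK,
 * which is the signature of spoofed sources that never saw the SYN-ACK. */
int half_open_total(const struct tcp_seg *segs, int n, int *never_completed)
{
    struct src_stat st[MAX_SRC];
    int count = 0, total = 0;
    *never_completed = 0;
    for (int i = 0; i < n; i++) {
        int k = find_or_add(st, &count, segs[i].src);
        if (k < 0) continue;              /* table full: real code would evict */
        if (segs[i].syn && !segs[i].ack) st[k].syns++;
        else if (segs[i].ack)            st[k].acks++;
    }
    for (int k = 0; k < count; k++) {
        int d = st[k].syns - st[k].acks;
        if (d > 0) total += d;
        if (st[k].syns > 0 && st[k].acks == 0) (*never_completed)++;
    }
    return total;
}

/* Flood verdict: more half-open connections than the backlog can hold. */
int is_syn_flood(const struct tcp_seg *segs, int n)
{
    int never;
    return half_open_total(segs, n, &never) > BACKLOG;
}

/* Constructed sample traffic: three clients that complete the handshake,
 * optionally followed by 40 SYNs from 40 distinct (spoofed) sources. */
int build_sample(struct tcp_seg *out, int flood)
{
    int n = 0;
    for (uint32_t c = 1; c <= 3; c++) {
        out[n++] = (struct tcp_seg){ 0x0A000000u | c, 1, 0 };   /* 10.0.0.c SYN */
        out[n++] = (struct tcp_seg){ 0x0A000000u | c, 0, 1 };   /* 10.0.0.c ACK */
    }
    if (flood)
        for (uint32_t i = 0; i < 40; i++)
            out[n++] = (struct tcp_seg){ 0xC0A80100u + i, 1, 0 }; /* 192.168.1.i SYN */
    return n;
}

int main(void)
{
    struct tcp_seg buf[64];
    int never, n = build_sample(buf, 1);
    int total = half_open_total(buf, n, &never);
    printf("half-open=%d sources-never-completed=%d flood=%d\n",
           total, never, is_syn_flood(buf, n));
    return 0;
}
```

A per-source threshold alone would miss this traffic, since each spoofed address sends exactly one SYN; the total against the backlog, and the count of sources that never complete, are what separate the flood from a busy but legitimate service.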

 

task
See client tasks, server tasks.

 

Trojan horse
A program that either pretends to have, or is described as having, a set of useful or desirable features, but actually contains a damaging payload. Trojan horses are not technically viruses, because they do not replicate.

 

trusted application
An application that is known to be safe in an environment, has no known vulnerabilities, and is allowed to perform any operation.

 

tuning
The process of identifying a few profiles and creating policies for them in an effort to reduce the number of false positives and prevent generating events.

 

update package
Package files from McAfee that provide updates to a product. All packages are considered product updates with the exception of the product binary (Setup) files.

 

updating
The process of installing updates to existing products or upgrading to new versions of products.

 

zero-day attack
An exploit that takes advantage of a security vulnerability before a fix for it is available, often on the same day that the vulnerability becomes generally known.

 

Copyright © 2006 McAfee, Inc. All Rights Reserved.