An Antivirus and Antispyware Policy scans for both viruses and for security risks; examples of security risks are spyware, adware, and other files that can put a computer or a network at risk. Antivirus and antispyware scans detect kernel-level rootkits. Rootkits are the programs that try to hide themselves from a computer's operating system and can be used for malicious purposes.
The default Antivirus and Antispyware Policy does the following actions:
See: Basics of Antivirus and Antispyware Protection.
The following describes viruses, security risks, and the types of risks for which the client software scans. The threat landscape is constantly changing. Symantec reserves the right to add, remove, or change these definitions over time.
Risk |
Description |
Viruses |
Programs or code that attach a copy of themselves to another computer program or document when it runs. When the infected program runs, the attached virus program activates and attaches itself to other programs and documents. When a user opens a document that contains a macro virus, the attached virus program activates and attaches itself to other programs and documents. Viruses generally deliver a payload, such as displaying a message on a particular date. Some viruses specifically damage data. These viruses can corrupt programs, delete files, or reformat disks. |
Malicious Internet bots |
Programs that run automated tasks over the Internet for malicious purposes. Bots can be used to automate attacks on computers or to collect information from Web sites. |
Worms |
Programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down. |
Trojan horses |
Malicious programs that hide themselves in something benign, such as a game or utility. |
Blended threats |
Threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage throughout the network. |
Adware |
Stand-alone or appended programs that secretly gather personal information through the Internet and relay it back to another computer. Adware may track browsing habits for advertising purposes. Adware can also deliver advertising content. Adware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads adware by accepting an End User License Agreement from a software program. |
Dialers |
Programs that use a computer, without the user's permission or knowledge, to dial out through the Internet to a 900 number or FTP site. Typically, these numbers are dialed to accrue charges. |
Hacking tools |
Programs that are used by a hacker to gain unauthorized access to a user's computer. For example, one hacking tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hacking tools may also be used to create viruses. |
Joke programs |
Programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a program can be downloaded from a Web site, email message, or instant messenger program. It can move the Recycle Bin away from the mouse when the user tries to delete it or cause the mouse to click in reverse. |
Other |
Other security risks that do not conform to the strict definitions of viruses, Trojan horses, worms, or other security risk categories. |
Remote access programs |
Programs that allow access over the Internet from another computer so that they can gain information or attack or alter a user's computer. For example, a user may install a program, or another process might install a program without the user's knowledge. The program can be used for malicious purposes with or without modification of the original remote access program. |
Spyware |
Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer. Spyware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads spyware by accepting an End User License Agreement from a software program. |
Trackware |
Stand-alone or appended applications that trace a user's path on the Internet and send information to the target system. For example, the application can be downloaded from a Web site, email message, or instant messenger program. It can then obtain confidential information regarding user behavior. |
Non-Viral malicious |
This is a general category for all non-viral threats that are unambiguously malicious. This category includes Worms, Trojan Horses, Downloaders, Infostealers, and so on. These are distinctly different from viral threats, and the distinction is important because these threats are generally self-contained and their removal will not affect existing user data or applications. Viruses are threats that modify the content of existing data/applications in order to propagate. |
Malicious |
This is a general category for all non-viral threats that are unambiguously malicious. This category includes Worms, Trojan Horses, Downloaders, Infostealers, and so on. These are distinctly different from viral threats, and the distinction is important because these threats are generally self-contained and their removal will not affect existing user data or applications. Viruses are threats that modify the content of existing data/applications in order to propagate. |
Antivirus – Heurisitc |
Heuristic detections identify files that are likely to be as-yet-undiscovered threats. These detections generally target generally malicious actions or generally malicious files, the criteria for which are determined by Symantec researchers. These detections are intended to be proactive, and as a result we cannot often provide much detailed information about the threat until it has been more thoroughly analyzed. |
Generic Load Point (GLP) |
GLPs refer to specific areas, primarily in the Windows Registry, that a program can use to load itself without requiring user interaction. Threats use these load points to load themselves transparently when Windows starts, and as a result we check these areas when scans are initialized. |
TruScan Proactive Threat Scan – Heuristic |
These detections are from the COH/BASH technology, which classifies files as good or bad based on a scoring algorithm. Scoring per file is based on a variety of characteristics that are common to programs. The actions the program takes and the characteristics of the program file(s) make up the scoring criteria. |
Cookie |
See: http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99 |
Client compliancy |
In a managed client-server relationship, the client is prompted to determine whether it has received and implemented the latest security policies from the management server. The client compliancy check returns “yes” or “no,” and the software takes whatever action the security manager has defined for each of those responses. This is also referred to as a “Host Integrity check.” |
By default, Auto-Protect scans for viruses, Trojan horses, worms, and security risks when it runs.
Some risks, such as Back Orifice, were detected as viruses in earlier versions of the client software. They remain detected as viruses so that the client software can continue to provide protection for legacy computers.