The Complete Security and Antivirus Glossary of Terms

Mercy Pilkington
Posted: October 31, 2018

How can you choose an antivirus if you have no idea what any of their websites are talking about? One solution claims to detect viruses, malware, ransomware, and trojans—but what’s the difference between these? Does your machine need heuristic detection, real-time protection, or will a plain old definition-based tool do the job? And what does it all mean? Let our cybersecurity expert help you wade through all the terms.


Adware

Any type of program whose primary objective is displaying ads. The pop-ups earn the developers revenue simply by displaying ads, and even more when the user clicks on them (pay per click).

Android

An operating system for mobile devices developed by Google. It is based on a mobile-optimized version of the Linux kernel.

Antivirus

Any program that scans the filesystem and/or programs for viruses. These programs usually quarantine and delete what they find.

Background Processes

Tasks that a processor is running but which are invisible to the user. For mobile apps, cleanup tools often promise to forcibly stop these in order to improve battery life and reduce CPU temperature. By contrast, programs that are “open” and visible are said to be running in the foreground.

BIOS

Basic Input Output System is the firmware that runs before the operating system and ensures that all connected peripherals are ready to use. Increasingly, viruses are targeting systems’ BIOS programs, so many vendors now include protection against these. BIOS is about to be replaced by a more modern form of boot firmware known as UEFI (Unified Extensible Firmware Interface).

Blacklist

A parental control tool that allows users to manually specify URLs which the program will block. This is typically used when the website would not already be blocked by category-based filtering.

Brute Force Attack

A relatively unsophisticated form of cyberattack in which a program automatically generates and tries every possible alphanumeric combination until it finds the correct password.
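As an added example (not from the original article), here is the defender's side of this entry: a small detector that reads constructed, syslog-style authentication log lines and flags any source address that accumulates a threshold of failed logins inside a sliding time window. The log line format, the hosts, the usernames and the addresses are all assumptions made up for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, syslog-style sample lines (fictional hosts, users and addresses).
SAMPLE_LOG = """\
2018-10-31T08:00:01 sshd: Failed password for alice from 203.0.113.7
2018-10-31T08:00:03 sshd: Failed password for alice from 203.0.113.7
2018-10-31T08:00:04 sshd: Failed password for root from 203.0.113.7
2018-10-31T08:00:06 sshd: Failed password for admin from 203.0.113.7
2018-10-31T08:00:07 sshd: Failed password for bob from 203.0.113.7
2018-10-31T08:00:09 sshd: Failed password for alice from 203.0.113.7
2018-10-31T08:00:10 sshd: Accepted password for alice from 198.51.100.2
2018-10-31T08:20:00 sshd: Failed password for carol from 198.51.100.2
2018-10-31T08:45:00 sshd: Failed password for carol from 198.51.100.2
"""

# Assumed log line shape; real sshd lines carry more fields (pid, port, ...).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "failed": m["result"] == "Failed",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures_in_window", "window_start", "usernames"}} for each
    flagged source, recorded at the moment the threshold was first crossed.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures
    alerts = {}
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or not event["failed"]:
            continue  # successful logins and unparsed lines do not count
        q = recent[event["ip"]]
        q.append((event["ts"], event["user"]))
        # Drop failures that have fallen out of the window.
        while q and event["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and event["ip"] not in alerts:
            alerts[event["ip"]] = {
                "failures_in_window": len(q),
                "window_start": q[0][0].isoformat(),
                "usernames": sorted({user for _, user in q}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures_in_window']} failures since "
              f"{info['window_start']} against {info['usernames']}")
```

On the sample above only 203.0.113.7 is flagged: it fails five times within six seconds and tries several usernames, while 198.51.100.2 has two failures twenty-five minutes apart, which the sliding window treats as ordinary typos. The threshold and window are the knobs a practitioner tunes to balance lockout noise against detection speed.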

Cache

Temporary resources which websites store on users’ machines to make them load more quickly. Unlike cookies, these are usually not user-specific resources, but rather technical elements such as images and stylesheets that determine how websites appear.

Cookies

Files that internet browsers place on users’ computers which help identify them upon their next visit. These improve the user’s browsing experience by allowing them to see a frequently accessed webpage without having to log in each time, for example.

Distributed Denial of Service (DDoS)

DDoS attacks target individual network resources from multiple computers at the same time. They are often used to sabotage large enterprise servers. Because blocking a single IP address will not stop the attack, they are difficult to defend against.

EICAR

The European Institute of Computer Antivirus Research produces a standard antivirus test file which can be used to test the effectiveness of a desktop antivirus tool (without risking introducing a real virus to the system).

Encryption

Converts readable information into code which can only be read again by decrypting the file or data with the corresponding key. It secures information ranging from files to internet connections.

Endpoint

Any internet-capable device connected over a TCP/IP network. Includes devices like desktops, smartphones, laptops, network printers, and point of sale (POS) terminals. The term is often encountered in the enterprise environment, where large numbers of “endpoints” may require centrally-managed antivirus protection.

False Positive

Occurs when antivirus software flags a safe file or a legitimate program as a virus. This can happen because code fragments from known viruses are often also present in harmless programs.

Firewall

Ensures that computers outside of a Local Area Network (LAN) are not able to gain unauthorized access to machines “within” the network. Both Mac and Windows come with built-in firewalls, and many antivirus tools include their own firewall component.

Heuristic-Based Scanning

Heuristic-based scanning monitors program commands that could be a threat to system health. Also referred to as behavior-based scanning.

Internet Protocol (IP) Address

An IP address is a unique numeric identifier assigned to an internet-connected device. Because geolocation systems can often map IP addresses to geographical territories, VPNs route traffic through different servers to change users’ public IP addresses.

iOS

Apple’s operating system for mobile devices. It is the default OS on devices such as the iPhone, iPad, and iPod Touch.

Internet Protocol (IP)

Internet Protocol (IP) is the main communications protocol that delivers data between a source and its destination.

Internet Service Provider (ISP)

An Internet Service Provider is a company that provides internet connectivity to customers.

Kernel

The core of an operating system that controls all the components connected to the computer. It also manages low-level system operations, including the allocation of system memory (RAM) and CPU resources.

Keylogger

Keyloggers record every keystroke a user makes, regardless of whether the keys are pressed on a physical or a virtual keyboard (as on a smartphone). Because full keystroke histories typically contain usernames, passwords, and message contents, criminals can use keyloggers for identity theft and stealing login information. Keylogger protection is an important component of any antivirus with phishing protection.

Linux

A family of operating systems built on the Linux kernel. The OS is free and open-source and many variants (called “distributions”) exist, the most popular of which is Ubuntu. Although it is the dominant choice of operating system for servers, Linux has the smallest market share of the major desktop operating systems.

Local Area Network (LAN)

A LAN is a network of connected IP devices. It can include both user machines, such as desktops and laptops, and peripherals such as printers.

macOS

Apple’s current default operating system for the Mac product family, including both desktops and MacBook laptops.

Malware

Malware refers to traditional viruses and newer forms of malicious software such as adware, spyware, worms, and trojans.

Man-in-the-Middle Attack

A hacking strategy in which an attacker secretly relays information between two parties who falsely believe they are communicating directly with each other. For instance, a phisher could create a replica of Facebook on a local network in order to deceive users into logging in, then steal their account details.

On-Demand Scanning

An antivirus scan that the user manually initiates. It can be compared to automatic, scheduled scanning or real-time protection which runs continuously.

Peer-to-Peer (P2P)

Peer-to-peer networks allow connected computers to share resources in order to speed up the transmission of large files. Because they are often used to share content illegally, many ISPs block their traffic.

Packet Sniffing

A hacking strategy in which attackers capture packets of data transmitted over a network. Whenever communications are sent unencrypted (such as plain text messages), packets intercepted this way can be inspected and read directly.

Phishing

An attacker contacts the victim by an electronic medium (usually e-mail) and deceives the victim into surrendering sensitive information, such as login credentials, by pretending to have a legitimate request.

Port

A network port is a number identifying one side of a connection between two computers. Ports help computers determine which application or process is sending and receiving internet traffic. Limiting open ports to prevent unauthorized network entry is an important function of firewalls.

Port Scanners

Port scanners automatically scan networks for open (active) or listening ports. They can be used for genuine, “white hat” purposes by network administrators or by attackers searching for vulnerable machines to target.

Potentially Unwanted Application (PUA)

See PUP, below.

Potentially Unwanted Program (PUP)

Programs that users may not wish to have on their systems and may have been deceived into downloading. Because PUPs are often spyware or adware, many anti-malware solutions scan for them and prompt users to remove them if they are found.

Proxy Server

An intermediary server that forwards connection requests and information between computer users and the servers they are trying to access. Unlike VPNs (below), proxies do not transmit the traffic over a secure, encrypted tunnel. Like VPNs, they can be used to avoid geolocation restrictions.

RAM

Random Access Memory provides the fastest read/write speeds of any hardware medium. It is the main memory resource of a computer and, unlike hard disk drives (HDDs) or solid-state drives (SSDs), its contents are lost when the computer is turned off.

Ransomware

A form of malware that takes over a user’s computer before demanding a payment to self-delete. Ransomware usually demands payment via a cryptocurrency such as Bitcoin, which allows the cybercriminal to operate anonymously.

Real-Time Scanning

Continuously checks files on an operating system as they are accessed. Unlike on-demand scanning, it instantly detects and quarantines viruses as they are encountered. In mobile antivirus products, these scan newly downloaded apps as soon as they begin the installation process.

Rootkit

Clandestine computer programs that provide continuous elevated access to the criminals operating them. Elevated privileges provide administrative control over the operating system, so hackers can hide the existence of other malware operating in tandem on the same system.

Router

A router provides wireless and wired (Ethernet / RJ45) connectivity to a local network. Routers typically allow all devices on the local network to connect to the internet and enforce some basic firewall rules to regulate external access.

Sandbox

A testing environment that is separated from the main operating system, often by means of virtualization. It allows antivirus programs to safely open, test, and quarantine potential viruses without risking damage to the user’s computer.

Sector Viruses

Viruses that target operating systems’ boot sectors (the firmware used to load the operating system). Boot firmware is typically either BIOS or its successor, UEFI.

Signature-Based Scanning

Detects viruses and malware based on known code excerpts, often called “definitions.” Signature-based scanning engines can be supplemented by heuristic tools, which rely on pattern-recognition to detect threats.
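A toy signature-based scanner, added here as an example that is not from the original article, tying together the EICAR, False Positive and Signature-Based Scanning entries above. Every definition, sample file and marker string in it is constructed; the real EICAR test string is deliberately not reproduced, so the script runs anywhere without being quarantined by a host antivirus. It shows the two common kinds of "definition" (an exact file hash and a byte pattern), why a hash definition stops matching after a single-byte change, and how an over-short pattern produces the false positive the glossary describes.

```python
import hashlib

# Constructed marker standing in for a test-file signature such as EICAR's;
# the real EICAR string is intentionally not reproduced here.
TEST_MARKER = b"CONSTRUCTED-ANTIVIRUS-TEST-MARKER-NOT-EICAR"

# Constructed "definitions": (name, kind, value). A pattern definition matches
# any file containing the byte sequence; a sha256 definition matches only the
# exact file it was taken from.
DEFINITIONS = [
    ("Test-File", "pattern", TEST_MARKER),
    ("Example.Dropper", "pattern", b"\x90\x90\xcc\xcc DROP-ME \xde\xad\xbe\xef"),
    ("Example.Exact", "sha256", hashlib.sha256(b"exact sample bytes").hexdigest()),
]

# Constructed sample "files" (name -> content), held in memory.
SAMPLE_FILES = {
    "eicar_like.com": TEST_MARKER + b"\r\n",
    "readme.txt": b"Nothing to see here.",
    "dropper.bin": b"header " + b"\x90\x90\xcc\xcc DROP-ME \xde\xad\xbe\xef" + b" tail",
    "exact.bin": b"exact sample bytes",
    "exact_modified.bin": b"exact sample bytes!",  # one byte added: the hash changes
}


def scan_bytes(data, definitions=DEFINITIONS):
    """Return the names of all definitions that match the given file content."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, kind, value in definitions:
        if kind == "sha256" and digest == value:
            hits.append(name)
        elif kind == "pattern" and value in data:
            hits.append(name)
    return hits


def scan_files(files, definitions=DEFINITIONS):
    """Scan every in-memory file and report which definitions matched it."""
    return {name: scan_bytes(data, definitions) for name, data in files.items()}


def false_positive_demo():
    """Show how an over-short pattern flags a harmless file (cf. False Positive).

    A four-byte definition lifted from a malware sample also appears in an
    ordinary SQL script, so the benign file is reported as infected.
    """
    short_definition = [("Too.Short", "pattern", b"DROP")]
    benign_sql = b"SELECT 1;\nDROP TABLE staging;\n"
    return scan_bytes(benign_sql, short_definition)


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name:20} {'CLEAN' if not hits else ', '.join(hits)}")
    print("false positive demo:", false_positive_demo())
```

The contrast with exact_modified.bin is the practical lesson behind the zero-day entry later in this glossary: a hash definition fails the moment the sample changes by one byte, a pattern definition survives small changes but must be long and specific enough not to fire on harmless files, and neither can recognise code that has never been seen before.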

Social Engineering

Attempts to exploit human behavior for cybercrime, such as leaving a virus-infected USB drive where a victim is likely to discover it and insert it into a target computer, or sending an email with a harmful link that claims to contain photographs of the victim.

Spyware

A type of malware that secretly records the user and transmits information to cybercriminals. Spyware can tap into microphones, webcams, and keyboards in order to capture potentially useful information. Many internet security tools offer protection against spyware.

Trojan

A type of malware that disguises itself as legitimate software. This includes rogue antivirus software or programs that pose as detection tools but are actually malware.

URL

A Uniform Resource Locator, typically referred to as a “web address,” is an alphanumeric domain name that makes it easy for users to access websites.

Virus

A cybersecurity threat that has the ability to replicate itself and spread to other computers. It relies on a host program to operate. The vast majority of viruses target Microsoft Windows.

VOIP

Voice Over IP (VOIP) is a technology for transmitting voice communications over the internet, used by platforms like Skype.

VPN

A Virtual Private Network allows users to tunnel and encrypt their internet traffic between their connection point and an intermediary server, often in another location. VPNs use encryption to secure connections over untrusted connection points like public WiFi spots and mask users’ true locations.

Whitelist

A parental control tool that allows users to manually specify URLs which the program will allow access to. This is typically used when the website would otherwise be blocked by category-based filtering.

Worm

A self-replicating malware that spreads between computers. Unlike computer viruses, network worms do not need a host program and can spread over any form of network connection between IP endpoints.

Zero-Day Attacks

An attack that exploits a flaw in software, hardware, or firmware that hasn’t been identified and patched yet. Because definitions haven’t been created to recognize it, zero-day attacks cannot be stopped by traditional signature-based scanning engines. Heuristic and behavior-based tools often advertise their ability to identify these exploits.

Now that you understand all of these terms, you’ll be better able to choose the best antivirus for your needs.

About the Author

Mercy Pilkington

Mercy Pilkington has been a tech industry news writer for nearly ten years. She regularly covers topics such as software, cybercrime, and digital innovation.