Post on 26-May-2020
User Guide (intended for product version 4.2 and higher)
Microsoft® Windows® 7 / Vista / XP / 2000 / 2003 / 2008
ESET Smart Security 4
Contents
1. ESET Smart Security 4 .... 4
1.1 What's new .... 4
1.2 System requirements .... 5
2. Installation .... 6
2.1 Typical installation .... 6
2.2 Custom installation .... 7
2.3 Using original settings .... 9
2.4 Entering Username and Password .... 9
2.5 On-demand computer scan .... 9
3. Beginner's guide .... 10
3.1 Introducing user interface design – modes .... 10
3.1.1 Checking operation of the system .... 10
3.1.2 What to do if the program doesn't work properly .... 10
3.2 Update setup .... 11
3.3 Trusted zone setup .... 11
3.4 Proxy server setup .... 12
3.5 Settings protection .... 12
4. Work with ESET Smart Security .... 13
4.1 Antivirus and antispyware protection .... 13
4.1.1 Real-time file system protection .... 13
4.1.1.1 Control setup .... 13
4.1.1.1.1 Media to scan .... 13
4.1.1.1.3 Advanced scan options .... 13
4.1.1.2 Cleaning levels .... 13
4.1.1.3 When to modify real-time protection configuration .... 14
4.1.1.4 Checking real-time protection .... 14
4.1.1.5 What to do if real-time protection does not work .... 14
4.1.2 Email client protection .... 14
4.1.2.1 POP3 checking .... 14
4.1.2.1.1 Compatibility .... 15
4.1.2.2 Integration with email clients .... 15
4.1.2.2.1 Appending tag messages to email body .... 15
4.1.2.3 Removing infiltrations .... 15
4.1.3 Web access protection .... 16
4.1.3.1 HTTP, HTTPs .... 16
4.1.3.1.1 Address management .... 16
4.1.3.1.2 Web browsers .... 16
4.1.4 On-demand computer scan .... 17
4.1.4.1 Type of scan .... 17
4.1.4.1.1 Smart scan .... 17
4.1.4.1.2 Custom scan .... 17
4.1.4.2 Scan targets .... 17
4.1.4.3 Scan profiles .... 17
4.1.5 Protocol filtering .... 18
4.1.5.1 SSL .... 18
4.1.5.1.1 Trusted certificates .... 18
4.1.5.1.2 Excluded certificates .... 18
4.1.6 ThreatSense engine parameters setup .... 18
4.1.6.1 Objects setup .... 19
4.1.6.2 Options .... 19
Copyright © 2010 by ESET, spol. s r. o.
ESET Smart Security 4 was developed by ESET, spol. s r. o. For more information visit www.eset.com. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author.
ESET, spol. s r. o. reserves the right to change any of the described application software without prior notice.
Customer Care Worldwide: www.eset.eu/support
Customer Care North America: www.eset.com/support
REV. 20100225-015
4.1.6.3 Cleaning .... 19
4.1.6.4 Extensions .... 20
4.1.6.5 Limits .... 20
4.1.6.6 Other .... 20
4.1.7 An infiltration is detected .... 20
4.2 Personal firewall .... 21
4.2.1 Filtering modes .... 21
4.2.2 Profiles .... 21
4.2.2.1 Profile management .... 21
4.2.3 Block all network traffic: disconnect network .... 22
4.2.4 Disable filtering: allow all traffic .... 22
4.2.5 Configuring and using rules .... 22
4.2.5.1 Creating a new rule .... 22
4.2.5.2 Editing rules .... 23
4.2.6 Configuring zones .... 23
4.2.6.1 Network authentication .... 23
4.2.6.1.1 Zone authentication - Client configuration .... 23
4.2.6.1.2 Zone authentication - Server configuration .... 24
4.2.7 Establishing connection – detection .... 25
4.2.8 Logging .... 25
4.3 Antispam protection .... 25
4.3.1 Self-learning Antispam .... 26
4.3.1.1 Adding addresses to whitelist and blacklist .... 26
4.3.1.2 Marking messages as spam .... 26
4.4 Updating the program .... 26
4.4.1 Update setup .... 27
4.4.1.1 Update profiles .... 27
4.4.1.2 Advanced update setup .... 27
4.4.1.2.1 Update mode .... 27
4.4.1.2.2 Proxy server .... 27
4.4.1.2.3 Connecting to the LAN .... 28
4.4.1.2.4 Creating update copies – Mirror .... 28
4.4.1.2.4.1 Updating from the Mirror .... 29
4.4.1.2.4.2 Troubleshooting Mirror update problems .... 30
4.4.2 How to create update tasks .... 30
4.5 Scheduler .... 30
4.5.1 Purpose of scheduling tasks .... 30
4.5.2 Creating new tasks .... 30
4.6 Quarantine .... 31
4.6.1 Quarantining files .... 31
4.6.2 Restoring from Quarantine .... 31
4.6.3 Submitting file from Quarantine .... 31
4.7 Log files .... 32
4.7.1 Log maintenance .... 32
4.8 User interface .... 32
4.8.1 Alerts and notifications .... 33
4.9 ThreatSense.Net .... 33
4.9.1 Suspicious files .... 34
4.9.2 Statistics .... 34
4.9.3 Submission .... 35
4.10 Remote administration .... 35
4.11 Licenses .... 35
5. Advanced user .... 36
5.2 Import and export settings .... 36
5.2.1 Import settings .... 36
5.2.2 Export settings .... 36
5.3 Command Line .... 36
5.4 ESET SysInspector .... 37
5.4.1 User Interface and application usage .... 37
5.4.1.1 Program Controls .... 37
5.4.1.2 Navigating in ESET SysInspector .... 38
5.4.1.3 Compare .... 38
5.4.1.4 SysInspector as part of ESET Smart Security 4 .... 39
5.4.1.5 Service script .... 39
5.4.1.5.1 Generating Service scripts .... 39
5.4.1.5.2 Structure of the Service script .... 39
5.4.1.5.3 How to execute Service scripts .... 41
5.5 ESET SysRescue .... 41
5.5.1 Minimum requirements .... 41
5.5.2 How to create rescue CD .... 41
5.5.2.1 Folders .... 41
5.5.2.2 ESET Antivirus .... 41
5.5.2.3 Advanced .... 41
5.5.2.4 Bootable USB device .... 42
5.5.2.5 Burn .... 42
5.5.3 Working with ESET SysRescue .... 42
5.5.3.1 Using ESET SysRescue .... 42
6. Glossary .... 43
6.1 Types of infiltration .... 43
6.1.1 Viruses .... 43
6.1.2 Worms .... 43
6.1.3 Trojan horses .... 43
6.1.4 Rootkits .... 43
6.1.5 Adware .... 43
6.1.6 Spyware .... 44
6.1.7 Potentially unsafe applications .... 44
6.1.8 Potentially unwanted applications .... 44
6.2 Types of remote attacks .... 44
6.2.1 DoS attacks .... 44
6.2.2 DNS Poisoning .... 44
6.2.3 Worm attacks .... 44
6.2.4 Port scanning .... 44
6.2.5 TCP desynchronization .... 44
6.2.6 SMB Relay .... 45
6.2.7 ICMP attacks .... 45
6.3 Email .... 45
6.3.1 Advertisements .... 45
6.3.2 Hoaxes .... 45
6.3.3 Phishing .... 45
6.3.4 Recognizing spam scams .... 45
6.3.4.1 Rules .... 46
6.3.4.1 Bayesian filter .... 46
6.3.4.2 Whitelist .... 46
6.3.4.3 Blacklist .... 46
6.3.4.5 Server-side control .... 46
1. ESET Smart Security 4
ESET Smart Security 4 is the first representative of a new approach to truly integrated computer security. It utilizes the speed and precision of ESET NOD32 Antivirus, which is guaranteed by the most recent version of the ThreatSense® scanning engine, combined with the tailor-made Personal firewall and Antispam modules. The result is an intelligent system that is constantly on alert for attacks and malicious software endangering your computer.
ESET Smart Security is not a clumsy conglomerate of various products in one package, as offered by other vendors. It is the result of a long-term effort to combine maximum protection with minimum system footprint. The advanced technologies, based on artificial intelligence, are capable of proactively eliminating infiltration by viruses, spyware, trojan horses, worms, adware, rootkits, and other Internet-borne attacks without hindering system performance or disrupting your computer.
1.1 What's new
The long-time development experience of our experts is demonstrated by the entirely new architecture of ESET Smart Security, which guarantees maximum detection with minimum system requirements. This robust security solution contains modules with several advanced options. The following list offers you a brief overview of these modules.
• Antivirus & antispyware
This module is built upon the ThreatSense® scanning engine, which was used for the first time in the award-winning NOD32 Antivirus system. ThreatSense® is optimized and improved with the new ESET Smart Security architecture.
Feature – Description
Improved Cleaning – The antivirus system now intelligently cleans and deletes most detected infiltrations without requiring user intervention.
Background Scanning Mode – Computer scanning can be launched in the background without slowing down performance.
Smaller Update Files – Core optimization processes keep the size of update files smaller than in version 2.7. Also, the protection of update files against damage has been improved.
Popular Email Client Protection – It is now possible to scan incoming email not only in Microsoft Outlook but also in Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.
Other Minor Improvements –
– Direct access to file systems for high speed and throughput.
– Blocked access to infected files.
– Optimization for the Windows Security Center, including Vista.
• Personal firewall
The Personal firewall monitors all traffic between a protected computer and other computers in the network. ESET Personal firewall contains the advanced functions listed below.
Feature – Description
Profiles – Profiles are a tool to control the behavior of the ESET Smart Security Personal firewall. Multiple profiles, that can have different rules assigned to them, enable users to easily alter the behavior of the Personal firewall.
Zone authentication – Allows users to identify the network they connect to and define an action (e.g. switching the firewall profile and blocking communication to the zone) based on this information.
Low Layer Network Communication Scanning – Network communication scanning on the Data Link Layer enables ESET Personal firewall to overcome a variety of attacks that would otherwise be undetectable.
IPv6 Support – ESET Personal firewall displays IPv6 addresses and allows users to create rules for them.
Executable File Monitoring – Monitoring changes in executable files in order to overcome infection. It is possible to allow file modification of signed applications.
File Scanning Integrated with HTTP(s) and POP3(s) – Integrated file scanning of HTTP(s) and POP3(s) application protocols. Users are protected when browsing the Internet or downloading emails.
Intrusion Detection System – Ability to recognize the character of network communication and various types of network attacks with an option to automatically ban such communication.
Interactive, Policy-based, Learning, Automatic and Automatic mode with exceptions – Users can select whether the Personal firewall actions will be executed automatically or if they want to set rules interactively. Communication in Policy-based mode is handled according to rules predefined by the user or the network administrator. Learning mode automatically creates and saves rules and is suitable for initial configuration of the firewall.
Supersedes Integrated Windows Firewall – Supersedes the Integrated Windows Firewall and interacts with the Windows Security Center to monitor security status. ESET Smart Security installation turns off the Windows firewall by default.
• Antispam
ESET Antispam filters unsolicited email and therefore increases the security and comfort of electronic communication.
Feature – Description
Incoming Mail Scoring – All incoming mail is assigned a rating from 0 (a message is not spam) to 100 (a message is spam) and filtered accordingly into the Junk Mail folder or into a custom folder created by the user. Parallel scanning of incoming email is possible.
Supports a Variety of Scanning Techniques –
– Bayes analysis.
– Rule-based scanning.
– Global fingerprint database check.
Full Integration with Email Clients – Antispam protection is available to users of Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird clients.
Manual Spam Selection is Available – Option to manually select or deselect email as spam.
• Others
Feature – Description
ESET SysRescue – ESET SysRescue enables the user to create a bootable CD/DVD/USB containing ESET Smart Security, which is capable of running independent of the operating system. It is best used to rid the system of hard-to-remove infiltrations.
ESET SysInspector – ESET SysInspector, an application that thoroughly inspects your computer, is now integrated directly in ESET Smart Security. If you contact our Customer Care Service using the Help and support > Customer Care support request (recommended) option, you can opt to include an ESET SysInspector status snapshot from your computer.
Document protection – The Document protection serves to scan Microsoft Office documents before they are opened and files downloaded automatically by Internet Explorer, such as Microsoft ActiveX elements.
Self Defense – The new Self Defense technology protects ESET Smart Security components against deactivation attempts.
User interface – The user interface is now capable of working in the non-graphical mode, which allows for keyboard control of ESET Smart Security. The increased compatibility with screen-reading applications lets sight-impaired people control the program more efficiently.
1.2 System requirements
For seamless operation of ESET Smart Security and ESET Smart Security Business Edition, your system should meet the following hardware and software requirements:
ESET Smart Security:
Windows 2000, XP – 400 MHz 32-bit/64-bit (x86/x64), 128 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)
Windows 7, Vista – 1 GHz 32-bit/64-bit (x86/x64), 512 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)
ESET Smart Security Business Edition:
Windows 2000, 2000 Server, XP, 2003 Server – 400 MHz 32-bit/64-bit (x86/x64), 128 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)
Windows 7, Vista, Windows Server 2008 – 1 GHz 32-bit/64-bit (x86/x64), 512 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)
2. Installation
After purchase, the ESET Smart Security installer can be downloaded from the ESET website. It comes as an ess_nt**_***.msi (ESET Smart Security) or essbe_nt**_***.msi (ESET Smart Security Business Edition) package. Launch the installer and the installation wizard will guide you through the basic setup. There are two types of installation available with different levels of setup details:
1. Typical installation
2. Custom installation
2.1 Typical installation
Typical installation provides configuration options appropriate for most users. The settings provide excellent security coupled with ease of use and high system performance. Typical installation is the default option and is recommended if you do not have particular requirements for specific settings.
After selecting the installation mode and clicking Next, you will be prompted to enter your username and password for automatic updates of the program. This plays a significant role in providing constant protection of your system.
Enter your Username and Password, i.e., the authentication data you received after the purchase or registration of the product, into the corresponding fields. If you do not currently have your username and password available, authentication data can be inserted at any time later on, from within the user interface.
The next step is configuration of the ThreatSense.Net Early Warning System. The ThreatSense.Net Early Warning System helps ensure that ESET is immediately and continuously informed about new infiltrations in order to quickly protect its customers. The system allows for submission of new threats to ESET's Threat Lab, where they are analyzed, processed and added to the virus signature database.
By default, the Enable ThreatSense.Net Early Warning System option is selected, which will activate this feature. Click Advanced setup... to modify detailed settings for the submission of suspicious files.
The next step in the installation process is to configure Detection of potentially unwanted applications. Potentially unwanted applications are not necessarily malicious, but can often negatively affect the behavior of your operating system.
These applications are often bundled with other programs and may be difficult to notice during the installation process. Although these applications usually display a notification during installation, they can easily be installed without your consent.
Select the Enable detection of potentially unwanted applications option to allow ESET Smart Security to detect this type of threat (recommended).
The final step in Typical installation mode is to confirm installation by clicking the Install button.
2.2 Custom installation
Custom installation is designed for users who have experience fine-tuning programs and who wish to modify advanced settings during installation.
After selecting the installation mode and clicking Next, you will be prompted to select a destination location for the installation. By default, the program installs in C:\Program Files\ESET\ESET Smart Security\. Click Browse… to change this location (not recommended).
Next, enter your Username and Password. This step is the same as in Typical installation (see section 2.1, “Typical installation”).
After entering your username and password, click Next to proceed to Configure your Internet connection.
If you use a proxy server, it must be correctly configured for virus signature updates to work correctly. If you do not know whether you use a proxy server to connect to the Internet, leave the default setting I am unsure if my Internet connection uses a proxy server. Use the same settings as Internet Explorer (Recommended) and click Next. If you do not use a proxy server, select the I do not use a proxy server option.
To configure your proxy server settings, select I use a proxy server and click Next. Enter the IP address or URL of your proxy server in the Address field. In the Port field, specify the port where the proxy server accepts connections (3128 by default). In the event that the proxy server requires authentication, enter a valid Username and Password to grant access to the proxy server. Proxy server settings can also be copied from Internet Explorer if desired. To do this, click Apply and confirm the selection.
Click Next to proceed to Configure automatic update settings. This step allows you to designate how automatic program component updates will be handled on your system. Click Change... to access the advanced settings.
If you do not want program components to be updated, select the Never update program components option. Select the Ask before downloading program components option to display a confirmation window before downloading program components. To download program component upgrades automatically, select the Always update program components option.
NOTE: After a program component update, a restart is usually required. We recommend selecting the If necessary, restart computer without notifying option.
The next installation window is the option to set a password to protect your program settings. Select the Protect configuration settings with a password option and choose a password to enter in the New password and Confirm new password fields.
The next two Custom installation steps, ThreatSense.Net Early Warning System and Detection of potentially unwanted applications, are the same as Typical installation (see section 2.1, “Typical installation”).
The final step in Custom installation is to select the Personal firewall filtering mode. Five modes are available:
• Automatic mode
• Automatic mode with exceptions (user-defined rules)
• Interactive mode
• Learning mode
• Policy-based mode
Automatic mode – Recommended for most users. All standard outgoing connections are enabled (automatically analyzed using predefined settings) and unsolicited incoming connections are automatically blocked.
Automatic mode with exceptions (user-defined rules) – In addition to the rules in Automatic mode, this mode enables you to add custom rules.
Interactive mode – This mode is suitable for advanced users. Communications are handled by user-defined rules. If there is no rule defined for a communication, ESET Smart Security prompts you to allow or deny the communication.
Policy-based mode – Evaluates communications based on predefined rules created by an administrator. If no rule is available, the connection is automatically blocked without a warning message. We recommend that you only select Policy-based mode if you are an administrator who intends to configure network communication.
Learning mode – Automatically creates and saves rules. No user interaction is required because ESET Smart Security saves rules according to predefined parameters. Learning mode is suitable for initial configuration of the Personal firewall and should only be used until all rules for required communications have been created.
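The five filtering modes differ only in what happens when a connection matches no rule. The model below is an added example written for this guide, not ESET code: the `Connection`, `Rule` and `PersonalFirewall` types, the `solicited` flag standing in for "reply to a connection this host opened", and the assumption that Learning mode records unseen connections as allowed are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Mode(Enum):
    AUTOMATIC = "automatic"
    AUTOMATIC_WITH_EXCEPTIONS = "automatic with exceptions"
    INTERACTIVE = "interactive"
    LEARNING = "learning"
    POLICY_BASED = "policy-based"


ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class Connection:
    """One connection attempt as the firewall sees it (constructed sample data)."""
    direction: str           # "in" or "out"
    protocol: str            # "tcp" or "udp"
    port: int                # local port for "in", remote port for "out"
    solicited: bool = False  # True for a reply to traffic this host initiated


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    port: Optional[int]      # None matches any port
    verdict: str

    def matches(self, c: Connection) -> bool:
        return (self.direction == c.direction and self.protocol == c.protocol
                and (self.port is None or self.port == c.port))


def first_match(rules: List[Rule], c: Connection) -> Optional[str]:
    """Rules are evaluated top to bottom; the first hit decides."""
    for r in rules:
        if r.matches(c):
            return r.verdict
    return None


@dataclass
class PersonalFirewall:
    mode: Mode
    user_rules: List[Rule] = field(default_factory=list)    # user-defined rules
    admin_rules: List[Rule] = field(default_factory=list)   # Policy-based mode rules
    learned_rules: List[Rule] = field(default_factory=list)
    # Interactive mode asks the user; a callback stands in for the allow/deny dialog.
    prompt: Callable[[Connection], str] = lambda c: BLOCK
    prompts_shown: int = 0

    def _automatic(self, c: Connection) -> str:
        # Standard outgoing connections are enabled; unsolicited incoming ones are blocked.
        return ALLOW if c.direction == "out" or c.solicited else BLOCK

    def decide(self, c: Connection) -> str:
        if self.mode is Mode.AUTOMATIC:
            return self._automatic(c)
        if self.mode is Mode.AUTOMATIC_WITH_EXCEPTIONS:
            v = first_match(self.user_rules, c)          # custom rules come first
            return v if v is not None else self._automatic(c)
        if self.mode is Mode.INTERACTIVE:
            v = first_match(self.user_rules, c)
            if v is None:                                # no rule: the user is asked
                self.prompts_shown += 1
                v = self.prompt(c)
            return v
        if self.mode is Mode.POLICY_BASED:
            v = first_match(self.admin_rules, c)
            return v if v is not None else BLOCK         # no rule: blocked, no prompt
        # Learning mode: anything not yet seen becomes a saved rule. Assumption: the
        # "predefined parameters" record it as allowed, which is why this mode should
        # only stay on until the required rules exist.
        v = first_match(self.learned_rules, c)
        if v is None:
            self.learned_rules.append(Rule(c.direction, c.protocol, c.port, ALLOW))
            v = ALLOW
        return v
```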
Click Install in the Ready to install window to complete installation.
2.3 Using original settings
If you reinstall ESET Smart Security, the Use current settings option will display. Select this option to transfer setup parameters from the original installation to the new one.
2.4 Entering Username and Password
For optimal functionality, it is important that the program is automatically updated. This is only possible if the correct username and password are entered in the Update setup.
If you did not enter your username and password during installation, you can do so now. From the main program window, click Update and then click Username and Password setup.... Enter the license data you received with your ESET security product into the License details window.
2.5 On-demand computer scan
After installing ESET Smart Security, a computer scan for malicious code should be performed. From the main program window, click Computer scan and then click Smart scan. For more information about On-demand computer scan, see section 4.1.4, “On-demand computer scan”.
3. Beginner's guide
This chapter provides an initial overview of ESET Smart Security and its basic settings.
3.1 Introducing user interface design – modes
The main program window of ESET Smart Security is divided into two main sections. The primary window on the right displays information that corresponds to the option selected from the main menu on the left.
The following is a description of options within the main menu:
Protection status – Provides information about the protection status of ESET Smart Security. If Advanced mode is activated, the Watch activity, Network connections and Statistics submenus will display.
Computer scan – Allows you to configure and launch an On-demand computer scan.
Update – Displays information about updates to the virus signature database.
Setup – Select this option to adjust your computer's security level. If Advanced mode is activated, the Antivirus and antispyware, Personal firewall, and Antispam module submenus will display.
Tools – Provides access to Log files, Quarantine, Scheduler and SysInspector. This option only displays in Advanced mode.
Help and support – Provides access to help files, the ESET Knowledgebase, ESET's website and links to open a Customer Care support request.
The ESET Smart Security user interface allows users to toggle between Standard and Advanced mode. To toggle between modes, click Change... in the bottom left corner of the main program window, or press CTRL+M on your keyboard.
Standard mode provides access to features required for common operations. It does not display any advanced options.
Toggling to Advanced mode adds the Tools option to the main menu. The Tools option allows you to access the submenus for Log files, Quarantine, Scheduler and SysInspector.
NOTE: All remaining instructions in this guide take place in Advanced mode.
3.1.1 Checking operation of the system
To view the Protection status, click the top option from the main menu. A status summary about the operation of ESET Smart Security will display in the primary window, and a submenu with three items will appear: Watch Activity, Network Connections and Statistics. Select any of these to view more detailed information about your system.
3.1.2 What to do if the program doesn't work properly
If the protection modules are enabled and working properly, a green check mark will display next to the name. If not, a red exclamation point or orange notification icon will display, and additional information about the module with a suggested solution will display in the upper part of the window. To change the status of individual modules, click Setup from the main menu and click the desired module.
If you are unable to solve a problem using the suggested solutions, click Help and support to access the help files or search the Knowledgebase. If you still need assistance, you can submit an ESET Customer Care support request. ESET Customer Care will respond quickly to your questions and help determine a resolution.
3.2 Update setup
Updating the virus signature database and updating program components are an important part of providing complete protection against malicious code. Please pay attention to their configuration and operation. From the main menu, select Update and then click Update virus signature database in the primary window to check for a newer database update. Username and Password setup... displays a dialog box where the username and password received at the time of purchase should be entered.
If the username and password were entered during installation of ESET Smart Security, you will not be prompted for them at this point.
The Advanced Setup window (click Setup from the main menu and then click Enter entire advanced setup tree..., or press F5 on your keyboard) contains additional update options. Click Update from the Advanced Setup tree. The Update server: drop-down menu should be set to Choose automatically. To configure advanced update options such as the update mode, proxy server access, LAN connections and creating virus signature copies (ESET Smart Security Business Edition), click the Setup... button.
3.3 Trusted zone setup
Trusted zone configuration is necessary to protect your computer in a network environment. You can allow other users to access your computer by configuring the Trusted zone to allow sharing. Click Setup > Personal firewall > Change the protection mode of your computer in the network.... A window will display allowing you to choose the desired protection mode of your computer in the network.
Trusted zone detection occurs after ESET Smart Security installation and whenever your computer connects to a new network. Therefore, there is usually no need to define the Trusted zone. By default, a dialog window displays upon detection of a new zone which allows you to set the protection level for that zone.
Warning: An incorrect trusted zone configuration may pose a security risk to your computer.
NOTE: By default, workstations from a Trusted zone are granted access to shared files and printers, have incoming RPC communication enabled, and also have remote desktop sharing available.
3.4 Proxy server setup
If you use a proxy server to control Internet connections, it must be specified in Advanced Setup. To access the Proxy server configuration window, press F5 to open the Advanced Setup window and click Miscellaneous > Proxy server from the Advanced Setup tree. Select the Use proxy server option, and then fill in the Proxy server (IP address) and Port fields. If needed, select the Proxy server requires authentication option and then enter the Username and Password.
If this information is not available, you can try to automatically detect proxy server settings by clicking the Detect proxy server button.
NOTE: Proxy server options for various update profiles may differ. If this is the case, configure the different update profiles in Advanced Setup by clicking Update from the Advanced Setup tree.
3.5 Settings protection
ESET Smart Security settings can be very important for your organization's security. Unauthorized modifications can endanger network stability and protection. To password protect the settings, from the main menu click Setup > Enter entire advanced setup tree... > User interface > Access setup, select the Password protect settings option and click the Set password... button.
Enter a password in the New password and Confirm new password fields and click OK. This password will be required for any future modifications to ESET Smart Security settings.
4. Work with ESET Smart Security
4.1 Antivirus and antispyware protection
Antivirus protection guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by first blocking it, and then cleaning, deleting or moving it to quarantine.
4.1.1 Real-time file system protection
Real-time file system protection controls all antivirus-related events in the system. All files are scanned for malicious code at the moment they are opened, created or run on your computer. Real-time file system protection is launched at system startup.
4.1.1.1 Control setup
The Real-time file system protection checks all types of media, and control is triggered by various events. Using ThreatSense technology detection methods (as described in section 4.1.6, “ThreatSense engine parameter setup”), real-time file system protection may vary for newly created files and existing files. For newly created files, it is possible to apply a deeper level of control.
To provide the minimum system footprint when using real-time protection, files which have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each virus signature database update. This behavior is configured using Smart optimization. If this is disabled, all files are scanned each time they are accessed. To modify this option, open the Advanced Setup window and click Antivirus and antispyware > Real-time file system protection from the Advanced Setup tree. Then click the Setup... button next to ThreatSense engine parameter setup, click Other and select or deselect the Enable Smart optimization option.
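The Smart optimization rule above (skip an unchanged file that was already scanned, rescan everything once after a signature database update, scan on every access when the option is off) is a small cache-invalidation problem. The model below is an added example written for this guide, not ESET code: `RealTimeProtection`, `File` and `simulate` are constructed names, the file contents and paths are sample data, and it assumes modification is detected by content digest rather than by timestamp.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class File:
    """A file on disk; constructed sample data for the demonstration."""
    path: str
    content: bytes


@dataclass
class RealTimeProtection:
    smart_optimization: bool = True
    signature_db_version: int = 1
    # Cache: path -> (content digest, signature DB version the file was last scanned with).
    # Assumption: a change in digest is what counts as "modified".
    _scanned: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    scans_performed: int = 0

    @staticmethod
    def _digest(f: File) -> str:
        return hashlib.sha256(f.content).hexdigest()

    def needs_scan(self, f: File) -> bool:
        """Decide whether an access to f must trigger a scan."""
        if not self.smart_optimization:
            return True                          # option off: scan on every access
        entry = self._scanned.get(f.path)
        if entry is None:
            return True                          # never scanned before
        digest, version = entry
        if digest != self._digest(f):
            return True                          # modified since the last scan
        return version != self.signature_db_version  # rescan after a signature update

    def on_access(self, f: File) -> bool:
        """Called on open/create/execute; returns True when a scan was run."""
        if not self.needs_scan(f):
            return False
        self.scans_performed += 1                # stand-in for the ThreatSense scan
        self._scanned[f.path] = (self._digest(f), self.signature_db_version)
        return True

    def update_signature_database(self) -> None:
        self.signature_db_version += 1           # invalidates every cached entry at once


def simulate(smart_optimization: bool) -> int:
    """Run one access pattern with or without Smart optimization; return scans performed."""
    rtp = RealTimeProtection(smart_optimization=smart_optimization)
    report = File(r"C:\Users\alice\report.docx", b"quarterly numbers")
    tool = File(r"C:\Tools\setup.exe", b"MZ\x90\x00 installer bytes")
    rtp.on_access(report)            # first open: scanned
    rtp.on_access(report)            # reopened, unchanged: skipped when optimized
    rtp.on_access(tool)              # first run: scanned
    tool.content += b" patched"      # the file changed on disk
    rtp.on_access(tool)              # modified: scanned again
    rtp.update_signature_database()
    rtp.on_access(report)            # new signatures: scanned once more
    rtp.on_access(report)            # unchanged since then: skipped when optimized
    return rtp.scans_performed
```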
By default, Real-time protection launches at system startup and provides uninterrupted scanning. In special cases (e.g., if there is a conflict with another Real-time scanner), the real-time protection can be terminated by deselecting the Start Real-time file system protection automatically option.
4.1.1.1.1 Media to scan
By default, all types of media are scanned for potential threats.
Local drives – Controls all system hard drives
Removable media – Diskettes, USB storage devices, etc.
Network drives – Scans all mapped drives
We recommend that you keep the default settings and only modify them in specific cases, such as when scanning certain media significantly slows data transfers.
4.1.1.1.2 Scan on (Event-triggered scanning)
By default, all files are scanned upon opening, creation or execution. We recommend that you keep the default settings, as these provide the maximum level of real-time protection for your computer.
The Diskette access option provides control of the diskette boot sector when this drive is accessed. The Computer shutdown option provides control of the hard disk boot sectors during computer shutdown. Although boot viruses are rare today, we recommend that you leave these options enabled, as there is still the possibility of infection by a boot virus from alternate sources.
4.1.1.1.3 Advanced scan options
More detailed setup options can be found under Antivirus and antispyware > Real-time system protection > Advanced setup.
Additional ThreatSense parameters for newly created and modified files – The probability of infection in newly-created or modified files is comparatively higher than in existing files. That is why the program checks these files with additional scanning parameters. Along with common signature-based scanning methods, advanced heuristics are used, which greatly improves detection rates. In addition to newly-created files, scanning is also performed on self-extracting files (.sfx) and runtime packers (internally compressed executable files). By default, archives are scanned up to the 10th nesting level and are checked regardless of their actual size. To modify archive scan settings, deselect the Default archive scan settings option.
Additional ThreatSense parameters for executed files – By default, advanced heuristics are not used when files are executed. However, in some cases you may want to enable this option (by checking the Advanced heuristics on file execution option). Note that advanced heuristics may slow the execution of some programs due to increased system requirements.
4.1.1.2 Cleaning levels
The real-time protection has three cleaning levels (to access, click the Setup... button in the Real-time file system protection section and then click the Cleaning branch).
• The first level displays an alert window with available options for each infiltration found. You must choose an action for each infiltration individually. This level is designed for more advanced users who know which steps to take in the event of an infiltration.
• The default level automatically chooses and performs a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by an information message located in the bottom right corner of the screen. However, an automatic action is not performed if the infiltration is located within an archive which also contains clean files, and it is not performed on objects for which there is no predefined action.
• The third level is the most "aggressive" – all infected objects are cleaned. As this level could potentially result in the loss of valid files, we recommend that it be used only in specific situations.
4.1.1.3 When to modify real-time protection configuration
Real-time protection is the most essential component of maintaining a secure system. Therefore, please be careful when modifying its parameters. We recommend that you only modify its parameters in specific cases, for example, if there is a conflict with a certain application or the real-time scanner of another antivirus program.
After installation of ESET Smart Security, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottom-right of the Real-time file system protection window (Advanced Setup > Antivirus and antispyware > Real-time file system protection).
4.1.1.4 Checking real-time protection
To verify that real-time protection is working and detecting viruses, use a test file from eicar.com. This test file is a special harmless file detectable by all antivirus programs. The file was created by the EICAR company (European Institute for Computer Antivirus Research) to test the functionality of antivirus programs. The file eicar.com is available for download at http://www.eicar.org/download/eicar.com
NOTE: Before performing a real-time protection check, it is necessary to disable the firewall. If the firewall is enabled, it will detect the file and prevent test files from downloading.
4.1.1.5 What to do if real-time protection does not work
In the next chapter, we describe problem situations that may arise when using real-time protection, and how to troubleshoot them.
Real-time protection is disabled
If real-time protection was inadvertently disabled by a user, it needs to be reactivated. To reactivate real-time protection, navigate to Setup > Antivirus and antispyware and click Enable in the Real-time file system protection section of the main program window.
If real-time protection is not initiated at system startup, it is probably due to the disabled option Automatic real-time file system protection startup. To enable this option, navigate to Advanced Setup (F5) and click Real-time file system protection in the Advanced Setup tree. In the Advanced setup section at the bottom of the window, make sure that the Automatic real-time file system protection startup checkbox is selected.
If Real-time protection does not detect and clean infiltrations
Make sure that no other antivirus programs are installed on your computer. If two real-time protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs on your system.
Real-time protection does not start
If real-time protection is not initiated at system startup (and the Automatic real-time file system protection startup option is enabled), it may be due to conflicts with other programs. If this is the case, please consult ESET's Customer Care specialists.
4.1.2 Email client protection
Email protection provides control of email communication received through the POP3 protocol. Using the plug-in program for Microsoft Outlook, ESET Smart Security provides control of all communications from the email client (POP3, MAPI, IMAP, HTTP). When examining incoming messages, the program uses all advanced scanning methods provided by the ThreatSense scanning engine. This means that detection of malicious programs takes place even before being matched against the virus signature database. Scanning of POP3 protocol communications is independent of the email client used.
4.1.2.1 POP3 checking
The POP3 protocol is the most widespread protocol used to receive email communication in an email client application. ESET Smart Security provides protection for this protocol regardless of the email client used.
The protection module providing this control is automatically initiated at system startup and is then active in memory. For the module to work correctly, please make sure it is enabled – POP3 checking is performed automatically with no need for reconfiguration of the email client. By default, all communication on port 110 is scanned, but other communication ports can be added if necessary. Port numbers must be delimited by a comma.
Encrypted communication is not controlled.
4.1.2.1.1 Compatibility
Certain email programs may experience problems with POP3 filtering (e.g., if receiving messages with a slow Internet connection, timeouts may occur due to checking). If this is the case, try modifying the way control is performed. Decreasing the control level may improve the speed of the cleaning process. To adjust the control level of POP3 filtering, from the Advanced Setup tree, navigate to Antivirus and antispyware > Email protection > POP3, POP3s > Compatibility.
If Maximum efficiency is enabled, infiltrations are removed from infected messages and information about the infiltration is inserted before the original email subject (the options Delete or Clean must be activated, or Strict or Default cleaning level must be enabled).
Medium compatibility modifies the way messages are received. Messages are gradually sent to the email client – after the last part of the message is transferred, it will be scanned for infiltrations. However, the risk of infection increases with this level of control. The level of cleaning and the handling of tag messages (notification alerts which are appended to the subject line and body of emails) is identical to the maximum efficiency setting.
With the Maximum compatibility level, you are warned by an alert window which reports the receipt of an infected message. No information about infected files is added to the subject line or to the email body of delivered messages and infiltrations are not automatically removed – you must delete infiltrations from the email client.
4.1.2.2 Integration with email clients
Integration of ESET Smart Security with email clients increases the level of active protection against malicious code in email messages. If your email client is supported, this integration can be enabled in ESET Smart Security. If integration is activated, the ESET Smart Security Antispam toolbar is inserted directly into the email client, allowing for more efficient email protection. The integration settings are available through Setup > Enter entire advanced setup tree… > Miscellaneous > Email client integration. Email client integration allows you to activate integration with supported email clients. Email clients that are currently supported include Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.
Select the Disable checking upon inbox content change option if you are experiencing a system slowdown when working with your email client. Such a situation may take place when downloading email from Kerio Outlook Connector Store.
Email protection is activated by clicking Setup > Enter entire advanced setup tree… > Antivirus and antispyware > Email client protection and selecting the Enable email client protection option.
4.1.2.2.1 Appending tag messages to email body
Each email scanned by ESET Smart Security can be marked by appending a tag message to the subject or email body. This feature increases the level of credibility for the recipient and, if an infiltration is detected, it provides valuable information about the threat level of a given email or sender.
The options for this functionality are available through Advanced setup > Antivirus and antispyware > Email client protection. You can select to Append tag messages to received and read mail, as well as Append tag messages to sent mail. You also have the ability to decide whether tag messages are appended to all scanned email, to infected email only, or not at all.
ESET Smart Security also allows you to append messages to the original subject of infected messages. To enable appending to the subject, select both the Append note to the subject of received and read infected email and Append note to the subject of sent infected email options.
The content of notifications can be modified in the Template added to the subject of infected email field. The above-mentioned modifications can help automate the process of filtering infected email, as they allow you to filter email with a specific subject (if supported in your email client) to a separate folder.
4.1.2.3 Removing infiltrations
If an infected email message is received, an alert window will display. The alert window shows the sender name, email and the name of the infiltration. In the lower part of the window the options Clean, Delete or Leave are available for the detected object. In almost all cases, we recommend that you select either Clean or Delete. In certain situations, if you wish to receive the infected file, select Leave. If Strict cleaning is enabled, an information window with no options available for infected objects will be displayed.
4.1.3 Web access protection
Internet connectivity is a standard feature in a personal computer. Unfortunately, it has also become the main medium for transferring malicious code. Because of this, it is essential that you carefully consider your Web access protection. We strongly recommend that the Enable web access protection option is selected. This option is located in Advanced Setup (F5) > Antivirus and antispyware > Web access protection.
4.1.3.1 HTTP, HTTPs
Web access protection works by monitoring communication between Internet browsers and remote servers, and complies with HTTP (Hypertext Transfer Protocol) and HTTPs (encrypted communication) rules. By default, ESET Smart Security is configured to use the standards of most Internet browsers. However, the HTTP scanner setup options can be modified in Advanced Setup (F5) > Antivirus and antispyware > Web access protection > HTTP, HTTPs. In the main HTTP filter window, you can select or deselect the Enable HTTP checking option. You can also define the port numbers used for HTTP communication. By default, the port numbers 80, 8080 and 3128 are predefined. HTTPs checking can be performed in the following modes:
Do not use HTTPs protocol checking – Encrypted communication will not be checked
Use HTTPs protocol checking for selected ports – HTTPs checking only for ports defined in Ports used by HTTPs protocol
Use HTTPs protocol checking for applications marked as Internet browsers that use selected ports – Only check applications that are specified in the browsers section and use ports defined in Ports used by HTTPs protocol.
4.1.3.1.1 Address management
This section enables you to specify HTTP addresses to block, allow or exclude from checking. The buttons Add, Edit, Remove and Export are used to manage the lists of addresses. Websites in the list of blocked addresses will not be accessible. Websites in the list of excluded addresses are accessed without being scanned for malicious code. If you select the Allow access only to HTTP addresses in the list of allowed addresses option, only addresses present in the list of allowed addresses will be accessible, while all other HTTP addresses will be blocked.
In all lists, the special symbols * (asterisk) and ? (question mark) can be used. The asterisk substitutes any character string, and the question mark substitutes any symbol. Particular care should be taken when specifying excluded addresses, because the list should only contain trusted and safe addresses. Similarly, it is necessary to ensure that the symbols * and ? are used correctly in this list. To activate a list, select the List active option. If you wish to be notified when entering an address from the current list, select the Notify when applying address from the list option.
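The three address lists and their * / ? wildcards, as an added example (not ESET's code) that also includes a check for over-broad entries in the excluded list, which is the mistake the paragraph above warns about. The evaluation order (blocked list consulted first) and the sample addresses, which use reserved example domains, are assumptions made here; the guide does not state the order.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Added example, not ESET's code. Models the address lists described in the guide:
# blocked, allowed and excluded addresses with '*' (any string) and '?' (any single
# symbol) wildcards. Checking the blocked list first is an assumption made here.


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a list entry into an anchored regex. Everything except '*' and '?'
    is matched literally, so '.' in 'example.com' does not become a regex wildcard."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def matches_any(address: str, patterns: List[str]) -> bool:
    return any(wildcard_to_regex(p).match(address) for p in patterns)


def is_too_broad(pattern: str) -> bool:
    """Flag an entry that would also match an unrelated host: such an entry in the
    excluded list exempts traffic the author never intended to trust."""
    probe = "unrelated-host.invalid/some/path"   # constructed, never a real site
    return wildcard_to_regex(pattern).match(probe) is not None


@dataclass
class AddressLists:
    blocked: List[str] = field(default_factory=list)
    allowed: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)
    # "Allow access only to HTTP addresses in the list of allowed addresses"
    allow_only_listed: bool = False

    def decide(self, address: str) -> str:
        """Return 'block', 'allow-unscanned' or 'allow-scanned' for one HTTP address."""
        if matches_any(address, self.blocked):
            return "block"                   # blocked addresses are not accessible
        if self.allow_only_listed and not matches_any(address, self.allowed):
            return "block"                   # whitelist mode: everything unlisted is blocked
        if matches_any(address, self.excluded):
            return "allow-unscanned"         # excluded: fetched without malware scanning
        return "allow-scanned"


def risky_exclusions(lists: AddressLists) -> List[str]:
    """Entries in the excluded list that also match unrelated hosts (review these first)."""
    return [p for p in lists.excluded if is_too_broad(p)]


# Constructed lists using reserved example domains.
LISTS = AddressLists(
    blocked=["*.ads.example.net/*"],
    allowed=["intranet.example/*", "*.example.com/*"],
    excluded=["updates.example.com/*"],
)

if __name__ == "__main__":
    for addr in ("banner.ads.example.net/x.gif", "updates.example.com/patch.exe",
                 "www.example.com/index.html"):
        print(addr, "->", LISTS.decide(addr))
    print(risky_exclusions(AddressLists(excluded=["*", "updates.example.com/*"])))  # ['*']
```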
4.1.3.1.2 Web browsers
ESET Smart Security also contains the Web browsers feature, which allows you to define whether the given application is a browser or not. If an application is marked as a browser, all communication from this application is monitored regardless of the port numbers involved.
The Web browsers feature complements the HTTP checking feature, as HTTP checking only takes place on predefined ports. However, many Internet services utilize changing or unknown port numbers. To account for this, the Web browser feature can establish control of port communications regardless of the connection parameters.
The list of applications marked as web browsers is accessible directly from the Web browsers submenu of the HTTP branch. This section also contains the Active mode submenu, which defines the checking mode for Internet browsers.
Active mode is useful because it examines transferred data as a whole. If it is not enabled, communication of applications is monitored gradually in batches. This decreases the effectiveness of the data verification process, but also provides higher compatibility for listed applications. If no problems occur while using it, we recommend that you enable active checking mode by selecting the checkbox next to the desired application.
4.1.4 On-demand computer scan
If you suspect that your computer is infected (it behaves abnormally), run an On-demand computer scan to examine your computer for infiltrations. From a security point of view, it is essential that computer scans are not just run when an infection is suspected, but regularly as part of routine security measures. Regular scanning can detect infiltrations that were not detected by the real-time scanner when they were saved to the disk. This can happen if the real-time scanner was disabled at the time of infection, or if the virus signature database is not up-to-date.
We recommend that you run an On-demand computer scan at least once a month. Scanning can be configured as a scheduled task from Tools > Scheduler.
4.1.4.1 Type of scan
Two types of On-demand computer scan are available. Smart scan quickly scans the system with no need for further configuration of the scan parameters. Custom scan… allows you to select any of the predefined scan profiles, as well as choose specific scan targets.
4.1.4.1.1 Smart scan
Smart scan allows you to quickly launch a computer scan and clean infected files with no need for user intervention. Its main advantage is easy operation with no detailed scanning configuration. Smart scan checks all files on local drives and automatically cleans or deletes detected infiltrations. The cleaning level is automatically set to the default value. For more detailed information on types of cleaning, see section 4.1.6.3, "Cleaning".
4.1.4.1.2 Custom scan
Custom scan is an optimal solution if you wish to specify scanning parameters such as scan targets and scanning methods. The advantage of Custom scan is the ability to configure the parameters in detail. The configurations can be saved to user-defined scan profiles, which can be useful if scanning is repeatedly performed with the same parameters.
To select scan targets, select Computer scan > Custom scan and select an option from the Scan targets drop-down menu or select specific targets from the tree structure. A scan target can also be more precisely specified by entering the path to the folder or file(s) you wish to include. If you are only interested in scanning the system without additional cleaning actions, select the Scan without cleaning option. Furthermore, you can choose from three cleaning levels by clicking Setup... > Cleaning.
Performing computer scans with Custom scan is suitable for advanced users with previous experience using antivirus programs.
4.1.4.2 Scan targets
The Scan targets drop-down menu allows you to select files, folders and devices (disks) to be scanned for viruses.
By profile settings – Selects targets set in the selected scan profile
Removable media – Selects diskettes, USB storage devices, CD/DVD
Local drives – Selects all system hard drives
Network drives – Selects all mapped drives
No selection – Cancels all selections
4.1.4.3 Scan profiles
Your preferred scan parameters can be saved for future scanning. We recommend that you create a different profile (with various scan targets, scan methods and other parameters) for each regularly used scan.
To create a new profile, open the Advanced Setup window (F5) and click On-demand computer scan > Profiles... The Configuration profiles window has a drop-down menu of existing scan profiles and the option to create a new one. To help you create a scan profile to fit your needs, see section 4.1.6, "ThreatSense engine parameters setup" for a description of each parameter of the scan setup.
Example: Suppose that you want to create your own scan profile and the Smart scan configuration is partially suitable, but you don't want to scan runtime packers or potentially unsafe applications and you also want to apply Strict cleaning. From the Configuration profiles window, click the Add... button. Enter the name of your new profile in the Profile name field, and select Smart scan from the Copy settings from profile: drop-down menu. Then adjust the remaining parameters to meet your requirements.
4.1.5 Protocol filtering
Antivirus protection for the application protocols POP3 and HTTP is provided by the ThreatSense scanning engine, which seamlessly integrates all advanced malware scanning techniques. The control works automatically regardless of the Internet browser or email client used. The following options are available for protocol filtering (if the Enable application protocol content filtering option is selected):
HTTP and POP3 ports – Limits scanning of communication to known HTTP and POP3 ports.
Applications marked as Internet browsers and email clients – Enable this option to only filter communication of applications marked as browsers (Web access protection > HTTP, HTTPS > Web browsers) and email clients (Email client protection > POP3, POP3s > Email clients).
Ports and applications marked as Internet browsers or email clients – Both ports and browsers are checked for malware.
NOTE: Starting with Windows Vista Service Pack 1 and Windows Server 2008, a new communication filtering method is used. As a result, the Protocol filtering section is not available.
4.1.5.1 SSL
ESET Smart Security enables you to check protocols encapsulated in the SSL protocol. You can use various scanning modes for SSL protected communications using trusted certificates, unknown certificates, or certificates that are excluded from SSL-protected communication checking.
Always scan SSL protocol – Select this option to scan all SSL protected communications except communications protected by certificates excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified about the fact and the communication will automatically be filtered. When you access a server with an untrusted certificate that is marked by you as trusted (it is added to the trusted certificates list), communication to the server is allowed and the content of the communication channel is filtered.
Ask about non-visited sites (exclusions can be set) – If you enter a new SSL protected site (with an unknown certificate), an action selection dialog is displayed. This mode enables you to create a list of SSL certificates that will be excluded from scanning.
Do not scan SSL protocol – If selected, the program will not scan communications over SSL.
If the certificate cannot be verified using the Trusted Root Certification Authorities store (Protocol filtering > SSL > Certificates):
Ask about certificate validity – Prompts you to select an action to take.
Block communication that uses the certificate – Terminates the connection to the site that uses the certificate.
If the certificate is invalid or corrupt (Protocol filtering > SSL > Certificates):
Ask about certificate validity – Prompts you to select an action to take.
Block communication that uses the certificate – Terminates the connection to the site that uses the certificate.
4.1.5.1.1 Trusted certificates
In addition to the integrated Trusted Root Certification Authorities store, where ESET Smart Security stores trusted certificates, you can create a custom list of trusted certificates that can be viewed in Advanced Setup (F5) > Protocol filtering > SSL > Certificates > Trusted certificates.
4.1.5.1.2 Excluded certificates
The Excluded certificates section contains certificates that are considered to be safe. The program will not check the content of encrypted communications which use certificates in this list. We recommend installing only those web certificates which are guaranteed to be safe and have no need for content filtering.
4.1.6 ThreatSense engine parameters setup
ThreatSense is the name of the technology consisting of complex threat detection methods. This technology is proactive, which means it also provides protection during the early hours of the spread of a new threat. It uses a combination of several methods (code analysis, code emulation, generic signatures, virus signatures) which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing the efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.
The ThreatSense technology setup options allow you to specify several scan parameters:
• File types and extensions that are to be scanned
• The combination of various detection methods
• Levels of cleaning, etc.
To enter the setup window, click the Setup... button located in any module's setup window which uses ThreatSense technology (see below). Different security scenarios could require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:
• Real-time file system protection
• System startup file check
• Email protection
• Web access protection
• On-demand computer scan
The ThreatSense parameters are highly optimized for each module, and their modification can significantly influence system operation. For example, changing parameters to always scan runtime packers, or enabling advanced heuristics in the real-time file system protection module could result in a system slow-down (normally, only newly-created files are scanned using these methods). Therefore, we recommend that you leave the default ThreatSense parameters unchanged for all modules except On-demand computer scan.
4.1.6.1 Objects setup
The Objects section allows you to define which computer components and files will be scanned for infiltrations.
Operating memory – Scans for threats that attack the operating memory of the system.
Boot sectors – Scans boot sectors for the presence of viruses in the master boot record.
Files – Provides scanning of all common file types (programs, pictures, audio, video files, database files, etc.).
Email files – Scans special files where email messages are contained.
Archives – Provides scanning of files compressed in archives (.rar, .zip, .arj, .tar, etc.).
Self-extracting archives – Scans files which are contained in self-extracting archive files, but typically presented with an .exe file extension.
Runtime packers – Runtime packers (unlike standard archive types) decompress in memory, in addition to standard static packers (UPX, yoda, ASPack, FGS, etc.).
4.1.6.2 Options
In the Options section, you can select the methods to be used when scanning the system for infiltrations. The following options are available:
Signatures – Signatures can exactly and reliably detect and identify infiltrations by their name using virus signatures.
Heuristics – Heuristics use an algorithm that analyses the (malicious) activity of programs. The main advantage of heuristic detection is the ability to detect new malicious software which did not previously exist, or was not included in the list of known viruses (virus signatures database).
Advanced heuristics – Advanced heuristics comprise a unique heuristic algorithm, developed by ESET, optimized for detecting computer worms and trojan horses written in high-level programming languages. Due to advanced heuristics, the detection intelligence of the program is significantly higher.
Adware/Spyware/Riskware – This category includes software which collects various sensitive information about users without their informed consent. This category also includes software which displays advertising material.
Potentially unwanted applications – Potentially unwanted applications are not necessarily intended to be malicious, but may affect the performance of your computer in a negative way. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (compared to the state before their installation). The most significant changes include unwanted pop-up windows, activation and running of hidden processes, increased usage of system resources, changes in search results, and applications communicating with remote servers.
Potentially unsafe applications – Potentially unsafe applications is the classification used for commercial, legitimate software. It includes programs such as remote access tools, which is why this option is disabled by default.
4.1.6.3 Cleaning
The cleaning settings determine the behavior of the scanner during the cleaning of infected files. There are 3 levels of cleaning:
No cleaning – Infected files are not cleaned automatically. The program will display a warning window and allow you to choose an action.
Standard cleaning – The program will attempt to automatically clean or delete an infected file. If it is not possible to select the correct action automatically, the program will offer a choice of follow-up actions. The choice of follow-up actions will also be displayed if a predefined action could not be completed.
Strict cleaning – The program will clean or delete all infected files (including archives). The only exceptions are system files. If it is not possible to clean them, you will be offered an action to take in a warning window.
Warning: In the Default mode, the entire archive file is deleted only if all files in the archive are infected. If the archive also contains legitimate files, it will not be deleted. If an infected archive file is detected in Strict cleaning mode, the entire archive will be deleted, even if clean files are present.
4.1.6.4 Extensions
An extension is part of the file name delimited by a period. The extension defines the type and content of the file. This section of the ThreatSense parameter setup lets you define the types of files to scan.
By default, all files are scanned regardless of their extension. Any extension can be added to the list of files excluded from scanning. If the Scan all files option is deselected, the list changes to show all currently scanned file extensions. Using the Add and Remove buttons, you can enable or prohibit scanning of desired extensions.
To enable scanning of files with no extension, select the Scan extensionless files option.
Excluding files from scanning is sometimes necessary if scanning certain file types prevents the program which is using the extensions from running properly. For example, it may be advisable to exclude the .edb, .eml and .tmp extensions when using Microsoft Exchange servers.
4.1.6.5 Limits
The Limits section allows you to specify the maximum size of objects and levels of nested archives to be scanned:
Maximum object size: – Defines the maximum size of objects to be scanned. The given antivirus module will then scan only objects smaller than the size specified. We do not recommend changing the default value, as there is usually no reason to modify it. This option should only be changed by advanced users who have specific reasons for excluding larger objects from scanning.
Maximum scan time for object (sec.): – Defines the maximum time value for scanning an object. If a user-defined value has been entered here, the antivirus module will stop scanning an object when that time has elapsed, regardless of whether the scan has finished.
Archive nesting level: – Specifies the maximum depth of archive scanning. We do not recommend changing the default value of 10; under normal circumstances, there should be no reason to modify it. If scanning is prematurely terminated due to the number of nested archives, the archive will remain unchecked.
Maximum size of file in archive: – This option allows you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. If scanning of an archive is prematurely terminated for that reason, the archive will remain unchecked.
4.1.6.6 Other
Scan alternate data streams (ADS) – Alternate data streams (ADS) used by the NTFS file system are file and folder associations which are invisible from ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternate data streams.
Run background scans with low priority – Each scanning sequence consumes a certain amount of system resources. If you work with programs that place a high load on system resources, you can activate low priority background scanning and save resources for your applications.
Log all objects – If this option is selected, the log file will show all the scanned files, even those not infected.
Enable Smart optimization – Select this option so that files which have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each virus signature database update.
Preserve last access timestamp – Select this option to keep the original access time of scanned files instead of updating it (e.g., for use with data backup systems).
Scroll log – This option allows you to enable/disable log scrolling. If selected, information scrolls upwards within the display window.
Display notification about scan completion in a separate window – Opens a standalone window containing information about scan results.
4.1.7 An infiltration is detected
Infiltrations can reach the system from various entry points: web pages, shared folders, via email or from removable computer devices (USB, external disks, CDs, DVDs, diskettes, etc.).
If your computer is showing signs of malware infection, e.g., it is slower, often freezes, etc., we recommend that you do the following:
• Open ESET Smart Security and click Computer scan
• Click Smart scan (for more information, see section 4.1.4.1.1, "Smart scan")
• After the scan has finished, review the log for the number of scanned, infected and cleaned files.
If you only wish to scan a certain part of your disk, click Custom scan and select targets to be scanned for viruses.
As a general example of how infiltrations are handled in ESET Smart Security, suppose that an infiltration is detected by the real-time file system monitor, which uses the Default cleaning level. It will attempt to clean or delete the file. If there is no predefined action to take for the real-time protection module, you will be asked to select an option in an alert window. Usually, the options Clean, Delete and Leave are available. Selecting Leave is not recommended, since the infected file(s) would be left untouched. The exception to this is when you are sure that the file is harmless and has been detected by mistake.
Cleaning and deleting – Apply cleaning if a file has been attacked by a virus which has attached malicious code to the file. If this is the case, first attempt to clean the infected file in order to restore it to its original state. If the file consists exclusively of malicious code, it will be deleted.
If an infected file is "locked" or in use by a system process, it will usually only be deleted after it is released (normally after a system restart).
Deleting files in archives – In the Default cleaning mode, the entire archive will be deleted only if it contains infected files and no clean files. In other words, archives are not deleted if they also contain harmless clean files. However, use caution when performing a Strict cleaning scan – with Strict cleaning the archive will be deleted if it contains at least one infected file, regardless of the status of other files in the archive.
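The cleaning rules of section 4.1.6.3 and the clean/delete and archive handling just described, encoded as an added example (not ESET's code) so the difference between the Default and Strict levels on a mixed archive is explicit. The object model, the "pure malware" and "system file" flags and the sample paths are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Added example, not ESET's code. Encodes the cleaning rules stated in sections 4.1.6.3
# and 4.1.7: how the three cleaning levels treat a plain infected file and an archive
# that mixes infected and clean members. Object names and flags are constructed.

NO_CLEANING, STANDARD, STRICT = "no cleaning", "standard", "strict"


@dataclass
class ScannedFile:
    path: str
    infected: bool = False
    pure_malware: bool = False   # the file consists exclusively of malicious code
    system_file: bool = False    # the only exception Strict cleaning makes


@dataclass
class Archive:
    path: str
    members: List[ScannedFile] = field(default_factory=list)


def file_action(f: ScannedFile, level: str) -> str:
    """Action for a stand-alone file: 'leave', 'prompt', 'clean' or 'delete'."""
    if not f.infected:
        return "leave"
    if level == NO_CLEANING:
        return "prompt"                 # warning window, the user chooses
    if level == STRICT and f.system_file:
        return "prompt"                 # system files are never handled silently
    # A parasitic infection is cleaned to restore the host file; a file that is
    # nothing but malicious code is deleted.
    return "delete" if f.pure_malware else "clean"


def archive_action(a: Archive, level: str) -> str:
    """Action for a whole archive: 'leave', 'prompt' or 'delete-archive'."""
    infected = [m for m in a.members if m.infected]
    if not infected:
        return "leave"
    if level == NO_CLEANING:
        return "prompt"
    if level == STANDARD:
        # Default mode deletes the archive only when every member is infected;
        # a mixed archive gets no automatic action.
        return "delete-archive" if len(infected) == len(a.members) else "prompt"
    return "delete-archive"             # Strict: one infected member is enough


def plan(objects: List[Union[ScannedFile, Archive]], level: str) -> Dict[str, str]:
    """Map each object path to the action the chosen cleaning level would take."""
    return {
        o.path: archive_action(o, level) if isinstance(o, Archive) else file_action(o, level)
        for o in objects
    }


# Constructed sample set (paths are made up).
SAMPLE = [
    ScannedFile(r"C:\Users\alice\invoice.exe", infected=True),                    # parasitic
    ScannedFile(r"C:\Users\alice\dropper.exe", infected=True, pure_malware=True),
    ScannedFile(r"C:\Windows\System32\svc.dll", infected=True, system_file=True),
    Archive(r"C:\Users\alice\mixed.zip",
            [ScannedFile("a.txt"), ScannedFile("b.exe", infected=True)]),
    Archive(r"C:\Users\alice\all_bad.zip",
            [ScannedFile("x.exe", infected=True), ScannedFile("y.exe", infected=True)]),
]

if __name__ == "__main__":
    for level in (NO_CLEANING, STANDARD, STRICT):
        print(level, plan(SAMPLE, level))
```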
4.2 Personal firewall
The Personal firewall controls all network traffic to and from the system. This is accomplished by allowing or denying individual network connections based on specified filtering rules. It provides protection against attacks from remote computers and enables blocking of some services. It also provides antivirus protection for HTTP and POP3 protocols. This functionality represents a very important element of computer security.
4.2.1 Filtering modes
Five filtering modes are available for the ESET Smart Security Personal firewall. The behavior of the firewall changes based on the selected mode. Filtering modes also influence the level of user interaction required.
Filtering can be performed in one of five modes:
Automatic mode – The default mode. It is suitable for users who prefer easy and convenient use of the firewall with no need to define rules. Automatic mode allows all outbound traffic for the given system and blocks all new connections initiated from the network side.
Automatic mode with exceptions (user-defined rules) – In addition to automatic mode, it enables you to add custom rules.
Interactive mode – Allows you to build a tailor-made configuration for your Personal firewall. When a communication is detected and no rule exists which applies to that communication, a dialog window reporting an unknown connection will be displayed. The dialog window gives the option of allowing or denying the communication, and the decision to allow or deny can be remembered as a new rule for the Personal firewall. If you choose to create a new rule at this time, all future connections of this type will be allowed or blocked according to the rule.
Policy-based mode – Blocks all connections which are not defined by a specific rule that allows them. This mode allows advanced users to define rules that permit only desired and secure connections. All other unspecified connections will be blocked by the Personal firewall.
Learning mode – Automatically creates and saves rules; this mode is suitable for initial configuration of the Personal firewall. No user interaction is required, because ESET Smart Security saves rules according to predefined parameters. Learning mode is not secure, and should only be used until all rules for required communications have been created.
4.2.2 Profiles
Profiles are a tool to control the behavior of the ESET Smart Security Personal firewall. When creating or editing a Personal firewall rule, you can assign it to a specific profile or have it apply to every profile. When you select a profile, only the global rules (with no profile specified) and the rules that have been assigned to that profile are applied. You can create multiple profiles with different rules assigned to easily alter the Personal firewall behavior.
4.2.2.1 Profile management
Click the Profiles... button (see figure in section 4.2.1, “Filtering modes”) to open the Firewall profiles window, where you can Add..., Edit and Remove profiles. Please note that to Edit or Remove a profile, it must not be selected in the Selected profile drop-down menu. When adding or editing a profile, you can also define the conditions that trigger it. The following possibilities are available:
Do not switch automatically – The automatic trigger is turned off (profile must be activated manually).
When the automatic profile becomes invalid and no other profile is activated automatically (default profile) – When the automatic profile becomes invalid (if the computer is connected to an untrusted network – see section 4.2.6.1, “Network authentication”) and another profile is not activated in its place (computer is not connected to another trusted network), the Personal firewall will switch to this profile. Only one profile can use this trigger.
If this zone is authenticated – This profile will be triggered when the specified zone is authenticated (see section 4.2.6.1, “Network authentication”).
When the Personal firewall switches to another profile, a notification will appear in the lower right corner near the system clock.
4.2.3 Block all network traffic: disconnect network
The only option for blocking all network traffic is to click Block all network traffic: disconnect network. All inbound and outbound communication is blocked by the Personal firewall with no warning displayed. Use this option only if you suspect critical security risks requiring disconnection of the system from the network.
4.2.4 Disable filtering: allow all traffic
The Disable filtering option is the opposite of blocking all network traffic. If selected, all Personal firewall filtering options are turned off and all incoming and outgoing connections are permitted. It has the same effect as no firewall being present.
4.2.5 Configuring and using rules
Rules represent a set of conditions used to meaningfully test all network connections and all actions assigned to these conditions. With the Personal firewall, you can define what action to take if a connection defined by a rule is established.
To access the rule filtering setup, navigate to Advanced Setup (F5) > Personal firewall > Rules and zones. To display the current configuration, click Setup... in the Zone and rule editor section (if the Personal firewall is set to Automatic mode, these settings are not available).
In the Zone and rule setup window, an overview of either rules or zones is displayed (based on the currently selected tab). The window is divided into two sections. The upper section lists all rules in a shortened view. The lower section displays details about the rule currently selected in the upper section. At the very bottom are the buttons New, Edit, and Delete (Del), which allow you to configure rules.
Connections can be divided into incoming and outgoing connections. Incoming connections are initiated by a remote computer attempting to establish connection with the local system. Outgoing connections work in the opposite way – the local side contacts a remote computer.
If a new unknown communication is detected, you must carefully consider whether to allow or deny it. Unsolicited, unsecured or unknown connections pose a security risk to the system. If such a connection is established, we recommend that you pay particular attention to the remote side and the application attempting to connect to your computer. Many infiltrations try to obtain and send private data, or download other malicious applications to host workstations. The Personal firewall allows you to detect and terminate such connections.
4.2.5.1 Creating a new rule
When installing a new application which accesses the network or when modifying an existing connection (remote side, port number, etc.), a new rule must be created.
To add a new rule, verify that the Rules tab is selected. Then, click the New button in the Zone and rule setup window. Clicking on this button opens a new dialog window to specify a new rule. The upper part of the window contains three tabs:
• General: Specify a rule name, the direction of the connection, the action, the protocol and the profile in which the rule will apply.
• Remote: This tab contains information about the remote port (port range). It also allows you to define a list of remote IP addresses or zones for a given rule.
• Local: Displays information about the local side of the connection, including the number of the local port or port range and the name of the communicating application.
A good example of adding a new rule is allowing your Internet browser to access the network. The following must be provided in this case:
• On the General tab, enable outgoing communication via the TCP and UDP protocol
• Add the process representing your browser application (for Internet Explorer it is iexplore.exe) on the Local tab
• On the Remote tab, enable port number 80 only if you wish to allow standard Internet browsing activities.
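The rule attributes described on the General, Remote and Local tabs (direction, action, protocol, remote addresses or zones, remote and local ports, application, profile) and the filtering modes from section 4.2.1 can be modelled to see how one connection is decided under each mode. The following Python is an added illustration written for this guide, not ESET's code: the ZONES table, the Rule and Connection types, the decide() function, the sample rules and connections, and the "first matching rule wins" ordering are all assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Constructed zone table: a zone is a named group of network addresses (section 4.2.6).
ZONES = {
    "Trusted zone": ("192.168.1.0/24",),
}

@dataclass(frozen=True)
class Connection:
    direction: str          # "in" (remote side initiated) or "out" (local side initiated)
    protocol: str           # "TCP" or "UDP"
    remote_ip: str
    remote_port: int
    local_port: int
    application: str        # image name of the local process, e.g. iexplore.exe

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                          # "in", "out" or "both"
    action: str                             # "allow" or "deny"
    protocols: Sequence[str] = ("TCP", "UDP")
    remote_zones: Sequence[str] = ()        # zone names; empty means any remote address
    remote_ports: Sequence[int] = ()        # empty means any remote port
    local_ports: Sequence[int] = ()         # empty means any local port
    application: Optional[str] = None       # None means any application
    profile: Optional[str] = None           # None means a global rule (applies in every profile)

    def matches(self, conn: Connection, active_profile: str) -> bool:
        """True when every condition from the General, Remote and Local tabs holds."""
        if self.profile is not None and self.profile != active_profile:
            return False
        if self.direction != "both" and self.direction != conn.direction:
            return False
        if conn.protocol not in self.protocols:
            return False
        if self.remote_ports and conn.remote_port not in self.remote_ports:
            return False
        if self.local_ports and conn.local_port not in self.local_ports:
            return False
        if self.application is not None and self.application.lower() != conn.application.lower():
            return False
        if self.remote_zones:
            addr = ip_address(conn.remote_ip)
            in_zone = any(addr in ip_network(net)
                          for zone in self.remote_zones for net in ZONES.get(zone, ()))
            if not in_zone:
                return False
        return True

def decide(conn: Connection, rules, mode: str, active_profile: str = "default") -> str:
    """Return "allow", "deny" or "ask" for a new connection under the given filtering mode.
    Assumption (not stated in the guide): the first matching rule wins."""
    if mode == "automatic":
        # No user rules: all outbound traffic allowed, new inbound connections blocked.
        return "allow" if conn.direction == "out" else "deny"
    if mode not in ("automatic_with_exceptions", "interactive", "policy"):
        raise ValueError(f"unknown filtering mode: {mode}")
    for rule in rules:
        if rule.matches(conn, active_profile):
            return rule.action
    # No rule applies: the outcome depends on the mode.
    if mode == "automatic_with_exceptions":
        return "allow" if conn.direction == "out" else "deny"
    if mode == "interactive":
        return "ask"      # the dialog window reporting an unknown connection
    return "deny"         # policy-based: everything not explicitly allowed is blocked

# Constructed rules: the browser rule from the guide plus an inbound rule for the Trusted zone.
RULES = [
    Rule("Allow browser web access", "out", "allow", application="iexplore.exe", remote_ports=(80,)),
    Rule("Allow file sharing from Trusted zone", "in", "allow", protocols=("TCP",),
         remote_zones=("Trusted zone",), local_ports=(445,), profile="home"),
]

# Constructed connections (addresses from documentation ranges).
BROWSER_HTTP = Connection("out", "TCP", "203.0.113.10", 80, 49152, "iexplore.exe")
BROWSER_HTTPS = Connection("out", "TCP", "203.0.113.10", 443, 49153, "iexplore.exe")
SMB_FROM_LAN = Connection("in", "TCP", "192.168.1.20", 50000, 445, "System")
SMB_FROM_INTERNET = Connection("in", "TCP", "198.51.100.7", 50000, 445, "System")

if __name__ == "__main__":
    for mode in ("automatic", "automatic_with_exceptions", "interactive", "policy"):
        for conn in (BROWSER_HTTP, BROWSER_HTTPS, SMB_FROM_LAN, SMB_FROM_INTERNET):
            verdict = decide(conn, RULES, mode, "home")
            print(f"{mode:26s} {conn.direction:3s} {conn.application:13s} "
                  f"{conn.remote_ip}:{conn.remote_port} -> {verdict}")
```

Running it shows the difference the mode makes for the same traffic: the browser's port 443 connection is allowed in Automatic mode, prompts in Interactive mode, and is blocked in Policy-based mode because the rule only covers port 80, while the inbound file-sharing connection is only allowed when the "home" profile is active and the remote address lies inside the Trusted zone.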
4.2.5.2 Editing rules
To modify an existing rule, click the Edit button. All parameters (see section 4.2.5.1, “Creating new rules” for descriptions) can be modified.
Modification is required each time any of the monitored parameters are changed. In this case, the rule cannot fulfill the conditions and the specified action cannot be applied. In the end, the given connection may be refused, which can result in problems with operation of the application in question. An example is a change of network address or port number for the remote side.
4.2.6 Configuring zones
In the Zone setup window you can specify the zone name, description, network address list and zone authentication (see section 4.2.6.1.1, “Zone authentication – Client configuration”).
A zone represents a collection of network addresses which create one logical group. Each address in a given group is assigned similar rules defined centrally for the whole group. One example of such a group is the Trusted zone. The Trusted zone represents a group of network addresses which are fully trusted and not blocked by the Personal firewall in any way.
These zones can be configured using the Zones tab in the Zone and rule setup window, by clicking the New button. Enter a Name for the zone and a Description, and add a remote IP address by clicking the Add IPv4 address button.
4.2.6.1 Network authentication
The Trusted zone is identified by the local IP address of the network adapter. Mobile computers often enter networks with IP addresses that are similar to the trusted network. If the Trusted zone settings are not manually switched to Strict protection, the Personal firewall will continue to use the Allow sharing mode.
To prevent this type of situation, Zone authentication searches for a specific server in the network and uses asymmetric encryption (RSA) to authenticate the server. The authentication process is repeated for each network your computer connects to.
4.2.6.1.1 Zone authentication – Client configuration
In the Zone and rule setup window, click the Zones tab and create a new zone using the name of the zone authenticated by the server. Then click Add IPv4 address and select the Subnet option to add a subnet mask that contains the authentication server.
Click the Zone authentication tab and select the IP addresses/subnets in the zone will become valid after a successful authentication of the server in the network option. With this option selected, the zone will become invalid if authentication is unsuccessful. To select a Personal firewall profile to be activated after a successful zone authentication, click the Profiles... button. If you select the Add addresses/subnets of the zone to the Trusted Zone option, the addresses/subnets of the zone will be added to the Trusted zone after an authentication is successful (recommended).
There are three authentication types available:
1) Using ESET authentication server
Click Setup... and specify a server name, server listening port and a public key that corresponds to the private server key (see section 4.2.6.1.2, “Zone authentication – Server configuration”). The server name can be entered in the form of an IP address, DNS or NetBios name. The server name can be followed by a path specifying the location of the key on the server (e.g., server_name_/directory1/directory2/authentication). Enter multiple servers, separated by semicolons, to serve as alternate servers if the first one is unavailable.
The public key can be a file of one of the following types:
• PEM encrypted public key (.pem) – This key can be generated using the ESET Authentication Server (see section 4.2.6.1.2, “Zone authentication – Server configuration”).
• Encoded public key
• Public key certificate (.crt)
To test your settings, press the Test button. If authentication is successful, a Server authentication successful message will appear. If authentication is not configured properly, one of the following error messages will appear:
Server authentication failed. Maximum time for authentication elapsed. – The authentication server is inaccessible. Check the server name/IP address and/or verify the Personal firewall settings of the client as well as the server section.
An error has occurred while communicating with the server. – The authentication server is not running. Start the authentication server service (see section 4.2.6.1.2, “Zone authentication – Server configuration”).
The name of the authentication zone does not match the server zone. – The configured zone name does not correspond with the authentication server zone. Review both zones and ensure their names are identical.
Server authentication failed. Server address not found in the list of addresses for the given zone. – The IP address of the computer running the authentication server is outside the defined IP address range of the current zone configuration.
Server authentication failed. Probably an invalid public key was entered. – Verify that the public key specified corresponds to the private server key. Also verify that the public key file is not corrupted.
2) By local network configuration
Authentication is performed according to local network adapter parameters. Authentication is successful if all selected parameters for the active connection are valid.
4.2.6.1.2 Zone authentication – Server configuration
The authentication process can be executed by any computer/server connected to the network that is to be authenticated. The ESET Authentication Server application needs to be installed on a computer/server that is always accessible for authentication whenever a client attempts to connect to the network. The installation file for the ESET Authentication Server application is available for download on ESET’s website.
After you install the ESET Authentication Server application, a dialog window will appear (you can access the application any time under Start > Programs > ESET > ESET Authentication Server > ESET Authentication Server).
To configure the authentication server, enter the authentication zone name, the server listening port (default is 80) as well as the location to store the public and private key pair. Then generate the public and private key that will be used in the authentication process. The private key will remain set on the server while the public key needs to be imported on the client side in the Zone authentication section when setting up a zone in the firewall setup.
4.2.7 Establishing connection – detection
The Personal firewall detects each newly-created network connection. The active firewall mode determines which actions are performed for the new rule. If Automatic mode or Policy-based mode is activated, the Personal firewall will perform predefined actions with no user interaction. The Interactive mode displays an informational window which reports detection of a new network connection, supplemented with detailed information about the connection. You can opt to allow the connection or refuse (block) it. If you repeatedly allow the same connection in the dialog window, we recommend that you create a new rule for the connection. To do this, select the Remember action option (Create rule) and save the action as a new rule for the Personal firewall. If the firewall recognizes the same connection in the future, it will apply the existing rule.
Please be careful when creating new rules and only allow connections which are secure. If all connections are allowed, then the Personal firewall fails to accomplish its purpose. These are the important parameters for connections:
• Remote side: Only allow connections to trusted and known addresses
• Local application: It is not advisable to allow connections for unknown applications and processes
• Port number: Communication on common ports (e.g., web traffic – port number 80) should be allowed under normal circumstances
In order to proliferate, computer infiltrations often use the Internet and hidden connections to help them infect remote systems. If rules are correctly configured, a Personal firewall becomes a useful tool for protection against a variety of malicious code attacks.
4.2.8 Logging
The ESET Smart Security Personal firewall saves all important events in a log file, which can be viewed directly from the main menu. Click Tools > Log files and then select ESET Personal firewall log from the Log drop-down menu.
The log files are an invaluable tool for detecting errors and revealing intrusions into your system, and should be given appropriate attention. ESET Personal firewall logs contain the following data:
• Date and time of event
• Name of event
• Source
• Target network address
• Network communication protocol
• Rule applied, or name of worm, if identified
• Application involved
• User
A thorough analysis of this data can help detect attempts to compromise system security. Many other factors indicate potential security risks and allow you to minimize their impact: too frequent connections from unknown locations, multiple attempts to establish connections, unknown applications communicating or unusual port numbers used.
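The indicators listed above (repeated connection attempts, unknown applications communicating, unusual port numbers, unknown remote locations) can be checked mechanically once the log is exported. The following Python is an added example for this guide, not an ESET tool: the comma-separated layout of SAMPLE_LOG, the LOCAL_HOST address, the trusted networks, the list of common ports and known applications, and the repeat threshold are all constructed assumptions; the guide only names the fields a log record carries, not an export format.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample export: one row per logged communication, carrying the fields the guide
# lists for the Personal firewall log. The column layout is an assumption made for this example.
SAMPLE_LOG = r"""
time,event,source,target,protocol,rule,application,user
2009-05-26 10:00:01,Communication allowed,10.0.0.5:49152,203.0.113.10:80,TCP,Allow browser web access,C:\Program Files\Internet Explorer\iexplore.exe,alice
2009-05-26 10:00:05,Communication denied,198.51.100.7:50000,10.0.0.5:445,TCP,Block incoming traffic,System,
2009-05-26 10:00:06,Communication denied,198.51.100.7:50001,10.0.0.5:445,TCP,Block incoming traffic,System,
2009-05-26 10:00:07,Communication denied,198.51.100.7:50002,10.0.0.5:445,TCP,Block incoming traffic,System,
2009-05-26 10:00:08,Communication denied,198.51.100.7:50003,10.0.0.5:445,TCP,Block incoming traffic,System,
2009-05-26 10:01:10,Communication allowed,10.0.0.5:49160,203.0.113.55:6667,TCP,Interactive decision,C:\Users\alice\AppData\Local\Temp\svhost.exe,alice
2009-05-26 10:02:00,Communication allowed,10.0.0.5:49161,192.168.1.20:445,TCP,Allow file sharing from Trusted zone,System,
"""

LOCAL_HOST = "10.0.0.5"                        # the workstation whose log this is (constructed)
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
COMMON_PORTS = {25, 53, 80, 110, 443, 445}     # ports where traffic is expected (constructed)
KNOWN_APPLICATIONS = {"iexplore.exe", "system"}
REPEAT_THRESHOLD = 3                           # denied inbound attempts from one source ...
REPEAT_WINDOW = timedelta(minutes=1)           # ... within this window count as a probe

def parse_log(text):
    """Turn the exported rows into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text.strip())):
        src_ip, src_port = row["source"].rsplit(":", 1)
        dst_ip, dst_port = row["target"].rsplit(":", 1)
        rows.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event": row["event"],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "protocol": row["protocol"],
            "rule": row["rule"],
            # keep only the image name so that install paths do not have to match exactly
            "application": row["application"].rsplit("\\", 1)[-1].lower(),
            "user": row["user"],
        })
    return rows

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def remote_side(row):
    """Return (remote ip, remote port, direction) for a row, judged from LOCAL_HOST."""
    if row["src_ip"] == LOCAL_HOST:
        return row["dst_ip"], row["dst_port"], "out"
    return row["src_ip"], row["src_port"], "in"

def analyze(rows):
    """Flag the indicators the guide names; returns (kind, detail, time) tuples in log order."""
    findings = []
    denied_times = defaultdict(list)
    for row in rows:
        ip, port, direction = remote_side(row)
        if row["event"] == "Communication denied" and direction == "in":
            denied_times[ip].append(row["time"])
            recent = [t for t in denied_times[ip] if row["time"] - t <= REPEAT_WINDOW]
            if len(recent) == REPEAT_THRESHOLD:       # report once, when the threshold is reached
                findings.append(("repeated connection attempts", ip, row["time"]))
        elif row["event"] == "Communication allowed":
            if row["application"] not in KNOWN_APPLICATIONS:
                findings.append(("unknown application", row["application"], row["time"]))
            if direction == "out" and port not in COMMON_PORTS and not is_trusted(ip):
                findings.append(("unusual port", f"{ip}:{port}", row["time"]))
    return findings

if __name__ == "__main__":
    for kind, detail, when in analyze(parse_log(SAMPLE_LOG)):
        print(f"{when}  {kind}: {detail}")
```

On the constructed rows this reports the four denied attempts from 198.51.100.7 once (when the third arrives inside the window), the unknown svhost.exe image running from a temporary folder, and its outbound connection to port 6667 on an untrusted address; the browser's port 80 traffic and the file-sharing connection inside the Trusted zone produce nothing.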
4.3 Antispam protection
Unsolicited email – called spam – ranks among the greatest problems of electronic communication. It represents up to 80 percent of all email communication. Antispam protection serves to protect against this problem. Combining several efficient principles, the Antispam module provides superior filtering.
One important principle in spam detection is the ability to recognize unsolicited email based on predefined trusted addresses (whitelist) and spam addresses (blacklist). All addresses from your contact list are automatically added to the whitelist, as well as all other addresses you mark as safe.
The primary method used to detect spam is the scanning of email message properties. Received messages are scanned for basic Antispam criteria (message definitions, statistical heuristics, recognizing algorithms and other unique methods) and the resulting index value determines whether a message is spam or not.
ESET Smart Security 4 supports Antispam protection for Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.
4.3.1 Self-learning Antispam
Self-learning Antispam is related to the Bayesian filter. By marking messages as spam and not spam, you create a database of words used in spam and not spam messages. The more messages classified (marked as spam or not spam), the more accurate the Bayesian filter will be. Add known email addresses to the whitelist to exclude them from filtering.
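The principle behind self-learning Antispam, a Bayesian filter fed by the user's own spam/not-spam decisions with the whitelist and blacklist consulted first, is shown below in a small Python implementation. It is an added example for this guide, not ESET's filter: the SelfLearningFilter class, its word-presence estimate with Laplace smoothing, the 0.9 decision threshold, and the training messages and addresses are all constructed for the illustration.

```python
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9']+")

def tokenize(text):
    """Lower-case word tokens; each message contributes a word at most once."""
    return set(WORD_RE.findall(text.lower()))

class SelfLearningFilter:
    """Toy Bayesian spam filter with the whitelist/blacklist short-circuit the guide describes."""

    def __init__(self, threshold=0.9):
        self.spam_words = Counter()   # number of spam messages that contained each word
        self.ham_words = Counter()    # number of not-spam messages that contained each word
        self.spam_count = 0
        self.ham_count = 0
        self.whitelist = set()
        self.blacklist = set()
        self.threshold = threshold

    def train(self, text, is_spam):
        """Called each time the user marks a message as spam or not spam."""
        if is_spam:
            self.spam_words.update(tokenize(text))
            self.spam_count += 1
        else:
            self.ham_words.update(tokenize(text))
            self.ham_count += 1

    def spam_probability(self, text):
        """P(spam | words present): naive Bayes with Laplace smoothing, computed in log space."""
        if self.spam_count == 0 or self.ham_count == 0:
            return 0.5                       # nothing learned yet, so no opinion
        total = self.spam_count + self.ham_count
        log_spam = math.log(self.spam_count / total)
        log_ham = math.log(self.ham_count / total)
        vocabulary = self.spam_words.keys() | self.ham_words.keys()
        for word in tokenize(text):
            if word not in vocabulary:
                continue                     # never-seen words carry no evidence
            log_spam += math.log((self.spam_words[word] + 1) / (self.spam_count + 2))
            log_ham += math.log((self.ham_words[word] + 1) / (self.ham_count + 2))
        peak = max(log_spam, log_ham)        # rescale before exponentiating to avoid underflow
        p_spam = math.exp(log_spam - peak)
        p_ham = math.exp(log_ham - peak)
        return p_spam / (p_spam + p_ham)

    def classify(self, sender, text):
        sender = sender.lower()
        if sender in self.whitelist:
            return "not spam"                # whitelisted senders are excluded from filtering
        if sender in self.blacklist:
            return "spam"                    # blacklisted senders are always classified as spam
        return "spam" if self.spam_probability(text) >= self.threshold else "not spam"

# Constructed training data standing in for messages the user has already marked.
SPAM_SAMPLES = [
    "Cheap meds online, buy now and win a free prize",
    "Win a free prize, claim your cash now",
    "Cheap loans approved instantly, buy now",
    "Free cash prize, click now",
]
HAM_SAMPLES = [
    "Meeting moved to 3pm, see agenda attached",
    "Can you review the firewall rules before the meeting",
    "Lunch tomorrow? Let me know",
    "The quarterly report draft is attached for review",
]

def build_filter():
    f = SelfLearningFilter()
    for text in SPAM_SAMPLES:
        f.train(text, is_spam=True)
    for text in HAM_SAMPLES:
        f.train(text, is_spam=False)
    f.whitelist.add("colleague@example.com")    # constructed trusted address
    f.blacklist.add("promo@example.net")        # constructed spam address
    return f

if __name__ == "__main__":
    f = build_filter()
    for sender, text in [("unknown@example.org", "Win a free cash prize now"),
                         ("unknown@example.org", "Can you review the agenda before the meeting"),
                         ("colleague@example.com", "Win a free cash prize now"),
                         ("promo@example.net", "Can you review the agenda before the meeting")]:
        print(f"{sender:22s} {f.spam_probability(text):.3f} -> {f.classify(sender, text)}")
```

With only four messages of each class the filter already separates the two unknown-sender messages cleanly, and the last two lines show the address lists overriding the word statistics in both directions, which is why the guide recommends adding known addresses to the whitelist rather than relying on training alone.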
4.3.1.1 Adding addresses to whitelist and blacklist
Email addresses belonging to people you communicate with frequently can be added to the whitelist to ensure that no message originating from a whitelist address is ever classified as spam. Known spam addresses can be added to the blacklist and always be classified as spam. To add a new address to the whitelist or blacklist, right-click the email and select ESET Smart Security > Add to Whitelist or Add to Blacklist, or click the Trusted address or Spam address button in the ESET Smart Security Antispam toolbar in your email program.
Similarly, this process applies to spam addresses. If an email address is listed on the blacklist, each email message which arrives from that address is classified as spam.
4.3.1.2 Marking messages as spam
Any message viewed in your email client can be marked as spam. To do so, right-click the message and click ESET Smart Security > Reclassify selected messages as spam, or click Spam address in the ESET Smart Security Antispam toolbar located in the upper section of your email client.
Reclassified messages are automatically moved to the SPAM folder, but the sender email address is not added to the Blacklist. Similarly, messages can be classified as “not spam”. If messages from the Junk E-mail folder are classified as not spam, they are moved to their original folder. Marking a message as not spam does not automatically add the sender address to the Whitelist.
4.4 Updating the program
Regular updating of ESET Smart Security is the basic premise for obtaining the maximum level of security. The Update module ensures that the program is always up to date in two ways – by updating the virus signature database and by updating system components.
By clicking Update from the main menu, you can find the current update status, including the date and time of the last successful update and if an update is needed. The primary window also contains the virus signature database version. This numeric indicator is an active link to ESET’s website, listing all signatures added within the given update.
In addition, the option to manually begin the update process – Update virus signature database – is available, as well as basic update setup options such as the username and password to access ESET’s update servers.
Use the Product activation link to open a registration form that will activate your ESET security product and send you an email with your authentication data (username and password).
NOTE: The username and password are provided by ESET after purchasing ESET Smart Security.
4.4.1 Update setup
The update setup section specifies update source information such as the update servers and authentication data for these servers. By default, the Update server drop-down menu is set to Choose automatically to ensure that update files will automatically download from the ESET server with the least network traffic. The update setup options are available from the Advanced Setup tree (F5 key), under Update.
The list of available update servers is accessible via the Update server drop-down menu. To add a new update server, click Edit... in the Update settings for selected profile section and then click the Add button. Authentication for update servers is based on the Username and Password generated and sent to you after purchase.
4.4.1.1 Update profiles
Update profiles can be created for various update configurations and tasks. Creating update profiles is especially useful for mobile users, who can create an alternative profile for Internet connection properties that regularly change.
The Selected profile drop-down menu displays the currently selected profile, set to My profile by default. To create a new profile, click the Profiles... button and then click the Add... button and enter your own Profile name. When creating a new profile, you can copy settings from an existing one by selecting it from the Copy settings from profile drop-down menu.
In the profile setup you can specify the update server from a list of available servers, or a new server can be added. The list of existing update servers is accessible via the Update server: drop-down menu. To add a new update server, click Edit… in the Update settings for selected profile section and then click the Add button.
4.4.1.2 Advanced update setup
To view the Advanced update setup, click the Setup... button. Advanced update setup options include configuration of Update mode, HTTP Proxy, LAN and Mirror.
4.4.1.2.1 Update mode
The Update mode tab contains options related to the program component update.
In the Program component update section, three options are available:
• Never update program components: New program component updates will not be downloaded.
• Always update program components: New program component updates will occur automatically.
• Ask before downloading program components: The default option. You will be prompted to confirm or refuse program component updates when they are available.
After a program component update, it may be necessary to restart your computer to provide full functionality of all modules. The Restart after program component upgrade section allows you to select one of the following options:
• Never restart computer
• Offer computer restart if necessary
• If necessary, restart computer without notifying
The default option is Offer computer restart if necessary. Selection of the most appropriate option depends on the workstation where the settings will be applied. Please be aware that there are differences between workstations and servers – e.g., restarting the server automatically after a program upgrade could cause serious damage.
4.4.1.2.2 Proxy server
To access the proxy server setup options for a given update profile: Click Update in the Advanced Setup tree (F5) and then click the Setup... button to the right of Advanced update setup. Click the HTTP Proxy tab and select one of the three following options:
• Use global proxy server settings
• Do not use proxy server
• Connection through a proxy server (connection defined by the connection properties)
Selecting the Use global proxy server settings option will use the proxy server configuration options already specified within the Miscellaneous > Proxy server branch of the Advanced Setup tree.
Select the Do not use proxy server option to specify that no proxy server will be used to update ESET Smart Security.
The Connection through a proxy server option should be selected if a proxy server should be used to update ESET Smart Security and is different from the proxy server specified in the global settings (Miscellaneous > Proxy server). If so, the settings should be specified here: Proxy server address, communication Port, plus Username and Password for the proxy server, if required.
This option should also be selected if the proxy server settings were not set globally, but ESET Smart Security will connect to a proxy server for updates.
The default setting for the proxy server is Use global proxy server settings.
4.4.1.2.3 Connecting to the LAN
When updating from a local server with an NT-based operating system, authentication for each network connection is required by default. In most cases, a local system account does not have sufficient rights to access the Mirror folder (the Mirror folder contains copies of update files). If this is the case, enter the username and password in the update setup section, or specify an existing account under which the program will access the update server (Mirror).
To configure such an account, click the LAN tab. The Connect to LAN as section offers the System account (default), Current user, and Specified user options.
Select the System account (default) option to use the system account for authentication. Normally, no authentication process takes place if there is no authentication data supplied in the main update setup section.
To ensure that the program authenticates using a currently logged-in user account, select Current user. The drawback of this solution is that the program is not able to connect to the update server if no user is currently logged in.
Select Specified user if you want the program to use a specific user account for authentication.
Warning: When either Current user or Specified user is selected, an error may occur when changing the identity of the program to the desired user. We recommend inserting the LAN authentication data in the main update setup section. In this update setup section, the authentication data should be entered as follows: domain_name\user (if it is a workgroup, enter workgroup_name\name) and password. When updating from the HTTP version of the local server, no authentication is required.
4.4.1.2.4 Creating update copies – Mirror
ESET Smart Security Business Edition allows you to create copies of update files which can be used to update other workstations located in the network. Updating client workstations from a Mirror optimizes network load balance and saves Internet connection bandwidth.
Configuration options for the local Mirror server are accessible (after adding a valid license key in the license manager, located in the ESET Smart Security Business Edition Advanced Setup section) in the Advanced update setup: section. To access this section, press F5 and click Update in the Advanced Setup tree, then click the Setup... button next to Advanced update setup: and select the Mirror tab.
The first step in configuring the Mirror is to select the Create update mirror option. Selecting this option activates other Mirror configuration options such as the way update files will be accessed and the update path to the mirrored files.
The methods of Mirror activation are described in detail in section 4.4.1.2.4.1, “Updating from the Mirror”. For now, note that there are two basic methods for accessing the Mirror – the folder with update files can be presented as a shared network folder or as an HTTP server.
The folder dedicated to storing update files for the Mirror is defined in the Folder to store mirrored files section. Click Folder… to browse for a folder on the local computer or shared network folder. If authorization for the specified folder is required, authentication data must be supplied in the Username and Password fields. The username and password should be entered in the format Domain/User or Workgroup/User. Please remember to supply the corresponding passwords.
When configuring the Mirror, you can also specify the language versions for which you want to download update copies. Language version setup is accessible in the section Files – Available versions:.
4.4.1.2.4.1 Updating from the Mirror
There are two basic methods of configuring the Mirror – the folder with update files can be presented as a shared network folder or as an HTTP server.
Accessing the Mirror using an internal HTTP server
This configuration is the default, specified in the predefined program configuration. In order to allow access to the Mirror using the HTTP server, navigate to Advanced update setup (the Mirror tab) and select the Create update mirror option.
In the Advanced setup section of the Mirror tab you can specify the Server Port where the HTTP server will listen as well as the type of Authentication used by the HTTP server. By default, the Server port is set to 2221. The Authentication option defines the method of authentication used for accessing the update files. The following options are available: NONE, Basic, and NTLM. Select Basic to use the base64 encoding with basic username and password authentication. The NTLM option provides encoding using a safe encoding method. For authentication, the user created on the workstation sharing the update files is used. The default setting is NONE, which grants access to the update files with no need for authentication.
Warning: If you want to allow access to the update files via the HTTP server, the Mirror folder must be located on the same computer as the ESET Smart Security instance creating it.
After configuration of the Mirror is complete, go to the workstations and add a new update server in the format http://IP_address_of_your_server:2221. To do this, follow the steps below:
• Open ESET Smart Security Advanced Setup and click the Update branch.
• Click Edit… to the right of the Update server drop-down menu and add a new server using the following format: http://IP_address_of_your_server:2221.
• Select this newly-added server from the list of update servers.
Accessing the Mirror via system shares
First, a shared folder should be created on a local or a network device. When creating the folder for the Mirror, you must provide “write” access for the user who will save update files to the folder and “read” access for all users who will update ESET Smart Security from the Mirror folder.
Next, configure access to the Mirror in the Advanced update setup section (Mirror tab) by disabling the Provide update files via internal HTTP server option. This option is enabled by default in the program install package.
If the shared folder is located on another computer in the network, you must specify authentication data to access the other computer. To specify authentication data, open ESET Smart Security Advanced Setup (F5) and click the Update branch. Click the Setup... button and then click the LAN tab. This setting is the same as for updating, as described in section 4.4.1.2.3, “Connecting to LAN”.
After the Mirror configuration is complete, proceed to the workstations and set \\UNC\PATH as the update server. This operation can be completed using the following steps:
• Open ESET Smart Security Advanced Setup and click Update
• Click Edit... next to the Update server and add a new server using the \\UNC\PATH format.
• Select this newly-added server from the list of update servers
NOTE: For proper functioning, the path to the Mirror folder must be specified as a UNC path. Updates from mapped drives may not work.
4.4.1.2.4.2 Troubleshooting Mirror update problems
In most cases, problems during an update from a Mirror server are caused by one or more of the following: incorrect specification of the Mirror folder options, incorrect authentication data to the Mirror folder, incorrect configuration on local workstations attempting to download update files from the Mirror, or by a combination of the reasons above. Below is an overview of the most frequent problems which may occur during an update from the Mirror:
ESET Smart Security reports an error connecting to Mirror server – Likely caused by incorrect specification of the update server (network path to the Mirror folder) from which local workstations download updates. To verify the folder, click the Windows Start menu, click Run, insert the folder name and click OK. The contents of the folder should be displayed.
ESET Smart Security requires a username and password – Likely caused by incorrect authentication data (username and password) in the update section. The username and password are used to grant access to the update server, from which the program will update itself. Make sure that the authentication data is correct and entered in the correct format. For example, Domain/Username, or Workgroup/Username, plus the corresponding Passwords. If the Mirror server is accessible to “Everyone”, please be aware that this does not mean that any user is granted access. “Everyone” does not mean any unauthorized user, it just means that the folder is accessible for all domain users. As a result, if the folder is accessible to “Everyone”, a domain username and password will still need to be entered in the update setup section.
ESET Smart Security reports an error connecting to the Mirror server – Communication on the port defined for accessing the HTTP version of the Mirror is blocked.
4.4.2 How to create update tasks
Updates can be triggered manually by clicking Update virus signature database in the primary window displayed after clicking Update from the main menu.
Updates can also be run as scheduled tasks. To configure a scheduled task, click Tools > Scheduler. By default, the following tasks are activated in ESET Smart Security:
• Regular automatic update
• Automatic update after dial-up connection
• Automatic update after user logon
Each update task can be modified to meet your needs. In addition to the default update tasks, you can create new update tasks with a user-defined configuration. For more details about creating and configuring update tasks, see section 4.5, “Scheduler”.
4.5 Scheduler
Scheduler is available if Advanced mode in ESET Smart Security is activated. Scheduler can be found in the ESET Smart Security main menu under Tools. Scheduler contains a list of all scheduled tasks and configuration properties such as the predefined date, time, and scanning profile used.
By default, the following scheduled tasks are displayed in Scheduler:
• Regular automatic update
• Automatic update after dial-up connection
• Automatic update after user logon
• Automatic startup file check (after user logon)
• Automatic startup file check (after successful update of the virus signature database)
To edit the configuration of an existing scheduled task (both default and user-defined), right-click the task and click Edit... or select the desired task you wish to modify and click the Edit... button.
4.5.1 Purpose of scheduling tasks
Scheduler manages and launches scheduled tasks with predefined configuration and properties. The configuration and properties contain information such as the date and time as well as specified profiles to be used during execution of the task.
4.5.2 Creating new tasks
To create a new task in Scheduler, click the Add... button or right-click and select Add... from the context menu. Five types of scheduled tasks are available:
• Run external application
• System startup file check
• Create a computer status snapshot
• On-demand computer scan
• Update
Since Update is one of the most frequently used scheduled tasks, we will explain how to add a new update task.
From the Scheduled task: drop-down menu, select Update. Click Next and enter the name of the task into the Task name: field. Select the frequency of the task. The following options are available: Once, Repeatedly, Daily, Weekly and Event triggered. Based on the frequency selected, you will be prompted with different update parameters. Next, define what action to take if the task cannot be performed or completed at the scheduled time. The following three options are available:
• Wait until the next scheduled time
• Run task as soon as possible
• Run task immediately if the time since its last execution exceeds specified interval (the interval can be defined using the Task interval scroll box)
In the next step, a summary window with information about the current scheduled task is displayed; the option Run task with specific parameters should be automatically enabled. Click the Finish button.
A dialog window will appear, allowing you to select profiles to be used for the scheduled task. Here you can specify a primary and alternative profile, which is used in case the task cannot be completed using the primary profile. Confirm by clicking OK in the Update profiles window. The new scheduled task will be added to the list of currently scheduled tasks.
4.6 Quarantine
Themaintaskofquarantineistosafelystoreinfectedfiles.Filesshouldbequarantinediftheycannotbecleaned,ifitisnotsafeoradvisabletodeletethem,oriftheyarebeingfalselydetectedbyESETSmartSecurity.
Youcanchoosetoquarantineanyfile.Thisisadvisableifafilebehavessuspiciouslybutisnotdetectedbytheantivirusscanner.QuarantinedfilescanbesubmittedforanalysistoESET’sThreatLab.
Filesstoredinthequarantinefoldercanbeviewedinatablewhichdisplaysthedateandtimeofquarantine,thepathtotheoriginallocationoftheinfectedfile,itssizeinbytes,reason(addedbyuser…),andnumberofthreats(e.g.,ifitisanarchivecontainingmultipleinfiltrations).
4.6.1 Quarantiningfiles
ESETSmartSecurityautomaticallyquarantinesdeletedfiles(ifyouhavenotcancelledthisoptioninthealertwindow).Ifdesired,youcanquarantineanysuspiciousfilemanuallybyclickingtheQuarantine...button.Ifthisisthecase,theoriginalfileisnotremovedfromitsoriginallocation.Thecontextmenucanalsobeusedforthispurpose–right‑clickintheQuarantinewindowandselectAdd...
4.6.2 RestoringfromQuarantine
Quarantinedfilescanalsoberestoredtotheiroriginallocation.UsetheRestorefeatureforthispurpose;thisisavailablefromthecontextmenubyright‑clickingonthegivenfileintheQuarantinewindow.ThecontextmenualsoofferstheoptionRestoreto,whichallowsyoutorestoreafiletoalocationotherthantheonefromwhichitwasdeleted.
NOTE:Iftheprogramquarantinedaharmlessfilebymistake,pleaseexcludethefilefromscanningafterrestoringandsendthefiletoESETCustomerCare.
4.6.3 SubmittingfilefromQuarantine
Ifyouhavequarantinedasuspiciousfilethatwasnotdetectedbytheprogram,orifafilewasincorrectlyevaluatedasinfected(e.g.,byheuristicanalysisofthecode)andsubsequentlyquarantined,pleasesendthefiletoESET‘sThreatLab.Tosubmitafilefromquarantine,right‑clickthefileandselectSubmitforanalysisfromthecontextmenu.
4.7 Log files
The Log files contain information about all important program events that have occurred and provide an overview of detected threats. Logging is an essential tool in system analysis, threat detection and troubleshooting. Logging is performed actively in the background with no user interaction. Information is recorded based on the current log verbosity settings. It is possible to view text messages and logs directly from the ESET Smart Security environment, as well as to archive logs.
Log files are accessible from the main menu by clicking Tools > Log files. Select the desired log type using the Log: drop-down menu at the top of the window. The following logs are available:
1. Detected threats – Use this option to view all information about events related to the detection of infiltrations.
2. Events – This option is designed for system administrators and users to solve problems. All important actions performed by ESET Smart Security are recorded in the Event log.
3. On-demand computer scan – Results of all completed scans are displayed in this window. Double-click any entry to view details of the respective On-demand scan.
4. ESET Personal firewall log – Contains records of all communication detected by and related to the Personal firewall. Analysis of the firewall log may help to detect system infiltration attempts in time to prevent unauthorized access to your system.
In each section, the displayed information can be directly copied to the clipboard by selecting the entry and clicking the Copy button. To select multiple entries, use the CTRL and SHIFT keys.
4.7.1 Log maintenance
The logging configuration of ESET Smart Security is accessible from the main program window. Click Setup > Enter entire advanced setup tree... > Tools > Log files. You can specify the following options for log files:
• Delete records automatically: Log entries older than the specified number of days are automatically deleted.
• Optimize log files automatically: Enables automatic defragmentation of log files if the specified percentage of unused records has been exceeded.
• Minimum logging verbosity: Specifies the logging verbosity level. Each level also records everything at the levels below it in this list. Available options:
– Diagnostic records – Logs information needed for fine-tuning of the program, plus all records above.
– Informative records – Records informative messages, including successful update messages, plus all records above.
– Warnings – Records critical errors and warning messages.
– Errors – Only "Error downloading file" messages are recorded, plus critical errors.
– Critical warnings – Logs only critical errors (error starting Antivirus protection, Personal firewall, etc.).
Keep in mind that lowering the verbosity (e.g., to Errors) also removes the Informative and Warning records that are often needed when reconstructing what happened during an incident.
4.8 User interface
The user interface configuration options in ESET Smart Security allow you to adjust the working environment to fit your needs. These configuration options are accessible from the User interface branch of the ESET Smart Security Advanced Setup tree.
In the User interface elements section, the Advanced mode option gives users the ability to toggle to Advanced mode. Advanced mode displays more detailed settings and additional controls in ESET Smart Security.
The Graphical user interface option should be disabled if the graphical elements slow the performance of your computer or cause other problems. The graphical interface may also need to be turned off for visually impaired users, as it may conflict with special applications that are used for reading text displayed on the screen.
If you wish to deactivate the ESET Smart Security splash screen, deselect the Show splash-screen at startup option.
At the top of the ESET Smart Security main program window is a Standard menu which can be activated or disabled using the Use standard menu option.
If the Show tooltips option is enabled, a short description of any option is displayed when the cursor is placed over the option. The Select active control element option causes the system to highlight any element which is currently under the active area of the mouse cursor. The highlighted element is activated by a mouse click.
To decrease or increase the speed of animated effects, select the Use animated controls option and move the Speed slider bar to the left or right.
To enable the use of animated icons to display the progress of various operations, select the Use animated icons for progress indication option. If you want the program to sound a warning when an important event takes place, select the Use sound signal option.
The User interface features also include the option to password-protect the ESET Smart Security setup parameters. This option is located in the Settings protection submenu under User interface. In order to provide maximum security for your system, it is essential that the program be correctly configured. Unauthorized modifications could result in the loss of important data, or in protection being silently weakened or disabled. To set a password to protect the setup parameters, click Set password…
4.8.1 Alerts and notifications
The Alerts and notifications setup section under User interface allows you to configure how threat alerts and system notifications are handled in ESET Smart Security.
The first item is Display alerts. Disabling this option cancels all alert windows and is only suitable for a limited number of specific situations. For most users, we recommend that this option be left at its default setting (enabled).
To close pop-up windows automatically after a certain period of time, select the option Close message boxes automatically after (sec.). If they are not closed manually, alert windows are automatically closed after the specified time period has expired.
Notifications on the Desktop and balloon tips are informative only, and do not require or offer user interaction. They are displayed in the notification area at the bottom right corner of the screen. To activate Desktop notifications, select the Display notifications on desktop option. More detailed options (notification display time and window transparency) can be modified by clicking the Configure notifications... button.
To preview the behavior of notifications, click the Preview button. To configure the duration of the balloon tip display time, see the option Display balloon tips in taskbar (for sec.).
Click Advanced setup... to enter additional Alerts and notifications setup options, which include Display only notifications requiring user's interaction. This option allows you to turn the display of alerts and notifications that require no user interaction on or off. Select Display only notifications requiring user's interaction when running applications in full screen mode to suppress all non-interactive notifications while an application runs in full screen. From the Minimum verbosity of events to display drop-down menu you can select the lowest severity level of alerts and notifications to be displayed.
The last feature in this section allows you to configure the destination of notifications in a multi-user environment. The On multi-user systems, display notifications on the screen of the user: field allows you to define who will receive important notifications from ESET Smart Security. Normally this would be a system or network administrator. This option is especially useful for terminal servers, provided that all system notifications are sent to the administrator.
4.9 ThreatSense.Net
The ThreatSense.Net Early Warning System keeps ESET immediately and continuously informed about new infiltrations. The bidirectional ThreatSense.Net Early Warning System has a single purpose: to improve the protection that we can offer you. The best way to ensure that we see new threats as soon as they appear is to "link" to as many of our customers as possible and use them as our Threat Scouts. There are two options:
1. You can decide not to enable the ThreatSense.Net Early Warning System. You will not lose any functionality in the software, and you will still receive the best protection that we offer.
2. You can configure the ThreatSense.Net Early Warning System to submit anonymous information about new threats and about the file in which the new threatening code is contained. This file can be sent to ESET for detailed analysis. Studying these threats will help ESET update its threat detection capabilities.
The ThreatSense.Net Early Warning System will collect information about your computer related to newly detected threats. This information may include a sample or copy of the file in which the threat appeared, the path to that file, the file name, the date and time, the process by which the threat appeared on your computer and information about your computer's operating system.
While there is a chance that this may occasionally disclose some information about you or your computer (usernames in a directory path, etc.) to ESET's Threat Lab, this information will not be used for ANY purpose other than to help us respond immediately to new threats.
By default, ESET Smart Security is configured to ask before submitting suspicious files for detailed analysis to ESET's Threat Lab. Files with certain extensions such as .doc or .xls are always excluded. You can also add other extensions if there are particular files that you or your organization want to avoid sending.
The ThreatSense.Net setup is accessible from the Advanced Setup tree, under Tools > ThreatSense.Net. Select the Enable ThreatSense.Net Early Warning System option to activate it and then click the Advanced setup... button.
4.9.1 Suspicious files
The Suspicious files tab allows you to configure the manner in which threats are submitted to ESET's Threat Lab for analysis.
If you find a suspicious file, you can submit it for analysis to our Threat Lab. If it is a malicious application, its detection will be added to the next virus signature update.
File submission can be set to occur automatically, or you can select the Ask before submitting option if you wish to know which files are being sent for analysis and confirm each submission.
If you do not want any files to be submitted, select the Do not submit for analysis option. Choosing not to submit files for analysis does not affect the submission of statistical information, which is configured in its own setup (see section 4.9.2, "Statistics").
When to submit – By default, the As soon as possible option is selected, so suspicious files are sent to ESET's Threat Lab immediately. This is recommended if a permanent Internet connection is available and suspicious files can be delivered without delay. Select the During update option for suspicious files to be uploaded to ThreatSense.Net during the next update.
Exclusion filter – The Exclusion filter allows you to exclude certain files/folders from submission. For example, it may be useful to exclude files which may carry confidential information, such as documents or spreadsheets. The most common file types are excluded by default (.doc, etc.). You can add to the list of excluded files if desired. Note that the filter matches on file type and location; it does not inspect file contents, so confidential data in an unlisted file type is not protected by it.
Contact email – Your Contact email [optional] can be sent with any suspicious files and may be used to contact you if further information is required for analysis. Please note that you will not receive a response from ESET unless more information is needed.
4.9.2 Statistics
The ThreatSense.Net Early Warning System collects anonymous information about your computer related to newly detected threats. This information may include the name of the infiltration, the date and time it was detected, the ESET security product version, your operating system version and the location setting. The statistics are typically delivered to ESET's servers once or twice a day.
Below is an example of a statistical package submitted:
# utc_time=2005-04-14 07:21:28
# country="Slovakia"
# language="ENGLISH"
# osver=5.1.2600 NT
# engine=5417
# components=2.50.2
# moduleid=0x4e4f4d41
# filesize=28368
# filename=C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C14J8NS7\rdgFR1463[1].exe
Note that the filename field carries the full path of the detected file, which can include a Windows user profile name, as it does in this example; this is the kind of incidental disclosure mentioned above.
When to submit – You can define when the statistical information will be submitted. If you choose As soon as possible, statistical information is sent immediately after it is created. This setting is suitable if a permanent Internet connection is available. If the During update option is selected, statistical information is submitted collectively during the next update.
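The following Python script is an added example, not part of this manual or of ESET's software. It parses a statistical package in the "# key=value" form shown above (the sample below is constructed from that illustration), locates a user profile name in the filename path, and produces a redacted copy. The profile directory names it recognizes (Documents and Settings, Users) and the angle-bracket placeholder are this example's own assumptions; the product offers no hook to rewrite a package before sending, so the script serves to show what the package discloses.

```python
import re
from typing import Dict

# Constructed sample in the format illustrated in this section; it is not a
# real submission. Values are copied from the manual's example package.
SAMPLE_PACKAGE = """\
# utc_time=2005-04-14 07:21:28
# country="Slovakia"
# language="ENGLISH"
# osver=5.1.2600 NT
# engine=5417
# components=2.50.2
# moduleid=0x4e4f4d41
# filesize=28368
# filename=C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\C14J8NS7\\rdgFR1463[1].exe
"""

# Assumption: profiles live under one of the two layouts used by the Windows
# versions this manual covers (2000/XP/2003 and Vista/7/2008).
_PROFILE_DIRS = re.compile(r"(?i)^(documents and settings|users)$")


def parse_package(text: str) -> Dict[str, str]:
    """Parse '# key=value' lines into a dict; surrounding quotes are dropped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue                      # not a package field
        key, sep, value = line[1:].strip().partition("=")
        if not sep:
            continue                      # comment without a value
        fields[key.strip()] = value.strip().strip('"')
    return fields


def username_in_path(path: str) -> str:
    """Return the profile name embedded in a Windows path, or '' if none."""
    parts = path.split("\\")
    for i, segment in enumerate(parts[:-1]):
        if _PROFILE_DIRS.match(segment):
            return parts[i + 1]           # the segment right after the profile root
    return ""


def redact_package(fields: Dict[str, str]) -> Dict[str, str]:
    """Copy of fields with the profile name in 'filename' replaced by <user>."""
    out = dict(fields)
    user = username_in_path(out.get("filename", ""))
    if user:
        out["filename"] = out["filename"].replace("\\" + user + "\\", "\\<user>\\", 1)
    return out


if __name__ == "__main__":
    fields = parse_package(SAMPLE_PACKAGE)
    print("user name disclosed:", username_in_path(fields["filename"]) or "none")
    print("redacted filename:", redact_package(fields)["filename"])
```

The parser keeps only lines that start with "#" and contain "=", so a trailing comment line without a value is ignored rather than raising. The redaction replaces just the first profile segment; the temporary-file name after it is left intact because that is the part the Threat Lab needs.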
4.9.3 Submission
You can select how files and statistical information will be submitted to ESET. Select the By means of Remote Administrator or directly to ESET option for files and statistics to be submitted by any available means. Select the By means of Remote Administrator option to submit files and statistics to the remote administration server, which will ensure their subsequent submission to ESET's Threat Lab. If the option Directly to ESET is selected, all suspicious files and statistical information are sent to ESET's virus lab directly from the program.
When there are files pending submission, the Submit now button is active. Click this button to immediately submit files and statistical information.
Select the Enable logging option to create a log recording file and statistical information submissions. Keeping this log lets you audit exactly which files left the machine.
4.10 Remote administration
ESET Remote Administrator (ERA) is a powerful tool to manage security policy and to obtain an overview of the overall security within a network. It is especially useful when applied to larger networks. ERA not only increases the security level, but also provides ease of use in the administration of ESET Smart Security on client workstations.
Remote administration setup options are available from the main ESET Smart Security program window. Click Setup > Enter the entire advanced setup tree... > Miscellaneous > Remote administration.
Activate remote administration by selecting the Connect to Remote Administration server option. You can then access the other options described below:
Server address – Network address of the server where the ERA Server is installed.
Port – This field contains a predefined server port used for the connection. We recommend that you leave the default port setting of 2222.
Interval between connections to server (min.) – This designates how often ESET Smart Security connects to the ERA Server. If it is set to 0, information is submitted every 5 seconds.
Remote Administrator server requires authentication – Allows you to enter a password to connect to the ERA Server, if required. If the server is configured to require a password, leave this enabled; it prevents unauthenticated clients from reporting to (or pulling policy from) the wrong server.
Click OK to confirm the changes and apply the settings. ESET Smart Security will use these settings to connect to the ERA Server.
4.11 Licenses
The Licenses branch allows you to manage the license keys for ESET Smart Security and other ESET products such as ESET Remote Administrator, ESET NOD32 for Microsoft Exchange, etc. After purchase, license keys are delivered along with your username and password. To Add/Remove a license key, click the corresponding button in the license manager (Licenses) window. The license manager is accessible from the Advanced Setup tree under Miscellaneous > Licenses.
The license key is a text file containing information about the purchased product: the owner, the number of licenses, and the expiration date.
The license manager window allows you to upload and view the content of a license key using the Add… button; the information contained is displayed in the manager. To delete license files from the list, click Remove.
If a license key has expired and you are interested in purchasing a renewal, click the Order… button; you will be redirected to our online store.
5. Advanced user
This chapter describes features of ESET Smart Security which may be useful for more advanced users. Setup options for these features are accessible only in Advanced mode. To switch to Advanced mode, click Change... in the bottom left corner of the main program window, or press CTRL+M on your keyboard.
5.1 Proxy server setup
In ESET Smart Security, proxy server setup is available in two different sections within the Advanced Setup tree.
First, proxy server settings can be configured under Miscellaneous > Proxy server. Specifying the proxy server at this level defines global proxy server settings for all of ESET Smart Security. Parameters here are used by all modules requiring a connection to the Internet.
To specify proxy server settings at this level, select the Use proxy server checkbox and then enter the address of the proxy server into the Proxy server: field, along with the Port number of the proxy server.
If communication with the proxy server requires authentication, select the Proxy server requires authentication checkbox and enter a valid Username and Password into the respective fields. Click the Detect proxy server button to automatically detect and insert proxy server settings. The parameters specified in Internet Explorer are copied.
NOTE: This feature does not retrieve authentication data (username and password); it must be supplied by you.
Proxy server settings can also be established within Advanced update setup (Update branch of the Advanced Setup tree). This setting applies to the given update profile and is recommended for laptops, as they often receive virus signature updates from different locations. For more information about this setting, see Section 4.4, "Updating the program".
5.2 Import and export settings
Importing and exporting configurations of ESET Smart Security is available in Advanced mode under Setup.
Both import and export use the .xml file type. Import and export are useful if you need to back up the current configuration of ESET Smart Security to be able to use it later. The export settings option is also convenient for users who wish to use their preferred configuration of ESET Smart Security on multiple systems; they can import the .xml file to transfer the desired settings. Because an imported file replaces protection settings wholesale, only import configuration files from a source you trust, and store exported files where they cannot be modified by other users.
5.2.1 Import settings
Importing a configuration is very easy. From the main menu, click Setup > Import and export settings, and then select the Import settings option. Enter the name of the configuration file or click the ... button to browse for the configuration file you wish to import.
5.2.2 Export settings
The steps to export a configuration are very similar. From the main menu, click Setup > Import and export settings.... Select the Export settings option and enter the name of the configuration file. Use the browser to select a location on your computer in which to save the configuration file.
5.3 Command Line
ESET Smart Security's antivirus module can be launched from the command line, either manually (with the "ecls" command) or from a batch ("bat") file.
The following parameters and switches can be used when running the On-demand scanner from the command line:
General options:
--help                     show help and quit
--version                  show version information and quit
--base-dir=FOLDER          load modules from FOLDER
--quar-dir=FOLDER          quarantine FOLDER
--aind                     show activity indicator

Targets:
--files                    scan files (default)
--no-files                 do not scan files
--boots                    scan boot sectors (default)
--no-boots                 do not scan boot sectors
--arch                     scan archives (default)
--no-arch                  do not scan archives
--max-archive-level=LEVEL  maximum archive nesting LEVEL
--scan-timeout=LIMIT       scan archives for LIMIT seconds at maximum. If the scanning time reaches this limit, the scanning of the archive is stopped and the scan continues with the next file
--max-arch-size=SIZE       scan only the first SIZE bytes in archives (default 0 = unlimited)
--mail                     scan email files
--no-mail                  do not scan email files
--sfx                      scan self-extracting archives
--no-sfx                   do not scan self-extracting archives
--rtp                      scan runtime packers
--no-rtp                   do not scan runtime packers
--exclude=FOLDER           exclude FOLDER from scanning
--subdir                   scan subfolders (default)
--no-subdir                do not scan subfolders
--max-subdir-level=LEVEL   maximum subfolder nesting LEVEL (default 0 = unlimited)
--symlink                  follow symbolic links (default)
--no-symlink               skip symbolic links
--ext-remove=EXTENSIONS
--ext-exclude=EXTENSIONS   exclude EXTENSIONS delimited by colon from scanning

Methods:
--adware                   scan for Adware/Spyware/Riskware
--no-adware                do not scan for Adware/Spyware/Riskware
--unsafe                   scan for potentially unsafe applications
--no-unsafe                do not scan for potentially unsafe applications
--unwanted                 scan for potentially unwanted applications
--no-unwanted              do not scan for potentially unwanted applications
--pattern                  use signatures
--no-pattern               do not use signatures
--heur                     enable heuristics
--no-heur                  disable heuristics
--adv-heur                 enable advanced heuristics
--no-adv-heur              disable advanced heuristics

Cleaning:
--action=ACTION            perform ACTION on infected objects. Available actions: none, clean, prompt
--quarantine               copy infected files to Quarantine (supplements ACTION)
--no-quarantine            do not copy infected files to Quarantine

Logs:
--log-file=FILE            log output to FILE
--log-rewrite              overwrite output file (default: append)
--log-all                  log also clean files
--no-log-all               do not log clean files (default)

Possible exit codes of the scan:
0 – no threat found
1 – threat found but not cleaned
10 – some infected files remained
101 – archive error
102 – access error
103 – internal error
NOTE: Exit codes greater than 100 mean that the file was not scanned and thus can still be infected. A script that drives ecls must therefore treat such codes as "unknown", never as "clean"; only exit code 0 means the targets were scanned and nothing was found.
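As an added example (not ESET's code and not taken from this manual), the Python script below does what a batch file driving ecls would do: it assembles a command line from the switches listed above, runs the scanner, and maps the exit code to a verdict in which codes above 100 are never reported as clean. The ecls.exe install path is an assumption; build_command and interpret run offline, while run_scan requires the product to be installed.

```python
import subprocess
from typing import List, Sequence, Tuple

# Assumed location of the command-line scanner; adjust to the actual install.
ECLS = r"C:\Program Files\ESET\ESET Smart Security\ecls.exe"

# Exit codes documented for the On-demand scanner.
EXIT_CODES = {
    0: "no threat found",
    1: "threat found but not cleaned",
    10: "some infected files remained",
    101: "archive error",
    102: "access error",
    103: "internal error",
}


def build_command(targets: Sequence[str], log_file: str, quarantine: bool = True,
                  exclude: Sequence[str] = (), unwanted: bool = True) -> List[str]:
    """Assemble an ecls command line from the documented switches.

    Scans are appended to nothing: --log-rewrite makes each run's log
    self-contained so a scheduler can archive it per run."""
    cmd = [ECLS, "--action=clean", "--log-file=" + log_file, "--log-rewrite",
           "--subdir", "--arch", "--sfx", "--rtp", "--adv-heur"]
    cmd.append("--quarantine" if quarantine else "--no-quarantine")
    if unwanted:
        cmd += ["--unwanted", "--unsafe"]
    for folder in exclude:
        cmd.append("--exclude=" + folder)
    cmd.extend(targets)            # targets are positional, after all switches
    return cmd


def interpret(exit_code: int) -> Tuple[str, bool, bool]:
    """Map an ecls exit code to (description, scanned, clean).

    Codes above 100 mean the target was NOT scanned, so it may still be
    infected; they are reported as scanned=False, clean=False. An
    undocumented code is treated as scanned but not clean, so it gets looked at."""
    desc = EXIT_CODES.get(exit_code, "undocumented exit code %d" % exit_code)
    if exit_code > 100:
        return desc, False, False
    return desc, True, exit_code == 0


def run_scan(targets: Sequence[str], log_file: str, **kw) -> Tuple[str, bool, bool]:
    """Run ecls with the built command line and interpret its exit code."""
    proc = subprocess.run(build_command(targets, log_file, **kw), check=False)
    return interpret(proc.returncode)


if __name__ == "__main__":
    desc, scanned, clean = run_scan([r"D:\incoming"], r"C:\scanlogs\incoming.log",
                                    exclude=[r"D:\incoming\archive"])
    print(desc, "| scanned" if scanned else "| NOT scanned",
          "| clean" if clean else "| needs attention")
```

check=False is deliberate: subprocess.run would otherwise raise on every non-zero exit, and the non-zero codes are exactly the ones the caller needs to classify.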
5.4 ESET SysInspector
ESET SysInspector is an application that thoroughly inspects your computer and displays system data in a comprehensive way. Information about installed drivers and applications, network connections or important registry entries can help you investigate suspicious system behavior and determine whether it is due to software/hardware incompatibility or a malware infection.
You can access SysInspector in two ways: from the version integrated in ESET Smart Security, or by downloading the standalone version (SysInspector.exe) for free from ESET's website. To open the integrated SysInspector, activate Advanced mode by pressing CTRL+M and click Tools > SysInspector. Both versions are identical in function and have the same program controls. The only difference is how outputs are managed. The downloaded and integrated versions each allow you to export system snapshots to an .xml file and save them to disk. However, the integrated version also allows you to store your system snapshots directly in Tools > SysInspector (for more information see section 5.4.1.4, "SysInspector as part of ESET Smart Security 4").
Please allow some time while ESET SysInspector scans your computer. It may take from 10 seconds up to a few minutes depending on your hardware configuration, operating system and the number of applications installed on your computer.
5.4.1 User Interface and application usage
The main window includes four sections: Program Controls at the top, the Navigation window on the left, and the Description window on the right, which is directly above the Details window.
5.4.1.1 Program Controls
This section contains descriptions of all program controls available in ESET SysInspector.
File – Click here to store your current report for later investigation or to open a previously stored report. If you want to publish your report we recommend you choose Generate > Suitable for sending. This report format omits sensitive information.
NOTE: You can open previously stored ESET SysInspector reports by dragging and dropping them into the main window.
Tree – Allows you to expand or collapse all nodes.
List – Contains functions for easier navigation within the program as well as various other functions like finding information online.
NOTE: Items highlighted in red are unknown and are therefore considered potentially dangerous. If an item is in red, it does not automatically mean that you can delete the file. Before deleting, make sure that the files are truly dangerous or not needed.
Help – Contains information about the application and its functions.
Detail – Influences the information displayed in other sections of SysInspector. In Basic mode you have access to information used to find solutions for common problems in your system. In Medium mode the program displays less used details. In Full mode ESET SysInspector displays the detailed information needed to solve more complex problems.
Item filtering – The most effective use of Item filtering is to find suspicious files or registry entries in your system. By adjusting the slider you can filter items by their Risk Level. If the slider is set to the far left (Risk Level 1), all items are displayed. By moving the slider to the right, the program filters out items that are less risky than the current Risk Level and only displays items that are at least as suspicious as the selected level. With the slider on the far right, the program displays only known harmful items.
All items within the range 6 to 9 can pose a security risk. If you do not have an ESET security solution installed, we recommend you scan your system with the ESET Online scanner after the program has found any high-risk items. ESET Online scanner is a free service and can be found at http://www.eset.com/onlinescan/.
NOTE: The Risk level of an item can be determined quickly by comparing the color of the item with the color on the Risk Level slider.
Search – Search can be used to quickly find a specific item by its name or part of its name. The results of search requests are displayed in the Description window.
Return – By clicking the back or forward arrow you can return to previously displayed information in the Description window.
Status section – Displays the current node in the Navigation window.
5.4.1.2 Navigating in ESET SysInspector
ESET SysInspector divides the various types of information into several basic sections called nodes. If available, you may find additional details by expanding each node into its subnodes. To open or collapse a node, double-click the name of the node or click the expand/collapse icon next to its name. As you browse through the tree structure of nodes and subnodes in the Navigation window, details for each node are shown in the Description window. If you browse through items in the Description window, additional details for each item may be displayed in the Details window.
Below are descriptions of the main nodes in the Navigation window and the related information in the Description and Details windows.
Running processes – This node contains information about applications and processes running at the time the report was generated. The Description window displays details for each process, such as the dynamic libraries used by the process and their location in the system, the name of the application's vendor, the risk level of the file, etc.
The Details window contains additional information about items selected in the Description window, such as the file size or its hash.
NOTE: An operating system is comprised of several important kernel processes which run continually in order to provide basic functions vital to other applications. In certain cases, such processes are displayed in ESET SysInspector as a file path beginning with \??\ (the native NT path prefix under which drive letters are mapped). This prefix by itself is normal and is not a sign of a problem.
Network connections – The Description window contains a list of processes and applications communicating over the network. The communication protocol used (TCP or UDP) is shown in the Navigation window, along with the remote address to which the application is connecting. You can also check DNS-assigned IP addresses.
The Details window contains additional information about items selected in the Description window, such as the file size or its hash.
Important Registry Entries – Contains a list of selected registry entries often related to various problems with your system, such as those specifying startup programs, browser helper objects (BHO), etc.
In the Description window you can see which files are related to specific registry entries. You may see additional details in the Details window.
Services – The Description window contains a list of files registered as Windows Services. You can check the way the service is set to start along with specific details about the file in the Details window.
Drivers – The list of drivers installed on the system.
Critical files – The Description window displays the content of critical files related to the Microsoft Windows® operating system.
System information – Contains detailed information about hardware and software along with information about the set environment variables and user rights.
File details – A list of important system files and files in the Program Files folder. Additional information specific to the files can be found in the Description and Details windows.
About – Information about ESET SysInspector.
5.4.1.3 Compare
The Compare feature allows you to compare two existing SysInspector logs in order to highlight the differences between them. This feature is useful if you want to keep track of changes to the system and may allow you to detect the activity of malicious code.
After launching, ESET SysInspector creates a new log, which is displayed in a new window. Navigate to File > Save Log to save a log to a file. Log files can later be opened and viewed. To open an existing log, click File > Open Log. In the main program window, ESET SysInspector always displays one log at a time.
When comparing two logs, you compare the currently active log to a log saved in a file. To compare logs, use the option File > Compare Log and choose Select file. The selected log is compared to the active one in the main program window. The resulting so-called comparative log displays only the differences between those two logs.
NOTE: If you compare two log files, then select File > Save Log and save the result as a .zip file, both files are saved. If you later open this file, the contained logs are automatically compared.
Next to the displayed items, SysInspector shows symbols identifying differences between the compared logs. Items marked with the "new value" symbol can only be found in the active log and were not present in the opened comparative log. Items marked with the "removed value" symbol, on the other hand, were present only in the opened log and are missing in the active one.
Description of all symbols that can be displayed next to items:
– new value, not present in the previous log
– tree structure section contains new values
– removed value, present in the previous log only
– tree structure section contains removed values
– value/file has been changed
– tree structure section contains modified values/files
– the risk level has decreased (it was higher in the previous log)
– the risk level has increased (it was lower in the previous log)
The explanation section displayed in the bottom left corner describes all symbols and also displays the names of the logs which are being compared.
Any comparative log can be saved to a file and opened at a later time.
Example: Generate and save a log, recording the original information about the system, to a file named previous.xml. After changes to the system have been made, open SysInspector and let it generate a new log. Save it to a file named current.xml. For the baseline to be trustworthy, previous.xml should be taken while the system is known to be clean and kept somewhere the system being monitored cannot modify.
In order to track changes between those two logs, click File > Compare Log. The program will create a comparative log showing the differences between the logs.
The same result can be achieved with the following command line:
SysInspector.exe current.xml previous.xml
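The following Python script is an added example, not SysInspector's own comparison code and not a reader of its .xml format (which this manual does not describe). It models two snapshots as dictionaries keyed by (node, item name) with a (value, risk level) pair, which is an assumption made for illustration, and produces the same categories the comparative log uses: new, removed, changed, and risk increased/decreased, rolled up to the node level, plus a shortlist of new or escalated items in the 6 to 9 risk range mentioned above. The snapshot contents are constructed from this section's examples.

```python
from typing import Dict, List, Set, Tuple

# (node, item name) -> (value, risk level 1..9). Constructed data, not a real scan.
Snapshot = Dict[Tuple[str, str], Tuple[str, int]]

PREVIOUS: Snapshot = {
    ("Running processes", r"C:\Windows\system32\svchost.exe"): ("FD08", 1),
    ("Running processes", r"C:\Windows\system32\smss.exe"): ("4725", 1),
    ("Services", "Application Layer Gateway Service"): ("Stopped/Manual", 1),
    ("DNS server entries", "172.16.152.2"): ("", 1),
}
CURRENT: Snapshot = {
    ("Running processes", r"C:\Windows\system32\svchost.exe"): ("FD08", 1),
    ("Running processes", r"C:\Windows\system32\module32.exe"): ("CF8A", 8),
    ("Services", "Application Layer Gateway Service"): ("Running/Automatic", 1),
    ("DNS server entries", "172.16.152.2"): ("", 1),
    ("DNS server entries", "204.74.105.85"): ("", 6),
}


def compare_snapshots(previous: Snapshot, current: Snapshot) -> Dict[Tuple[str, str], str]:
    """Return {(node, name): symbol} for every item that differs.

    symbol is one of 'new', 'removed', 'changed', 'risk_up', 'risk_down'.
    A risk-level change takes precedence over a value change, because that is
    the difference an investigator wants surfaced first. Unchanged items are
    omitted, matching the comparative log, which shows differences only."""
    diff: Dict[Tuple[str, str], str] = {}
    for key, (value, risk) in current.items():
        if key not in previous:
            diff[key] = "new"
            continue
        old_value, old_risk = previous[key]
        if risk > old_risk:
            diff[key] = "risk_up"
        elif risk < old_risk:
            diff[key] = "risk_down"
        elif value != old_value:
            diff[key] = "changed"
    for key in previous:
        if key not in current:
            diff[key] = "removed"
    return diff


def node_summary(diff: Dict[Tuple[str, str], str]) -> Dict[str, Set[str]]:
    """Roll item symbols up to the tree-section level, as the node markers do."""
    nodes: Dict[str, Set[str]] = {}
    for (node, _name), symbol in diff.items():
        nodes.setdefault(node, set()).add(symbol)
    return nodes


def suspicious(diff: Dict[Tuple[str, str], str], current: Snapshot,
               threshold: int = 6) -> List[str]:
    """Names of new or escalated items whose current risk is >= threshold."""
    return sorted(name for (node, name), symbol in diff.items()
                  if symbol in ("new", "risk_up") and current[(node, name)][1] >= threshold)


if __name__ == "__main__":
    diff = compare_snapshots(PREVIOUS, CURRENT)
    for key, symbol in diff.items():
        print("%-9s %s / %s" % (symbol, key[0], key[1]))
    print("review first:", suspicious(diff, CURRENT))
```

Removed items are reported too: a process that vanished between two snapshots can be as telling as one that appeared, which is why the comparative log marks both directions.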
5.4.1.4 SysInspector as part of ESET Smart Security 4
To open SysInspector in ESET Smart Security, click Tools > SysInspector. The management system in the SysInspector window is similar to that of computer scan logs or scheduled tasks. All operations with system snapshots (create, view, compare, remove and export) are accessible within one or two clicks.
The SysInspector window contains basic information about the created snapshots, such as creation time, short comment, name of the user that created the snapshot and snapshot status.
To Compare, Add... or Remove snapshots, use the corresponding buttons located below the list of snapshots in the SysInspector window. Those options are also available from the context menu. To view the selected system snapshot, use the View context menu option. To export the selected snapshot to a file, right-click it and select Export.... A detailed description of the available options follows:
Compare – Allows you to compare two existing logs. This feature is useful if you want to track changes between the current log and an older log. For this option to take effect you must select two snapshots to be compared.
Add – Creates a new record. Before that you must enter a short comment about the record. To see the creation progress of the snapshot currently being generated, in percent, see the Status column. All completed snapshots are marked with the Created status.
Remove – Removes entries from the list.
Show – Displays the selected snapshot. Alternatively, you can double-click the selected entry.
Export... – Saves the selected entry in an .xml file (as well as a .zip version).
5.4.1.5 Service script
Service script is a tool that directly influences the operating system and installed applications, allowing users to execute scripts that remove problematic components from the system, including viruses, remnants of viruses, blocked files, virus records in the registry, etc. The script is stored in a text file generated from a pre-existing .xml file. The data in the .txt script file is ordered simply and legibly, for ease of use. The script initially exhibits neutral behavior. In other words, it has no impact on the system while in its original form. The user needs to edit the script for it to have any effect.
Warning: This tool is intended for advanced users only. Incorrect use may result in damage to programs or the operating system.
5.4.1.5.1 Generating Service scripts
To generate a script, right-click any item in the menu tree (in the left pane) of the SysInspector main window. From the context menu, select either the Export All Sections To Service Script option or the Export Selected Sections To Service Script option.
5.4.1.5.2 Structure of the Service script
In the first line of the script's header you can find information about the Engine version (ev), GUI version (gv) and the Log version (lv). You can use this data to track possible changes in the .xml file that generates the script and prevent any inconsistencies during execution. This part of the script must not be altered.
The remainder of the file is divided into sections in which items can be edited (to mark those that will be processed by the script). You mark items for processing by replacing the "-" character in front of an item with a "+" character. Sections in the script are separated from each other by an empty line. Each section has a number and a title.
01) Running processes
This section contains a list of all processes running in the system. Each process is identified by its UNC path and, subsequently, its CRC16 hash code in asterisks (*).
Example:
01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*
[...]
In this example a process, module32.exe, was selected (marked by a "+" character); the process will be ended upon execution of the script.
02)Loadedmodules
Thissectionlistscurrentlyusedsystemmodules.
Example:
02) Loaded modules: ‑ c:\windows\system32\svchost.exe ‑ c:\windows\system32\kernel32.dll + c:\windows\system32\khbekhb.dll
40
‑ c:\windows\system32\advapi32.dll [...]
In this example the module khbekhb.dll was marked by a "+". When the script runs, it will recognize the processes using that specific module and end them.
03) TCP connections
This section contains information about existing TCP connections.
Example:
03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
- Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006,
- Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe
- Listening on *, port 445 (microsoft-ds), owner: System
[...]
When the script runs, it will locate the owner of the socket in the marked TCP connections and stop the socket, freeing system resources.
04) UDP endpoints
This section contains information about existing UDP endpoints.
Example:
04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
+ 0.0.0.0, port 3702
- 0.0.0.0, port 4500 (ipsec-msft)
- 0.0.0.0, port 500 (isakmp)
[...]
When the script runs, it will isolate the owner of the socket at the marked UDP endpoints and stop the socket.
05) DNS server entries
This section contains information about the current DNS server configuration.
Example:
05) DNS server entries:
+ 204.74.105.85
- 172.16.152.2
[...]
Marked DNS server entries will be removed when you run the script.
06) Important registry entries
This section contains information about important registry entries.
Example:
06) Important registry entries:
* Category: Standard Autostart (3 items)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
- IgfxTray = C:\Windows\system32\igfxtray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Google Update = "C:\Users\antoniak\AppData\Local\Google\Update\GoogleUpdate.exe" /c
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://thatcrack.com/
[...]
The marked entries will be deleted, reduced to 0-byte values or reset to their default values upon script execution. The action to be applied to a particular entry depends on the entry category and key value in the specific registry.
07) Services
This section lists services registered within the system.
Example:
07) Services:
- Name: Andrea ADI Filters Service, exe path: c:\windows\system32\aeadisrv.exe, state: Running, startup: Automatic
- Name: Application Experience Service, exe path: c:\windows\system32\aelupsvc.dll, state: Running, startup: Automatic
- Name: Application Layer Gateway Service, exe path: c:\windows\system32\alg.exe, state: Stopped, startup: Manual
[...]
The services marked and their dependent services will be stopped and uninstalled when the script is executed.
08) Drivers
This section lists installed drivers.
Example:
08) Drivers:
- Name: Microsoft ACPI Driver, exe path: c:\windows\system32\drivers\acpi.sys, state: Running, startup: Boot
- Name: ADI UAA Function Driver for High Definition Audio Service, exe path: c:\windows\system32\drivers\adihdaud.sys, state: Running, startup: Manual
[...]
When you execute the script, the drivers selected will be unregistered from the system and removed.
09) Critical files
This section contains information about files critical to proper function of the operating system.
Example:
09) Critical files:
* File: win.ini
- [fonts]
- [extensions]
- [files]
- MAPI=1
[...]
* File: system.ini
- [386Enh]
- woafont=dosapp.fon
- EGA80WOA.FON=EGA80WOA.FON
[...]
* File: hosts
- 127.0.0.1 localhost
- ::1 localhost
[...]
The selected items will either be deleted or reset to their original values.
5.4.1.5.3 How to execute Service scripts
Mark all desired items, then save and close the script. Run the edited script directly from the SysInspector main window by selecting the Run Service Script option from the File menu. When you open a script, the program will prompt you with the following message: Are you sure you want to run the service script "%Scriptname%"? After you confirm your selection, another warning may appear, informing you that the service script you are trying to run has not been signed. Click Run to start the script.
A dialog window will confirm successful execution of the script.
If the script could only be partially processed, a dialog window with the following message will appear: The service script was run partially. Do you want to view the error report? Select Yes to view a complex error report listing the operations that were not executed.
Your script was not recognized as valid and will not be run if you see the following message: Are there any issues with the script consistency (damaged heading, corrupt section title, empty line missing between sections etc.)? You can either reopen the script file and correct the errors within the script or create a new service script.
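The section format described above, parsed into a preview of what a script will do before it is run, plus a check for the consistency problems the guide lists. This is an added example in Python, not ESET's own parser: the heading grammar ("NN) Title:"), the blank-line separation rule and the action table are assumptions reconstructed from the examples in this section, and the sample scripts are constructed from those examples.

```python
import re
from dataclasses import dataclass, field

# Section heading as in the guide's examples ("03) TCP connections:"). This grammar is an
# assumption reconstructed from those examples and the consistency errors the guide lists.
SECTION_RE = re.compile(r"^(\d{2})\) (.+):$")

# What the guide says happens to an item marked "+" in each section when the script runs.
ACTIONS = {
    "03": "stop socket owned by the listed process",
    "04": "stop socket at the listed UDP endpoint",
    "05": "remove DNS server entry",
    "06": "delete, zero or reset registry value",
    "07": "stop and uninstall service and its dependents",
    "08": "unregister and remove driver",
    "09": "delete or reset critical file entry",
}

@dataclass
class Section:
    number: str
    title: str
    group: str = ""                             # current "* Category:", "* File:" or registry key
    items: list = field(default_factory=list)   # (marker, group, text)

def parse_service_script(text: str) -> tuple:
    """Return ({section number: Section}, [consistency errors]) for a service script."""
    sections, errors = {}, []
    current = None
    blank_before = True
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            blank_before = True
            continue
        heading = SECTION_RE.match(line)
        if heading:
            if current is not None and not blank_before:
                errors.append(f"line {lineno}: empty line missing before section {heading.group(1)}")
            current = Section(heading.group(1), heading.group(2))
            sections[current.number] = current
        elif line[0].isdigit():   # starts like a heading but does not parse: damaged heading
            errors.append(f"line {lineno}: damaged section heading {line!r}")
        elif current is None:
            errors.append(f"line {lineno}: item before any section heading")
        elif line == "[...]":
            pass                  # truncation marker used in the guide's examples
        elif line[0] in "+-" and line[1:2] == " ":
            current.items.append((line[0], current.group, line[2:]))
        else:
            current.group = line.lstrip("* ")   # category, file name or registry key
        blank_before = False
    return sections, errors

def marked_items(sections: dict) -> dict:
    """Section number -> texts of the items marked '+', i.e. the ones the script will act on."""
    return {n: [t for m, _, t in s.items if m == "+"] for n, s in sections.items()}

def plan(sections: dict) -> list:
    """Readable preview of what running the script would do, for review before execution."""
    out = []
    for number, texts in marked_items(sections).items():
        action = ACTIONS.get(number, "unknown action")
        out.extend(f"{number}: {action}: {t}" for t in texts)
    return out

# Constructed sample script, assembled from the fragments shown in this section.
SAMPLE = r"""03) TCP connections:
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe
[...]

04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
+ 0.0.0.0, port 3702

05) DNS server entries:
+ 204.74.105.85
- 172.16.152.2

06) Important registry entries:
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://thatcrack.com/
"""

# Constructed script showing two of the consistency errors the guide names.
BROKEN = """03) TCP connections:
+ Listening on *, port 2401, owner: fservice.exe
04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
05 DNS server entries:
+ 204.74.105.85
"""
```

Running `plan(parse_service_script(SAMPLE)[0])` lists one planned action per "+" item, which is the review step worth doing before confirming the "Run Service Script" prompt.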
5.5 ESET SysRescue
ESET SysRescue (ESR) is a utility which enables you to create a bootable disk containing ESET Smart Security 4 (ESS). The main advantage of ESET Recovery CD is that ESS runs independent of the host operating system, while it has direct access to the disk and the entire file system. This makes it possible to remove infiltrations which normally could not be deleted, e.g., when the operating system is running, etc.
5.5.1 Minimum requirements
ESET SysRescue (ESR) works in the Microsoft Windows Preinstallation Environment (Windows PE) version 2.x, which is based on Windows Vista. Windows PE is a part of the free package Windows Automated Installation Kit (Windows AIK), and therefore Windows AIK must be installed before creating ESR. Due to the support of the 32-bit version of Windows PE, ESR can be created using the 32-bit version of ESS only. ESR supports Windows AIK 1.1 and later. ESR is available in ESS 4.0 and later.
5.5.2 How to create rescue CD
If the minimum requirements for the creation of ESET SysRescue (ESR) CD are met, it is quite an easy task to accomplish. To launch the ESR wizard, click Start > Programs > ESET > ESET Smart Security > ESET SysRescue.
First, the wizard checks for the presence of Windows AIK and a suitable device for the boot media creation.
In the next step select the target media where ESR will be located. In addition to CD/DVD/USB you can choose to save ESR in an .iso file. Later, you can burn the .iso image on CD/DVD, or use it in other ways (e.g., in a virtual environment such as VMware or VirtualBox).
After you have specified all parameters, you will see a compilation preview in the last step of ESET SysRescue wizard. Check the parameters and start the compilation. The available options include:
• Folders
• ESET Antivirus
• Advanced
• Bootable USB device
• Burning
5.5.2.1 Folders
Temporary folder – Working directory for files required during ESET SysRescue compilation.
ISO folder – Folder where the resulting .iso file is saved after the compilation is completed.
The list on this tab shows all local and mapped network drives together with the available free space. If any of the folders here are located on a drive with insufficient free space, we recommend that you select another drive with more free space available. Otherwise compilation may exit prematurely due to insufficient free disk space.
External applications – Allows you to specify additional programs that will be run or installed after booting from a SysRescue medium.
Include external applications – Allows you to add external programs to the SysRescue compilation.
Selected folder – Folder in which programs to be added to the SysRescue disk are located.
5.5.2.2 ESET Antivirus
To create an ESET SysRescue CD, you can select two sources of ESET files to be used by the compiler.
ENA folder – Files already contained in the folder to which the ESET product is installed on your computer.
MSI file – Files contained in the .msi installer are used.
Profile – You can use one of the following two sources of username and password:
Installed ENA – Username and password are copied from the currently installed ESET security product.
From user – Username and password entered in the corresponding text boxes below are used.
NOTE: The ESET security product on the ESET SysRescue CD is updated either from the Internet or from the computer running the ESET SysRescue CD.
5.5.2.3 Advanced
The Advanced tab lets you optimize ESET SysRescue CD according to your computer's memory capacity. Select 512 MB and more to write the content of the CD to the operating memory (RAM). If you select less than 512 MB, the recovery CD will be permanently accessed when WinPE is running.
External drivers – This section explains how to add drivers for your specific hardware (e.g., network adapter). Although WinPE is based on Windows Vista SP1, which supports a large range of hardware, occasionally hardware is not recognized. This will require that you add a driver manually.
There are two ways of introducing a driver into an ESET SysRescue compilation: manually (the Add button) and automatically (the Aut. Search button). If you manually add a driver, you need to select the path to the corresponding .inf file (the applicable *.sys file must also be present in this folder). Using the Aut. Search button automatically locates the driver in the operating system of the given computer. We recommend you use this option only if the original computer on which the SysRescue disc was created and the computer you are restoring to use the same network adapter. During creation of the ESET SysRescue disc, the driver is introduced into the compilation so you do not need to look for it later.
5.5.2.4 Bootable USB device
If you have selected USB device as your target medium, you can select one of the available USB media on the Bootable USB device tab (in case there are more USB devices).
Warning: The selected USB device will be formatted during ESET SysRescue creation. All data on the device will be deleted.
5.5.2.5 Burn
If you have selected CD/DVD as your target medium, you can specify additional burning parameters on the Burn tab.
Delete ISO file – Select this option to delete .iso files after the ESET Rescue CD is created.
Deletion enabled – Allows you to select fast erasing and complete erasing.
Burning device – Select the drive to be used for burning.
Warning: This is the default option. If a rewritable CD/DVD is used, all data on the CD/DVD will be erased.
The Medium section contains information about the current medium inserted in your CD/DVD device.
Burning speed – Select the desired speed from the drop-down menu. The capabilities of your burning device and the type of CD/DVD used should be considered when selecting the burning speed.
5.5.3 Working with ESET SysRescue
For the rescue CD/DVD/USB to work effectively, you must start your computer from the ESET SysRescue boot media. Boot priority can be modified in the BIOS. Alternatively, you can invoke the boot menu during computer startup, usually using one of the F9-F12 keys depending on the version of your motherboard/BIOS.
After booting up, ESS will start. Since ESET SysRescue is used only in specific situations, some protection modules and program features present in the standard version of ESS are not needed; their list is narrowed down to Computer scan, Update, and some sections in Setup. The ability to update the virus signature database is the most important feature of ESET SysRescue; we recommend that you update the program prior to starting a Computer scan.
5.5.3.1 Using ESET SysRescue
Suppose that computers in the network have been infected by a virus which modifies executable (.exe) files. ESS is capable of cleaning all infected files except for explorer.exe, which cannot be cleaned, even in Safe mode.
This is because explorer.exe, as one of the essential Windows processes, is launched in Safe mode as well. ESS would not be able to perform any action with the file and it would remain infected.
In this type of scenario, you could use ESET SysRescue to solve the problem. ESET SysRescue does not require any component of the host operating system, and is therefore capable of processing (cleaning, deleting) any file on the disk.
6. Glossary
6.1 Types of infiltration
An infiltration is a piece of malicious software trying to enter and/or damage a user's computer.
6.1.1 Viruses
A computer virus is an infiltration that corrupts existing files on your computer. Viruses are named after biological viruses, because they use similar techniques to spread from one computer to another.
Computer viruses mainly attack executable files and documents. To replicate, a virus attaches its "body" to the end of a target file. In short, this is how a computer virus works: after execution of the infected file, the virus activates itself (before the original application) and performs its predefined task. Only after that is the original application allowed to run. A virus cannot infect a computer unless a user, either accidentally or deliberately, runs or opens the malicious program by him/herself.
Computer viruses can range in purpose and severity. Some of them are extremely dangerous because of their ability to purposely delete files from a hard drive. On the other hand, some viruses do not cause any damage – they only serve to annoy the user and demonstrate the technical skills of their authors.
It is important to note that viruses (when compared to trojans or spyware) are increasingly rare because they are not commercially enticing for malicious software authors. Additionally, the term "virus" is often used incorrectly to cover all types of infiltrations. This usage is gradually being overcome and replaced by the new, more accurate term "malware" (malicious software).
If your computer is infected with a virus, it is necessary to restore infected files to their original state – i.e., to clean them by using an antivirus program.
Examples of viruses are: OneHalf, Tenga, and Yankee Doodle.
6.1.2 Worms
A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The basic difference between a virus and a worm is that worms have the ability to replicate and travel by themselves – they are not dependent on host files (or boot sectors). Worms spread through email addresses in your contact list or exploit security vulnerabilities in network applications.
Worms are therefore much more viable than computer viruses. Due to the wide availability of the Internet, they can spread across the globe within hours or even minutes of their release. This ability to replicate independently and rapidly makes them more dangerous than other types of malware.
A worm activated in a system can cause a number of inconveniences: it can delete files, degrade system performance, or even deactivate programs. The nature of a computer worm qualifies it as a "means of transport" for other types of infiltrations.
If your computer is infected with a worm, we recommend you delete the infected files because they likely contain malicious code.
Examples of well-known worms are: Lovsan/Blaster, Stration/Warezov, Bagle, and Netsky.
6.1.3 Trojan horses
Historically, computer trojan horses have been defined as a class of infiltrations which attempt to present themselves as useful programs, thus tricking users into letting them run. But it is important to note that this was true for trojan horses in the past – today, there is no longer a need for them to disguise themselves. Their sole purpose is to infiltrate as easily as possible and accomplish their malicious goals. "Trojan horse" has become a very general term describing any infiltration not falling under any specific class of infiltration.
Since this is a very broad category, it is often divided into many subcategories:
Downloader – A malicious program with the ability to download other infiltrations from the Internet.
Dropper – A type of trojan horse designed to drop other types of malware onto compromised computers.
Backdoor – An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it.
Keylogger (keystroke logger) – A program which records each keystroke that a user types and sends the information to remote attackers.
Dialer – Dialers are programs designed to connect to premium-rate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dial-up modems, which are no longer regularly used.
Trojan horses usually take the form of executable files with the extension .exe. If a file on your computer is detected as a trojan horse, it is advisable to delete it, since it most likely contains malicious code.
Examples of well-known trojans are: NetBus, Trojandownloader.Small.ZL, Slapper.
6.1.4 Rootkits
Rootkits are malicious programs that grant Internet attackers unlimited access to a system, while concealing their presence. Rootkits, after accessing a system (usually exploiting a system vulnerability), use functions in the operating system to avoid detection by antivirus software: they conceal processes, files and Windows registry data. For this reason, it is almost impossible to detect them using ordinary testing techniques.
There are two levels of detection to prevent rootkits:
1. When they try to access a system. They are still not present, and are therefore inactive. Most antivirus systems are able to eliminate rootkits at this level (assuming that they actually detect such files as being infected).
2. When they are hidden from the usual testing. ESET NOD32 Antivirus users have the advantage of Anti-Stealth technology, which is also able to detect and eliminate active rootkits.
6.1.5 Adware
Adware is short for advertising-supported software. Programs displaying advertising material fall under this category. Adware applications often automatically open a new pop-up window containing advertisements in an Internet browser, or change the browser's home page. Adware is frequently bundled with freeware programs, allowing their creators to cover development costs of their (usually useful) applications.
Adware itself is not dangerous – users will only be bothered with advertisements. Its danger lies in the fact that adware may also perform tracking functions (as spyware does).
If you decide to use a freeware product, please pay particular attention to the installation program. The installer will most likely notify you of the installation of an extra adware program. Often you will be allowed to cancel it and install the program without adware.
Some programs will not install without adware, or their functionality will be limited. This means that adware may often access the system in a "legal" way, because users have agreed to it. In this case, it is better to be safe than sorry. If there is a file detected as adware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.
6.1.6 Spyware
This category covers all applications which send private information without user consent/awareness. Spyware uses tracking functions to send various statistical data such as a list of visited websites, email addresses from the user's contact list, or a list of recorded keystrokes.
The authors of spyware claim that these techniques aim to find out more about users' needs and interests and allow better-targeted advertisement. The problem is that there is no clear distinction between useful and malicious applications and no one can be sure that the retrieved information will not be misused. The data obtained by spyware applications may contain security codes, PINs, bank account numbers, etc. Spyware is often bundled with free versions of a program by its author in order to generate revenue or to offer an incentive for purchasing the software. Often, users are informed of the presence of spyware during a program's installation to give them an incentive to upgrade to a paid version without it.
Examples of well-known freeware products which come bundled with spyware are client applications of P2P (peer-to-peer) networks. Spyfalcon or SpySheriff (and many more) belong to a specific spyware subcategory – they appear to be antispyware programs, but in fact they are spyware programs themselves.
If a file is detected as spyware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.
6.1.7 Potentially unsafe applications
There are many legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands, they may be misused for malicious purposes. ESET Smart Security provides the option to detect such threats.
"Potentially unsafe applications" is the classification used for commercial, legitimate software. This classification includes programs such as remote access tools, password-cracking applications, and keyloggers (a program that records each keystroke a user types).
If you find that there is a potentially unsafe application present and running on your computer (and you did not install it), please consult your network administrator or remove the application.
6.1.8 Potentially unwanted applications
Potentially unwanted applications are not necessarily intended to be malicious, but may affect the performance of your computer in a negative way. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (compared to the state before their installation). The most significant changes are:
• New windows you haven't seen previously are opened
• Activation and running of hidden processes
• Increased usage of system resources
• Changes in search results
• Application communicates with remote servers
6.2 Types of remote attacks
There are many special techniques which allow attackers to compromise remote systems. These are divided into several categories.
6.2.1 DoS attacks
DoS, or Denial of Service, is an attempt to make a computer or network unavailable for its intended users. The communication between afflicted users is obstructed and can no longer continue in a functional way. Computers exposed to DoS attacks usually need to be restarted in order to work properly.
In most cases, the targets are web servers and the aim is to make them unavailable to users for a certain period of time.
6.2.2 DNS Poisoning
Using DNS (Domain Name Server) poisoning, hackers can trick the DNS server of any computer into believing that the fake data they supplied is legitimate and authentic. The fake information is cached for a certain period of time, allowing attackers to rewrite DNS replies of IP addresses. As a result, users trying to access Internet websites will download computer viruses or worms instead of their original content.
6.2.3 Worm attacks
A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The network worms exploit security vulnerabilities in various applications. Due to the availability of the Internet, they can spread all over the world within a few hours of their release. In some cases, even in minutes.
Most worm attacks (Sasser, SqlSlammer) can be avoided by using default security settings in the firewall, or by blocking unprotected and unused ports. Also, it is essential that your operating system is updated with the most recent security patches.
6.2.4 Port scanning
Port scanning is used to determine which computer ports are open on a network host. A port scanner is software designed to find such ports.
A computer port is a virtual point which handles incoming and outgoing data – this is crucial from a security point of view. In a large network, the information gathered by port scanners may help to identify potential vulnerabilities. Such use is legitimate.
Still, port scanning is often used by hackers attempting to compromise security. Their first step is to send packets to each port. Depending on the response type, it is possible to determine which ports are in use. The scanning itself causes no damage, but be aware that this activity can reveal potential vulnerabilities and allow attackers to take control of remote computers.
Network administrators are advised to block all unused ports and protect those that are in use from unauthorized access.
6.2.5 TCP desynchronization
TCP desynchronization is a technique used in TCP Hijacking attacks. It is triggered by a process in which the sequential number in incoming packets differs from the expected sequential number. Packets with an unexpected sequential number are dismissed (or saved in the buffer storage, if they are present in the current communication window).
In desynchronization, both communication endpoints dismiss received packets, at which point remote attackers are able to infiltrate and supply packets with a correct sequential number. The attackers can even manipulate or modify communication.
TCP Hijacking attacks aim to interrupt server-client, or peer-to-peer communications. Many attacks can be avoided by using authentication for each TCP segment. It is also advised to use the recommended configurations for your network devices.
6.2.6 SMB Relay
SMBRelay and SMBRelay2 are special programs that are capable of carrying out attacks against remote computers. The programs take advantage of the Server Message Block file sharing protocol, which is layered onto NetBIOS. A user sharing any folder or directory within the LAN most likely uses this file sharing protocol.
Within local network communication, password hashes are exchanged.
SMBRelay receives a connection on UDP port 139 and 445, relays the packets exchanged by the client and server, and modifies them. After connecting and authenticating, the client is disconnected. SMBRelay creates a new virtual IP address. The new address can be accessed using the command "net use \\192.168.1.1". The address can then be used by any of the Windows networking functions. SMBRelay relays SMB protocol communication except for negotiation and authentication. Remote attackers can use the IP address, as long as the client computer is connected.
SMBRelay2 works on the same principle as SMBRelay, except it uses NetBIOS names rather than IP addresses. Both can carry out "man-in-the-middle" attacks. These attacks allow remote attackers to read, insert and modify messages exchanged between two communication endpoints without being noticed. Computers exposed to such attacks often stop responding or unexpectedly restart.
To avoid attacks, we recommend that you use authentication passwords or keys.
6.2.7 ICMP attacks
The ICMP (Internet Control Message Protocol) is a popular and widely-used Internet protocol. It is used primarily by networked computers to send various error messages.
Remote attackers attempt to exploit the weaknesses of the ICMP protocol. The ICMP protocol is designed for one-way communication requiring no authentication. This enables remote attackers to trigger so-called DoS (Denial of Service) attacks, or attacks which give unauthorized individuals access to incoming and outgoing packets.
Typical examples of an ICMP attack are ping flood, ICMP_ECHO flood and smurf attacks. Computers exposed to the ICMP attack are significantly slower (this applies to all applications using the Internet) and have problems connecting to the Internet.
6.3 Email
Email, or electronic mail, is a modern form of communication with many advantages. It is flexible, fast and direct, and played a crucial role in the proliferation of the Internet in the early 1990s.
Unfortunately, with a high level of anonymity, email and the Internet leave room for illegal activities such as spamming. Spam includes unsolicited advertisements, hoaxes and proliferation of malicious software – malware. The inconvenience and danger to you is increased by the fact that the cost of sending spam is minimal, and authors of spam have many tools to acquire new email addresses. In addition, the volume and variety of spam makes it very difficult to regulate. The longer you use your email address, the more likely it will end up in a spam engine database. Some hints for prevention:
• If possible, don't publish your email address on the Internet
• Only give your email address to trusted individuals
• If possible, don't use common aliases – with more complicated aliases, the probability of tracking is lower
• Don't reply to spam that has already arrived in your inbox
• Be careful when filling out Internet forms – be especially cautious of options such as "Yes, I want to receive information".
• Use "specialized" email addresses – e.g., one for business, one for communication with your friends, etc.
• From time to time, change your email address
• Use an Antispam solution
6.3.1 Advertisements
Internet advertising is one of the most rapidly growing forms of advertising. Its main marketing advantages are minimal costs and a high level of directness; what's more, messages are delivered almost immediately. Many companies use email marketing tools to effectively communicate with their current and prospective customers.
This type of advertising is legitimate, since you may be interested in receiving commercial information about some products. But many companies send unsolicited bulk commercial messages. In such cases, email advertising crosses the line and becomes spam.
The amount of unsolicited email has become a problem and it shows no signs of slowing. Authors of unsolicited email often attempt to disguise spam as legitimate messages.
6.3.2 Hoaxes
A hoax is misinformation which is spread across the Internet. Hoaxes are usually sent via email or communication tools like ICQ and Skype. The message itself is often a joke or urban legend.
Computer virus hoaxes try to generate fear, uncertainty and doubt (FUD) in the recipients, bringing them to believe that there is an "undetectable virus" deleting files and retrieving passwords, or performing some other harmful activity on their system.
Some hoaxes work by asking recipients to forward messages to their contacts, perpetuating the hoax. There are mobile phone hoaxes, pleas for help, people offering to send you money from abroad, etc. It is often impossible to determine the intent of the creator.
If you see a message prompting you to forward it to everyone you know, it may very well be a hoax. There are many websites on the Internet that can verify if an email is legitimate. Before forwarding, perform an Internet search on any message you suspect is a hoax.
6.3.3 Phishing
The term phishing defines a criminal activity which uses techniques of social engineering (manipulating users in order to obtain confidential information). Its aim is to gain access to sensitive data such as bank account numbers, PIN codes, etc.
Access is usually achieved by sending email masquerading as a trustworthy person or business (e.g., financial institution, insurance company). The email can look very genuine, and will contain graphics and content which may have originally come from the source it is impersonating. You will be asked to enter, under various pretenses (data verification, financial operations), some of your personal data – bank account numbers or usernames and passwords. All such data, if submitted, can easily be stolen and misused.
Banks, insurance companies, and other legitimate companies will never request usernames and passwords in an unsolicited email.
6.3.4 Recognizing spam scams
Generally, there are a few indicators which can help you identify spam (unsolicited emails) in your mailbox. If a message fulfills at least some of the following criteria, it is most likely a spam message.
• Sender address does not belong to someone on your contact list
• You are offered a large sum of money, but you have to provide a small sum first
• You are asked to enter, under various pretenses (data verification, financial operations), some of your personal data – bank account numbers, usernames and passwords, etc.
• It is written in a foreign language
• You are asked to buy a product you are not interested in. If you decide to purchase anyway, please verify that the message sender is a reliable vendor (consult the original product manufacturer).
• Some of the words are misspelled in an attempt to trick your spam filter. For example "vaigra" instead of "viagra", etc.
6.3.4.1 Rules
In the context of Antispam solutions and email clients, rules are tools for manipulating email functions. They consist of two logical parts:
1. Condition (e.g., an incoming message from a certain address)
2. Action (e.g., deletion of the message, moving it to a specified folder)
The number and combination of rules varies with the Antispam solution. These rules serve as measures against spam (unsolicited email). Typical examples:
• 1. Condition: An incoming email message contains some of the words typically seen in spam messages. 2. Action: Delete the message.
• 1. Condition: An incoming email message contains an attachment with an .exe extension. 2. Action: Delete the attachment and deliver the message to the mailbox.
• 1. Condition: An incoming email message arrives from your employer. 2. Action: Move the message to the "Work" folder.
We recommend that you use a combination of rules in Antispam programs in order to facilitate administration and to more effectively filter spam.
6.3.4.1 Bayesian filter
Bayesian spam filtering is an effective form of email filtering used by almost all Antispam products. It is able to identify unsolicited email with high accuracy and can work on a per-user basis.
The functionality is based on the following principle: The learning process takes place in the first phase. The user manually marks a sufficient number of messages as legitimate messages or as spam (normally 200/200). The filter analyzes both categories and learns, for example, that spam usually contains the words "rolex" or "viagra", and legitimate messages are sent by family members or from addresses in the user's contact list. Provided that a sufficient number of messages are processed, the Bayesian filter is able to assign a specific "spam index" to each message in order to determine whether it is spam or not.
The main advantage of a Bayesian filter is its flexibility. For example, if a user is a biologist, all incoming emails concerning biology or related fields of study will generally receive a lower probability index. If a message includes words that would normally qualify it as unsolicited, but it is sent by someone from the user's contact list, it will be marked as legitimate, because senders from a contact list decrease overall spam probability.
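The learning phase and the "spam index" described in the two paragraphs above, as an added example in Python (not ESET's implementation): a naive Bayes filter whose features are the body words, the sender address and a contact-list flag, so that biology vocabulary learned from legitimate mail lowers the index and a known sender outweighs a spam word, as the text describes. The contact list and the hand-marked training messages are constructed; a real deployment needs far more of them (the guide's 200/200).

```python
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9']+")


def features(sender: str, body: str, contacts: set) -> set:
    """Binary features: the words of the body, the sender address, and a contact-list flag."""
    tokens = set(WORD_RE.findall(body.lower()))
    tokens.add("from:" + sender.lower())
    tokens.add("contact:yes" if sender.lower() in contacts else "contact:no")
    return tokens


class BayesianFilter:
    """Naive Bayes spam filter with Laplace smoothing; learns from messages the user has marked."""

    def __init__(self, contacts):
        self.contacts = {c.lower() for c in contacts}
        self.spam_counts, self.ham_counts = Counter(), Counter()   # feature -> number of messages
        self.spam_msgs = self.ham_msgs = 0

    def train(self, sender: str, body: str, is_spam: bool) -> None:
        tokens = features(sender, body, self.contacts)
        if is_spam:
            self.spam_counts.update(tokens)
            self.spam_msgs += 1
        else:
            self.ham_counts.update(tokens)
            self.ham_msgs += 1

    def spam_index(self, sender: str, body: str) -> float:
        """Probability in [0, 1] that the message is spam (the guide's "spam index")."""
        vocab = len(set(self.spam_counts) | set(self.ham_counts))
        spam_total = sum(self.spam_counts.values()) + vocab
        ham_total = sum(self.ham_counts.values()) + vocab
        log_odds = math.log(self.spam_msgs / self.ham_msgs)        # class prior
        for token in features(sender, body, self.contacts):
            p_spam = (self.spam_counts[token] + 1) / spam_total     # +1: unseen tokens stay finite
            p_ham = (self.ham_counts[token] + 1) / ham_total
            log_odds += math.log(p_spam / p_ham)
        if log_odds >= 0:                                           # numerically safe sigmoid
            return 1.0 / (1.0 + math.exp(-log_odds))
        e = math.exp(log_odds)
        return e / (1.0 + e)

    def is_spam(self, sender: str, body: str, threshold: float = 0.5) -> bool:
        return self.spam_index(sender, body) >= threshold


# Constructed training data: the user's contact list plus messages marked by hand.
CONTACTS = {"alice@lab.example", "bob@lab.example", "mom@family.example"}
TRAINING = [
    ("offers@cheapmeds.example", "cheap viagra and rolex watches, order now", True),
    ("promo@rolexdeals.example", "genuine rolex replica, limited offer, order now", True),
    ("win@lottery.example", "you have won, claim your money now", True),
    ("deals@cheapmeds.example", "viagra pills at lowest price, buy now", True),
    ("noreply@casino.example", "free money, play now and win", True),
    ("alice@lab.example", "the enzyme assay results for the protein sample are attached", False),
    ("bob@lab.example", "lunch tomorrow? we can discuss the genome paper", False),
    ("mom@family.example", "dinner on sunday, bring the photos", False),
    ("alice@lab.example", "review of the protein folding manuscript due friday", False),
    ("bob@lab.example", "conference registration for the biology meeting is open", False),
]


def build_demo_filter() -> BayesianFilter:
    """Train a filter on the constructed data above (the user's "marking" phase)."""
    f = BayesianFilter(CONTACTS)
    for sender, body, is_spam in TRAINING:
        f.train(sender, body, is_spam)
    return f
```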
6.3.4.2 Whitelist
In general, a whitelist is a list of items or persons who are accepted, or have been granted permission. The term "email whitelist" defines a list of contacts from whom the user wishes to receive messages. Such whitelists are based on keywords searched for in email addresses, domain names, or IP addresses.
If a whitelist works in "exclusivity mode", then messages from any other address, domain, or IP address will not be received. If a whitelist is not exclusive, such messages will not be deleted, but filtered in some other way.
A whitelist is based on the opposite principle to that of a blacklist. Whitelists are relatively easy to maintain, more so than blacklists. We recommend that you use both the Whitelist and Blacklist to filter spam more effectively.
6.3.4.3 Blacklist
Generally, a blacklist is a list of unaccepted or forbidden items or persons. In the virtual world, it is a technique enabling acceptance of messages from all users not present on such a list.
There are two types of blacklist: those created by users within their Antispam application, and professional, regularly updated blacklists which are created by specialized institutions and can be found on the Internet.
It is essential to use blacklists to successfully block spam, but they are difficult to maintain, since new items to be blocked appear every day. We recommend you use both a whitelist and a blacklist to most effectively filter spam.
6.3.4.5 Server-side control
Server-side control is a technique for identifying mass spam based on the number of received messages and the reactions of users. Each message leaves a unique digital "footprint" based on the content of the message. The unique ID number tells nothing about the content of the email. Two identical messages will have identical footprints, while different messages will have different footprints.
If a message is marked as spam, its footprint is sent to the server. If the server receives more identical footprints (corresponding to a certain spam message), the footprint is stored in the spam footprints database. When scanning incoming messages, the program sends the footprints of the messages to the server. The server returns information on which footprints correspond to messages already marked by users as spam.
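The footprint exchange described in the two paragraphs above, with both the client and the server side, as an added example in Python (not ESET's protocol). The choice of a SHA-256 digest over whitespace-normalized text as the footprint, the rule that a footprint is stored only after reports from a threshold number of distinct users, and the messages themselves are assumptions constructed for this example.

```python
import hashlib


def footprint(message: str) -> str:
    """Content-derived footprint. Hashing whitespace-normalized text with SHA-256 is an
    assumption made for this example: identical messages map to the same digest, different
    ones to different digests, and the digest itself reveals nothing about the content."""
    normalized = " ".join(message.split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class FootprintServer:
    """Server side: counts spam reports per footprint and keeps the confirmed ones."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold     # distinct reporting users needed before a footprint is stored
        self.reports = {}              # footprint -> set of users who marked it as spam
        self.spam_db = set()           # the spam footprints database

    def report_spam(self, user: str, fp: str) -> bool:
        """A user marked a message as spam; returns True once the footprint is confirmed.
        Counting distinct users (an assumption) keeps one user from confirming a footprint alone."""
        self.reports.setdefault(fp, set()).add(user)
        if len(self.reports[fp]) >= self.threshold:
            self.spam_db.add(fp)
        return fp in self.spam_db

    def check(self, fps: list) -> dict:
        """Lookup used while scanning incoming mail: footprint -> already known as spam?"""
        return {fp: fp in self.spam_db for fp in fps}


class MailClient:
    """Client side: sends footprints, never message content, to the server."""

    def __init__(self, user: str, server: FootprintServer):
        self.user = user
        self.server = server

    def mark_as_spam(self, message: str) -> bool:
        return self.server.report_spam(self.user, footprint(message))

    def scan_incoming(self, messages: list) -> list:
        """True for every message whose footprint the server already knows as spam."""
        fps = [footprint(m) for m in messages]
        verdict = self.server.check(fps)
        return [verdict[fp] for fp in fps]


# Constructed messages: one mass mailing received by several users, one ordinary message,
# and the mass mailing again with different whitespace (same footprint after normalization).
MASS_MAIL = "Congratulations! Claim your prize at the link below.\n\nBest regards"
MASS_MAIL_VARIANT = "Congratulations!  Claim your prize at the link below.\nBest regards"
PERSONAL = "Hi, are we still on for lunch tomorrow?"


def run_demo(threshold: int = 3) -> dict:
    """Three users report the same mailing; a fourth user's inbox is then scanned."""
    server = FootprintServer(threshold)
    confirmed = [MailClient(u, server).mark_as_spam(MASS_MAIL) for u in ("u1", "u2", "u3")]
    verdict = MailClient("u4", server).scan_incoming([MASS_MAIL, PERSONAL, MASS_MAIL_VARIANT])
    return {"confirmed": confirmed, "verdict": verdict, "db_size": len(server.spam_db)}
```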