0% found this document useful (0 votes)

106 views235 pages

Kav7 0en

Uploaded by

Sam

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

106 views235 pages

Kav7 0en

Uploaded by

Sam

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 235

KASPERSKY LAB

Threats to Computer Security

Intranet Your intranet is your internal network, specially designed for handling information within a company or a home network. An intranet is a unified space for storing, exchanging, and accessing information for all the computers on the network. Therefore, if any one network host is infected, other hosts run a significant risk of infection. To avoid such situations, both the network perimeter and each individual computer must be protected. Email Since the overwhelming majority of computers have email client programs installed, and since malicious programs exploit the contents of electronic address books, conditions are usually right for spreading malicious programs. The user of an infected host unwittingly sends infected messages out to other recipients who in turn send out new infected messages, etc. For example, it is common for infected file documents to go undetected when distributed with business information via a companys internal email system. When this occurs, more than a handful of people are infected. It might be hundreds or thousands of company workers, together with potentially tens of thousands of subscribers. Beyond the threat of malicious programs lies the problem of electronic junk email, or spam. Although not a direct threat to a computer, spam increases the load on email servers, eats up bandwidth, clogs up the users mailbox, and wastes working hours, thereby incurring financial harm. Also, hackers have begun using mass mailing programs and social engineering methods to convince users to open emails, or click on a link to certain websites. It follows that spam filtration capabilities are valuable for several purposes: to stop junk email; to counteract new types of online scans, such as phishing; to stop the spread of malicious programs. Removable storage media Removable media (floppies, CD/DVD-ROMs, and USB flash drives) are widely used for storing and transmitting information. Opening a file that contains malicious code and is stored on a removable storage device can damage data stored on the local computer and spread the virus to the computers other drives or other computers on the network.

Kaspersky Anti-Virus 7.0

1.3. Types of Threats

There are a vast number of threats to computer security today. This section will review the threats that are blocked by Kaspersky Anti-Virus. Worms This category of malicious programs spreads itself largely by exploiting vulnerabilities in computer operating systems. The class was named for the way that worms crawl from computer to computer, using networks and email. This feature allows worms to spread themselves very rapidly. Worms penetrate a computer, search for the network addresses of other computers, and send a burst of self-made copies to these addresses. In addition, worms often utilize data from email client address books. Some of these malicious programs occasionally create working files on system disks, but they can run without any system resources except RAM. Viruses Viruses are programs which infect other files, adding their own code to them to gain control of the infected files when they are opened. This simple definition explains the fundamental action performed by a virus infection. Trojans Trojans are programs which carry out unauthorized actions on computers, such as deleting information on drives, making the system hang, stealing confidential information, and so on. This class of malicious program is not a virus in the traditional sense of the word, because it does not infect other computers or data. Trojans cannot break into computers on their own and are spread by hackers, who disguise them as regular software. The damage that they inflict can greatly exceed that done by traditional virus attacks. Recently, worms have been the commonest type of malicious program damaging computer data, followed by viruses and Trojans. Some malicious programs combine features of two or even three of these classes. Adware Adware comprises programs which are included in software, unknown to the user, which is designed to display advertisements. Adware is usually built into software that is distributed free. The advertisement is situated in the program interface. These programs also frequently collect personal data on the user and send it back to their developer, change browser settings (start page and search pages, security levels, etc.) and create traffic that the user cannot control. This can lead to a security breach and to direct financial losses.

Threats to Computer Security

Spyware This software collects information about a particular user or organization without their knowledge. Spyware often escapes detection entirely. In general, the goal of spyware is to: trace user actions on a computer; gather information on the contents of your hard drive; in such cases, this usually involves scanning several directories and the system registry to compile a list of software installed on the computer; gather information on the quality of the connection, bandwidth, modem speed, etc. Riskware Potentially dangerous applications include software that has no malicious features but could form part of the development environment for malicious programs or could be used by hackers as auxiliary components for malicious programs. This program category includes programs with backdoors and vulnerabilities, as well as some remote administration utilities, keyboard layout togglers, IRC clients, FTP servers, and all-purpose utilities for stopping processes or hiding their operation. Another type of malicious program that is similar to adware, spyware, and riskware are programs that plug into your web browser and redirect traffic. The web browser will open different web sites than those intended. Jokes Software that does not cause a host any direct harm but displays messages that such harm has already been caused or will result under certain conditions. These programs often warn the user of non-existent dangers, such as messages that warn of formatting the hard drive (although no formatting actually takes place) or detecting viruses in uninfected files. Rootkits These are utilities which are used to conceal malicious activity. They mask malicious programs to keep anti-virus programs from detecting them. Rootkits modify basic functions of the computers operating system to hide both their own existence and actions that the hacker undertakes on the infected computer. Other dangerous programs These are programs created to, for instance, set up denial of service (DoS) attacks on remote servers, hack into other computers, and programs that are part of the development environment for malicious programs. These programs include hack tools, virus builders, vulnerability scanners, pass-

Kaspersky Anti-Virus 7.0

word-cracking programs, and other types of programs for cracking network resources or penetrating a system. Kaspersky Anti-Virus uses two methods for detecting and blocking these threat types: Reactive: it is a method designed to search for malicious objects using continuously updating application databases. This method requires at least one instance of infection to add the threat signature to the databases and to distribute a database update. Proactive in contrast to reactive protection, this method is based not on analyzing the objects code but on analyzing its behavior in the system. This method is aimed at detecting new threats that are still not defined in the signatures. By employing both methods, Kaspersky Anti-Virus provides comprehensive protection for your computer from both known and new threats. Warning! From this point forward, we will use the term "virus" to refer to malicious and dangerous programs. The type of malicious programs will only be emphasized where necessary.

1.4. Signs of Infection

There are a number of signs that a computer is infected. The following events are good indicators that a computer is infected with a virus: Unexpected messages or images appear on your screen or you hear unusual sounds; The CD/DVD-ROM tray opens and closes unexpectedly; The computer arbitrarily launches a program without your assistance; Warnings pop up on the screen about a program attempting to access the Internet, even though you initiated no such action; There are also several typical traits of a virus infection through email: Friends or acquaintances tell you about messages from you that you never sent; Your inbox houses a large number of messages without return addresses or headers.

Threats to Computer Security

It must be noted that these signs can arise from causes other than viruses. For example, in the case of email, infected messages can be sent with your return address but not from your computer. There are also indirect indications that your computer is infected: Your computer freezes or crashes frequently; Your computer loads programs slowly; You cannot boot up the operating system; Files and folders disappear or their contents are distorted; The hard drive is frequently accessed (the light blinks); The web browser (e.g., Microsoft Internet Explorer) freezes or behaves unexpectedly (for example, you cannot close the program window). In 90% of cases, these indirect systems are caused by malfunctions in hardware or software. Despite the low likelihood that these symptoms are indicative of infection, a full scan of your computer is recommended (see 5.3 on pg. 50) if they should manifest themselves.

1.5. What to do if you suspect infection

2.2.2. Virus scan tasks

In addition to constantly monitoring all potential pathways for malicious programs, it is extremely important to periodically scan your computer for viruses. This is required to stop the spread of malicious programs not detected by realtime protection components because of the low level of protection selected or for other reasons. The following tasks are provided by Kaspersky Anti-Virus to perform virus scans: Critical Areas Scans all critical areas of the computer for viruses. These include: system memory, system startup objects, master boot records, Microsoft Windows system folders. The objective is quickly to detect active viruses on the system without starting a full computer scan. My Computer Scans for viruses on your computer with a through inspection of all disk drives, memory, and files. Startup Objects Scans for viruses in all programs that are loaded automatically on startup, plus RAM and boot sectors on hard drives. Rootkit Scan Scans the computer for rootkits that hide malicious programs in the operating system. These utilities injected into system, hiding their presence and the presence of processes, folders, and registry keys of any malicious programs described in the configuration of the rootkit.

Kaspersky Anti-Virus 7.0

There is also the option to create other virus-scan tasks and create a schedule for them. For example, you can create a scan task for mailboxes once per week, or a virus scan task for the My Documents folder.

2.5. Support for registered users

Kaspersky Lab provides its registered users with an array of services to make Kaspersky Anti-Virus more effective. When the program has been activated, you become a registered user and will have the following services available until the key expires: Hourly updates of the application databases and new versions of the program free of charge Consultation on questions regarding installation, configuration, and operation of the program, by phone and email Notifications on new Kaspersky Lab product releases and new viruses (this service is provided for users that subscribe to Kaspersky Lab news mailings on the Technical Support Service website http://support.kaspersky.com/subscribe/) Kaspersky Lab does not provide technical support for operating system use and operation, or for any products other than its own.

CHAPTER 3. INSTALLING KASPERSKY ANTI-VIRUS 7.0

There are several ways to install Kaspersky Anti-Virus 7.0 to a host: interactively, using the application Installation Wizard (see 3.1 on pg. 27); this mode requires user input for the install to proceed; non-interactively, this type of install is performed from the command line and does not require any user input for the install to proceed (see 3.3 on pg. 38). Caution! It is recommended that all running applications be closed before a Kaspersky Anti-Virus install is attempted.

3.1. Installation procedure using the Installation Wizard

Note: Installing the program with an installer package downloaded from the Internet is identical to installing it from an installation CD. To install Kaspersky Anti-Virus to your computer, start the setup file on the product CD. This will attempt to locate the application install package (file with an *.msi extension) and if the package is located, you will be prompted to check for Kaspersky Anti-Virus updates on Kaspersky Lab servers. If no install package file is found, you will be prompted to download it. Following the download, the application install will begin. In the event that the user opts not to download, the install will continue normally. An installation wizard will open for the program. Each window contains a set of buttons for navigating through the installation process. Here is a brief explanation of their functions:

Kaspersky Anti-Virus 7.0

Next accepts an action and moves forward to the next step of installation. Back goes back to the previous step of installation. Cancel cancels product installation. Finish completes the program installation procedure. Lets take a closer look at the steps of the installation procedure.

Step 1. Checking for the necessary system conditions to install Kaspersky Anti-Virus
Before the program is installed on your computer, the installer checks your computer for the operating system and service packs necessary to install Kaspersky Anti-Virus. It also checks your computer for other necessary programs and verifies that your user rights allow you to install software. If any of these requirements is not met, the program will display a message informing you of the fault. You are advised to install any necessary service packs through Windows Update, and any other necessary programs, before installing Kaspersky Anti-Virus.

Step 2. Installation Welcome window

If your system fully meets all requirements, an installation window will appear when you open the installer file with information on beginning the installation of Kaspersky Anti-Virus. To continue installation, click the Next button. To cancel the installation, click Cancel.

Step 3. Viewing the End-User License Agreement

The next window contains the End-User License Agreement entered into between you and Kaspersky Lab. Carefully read through it, and if you agree to all the terms of the agreement, select I accept the terms of the License Agreement and click the Next button. Installation will continue. To cancel the installation, click Cancel.

Step 4. Selecting Installation Type

In this step, you are prompted to select installation type: Quick Install. If this option is selected, Kaspersky Anti-Virus will be installed using default settings only, as recommended by Kaspersky Lab specialists. At the end of the install, an activation wizard will be started (see 3.2.2 on pg. 32). Custom Install. Under this option you will be prompted to select the application components to be installed, the installation folder, and to activate as

Installing Kaspersky Anti-Virus 7.0

well as configure the installation using a special wizard (see 3.2 on pg. 31). Under the former option, the install will be performed non-interactively, i. e. subsequent steps described in this section will be skipped. In the latter case, you will be required to enter or confirm certain data.

Step 5.

Selecting an installation folder

The next stage of Kaspersky Anti-Virus installation determines where the program will be installed on your computer. The default path is: For 32-bit systems: <Drive>\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0 For 64-bit systems: <Drive> Program Files (86) Lab Kaspersky Anti-Virus 7.0. Kaspersky

You can specify a different folder by clicking the Browse button and selecting it in the folder selection window, or by entering the path to the folder in the field available. Caution! If you specify a full directory path manually, please note that it should not exceed 200 characters or contain special characters. To continue installation, click the Next button.

Step 6. Selecting program components to install

Note This step is not performed unless a Custom install is selected. If you selected Custom installation, you can select the components of Kaspersky Anti-Virus that you want to install. By default, all real-time protection and virus scan are selected. To select the components you want to install, left-click the icon alongside a component name and select Will be installed on local hard drive from the menu. You will find more information on what protection a selected component provides, and how much disk space it requires for installation, in the lower part of the program installation window. If you do not want to install a component, select Entire feature will be unavailable from the context menu. Remember that by choosing not to install a component you deprive yourself of protection against a wide range of dangerous programs.

Kaspersky Anti-Virus 7.0

After you have selected the components you want to install, click Next. To return the list to the default programs to be installed, click Reset.

Step 7. Using Previously Saved Installation Settings

In this step, you are prompted to specify whether you wish to use previously saved security settings or application databases if these were in fact saved when a previous Kaspersky Anti-Virus installation was removed from your computer. Let us look in more detail at ways to access the above functionality. If a previous version (build) of Kaspersky Anti-Virus was installed on your computer and application databases have been saved, they may be imported into the version being installed. Check Application databases. Databases bundled with the application will not be copied to your computer. To use protection settings configured for a previous version and saved on your computer, check Application Runtime Settings.

Step 8. Searching for other anti-virus programs

In this stage, the installer searches for other anti-virus products installed on your computer, including Kaspersky Lab products, which could raise compatibility issues with Kaspersky Anti-Virus. The installer will display on screen a list of any such programs it detects. The program will ask you if you want to uninstall them before continuing installation. You can select manual or automatic uninstall under the list of anti-virus applications detected. If the list of anti-virus programs contains Kaspersky Anti-Virus 6.0, we recommend in the event of a manual install saving the key file that it uses before deleting them, as you can use it as your key for Kaspersky Anti-Virus 7.0. We also recommend saving Quarantine and Backup objects. These objects will automatically be moved to the Kaspersky Anti-Virus Quarantine and Backup and you can continue working with them. In the event Kaspersky Anti-Virus 6.0 is uninstalled automatically, its activation information will be saved by the software and will be rolled over during a Version 7.0 install. Caution! Kaspersky Anti-Virus 7.0 supports Version 6.0 and Version 7.0 key files. Keys used for Version 5.0 applications are not supported. To continue installation, click the Next button.

Installing Kaspersky Anti-Virus 7.0

Step 9. Finishing Program Installation

In this stage, the program will ask you to finish installing the program on your computer. We do not recommend deselecting the Enable Self-Defense before installation when initially installing Kaspersky Internet Security. By enabling the protection modules, you can correctly roll back installation if errors occur while installing the program. If you are reinstalling the program, we recommend that you deselect this checkbox. If the application is installed remotely via Windows Remote Desktop, we recommend unchecking the flag Enable Self-Defense before installation. Otherwise the installation procedure might not complete or complete correctly. To continue installation, click the Next button. Caution! Current network connections are dropped during an install involving Kaspersky Anti-Virus components which intercept network traffic. Most dropped connections are re-established after a period of time.

Step 10. Completing the installation procedure

The Complete Installation window contains information on finishing the Kaspersky Anti-Virus installation process. If installation is completed successfully, a message on the screen will advise you to restart your computer. After restarting your system, the Kaspersky Anti-Virus Setup Wizard will automatically launch. If there is no need for restarting your system to complete the installation, click Next to go on to the Setup Wizard.

3.2. Setup Wizard

The Kaspersky Anti-Virus 7.0 Setup Wizard starts once the program has finished installation. It is designed to help you configure the initial program settings to conform to the features and uses of your computer. The Setup Wizard interface is designed like a standard Microsoft Windows Wizard and consists of a series of steps that you can move between using the Back and Next buttons, or complete using the Finish button. The Cancel button will stop the Wizard at any point.

Kaspersky Anti-Virus 7.0

You can skip this initial settings stage when installing the program by closing the Wizard window. In the future, you can run it again from the program interface if you restore the default settings for Kaspersky Anti-Virus (see 15.9.4 on pg. 189).

3.2.1. Using objects saved with Version 5.0

This wizard window appears when you install the application on top of Kaspersky Anti-Virus 5.0. You will be asked to select what data used by version 5.0 you want to import to version 7.0. This might include quarantined or backup files or protection settings. To use this data in Version 7.0, check the necessary boxes.

3.2.2. Activating the program

Before activating the program, make sure that the computer's system date settings match the actual date and time. The activation procedure consists in installing a key used by Kaspersky AntiVirus to verify the license to use the application and its expiration date. The key contains system information necessary for all the programs features to operate, and other information: Support information (who provides program support and where you can obtain it) Key name, number, and expiration date

3.2.2.1. Selecting a program activation method

There are several options for activating the program, depending on whether you have a key for Kaspersky Anti-Virus or need to obtain one from the Kaspersky Lab server: Activate using the activation code. Select this activation option if you have purchased the full version of the program and were provided with an activation code. Using this activation code you will obtain a key file providing access to the applications full functionality throughout the effective term of the license agreement. Activate trial version. Select this activation option if you want to install a trial version of the program before making the decision to purchase the commercial version. You will be provided with a free key with a limited trial period as defined in the appropriate license agreement.

Installing Kaspersky Anti-Virus 7.0

Apply existing key. Activate the application using the key file for Kaspersky Anti-Virus 7.0. Activate later. If you choose this option, you will skip the activation stage. Kaspersky Anti-Virus 7.0 will be installed on your computer and you will have access to all program features except updates (you can only update the application once after installation). Caution! An Internet connection is required for the first two activation options. If at the time of installation an Internet connection is unavailable, you can perform the activation later (see Chapter 14 on pg. 155) using the application interface or connect to the Internet from a different computer, and obtain a key using an activation code obtained by registering on the Kaspersky Lab Technical Support web site.

3.2.2.2. Entering the activation code

To activate the program, you must enter the activation code. When the application is purchased through the Internet, the activation code is sent to you via email. In case of purchasing the application on a physical medium, the activation code is printed on the installation disk. The activation code is a sequence of numbers and letters, divided by hyphens into four groups of five symbols without spaces. For example, 11AA1-11AAA1AA11-1A111. Please note that the activation code must be entered in Latin characters. If you have already registered with Kaspersky Lab at the web site of the Technical Support service and you have a customer number and password, enable the checkbox I already have a Customer ID and enter that information in the lower window part. If you have not registered yet, press the Next button leaving the box unchecked. Enter you client number and password at the bottom of the window if you have gone through the Kaspersky Lab client registration procedure and have this information. Leave the fields blank if you have not registered yet. This way the activation wizard will request your contact information and perform registration in the next step. At the end of registration you will be assigned a client number and a password which are required to obtain technical support. When using the activation wizard to register, the client number may be viewed in the Support section of the application main window (see 15.10 on pg. 190).

Kaspersky Anti-Virus 7.0

3.2.2.3. User Registration

This step of the activation wizard requires you to provide your contact information: email address, city and country of residence. This information is required for Kaspersky Lab Technical Support to identify you as a registered user. After the information is entered, it will be sent by the activation wizard to an activation server, and you will be assigned a client ID and a password for the Personal Cabinet on the Technical Support web site. Information on client ID is available under Support in the application main window.

3.2.2.4. Obtaining a Key File

The Setup Wizard connects to Kaspersky Lab servers and sends them your registration data (the activation code and personal information) for inspection. If the activation code passes inspection, the Wizard receives a key file. If you install the demo version of the program, the Setup Wizard will receive a trial key file without an activation code. The file obtained will be installed into the application automatically, and an activation complete window will be displayed for you with detailed information on the key being used. Note When this activation method is selected, the application does not download a physical file with the *.key extension from a server but rather obtains certain data that are written to the operating system registry and the file system. User registration at the Kaspersky Lab website is required to obtain an actual activation key. If the activation code does not pass inspection, an information message will be displayed on the screen. If this occurs, contact the software vendors from whom you purchased the program for more information.

3.2.2.5. Selecting a Key File

If you have a key file for Kaspersky Anti-Virus 7.0, the Wizard will ask if you want to install it. If you do, use the Browse button and select the file path for the file with the .key extension in the file selection window. Following successful key installation, current key information will be displayed at the bottom of the window: owner name, key code, key type (commercial, for beta testing, trial, etc.), and expiration date.

Installing Kaspersky Anti-Virus 7.0

3.2.2.6. Completing program activation

The Setup Wizard will inform you that the program has been successfully activated. It will also display information on the license key installed: owner name, key code, key type (commercial, for beta testing, trial, etc.), and expiration date.

3.2.3. Selecting a security mode

In this window, the Settings Wizard asks you to select the security mode that the program will operated with: Basic. This is the default setting and is designed for users, who do not have extensive experience with computers or anti-virus software. It implies that application components are set to their recommended security level and that the user is informed only of dangerous events (such as, detection of a malicious object, dangerous activity). Interactive. This mode provides more customized defense of your computers data than Basic mode. It can trace attempts to alter system settings, suspicious activity in the system, and unauthorized activity on the network. All of the activities listed above could be signs of malicious programs or standard activity for some of the programs you use on your computer. You will have to decide for each separate case whether those activities should be allowed or blocked. If you choose this mode, specify when it should be used: Enable system registry monitoring ask for user decision if attempts to alter system registry keys are detected. If the application is installed on a computer running Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista or Microsoft Windows Vista x64, the interactive mode settings listed below will not be available. Enable Application Integrity Control prompt user to confirm actions taken when modules are loaded into applications being monitored. Enable extended proactive defense enable analysis of all suspicious activity in the system, including opening browser with command line settings, loading into program processes, and window hooks (these settings are disabled by default).

You can perform basic protection tasks from the context menu (see Figure 1). The Kaspersky Anti-Virus menu contains the following items: Scan My Computer launches a complete scan of your computer for dangerous objects. The files on all drives, including removable storage media, will be scanned. Virus Scan select objects and start virus scan. The default list contains a number of files, such as the My Documents folder, the Startup folder, mailboxes, all the drives on your computer, etc. You can add to the list, select files to be scanned, and start virus scans. Update start Kaspersky Anti-Virus, module, and database updates and install updates on your computer.

Program interface

Activate activate the program. You must activate your version of Kaspersky Anti-Virus to obtain registered user status which provides access to the full functionality of the application and Technical Support. This menu item is only available if the program is not activated. Settings view and configure settings for Kaspersky Anti-Virus. Open Kaspersky Anti-Virus open the main program window (see 4.3 on pg. 41). Pause Protection / Resume Protection temporarily disable or enable real-time protection components (see 2.2.1 on pg. 21). This menu item does not affect program updates or virus scan tasks. About the program - calls up a window with info about Kaspersky AntiVirus. Exit close Kaspersky Anti-Virus (when this option is selected, the application will be unloaded from the computers RAM).

Figure 1. The context menu

If a virus search task is running, the context menu will display its name with a percentage progress meter. By selecting the task, you can open the report window to view current performance results.

4.3. Main program window

The Kaspersky Anti-Virus main window (see Figure 2) can be logically divided into three parts: upper part of window indicates your computers current protection status. There are three possible protection states (see 5.1 on pg. 47) each with its own color code much like a traffic light. Green indicates that your

Kaspersky Anti-Virus 7.0

computer is properly protected while yellow and red are indications of various problems in Kaspersky Anti-Virus configuration or operation. To obtain detailed troubleshooting information and speedy problem resolution, use the Security Wizard which opens when the security threat notification link is clicked.

your own, save the component report to a file using Action Save As and contact Kaspersky Lab Technical Support. Component status may be followed by information on settings being used by the component (such as, security level, action to be applied to dangerous objects). If a component consists of more than one module, module status is displayed: enabled or disabled. To edit current component settings, click Configure. In addition, certain component runtime statistics are displayed. To view a detailed report click on Open report. If for some reason a component is paused or stopped at a given moment in time, its results at the time of deactivation may be viewed by clicking Open last start report.

5.3. How to scan your computer for viruses

After installation, the application will without fail inform you with a special notice in the lower left-hand part of the application window that the computer has not yet been scanned and will recommend that you scan it for viruses immediately. Kaspersky Anti-Virus includes a task for a computer virus scan located in the Scan section of the programs main window. Selecting the My Computer task will display task settings: current security level, action to take with respect to malicious objects. A report of the latest scan is also available. To scan your computer for malicious programs, 1. 2. Select the My Computer task under Scan in the application main window. Click the Start Scan link.

As a result, the program will start scanning your computer, and the details will be shown in a special window. When you click the Close button, the window with information about installation progress will be hidden; this will not stop the scan.

Getting started

5.4. How to scan critical areas of the computer

There are areas on your computer that are critical from a security perspective. These are the targets of malicious programs aimed at damaging your operating system, processor, memory, etc. It is extremely important to protect these critical areas so that your computer keeps running. There is a special virus scan task for these areas, which is located in the programs main window in the Scan section. Selecting the Critical Areas will display task settings: current security level, the action to be applied to malicious objects. Here you can also select which critical areas you want to scan, and immediately scan those areas. To scan critical areas of your computer for malicious programs, 1. 2. Select the Critical Areas task under Scan in the application main window. Click the Start Scan link.

When you do this, a scan of the selected areas will begin, and the details will be shown in a special window. When you click the Close button, the window with information about installation progress will be hidden. This will not stop the scan.

5.5. How to scan a file, folder or disk for viruses

There are situations when it is necessary to scan individual objects for viruses but not the entire computer. For example, one of the hard drives, on which your programs and games, e-mail databases brought home from work, and archived files that came with e-mail are located, etc. You can select an object for scan with the standard tools of the Microsoft Windows operating system (for example, in the Explorer program window or on your Desktop, etc.). To scan an object, Place the cursor over the name of the selected object, open the Microsoft Windows context menu by right-clicking, and select Scan for viruses (see Figure 4).

Kaspersky Anti-Virus 7.0

Figure 4. Scanning an object selected using a standard Microsoft Windows context-sensitive menu

A scan of the selected object will then begin, and the details will be shown in a special window. When you click the Close button, the window with information about installation progress will be hidden. This will not stop the scan.

5.6. How to update the program

Kaspersky Lab updates databases and modules for Kaspersky Anti-Virus using dedicated update servers. Kaspersky Labs update servers are the Kaspersky Lab Internet sites where the program updates are stored. Warning! You will need a connection to the Internet to update Kaspersky Anti-Virus. By default, Kaspersky Anti-Virus automatically checks for updates on the Kaspersky Lab servers. If the server has the latest updates, Kaspersky Anti-Virus will download and install them in the silent mode. To update Kaspersky Anti-Virus manually, 1. 2. Select the Update section in the application main window. Click on Update databases.

Getting started

As a result, Kaspersky Anti-Virus will begin the update process, and display the details of the process in a special window.

5.7. What to do if protection is not running

If problems or errors arise in the performance of any protection component, be sure to check its status. If the component status is not running or running (subsystem malfunction), try restarting the program. If the problem is not solved after restarting the program, we recommend correcting potential errors using the application restore feature (see Chapter 17 on pg. 208). If the application restore procedure does not help, contact Kaspersky Lab Technical Support. You may need to save a report on component operation to file and send it to Technical Support for further study. To save component report to file: 1. Select component under Protection in the application main window and click on Open Report (component currently running) or Open Last Start Report (component disabled). In the report window, click Actions Save as and in the window that opens, specify the name of the file in which the report will be saved.

CHAPTER 6. PROTECTION MANAGEMENT SYSTEM

This section provides information on configuring common application settings used by all real-time protection components and tasks as well as information on creating protection scopes and lists of threats to be handled by the application and a list of trusted objects to be overlooked by protection: management of real-time protection (see 6.1 on pg. 54); utilization of Advanced Disinfection Technology (see 6.2 on pg. 58); running tasks on a portable computer (see 6.3 on pg. 58); cooperation of Kaspersky Anti-Virus with other applications (see 6.4on pg. 59); compatibility of Kaspersky Anti-Virus with self-defense features of other application (see 6.5 on pg. 59); list of threats (see 6.2 on pg. 58) protection from which will be provided by the application; list of trusted objects (see 6.9 on pg. 64) which will be overlooked by protection.

6.1. Stopping and resuming real-time protection on your computer

By default, Kaspersky Anti-Virus boots at startup and protects your computer the entire time you are using it. The words Kaspersky Anti-Virus 7.0 in the upper right-hand corner of the screen let you know this. All real-time protection components (see 2.2.1 on pg. 21) are running. You can fully or partially disable the protection provided by Kaspersky Anti-Virus. Warning! Kaspersky Lab strongly recommend that you not disable real-time protection, since this could lead to an infection on your computer and consequent data loss.

Protection management system

Note that in this case protection is discussed in the context of the protection components. Disabling or pausing protection components does not affect the performance of virus scan tasks or program updates.

6.1.1. Pausing protection

Pausing real-time protection means temporarily disabling all the protection components that monitor the files on your computer, incoming and outgoing email, executable scripts and application behavior. To pause a computer real-time protection: 1. 2. Select Pause protection in the programs context menu (see 4.2 on pg. 40). In the Pause protection window that opens (see Figure 5), select how soon you want protection to resume: In <time interval> protection will be enabled this amount of time later. To select a time value, use the drop-down menu. At next program restart protection will resume if you open the program from the Start Menu or after you restart your computer (provided the program is set to start automatically on startup (see 15.11 on pg. 192). By user request only protection will stop until you start it yourself. To enable protection, select Resume protection from the programs context menu. If you pause protection, all real-time protection components will be paused. This is indicated by: Inactive (gray) names of the disabled components in the Protection section of the main window. Inactive (gray) icon in the taskbar notification area.

Kaspersky Anti-Virus 7.0

Figure 5. Pause protection window

6.1.2. Stopping protection

Stopping protection means fully disabling your real-time protection components. Virus scans and updates continue to work in this mode. If protection is stopped, it can be only be resumed by the user: protection components will not automatically resume after system or program restarts. Remember that if Kaspersky Anti-Virus is somehow in conflict with other programs installed on your computer, you can pause individual components or create an exclusion list (see 6.9 on pg. 64). To stop all real-time protection: 1. 2. Open the application settings window and select Protection. Uncheck Enable protection.

Figure 8. Configuring an update task from another profile

6.7. Configuring Scheduled Tasks and Notifications

Scheduling configuration is the same for virus scan tasks, application updates, and Kaspersky Anti-Virus runtime messages. By default, the virus scan tasks created at application install are disabled. The only exception is a scan of startup objects which is run every time Kaspersky Anti-Virus is started. Updates are configured to occur automatically by default as updates become available on Kaspersky Lab update servers. In the event that you are not satisfied with these settings, you may reconfigure the scheduling. The primary value to define is the frequency of an event (task execution or notification). Select the desired option under Frequency (see Figure 9). Then, update settings for the selected option must be specified under Update Settings. The following selection is available: At a specified time. Run task or send notification on the specified date and at the specified time. At application startup. Run task or send notification every time Kaspersky Anti-Virus is started. A time delay to run the task after the application is started may also be specified . After each update. Task is run after each application database update (this option only applies to virus scan tasks). Minutely. Time interval between task runs or notifications is several minutes. Set time interval in minutes under schedule settings. It should not exceed 59 minutes. Hours. Interval between task runs and notifications is several hours. If this option is selected, specify the time interval under schedule settings: Every N hours and set N. For hourly runs, for example, specify Every 1 hours.

Kaspersky Anti-Virus 7.0

Figure 9. Creating Task Execution Schedule

Days. Tasks will be started or notifications sent every few days. Specify the interval length in the schedule settings: Select Every N days and specify N, if you wish to keep an interval of a certain number of days. Select Every weekday, if you wish to run tasks daily Monday through Friday. Select Every weekend to run tasks on Saturdays and Sundays only. Use the Time field to specify what time of day the scan task will be run. Weeks. Tasks will be run or notifications sent on certain days of the week. If this frequency is selected, check the days of the week the tasks will be run under schedule settings. Use the Time field to set the time. Monthly. Tasks will be started or notifications sent once a month at a specified time. If a task cannot run for some reason (an email program is not installed, for example, or the computer was shut down at the time), the task can be configured to run automatically as soon as it becomes possible. Check Run Task if Skipped in the schedule window.

Protection management system

6.8. Types of Malware to Monitor

Kaspersky Anti-Virus protects you from various types of malicious programs. Regardless of your settings, the program always protects your computer from the most dangerous types of malware such as viruses, trojans, and hack tools. These programs can do significant damage to your computer. To make your computer more secure, you can expand the list of threats that the program will detect by making it monitor additional types of dangerous programs. To choose what malicious programs Kaspersky Anti-Virus will protect you from, select the application settings window and select Threats and exclusions (see Figure 10). The Malware categories box contains threat types (see 1.3 on pg. 12): Viruses, worms, Trojans, hack tools. This group combines the most common and dangerous categories of malicious programs. This is the minimum admissible security level. Per recommendations of Kaspersky Lab experts, Kaspersky Anti-Virus always monitors this category of malicious programs. Spyware, adware, dialers. This group includes potentially dangerous software that may inconvenience the user or incur serious damage. Potentially dangerous software (riskware). This group includes programs that are not malicious or dangerous. However, under certain circumstances they could be used to cause harm to your computer. The groups listed above comprise the full range of threats which the program detects when scanning objects. If all groups are selected, Kaspersky Anti-Virus provides the fullest possible antivirus protection for your computer. If the second and third groups are disabled, the program will only protect you from the commonest malicious programs. This does not include potentially dangerous programs and others that could be installed on your computer and could damage your files, steal your money, or take up your time. Kaspersky Lab does not recommend disabling monitoring for the second group. If a situation arises when Kaspersky Anti-Virus classifies a program that you do not consider dangerous as a potentially dangerous program, we recommend creating an exclusion for it (see 6.9 on pg. 64). To select the types of malware to monitor, open the application settings window and select Threats and exclusions. Configuration is performed under Malware categories (see Figure 10).

Kaspersky Anti-Virus 7.0

Figure 10. Selecting Threats to Monitor

6.9. Creating a trusted zone

A trusted zone is a list of objects created by the user, that Kaspersky Anti-Virus does not monitor. In other words, it is a set of programs excluded from protection. The user creates a trusted zone based on the properties of the files he uses and the programs installed on his computer. You might need to create such an exclusion list if, for example, Kaspersky Anti-Virus blocks access to an object or program and you are sure that the file or program is absolutely safe. You can exclude files of certain formats from the scan, use a file mask, or exclude a certain area (for example, a folder or a program), program processes, or objects according to Virus Encyclopedia threat type classification (the status that the program assigns to objects during a scan). Note! Excluded objects are not subject to scans when the disk or folder where they are located are scanned. However, if you select that object in particular, the exclusion rule will not apply. To create an exclusion list 1. 2. 3. Open the application settings window and select the Threats and exclusions section (see Figure 10). Click the Trusted Zone button under Exclusions. Configure exclusion rules for objects and create a list of trusted applications in the window that opens (see Figure 11).

Protection management system

Figure 11. Creating a trusted zone

6.9.1. Exclusion rules

Exclusion rules are sets of conditions that Kaspersky Anti-Virus uses to determine not to scan an object. You can exclude files of certain formats from the scan, use a file mask, or exclude a certain area, such as a folder or a program, program processes, or objects according to their Virus Encyclopedia threat type classification. The Threat type is the status that Kaspersky Anti-Virus assigns to an object during the scan. A verdict is based on the classification of malicious and potentially dangerous programs found in the Kaspersky Lab Virus Encyclopedia. Potentially dangerous software does not have a malicious function but can be used as an auxiliary component for a malicious code, since it contains holes and errors. This category includes, for example, remote administration programs, IRC clients, FTP servers, all-purpose utilities for stopping or hiding processes, keyloggers, password macros, autodialers, etc. These programs are not classified as viruses. They can be divided into several types, e.g. Adware, Jokes, Riskware, etc. (for more information on potentially dangerous programs detected by

Kaspersky Anti-Virus 7.0

Kaspersky Anti-Virus, see the Virus Encyclopedia at www.viruslist.com). After the scan, these programs may be blocked. Since several of them are very common, you have the option of excluding them from the scan. To do so, you must add threat name or mask to the trusted zone using the Virus Encyclopedia classification. For example, imagine you use a Remote Administrator program frequently in your work. This is a remote access system with which you can work from a remote computer. Kaspersky Anti-Virus views this sort of application activity as potentially dangerous and may block it. To keep the application from being blocked, you must create an exclusion rule that specifies not-avirus:RemoteAdmin.Win32.RAdmin.22 as a threat type. When you add an exclusion, a rule is created that several program components (File Anti-Virus, Mail Anti-Virus, Proactive Defense, Web Anti-Virus) and virus scan tasks can later use. You can create exclusion rules in a special window that you can open from the program settings window, from the notice about detecting the object, and from the report window. To add exclusions on the Exclusion Masks tab: 1. 2. Click on the Add button in the Exclusion Masks window (see Figure 11). In the window that opens (see Figure 12), click the exclusion type in the Properties section: Object exclusion of a certain object, directory, or files that match a certain mask from scan. Threat type excluding an object from the scan based on its status from the Virus Encyclopedia classification. If you check both boxes at once, a rule will be created for that object with a certain status according to Virus Encyclopedia threat type classification. In such case, the following rules apply: If you specify a certain file as the Object and a certain status in the Threat type section, the file specified will only be excluded if it is classified as the threat selected during the scan. If you select an area or folder as the Object and the status (or verdict mask) as the Threat type, then objects with that status will only be excluded when that area or folder is scanned.

Protection management system

Figure 12. Creating an exclusion rule

Assign values to the selected exclusion types. To do so, left-click in the Rule description section on the specify link located next to the exclusion type: For the Object type, enter its name in the window that opens (this can be a file, a particular folder, or a file mask (see A.2 on pg. 216). Check Include subfolders for the object (file, file mask, folder) to be recursively excluded from the scan. For example, if you assign C:\Program Files\winword.exe as an exclusion and checked the subfolder option, the file winword.exe will be excluded from the scan if found in any C:\Program Files subfolders. Enter the full name of the threat that you want to exclude from scans as given in the Virus Encyclopedia or use a mask (see A.3 on pg. 216) for the Threat type. For some threat type, you can assign advanced conditions for applying rules in the Advanced settings field. In most cases, this field is filled in automatically when you add an exclusion rule from a Proactive Defense notification. You can add advanced settings for the following threats, among others: o Invader (injects into program processes). For this threat, you can give a name, mask, or complete path to the object being injected into (for example, a .dll file) as an additional exclusion condition.

Kaspersky Anti-Virus 7.0

Launching Internet Browser. For this threat, you can list browser open settings as additional exclusion settings. For example, you blocked browsers from opening with certain settings in the Proactive Defense application activity analysis. However, you want to allow the browser to open for the domain www.kasperky.com with a link from Microsoft Office Outlook as an exclusion rule. To do so, select Microsoft Office Outlook as Object and Launching Internet Browser as the Threat Type, and enter an allowed domain mask in the Advanced settings field.

Define which Kaspersky Anti-Virus components will use this rule. If any is selected as the value, this rule will apply to all components. If you want to restrict the rule to one or several components, click on any, which will change to selected. In the window that opens, check the boxes for the components that you want this exclusion rule to apply to.

Figure 13. Dangerous object detection notification

To create an exclusion rule from a program notice stating that it has detected a dangerous object: 1. Use the Add to trusted zone link in the notification window (see Figure 13).

Protection management system

In the window that opens, be sure that all the exclusion rule settings match your needs. The program will fill in the object name and threat type automatically, based on information from the notification. To create the rule, click OK.

The default setting for File Anti-Virus is Recommended. You can raise or lower the protection level for files you use by either selecting the level you want, or changing the settings for the current level. To change the security level: Adjust the sliders. By adjusting the security level, you define the ratio of scan speed to the total number of files scanned: the fewer files are scanned for viruses, the higher the scan speed. If none of the set file security levels meet your needs, you can customize and the protection settings. To do so, select the level that is closest to what you need as a starting point and edit its settings. This will change the name of the security level to Custom. Let us look at an example when preconfigured security level settings may need to be modified.

File Anti-Virus

Example: The work you do on your computer uses a large number of file types, and some the files may be fairly large. You would not want to run the risk of skipping any files in the scan because of the size or extension, even if this would somewhat affect the productivity of your computer. Tip for selecting a level: Based on the source data, one can conclude that you have a fairly high risk of being infected by a malicious program. The size and type of the files being handled is quite varied and skipping them in the scan would put your data at risk. You want to scan the files you use by contents, not by extension. You are advised to start with the Recommended security level and make the following changes: remove the restriction on scanned file sizes and optimize File Anti-Virus operation by only scanning new and modified files. Then the scan will not take up as many system resources so you can comfortably use other applications. To modify the settings for a security level: 1. 2. 3. Open the application settings window and select File Anti-Virus under Protection. Click on Customize under Security Level (see Figure 17). Edit file protection parameters in the resulting window and click OK.

7.2. Configuring File Anti-Virus

Your settings determine how File Anti-Virus will defend your computer. The settings can be broken down into the following groups: Settings that define what file types (see 7.2.1 on pg. 76) are to be scanned for viruses Settings that define the scope of protection (see 7.2.2 on pg. 78) Settings that define how the program responds to dangerous objects (see 7.2.6 on pg. 84) Settings defining the use of heuristic methods (see 7.2.4 on pg. 82) Additional File Anti-Virus settings (see 7.2.3 on pg. 80) The following sections will examine these groups in detail.

Kaspersky Anti-Virus 7.0

Heuristic methods are utilized by several real-time protection components, such as File, Mail, Web Anti-Virus, as well as virus scan tasks. Of course, scanning using the signature method with a database created previously containing a description of known threats and methods for treating them will give you a definite answer regarding whether a scanned object is malicious and what dangerous program class it is classified as. The heuristic method, unlike the signature method, is aimed at detecting typical behavior of operations rather than malicious code signatures that allow the program to make a conclusion on a file with a certain likelihood. The advantage of the heuristic method is that it does not require repopulated databases to function. Because of this, new threats are detected before virus analysts have encountered them. Heuristic analyzer emulates object execution in the Kaspersky Anti-Virus secure virtual environment. If an object does not exhibit suspicious behaviour, its execution in operating environment is allowed. If suspicious activity is discovered as the object executes, the object will be deemed malicious and will not be allowed to run on the host or a message will be displayed requesting further instructions from the user: Quarantine the new threat to be scanned and processed later using updated databases

File Anti-Virus

Delete the object Skip (if you are positive that the object cannot be malicious). To use the heuristic method, select Use heuristic analyzer. You can additionally select the level of detail of the scan. To do so, move the slider to one of these positions: Shallow, Medium, or Detail. Scan resolution provides a way to balance the thoroughness and, with it, the quality of the scan for new threats against operating system load and scan duration. The higher you set the heuristics level, the more system resources the scan will require, and the longer it will take. Warning: New threats detected using heuristic analysis are quickly analyzed by Kaspersky Lab, and methods for disinfecting them are added to the hourly database updates. Therefore, if application databases are regularly updated and computer protection levels are optimized, there is no need to engage heuristic analysis continuously.

Figure 23. Using Heuristic Analysis

Kaspersky Anti-Virus 7.0

The Heuristic analyzer tab (see Figure 23) may be used to disable / enable File Anti-Virus heuristic analysis for unknown threats. This requires that the following steps be performed: 1. 2. 3. Open the application settings window and select File Anti-Virus under Protection. Click the Customize button in the Security Level area (see Figure 17). Select the Heuristic analyzer tab in the resulting dialog.

7.2.5. Restoring default File Anti-Virus settings

When configuring File Anti-Virus, you can always return to the default performance settings. Kaspersky Lab considers them to be optimal and has combined them in the Recommended security level. To restore the default File Anti-Virus settings: 1. 2. Open the application settings window and select File Anti-Virus under Protection. Click the Default button in the Security Level area (see Figure 17).

If you modified the list of objects included in the protected zone when configuring File Anti-Virus settings, the program will ask you if you want to save that list for future use when you restore the initial settings. To save the list of objects, check Protected scope in the Restore Settings window that opens.

7.2.6. Selecting actions for objects

If File Anti-Virus discovers or suspects an infection in a file while scanning it for viruses, the programs next steps depend on the objects status and the action selected. File Anti-Virus can label an object with one of the following statuses: Malicious program status (for example, virus, Trojan) (see 1.3 on pg. 12). Potentially infected, when the scan cannot determine whether the object is infected. This means that the program detected a sequence of code in the file from an unknown virus or modified code from a known virus. By default, all infected files are subject to disinfection, and if they are potentially infected, they are sent to Quarantine.

File Anti-Virus

To edit an action for an object: open the application settings window and select File Anti-Virus under Protection. All potential actions are displayed in the appropriate sections (see Figure 24).

Figure 24. Possible File Anti-Virus actions with dangerous objects

If the action selected was Prompt for action

When it detects a dangerous object File Anti-Virus issues a warning message containing information about what malicious program has infected or potentially infected the file, and gives you a choice of actions. The choice can vary depending on the status of the object. File Anti-Virus blocks access to the object. Information about this is recorded in the report (see 15.3 on pg. 163). Later you can attempt to disinfect this object. File Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If disinfection fails, the file will be assigned the status of potentially infected, and it will be moved to Quarantine (see 15.1 on pg. 158). Information about this is recorded in the report. Later you can attempt to disinfect this object. File Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object cannot be disinfected, it is deleted. A copy of the object will be stored in Backup (see 15.2 on pg. 161). File Anti-Virus will block access to the object and

Block access

Block access Disinfect

Block access Disinfect Delete if disinfection fails

Block access

Kaspersky Anti-Virus 7.0

If the action selected was Delete

When it detects a dangerous object will delete it.

When disinfecting or deleting an object, Kaspersky Anti-Virus creates a backup copy before it attempts to treat the object or delete it, in case the object needs to be restored or an opportunity arises to treat it.

7.3. Postponed disinfection

If you select Block access as the action for malicious programs, the objects will not be treated and access to them will be blocked. If the actions selected were Block access Disinfect all untreated objects will also be blocked. In order to regain access to blocked objects, they must be disinfected. To do so: 1. 2. Select File Anti-Virus under Protection in the application main window and click on Open Report. Select the objects that interest you on the Detected tab and click the Actions Neutralize all button.

Successfully disinfected files will be returned to the user. Any that cannot be treated, you can delete or skip it. In the latter case, access to the file will be restored. However, this significantly increases the risk of infection on your computer. It is strongly recommended not to skip malicious objects.

CHAPTER 8. MAIL ANTI-VIRUS

Mail Anti-Virus is Kaspersky Anti-Viruss component to prevent incoming and outgoing email from transferring dangerous objects. It starts running when the operating system boots up, stays active in your system memory, and scans all email on protocols POP3, SMTP, IMAP, MAPI 1 and NNTP, as well as secure connections (SSL) using POP3 and IMAP. The components activity is indicated by the Kaspersky Anti-Virus icon in the taskbar notification area, which looks like this whenever an email is being scanned. The default setup for Mail Anti-Virus is as follows: 1. 2. 3. Mail Anti-Virus intercepts each email received or sent by the user. The email is broken down into its parts: email headers, its body, and attachments. The body and attachments of the email (including OLE attachments) are scanned for dangerous objects. Malicious objects are detected using the databases included in the program, and with the heuristic algorithm. The databases contain descriptions of all the malicious programs known to date and methods for neutralizing them. The heuristic algorithm can detect new viruses that have not yet been entered in the databases. After the virus scan, you have the following available courses of action: If the body or attachments of the email contain malicious code, Mail Anti-Virus will block the email, place a copy of the infected object in Backup, and try to disinfect the object. If the email is successfully disinfected, it becomes available to the user again. If not, the infected object in the email is deleted. After the virus scan, special text is inserted in the subject line of the email stating that the email has been processed by Kaspersky Anti-Virus. If code is detected in the body or an attachment that appears to be, but is not definitely malicious, the suspicious part of the email is sent to Quarantine.

Emails sent with MAPI are scanned using a special plug-in for Microsoft Office Outlook and The Bat!

Kaspersky Anti-Virus 7.0

If no malicious code is discovered in the email, it is immediately made available again to the user. A special plug-in (see 8.2.2 on pg. 92) is provided for Microsoft Office Outlook that can configure email scans more exactly. If you use The Bat!, Kaspersky Anti-Virus can be used in conjunction with other anti-virus applications. The rules for processing email traffic (see 8.2.3 on pg. 93) are configured directly in The Bat! and supersede the Kaspersky Anti-Virus email protection settings. When working with other email programs, including Microsoft Outlook Express (Windows Mail), Mozilla Thunderbird, Eudora, Incredimail, Mail Anti-Virus scans email on SMTP, POP3, IMAP, MAPI, and NNTP protocols. Note that emails transmitted on IMAP are not scanned in Thunderbird if you use filters that move them out of your Inbox.

8.1. Selecting an email security level

Kaspersky Anti-Virus protects your email at one of these levels (see Figure 25): Maximum Protection the level with the most comprehensive monitoring of incoming and outgoing emails. The program scans email attachments, including archives, in detail, regardless of how long the scan takes. Recommended Kaspersky Lab experts recommend this level. It scans the same objects as at Maximum Protection, with the exception of attachments or emails that will take more than three minutes to scan. High Speed the security level with settings that let you comfortably use resource-intensive applications, since the scope of email scanning is limited. Thus, only your incoming email is scanned on this level, and in doing so archives and objects (emails) attached are not scanned if they take more than three minutes to scan. This level is recommended if you have additional email protection software installed on your computer.

Figure 25. Selecting an email security level

By default, the email security level is set to Recommended.

Mail Anti-Virus

You can raise or lower the email security level by selecting the level you want, or editing the settings for the current level. To change the security level: Adjust the sliders. By altering the security level, you define the ratio of scan speed to the total number of objects scanned: the fewer email objects are scanned for dangerous objects, the higher the scan speed. If none of the preinstalled levels fully meet your requirements, their settings may be customized. It is recommended that you select a level closest to your requirements as basis and edit its parameters. This will change the name of the security level to Custom. Let us look at an example when preconfigured security level settings may need to be modified. Example: Your computer is outside the local area network and uses a dial-up Internet connection. You use Microsoft Outlook Express as an email client for receiving and sending email, and you use a free email service. For a number of reasons, your email contains archived attachments. How do you maximally protect your computer from infection through email? Tip for selecting a level: By analyzing your situation, one can conclude that you are at a high risk of infection through email in the scenario outlined, because there is no centralized email protection and through using a dial-up connection. You are advised to use Maximum Protection as your starting point, with the following changes: reduce the scan time for attachments to, for example, 1-2 minutes. The majority of archived attachments will be scanned for viruses and the processing speed will not be seriously slowed. To modify the current security level: 1. 2. 3. Open the application settings window and select Mail Anti-Virus under Protection. Click on Customize under Security Level (see Figure 25). Edit mail protection parameters in the resulting window and click OK.

8.2. Configuring Mail Anti-Virus

A series of settings govern how your email is scanned. The settings can be broken down into the following groups: Settings that define the protected group (see 8.2.1 on pg. 90) of emails

Kaspersky Anti-Virus 7.0

Settings defining the use of heuristic methods(see 8.2.4 on pg. 95) Email scan settings for Microsoft Office Outlook (see 8.2.2 on pg. 92) and The Bat! (see 8.2.3 on pg. 93) settings that define actions for dangerous email objects (see 8.2.4 on pg. 95) The following sections examine these settings in detail.

8.2.1. Selecting a protected email group

Mail Anti-Virus allows you to select exactly what group of emails to scan for dangerous objects. By default, the component protects email at the Recommended security level, which means scanning both incoming and outgoing email. When you first begin working with the program, you are advised to scan outgoing email, since it is possible that there are worms on your computer that use email as a channel for distributing themselves. This will help avoid the possibility of unmonitored mass mailings of infected emails from your computer. If you are certain that the emails that you are sending do not contain dangerous objects, you can disable the outgoing email scan. To do so: 1. 2. 3. Open the application settings window and select Mail Anti-Virus under Protection. Click the Customize button in the Security Level area (see Figure 25). In the window that opens (see Figure 26), select email in the Scope section. Only incoming

In addition to selecting an email group, you can specify whether archived attachments should be scanned, and also set the maximum amount of time for scanning a single email object. These settings are configured in the Restrictions section. If your computer is not protected by any local network software, and accesses the Internet without using a proxy server or firewall, you are advised not to disable the archived attachment scan and not to set a time limit on scanning. If you are working in a protected environment, you can change the time restrictions on scanning to increase the email scan speed.

Mail Anti-Virus

Figure 26. Mail Anti-Virus settings

You can configure the filtration conditions for objects connected to an email in the Attachment Filter section: Disable filtering do not use additional filtration for attachments. Rename selected attachment types filter out a certain attachment format and replace the last character of the file name with an underscore. You can select the file type by clicking the File types button. Delete selected attachment types filter out and delete a certain attachment format. You can select the file type by clicking the File types button. You can find more information about filtered attachment types in section A.1 on pg. 213. By using the filter, you increase your computers security, since malicious programs spread through email most frequently as attachments. By renaming or deleting certain attachment types, you protect your computer against automatically opening attachments when a message is received.

Kaspersky Anti-Virus 7.0

8.2.2. Configuring email processing in Microsoft Office Outlook

If you use Microsoft Office Outlook as your email client, you can set up custom configurations for virus scans. A special plug-in is installed in Microsoft Office Outlook when you install Kaspersky Anti-Virus. It can quickly access Mail Anti-Virus settings, and also set the maximum time that individual emails will be scanned for dangerous objects. The plug-in comes in the form of a special Mail Anti-Virus tab located under Service Options (see Figure 27). Select an email scan mode: Scan upon receiving analyzes each email when it enters your Inbox. Scan when read scans each email when you open it to read it. Scan upon sending scans each email for viruses when you send it. Warning! If you use Microsoft Office Outlook to connect to your email service on IMAP, you are advised not to use Scan upon receiving mode. Enabling this mode will lead to emails being copied to the local computer when delivered to the server, and consequently the main advantage of IMAP is lost creating less traffic and dealing with unwanted email on the server without copying them to the users computer. The action that will be taken on dangerous email objects is set in the Mail AntiVirus settings, which can be configured by following the click here link in the Status section.

Mail Anti-Virus

Figure 27. Configuring Mail Anti-Virus settings in Microsoft Office Outlook

8.2.3. Configuring email scans in The Bat!

Actions taken on infected email objects in The Bat! are defined with the program's own tools.

Kaspersky Anti-Virus 7.0

Warning! The Mail Anti-Virus settings that determine whether incoming and outgoing email is scanned, as well as actions on dangerous email objects and exclusions, are ignored. The only settings that The Bat! takes into account relate to scanning archived attachments and time limits on scanning emails (see 8.2.1 on pg. 90). To set up email protection rules in The Bat!: 1. 2. Select Preferences from the email clients Options menu. Select Protection from the settings tree.

The protection settings displayed (see Figure 28) extend to all anti-virus modules installed on the computer that support The Bat!

Figure 28. Configuring email scans in The Bat!

You must decide: What group of emails will be scanned for viruses (incoming, outgoing) At what point in time email objects will be scanned for viruses (when opening an email or before saving one to disk)

Mail Anti-Virus

The actions taken by the email client when dangerous objects are detected in emails. For example, you could select: Try to cure infected parts tries to treat the infected email object, and if the object cannot be disinfected, it stays in the email. Kaspersky Anti-Virus will always inform you if an email is infected. But even if you select Delete in the Mail Anti-Virus notice window, the object will remain in the email, since the action selected in The Bat! takes precedent over the actions of Mail Anti-Virus. Remove infected parts delete the dangerous object in the email, regardless of whether it is infected or suspected of being infected. By default, The Bat! places all infected email objects in the Quarantine folder without treating them. Warning! The Bat! does not mark emails containing dangerous objects with special headers.

8.2.4. Using Heuristic Analysis

Heuristic methods are utilized by several real-time protection components and virus scan tasks (see 7.2.4 at p. 82 for more detail).

Kaspersky Anti-Virus 7.0

Figure 29. Using Heuristic Analysis

Heuristic methods of detecting new threats may be enabled / disabled for the Mail Anti-Virus component using the Heuristic Analyzer tab. This requires that the following steps be performed: 1. 2. 3. Open the application settings window and select Mail Anti-Virus under Protection. Click the Customize button in the Security Level area (see Figure 25). Select Heuristic Analyzer tab in the resulting dialog (see Figure 29).

To use heuristic methods, check Use Heuristic Analyzer. Additionally, scan resolution may be set by moving the slider to one of the following settings: Shallow, Medium, or Detail.

8.2.5. Restoring default Mail Anti-Virus settings

When configuring Mail Anti-Virus, you can always return to the default performance settings, which Kaspersky Lab considers to be optimal and has combined in the Recommended security level.

Mail Anti-Virus

To restore the default Mail Anti-Virus settings: 1. 2. Open the application settings window and select Mail Anti-Virus under Protection. Click the Default button under Security Level (see Figure 25).

8.2.6. Selecting actions for dangerous email objects

If a scan shows that an email or any of its parts (body, attachment) is infected or suspicious, the steps taken by Mail Anti-Virus depend on the object status and the action selected. One of the following statuses can be assigned to the email object after the scan: Malicious program status (for example, virus, Trojan for more details, see 1.3 on pg. 12). Potentially infected, when the scan cannot determine whether the object is infected. This means that the program detected a sequence of code in the file from an unknown virus or modified code from a known virus. By default, when Mail Anti-Virus detects a dangerous or potentially infected object, it displays a warning on the screen and prompts the user to select an action for the object. To edit an action for an object: open the application settings window and select Mail Anti-Virus under Protection. All possible actions for dangerous objects are listed in the Action box (see Figure 30).

Figure 30. Selecting actions for dangerous email objects

Lets look at the possible options for processing dangerous email objects in more detail.

Kaspersky Anti-Virus 7.0

If the action selected was Prompt for action

When a dangerous object is detected Mail Anti-Virus will issue a warning message containing information about what malicious program has infected (potentially infected) the file and gives you the choice of one of the following actions. Mail Anti-Virus will block access to the object. Information about this is recorded in the report (see 15.3 on pg. 163). Later you can attempt to disinfect this object. E-Mail Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object could not be treated, it is moved to Quarantine. Information about this is recorded in the report. Later you can attempt to disinfect this object. E-Mail Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object cannot be disinfected, it is deleted. A copy of the object will be stored in Backup. Objects with the status of potentially infected will be moved to Quarantine.

Block access

Block access Disinfect

Block access Disinfect Delete if disinfection fails2

Block access Delete

When E-Mail Anti-Virus detects an infected or potentially infected object, it deletes it without informing the user.

When disinfecting or deleting an object, Kaspersky Anti-Virus creates a backup copy (see 15.2 on pg. 161) before it attempts to treat the object or delete it, in case the object needs to be restored or an opportunity arises to treat it.

If you are using The Bat! as your mail client, dangerous email objects will either be disinfected or deleted when Mail Anti-Virus takes this action (depending on the action selected in The Bat!).

CHAPTER 9. WEB ANTI-VIRUS

Whenever you use the Internet, information stored on your computer is open to the risk of infection by dangerous programs, which can penetrate your computer when you read an article on the Internet. Web Anti-Virus is Kaspersky Anti-Viruss component for guarding your computer during Internet use. It protects information that enters your computer via the HTTP protocol, and also prevents dangerous scripts from being loaded on your computer. Warning! Web Anti-Virus only monitors HTTP traffic that passes through the ports listed on the monitored port list (see 15.4 on pg. 171). The ports most commonly used for transmitting email and HTTP traffic are listed in the program package. If you use ports that are not on this list, add them to it to protect traffic passing through them. If you are working on an unprotected network, you are advised to use Web AntiVirus to protect yourself while using the Internet. Even if your computer is running on a network protected by a firewall or HTTP traffic filters, Web Anti-Virus provides additional protection while you browse the Web. The components activity is indicated by the Kaspersky Anti-Virus icon in the taskbar notification area, which looks like this whenever scripts are being scanned. Lets look at the components operation in more detail. Web Anti-Virus consists of two modules, that handle: Traffic scan scans objects that enter the users computer via HTTP. Script scan scans all scripts processed in Microsoft Internet Explorer, as well as any WSH scripts (JavaScript, Visual Basic Script, etc.) that are loaded while the user is on the computer. A special plug-in for Microsoft Internet Explorer is installed as part of Kaspersky Anti-Virus installation. The button in the browsers Standard Buttons toolbar indicates that it is installed. Clicking on the icon opens an information panel with Web Anti-Virus statistics on the number of scripts scanned and blocked.

100

Kaspersky Anti-Virus 7.0

Web Anti-Virus guards HTTP traffic as follows: 1. Each web page or file that can be accessed by the user or by a certain application via HTTP is intercepted and analyzed by Web Anti-Virus for malicious code. Malicious objects are detected using both the databases included in Kaspersky Anti-Virus, and the heuristic algorithm. The databases contain descriptions of all malicious programs known to date, and methods for neutralizing them. The heuristic algorithm can detect new viruses that have not yet been entered in the databases. After the analysis, you have the following available courses of action: If a web page or an object accessed by a user contains malicious code, access to such an object is blocked. A notification is displayed that the object or page being requested is infected. If a file or a web page contains no malicious code, it becomes immediately available to the user. Scripts are scanned according to the following algorithm: 1. 2. 3. Web Anti-Virus intercepts each script run on a web page and scans them for malicious code. If a script contains malicious code, Web Anti-Virus blocks it and informs the user with a special popup notice. If no malicious code is discovered in the script, it is run.

Caution! To intercept and scan http traffic and scripts for viruses, Web Anti-Virus has to be running before a connection is established with a web resource. Otherwise, traffic will not be scanned.

9.1. Selecting Web Security Level

Kaspersky Anti-Virus protects you while you use the Internet at one of the following levels (see Figure 31): Maximum Protection the level with the most comprehensive monitoring of scripts and objects incoming via HTTP. The program performs a thorough scan of all objects using the full set of application databases. This security level is recommended for aggressive environments, when no other HTTP protection tools are being used. Recommended settings of this level are recommended by Kaspersky Lab experts. This level scans the same objects as at Maximum Protection,

Web Anti-Virus

101

but limits the caching time for file fragments, thus accelerating the scan and returning objects to the user sooner. High Speed the security level with settings that let you comfortably use resource-intensive applications, since the scope of objects scanned is reduced by using a limited set of application databases. It is recommended to select this protection level if you have additional web protection software installed on your computer.

Figure 31. Selecting a web security level

By default, the protection level is set to Recommended. You can raise or lower the security level by selecting the level you want or editing the settings for the current level. To edit the security level: Adjust the sliders. By altering the security level, you define the ratio of scan speed to the total number of objects scanned: the fewer objects are scanned for malicious code, the higher the scan speed. If none of the preinstalled levels fully meet your requirements, their settings may be customized. It is recommended that you select a level closest to your requirements as basis and edit its parameters. This will change the name of the security level to Custom. Let us look at an example when preconfigured security level settings may need to be modified. Example: Your computer connects to the Internet via a modem. It is not on a corporate LAN, and you have no anti-virus protection for incoming HTTP traffic. Due to the nature of your work, you regularly download large files from the Internet. Scanning files like these takes up, as a rule, a fair amount of time. How do you optimally protect your computer from infection through HTTP traffic or a script? Tip for selecting a level: Judging from this basic information, we can conclude that your computer is running in a sensitive environment, and you are at high risk for infection

102

Kaspersky Anti-Virus 7.0

through HTTP traffic, because there is no centralized web protection and due to the use of dial-up to connect to the Internet. It is recommended that you use Maximum Protection as your starting point, with the following changes: you are advised to limit the caching time for file fragments during the scan. To modify a preinstalled security level: 1. 2. 3. Open the application settings window and select Web Anti-Virus under Protection. Click on Customize under Security Level (see Figure 31). Edit browsing protection parameters in the resulting window and click OK.

9.2. Configuring Web Anti-Virus

Web Anti-Virus scans all objects that are loaded on your computer via the HTTP protocol, and monitors any WSH scripts (JavaScript or Visual Basic Scripts, etc.) that are run. You can configure Web Anti-Virus settings to increase component operation speed, specifically: Configuring general scan settings (see 9.2.1 on pg. 102) Create a list of trusted web addresses (see 9.2.2 on pg. 104) Enable / disable heuristic analysis (see 9.2.3 on pg. 104) It is also possible to select the actions that Web Anti-Virus will take in response to discovering dangerous HTTP objects. The following sections examine these settings in detail.

9.2.1. General scan settings

To increase its success in detecting malicious code, Web Anti-Virus caches fragments of objects downloaded from the Internet. When using this method, Web Anti-Virus only scans an object after it has downloaded it completely. The object is then analyzed for viruses and, pursuant to the results, the program returns the object to the user or blocks it. However, using caching increases object processing time and the time before the program returns objects to the user, and can also cause problems when co-

Web Anti-Virus

103

pying and processing large objects because of the connection with the HTTP client timing out. We suggest limiting the caching time for web object fragments downloaded from the Internet to solve this problem. When this time limit expires, the user will receive the downloaded part of the file without it being scanned, and once the object is fully copied, it will be scanned in its entirety. This can deliver the object to the user faster and solve the problem of interrupting the connection without reducing security while using the Internet. By default, caching time for file fragments is limited to one second. Increasing this value or deselecting the caching time limit will lead to better anti-virus scans, but somewhat slower delivery of the object. To limit the caching time for file fragments or remove the limit: 1. 2. 3. Open the application settings window and select Web Anti-Virus under Protection. Click on the Customize button in the Security Level area (see Figure 31). In the window that opens (see Figure 32), select the option you want in the Scan settings section.

Figure 32. Selecting the web security level

104

Kaspersky Anti-Virus 7.0

9.2.2. Creating a trusted address list

You have the option of creating a list of trusted addresses whose contents you fully trust. Web Anti-Virus will not analyze data from those addresses for dangerous objects. This option can be used in cases where Web Anti-Virus repeatedly blocks the download of a particular file. To create a list of trusted addresses: 1. 2. 3. Open the application settings window and select Web Anti-Virus under Protection. Click on the Customize button under Security Level (see Figure 31). In the window that opens (see Figure 32), create a list of trusted servers in the Trusted URLs section. To do so, use the buttons to the right of the list.

When entering a trusted address, you can create masks with the following wildcards: * any combination of characters. Example: If you create the mask *abc*, no URL contain abc will be scanned. For example: www.virus.com/download_virus/page_0-9abcdef.html ? any single character. Example: If you create mask Patch_123?.com, URLs containing that series of characters plus any single character following the 3 will not be scanned. For example: Patch_1234.com However, patch_12345.com will be scanned. If an * or ? is part of an actual URL added to the list, when you enter them, you must use a backslash to override the * or ? following it. Example: You want to add this following URL to the trusted address list: www.virus.com/download_virus/virus.dll?virus_name= For Kaspersky Anti-Virus not to process ? as a wildcard, put a backslash ( \ ) in front of it. Then the URL that you are adding to the exclusion list will be as follows: www.virus.com/download_virus/virus.dll\?virus_name=

9.2.3. Using Heuristic Analysis

Heuristic methods are utilized by several real-time protection components and virus scan tasks (see 7.2.4 at p. 82 for more detail). Heuristic methods of detecting new threats may be enabled / disabled for the Web Anti-Virus component using the Heuristic Analyzer tab. This requires that the following steps be performed:

Web Anti-Virus

105

1. 2. 3.

Open the application settings window and select Web Anti-Virus under Protection. Click the Customize button in the Security Level area. Select Heuristic Analyzer tab in the resulting dialog (see Figure 33).

To use heuristic methods, check Use Heuristic Analyzer. In addition, scan resolution may be set by moving the slider to one of the following settings: Shallow, Medium, or Detail.

Figure 33. Using Heuristic Analysis

9.2.4. Restoring default Web Anti-Virus settings

When configuring Web Anti-Virus, you can always return to the default performance settings, which Kaspersky Lab considers to be optimal and has combined as the Recommended security level. To restore the default Web Anti-Virus settings: 1. Open the application settings window and select Web Anti-Virus under Protection.

106

Kaspersky Anti-Virus 7.0

Click the Default button under Security Level (see Figure 31).

9.2.5. Selecting responses to dangerous objects

If analyzing an HTTP object shows that it contains malicious code, the Web AntiVirus response depends on the actions you select. To configure Web Anti-Virus reactions to detecting a dangerous object: open the application settings window and select Web Anti-Virus under Protection. The possible responses for dangerous objects are listed in the Action section (see Figure 34). By default, when a dangerous HTTP object is detected, Web Anti-Virus displays a warning on the screen and offers a choice of several actions for the object.

Figure 34. Selecting actions for dangerous scripts

The possible options for processing dangerous HTTP objects are as follows. If the action selected was Prompt for action If a dangerous object is detected in the HTTP traffic Web Anti-Virus will issue a warning message containing information about what malicious code has potentially infected the object, and will give you a choice of responses. Web Anti-Virus will block access to the object and will display a message on screen about blocking it. Similar information will be recorded in the report (see 15.3 on pg. 163). Web Anti-Virus will grant access to the object. This information is logged in the report.

Block

Allow

Web Anti-Virus

107

Web Anti-Virus always blocks dangerous scripts, and issues popup messages that inform the user of the action taken. You cannot change the response to a dangerous script, other than by disabling the script scanning module.

CHAPTER 10. PROACTIVE DEFENSE

Warning! There is no Application Integrity Control component in this version of the application for computers running Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista or Microsoft Windows Vista x64. Kaspersky Anti-Virus protects you both from known threats and from new ones about which there is no information in the application databases. This is ensured by a specially developed component Proactive Defense. The need for Proactive Defense has grown as malicious programs have begun to spread faster than anti-virus updates can be released to neutralize them. The reactive technique, on which anti-virus protection is based, requires that a new threat infect at least one computer, and requires enough time to analyze the malicious code, add it to the application database and update the database on user computers. By that time, the new threat might have inflicted massive damages. The preventative technologies provided by Kaspersky Anti-Virus Proactive Defense do not require as much time as the reactive technique, and neutralize new threats before they harm your computer. How is this done? In contrast with reactive technologies, which analyze code using an application database, preventive technologies recognize a new threat on your computer by a sequence of actions executed by a certain program. The application installation includes a set of criteria that can help determine how dangerous the activity of one program or another is. If the activity analysis shows that a certain programs actions are suspicious, Kaspersky Anti-Virus will take the action assigned by the rule for activity of the specific type. Dangerous activity is determined by the total set of program actions. For example, when actions are detected such as a program copying itself to network resources, the startup folder, or the system registry, and then sending copies of itself, it is highly likely that this program is a worm. Dangerous behavior also includes: Changes to the file system Modules being embedded in other processes Masking processes in the system Modification of certain Microsoft Window system registry keys

Proactive Defense

109

Proactive Defense tracks and blocks all dangerous operations by using the set of rules together with a list of excluded applications. In operation, Proactive Defense uses a set of rules included with the program, as well as rules created by the user while using the program. A rule is a set of criteria that determine a set of suspicious behaviors and Kaspersky Anti-Virus's reaction to them. Individual rules are provided for application activity and monitoring changes to the system registry and programs run on the computer. You can edit the rules at your own discretion by adding, deleting, or editing them. Rules can block actions or grant permissions. Lets examine the Proactive Defense algorithms: 1. Immediately after the computer is started, Proactive Defense analyzes the following factors, using the set of rules and exclusions: Actions of each application running on the computer. Proactive Defense records a history of actions taken in order and compares them with sequences characteristic of dangerous activity (a data-

110

Kaspersky Anti-Virus 7.0

base of dangerous activity types comes with Kaspersky Anti-Virus and is updated with the application databases). Integrity of the program modules of the programs installed on your computer, which helps avoid application modules being substituted for malicious code embedded in them. Each attempt to edit the system registry by deleting or adding system registry keys, entering strange values for keys in an inadmissible format that prevents them from being viewed or edited, etc.). 2. 3. The analysis is conducted using allow and block rules from Proactive Defense. After the analysis, the following courses of action are available: If the activity satisfies the conditions of the Proactive Defense allow rule or does not match any of the block rules, it is not blocked. If the activity is ruled as dangerous on the basis of the relevant criteria, the next steps taken by the component match the instructions specified in the rule: usually the activity is blocked. A message will be displayed on the screen specifying the dangerous program, its activity type, and a history of actions taken. You must accept the decision, block, or allow this activity on your own. You can create a rule for the activity and cancel the actions taken in the system. If the user does not take any actions when a Proactive Defense notification appears, after a time the program will apply the default action recommended for that threat. The recommended action can be different for different threat types. The categories of settings (see Figure 35) for the Proactive Defense component are as follows: Whether application activity is monitored on your computer This Proactive Defense feature is enabled by checking the box Enable Application Activity Analyzer. By default the analyzer is enabled providing a strict analysis of actions performed by any program running on the host. You can configure the order in which applications are processed (see 10.1 on pg. 112) for that activity. You can also create Proactive Defense exclusions, which will stop the monitoring of selected applications. Whether Application Integrity Control is enabled This feature is responsible for the integrity of application modules (dynamic link libraries, or DLLs) installed on your computer, and is enabled by checking the box Enable Application Integrity Control box. Integrity is tracked by monitoring the checksum of the application mod-

Proactive Defense

111

ules, and of the application itself. You can create rules (see 10.2 on pg. 115) for monitoring the integrity of modules from any application. To do so, add that application to the list of monitored applications.

Figure 35. Proactive Defense settings

This Proactive Defense component is not available under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista or Microsoft Windows Vista x64. Whether system registry changes are monitored By default, Enable Registry Guard is checked, which means Kaspersky Anti-Virus analyzes all attempts to make changes to the Microsoft Windows system registry keys. You can create your own rules (see 10.3.2 on pg. 122) for monitoring the registry, depending on the registry key. You can configure exclusions (see 6.9.1 on pg. 65) for Proactive Defense modules and create a trusted application list (see 6.9.2 on pg. 70). The following sections examine these aspects in more detail.

112

Kaspersky Anti-Virus 7.0

10.1. Activity Monitoring Rules

Note that configuring application control under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista or Microsoft Windows Vista x64 differs from the configuration process on other operating systems. Information about configuring activity control for these operating systems is provided at the end of this section. Kaspersky Anti-Virus monitors application activity on your computer. The application includes a set of event descriptions that can be tracked as dangerous. A monitoring rule is created for each such event. If the activity of any application is classified as a dangerous event, Proactive Defense will strictly adhere to the instructions stated in the rule for that event. Select the Enable Application Activity Analyzer checkbox if you want to monitor the activity of applications. Let's take a look a several types of events that occur in the system that the application will track as suspicious: Dangerous behavior. Kaspersky Anti-Virus analyzes the activity of applications installed on your computer, and based on the list of rules created by Kaspersky Lab, detects dangerous or suspicious actions by the programs. Such actions include, for example, masked program installation, or programs copying themselves. Launching Internet browser with parameters. By analyzing this type of activity, you can detect attempts to open a browser with settings. This activity is characteristic of opening a web browser from an application with certain command prompt settings: for example, when you click a link to a certain URL in an advertisement e-mail. Intrusion into process (invaders) adding executable code or creating an additional stream to the process of a certain program. This activity is widely used by Trojans. Rootkit detection. A rootkit is a set of programs used to mask malicious programs and their processes in the system. Kaspersky Anti-Virus analyzes the operating system for masked processes. Window hooks. This activity is used in attempts to read passwords and other confidential information displayed in operating system dialog boxes. Kaspersky Anti-Virus traces this activity if attempts are made to intercept data transferred between the operating system and the dialog box.

Proactive Defense

113

Suspicious values in registry. The system registry is a database for storing system and user settings that control the operation of Microsoft Windows, as well as any utilities established on the computer. Malicious programs, attempting to mask their presence in the system, copy incorrect values in registry keys. Kaspersky Anti-Virus analyzes system registry entries for suspicious values. Suspicious system activity. The program analyzes actions executed by the Microsoft Windows operating system and detects suspicious activity. An example of suspicious activity would be an integrity breach, which involves modifying one or several modules in a monitored application since the time it was last run. Keylogger detection. This activity is used in attempts by malicious programs to read passwords and other confidential information which you have entered using your keyboard. The list of dangerous activities can be extended automatically by the Kaspersky Anti-Virus update process, but it cannot be edited by the user. You can: Turn off monitoring for an activity by deselecting the next to its name.

Edit the rule that Proactive Defense uses when it detects a dangerous activity. Create an exclusion list (see 6.9 on pg. 64) by listing applications that you do not consider dangerous. To configure activity monitoring, 1. 2. Open the application settings window and select Proactive Defense under Protection. Click the Settings button in the Application Activity Analyzer section (see Figure 35).

The types of activity that Proactive Defense monitors are listed in the Settings: Application Activity Analyzer window (see Figure 36).

114

Kaspersky Anti-Virus 7.0

Figure 36. Configuring application activity control

To edit a dangerous activity monitoring rule, select it from the list and assign the rule settings in the lower part of the tab: Assign the Proactive Defense response to the dangerous activity. You can assign any of the following actions as a response: allow, prompt for action, and terminate process. Left-click on the link with the action until it reaches the value that you need. In addition to stopping the process, you can place the application that initiated the dangerous activity in Quarantine. To do so, use the On / Off link across from the appropriate setting. You can assign a time value for how frequently the scan will run for detecting hidden processes in the system. Choose if you want to generate a report on the operation carried out. To do so, click on the Log link until it shows On or Off as required. To turn off monitoring for a dangerous activity, uncheck the next to the name in the list. Proactive Defense will no longer analyze that type of activity. Specifics of configuring application activity control in Kaspersky Anti-Virus under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, or Microsoft Windows Vista x64: If you are running one of the operating systems listed above, only one type of system event is controlled, dangerous behavior. Kaspersky Anti-Virus analyses the activity of applications installed on the computer and detects dangerous or

Proactive Defense

115

suspicious activities basing on the list of rules, created by Kaspersky Lab specialists. If you want Kaspersky Anti-Virus to monitor the activity of system processes in addition to user processes, select the Watch system user accounts checkbox (see Figure 37). This option is disabled by default. User accounts control access to the system and identify the user and his/her work environment, which prevents other users from corrupting the operating system or data. System processes are processes launched by system user accounts.

Figure 37. Configuring application activity control for Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, Microsoft Windows Vista x64

10.2. Application Integrity Control

This Proactive Defense component does not work under Microsoft Windows XP Professional x64 Edition, or Microsoft Windows Vista or Microsoft Windows Vista x64. There are a number of programs that are critical for the system that could be used by malicious programs to distribute themselves, such as browsers, mail clients, etc. As a rule, these are system applications and processes used for accessing the Internet, working with email and other documents. It is for this reason that these applications are considered critical in activity control.

116

Kaspersky Anti-Virus 7.0

Proactive Defense monitors critical applications and analyzes their activity, integrity of the modules of those applications, and observes other processes which they spawn. Kaspersky Anti-Virus comes with a list of critical applications, each of which has its own monitoring rule to control application activity. You can extend this list of critical applications, and delete or edit the rules for the applications on the list provided. Besides the list of critical applications, there is a set of trusted modules allowed to be opened in all controlled applications. For example, modules that are digitally signed by the Microsoft Corporation. It is highly unlikely that the activity of applications that include such modules could be malicious, so it is not necessary to monitor them closely. Kaspersky Lab specialists have created a list of such modules to lighten the load on your computer when using Proactive Defense. Components with Microsoft-signed signatures are automatically designated as trusted applications. If necessary, you can add or delete components from the list. The monitoring of processes and their integrity in the system is enabled by checking the box Enable Application Integrity Control in the Proactive Defense settings window: by default, the box is unchecked. If you enable this feature, each application or application module opened is checked against the critical and trusted applications list. If the application is on the list of critical applications, its activity is controlled by Proactive Defense in accordance with the rule created for it. To configure Application Integrity Control: 1. 2. Open the application settings window and select Proactive Defense under Protection. Click the Settings button in the Application Integrity Control box (see Figure 35).

Lets examine working with critical and trusted processes in greater detail.

10.2.1. Configuring Application Integrity Control rules

Critical applications are executable files of programs which are extremely important to monitor, since malicious files uses such programs to distribute themselves. A list of them was created when the application was installed, and is shown on the Critical applications tab (see Figure 38): each application has its own monitoring rule. A monitoring rule is created for each such application to regulate its behavior. You can edit existing rules and create your own.

Proactive Defense

117

Proactive Defense analyzes the following operations involving critical applications: their launch, changing the makeup of application modules, and starting an application as a child process. You can select the Proactive Defense response to each of the operations listed (allow or block the operation), and also specify whether to log component activity in the component report. The default settings allow most critical operations are allowed to start, be edited, or be started as child processes. To add an application to the critical application list and create a rule for it: 1. Click Add on the Critical applications tab. A context menu will open: click Browse to open the standard file selection window, or click Applications to see a list of currently active applications and select one of them as necessary. The new application will be added to the top of the list, and allow rules (i.e. all activities are allowed) will be created for it by default. When that application is first started, the modules that it accesses will be added to the list, and those modules will similarly be given allow rules.

Figure 38. Configuring Application Integrity Control

Select a rule on the list and assign rule settings in the lower portion of the tab:

118

Kaspersky Anti-Virus 7.0

Define the Proactive Defense response to attempts to execute the critical application, change its makeup, or start it as a child process. You can use any of these actions as a response: allow, prompt for action, or block. Left-click on the action link until it reaches the value that you need. Choose if you want to generate a report about the activity, by clicking log / do not log. To turn off the monitoring of an applications activity, uncheck the name. next to its

Use the Details button to view a detailed list of modules for the application selected. The Settings: Application Integrity modules window contains a list of the modules that are used when a monitored application is started and make up the application. You can edit the list using the Add and Delete buttons in the right-hand portion of the window. You can also allow any controlled application modules to load or block them. By default, an allow rule is created for each module. To modify the action, select the module from the list and click the Modify button. Select the needed action in the window that opens. Note that Kaspersky Anti-Virus trains the first time you run the controlled application after installing it until you close that application. The training process produces a list of modules used by the application. Integrity Control rules will be applied the next time you run the application.

10.2.2. Creating a list of common components

Kaspersky Anti-Virus includes a list of common components which are allowed to be embedded into all controlled applications. You will find this list on the Trusted modules tab (see Figure 39). It includes modules used by Kaspersky Anti-Virus, Microsoft-signed components: components can be added or removed by the user. If you install programs on your computer, you can ensure that those with modules signed by Microsoft are automatically added to the trusted modules list. To do this, check Automatically add components signed by Microsoft Corporation to this list. Then if a controlled application attempts to load the Microsoft-signed module, Proactive Defense will automatically allow the module to load without checking, and add it to the list of shared components.

Proactive Defense

119

To add to the trusted module list, click Add and in the standard file selection window, and select the module.

Figure 39. Configuring the trusted module list

10.3. Registry Guard

One of the goals of many malicious programs is to edit the Microsoft Windows system registry on your computer. These can either be harmless jokes, or more dangerous malware that presents a serious threat to your computer. For example, malicious programs can copy their information to the registry key that makes applications open automatically on startup. Malicious programs will then automatically be started when the operating system boots up. The special Proactive Defense module traces modifications of system registry objects. You can turn this module on or off by checking the box Enable Registry Guard. To configure system registry monitoring: 1. Open the application settings window and select Proactive Defense under Protection.

120

Kaspersky Anti-Virus 7.0

Click the Settings button in the Registry Guard section (see Figure 35).

Kaspersky Lab has created a list of rules that control registry file operations, and have included it in the program. Operations with registry files are categorized into logical groups such as System Security, Internet Security, etc. Each such group lists system registry files and rules for working with them. This list is updated when the rest of the application is updated. The Registry Guard settings window (see Figure 40) displays the complete list of rules. Each group of rules has an execution priority that you can raise or lower, using the Move Up and Move Down buttons. The higher the group is on the list, the higher the priority assigned to it. If the same registry file falls under several groups, the first rule applied to that file will be the one from the group with the higher priority. You can stop using any group of rules in the following ways: Uncheck the box next to the groups name. Then the group of rules will remain on the list but will not be used. Delete the group of rules from the list. We do not recommend deleting the groups created by Kaspersky Lab, since they contain a list of system registry files most often used by malicious programs.

Figure 40. Controlled registry key groups

You can create your own groups of monitored system registry files. To do so, click Add in the file group window.

Proactive Defense

121

Take these steps in the window that opens: 1. 2. Enter the name of the new file group for monitoring system registry keys in the Group name field. Select the Keys tab, and create a list of registry files that will be included in the monitored group (see 10.3.1 on pg. 121) for which you want to create rules. This could be one or several keys. Select the Rules tab, and create a rule for files (see 10.3.2 on pg. 122) that will apply to the keys selected on the Keys tab. You can create several rules and set the order in which they are applied.

10.3.1. Selecting registry keys for creating a rule

The file group created should contain at least one system registry file. The Keys tab provides a list of files for the rule. To add a system registry file: 1. 2. 3. 4. Click on the Add button in the Edit group window (see Figure 41). In the window that opens, select the registry file, or folder of files, for which you want to create the monitoring rule. Specify an object value or mask for the group of objects, to which you want the rule to apply in the Value field. Check Including subkeys for the rule to apply to all files attached to the listed registry file.

You only need to use masks with an asterisk and a question mark at the same time as the Include subkeys feature if the wildcards are used in the name of the key. If you select a folder of registry files using a mask and specify a specific value for it, the rule will be applied to that value for any key in the group selected.

122

Kaspersky Anti-Virus 7.0

Figure 41. Adding controlled registry keys

10.3.2. Creating a Registry Guard rule

A Registry Guard rule specifies: The program whose access to the system registry is being monitored Proactive Defenses response when a program attempts to execute an operation with a system registry files To create a rule for your selected system registry files: 1. 2. Click New on the Rules tab. The new rule will be added at the top of the list (see Figure 42). Select a rule on the list and assign the rule settings in the lower portion of the tab: Specify the application.

Proactive Defense

123

The rule is created for any application by default. If you want the rule to apply to a specific application, left-click on any and it will change to this. Then click on the specify application name link. A context menu will open: click Browse to see the standard file selection window, or click Applications to see a list of open applications, and select one of them as necessary. Define the Proactive Defense response to the selected application attempting to read, edit, or delete system registry files. You can use any of these actions as a response: allow, prompt for action, and block. Left-click on the link with the action until it reaches the value that you need. Choose if you want to generate a report on the operation carried out, by clicking on the log / do not log link.

Figure 42. Creating an registry key monitoring rule

You can create several rules, and order their priority using the Move Up and Move Down buttons. The higher the rule is on the list, the higher the priority assigned to it will be.

124

Kaspersky Anti-Virus 7.0

You can also create an allow rule (i.e. all actions are allowed) for a system registry object from a notification window stating that a program is trying to execute an operation with an object. To do so, click Create allow rule in the notification and specify the system registry object that the rule will apply to in the window that opens.

CHAPTER 11. SCANNING COMPUTERS FOR VIRUSES

One of the important aspects of protecting your computer is scanning userdefined areas for viruses. Kaspersky Anti-Virus can scan individual items files, folders, disks, removable devices or the entire computer. Scanning for viruses stops malicious code which has gone undetected by real-time protection components from spreading. Kaspersky Anti-Virus includes the following default scan tasks: Critical Areas Scans all critical areas of the computer for viruses, including: system memory, programs loaded on startup, boot sectors on the hard drive, and the Windows and system32 system directories. The task aims to detect active viruses quickly on the system without fully scanning the computer. My Computer Scans for viruses on your computer with a thorough inspection of all disk drives, memory, and files. Startup Objects Scans for viruses all programs loaded when the operating system boots. Rootkit Scans (Rootkits) Scans the computer for rootkits that hide malicious programs in the operating system. These utilities injected into system, hiding their presence and the presence of processes, folders, and registry keys of any malicious programs described in the configuration of the rootkit. The default settings for these tasks are the recommended ones. You can edit these settings (see 11.4 on pg. 129) or create a schedule (see 6.6 on pg. 60) for running tasks. You also have the option of creating your own tasks (see 11.3 on pg. 128) and creating a schedule for them. For example, you can schedule a scan task for mailboxes once per week, or a virus scan task for the My Documents folder. In addition, you can scan any object for viruses (for example, the hard drive where programs and games are, e-mail databases that you've brought home from work, an archive attached to an e-mail, etc.) without creating a special scan task. You can select an object to scan from the Kaspersky Anti-Virus interface, or

126

Kaspersky Anti-Virus 7.0

with the standard tools of the Microsoft Windows operating system (for example, in the Explorer program window or on your Desktop). You can view a complete list of virus scan tasks for your computer by clicking on Scan in the left-hand pane of the main application window. You can create a rescue disk (see 15.4 on pg. 171) designed to help recover the system following a virus attack resulting in operating system file damage and boot failure. To accomplish this, click on Create Rescue Disk.

11.1. Managing virus scan tasks

You can run a virus scan task manually or automatically using a schedule (see 6.7 on pg. 61). To start a virus scan task manually: Select the task under Scan in the application main window and click Start Scan. The tasks currently being performed are displayed in the context menu by right-clicking on the application icon in the taskbar notification area. To pause a virus scan task: Select the under Scan in the application main window and click Pause. This will pause the scan until you start the task again manually or it starts again automatically according to the schedule. For manually task start click Resume. To stop a task: Select under Scan in the application main window and click Stop. This will stop the scan until you start the task again manually or it starts again automatically according to the schedule. The next time you run the task, the program will ask if you would like to continue the task where it stopped or begin it over.

11.2. Creating a list of objects to scan

To view a list of objects to be scanned for a particular task, select the task name (for example, My computer) in the Scan section of main program window. The list of objects will be displayed in the right-hand part of the window (see Figure 43).

Scanning computers for viruses

127

Figure 43. List of objects to scan

Object scan lists are already made for default tasks created when you install the program. When you create your own tasks or select an object for a virus scan task, you can create a list of objects. You can add to or edit an object scan list using the buttons to the right of the list. To add a new scan object to the list, click the Add button, and in the window that opens select the object to be scanned. For the user's convenience, you can add categories to a scan area such as user mailboxes, RAM, startup objects, operating system backup, and files in the Kaspersky Anti-Virus Quarantine folder. In addition, when you add a folder that contains embedded objects to a scan area, you can edit the recursion. To accomplish this, select an object from the list of objects to be scanned, open the context menu, and use the Include Subfolders option. To delete an object, select it from the list (object name will be highlighted in grey) and click Delete. Scans of certain objects may be temporarily disabled for some tasks without the objects themselves being deleted from the list. Simply uncheck the object to be skipped. To start a task, click Start Scan. In addition, you can select an object to be scanned with the standard tools of the Microsoft Windows operating system (for example, in the Explorer program window or on your Desktop, etc.) (see Figure 44). To do so, select the object, open the Microsoft Windows context menu by right-clicking, and select Scan for viruses.

128

Kaspersky Anti-Virus 7.0

Figure 44. Scanning objects from the Microsoft Windows context menu

11.3. Creating virus scan tasks

To scan objects on your computer for viruses, you can use built-in scan tasks included with the program and create your own tasks. New scan tasks are created using existing tasks that a template. To create a new virus scan task: 1. 2. 3. Select a task whose settings are closest to your requirements under Scan in the application main window. Open context menu and select Save As or click on New Scan Task. Enter the name for the new task in the window that opens and click OK. A task with that name will then appear in the list of tasks in the Scan section of the main program window.

Warning! There is a limit to the number of tasks that the user can create. The maximum is four tasks. The new task is a copy of the one it was based on. You need to continue setting it up by creating an scan object list (see 11.2 on pg. 126), setting up properties that govern the task (see 11.4 on pg. 129), and, if necessary, configuring a schedule (see 6.6 on pg. 60) for running the task automatically.

Scanning computers for viruses

129

To rename an existing task: select the task under Scan in the application main window and click Rename. Enter the new name for the task in the window that opens and click OK. The task name will also be changed in the Scan section. To delete an existing task: select the task under Scan in the application main window and click Delete. You will be asked to confirm that that you want to delete the task. The task will then be deleted from the list of tasks in the Scan section. Warning! You can only rename and delete tasks that you have created.

11.4. Configuring virus scan tasks

The methods are used to scan objects on your computer are determined by the properties assigned for each task. To configure task settings: open application settings window, select task name under Scan, and use the Settings link. You can use the settings window for each task to: Select the security level that the task will use (see 11.4.1 on pg. 130) Edit advanced settings: define what file types are to be scanned for viruses (see 11.4.2 on pg. 131) configure task start using a different user profile (see 6.6 on pg. 60) configure advanced scan settings (see 11.4.3 on pg. 133) enable rootkit scans (see 11.4.4 on pg. 135) and the heuristic analyzer (see 11.4.5 on pg. 136); restore default scan settings (see 11.4.6 on pg. 137) select an action that the program will apply when it detects an infected or potentially infected object (see 11.4.7 on pg. 137) create a schedule (see 6.7 on pg. 61) to run tasks automatically.

130

Kaspersky Anti-Virus 7.0

In addition, you can configure global settings (see 11.4.8 on pg. 139) for running all tasks. The following sections examine the task settings listed above in detail.

11.4.1. Selecting a security level

Each virus scan task can be assigned a security level (see Figure 45): Maximum Protection the most complete scan of the entire computer or individual disks, folders, or files. You are advised to use this level if you suspect that a virus has infected your computer. Recommended Kaspersky Lab experts recommend this level. The same files will be scanned as for the Maximum Protection setting, except for email databases. High Speed level with settings that let you comfortably use resource-intensive applications, since the scope of files scanned is reduced.

Figure 45. Selecting a virus scan security level

By default, the File Anti-Virus security level is set to Recommended. You can raise or lower the scan security level by selecting the level you want or changing the settings for the current level. To edit the security level: Adjust the sliders. By adjusting the security level, you define the ratio of scan speed to the total number of files scanned: the fewer files are scanned for viruses, the higher the scan speed. If none of the file security levels listed meet your needs, you can customize the protection settings. It is recommended that you select a level closest to your requirements as basis and edit its parameters. This will change the name of the security level to Custom. To modify the settings for a security level: 1. Open application settings window and select a scan task under Scan.

Scanning computers for viruses

131

2. 3.

Click on Customize under Security Level (see Figure 45). Edit file protection parameters in the resulting window and click OK.

11.4.2. Specifying the types of objects to scan

By specifying the types of objects to scan, you establish which file formats, files sizes, and drives will be scanned for viruses when this task runs. The file types scanned are defined in the File types section (see Figure 46). Select one of the three options: Scan all files. With this option, all objects will be scanned without exception. Scan programs and documents (by content). If you select this group of programs, only potentially infected files will be scanned files into which a virus could imbed itself. Note: There are files in which viruses cannot insert themselves, since the contents of such files does not contain anything for the virus to hook onto. An example would be .txt files. And vice versa, there are file formats that contain or can contain executable code. Examples would be the formats .exe, .dll, or .doc. The risk of insertion and activation of malicious code in such files is fairly high. Before searching for viruses in an object, its internal header is analyzed for the file format (txt, doc, exe, etc.). Scan programs and documents (by extension). In this case, the program will only scan potentially infected files, and in doing so, the file format will be determined by the filenames extension. Using the link, you can review a list of file extensions that are scanned with this option (see A.1 on pg. 213). Tip: Do not forget that someone could send a virus to your computer with the extension .txt that is actually an executable file renamed as a .txt file. If you select the Scan Programs and documents (by extension) option, the scan would skip such a file. If the Scan Programs and documents (by contents) is selected, the program will analyze file headers, discover that the file is an .exe file, and thoroughly scan it for viruses.

132

Kaspersky Anti-Virus 7.0

Figure 46. Configuring scan settings

In the Productivity section, you can specify that only new files and those that have been modified since the previous scan or new files should be scanned for viruses. This mode noticeably reduces scan time and increases the programs performance speed. To do so, you must check Scan only new and changed files. This mode extends to simple and compound files. You can also set time and file size limits for scanning in the Productivity section. Stop if scan takes longer than... sec. Check this option and enter the maximum scan time for an object. If this time is exceeded, this object will be removed from the scan queue. Do not scan archives larger than MB. Check this option and enter the maximum size for an object. If this size is exceeded, this object will be removed from the scan queue. In the Compound files section, specify which compound files will be analyzed for viruses: Scan all/new only archives scan .rar, .arj, .zip, .cab, .lha, .jar, and .ice archives.

Scanning computers for viruses

133

Warning! Kaspersky Anti-Virus does not delete compressed file formats that it does not support (for example, .ha, .uue, .tar) automatically, even if you select the option of automatically curing or deleting if the objects cannot be cured. To delete such compressed files, click the Delete archives link in the dangerous object detection notification. This notification will be displayed on the screen after the program begins processing objects detected during the scan. You can also delete infected archives manually. Scan all/new only embedded OLE objects scan objects imbedded in files (for example, Excel spreadsheets or a macro imbedded in a Microsoft Word file, email attachments, etc.). You can select and scan all files or only new ones for each type of compound file. To do so, use the link next to the name of the object. It changes its value when you left-click on it. If the Productivity section has been set up only to scan new and modified files, you will not be able to select the type of compound files to be scanned. Parse email formats scan email files and email databases. If this checkbox is selected, Kaspersky Anti-Virus will parse the mail file and analyze every component of the e-mail (body, attachments) for viruses. If this checkbox is deselected, the mail file will be scanned as a single object. Please note, when scanning password-protected email databases: Kaspersky Anti-Virus detects malicious code in Microsoft Office Outlook 2000 databases but does not disinfect them; Kaspersky Anti-Virus does not support scans for malicious code in Microsoft Office Outlook 2003 protected databases. Scan password-protected archives scans password protected archives. With this feature, a window will request a password before scanned archived objects. If this box is not checked, password-protected archives will be skipped.

11.4.3. Additional virus scan settings

In addition to configuring the basic virus scan settings, you can also use additional settings (see Figure 47): Use iChecker technology enable technology that can increase the scan speed by excluding certain objects from the scan. An object is excluded from the scan using a special algorithm that takes into account the release date of

134

Kaspersky Anti-Virus 7.0

the application databases, the date the object was last scanned, and modifications to scan settings.

Figure 47. Advanced scan settings

For example, you have an archived file that the program scanned and assigned the status of not infected. The next time, the program will skip this archive, unless it has been modified or the scan settings have been changed. If the structure of the archive has changed because a new object has been added to it, if the scan settings have changed, or if the application databases have been updated, the program will scan the archive again. There are limitations to iChecker: it does not work with large files and only applies to objects with a structure that Kaspersky Anti-Virus recognizes (for example, .exe, .dll, .lnk, .ttf, .inf, .sys, .com, .chm, .zip, .rar). Use iSwift technology This technology is a development of iChecker technology for computers using an NTFS file system. There are limitations to iSwift: it is bound to a specific location for the file in the file system and can only be applied to objects in an NTFS file system. Register information about dangerous objects in application statistics save information on dangerous objects detected in the applications overall statistics and display a list of threats on the Detected tab of the report win-

Scanning computers for viruses

135

dow (see para. 15.3.2 on pg. 166). If this box is unchecked, dangerous object data will not be recorded in the report; therefore, these objects will be impossible to process. Concede resources to other applications pause that virus scan task if the processor is busy with other applications.

11.4.4. Scanning for rootkits

A rootkit is a collection of utilities used to conceal malicious programs within the operating system. These utilities infiltrate the operating system, masking both their own presence and the presence of processes, folders, and registry keys belonging to any malware described in the rootkits configuration. Rootkit scans may be performed by any virus scan task (provided this option is enabled for the specific task); however, Kaspersky Lab experts have created and optimized a separate scan task to look for this type of malware. To enable scanning for rootkits, check Enable rootkit detection under Rootkit Scan. If scanning is enabled, an in-depth rootkit scan level may be requested by checking Enable extended rootkit scan. If you do so, the scan will carefully search for these programs by analyzing a large number of various objects. These checkboxes are deselected by default, since this mode requires significant operating system resources. To configure rootkit scans: 1. 2. Open application settings window and select a task under Scan. Click Customize under Security Level (see Figure 45) and select the Heuristic Analyzer tab in the resulting window (see Figure 48).

136

Kaspersky Anti-Virus 7.0

Figure 48. Configuring rootkit scans and heuristic methods

11.4.5. Using heuristic methods

Heuristic methods are utilized by several real-time protection components and virus scan tasks (see 7.2.4 at p. 82 for more detail). The Heuristic Analyzer tab (see Figure 48) may be used to disable / enable virus scan heuristic analysis for unknown threats. This requires that the following steps be performed: 1. 2. Open the application settings window and select a task under Scan. Click on Customize under Security Level and open the Heuristic Analyzer tab in the resulting dialog.

To use heuristic methods, check Use Heuristic Analyzer. An additional level of granularity may be set for the scan by moving the slider to one of the following settings: shallow, medium, or detail.

Scanning computers for viruses

137

11.4.6. Restoring default scan settings

When configuring scan task settings, you can always return to the recommended settings. Kaspersky Lab considers them to be optimal and has combined them in the Recommended security level. To restore the default virus scan settings: 1. 2. Open the application settings window and select a task under Scan. Click the Default button under Security Level (see Figure 45).

11.4.7. Selecting actions for objects

If a file is found to be infected or suspicious during a scan, the programs next steps depend on the object status and the action selected. One of the following statuses can be assigned to the object after the scan: Malicious program status (for example, virus, Trojan). Potentially infected, when the scan cannot determine whether the object is infected. It is likely that the program detected a sequence of code in the file from an unknown virus or modified code from a known virus. By default, all infected files are disinfected, and if they are potentially infected, they are sent to Quarantine. To edit an action for an object: open the application settings window and select a task under Scan. All possible actions are shown in the relevant section (see Figure 49).

Figure 49. Selecting actions for dangerous objects

138

Kaspersky Anti-Virus 7.0

If the action selected was

When it detects a malicious or potentially infected object The program does not process the objects until the end of the scan. When the scan is complete, the statistics window will pop up with a list of objects detected, and you will be asked if you want to process the objects. The program will issue a warning message containing information about what malicious code has infected or potentially infected the file, and gives you the choice of one of the following actions. The program records information about objects detected in the report without processing them or notifying the user. You are advised not to use this feature, since infected and potentially infected objects stay on your computer and it is practically impossible to avoid infection. The program attempts to treat the object detected without asking the user for confirmation. If disinfection fails, the file will be assigned the status of potentially infected, and it will be moved to Quarantine (see 15.1 on pg. 158). Information about this is recorded in the report (see 15.3 on pg. 163). Later you can attempt to disinfect this object. The program attempts to treat the object detected without asking the user for confirmation. If the object cannot be disinfected, it is deleted. The program automatically deletes the object

Prompt for action when the scan is complete

Prompt for action during scan

Do not prompt for action

Do not prompt for action Disinfect

Do not prompt for action Disinfect Delete if disinfection fails Do not prompt for action Disinfect Delete

Scanning computers for viruses

139

When disinfecting or deleting an object, Kaspersky Anti-Virus creates a backup copy of it, and sends it to Backup (see 15.2 on pg. 161) in case the object needs to be restored or an opportunity arises later to treat it.

11.4.8. Setting up global scan settings for all tasks

Each scan task is executed according to its own settings. By default, the tasks created when you install the program on your computer use the settings recommended by Kaspersky Lab. You can configure global scan settings for all tasks. You will use a set of properties used to scan an individual object for viruses as a starting point. To assign global scan settings for all tasks: 1. 2. Open program settings window and select the Scan section. Configure the scan settings: Select the security level (see 11.4.1 on pg. 130), configure advanced level settings, and select an action (see 11.4.7 on pg. 137) for objects. To apply these new settings to all tasks, click the Apply button in the Other scan tasks section. Confirm the global settings that you have selected in the popup dialogue box.

CHAPTER 12. TESTING KASPERSKY ANTI-VIRUS FEATURES

After installing and configuring Kaspersky Anti-Virus, we recommend that you verify that settings and program operation are correct using a test virus and variations of it.

12.1. The EICAR test virus and its variations

The test virus was specially developed by (The European Institute for Computer Antivirus Research) for testing anti-virus functionality. The test virus IS NOT A VIRUS and does not contain program code that could damage your computer. However, most antivirus programs will identify it as a virus. Never use real viruses to test the functionality of an antivirus! You can download the test virus from http://www.eicar.org/anti_virus_test_file.htm. the official EICAR website:

The file that you downloaded from the EICAR website contains the body of a standard test virus. Kaspersky Anti-Virus will detected, label it a virus, and take the action set for that object type. To test the reactions of Kaspersky Anti-Virus when different types of objects are detected, you can modify the contents of the standard test virus by adding one of the prefixes in the table shown here. Prefix Test virus status Corresponding action when the application processes the object The application will identify the object as malicious and not subject to treatment and will delete it.

No prefix, standard test virus

The file contains a test virus. You cannot disinfect the object.

Testing Kaspersky Anti-Virus features

141

Prefix

Test virus status

Corresponding action when the application processes the object The application could access the object but could not scan it, since the object is corrupted (for example, the file structure is breached, or it is an invalid file format). This object is a modification of a known virus or an unknown virus. At the time of detection, the application databases do not contain a description of the procedure for treating this object. The application will place the object in Quarantine to be processed later with updated databases. An error occurred while processing the object: the application cannot access the object being scanned, since the integrity of the object has been breached (for example, no end to a multivolume archive) or there is no connection to it (if the object is being scanned on a network drive). The object contains a virus that can be cured. The application will scan the object for viruses, after which it will be fully cured.

CORR

Corrupted.

SUSP WARN

The file contains a test virus (modification). You cannot disinfect the object.

ERRO

Processing error.

CURE

The file contains a test virus. It can be cured. The object is subject to disinfection, and the text of the body of the virus will change to CURE.

DELE

The file contains a test virus. You cannot disinfect the object.

This object contains a virus that cannot be disinfected or is a Trojan. The application deletes these objects.

The first column of the table contains the prefixes that need to be added to the beginning of the string for a standard test virus. The second column describes

142

Kaspersky Anti-Virus 7.0

the status and reaction of Kaspersky Anti-Virus to various types of test virus. The third column contains information on objects with the same status that the application has processed. Values in the anti-virus scan settings determine the action taken on each of the objects.

12.2. Testing File Anti-Virus

To test the functionality File Anti-Virus; 1. Allow all events to be logged so the report file retains data on corrupted objects and objects not scanned because of errors. To do so, check Log non-critical events under Reports and data files in the application settings window (see 15.3.1 on pg. 166). Create a folder on a disk, copy to it the test virus downloaded from the organization's official website (see 12.1 on pg. 140), and the modifications to the test virus that you created.

File Anti-Virus will intercept your attempt to access the file, will scan it, and will inform you that it has detected a dangerous object:

Figure 50. Dangerous object detected

Testing Kaspersky Anti-Virus features

143

When you select different options for dealing with detected objects, you can test File Anti-Virus's reaction to detecting various object types. You can view details on File Anti-Virus performance in the report on the component.

12.3. Testing Virus scan tasks

To test Virus scan tasks: 1. Create a folder on a disk, copy to it the test virus downloaded from the organization's official website (see 12.1 on pg. 140), and the modifications of the test virus that you created. Create a new virus scan task (see 11.3 on pg. 127) and select the folder containing the set of test viruses as the objects to scan (see 12.1 on pg. 140). Allow all events to be logged so the report file retains data on corrupted objects and objects not scanned because of errors. To do so, check Log non-critical events under Reports and data files in the application settings window (see 15.3.1 on pg. 166). Run the virus scan task (see 11.1 on pg. 126).

When you run a scan, as suspicious or infected objects are detected, notifications will be displayed on screen will information about the objects, prompting the user for the next action to take:

144

Kaspersky Anti-Virus 7.0

Figure 51. Dangerous object detected

This way, by selecting different options for actions, you can test Kaspersky AntiVirus reactions to detecting various object types. You can view details on virus scan task performance in the report on the component.

CHAPTER 13. PROGRAM UPDATES

Keeping your anti-virus software up-to-date is an investment in your computers security. Because new viruses, Trojans, and malicious software emerge daily, it is important to regularly update the application to keep your information constantly protected. Updating the application involves the following components being downloaded and installed on your computer: Anti-virus databases and network drivers Information on your computer is protected using the application databases. The software components that provide protection use the database of threat signatures to search for and disinfect harmful objects on your computer. The databases are added to every hour, with records of new threats and methods to combat them. Therefore, it is recommended that they are updated on a regular basis. In addition to the threat signatures, network drivers that enable protection components to intercept network traffic are updated. Previous versions of Kaspersky Lab applications have supported standard and extended databases sets. Each database dealt with protecting your computer against different types of dangerous objects. In Kaspersky AntiVirus you dont need to worry about selecting the appropriate databases set. Now our products use databases that protect both from malware and riskware. Application modules In addition to the application databases, you can upgrade the modules for Kaspersky Anti-Virus. New application updates appear regularly. The main update source for Kaspersky Anti-Virus is Kaspersky Labs update servers. To download available updates from the update servers, your computer must be connected to the Internet. Your computer has to be connected to the Internet to be able to download updates from update servers. In that event that connection to the Internet is through a proxy server, you will need to configure connection settings (see 15.7 on pg. 178).

146

Kaspersky Anti-Virus 7.0

If you do not have access to Kaspersky Labs update servers (for example, your computer is not connected to the Internet), you can call the Kaspersky Lab main office at +7 (495) 797-87-00, +7 (495) 645-79-39, +7 (495) 956-00-00 to request contact information for Kaspersky Lab partners, who can provide you with zipped updates on floppy disks or CD/DVDs. Updates can be downloaded in one of the following modes: Auto. Kaspersky Anti-Virus checks the update source for update packages at specified intervals. Scans can be set to be more frequent during virus outbreaks and less so when they are over. When the program detects fresh updates, it downloads them and installs them on the computer. This is the default setting. By schedule. Updating is scheduled to start at a specified time. Manual. With this option, you launch the Updater manually. During updating, the application compares the databases and application modules on your computer with the versions available on the update server. If your computer has the latest version of the databases and application modules, you will see a notification window confirming that your computer is up-do-date. If the databases and modules on your computer differ from those on the update server, only the missing part of the updates will be downloaded. The Updater does not download databases and modules that you already have, which significantly increases download speed and saves Internet traffic. Before updating databases, Kaspersky Anti-Virus creates backup copies of them, that can be used if a rollback (see 13.2 on pg. 147) is required. If, for example, the update process corrupts the databases and leaves them unusable, you can easily roll back to the previous version and try to update the databases later. You can distribute the updates retrieved to a local source while updating the application (see 13.3.3 on pg. 152. This feature allows you to update databases and modules used by 7.0 applications on networked computers to conserve bandwidth.

13.1. Starting the Updater

You can begin the update process at any time. It will run from the update source that you have selected (see 13.3.1 on pg. 148). You can start the Updater from: the context menu (see 4.2 on pg. 40). from the programs main window (see 4.3 on pg. 41).

Program updates

147

To start the Updater from the shortcut menu: 1. 2. Right click the application icon in the taskbar notification area to open the shortcut menu. Select Update.

To start the Updater from the main program window: 1. 2. Open application main window and select the Update component. Click Update databases link.

Update information will be displayed in the main window. To details on the update process, click Details. This will display a detailed update task report. The report window may be closed. To do so, click Close. The update will continue. Note that updates are distributed to the local source during the update process, provided that this service is enabled (see 13.3.3 on pg. 152).

13.2. Rolling back to the previous update

Every time you begin updating, Kaspersky Anti-Virus first creates a backup copy of the current databases and program modules and after this starts downloading updates. This way you can return to using the previous version of databases if an update fails. To rollback to the previous database of known threats: 1. 2. Open application main window and select the Update component. Click Rollback to the previous databases.

13.3. Configuring update settings

The Updater settings specify the following parameters: The source from which the updates are downloaded and installed (see 13.3.1 on pg. 148) The run mode for the updating procedure and the specific elements updated (see 13.3.2 on pg. 150) How frequently will the update run if scheduled (see 6.7 on pg. 61)

148

Kaspersky Anti-Virus 7.0

Which user will the update run as (see 6.6 on pg. 60) Whether downloaded updates are to be copied to a local directory (see 13.3.3 on pg. 152) What actions are to be performed after updating is complete (see 13.3.3 on pg. 152) The following sections examine these aspects in detail.

13.3.1. Selecting an update source

The update source is some resource, containing updates for the databases and Kaspersky Anti-Virus application modules. Update sources can exist as HTTP and FTP servers, local or network folders. The main update source is Kaspersky Labs update servers. These are special web sites containing available updates for the databases and application modules for all Kaspersky Lab products. If you cannot access Kaspersky Labs update servers (for example, you have no Internet connection), you can call the Kaspersky Lab main office at +7 (495) 79787-00, +7 (495) 956-00-00 to request contact information for Kaspersky Lab partners, who can provide zipped updates on floppy disks or CD/DVDs. Warning! When requesting updates on removable media, please specify whether you want to have the updates for application modules as well. You can copy the updates from a disk and upload them to a FTP or HTTP site, or save them in a local or network folder. Select the update source on the Update Sources tab (see Figure 52). By default, the updates are downloaded from Kaspersky Labs update servers. The list of addresses which this item represents cannot be edited. When updating, Kaspersky Anti-Virus calls this list, selects the address of the first server, and tries to download files from this server. If updates cannot be downloaded from the first server, the application tries to connect to each of the servers in turn until it is successful.

Program updates

149

Figure 52. Selecting an update source

To download updates from another FTP or HTTP site: 1. 2. Click Add. In the Select Update Source dialog box, select the target FTP or HTTP site or specify the IP address, character name, or URL address of this site in the Source field. When selecting an ftp site as an update source, authentication settings must be entered in the URL of the server in the format ftp://user:password@server.

Warning! If a resource located outside the LAN is selected as an update source, you must have an Internet connection to update. To update from a local folder: 1. 2. Click Add. In the Select Update Source dialog box, select a folder or specify the full path to this folder in the Source field.

150

Kaspersky Anti-Virus 7.0

Kaspersky Anti-Virus adds new update sources at the top of the list, and automatically enables the source, by checking the box beside the source name. If several resources are selected as update sources, the application tries to connect to them one after another, starting from the top of the list, and retrieves the updates from the first available source. You can change the order of sources in the list using the Move up and Move down buttons. To edit the list, use the Add, Edit and Remove buttons. The only source you cannot edit or delete is the one labeled Kaspersky Labs update servers. If you use Kaspersky Labs update servers as the update source, you can select the optimal server location for downloading updates. Kaspersky Lab has servers in several countries. Choosing the Kaspersky Lab update server closest to you will save you time and download updates faster. To choose the closest server, check Define region (do not use autodetect) and select the country closest to your current location from the dropdown list. If you check this box, updates will run taking the region selected in the list into account. This checkbox is deselected by default and information about the current region from the operating system registry is used.

13.3.2. Selecting an update method and what to update

When configuring updating settings, it is important to define what will be updated and what update method will be used. Update objects (see Figure 53) are the components that will be updated: Application databases Network drivers that enable protection components to intercept network traffic Program modules Application databases and network drivers are always updated, and the application modules are only updated if the settings are configured for it.

Figure 53. Selecting update objects

Program updates

151

If you want to download and install updates for program modules: open application settings window, select Update, and check plication modules. Update ap-

If there is an application module update on the update source, the application will download the required updates and apply them after the system is restarted. Downloaded module updates will not be installed until the computer is restarted. If the next program update occurs before the computer is restarted and previously downloaded application module updates are installed, application databases only will be updated. Update method (see Figure 54) defines how the Updater is started. One of the following modes may be selected under Run Mode: Automatically. Kaspersky Anti-Virus checks the update source for update packages at specified intervals (see 13.3.1 on pg. 147). When the program detects fresh updates, it downloads them and installs them on the computer. This mode is used by default. If a network resource is specified as an update source, Kaspersky Anti-Virus tries to launch updating after a certain amount of time has elapsed as specified in the previous update package. If a local folder is selected as an update source, the application tries to download the updates from the local folder at a frequency specified in the update package that was downloaded during the last updating. This option allows Kaspersky Lab to regulate the updating frequency in case of virus outbreaks and other potentially dangerous situations. Your application will receive the latest updates for application databases and software modules in a timely manner, thus excluding the possibility for malicious software to penetrate your computer.

Figure 54. Selecting an update run mode

By schedule. Updating is scheduled to start at a specified time. By default, scheduled updates will occur daily. To edit the default schedule, click the Change... button near the mode title and make the necessary changes in the window that opens (for more details, see 6.7 on pg. 61). Manually. With this option, you start the Updater manually. Kaspersky AntiVirus notifies you when it needs to be updated:

152

Kaspersky Anti-Virus 7.0

13.3.3. Update distribution

If your home computers are connected through a home network, you do not need to download and installed updates on each of them separately, since this would consume more network bandwidth. You can use the update distribution feature, which helps reduce traffic by retrieving updates in the following manner: 1. One of the computers on the network retrieves an application update package from the Kaspersky Lab web servers or from another web resources hosting a current set of updates. The updates retrieved are placed in a public access folder. Other computers on the network access the public access folder to retrieve application updates.

To enable update distribution, select the Update distribution folder checkbox on the Additional tab (see Figure 55), and in the field below, specify the shared folder where updates retrieved will be placed. You can enter the path manually or selected in the window that opens when you click Browse. If the checkbox is selected, updates will automatically be copied to this folder when they are retrieved.

Program updates

153

The program also provides detailed reports (see 15.3 on pg. 163) on the operation of all protection components, virus scan tasks, and updates. Monitored ports can regulate which Kaspersky Anti-Virus modules control data transferred on select ports (see 15.4 on pg. 171). Configuration of proxy server settings (see 15.7 on pg. 178) provides the application access to the Internet which is critical for certain real-time protection components and updates. The Rescue Disk can help restore your computers functionality after an infection (see 15.4 on pg. 171). This is particularly helpful when you cannot boot your computers operating system after malicious code has damaged system files. You can also change the appearance of Kaspersky Anti-Virus and can customize the program interface (see 15.7 on pg. 178). The following sections discuss these features in more detail.

15.1. Quarantine for potentially infected objects

Quarantine is a special storage area that holds potentially infected objects. Potentially infected objects are objects that are suspected of being infected with viruses or modifications of them. Why potentially infected? This are several reasons why it is not always possible to determine whether an object is infected: The code of the object scanned resembles a known threat but is partially modified. Application databases contain threats that have already been studied by Kaspersky Lab. If a malicious program is modified by a hacker but these changes have not yet been entered into the databases, Kaspersky AntiVirus classifies the object infected with this changed malicious program as being potentially infected, and indicates what threat this infection resembles. The code of the object detected is reminiscent in structure of a malicious program, although nothing similar is recorded in the application databases. It is quite possible that this is a new type of threat, so Kaspersky AntiVirus classifies the object as a potentially infected object. The heuristic code analyzer detects potential viruses. This mechanism is fairly effective and very rarely produces false positives.

Advanced options

159

A potentially infected object can be detected and placed in quarantine by File Anti-Virus, Mail Anti-Virus, Proactive Defense or in the course of a virus scan. You can place an object in quarantine by clicking Quarantine in the notification that pops up when a potentially infected object is detected. When you place an object in Quarantine, it is moved, not copied. The object is deleted from the disk or email and is saved in the Quarantine folder. Files in Quarantine are saved in a special format and are not dangerous.

15.1.1. Actions with quarantined objects

The total number of objects in Quarantine is displayed in the Reports and data files section of the main window. In the right-hand part of the screen there is a special Quarantine section that displays: the number of potentially infected objects detected during Kaspersky Anti-Virus operation; the current size of Quarantine. Here you can delete all objects in the quarantine using the Clear link. To access objects in Quarantine: Click Quarantine. You can take the following actions on the Quarantine tab (see Figure 57): Move a file to Quarantine that you suspect is infected but the program did not detect. To do so, click Add and select the file in the standard selection window. It will be added to the list with the status added by user. Scan and disinfect all potentially infected objects in Quarantine using the current version of application databases by clicking, click Scan all. After scanning and disinfecting any quarantined object, its status may change to infected, potentially infected, false positive, OK, etc. The infected status means that the object has been identified as infected but it could not be treated. You are advised to delete such objects. All objects marked false positive can be restored, since their former status as potentially infected was not confirmed by the program once scanned again. Restore the files to a folder selected by the user or their original folder prior to Quarantine (default). To restore an object, select it from the list and click Restore. When restoring objects from archives, email data-

160

Kaspersky Anti-Virus 7.0

bases, and email format files placed in Quarantine, you must also select the directory to restore them to.

Figure 57. List of quarantined objects

Tip: We recommend that you only restore objects with the status false positive, OK, and disinfected, since restoring other objects could lead to infecting your computer. Delete any quarantined object or group of selected objects. Only delete objects that cannot be disinfected. To delete the objects, select them in the list and click Delete.

15.1.2. Setting up Quarantine

You can configure the settings for the layout and operation of Quarantine, specifically:

Advanced options

161

Set up automatic scans for objects in Quarantine after each application database update (for more details, see 13.3.3 on pg. 152). Warning! The program will not be able to scan quarantined objects immediately after updating the databases if you are accessing the Quarantine area. Set the maximum Quarantine storage time. The default storage time 30 days, at the end of which objects are deleted. You can change the Quarantine storage time or disable this restriction altogether. To do so: 1. 2. Open the application settings window and select Reports and data files. In the Quarantine & Backup section (see Figure 58), enter the length of time after which objects in Quarantine will be automatically deleted. Alternately, uncheck the checkbox to disable automatic deletion.

Figure 58. Configuring the Quarantine storage period

15.2. Backup copies of dangerous objects

Sometimes when objects are disinfected their integrity is lost. If a disinfected file contains important information which is partially or fully corrupted, you can attempt to restore the original object from a backup copy. A backup copy is a copy of the original dangerous object that is created before the object is disinfected or deleted. It is saved in Backup. Backup is a special storage area that contains backup copies of dangerous objects. Files in backup are saved in a special format and are not dangerous.

162

Kaspersky Anti-Virus 7.0

15.2.1. Actions with backup copies

The total number of backup copies of objects placed in the repository is displayed in the Reports and data files section of the main window. In the righthand part of the screen there is a special Backup section that displays: the number of backup copies of objects created by Kaspersky Anti-Virus the current size of Backup. Here you can delete all copies in backup using the Clear link. To access dangerous object copies: Click Backup. A list of backup copies is displayed in the Backup tab (see Figure 59). The following information is displayed for each copy: the original full path and filename of the object, the status of the object assigned by the scan, and its size.

Figure 59. Backup copies of deleted or disinfected objects

Advanced options

163

You can restore selected copies using the Restore button. The object is restored from Backup with the same name that it had prior to disinfection. If there is an object in the original location with that name (this is possible if a copy was made of the object being restored prior to disinfection), a warning will be given. You can change the location of the restored object or rename it. You are advised to scan backup objects for viruses immediately after restoring them. It is possible that with updated application databases you will be able to disinfect it without losing file integrity. You are advised not to restore backup copies of objects unless absolutely necessary. This could lead to an infection on your computer. You are advised to periodically examine the Backup area, and empty it using the Delete button. You can also set up the program so that it automatically deletes the oldest copies from Backup (see 15.2.2 on pg. 163).

15.2.2. Configuring Backup settings

You can define the maximum time that backup copes remain in the Backup area. The default Backup storage time is 30 days, at the end of which backup copies are deleted. You can change the storage time or remove this restriction altogether. To do so: 1. 2. Open the application settings window and select Reports and Data Files. Set the duration for storing backup copies in the repository in the Quarantine and Backup section (see Figure 58) on the right-hand part of the screen. Alternately, uncheck the checkbox to disable automatic deletion.

15.3. Reports
Kaspersky Anti-Virus component actions, virus task scans and updates are all recorded in reports. The total number of reports created by the program at a given point in time and their total size in bites is displayed in Reports and data files section of the main program window. This information is displayed in the Report files section. To view reports: Click Reports.

164

Kaspersky Anti-Virus 7.0

The Reports tab (see Figure 60) lists the latest reports on all components and virus scan and update tasks run during the current session of Kaspersky AntiVirus. The status is listed beside each component or task, for example, running, paused, or complete. If you want to view the full history of report creation for the current session of the program, check Show report history.

Figure 60. Reports on component operation

To review all the events reported for a component or task: Select the name of the component or task on the Reports tab and click the Details button. A window will then open that contains detailed information on the performance of the selected component or task. The resulting performance statistics are displayed in the upper part of the window, and detailed information is provided on the tabs. Depending on the component or task, the tabs can vary: The Detected tab contains a list of dangerous objects detected by a component or a virus scan task performed. The Events tab displays component or task events. The Statistics tab contains detailed statistics for all scanned objects.

Advanced options

165

The Settings tab displays settings used by protection components, virus scans, or application database updates. The Registry tabs are only in the Proactive Defense report and contain information about all attempts to modify the operating system registry. You can export the entire report as a text file. This feature is useful when an error has occurred which you cannot eliminate on your own, and you need assistance from Technical Support. If this happens, the report must be sent as a .txt file to Technical Support to enable our specialists can study the problem in detail and solve it as soon as possible. To export a report as a text file: Click ActionsSave as and specify where you want to save the report file. After you are done working with the report, click Close. There is an Actions button on all the tabs (except Settings and Statistics) which you can use to define responses to objects on the list. When you click it, a context-sensitive menu opens with a selection of these menu items (the menu differs depending on the component all the possible options are listed below): Disinfect attempts to disinfect a dangerous object. If the object is not successfully disinfected, you can leave it on this list to scan later with updated application databases or delete it. You can apply this action to a single object on the list or to several selected objects. Delete - delete dangerous object from computer. Delete from list remove the record on the object detected from the report. Add to trusted zone excludes the object from protection. A window will open with an exclusion rule for the object. Go to File opens the folder where the object is located in Microsoft Windows Explorer. Neutralize All neutralizes all objects on the list. Kaspersky Anti-Virus will attempt to process the objects using application databases. Discard All clears the report on detected objects. When you use this function, all detected dangerous objects remain on your computer. View on www.viruslist.com goes to a description of the object in the Virus Encyclopedia on the Kaspersky Lab website. Search enter search terms for objects on the list by name or status. Save as save report as a text file. In addition, you can sort the information displayed in the window in ascending and descending order for each of the columns, by clicking on the column head. To process dangerous objects detected by Kaspersky Anti-Virus, press the Neutralize button (for one object or a group of selected objects) or Neutralize all (to

166

Kaspersky Anti-Virus 7.0

process all the objects on the list). After each object is processed, a message will appear on screen. Here you will have to decide what to do with them next. If you check Apply to all in the notification window, the action selected will be applied to all objects with the status selected from the list before beginning processing.

15.3.1. Configuring report settings

To configure settings for creating and saving reports: 1. 2. Open the application settings window and select Reports and data files. Edit the settings under Reports (see Figure 61) as follows: Allow or disable logging informative events. These events are generally not important for security. To log events, check Log noncritical events; Choose only to report events that have occurred since the last time the task was run. This saves disk space by reducing the report size. If Keep only recent events is checked, the report will begin from scratch every time you restart the task. However, only noncritical information will be overwritten. Set the storage time for reports. By default, the report storage time is 30 days, at the end of which the reports are deleted. You can change the maximum storage time or remove this restriction altogether.

Figure 61. Configuring report settings

15.3.2. The Detected tab

This tab (see Figure 62) contains a list of dangerous objects detected by Kaspersky Anti-Virus. The full filename and path is shown for each object, with the status assigned to it by the program when it was scanned or processed.

Advanced options

167

If you want the list to contain both dangerous objects and successfully neutralized objects, check Show neutralized objects.

Figure 62. List of detected dangerous objects

Dangerous objects detected by Kaspersky Anti-Virus are processed using the Disinfect button (for one object or a group of selected objects) or Disinfect all (to process all the objects on the list). When each object is processed, a notification will be displayed on the screen, where you must decide what actions will be taken next. If you check Apply to all in the notification window, the selected action will be applied to all objects with the same status selected from the list before beginning processing.

15.3.3. The Events tab

This tab (see Figure 63) provides you with a complete list of all the important events in component operation, virus scans, and updates that were not overridden by an activity control rule (see 10.1 on pg. 112). These events can be: Critical events are events of a critical importance that point to problems in program operation or vulnerabilities on your computer. For example, virus detected, error in operation.

168

Kaspersky Anti-Virus 7.0

Important events are events that must be investigated, since they reflect important situations in the operation of the program. For example, stopped. Informative messages are reference-type messages which generally do not contain important information. For example, OK, not processed. These events are only reflected in the event log if Show all events is checked.

Figure 63. Events that take place in component operation

The format for displaying events in the event log may vary with the component or task. The following information is given for update tasks: Event name Name of the object involved in the event Time when the event occurred Size of the file loaded For virus scan tasks, the event log contains the name of the object scanned and the status assigned to it by the scan/processing.

15.3.4. The Statistics tab

This tab (see Figure 64) provides you with detailed statistics on components and virus scan tasks. Here you can learn:

Advanced options

169

How many objects were scanned for dangerous traits in this session of a component, or after a task is completed. The number of scanned archives, compressed files, and password protected and corrupted objects is displayed. How many dangerous objects were detected, not disinfected, deleted, or placed in Quarantine.

Figure 64. Component statistics

15.3.5. The Settings tab

The Settings tab (see Figure 65) displays a complete overview of the settings for components, virus scans and program updates. You can find out the current security level for a component or virus scan, what actions are being taken with dangerous objects, or what settings are being used for program updates. Use the Change settings link to configure the component. You can configure advanced settings for virus scans: Establish the priority of scan tasks used if the processor is heavily loaded. The Concede resources to other applications box is checked by default. With this feature, the program tracks the load on the processor and disk subsystems for the activity of other applications. If the load on the processor increases significantly and prevents the user's applications from operating normally, the program reduces scanning activity. This increases scan time and frees up resources for the user's applications.

170

Kaspersky Anti-Virus 7.0

Figure 65. Component settings

Set the computers mode of operation for after a virus scan is complete. You can configure the computer to shut down, restart, or go into standby or sleep mode. To select an option, left-click on the hyperlink until it displays the option you need. You may need this feature if, for example, you start a virus scan at the end of the work day and do not want to wait for it to finish. However, to use this feature, you must take the following additional steps: before launching the scan, you must disable password requests for objects being scanned, if enabled, and enable automatic processing of dangerous objects, to disable the programs interactive features.

15.3.6. The Registry tab

The program records operations with registry keys that have been attempted since the program was started on the Registry tab (see Figure 66), unless forbidden by a rule (see 10.3.2 on pg. 122).

Advanced options

171

Figure 66. Read and modify system registry events

The tab lists the full name of the key, its value, the data type, and information about the operation that has taken place: what action was attempted, at what time, and whether it was allowed.

15.4. Rescue Disk

Kaspersky Anti-Virus has a tool for creating a rescue disk. The rescue disk is designed to restore system functionality after a virus attack that has damaged system files and made the operating system impossible to start. This disk includes: Microsoft Windows XP Service Pack 2 system files A set of operating system diagnostic utilities Kaspersky Anti-Virus program files Files containing application databases. To create a rescue disk: 1. 2. Open the application main window and select Scan. Click the Create Rescue Disk to proceed to disk creation.

A Rescue Disk is designed for the computer that it was created on. Using it on other computers could lead to unforeseen consequences, since it contains information on the parameters of a specific computer (for example, information on boot sectors).

172

Kaspersky Anti-Virus 7.0

You can only create a rescue disk under Microsoft Windows XP or Microsoft Windows Vista. The rescue disk feature is not available under other supported operating systems, including Microsoft Windows XP Professional x64 Edition and Microsoft Windows Vista x64.

15.4.1. Creating a rescue disk

Warning! You will need the Microsoft Windows XP Service Pack 2 installation disk to create a rescue disk. You need the program PE Builder to create the Rescue Disk. You must install PE Builder on your computer beforehand to create disk with it. A special Wizard walks you through the creation of a rescue disk. It consists of a series of windows/steps which you can navigate using the Back and Next buttons. You can complete the Wizard by clicking Finished. The Cancel button will stop the Wizard at any point.

Step 1.

Getting ready to write the disk

To create a rescue disk, specify the path to the following folders: PE Builder program folder Folder where rescue disk files will be saved before burning the CD/DVD If you are not creating a disk for the first time, this folder will already contain a set of files made the last time. To use files saved previously, check the corresponding box. Please note that an earlier version of rescue disk files contains an old version of application databases. To optimize virus scans and system recovery, it is recommended that databases be updated and a new rescue disk created. The Microsoft Windows XP Service Pack 2 installation CD After entering the paths to the folders required, click Next. PE Builder will start up and the rescue disk creation process will begin. Wait until the process is complete. This could take several minutes.

Advanced options

173

Step 2.

Creating an .iso file

After PE Builder has completed creating the rescue disk files, a Create .iso file window will open. The .iso file is a CD image of the disk, saved as an archive. The majority of CD burning programs correctly recognize .iso files (Nero, for example). If this is not the first time that you have created a rescue disk, you can select the .iso file from the previous disk. To do so, select Existing .iso file.

Step 3.

Burning the disk

This Wizard window will ask you to choose whether to burn the rescue disk files to CD now or later. If you chose to burn the disk right away, specify whether you want to format the CD before burning. To do so, check the corresponding box. You only have this option if you are using a CD-RW. The CD will start burning when you click the Next button. Wait until the process is complete. This could take several minutes.

Step 4.

Finishing the rescue disk

This Wizard window informs you that you have successfully created a rescue disk.

15.4.2. Using the rescue disk

Note that Kaspersky Anti-Virus only works in system rescue mode if the main window is opened. When you close the main window, the program will close.

Bart PE, the default program, does not support .chm files or Internet browsers, so you will not be able to view Kaspersky Anti-Virus Help or links in the program interface while in Rescue Mode. If a situation arises when a virus attack makes it impossible to load the operating system, take the following steps: 1. 2. Create a rescue disk by using Kaspersky Anti-Virus on an uninfected computer. Insert the rescue disk in the disk drive of the infected computer and restart. Microsoft Windows XP SP2 will start with the Bart PE interface.

174

Kaspersky Anti-Virus 7.0

Bart PE has built-in network support for using your LAN. When the program starts, it will ask you if you want to enable it. You should enable network support if you plan to update application databases from the LAN before scanning your computer. If you do not need to update, cancel network support. To open Kaspersky Anti-Virus, click StartProgramsKaspersky AntiVirus 7.0 Start. The Kaspersky Anti-Virus main window will open. In system rescue mode, you can only access virus scans and application database updates from the LAN (if you have enabled network support in Bart PE). Start the virus scan.

4. 5.

Note that application databases from the date that the rescue disk is created are used by default. For this reason, we recommend updating the databases before starting the scan. It should also be noted that the application will only use the updated application databases during the current session with the rescue disk, prior to restarting your computer.

Warning! If infected or potentially infected objects were detected when you scanned the computer, and they were processed and then moved to Quarantine or Backup Storage, we recommend completing processing those objects during the current session with a rescue disk. Otherwise, these objects will be lost when you restart your computer.

15.5. Creating a monitored port list

Components such as Mail Anti-Virus and Web Anti-Virus monitor data streams that are transmitted using certain protocols and pass through certain open ports on your computer. Thus, for example, Mail Anti-Virus analyzes information transferred using SMTP protocol, and Web Anti-Virus analyzes information transferred using HTTP. The standard list of ports that are usually used for transmitting email and HTTP traffic is included in the program package. You can add a new port or disable monitoring for a certain port, thereby disabling dangerous object detection for traffic passing through that port.

Advanced options

175

To edit the monitored port list, take the following steps: 1. 2. 3. Open the application settings window and select Traffic Monitoring. Click Port Settings. Update the list of monitored ports in the Port Settings dialog (see Figure 67).

Figure 67. List of monitored ports

This window provides a list of ports monitored by Kaspersky Anti-Virus. To scan data streams enter on all open network ports, select the option Monitor all ports. To edit the list of monitored ports manually, select Monitor selected ports only. To add a new port to the monitored port list: 1. 2. Click on the Add button in the Port settings window. Enter the port number and a description of it in the appropriate fields in the New Port window.

For example, there might be a nonstandard port on your computer through which data is being exchanged with a remote computer using the HTTP protocol, which is monitored by Web Anti-Virus. To analyze this traffic for malicious code, you can add this port to a list of controlled ports.

176

Kaspersky Anti-Virus 7.0

When any of its components starts, Kaspersky Anti-Virus opens port 1110 as a listening port for all incoming connections. If that port is busy at the time, it selects 1111, 1112, etc. as a listening port. If you use Kaspersky Anti-Virus and another companys firewall simultaneously, you must configure that firewall to allow the avp.exe process (the internal Kaspersky Anti-Virus process) access to all the ports listed above. For example, say your firewall contains a rule for iexplorer.exe that allows that process to establish connections on port 80. However, when Kaspersky Anti-Virus intercepts the connection query initiated by iexplorer.exe on port 80, it transfers it to avp.exe, which in turn attempts to establish a connection with the web page independently. If there is no allow rule for avp.exe, the firewall will block that query. The user will then be unable to access the webpage.

15.6. Scanning Secure Connections

Connecting using SSL protocol protects data exchange through the Internet. SSL protocol can identify the parties exchanging data using electronic certificates, encrypt the data being transferred, and ensure their integrity in transit. These features of the protocol are used by hackers to spread malicious programs, since most antivirus programs do not scan SSL traffic. Kaspersky Anti-Virus offers the option of scanning SSL traffic for viruses. When an attempt is made to connect securely to a web resource, a notification will appear on screen (see Figure 68) prompting the user for action. The notification contains information on the program initiating the secure connection, along with the remote address and port. Select one of the options below to continue or discontinue scanning: Process scan traffic for viruses when connecting securely to the website. Skip stay connected to a web resource without scanning traffic for viruses. Check Apply to all to apply the selected action to all subsequent attempts to establish SSL-connections in the current browser session.

Advanced options

177

Figure 68. Notification on SSL connection detection

To scan encrypted connections, Kaspersky Anti-Virus replaces the security certificate requested with a self-signed one. In some cases, programs that are establishing connections will not accept this certificate, resulting in no connection being established. In such situations we recommend selecting the Skip option from the notice regarding the scan of a secure connection: When connecting to a trusted web resource, such as your banks web page, where you manage your personal account. In this case, it is important to receive confirmation of the authenticity of the bank's certificate. If the program establishing the connection checks the certificate of the website being accessed. For example, MSN Messenger checks the authenticity of the Microsoft Corporation digital signature when it establishes a connection with the server. You can configure SSL connection scan settings under Traffic Monitoring of the program settings window (see Figure 69): Check all encrypted connections scan all traffic incoming on SSL protocol for viruses. Prompt for scan when a new encrypted connection is detected display a message prompting the user for action every time an SSL connection is established.

178

Kaspersky Anti-Virus 7.0

Do not check encrypted connections do not scan traffic incoming on SSL protocol for viruses.

Figure 69. Configuring Secure Connection Scans

15.7. Configuring Proxy-Server

Connection to a proxy server may be configured using the Proxy Server section (see Figure 70) of the application settings window (if connection to the Internet is through a proxy). Kaspersky Anti-Virus utilizes these settings for several realtime protection components and to update application databases and modules. If a proxy server is used to connect to the Internet, check and configure the following settings as necessary: Select proxy server parameters to use: Automatically detect the proxy server settings. If this option is selected, proxy server settings are autodetected using the WPAD (Web Proxy Auto-Discovery Protocol) protocol. If the above protocol is unable to determine the address, Kaspersky Anti-Virus uses the proxy server settings specified for Microsoft Internet Explorer. Use specified proxy server settings: use a proxy server other than the one specified in the browser connection settings. Enter an IP address or a domain name in the Address field and a proxy server port number in the Port field. Not to use a proxy server for updates from local or network directories, check Bypass proxy server for local addresses. Use Proxy Server

Advanced options

179

Figure 70. Configuring Proxy-Server

Specify whether the proxy server uses authentication. Authentication is a procedure to verify user account information for the purposes of access control. If authentication is required to connect to the proxy server, check Use authentication and enter user name and password in the appropriate fields. This will result in an attempt to perform an NTLMauthorization followed by a BASIC authorization. If the check box is unchecked, NTLM authorization will be attempted using the login under which the task (such as an update, cf. Section 6.6 on pg. 60) is running. If the proxy server required authorization, and user name and password are not specified or rejected by the proxy for whatever reason, a dialog requesting user name and password will be displayed. If authorization is successful, the specified user name and password will be remembered for subsequent use. Otherwise, authorization information will be requested again. Pressing the Cancel button in the authentication prompt dialog replaces the current source of updates with the next one from the list; the authentication parameters specified in that window or defined in the program interface will be ignored. Therefore, the application will attempt NTLM authentication based on the account used to launch the task. If an ftp server is used to update, a passive connection to the server is established by default. If this connection attempt returns an error, an attempt is made to establish an active connection.

180

Kaspersky Anti-Virus 7.0

By default, the update server connection timeout is 1 minute. If connection fails, an attempt will be made to connect to the next update server once this timeout expires. This enumeration continues until a connection is successfully established or until all available update servers are enumerated.

15.8. Configuring the Kaspersky Anti-Virus interface

Kaspersky Anti-Virus gives you the option of changing the appearance of the program by creating and using skins. You can also configure the use of active interface elements such as the application icon in the taskbar notification area and popup messages. To configure the Kaspersky Anti-Virus interface: Open the application settings window and select Appearance section (see Figure 71).

Figure 71. Configuring application interface settings

Advanced options

181

In the right-hand part of the settings window, you can configure: User defined graphical components and color scheme in the application interface. By the default the graphical user interface uses system colors and styles. These can be replaced by unchecking Use System colors and styles. This will enable the styles specified when configuring display themes. All colors, fonts, icons, and text used in the Kaspersky Anti-Virus interface are configurable. Customized skins may be created for the application. The application itself may be localized in another language. To plug in a skin, enter the directory containing its description in Directory with skin descriptions. Use the Browse button to select a directory. Degree of transparency of popup messages. All Kaspersky Anti-Virus operations that must immediately reach you or require you to make a decision are presented as popup messages above the application icon in the taskbar notification area. The message windows are transparent so as not to interfere with your work. If you move the cursor over the message, the transparency disappears. You can change the degree of transparency of such messages. To do so, adjust the Transparency factor scale to the desired position. To remove message transparency, uncheck Enable semi-transparent windows. Animation of application icon in the taskbar notification area. Depending on the program operation performed, the icon changes. For example, if a script is being scanned, a small depiction of a script appears in the background of the icon, and if an email is being scanned, an envelope. By default, icon animation is enabled. If you want to turn off animation, uncheck Animate taskbar icon when processing items. Then the icon will only reflect the protection status of your computer: if protection is enabled, the icon is in color, and if protection is paused or disabled, the icon becomes gray. Notifications of news from Kaspersky Lab By default, if news are received, a special icon is displayed in the taskbar notification area which displays a window containing the news item, when clicked. To disable notifications, uncheck Use taskbar icon for news notifications. Display of Kaspersky Anti-Virus icon at operating system startup. This indicator by default appears in the upper right-hand corner of the screen when the program loads. It informs you that your computer is

182

Kaspersky Anti-Virus 7.0

protected from all threat types. If you do not want to use the protection indicator, uncheck Show icon above Microsoft Windows login window. Note that modifications of Kaspersky Anti-Virus interface settings are not saved when default settings are restored or if the application is uninstalled.

15.9. Using advanced options

Kaspersky Anti-Virus provides you with the following advanced features (see Figure 72): starting Kaspersky Anti-Virus at operating system startup (see 15.11 on pg. 192); user notification of certain application events (see 15.9.1 on pg. 183); Kaspersky Anti-Virus self-defense from module shutdown, removal, or modification, password protection of application (see 15.9.2 on pg. 187); export / import of Kaspersky Anti-Virus runtime settings (see 15.9.3 on pg. 189); recovery of default settings (see 15.9.4 on pg. 189). To configure these features: Open the application settings window and select Service. In the right hand part of the screen you can define whether to use additional features in program operation.

Advanced options

183

Figure 72. Configuring Advanced Options

15.9.1. Kaspersky Anti-Virus event notifications

Different kinds of events occur in Kaspersky Anti-Virus. They can be of an informative nature or contain important information. For example, an event can inform you that the program has updated successfully, or can record an error in a component that must be immediately eliminated. To receive updates on Kaspersky Anti-Virus operation, you can use the notification feature. Notices can be delivered in several ways: Popup messages above the application icon in the taskbar notification area Sound messages Emails Logging events To use this feature, you must: 1. Check Enable notifications under Events notification in the Appearance section of the application settings window (see Figure 71).

184

Kaspersky Anti-Virus 7.0

Define the event types from Kaspersky Anti-Virus for which you want notifications, and the notification delivery method (see 15.9.1.1 on pg. 184). Configure email notification delivery settings, if that is the notification method that is being used (see 15.9.1.2 on pg. 185).

15.9.1.1. Types of events and notification delivery methods

During Kaspersky Anti-Virus operation, the following kinds of events arise: Critical notifications are events of a critical importance. Notifications are highly recommended, since they point to problems in program operation or vulnerabilities in protection on your computer. For example, application databases corrupt or key expired. Functional failures are events that lead to the application not working. For example, no key or application databases. Important notifications are events that must be investigated, since they reflect important situations in the operation of the program. For example, protection disabled or computer has not been scanned for viruses for a long time. Minor notifications are reference-type messages which generally do not contain important information. For example, all dangerous objects disinfected. To specify which events the program should notify you of and how: 1. 2. Open the application settings window and select Appearance (see Figure 71). Check Enable Notifications under Events notification and go to advanced settings by clicking Advanced.

The following methods of notification of the above events may be configured, using the Events Notification Settings dialog (see Figure 73): Popup messages above the application icon in the taskbar notification area that contain an informative message on the event that occurred. To use this notification type, check in the Balloon section across from the event about which you want to be informed. Sound notification If you want this notice to be accompanied by a sound file, check Sound across from the event.

Advanced options

185

Email notification To use this type of notice, check the E-Mail column across from the event about which you want to be informed, and configure settings for sending notices (see 15.9.1.2 on pg. 185). Logging events To record information in the log about events that occur, check in the Log column and configure event log settings (see 15.9.1.3 on pg. 186).

Figure 73. Program events and event notification methods

15.9.1.2. Configuring email notification

After you have selected the events (see 15.9.1.1 on pg. 184) about which you wish to receive email notifications, you must set up notification delivery. To do so: 1. 2. Open the application settings window and select Appearance (see Figure 71). Click Advanced under Events notification.

186

Kaspersky Anti-Virus 7.0

3. 4.

Use the Events notification settings window (see Figure 73) to check events that should trigger email notification in the E-mail column. In the window (see Figure 74) that opens when you click Email settings, configure the following settings for sending e-mail notifications: Assign the sending notification setting for From: Email address. Specify the email address to which notices will be sent in To: Email address. Assign a email notification delivery method in the Send mode. If you want the program to send email as soon as the event occurs, select Immediately when event occurs. For notifications about events within a certain period of time, fill out the schedule for sending informative emails by click Change. Daily notices are the default.

Figure 74. Configuring email notification settings

15.9.1.3. Configuring event log settings

To configure event log settings: 1. Open the application settings window and select Appearance (see Figure 71).

Advanced options

187

Click Advanced under Events notification.

Use the Events Notification settings window to select the option of logging information for an event and click the Log Settings button. Kaspersky Anti-Virus has the option of recording information about events that arise while the program is running, either in the Microsoft Windows general event log (Application) or in a dedicated Kaspersky Anti-Virus (Kaspersky Event Log). Logs can be viewed in the Microsoft Windows Event Viewer, which you can open by going to Start/Settings/Control Panel/Administration/View Events.

15.9.2. Self-Defense and access restriction

Kaspersky Anti-Virus is an application which protects computers from malware and, as such, is of interest to malicious software attempting to disable the application or even remove it from computers. Moreover, several people may be using the same computer, all with varying levels of computer literacy. Leaving access to the program and its settings open could dramatically lower the security of the computer as a whole. To ensure the stability of your computer's security system, Self-Defense, remote access defense, and password protection mechanisms have been added to the program. On computers running 64-bit operating systems and Microsoft Windows Vista, self-defense is only available for preventing the program's own files on local drives and system registry records from being modified or deleted. To enable Self-Defense: 1. 2. Open the application settings window and select Service (see Figure 72). Make the following configurations in the Self-Defense box: Enable Self-Defense. If this box is checked, the program will protect its own files, processes in memory, and entries in the system registry from being deleted or modified. Disable external service control. If this box is checked, any remote administration program attempting to use the program will be blocked. For remote administration tools (such as, RemoteAdmin) to gain access to Kaspersky Anti-Virus, these tools should be added to the

188

Kaspersky Anti-Virus 7.0

trusted applications list, and the setting Do not monitor application activity should be enabled (see 6.9.2 on pg. 70). If any of the actions listed are attempted, a message will appear over the application icon in the taskbar notification area (unless the notification service has been disabled by user). To password protect the program, check Enable password protection in the area of the same name. Click on the Settings button to open the Password Protection window, and enter the password and area that the access restriction will cover (see Figure 75). You can block any program operations, except notifications for dangerous object detection, or prevent any of the following actions from being performed: Change of program performance settings Close Kaspersky Anti-Virus Disable or pause protection on your computer Each of these actions lowers the level of protection on your computer, so try to establish which of the users on your computer you trust to take such actions. Now whenever any user on your computer attempts to perform the actions you selected, the program will request a password.

Figure 75. Program password protection settings

Advanced options

189

15.9.3. Importing and exporting Kaspersky Anti-Virus settings

Kaspersky Anti-Virus allows you to import and export application settings. This feature is useful when, for example, the program is installed both on your home computer and in your office. You can configure the program the way you want it at home, save those settings on a disk, and using the import feature, load them on your computer at work. The settings are saved in a special configuration file. To export the current program settings: 1. 2. 3. Open the program settings window and select the Service section (see Figure 72). Click the Save button in the Configuration Manager section. Enter a name for the configuration file and select a save destination.

To import settings from a configuration file: 1. 2. Open the program settings window and select the Service section. Click the Load button and select the file from which you want to import Kaspersky Anti-Virus settings.

15.9.4. Restoring default settings

It is always possible to return to the default program settings, which are considered the optimum and are recommended by Kaspersky Lab. This can be done using the Setup Wizard. To reset protection settings: 1. 2. Open the program settings window and select the Service section (see Figure 72). Click the Reset button in the Settings Manager section.

The window that opens asks you to define which settings should be restored to their default values. The window lists the program components whose settings were changed by the user. If special settings were created for any of the components, they will also be shown on the list.

190

Kaspersky Anti-Virus 7.0

Examples of special settings would be trusted address lists used by Web AntiVirus; exclusion rules created for program components, and application rules for Proactive Defense. These lists are populated gradually by using the program, based on individual tasks and security requirements. This process often takes some time. Therefore, we recommend saving them when you reset program settings. The program saves all the custom settings on the list by default (they are unchecked). If you do not need to save one of the settings, check the box next to it. After you have finished configuring the settings, click the Next button. Initial Setup Wizard will open (see 3.2, pg. 31). Follow its instructions. After you are finished with the Setup Wizard, the Recommended security level will be set for all protection components, except for the settings that you decided to keep. In addition, settings that you configured with the Setup Wizard will also be applied.

15.10. Technical Support

Information on technical support made available to users by Kaspersky Lab is provided under Support (see Figure 76) in the application main window. The top section presents general application information: version, database publication date, as well as a summary of your computers operating system. If problems should arise while running Kaspersky Anti-Virus, first make sure that troubleshooting instructions for the problem are not provided in this help system or the Knowledge Base at the Kaspersky Lab Technical Support web site. The Knowledge Base is a separate section of the Technical Support web site and comprises recommendations for Kaspersky Lab products as well as answers to frequently asked questions. Try using this resource to find an answer to your question or a solution to your issue. Click on Web Support to go to the Knowledge Base. The Kaspersky Lab user forum is another application information resource. It is also made into a separate section at the Technical Support web site and contains user questions, feedback, and requests. You can view the main topics, leave feedback, or find an answer to a question. Click User Forum to go to this resource. If you do not find a solution to your problem in Help, the Knowledge Base, or User Forum, we recommend that you contact Kaspersky Lab Technical Support. Please note that you have to be a registered user of Kaspersky Anti-Virus commercial version to obtain technical support. No support is provided to users of trial versions.

Advanced options

191

User registration is performed using the Activation Wizard (see 3.2.2 on pg. 32), if the application is being activated using an activation code. A client ID will be assigned at the end of the registration process which may be viewed under Support (see Figure 76) of the main window. A client number is a personal user ID which is required for phone or web form-based technical support. If a key file is used for activation, register directly at the Technical Support web site. A new service referred to as the Personal Cabinet provides users access to a personal section of the Technical Support web site. The Personal Cabinet enables you to: send Technical Support requests without logging in; exchange messages with Technical Support without using email; monitor requests in real-time; view the complete history of your Technical Support requests; obtain a backup copy of the key file. Use the Create Request link to send an online form-based request to Technical Support. Enter your Personal Cabinet on the Technical Support site which will open as a result and complete the request form.

192

Kaspersky Anti-Virus 7.0

Figure 76. Technical Support Information

For urgent assistance, use the contact numbers provided in the Help System (see B.2 on pg. 228). Telephone support is provided 24/7 in Russian, English, French, German, and Spanish. Use the Online Course link to obtain further information on training events for Kaspersky Lab products.

15.11. Closing Application

If Kaspersky Anti-Virus needs to be shut down, select Exit on the application context menu (see 4.2 on pg. 40). This will cause the application to be unloaded from random access memory, which would mean that your computer was unprotected at the moment. In the event that there were open network connections at the time the application was shut down, a message will be displayed that these connections have been broken. This is required for the application to exit properly. Disconnection is automatic after 10 seconds or occurs when Yes is clicked. Most such connections are re-established after a period of time.

Advanced options

193

Please note that any downloads underway at the time the connections are broken will be interrupted unless a download manager is being used. The download will have to be restarted for you to get the file. You can prevent the connections from being broken by clicking No in the notification window. This will cause the application to continue running. If the application is shut down, protection may be re-enabled by restarting Kaspersky Anti-Virus by selecting Start Programs Kaspersky Anti-Virus 7.0 Kaspersky Anti-Virus 7.0. Protection will also restart automatically following an operating system reboot.. To enable this mode, select Service (see Figure 72) in the application settings window and check Launch application at startup under Autoload.

CHAPTER 16. WORKING WITH THE PROGRAM FROM THE COMMAND LINE
You can use Kaspersky Anti-Virus from the command line. You can execute the following operations: Starting, stopping, pausing and resuming the activity of application components Starting, stopping, pausing and resuming virus scans Obtaining information on the current status of components, tasks and statistics on them Scanning selected objects Updating databases and program modules Accessing Help for command prompt syntax Accessing Help for command syntax The command line syntax is: avp.com <command> [settings] You must access the program from the command prompt from the program installation folder or by specifying the full path to avp.com. The following may be used as <commands>: ACTIVAE ADDKEY Activates application via Internet using an activation code Activates application using a key file (command can only be executed if the password assigned through the program interface is entered) Starts a component or a task Pauses a component or a task (command can only be executed if the password assigned through the program interface is entered)

START PAUSE

Working with the program from the command line

195

RESUME STOP

Resumes a component or a task Stops a component or a task (command can only be executed if the password assigned through the program interface is entered) Displays the current component or task status on screen Displays statistics for the component or task on screen Help with command syntax and the list of commands Scans objects for viruses Begins program update Rolls back to the last program update made (command can only be executed if the password assigned through the program interface is entered) Closes the program (you can only execute this command with the password assigned in the program interface) Import Kaspersky Anti-Virus settings (command can only be executed if the password assigned through the program interface is entered) Export Kaspersky Anti-Virus settings

STATUS STATISTICS HELP SCAN UPDATE ROLLBACK

EXIT

IMPORT

EXPORT

Each command uses its own settings specific to that particular Kaspersky AntiVirus component.

16.1. Activating the application

You can activate the program in two ways: via Internet using an activation code (the ACTIVATE command) using a key file (the ADDKEY command) Command syntax: ACTIVATE <activation_code>

196

Kaspersky Anti-Virus 7.0

ADDKEY <file_name> /password=<your_password> Parameter description: <activation_code> Program activation code provided when you purchased it. Name of the key file with the extension .key. Password for accessing Kaspersky Anti-Virus assigned in the application interface.

<file_name> <your_password>

Note that you cannot execute the ADDKEY command without entering the password. Example: avp.com ACTIVATE 11AA1-11AAA-1AA11-1A111 avp.com ADDKEY 1AA111A1.key /password=<your_password>

16.2. Managing program components and tasks

Command syntax: avp.com <command> <profile|task_name> [/R[A]:<report_file>] avp.com STOP|PAUSE <profile|task_name> /password=<your_password> [/R[A]:<report_file>] Parameter description: <command> You can manage Kaspersky Anti-Virus components and tasks from the command prompt with the following commands: START - load a real-time protection component or task. STOP - stop a real-time protection component or task. PAUSE - stop a real-time protection component or task. RESUME - resume a real-time protection component

Working with the program from the command line

197

or task. STATUS - display the current status of the real-time protection component or task. STATISTICS outputs statistics to the screen on realtime protection component or task operation. Note that you cannot execute the commands PAUSE and STOP without entering the password. <profile|task_name> You can specify any real-time protection component, modules in the components, on-demand scan tasks, or updates for the values of <profile> (the standard values used in the program are shown in the table below). You can specify the name of any on-demand scan or update task as the value for <task_name>. <your_password> Kaspersky Anti-Virus password assigned in the program interface. R:<report_file> only log important events in the report. /RA:<report_file> log all events in the report.. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen, and all events are displayed. One of the following values is assigned to <profile>: RTP All protection components The command avp.com START RTP starts all realtime protection components if protection is fully disabled (see 6.1.2 on pg. 56) or paused (see 6.1.1 on pg. 55). This command will also start any realtime protection component that was paused that was paused from the GUI or the PAUSE command from the command prompt. If the component was disabled from the GUI or the STOP command from the command prompt, the command avp.com START RTP will not start it. In order to start it, you must execute the command

/R[A]:<report_file>

198

Kaspersky Anti-Virus 7.0

avp.com START <profile>, with the value for the specific protection component entered for <profile>. For example, avp.com START FM. FM EM WM File Anti-Virus Mail Anti-Virus Web Anti-Virus Values for Web Anti-Virus subcomponents: httpscan scans http traffic sc scans scripts BM Proactive Defense Values for Proactive Defense subcomponents: pdm application activity analysis UPDATER Rollback SCAN_OBJECTS SCAN_MY_COMPUTER SCAN_CRITICAL_ARE AS SCAN_STARTUP SCAN_QUARANTINE SCAN_ROOTKITS Updater Rolls back to the previous update Virus scan task My Computer task Critical Areas task

Startup Objects task Scans quarantined objects Rootkit scan task

Components and tasks started from the command prompt are run with the settings configured with the program interface. Examples: To enable File Anti-Virus, type this at the command prompt: avp.com START FM

Working with the program from the command line

199

To view the current status of Proactive Defense on your computer, type the following text at the command prompt: avp.com STATUS BM To stop a My Computer scan task from the command prompt, enter: avp.com STOP SCAN_MY_COMPUTER /password=<your_password>

16.3. Anti-virus scans

The syntax for starting a virus scan of a certain area, and processing malicious objects, from the command prompt generally looks as follows: avp.com SCAN [<object scanned>] [<action>] [<file types>] [<exclusions>] [<configuration file>] [<report settings>] [<advanced settings>] To scan objects, you can also start one of the tasks created in Kaspersky AntiVirus from the command prompt (see 16.1 on pg. 195). The task will be run with the settings specified in the program interface. Parameter description. <object scanned> - this parameter gives the list of objects that will be scanned for malicious code. It can include several values from the following list, separated by spaces. <files> List of paths to the files and/or folders to be scanned. You can enter absolute or relative paths. Items in the list are separated by a space. Notes: If the object name contains a space, it must be placed in quotation marks If you select a specific folder, all the files in it are scanned. /MEMORY /STARTUP /MAIL System memory objects Startup objects Mailboxes

200

Kaspersky Anti-Virus 7.0

/REMDRIVES /FIXDRIVES /NETDRIVES /QUARANTINE /ALL /@:<filelist.lst>

All removable media drives All internal drives All network drives Quarantined objects Complete scan Path to a file containing a list of objects and folders to be included in the scan. The file should be in a text format and each scan object must start a new line. You can enter an absolute or relative path to the file. The path must be placed in quotation marks if it contains a space.

<action> - this parameter sets responses to malicious objects detected during the scan. If this parameter is not defined, the default value is /i8. /i0 take no action on the object; simply record information about it in the report. Treat infected objects, and if disinfection fails, skip Treat infected objects, and if disinfection fails, delete. Exceptions: do not delete infected objects from compound objects; delete compound objects with executable headers, i.e. sfx archives (default ). Treat infected objects, and if disinfection fails, delete. Also delete all compound objects completely if infected contents cannot be deleted. Delete infected objects, and if disinfection fails, delete. Also delete all compound objects completely if infected contents cannot be deleted. Prompt the user for action if an infected object is detected. Prompt the user for action at the end of the scan.

/i1 /i2

/i3

/i4

/i8

/i9

Working with the program from the command line

201

<file types> - this parameter defines the file types that will be subject to the antivirus scan. If this parameter is not defined, the default value is /fi. /fe /fi Scan only potentially infected files by extension Scan only potentially infected files by contents (default) Scan all files

/fa

<exclusions> - this parameter defines objects that are excluded from the scan. It can include several values from the list provided, separated by spaces. -e:a -e:b -e:m -e:<filemask> -e:<seconds> Do not scan archives Do not scan mailboxes Do not scan plain text emails Do not scan objects by mask Skip objects that are scanned for longer that the time specified in the <seconds> parameter. Skip files larger (in MB) than the value assigned by <size>.

-es:<size>

<configuration file> - defines the path to the configuration file that contains the program settings for the scan. The configuration file is a file in the text format, containing a set of command line parameters for anti-virus scan. You can enter an absolute or relative path to the file. If this parameter is not defined, the values set in the Kaspersky Anti-Virus interface are used. /C:<file_name> Use the settings values assigned <file_name> in the file

202

Kaspersky Anti-Virus 7.0

<report settings> - this parameter determines the format of the report on scan results. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen, and all events are displayed. /R:<report_file> /RA:<report_file> Only log important events in this file Log all events in this file

<advanced settings> settings that define the use of anti-virus scanning technologies. /iChecker=<on|off> /iSwift=<on|off> Examples: Start a scan of RAM, Startup programs, mailboxes, the directories My Documents and Program Files, and the file test.exe: avp.com SCAN /MEMORY /STARTUP /MAIL "C:\Documents and Settings\All Users\My Documents" "C:\Program Files" "C:\Downloads\test.exe" Pause scan of selected objects and start full computer scan, then continue to scan for viruses within the selected objects: avp.com PAUSE SCAN_OBJECTS /password=<your_password> avp.com START SCAN_MY_COMPUTER avp.com RESUME SCAN_OBJECTS Scan RAM and the objects listed in the file object2scan.txt. Use the configuration file scan_setting.txt. After the scan, generate a report in which all events are recorded: avp.com SCAN /MEMORY /@:objects2scan.txt /C:scan_settings.txt /RA:scan.log Sample configuration file: /MEMORY /@:objects2scan.txt /C:scan_settings.txt /RA:scan.log Enable/ disable iChecker Enable/ disable iSwift

Working with the program from the command line

203

16.4. Program updates

The syntax for updating Kaspersky Anti-Virus databases and modules from the command prompt is as follows: avp.com UPDATE [<update_source>] [/R[A]:<report_file>] [/C:<file_name>] [/APP=<on|off>] Parameter description: [<update_source>] HTTP or FTP server or network folder for downloading updates. You can specify the full path to the update source or a URL as the value for this parameter. If a path is not selected, the update source will be taken from the Update settings. /R:<report_file> only log important events in the report. /RA:<report_file> log all events in the report. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen, and all events are displayed. /C:<file_name> Path to the configuration file with the settings for program updates. The configuration file is a file in the text format, containing a set of command line parameters for application update. You can enter an absolute or relative path to the file. If this parameter is not defined, the values for the settings in the Kaspersky Anti-Virus interface are used. /APP=<on | off> Examples: Update Kaspersky Anti-Virus databases and record all events in the report: avp.com UPDATE /RA:avbases_upd.txt Enable / disable application module updates

/R[A]:<report_file>

204

Kaspersky Anti-Virus 7.0

Update the Kaspersky Anti-Virus program modules by using the settings in the configuration file updateapp.ini: avp.com UPDATE /APP=on/C:updateapp.ini Sample configuration file: "ftp://my_server/kav updates" /RA:avbases_upd.txt /app=on

16.5. Rollback settings

Command syntax: ROLLBACK [/R[A]:<report_file>] [/password=<password>] /R[A]:<report_file> /R:<report_file> events in the report. record only important

/RA:<report_file> - log all events in the report. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen, and all events are displayed. <password> Password for accessing Kaspersky Anti-Virus assigned in the application interface.

Note that you cannot execute this command without entering the password. Example: avp.com ROLLBACK /RA:rollback.txt /password=<your_password>

16.6. Exporting protection settings

Command syntax: avp.com EXPORT <profile> <file_name> Parameter description: <profile> Component or task with the settings being exported. You can use any value for <profile> that is listed in 16.2 on pg. 196.

Working with the program from the command line

205

<file_name>

Path to the file to which the Kaspersky Anti-Virus settings are exported. You can use an absolute or relative path. The configuration file is saved in binary format (.dat), and it can be used later to import application settings on other computers. The configuration file can be saved as a text file. To do so, specify the .txt extension in the file name. This file can only be used to specify the main settings for program operation.

Example: avp.com EXPORT c:\settings.dat

16.7. Importing settings

Command syntax: avp.com IMPORT <filename> [/password=<password>] <file_name> Path to the file from which the Kaspersky Anti-Virus settings are being imported. You can use an absolute or relative path. Settings can only be imported from binary files. <your_password> Kaspersky Anti-Virus password assigned in the program interface.

Note that you cannot execute this command without entering the password. Example: avp.com IMPORT c:\settings.dat /password=<password>

16.8. Starting the program

Command syntax: avp.com

206

Kaspersky Anti-Virus 7.0

16.9. Stopping the program

Command syntax: EXIT /password=<your_password> <your_password> Kaspersky Anti-Virus password assigned in the program interface.

Note that you cannot execute this command without entering the password.

16.10. Creating a trace file

You might need to create a trace file if you have problems with the program to troubleshoot them more exactly with the specialists at Technical Support. Command syntax: avp.com TRACE [file] [on|off] [<trace_level>] Parameter description: [on|off] [file] <trace_level> Enable/disable trace creation. Output trace to file. This value can be an integer from 0 (minimum level, only critical messages) to 700 (maximum level, all messages). A Technical Support will tell you what trace level you need when you contact Technical Support. If it is not specified, we recommend setting the level to 500. Warning! We only recommend creating trace files for troubleshooting a specific problem. Regularly enabling traces could slow down your computer and fill up your hard drive. Examples: To disable trace file creation: avp.com TRACE file off

Working with the program from the command line

207

To create a trace file to send to Technical Support with a maximum trace level of 500: avp.com TRACE file on 500

16.11. Viewing Help

This command is available for viewing Help on command prompt syntax: avp.com [ /? | HELP ] To get help on the syntax of a specific command, you can use one of the following commands: avp.com <command> /? avp.com HELP <command>

16.12. Return codes from the command line interface

This section contains a list of return codes from the command line. The general codes may be returned by any command from the command line. The return codes include general codes as well as codes specific to a specific type of task. General return codes 0 1 2 3 4 Operation completed successfully Invalid setting value Unknown error Task completion error Task canceled

Anti-virus scan task return codes 101 102 All dangerous objects processed Dangerous objects detected

CHAPTER 17. MODIFYING, REPAIRING, AND REMOVING THE PROGRAM

You can uninstall the application in the following ways: using the application's Setup Wizard (see 17.2 on pg. 210) from the command prompt (see 17.2 on pg. 210)

17.1. Modifying, repairing, and removing the program using Install Wizard
You may find it necessary to repair the program if you detect errors in its operation after incorrect configuration or file corruption. Modifying the program can install missing Kaspersky Anti-Virus components and delete unwanted ones. To repair or modify Kaspersky Anti-Virus missing components or delete the program: 1. Insert the installation CD into the CD/DVD-ROM drive, if you used one to install the program. If you installed Kaspersky Anti-Virus from a different source (shared folder, folder on the hard drive, etc.), make sure that the installer package is available from the source and that you have access to it. Select Start Programs Repair, or Remove. Kaspersky Anti-Virus 7.0 Modify,

An installation wizard then will open for the program. Lets take a closer took at the steps of repairing, modifying, or deleting the program.

Step 1.

Selecting an operation

At this stage, you select which operation you want to run. You can modify the program components, repair the installed components, remove components or

Modifying, repairing, and removing the program

209

remove the entire program. To execute the operation you need, click the appropriate button. The programs response depends on the operation you select. Modifying the program is like custom program installation where you can specify which components you want to install, and which you want to delete. Repairing the program depends on the program components installed. The files will be repaired for all components that are installed and the Recommended security level will be set for each of them. If you remove the program, you can select which data created and used by the program you want to save on your computer. To delete all Kaspersky Anti-Virus data, select Complete uninstall. To save data, select Save application objects and specify which objects not to delete from this list: Activation information application key file. Application databases complete set of signatures of dangerous programs, virus, and other threats current as of the last update. Backup files backup copies of deleted or disinfected objects. You are advised to save these, in case they can be restored later. Quarantine files files that are potentially infected by viruses or modifications of them. These files contain code that is similar to code of a known virus but it is difficult to determine if they are malicious. You are advised to save them, since they could actually not be infected, or they could be disinfected after the application databases are updated. Protection settings configurations for all program components. iSwift data database with information on objects scanned on NTFS file systems, which can increase scan speed. When it uses this database, Kaspersky Anti-Virus only scans the files that have been modified since the last scan. Warning! If a long period of time elapses between uninstalling one version of Kaspersky Anti-Virus and installing another, you are advised not to use the iSwift database from a previous installation. A dangerous program could penetrate the computer during this period and its effects would not be detected by the database, which could lead to an infection. To start the operation selected, click the Next button. The program will begin copying the necessary files to your computer or deleting the selected components and data.

210

Kaspersky Anti-Virus 7.0

Step 2.

Completing program modification, repair, or removal

The modification, repair, or removal process will be displayed on screen, after which you will be informed of its completion. Removing the program generally requires you to restart your computer, since this is necessary to account for modifications to your system. The program will ask if you want to restart your computer. Click Yes to restart right away. To restart your computer later, click No.

17.2. Uninstalling the program from the command line

To uninstall Kaspersky Anti-Virus from the command line, enter: msiexec /x <package_name> The Setup Wizard will open. You can use it to uninstall the application (see Chapter 17 on pg. 208 ). To uninstall the application noninteractively without restarting the computer (the computer should be restarted manually after uninstalling), enter: msiexec /x <package_name> /qn

CHAPTER 18. FREQUENTLY ASKED QUESTIONS

This chapter is devoted to the most frequently asked questions from users pertaining to installation, setup and operation of the Kaspersky Anti-Virus; here we shall try to answer them here in detail. Question: Is it possible to use Kaspersky Anti-Virus 7.0 with anti-virus products of other vendors? No. We recommend uninstalling anti-virus products of other vendors prior to installation of Kaspersky Anti-Virus to avoid software conflicts. Question: Kaspersky Anti-Virus does not rescan files that have been scanned earlier. Why? This is true. Kaspersky Anti-Virus does not rescan files that have not changed since the last scan. That has become possible due to new iChecker and iSwift technologies. The technology is implemented in the program using a database of file checksums and file checksum storage in alternate NTFS streams. Question: Why is activation required? Will Kaspersky Anti-Virus work without a key file? Kaspersky Anti-Virus will run without a key, although you will not be able to access the Updater and Technical Support. If you still have not decided whether to purchase Kaspersky Anti-Virus, we can provide you with a trial license that will work for either two weeks or a month. Once that time has elapsed, the key will expire. Question: After the installation of Kaspersky Anti-Virus the operating system started behaving strangely (blue screen of death, frequent restarting, etc.) What should I do? Although rare, it is possible that Kaspersky Anti-Virus and other software installed on your computer will conflict. In order to restore the functionality of your operating system do the following: 1. 2. Press the F8 key repeatedly between the time when the computer just started loading until the boot menu is displayed. Select Safe Mode and load the operating system.

212

Kaspersky Anti-Virus 7.0

3. 4. 5. 6.

Open Kaspersky Anti-Virus. Open the application settings window and select Service. Uncheck Launch application at startup and click OK. Reboot the operating system in regular mode.

Send a request to Kaspersky Lab Technical Support. Open the application main window, select Support, and click Send Request. Describe the problem and its signature in as much detail as possible. Make sure that you attach to your question a file containing a complete dump of Microsoft Windows operating system. In order to create this file, do the following: 1. 2. Right-click My computer and select the Properties item in the shortcut menu that will open. Select the Advanced tab in the System Properties window and then press the Settings button in the Startup and Recovery section. Select the Complete memory dump option from the drop-down list in the Write debugging information section of the Startup and Recovery window. By default, the dump file will be saved into the system folder as memory.dmp. You can change the dump storage folder by editing the folder name in the corresponding field. 4. 5. Reproduce the problem related to the operation of Kaspersky AntiVirus. Make sure that the complete memory dump file was successfully saved.

APPENDIX A. REFERENCE INFORMATION

This appendix contains reference materials on the file formats and extension masks used in Kaspersky Anti-Virus settings.

A.1. List of files scanned by extension

If the Scan Programs and Documents (By Extension) is selected as the File Antivirus scan option or virus scan task, files with the extensions listed below will be analyzed closely for viruses. These file types are also scanned by Mail Anti-Virus if message attachment scanning is activated: com executable file for a program exe executable file or self-extracting archive sys system driver prg program text for dBase, Clipper or Microsoft Visual FoxPro, or a WAVmaker program bin binary file bat batch file cmd command file for Microsoft Windows NT (similar to a .bat file for DOS), OS/2 dpl compressed Borland Delphi library dll dynamic loading library scr Microsoft Windows splash screen cpl Microsoft Windows control panel module ocx Microsoft OLE (Object Linking and Embedding) object tsp program that runs in split-time mode drv device driver vxd Microsoft Windows virtual device driver pif program information file lnk Microsoft Windows link file reg Microsoft Windows system registry key file ini initialization file

214

Kaspersky Anti-Virus 7.0

cla Java class vbs Visual Basic script vbe BIOS video extension js, jse JavaScript source text htm hypertext document htt Microsoft Windows hypertext header hta hypertext program for Microsoft Internet Explorer asp Active Server Pages script chm compiled HTML file pht HTML with built-in PHP scripts php script built into HTML files wsh Microsoft Windows Script Host file wsf Microsoft Windows script the Microsoft Windows 95 desktop wallpaper hlp Win Help file eml Microsoft Outlook Express email file nws Microsoft Outlook Express new email file msg Microsoft Mail email file plg email mbx extension for saved Microsoft Office Outlook emails doc* Microsoft Office Word document, such as : doc Microsoft Office Word document, docx Microsoft Office Word 2007 document with XML support, docm Microsoft Office Word 2007 document with macro support. dot* Microsoft Office Word document template, such as, dot Microsoft Office Word document template, dotx Microsoft Office Word 2007 document template, dotm Microsoft Office Word 2007 document template with macro support. fpm database program, start file for Microsoft Visual FoxPro rtf Rich Text Format document shs Shell Scrap Object Handler fragment dwg AutoCAD blueprint database msi Microsoft Windows Installer package otm VBA project for Microsoft Office Outlook pdf Adobe Acrobat document swf Shockwave Flash file jpg, jpeg, png compressed image graphics format

Appendix A

215

emf Enhanced Metafile format Next generation of Microsoft Windows OS metafiles. EMF files are not supported by 16-bit Microsoft Windows ico icon file ov? Microsoft DOC executable files xl* - Microsoft Office Excel documents and files, such as: xla Microsoft Office Excel add-on, xlc diagram, xlt document template, xlsx Microsoft Office Excel 2007 work book, xltm Microsoft Office Excel 2007 work book with macro support, xlsb Microsoft Office Excel 2007 in binary (non-XML) format, xltx Microsoft Office Excel 2007 template, xlsm Microsoft Office Excel 2007 template with macro support, xlam Microsoft Office Excel 2007 add-on with macro support. pp* - Microsoft Office PowerPoint documents and files, such as: pps Microsoft Office PowerPoint slide, ppt presentation, pptx Microsoft Office PowerPoint 2007 presentation, pptm Microsoft Office PowerPoint 2007 presentation with macro support, potx Microsoft Office PowerPoint 2007 presentation template, potm Microsoft Office PowerPoint 2007 presentation template with macro support, ppsx Microsoft Office PowerPoint 2007 slide show, ppsm Microsoft Office PowerPoint 2007 slide show with macro support, ppam Microsoft Office PowerPoint 2007 add-on with macro support. md* Microsoft Office Access documents and files, such as: mda Microsoft Office Access work group, mdb database, etc. sldx a Microsoft PowerPoint 2007 slide. sldm a Microsoft PowerPoint 2007 slide with Macro support. thmx a Microsoft Office 2007 theme. Remember that the actual format of a file may not correspond with the format indicated in the file extension.

A.2. Valid file exclusion masks

Lets look at some examples of possible masks that you can use when creating file exclusion lists: 1. Masks without file paths: *.exe all files with the extension .exe *.ex? all files with the extension .ex?, where ? can represent any one character test all files with the name test 2. Masks with absolute file paths:

216

Kaspersky Anti-Virus 7.0

C:\dir\*.* or C:\dir\* or C:\dir\ all files in folder C:\dir\ C:\dir\*.exe all files with extension .exe in folder C:\dir\ C:\dir\*.ex? all files with extension .ex? in folder C:\dir\, where ? can represent any one character C:\dir\test only the file C:\dir\test If you do not want the program to scan files in the subfolders of this folder, uncheck Include subfolders when creating the mask. 3. Masks with relative file paths: dir\*.* or dir\* or dir\ all files in all dir\ folders dir\test all test files in dir\ folders dir\*.exe all files with the extension .exe in all dir\ folders dir\*.ex? all files with the extension .ex? in all C:\dir\ folders, where ? can represent any one character If you do not want the program to scan files in the subfolders of this folder, uncheck Include subfolders when creating the mask. Tip: *.* and * exclusion masks can only be used if you assign an excluded threat type according to the Virus Encyclopedia. Otherwise the threat specified will not be detected in any objects. Using these masks without selecting a threat type essentially disables monitoring. We also do not recommend that you select a virtual drive created on the basis of a file system directory using the subst command as an exclusion. There is no point in doing so, since during the scan, the program perceives this virtual drive as a folder and consequently scans it.

A.3. Valid exclusion masks by Virus Encyclopedia classification

When adding threats with a certain status from the Virus Encyclopedia classification as exclusions, you can specify: the full name of the threat as given in the Virus Encyclopedia at www.viruslist.com (for example, not-avirus:RiskWare.RemoteAdmin.RA.311 or Flooder.Win32.Fuxx);

Appendix A

217

threat name by mask. For example: not-a-virus* excludes potential dangerous programs from the scan, as well as joke programs. *Riskware.* excludes riskware from the scan. *RemoteAdmin.* excludes all remote administration programs from the scan.

APPENDIX B. KASPERSKY LAB

Founded in 1997, Kaspersky Lab has become a recognized leader in information security technologies. It produces a wide range of data security software and delivers high-performance, comprehensive solutions to protect computers and networks against all types of malicious programs, unsolicited and unwanted email messages, and hacker attacks. Kaspersky Lab is an international company. Headquartered in the Russian Federation, the company has representative offices in the United Kingdom, France, Germany, Japan, USA (CA), the Benelux countries, China, Poland, and Romania. A new company department, the European Anti-Virus Research Centre, has recently been established in France. Kaspersky Lab's partner network incorporates more than 500 companies worldwide. Today, Kaspersky Lab employs more than 450 specialists, each of whom is proficient in anti-virus technologies, with 10 of them holding M.B.A. degrees, 16 holding Ph.Ds, and senior experts holding membership in the Computer AntiVirus Researchers Organization (CARO). Kaspersky Lab offers best-of-breed security solutions, based on its unique experience and knowledge, gained in over 14 years of fighting computer viruses. A thorough analysis of computer virus activities enables the company to deliver comprehensive protection from current and future threats. Resistance to future attacks is the basic policy implemented in all Kaspersky Lab's products. At all times, the companys products remain at least one step ahead of many other vendors in delivering extensive anti-virus coverage for home users and corporate customers alike. Years of hard work have made the company one of the top security software manufacturers. Kaspersky Lab was one of the first businesses of its kind to develop the highest standards for anti-virus defense. The companys flagship product, Kaspersky Anti-Virus, provides full-scale protection for all tiers of a network, including workstations, file servers, email systems, firewalls, Internet gateways, and hand-held computers. Its convenient and easy-to-use management tools ensure advanced automation for rapid virus protection across an enterprise. Many well-known manufacturers use the Kaspersky Anti-Virus kernel, including Nokia ICG (USA), F-Secure (Finland), Aladdin (Israel), Sybari (USA), G Data (Germany), Deerfield (USA), Alt-N (USA), Microworld (India) and BorderWare (Canada). Kaspersky Lab's customers benefit from a wide range of additional services that ensure both stable operation of the company's products, and compliance with specific business requirements. Kaspersky Lab's anti-virus database is updated every hour. The company provides its customers with a 24-hour technical support service, which is available in several languages to accommodate its international clientele.

APPENDIX C. LICENSE AGREEMENT

Standard End User License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT (AGREEMENT), FOR THE LICENSE OF KASPERSKY ANTIVIRUS (SOFTWARE) PRODUCED BY KASPERSKY LAB (KASPERSKY LAB). IF YOU HAVE PURCHASED THIS SOFTWARE VIA THE INTERNET BY CLICKING THE ACCEPT BUTTON, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. IF YOU HAVE PURCHASED THIS SOFTWARE ON A PHYSICAL MEDIUM, HAVING BROKEN THE CD/DVDS SLEEVE YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT DO NOT BREAK THE CD/DVDs SLEEVE, DOWNLOAD, INSTALL OR USE THIS SOFTWARE. IN ACCORDANCE WITH THE LEGISLATION, REGARDING KASPERSKY SOFTWARE INTENDED FOR INDIVIDUAL CONSUMERS PURCHASED ONLINE FROM THE KASPERSKY LAB OR ITS PARTNERS INTERNET WEB SITE, CUSTOMER SHALL HAVE A PERIOD OF FOURTEEN (14) WORKING DAYS AS FROM THE DELIVERY OF PRODUCT TO MAKE RETURN OF IT TO THE MERCHANT FOR EXCHANGE OR REFUND, PROVIDED THE SOFTWARE IS NOT UNSEALED. REGARDING THE KASPERSKY SOFTWARE INTENDED FOR INDIVIDUAL CONSUMERS NOT PURCHASED ONLINE VIA INTERNET, THIS SOFTWARE NEITHER WILL BE RETURNED NOR EXCHANGED EXCEPT FOR CONTRARY PROVISIONS FROM THE PARTNER WHO SELLS THE PRODUCT. IN THIS CASE, KASPERSKY LAB WILL NOT BE HELD BY THE PARTNER'S CLAUSES. THE RIGHT TO RETURN AND REFUND EXTENDS ONLY TO THE ORIGINAL PURCHASER.

Appendix C

231

All references to Software herein shall be deemed to include the software activation code with which you will be provided by Kaspersky Lab as part of the Kaspersky Anti-Virus 7.0. 1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and conditions of this Agreement, Kaspersky Lab hereby grants you the non-exclusive, non-transferable right to use one copy of the specified version of the Software and the accompanying documentation (the Documentation) for the term of this Agreement solely for your own internal business purposes. You may install one copy of the Software on one computer. 1.1 Use. The Software is licensed as a single product; it may not be used on more than one computer or by more than one user at a time, except as set forth in this Section. 1.1.1 The Software is in use on a computer when it is loaded into the temporary memory (i.e., random-access memory or RAM) or installed into the permanent memory (e.g., hard disk, CD/DVD-ROM, or other storage device) of that computer. This license authorizes you to make only as many back-up copies of the Software as are necessary for its lawful use and solely for back-up purposes, provided that all such copies contain all of the Softwares proprietary notices. You shall maintain records of the number and location of all copies of the Software and Documentation and will take all reasonable precautions to protect the Software from unauthorized copying or use. 1.1.2 The Software protects computer against viruses whose signatures are contained in the threat signatures database which is available on Kaspersky Lab's update servers. 1.1.3 If you sell the computer on which the Software is installed, you will ensure that all copies of the Software have been previously deleted. 1.1.4 You shall not decompile, reverse engineer, disassemble or otherwise reduce any part of this Software to a humanly readable form nor permit any third party to do so. The interface information necessary to achieve interoperability of the Software with independently created computer programs will be provided by Kaspersky Lab by request on payment of its reasonable costs and expenses for procuring and supplying such information. In the event that Kaspersky Lab notifies you that it does not intend to make such information available for any reason, including (without limitation) costs, you shall be permitted to take such steps to achieve interoperability, provided that you only reverse engineer or decompile the Software to the extent permitted by law. 1.1.5 You shall not make error corrections to, or otherwise modify, adapt, or translate the Software, nor create derivative works of the Software, nor permit any third party to copy (other than as expressly permitted herein). 1.1.6 You shall not rent, lease or lend the Software to any other person, nor transfer or sub-license your license rights to any other person.

232

Kaspersky Anti-Virus 7.0

1.1.7 You shall not provide the activation code or license key file to third parties or allow third parties access to the activation code or license key. The activation code and license key are confidential data. 1.1.8 Kaspersky Lab may ask User to install the latest version of the Software (the latest version and the latest maintenance pack). 1.1.9 You shall not use this Software in automatic, semi-automatic or manual tools designed to create virus signatures, virus detection routines, any other data or code for detecting malicious code or data. 2. Support. (i) Kaspersky Lab will provide you with the support services (Support Services) as defined below for a period, specified in the License Key File and indicated in the "Service" window, since the moment of activation on: (a) (b) payment of its then current support charge, and: successful completion of the Support Services Subscription Form as provided to you with this Agreement or as available on the Kaspersky Lab website, which will require you to enter activation code which will have been provided to you by Kaspersky Lab with this Agreement. It shall be at the absolute discretion of Kaspersky Lab whether or not you have satisfied this condition for the provision of Support Services. Support Services shall become available after Software activation. Kaspersky Lab's technical support service is also entitled to demand from the End User additional registration for identifier awarding for Support Services rendering. Until Software activation and/or obtaining of the End User identifier (Customer ID) technical support service renders only assistance in Software activation and registration of the End User. (ii) By completion of the Support Services Subscription Form you consent to the terms of the Kaspersky Lab Privacy Policy, which is deposited on www.kaspersky.com/privacy, and you explicitly consent to the transfer of data to other countries outside your own as set out in the Privacy Policy. Support Services will terminate unless renewed annually by payment of the then-current annual support charge and by successful completion of the Support Services Subscription Form again. Support Services means: (a) (b) Hourly updates of the anti-virus database; Free software updates, including version upgrades;

(iii)

(iv)

Appendix C

233

(c) (d) (v)

Technical support via Internet and hot phone-line provided by Vendor and/or Reseller; Virus detection and disinfection updates in 24-hours period

Support Services are provided only if and when you have the latest version of the Software (including maintenance packs) as available on the official Kaspersky Lab website (www.kaspersky.com) installed on your computer.

3. Ownership Rights. The Software is protected by copyright laws. Kaspersky Lab and its suppliers own and retain all rights, titles and interests in and to the Software, including all copyrights, patents, trademarks and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer any title to the intellectual property in the Software to you, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. 4. Confidentiality. You agree that the Software and the Documentation, including the specific design and structure of individual programs constitute confidential proprietary information of Kaspersky Lab. You shall not disclose, provide, or otherwise make available such confidential information in any form to any third party without the prior written consent of Kaspersky Lab. You shall implement reasonable security measures to protect such confidential information, but without limitation to the foregoing shall use best endeavours to maintain the security of the activation code. 5. Limited Warranty. (i) Kaspersky Lab warrants that for six (6) months from first download or installation the Software purchased on a physical medium will perform substantially in accordance with the functionality described in the Documentation when operated properly and in the manner specified in the Documentation. You accept all responsibility for the selection of this Software to meet your requirements. Kaspersky Lab does not warrant that the Software and/or the Documentation will be suitable for such requirements nor that any use will be uninterrupted or error free. Kaspersky Lab does not warrant that this Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus. Your sole remedy and the entire liability of Kaspersky Lab for breach of the warranty at paragraph (i) will be at Kaspersky Lab option, to repair, replace or refund of the Software if reported to Kaspersky Lab or its designee during the warranty period. You shall provide all information as may

(ii)

(iii)

(iv)

234

Kaspersky Anti-Virus 7.0

be reasonably necessary to assist the Supplier in resolving the defective item. (v) The warranty in (i) shall not apply if you (a) make or cause to be made any modifications to this Software without the consent of Kaspersky Lab, (b) use the Software in a manner for which it was not intended, or (c) use the Software other than as permitted under this Agreement. The warranties and conditions stated in this Agreement are in lieu of all other conditions, warranties or other terms concerning the supply or purported supply of, failure to supply or delay in supplying the Software or the Documentation which might but for this paragraph (vi) have effect between the Kaspersky Lab and your or would otherwise be implied into or incorporated into this Agreement or any collateral contract, whether by statute, common law or otherwise, all of which are hereby excluded (including, without limitation, the implied conditions, warranties or other terms as to satisfactory quality, fitness for purpose or as to the use of reasonable skill and care).

(vi)

6. Limitation of Liability. (i) Nothing in this Agreement shall exclude or limit Kaspersky Labs liability for (a) the tort of deceit, (b) death or personal injury caused by its breach of a common law duty of care or any negligent breach of a term of this Agreement, or (c) any other liability which cannot be excluded by law. Subject to paragraph (i) above, Kaspersky Lab shall bear no liability (whether in contract, tort, restitution or otherwise) for any of the following losses or damage (whether such losses or damage were foreseen, foreseeable, known or otherwise): (a) (b) (c) (d) (e) (f) (g) (h) (i) (j) Loss of revenue; Loss of actual or anticipated profits (including for loss of profits on contracts); Loss of the use of money; Loss of anticipated savings; Loss of business; Loss of opportunity; Loss of goodwill; Loss of reputation; Loss of, damage to or corruption of data, or: Any indirect or consequential loss or damage howsoever caused (including, for the avoidance of doubt, where such loss or damage is of the type specified in paragraphs (ii), (a) to (ii), (i).

(ii)

Appendix C

235

(iii)

Subject to paragraph (i), the liability of Kaspersky Lab (whether in contract, tort, restitution or otherwise) arising out of or in connection with the supply of the Software shall in no circumstances exceed a sum equal to the amount equally paid by you for the Software.

7. This Agreement contains the entire understanding between the parties with respect to the subject matter hereof and supersedes all and any prior understandings, undertakings and promises between you and Kaspersky Lab, whether oral or in writing, which have been given or may be implied from anything written or said in negotiations between us or our representatives prior to this Agreement and all prior agreements between the parties relating to the matters aforesaid shall cease to have effect as from the Effective Date. ________________________________________________________________
When using demo software, you are not entitled to the Technical Support specified in Clause 2 of this EULA, nor do you have the right to sell the copy in your possession to other parties. You are entitled to use the software for demo purposes for the period of time specified in the license key file starting from the moment of activation (this period can be viewed in the Service window of the software's GUI).

KWU Turbine System
100% (11)
KWU Turbine System
90 pages
Turbine Erection
92% (13)
Turbine Erection
131 pages
Turbine Erection
92% (13)
Turbine Erection
131 pages
Duct
100% (4)
Duct
100 pages
KWU Text Governing
100% (5)
KWU Text Governing
43 pages
Generator Class
100% (9)
Generator Class
93 pages
Introduction To Turbovisory Instruments
80% (5)
Introduction To Turbovisory Instruments
40 pages
Turbo Generator
100% (3)
Turbo Generator
92 pages
Water Circulation System
67% (3)
Water Circulation System
37 pages
Water Circulation System
67% (3)
Water Circulation System
37 pages
How To Install Kaspersky Anti-Virus - SoftwareKeep
100% (1)
How To Install Kaspersky Anti-Virus - SoftwareKeep
6 pages
Steps
100% (2)
Steps
62 pages
Generator Commissioning
96% (23)
Generator Commissioning
90 pages
Soot Blower Erosion: Typical Locations Corrective Action
No ratings yet
Soot Blower Erosion: Typical Locations Corrective Action
65 pages
Automatic Turbine Tester Ee
100% (4)
Automatic Turbine Tester Ee
17 pages
Feedwater System
100% (1)
Feedwater System
70 pages
Automatic Turbine Testor
100% (3)
Automatic Turbine Testor
26 pages
Vibration Measurement & Analysis
100% (1)
Vibration Measurement & Analysis
48 pages
Keswin 11.5.0 en Us
No ratings yet
Keswin 11.5.0 en Us
561 pages
Equipment at HPS
100% (1)
Equipment at HPS
60 pages
Infrastructure in Power Project 1
50% (2)
Infrastructure in Power Project 1
51 pages
Vindh 9 CAVT Report
No ratings yet
Vindh 9 CAVT Report
20 pages
Schemes Talcher
100% (1)
Schemes Talcher
206 pages
Recording, Reporting of Output
100% (4)
Recording, Reporting of Output
30 pages
Accident - Causes &amp Factors
100% (2)
Accident - Causes &amp Factors
38 pages
L-2 Presentation Gen Mech Aux
100% (2)
L-2 Presentation Gen Mech Aux
36 pages
Boiler Erection PDF
100% (1)
Boiler Erection PDF
44 pages
Startup
100% (1)
Startup
35 pages
L-03 Spring Loaded Foundation-Presentation
100% (1)
L-03 Spring Loaded Foundation-Presentation
34 pages
Ppe Dis
100% (1)
Ppe Dis
12 pages
Kaspersky Endpoint Security For Windows manual-11.8.0-en-US
No ratings yet
Kaspersky Endpoint Security For Windows manual-11.8.0-en-US
747 pages
Kaspersky Security 10 For Windows Server, Admin Guide - Ks4ws - Admin - Guide - en
100% (1)
Kaspersky Security 10 For Windows Server, Admin Guide - Ks4ws - Admin - Guide - en
440 pages
5.-Revised-Tle-As-Css-10-Q3-Installing Antivirus
No ratings yet
5.-Revised-Tle-As-Css-10-Q3-Installing Antivirus
4 pages
ks4ws Admin Guide en
No ratings yet
ks4ws Admin Guide en
584 pages
Vertical Tube, Variable Pressure Furnace For Supercritical Steam Boilers
No ratings yet
Vertical Tube, Variable Pressure Furnace For Supercritical Steam Boilers
7 pages
Avira Internet Security: User Manual
No ratings yet
Avira Internet Security: User Manual
233 pages
Kaspersky Internet Security 2013: User Guide
No ratings yet
Kaspersky Internet Security 2013: User Guide
76 pages
SECURING YOUR DIGITAL WORLD With KASPERSKY ANTI VIRUS
No ratings yet
SECURING YOUR DIGITAL WORLD With KASPERSKY ANTI VIRUS
16 pages
Kaspersky Anti-Virus 2013: User Guide
No ratings yet
Kaspersky Anti-Virus 2013: User Guide
73 pages
Kasp10.0 SC Gsen
No ratings yet
Kasp10.0 SC Gsen
79 pages
K7TS User Manual
No ratings yet
K7TS User Manual
163 pages
Kaspersky PURE: User Guide
No ratings yet
Kaspersky PURE: User Guide
88 pages
Kaspersky Internet Security: User Guide Application Version: 16.0 Maintenance Release 1
No ratings yet
Kaspersky Internet Security: User Guide Application Version: 16.0 Maintenance Release 1
180 pages
Kaspersky Anti-Virus 5.5 For Proxy Server: Administrator Guide
No ratings yet
Kaspersky Anti-Virus 5.5 For Proxy Server: Administrator Guide
59 pages
Kav6.0 Wseeadminguide en
No ratings yet
Kav6.0 Wseeadminguide en
421 pages
Kav5.0 Winfsen
No ratings yet
Kav5.0 Winfsen
114 pages
User Guide: Kaspersky Anti-Virus For Windows Workstations 6.0
No ratings yet
User Guide: Kaspersky Anti-Virus For Windows Workstations 6.0
326 pages
Kaspersky Security For Business Portfolio 2015. Product Catalogue
No ratings yet
Kaspersky Security For Business Portfolio 2015. Product Catalogue
19 pages
(Kaspersky) Kaspersky Anti-Virus 8.0 For Windows Servers Enterprise Edition
No ratings yet
(Kaspersky) Kaspersky Anti-Virus 8.0 For Windows Servers Enterprise Edition
159 pages
Kasp9.0 SCWC Userguide en
No ratings yet
Kasp9.0 SCWC Userguide en
64 pages
User Guidekis 2010 en
No ratings yet
User Guidekis 2010 en
96 pages
Kaspersky Lab
No ratings yet
Kaspersky Lab
321 pages
Task 2.2
No ratings yet
Task 2.2
7 pages
02.kaspersky KES10 Management V3 5
No ratings yet
02.kaspersky KES10 Management V3 5
8 pages
Ks4ws Install Guide en
No ratings yet
Ks4ws Install Guide en
115 pages
Geckoandfly Com
No ratings yet
Geckoandfly Com
31 pages
User Guide
No ratings yet
User Guide
125 pages
Kis2014 en
No ratings yet
Kis2014 en
87 pages
Kaspersky Internet Security: Application Version: 14.0
No ratings yet
Kaspersky Internet Security: Application Version: 14.0
85 pages
Man Avira Internet Security en
No ratings yet
Man Avira Internet Security en
178 pages
Administrator'S Guide: Kaspersky Lab
No ratings yet
Administrator'S Guide: Kaspersky Lab
89 pages
KAV 2011 User Guide - English
No ratings yet
KAV 2011 User Guide - English
108 pages
Kaspersky Anti-Virus Quick Start Guide
No ratings yet
Kaspersky Anti-Virus Quick Start Guide
4 pages
How To Use Kaspersky Antivirus: Presented By: Nabihah Binti Abu Bakar Fatimah Az-Zahraa Binti Zaharuddin
No ratings yet
How To Use Kaspersky Antivirus: Presented By: Nabihah Binti Abu Bakar Fatimah Az-Zahraa Binti Zaharuddin
16 pages
Kaspersky 6.0 Guide
No ratings yet
Kaspersky 6.0 Guide
265 pages
Kaspersky Anti-Virus 2010: SER Uide
No ratings yet
Kaspersky Anti-Virus 2010: SER Uide
96 pages
Extra Security Concerns Can Install Macintosh Versions of Anti-Virus, Anti-Malware and Firewall Programs
No ratings yet
Extra Security Concerns Can Install Macintosh Versions of Anti-Virus, Anti-Malware and Firewall Programs
3 pages
Kaspersky Internet Security 2009: SER Uide
No ratings yet
Kaspersky Internet Security 2009: SER Uide
88 pages
Kaspersky Lab Kaspersky Anti-Virus 7.0 User'S Guide
No ratings yet
Kaspersky Lab Kaspersky Anti-Virus 7.0 User'S Guide
77 pages
Kaspersky Endpoint Security 8 For Windows
No ratings yet
Kaspersky Endpoint Security 8 For Windows
2 pages
Kaspersky Lab: Kaspersky® Anti-Virus 6.0.4.1424 For Windows Workstations
No ratings yet
Kaspersky Lab: Kaspersky® Anti-Virus 6.0.4.1424 For Windows Workstations
10 pages
KAV 6.0.4.1424 MP4 For Windows Workstations (Automated) - GITN
No ratings yet
KAV 6.0.4.1424 MP4 For Windows Workstations (Automated) - GITN
10 pages
Kaspersky2012 en
No ratings yet
Kaspersky2012 en
226 pages
Mastering Python Advanced Concepts and Practical Applications
From Everand
Mastering Python Advanced Concepts and Practical Applications
Aissa Younes
No ratings yet
Cloud Computing : Beginners And Intermediate User Guide
From Everand
Cloud Computing : Beginners And Intermediate User Guide
David comer
No ratings yet
Risk Management and System Safety
From Everand
Risk Management and System Safety
Leonam dos Santos Guimarães
5/5 (1)
Gray Hat Hacking the Ethical Hacker's
From Everand
Gray Hat Hacking the Ethical Hacker's
Çağatay Şanlı
5/5 (1)
Cybersecurity for Executives: A Guide to Protecting Your Business
From Everand
Cybersecurity for Executives: A Guide to Protecting Your Business
Matthew C. Smith
No ratings yet
The Linux Terminal for Advanced Users - The Command Line Made Easy: First Edition
From Everand
The Linux Terminal for Advanced Users - The Command Line Made Easy: First Edition
Michael Basler
No ratings yet
Software Patterns Made Easy
From Everand
Software Patterns Made Easy
Justice Nanhou
No ratings yet
Content Creation Revolution with chatGPT
From Everand
Content Creation Revolution with chatGPT
Maria Cowen
No ratings yet
Unlocking Statistics for the Social Sciences
From Everand
Unlocking Statistics for the Social Sciences
Norma Sinclair
No ratings yet
Conquering the Competition: Strategies for Standing Out in the Gaming Content Landscape
From Everand
Conquering the Competition: Strategies for Standing Out in the Gaming Content Landscape
Rian McCullen
No ratings yet
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
From Everand
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
Matthew C. Smith
No ratings yet
CAN Bus for Beginners: A Practical Guide to Automotive Networking
From Everand
CAN Bus for Beginners: A Practical Guide to Automotive Networking
Mohamad Charara
No ratings yet
Intrusion Detection Honeypots
From Everand
Intrusion Detection Honeypots
Chris Sanders
3/5 (2)
Blog Smarter, Not Harder: SEO, Blogging, and AI Strategies to Skyrocket Your Traffic
From Everand
Blog Smarter, Not Harder: SEO, Blogging, and AI Strategies to Skyrocket Your Traffic
Jay Nans
No ratings yet
ChatGPT for Business: Strategies for Success
From Everand
ChatGPT for Business: Strategies for Success
Matthew C. Smith
No ratings yet
A To Z of Internet: Everything You Wanted to Know
From Everand
A To Z of Internet: Everything You Wanted to Know
Bittu Kumar
No ratings yet