User Guide - ESET Magyarország...User Guide (intended for product version 4.2 and higher)...

User Guide (intended for product version 4.2 and higher) Microsoft® Windows® 7 / Vista / XP / 2000 / 2003 / 2008 ESET Smart Security 4


Contents

1. ESET Smart Security 4
1.1 What's new
1.2 System requirements
2. Installation
2.1 Typical installation
2.2 Custom installation
2.3 Using original settings
2.4 Entering Username and Password
2.5 On-demand computer scan
3. Beginner's guide
3.1 Introducing user interface design – modes
3.1.1 Checking operation of the system
3.1.2 What to do if the program doesn't work properly
3.2 Update setup
3.3 Trusted zone setup
3.4 Proxy server setup
3.5 Settings protection
4. Work with ESET Smart Security
4.1 Antivirus and antispyware protection
4.1.1 Real-time file system protection
4.1.1.1 Control setup
4.1.1.1.1 Media to scan
4.1.1.1.3 Advanced scan options
4.1.1.2 Cleaning levels
4.1.1.3 When to modify real-time protection configuration
4.1.1.4 Checking real-time protection
4.1.1.5 What to do if real-time protection does not work
4.1.2 Email client protection
4.1.2.1 POP3 checking
4.1.2.1.1 Compatibility
4.1.2.2 Integration with email clients
4.1.2.2.1 Appending tag messages to email body
4.1.2.3 Removing infiltrations
4.1.3 Web access protection
4.1.3.1 HTTP, HTTPs
4.1.3.1.1 Address management
4.1.3.1.2 Web browsers
4.1.4 On-demand computer scan
4.1.4.1 Type of scan
4.1.4.1.1 Smart scan
4.1.4.1.2 Custom scan
4.1.4.2 Scan targets
4.1.4.3 Scan profiles
4.1.5 Protocol filtering
4.1.5.1 SSL
4.1.5.1.1 Trusted certificates
4.1.5.1.2 Excluded certificates
4.1.6 ThreatSense engine parameters setup
4.1.6.1 Objects setup
4.1.6.2 Options
4.1.6.3 Cleaning
4.1.6.4 Extensions
4.1.6.5 Limits
4.1.6.6 Other
4.1.7 An infiltration is detected
4.2 Personal firewall
4.2.1 Filtering modes
4.2.2 Profiles
4.2.2.1 Profile management
4.2.3 Block all network traffic: disconnect network
4.2.4 Disable filtering: allow all traffic
4.2.5 Configuring and using rules
4.2.5.1 Creating a new rule
4.2.5.2 Editing rules
4.2.6 Configuring zones
4.2.6.1 Network authentication
4.2.6.1.1 Zone authentication - Client configuration
4.2.6.1.2 Zone authentication - Server configuration
4.2.7 Establishing connection – detection
4.2.8 Logging
4.3 Antispam protection
4.3.1 Self-learning Antispam
4.3.1.1 Adding addresses to whitelist and blacklist
4.3.1.2 Marking messages as spam
4.4 Updating the program
4.4.1 Update setup
4.4.1.1 Update profiles
4.4.1.2 Advanced update setup
4.4.1.2.1 Update mode
4.4.1.2.2 Proxy server
4.4.1.2.3 Connecting to the LAN
4.4.1.2.4 Creating update copies – Mirror
4.4.1.2.4.1 Updating from the Mirror
4.4.1.2.4.2 Troubleshooting Mirror update problems
4.4.2 How to create update tasks
4.5 Scheduler
4.5.1 Purpose of scheduling tasks
4.5.2 Creating new tasks
4.6 Quarantine
4.6.1 Quarantining files
4.6.2 Restoring from Quarantine
4.6.3 Submitting file from Quarantine
4.7 Log files
4.7.1 Log maintenance
4.8 User interface
4.8.1 Alerts and notifications
4.9 ThreatSense.Net
4.9.1 Suspicious files
4.9.2 Statistics
4.9.3 Submission
4.10 Remote administration
4.11 Licenses
5. Advanced user
5.2 Import and export settings
5.2.1 Import settings
5.2.2 Export settings
5.3 Command Line
5.4 ESET SysInspector
5.4.1 User Interface and application usage
5.4.1.1 Program Controls
5.4.1.2 Navigating in ESET SysInspector
5.4.1.3 Compare
5.4.1.4 SysInspector as part of ESET Smart Security 4
5.4.1.5 Service script
5.4.1.5.1 Generating Service scripts
5.4.1.5.2 Structure of the Service script
5.4.1.5.3 How to execute Service scripts
5.5 ESET SysRescue
5.5.1 Minimum requirements
5.5.2 How to create rescue CD
5.5.2.1 Folders
5.5.2.2 ESET Antivirus
5.5.2.3 Advanced
5.5.2.4 Bootable USB device
5.5.2.5 Burn
5.5.3 Working with ESET SysRescue
5.5.3.1 Using ESET SysRescue
6. Glossary
6.1 Types of infiltration
6.1.1 Viruses
6.1.2 Worms
6.1.3 Trojan horses
6.1.4 Rootkits
6.1.5 Adware
6.1.6 Spyware
6.1.7 Potentially unsafe applications
6.1.8 Potentially unwanted applications
6.2 Types of remote attacks
6.2.1 DoS attacks
6.2.2 DNS Poisoning
6.2.3 Worm attacks
6.2.4 Port scanning
6.2.5 TCP desynchronization
6.2.6 SMB Relay
6.2.7 ICMP attacks
6.3 Email
6.3.1 Advertisements
6.3.2 Hoaxes
6.3.3 Phishing
6.3.4 Recognizing spam scams
6.3.4.1 Rules
6.3.4.1 Bayesian filter
6.3.4.2 Whitelist
6.3.4.3 Blacklist
6.3.4.5 Server-side control

Copyright © 2010 by ESET, spol. s r.o.

ESET Smart Security 4 was developed by ESET, spol. s r.o. For more information visit www.eset.com. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author.

ESET, spol. s r.o. reserves the right to change any of the described application software without prior notice.

Customer Care Worldwide: www.eset.eu/support
Customer Care North America: www.eset.com/support

REV.20100225-015


1. ESET Smart Security 4

ESET Smart Security 4 is the first representative of a new approach to truly integrated computer security. It utilizes the speed and precision of ESET NOD32 Antivirus, which is guaranteed by the most recent version of the ThreatSense® scanning engine, combined with the tailor-made Personal firewall and Antispam modules. The result is an intelligent system that is constantly on alert for attacks and malicious software endangering your computer.

ESET Smart Security is not a clumsy conglomerate of various products in one package, as offered by other vendors. It is the result of a long-term effort to combine maximum protection with minimum system footprint. The advanced technologies, based on artificial intelligence, are capable of proactively eliminating infiltration by viruses, spyware, trojan horses, worms, adware, rootkits, and other Internet-borne attacks without hindering system performance or disrupting your computer.

1.1 What's new

The long-time development experience of our experts is demonstrated by the entirely new architecture of ESET Smart Security, which guarantees maximum detection with minimum system requirements. This robust security solution contains modules with several advanced options. The following list offers you a brief overview of these modules.

• Antivirus & antispyware

This module is built upon the ThreatSense® scanning engine, which was used for the first time in the award-winning NOD32 Antivirus system. ThreatSense® is optimized and improved with the new ESET Smart Security architecture.

Feature – Description

Improved Cleaning – The antivirus system now intelligently cleans and deletes most detected infiltrations without requiring user intervention.

Background Scanning Mode – Computer scanning can be launched in the background without slowing down performance.

Smaller Update Files – Core optimization processes keep the size of update files smaller than in version 2.7. Also, the protection of update files against damage has been improved.

Popular Email Client Protection – It is now possible to scan incoming email not only in Microsoft Outlook but also in Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.

Other Minor Improvements

– Direct access to file systems for high speed and throughput.

– Blocked access to infected files.

– Optimization for the Windows Security Center, including Vista.

• Personal firewall

The Personal firewall monitors all traffic between a protected computer and other computers in the network. ESET Personal firewall contains the advanced functions listed below.

Feature – Description

Profiles – Profiles are a tool to control the behavior of the ESET Smart Security Personal firewall. Multiple profiles, which can have different rules assigned to them, enable users to easily alter the behavior of the Personal firewall.

Zone authentication – Allows users to identify the network they connect to and define an action (e.g. switching the firewall profile and blocking communication to the zone) based on this information.

Low Layer Network Communication Scanning – Network communication scanning on the Data Link Layer enables ESET Personal firewall to overcome a variety of attacks that would otherwise be undetectable.

IPv6 Support – ESET Personal firewall displays IPv6 addresses and allows users to create rules for them.

Executable File Monitoring – Monitoring changes in executable files in order to overcome infection. It is possible to allow file modification of signed applications.

File Scanning Integrated with HTTP(s) and POP3(s) – Integrated file scanning of HTTP(s) and POP3(s) application protocols. Users are protected when browsing the Internet or downloading emails.

Intrusion Detection System – Ability to recognize the character of network communication and various types of network attacks with an option to automatically ban such communication.


Interactive, Policy-based, Learning, Automatic and Automatic mode with exceptions – Users can select whether the Personal firewall actions will be executed automatically or if they want to set rules interactively. Communication in Policy-based mode is handled according to rules predefined by the user or the network administrator. Learning mode automatically creates and saves rules and is suitable for initial configuration of the firewall.

Supersedes Integrated Windows Firewall – Supersedes the Integrated Windows Firewall and interacts with the Windows Security Center to monitor security status. ESET Smart Security installation turns off the Windows firewall by default.

• Antispam

ESET Antispam filters unsolicited email and therefore increases the security and comfort of electronic communication.

Feature – Description

Incoming Mail Scoring – All incoming mail is assigned a rating from 0 (a message is not spam) to 100 (a message is spam) and filtered accordingly into the Junk Mail folder or into a custom folder created by the user. Parallel scanning of incoming email is possible.

Supports a Variety of Scanning Techniques

– Bayes analysis.

– Rule-based scanning.

– Global fingerprint database check.

Full Integration with Email Clients – Antispam protection is available to users of Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird clients.

Manual Spam Selection is Available – Option to manually select or deselect email as spam.

• Others

Feature – Description

ESET SysRescue – ESET SysRescue enables the user to create a bootable CD/DVD/USB containing ESET Smart Security, which is capable of running independently of the operating system. It is best used to rid the system of hard-to-remove infiltrations.

ESET SysInspector – ESET SysInspector, an application that thoroughly inspects your computer, is now integrated directly in ESET Smart Security. If you contact our Customer Care Service using the Help and support > Customer Care support request (recommended) option, you can opt to include an ESET SysInspector status snapshot from your computer.

Document protection – The Document protection serves to scan Microsoft Office documents before they are opened and files downloaded automatically by Internet Explorer, such as Microsoft ActiveX elements.

Self Defense – The new Self Defense technology protects ESET Smart Security components against deactivation attempts.

User interface – The user interface is now capable of working in the non-graphical mode, which allows for keyboard control of ESET Smart Security. The increased compatibility with screen-reading applications lets sight-impaired people control the program more efficiently.

1.2 System requirements

For seamless operation of ESET Smart Security and ESET Smart Security Business Edition, your system should meet the following hardware and software requirements:

ESET Smart Security:

Windows 2000, XP – 400 MHz 32-bit / 64-bit (x86 / x64), 128 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)

Windows 7, Vista – 1 GHz 32-bit / 64-bit (x86 / x64), 512 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)

ESET Smart Security Business Edition:

Windows 2000, 2000 Server, XP, 2003 Server – 400 MHz 32-bit / 64-bit (x86 / x64), 128 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)

Windows 7, Vista, Windows Server 2008 – 1 GHz 32-bit / 64-bit (x86 / x64), 512 MB RAM of system memory, 130 MB available space, Super VGA (800 × 600)


2. Installation

After purchase, the ESET Smart Security installer can be downloaded from the ESET website. It comes as an ess_nt**_***.msi (ESET Smart Security) or essbe_nt**_***.msi (ESET Smart Security Business Edition) package. Launch the installer and the installation wizard will guide you through the basic setup. There are two types of installation available with different levels of setup details:

1. Typical installation

2. Custom installation

2.1 Typical installation

Typical installation provides configuration options appropriate for most users. The settings provide excellent security coupled with ease of use and high system performance. Typical installation is the default option and is recommended if you do not have particular requirements for specific settings.

After selecting the installation mode and clicking Next, you will be prompted to enter your username and password for automatic updates of the program. This plays a significant role in providing constant protection of your system.

Enter your Username and Password, i.e., the authentication data you received after the purchase or registration of the product, into the corresponding fields. If you do not currently have your username and password available, authentication data can be inserted at any time later on, from within the user interface.

The next step is configuration of the ThreatSense.Net Early Warning System. The ThreatSense.Net Early Warning System helps ensure that ESET is immediately and continuously informed about new infiltrations in order to quickly protect its customers. The system allows for submission of new threats to ESET's Threat Lab, where they are analyzed, processed and added to the virus signature database.

By default, the Enable ThreatSense.Net Early Warning System option is selected, which will activate this feature. Click Advanced setup... to modify detailed settings for the submission of suspicious files.

The next step in the installation process is to configure Detection of potentially unwanted applications. Potentially unwanted applications are not necessarily malicious, but can often negatively affect the behavior of your operating system.

These applications are often bundled with other programs and may be difficult to notice during the installation process. Although these applications usually display a notification during installation, they can easily be installed without your consent.

Select the Enable detection of potentially unwanted applications option to allow ESET Smart Security to detect this type of threat (recommended).

The final step in Typical installation mode is to confirm installation by clicking the Install button.


2.2 Custom installation

Custom installation is designed for users who have experience fine-tuning programs and who wish to modify advanced settings during installation.

After selecting the installation mode and clicking Next, you will be prompted to select a destination location for the installation. By default, the program installs in C:\Program Files\ESET\ESET Smart Security\. Click Browse… to change this location (not recommended).

Next, enter your Username and Password. This step is the same as in Typical installation (see section 2.1, “Typical installation”).

After entering your username and password, click Next to proceed to Configure your Internet connection.

If you use a proxy server, it must be correctly configured for virus signature updates to work correctly. If you do not know whether you use a proxy server to connect to the Internet, leave the default setting I am unsure if my Internet connection uses a proxy server. Use the same settings as Internet Explorer (Recommended) and click Next. If you do not use a proxy server, select the I do not use a proxy server option.

To configure your proxy server settings, select I use a proxy server and click Next. Enter the IP address or URL of your proxy server in the Address field. In the Port field, specify the port where the proxy server accepts connections (3128 by default). In the event that the proxy server requires authentication, enter a valid Username and Password to grant access to the proxy server. Proxy server settings can also be copied from Internet Explorer if desired. To do this, click Apply and confirm the selection.


Click Next to proceed to Configure automatic update settings. This step allows you to designate how automatic program component updates will be handled on your system. Click Change... to access the advanced settings.

If you do not want program components to be updated, select the Never update program components option. Select the Ask before downloading program components option to display a confirmation window before downloading program components. To download program component upgrades automatically, select the Always update program components option.

NOTE: After a program component update, a restart is usually required. We recommend selecting the If necessary, restart computer without notifying option.

The next installation window is the option to set a password to protect your program settings. Select the Protect configuration settings with a password option and choose a password to enter in the New password and Confirm new password fields.

The next two Custom installation steps, ThreatSense.Net Early Warning System and Detection of potentially unwanted applications, are the same as Typical installation (see section 2.1, “Typical installation”).

The final step in Custom installation is to select the Personal firewall filtering mode. Five modes are available:

• Automatic mode

• Automatic mode with exceptions (user-defined rules)

• Interactive mode

• Learning mode

• Policy-based mode

Automatic mode – Recommended for most users. All standard outgoing connections are enabled (automatically analyzed using predefined settings) and unsolicited incoming connections are automatically blocked.

Automatic mode with exceptions (user-defined rules) – In addition to the rules in Automatic mode, this mode enables you to add custom rules.

Interactive mode – This mode is suitable for advanced users. Communications are handled by user-defined rules. If there is no rule defined for a communication, ESET Smart Security prompts you to allow or deny the communication.

Policy-based mode – Evaluates communications based on predefined rules created by an administrator. If no rule is available, the connection is automatically blocked without a warning message. We recommend that you only select Policy-based mode if you are an administrator who intends to configure network communication.

Learning mode – Automatically creates and saves rules. No user interaction is required because ESET Smart Security saves rules according to predefined parameters. Learning mode is suitable for initial configuration of the Personal firewall and should only be used until all rules for required communications have been created.
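The five filtering modes differ mainly in what happens to a connection that no rule covers. The following Python model is an added example, not ESET code: the Conn and Rule types, the decide function and the sample connections are hypothetical, every outgoing connection is treated as "standard" and every incoming one as "unsolicited", and Learning mode is assumed to save an allow rule for whatever it observes.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "Automatic mode"
    AUTOMATIC_EXCEPTIONS = "Automatic mode with exceptions"
    INTERACTIVE = "Interactive mode"
    POLICY_BASED = "Policy-based mode"
    LEARNING = "Learning mode"


@dataclass(frozen=True)
class Conn:
    app: str          # executable that owns the connection (constructed names)
    direction: str    # "in" or "out"
    port: int         # remote port for "out", local port for "in"


@dataclass(frozen=True)
class Rule:
    app: str
    direction: str
    port: int
    action: str       # "allow" or "block"

    def matches(self, conn):
        return (self.app, self.direction, self.port) == (
            conn.app, conn.direction, conn.port)


def automatic_default(conn):
    """Automatic behaviour: outgoing enabled, unsolicited incoming blocked."""
    if conn.direction == "out":
        return "allow", "automatic: outgoing"
    return "block", "automatic: unsolicited incoming"


def decide(mode, conn, rules, ask=None):
    """Return (action, reason). Only Learning mode appends to `rules`."""
    if mode is Mode.AUTOMATIC:
        # Assumption of this model: plain Automatic mode ignores custom rules.
        return automatic_default(conn)

    for rule in rules:
        if rule.matches(conn):
            return rule.action, "matched rule"

    # No rule covers the connection: this is where the modes diverge.
    if mode is Mode.AUTOMATIC_EXCEPTIONS:
        return automatic_default(conn)
    if mode is Mode.INTERACTIVE:
        if ask is None:
            raise ValueError("Interactive mode needs a prompt callback")
        return ask(conn), "user prompt"
    if mode is Mode.POLICY_BASED:
        return "block", "no rule: blocked without warning"
    if mode is Mode.LEARNING:
        rules.append(Rule(conn.app, conn.direction, conn.port, "allow"))
        return "allow", "no rule: rule created and saved"
    raise ValueError(mode)


def compare_modes(conn, rules):
    """Decision of every mode for one connection; the user answers 'block'."""
    result = {}
    for mode in Mode:
        action, _ = decide(mode, conn, list(rules), ask=lambda c: "block")
        result[mode.name] = action
    return result


def learning_leaves_rules_behind():
    """Policy-based verdict before and after a Learning-mode session."""
    rules = []
    unknown = Conn("tool.exe", "out", 8080)           # constructed sample
    before = decide(Mode.POLICY_BASED, unknown, rules)[0]
    decide(Mode.LEARNING, unknown, rules)             # seen once while learning
    after = decide(Mode.POLICY_BASED, unknown, rules)[0]
    return before, after, len(rules)


# Constructed sample rule set: one administrator-defined allow rule.
SAMPLE_RULES = [Rule("mail.exe", "out", 110, "allow")]

if __name__ == "__main__":
    for c in (Conn("browser.exe", "out", 443), Conn("svc.exe", "in", 445)):
        print(c, compare_modes(c, SAMPLE_RULES))
    print(learning_leaves_rules_behind())
```

The second function shows why Learning mode is meant only for initial configuration: a rule saved while learning keeps permitting that traffic after the firewall is switched to a stricter mode, so the learned rule set should be reviewed before leaving it.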

Click Install in the Ready to install window to complete installation.

2.3 Using original settings

If you reinstall ESET Smart Security, the Use current settings option will display. Select this option to transfer setup parameters from the original installation to the new one.

2.4 Entering Username and Password

For optimal functionality, it is important that the program is automatically updated. This is only possible if the correct username and password are entered in the Update setup.

If you did not enter your username and password during installation, you can now. From the main program window, click Update and then click Username and Password setup.... Enter the license data you received with your ESET security product into the License details window.

2.5 On-demand computer scan

After installing ESET Smart Security, a computer scan for malicious code should be performed. From the main program window, click Computer scan and then click Smart scan. For more information about On-demand computer scan, see section 4.1.4, “On-demand computer scan”.


3. Beginner's guide

This chapter provides an initial overview of ESET Smart Security and its basic settings.

3.1 Introducing user interface design – modes

The main program window of ESET Smart Security is divided into two main sections. The primary window on the right displays information that corresponds to the option selected from the main menu on the left.

The following is a description of options within the main menu:

Protection status – Provides information about the protection status of ESET Smart Security. If Advanced mode is activated, the Watch activity, Network connections and Statistics submenus will display.

Computer scan – Allows you to configure and launch an On-demand computer scan.

Update – Displays information about updates to the virus signature database.

Setup – Select this option to adjust your computer's security level. If Advanced mode is activated, the Antivirus and antispyware, Personal firewall, and Antispam module submenus will display.

Tools – Provides access to Log files, Quarantine, Scheduler and SysInspector. This option only displays in Advanced mode.

Help and support – Provides access to help files, the ESET Knowledgebase, ESET's website and links to open a Customer Care support request.

The ESET Smart Security user interface allows users to toggle between Standard and Advanced mode. To toggle between modes, click Change... in the bottom left corner of the main program window, or press CTRL + M on your keyboard.

Standard mode provides access to features required for common operations. It does not display any advanced options.

Toggling to Advanced mode adds the Tools option to the main menu. The Tools option allows you to access the submenus for Log files, Quarantine, Scheduler and SysInspector.

NOTE: All remaining instructions in this guide take place in Advanced mode.

3.1.1 Checking operation of the system

To view the Protection status, click the top option from the main menu. A status summary about the operation of ESET Smart Security will display in the primary window, and a submenu with three items will appear: Watch Activity, Network Connections and Statistics. Select any of these to view more detailed information about your system.

3.1.2 What to do if the program doesn't work properly

If the protection modules are enabled and working properly, a green check mark will display next to the name. If not, a red exclamation point or orange notification icon will display, and additional information about the module with a suggested solution will display in the upper part of the window. To change the status of individual modules, click Setup from the main menu and click the desired module.


If you are unable to solve a problem using the suggested solutions, click Help and support to access the help files or search the Knowledgebase. If you still need assistance, you can submit an ESET Customer Care support request. ESET Customer Care will respond quickly to your questions and help determine a resolution.

3.2 Update setup

Updating the virus signature database and updating program components are an important part of providing complete protection against malicious code. Please pay attention to their configuration and operation. From the main menu, select Update and then click Update virus signature database in the primary window to check for a newer database update. Username and Password setup... displays a dialog box where the username and password received at the time of purchase should be entered.

If the username and password were entered during installation of ESET Smart Security, you will not be prompted for them at this point.

The Advanced Setup window (click Setup from the main menu and then click Enter entire advanced setup tree..., or press F5 on your keyboard) contains additional update options. Click Update from the Advanced Setup tree. The Update server: drop-down menu should be set to Choose automatically. To configure advanced update options such as the update mode, proxy server access, LAN connections and creating virus signature copies (ESET Smart Security Business Edition), click the Setup... button.

3.3 Trusted zone setup

Trusted zone configuration is necessary to protect your computer in a network environment. You can allow other users to access your computer by configuring the Trusted zone to allow sharing. Click Setup > Personal firewall > Change the protection mode of your computer in the network.... A window will display allowing you to choose the desired protection mode of your computer in the network.

Trusted zone detection occurs after ESET Smart Security installation and whenever your computer connects to a new network. Therefore, there is usually no need to define the Trusted zone. By default, a dialog window displays upon detection of a new zone which allows you to set the protection level for that zone.


Warning: An incorrect trusted zone configuration may pose a security risk to your computer.

NOTE: By default, workstations from a Trusted zone are granted access to shared files and printers, have incoming RPC communication enabled, and also have remote desktop sharing available.

3.4 Proxy server setup

If you use a proxy server to control Internet connections, it must be specified in Advanced Setup. To access the Proxy server configuration window, press F5 to open the Advanced Setup window and click Miscellaneous > Proxy server from the Advanced Setup tree. Select the Use proxy server option, and then fill in the Proxy server (IP address) and Port fields. If needed, select the Proxy server requires authentication option and then enter the Username and Password.

If this information is not available, you can try to automatically detect proxy server settings by clicking the Detect proxy server button.

NOTE: Proxy server options for various update profiles may differ. If this is the case, configure the different update profiles in Advanced Setup by clicking Update from the Advanced Setup tree.

3.5 Settings protection

ESET Smart Security settings can be very important for your organization’s security. Unauthorized modifications can endanger network stability and protection. To password protect the settings, from the main menu click Setup > Enter entire advanced setup tree... > User interface > Access setup, select the Password protect settings option and click the Set password... button.

Enter a password in the New password and Confirm new password fields and click OK. This password will be required for any future modifications to ESET Smart Security settings.


4. Work with ESET Smart Security

4.1 Antivirus and antispyware protection

Antivirus protection guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by first blocking it, and then cleaning, deleting or moving it to quarantine.

4.1.1 Real‑time file system protection

Real‑time file system protection controls all antivirus‑related events in the system. All files are scanned for malicious code at the moment they are opened, created or run on your computer. Real‑time file system protection is launched at system startup.

4.1.1.1 Control setup

The Real‑time file system protection checks all types of media, and control is triggered by various events. Using ThreatSense technology detection methods (as described in section 4.1.6, “ThreatSense engine parameter setup”), real‑time file system protection may vary for newly created files and existing files. For newly created files, it is possible to apply a deeper level of control.

To provide the minimum system footprint when using real‑time protection, files which have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each virus signature database update. This behavior is configured using Smart optimization. If this is disabled, all files are scanned each time they are accessed. To modify this option, open the Advanced Setup window and click Antivirus and antispyware > Real‑time file system protection from the Advanced Setup tree. Then click the Setup... button next to ThreatSense engine parameter setup, click Other and select or deselect the Enable Smart optimization option.

By default, Real‑time protection launches at system startup and provides uninterrupted scanning. In special cases (e.g., if there is a conflict with another Real‑time scanner), the real‑time protection can be terminated by deselecting the Start Real‑time file system protection automatically option.

4.1.1.1.1 Media to scan

By default, all types of media are scanned for potential threats.

Local drives – Controls all system hard drives

Removable media – Diskettes, USB storage devices, etc.

Network drives – Scans all mapped drives

We recommend that you keep the default settings and only modify them in specific cases, such as when scanning certain media significantly slows data transfers.

4.1.1.1.2 Scan on (Event‑triggered scanning)

By default, all files are scanned upon opening, creation or execution. We recommend that you keep the default settings, as these provide the maximum level of real‑time protection for your computer.

The Diskette access option provides control of the diskette boot sector when this drive is accessed. The Computer shutdown option provides control of the hard disk boot sectors during computer shutdown. Although boot viruses are rare today, we recommend that you leave these options enabled, as there is still the possibility of infection by a boot virus from alternate sources.

4.1.1.1.3 Advanced scan options

More detailed setup options can be found under Antivirus and antispyware > Real‑time system protection > Advanced setup.

Additional ThreatSense parameters for newly created and modified files – The probability of infection in newly‑created or modified files is comparatively higher than in existing files. That is why the program checks these files with additional scanning parameters. Along with common signature‑based scanning methods, advanced heuristics are used, which greatly improves detection rates. In addition to newly‑created files, scanning is also performed on self‑extracting files (.sfx) and runtime packers (internally compressed executable files). By default, archives are scanned up to the 10th nesting level and are checked regardless of their actual size. To modify archive scan settings, deselect the Default archive scan settings option.

Additional ThreatSense parameters for executed files – By default, advanced heuristics are not used when files are executed. However, in some cases you may want to enable this option (by checking the Advanced heuristics on file execution option). Note that advanced heuristics may slow the execution of some programs due to increased system requirements.

4.1.1.2 Cleaning levels

The real‑time protection has three cleaning levels (to access, click the Setup... button in the Real‑time file system protection section and then click the Cleaning branch).

• The first level displays an alert window with available options for each infiltration found. You must choose an action for each infiltration individually. This level is designed for more advanced users who know which steps to take in the event of an infiltration.

• The default level automatically chooses and performs a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by an information message located in the bottom right corner of the screen. However, an automatic action is not performed if the infiltration is located within an archive which also contains clean files, and it is not performed on objects for which there is no predefined action.

• The third level is the most “aggressive” – all infected objects are cleaned. As this level could potentially result in the loss of valid files, we recommend that it be used only in specific situations.


4.1.1.3 When to modify real‑time protection configuration

Real‑time protection is the most essential component of maintaining a secure system. Therefore, please be careful when modifying its parameters. We recommend that you only modify its parameters in specific cases, for example, if there is a conflict with a certain application or the real‑time scanner of another antivirus program.

After installation of ESET Smart Security, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottom‑right of the Real‑time file system protection window (Advanced Setup > Antivirus and antispyware > Real‑time file system protection).

4.1.1.4 Checking real‑time protection

To verify that real‑time protection is working and detecting viruses, use a test file from eicar.com. This test file is a special harmless file detectable by all antivirus programs. The file was created by the EICAR company (European Institute for Computer Antivirus Research) to test the functionality of antivirus programs. The file eicar.com is available for download at http://www.eicar.org/download/eicar.com

NOTE: Before performing a real‑time protection check, it is necessary to disable the firewall. If the firewall is enabled, it will detect the file and prevent test files from downloading.

4.1.1.5 What to do if real‑time protection does not work

In the next chapter, we describe problem situations that may arise when using real‑time protection, and how to troubleshoot them.

Real‑time protection is disabled

If real‑time protection was inadvertently disabled by a user, it needs to be reactivated. To reactivate real‑time protection, navigate to Setup > Antivirus and antispyware and click Enable in the Real‑time file system protection section of the main program window.

If real‑time protection is not initiated at system startup, it is probably due to the disabled option Automatic real‑time file system protection startup. To enable this option, navigate to Advanced Setup (F5) and click Real‑time file system protection in the Advanced Setup tree. In the Advanced setup section at the bottom of the window, make sure that the Automatic real‑time file system protection startup checkbox is selected.

If Real‑time protection does not detect and clean infiltrations

Make sure that no other antivirus programs are installed on your computer. If two real‑time protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs on your system.

Real‑time protection does not start

If real‑time protection is not initiated at system startup (and the Automatic real‑time file system protection startup option is enabled), it may be due to conflicts with other programs. If this is the case, please consult ESET's Customer Care specialists.

4.1.2 Email client protection

Email protection provides control of email communication received through the POP3 protocol. Using the plug‑in program for Microsoft Outlook, ESET Smart Security provides control of all communications from the email client (POP3, MAPI, IMAP, HTTP). When examining incoming messages, the program uses all advanced scanning methods provided by the ThreatSense scanning engine. This means that detection of malicious programs takes place even before being matched against the virus signature database. Scanning of POP3 protocol communications is independent of the email client used.

4.1.2.1 POP3 checking

The POP3 protocol is the most widespread protocol used to receive email communication in an email client application. ESET Smart Security provides protection for this protocol regardless of the email client used.

The protection module providing this control is automatically initiated at system startup and is then active in memory. For the module to work correctly, please make sure it is enabled – POP3 checking is performed automatically with no need for reconfiguration of the email client. By default, all communication on port 110 is scanned, but other communication ports can be added if necessary. Port numbers must be delimited by a comma.

Encrypted communication is not controlled.


4.1.2.1.1 Compatibility

Certain email programs may experience problems with POP3 filtering (e.g., if receiving messages with a slow Internet connection, timeouts may occur due to checking). If this is the case, try modifying the way control is performed. Decreasing the control level may improve the speed of the cleaning process. To adjust the control level of POP3 filtering, from the Advanced Setup tree, navigate to Antivirus and antispyware > Email protection > POP3, POP3s > Compatibility.

If Maximum efficiency is enabled, infiltrations are removed from infected messages and information about the infiltration is inserted before the original email subject (the options Delete or Clean must be activated, or Strict or Default cleaning level must be enabled).

Medium compatibility modifies the way messages are received. Messages are gradually sent to the email client – after the last part of the message is transferred, it will be scanned for infiltrations. However, the risk of infection increases with this level of control. The level of cleaning and the handling of tag messages (notification alerts which are appended to the subject line and body of emails) is identical to the maximum efficiency setting.

With the Maximum compatibility level, you are warned by an alert window which reports the receipt of an infected message. No information about infected files is added to the subject line or to the email body of delivered messages and infiltrations are not automatically removed – you must delete infiltrations from the email client.

4.1.2.2 Integration with email clients

Integration of ESET Smart Security with email clients increases the level of active protection against malicious code in email messages. If your email client is supported, this integration can be enabled in ESET Smart Security. If integration is activated, the ESET Smart Security Antispam toolbar is inserted directly into the email client, allowing for more efficient email protection. The integration settings are available through Setup > Enter entire advanced setup tree… > Miscellaneous > Email client integration. Email client integration allows you to activate integration with supported email clients. Email clients that are currently supported include Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.

Select the Disable checking upon inbox content change option if you are experiencing a system slowdown when working with your email client. Such a situation may take place when downloading email from Kerio Outlook Connector Store.

Email protection is activated by clicking Setup > Enter entire advanced setup tree… > Antivirus and antispyware > Email client protection and selecting the Enable email client protection option.

4.1.2.2.1 Appending tag messages to email body

Each email scanned by ESET Smart Security can be marked by appending a tag message to the subject or email body. This feature increases the level of credibility for the recipient and if an infiltration is detected, it provides valuable information about the threat level of a given email or sender.

The options for this functionality are available through Advanced setup > Antivirus and antispyware > Email client protection. You can select to Append tag messages to received and read mail, as well as Append tag messages to sent mail. You also have the ability to decide whether tag messages are appended to all scanned email, to infected email only, or not at all.

ESET Smart Security also allows you to append messages to the original subject of infected messages. To enable appending to the subject, select both the Append note to the subject of received and read infected email and Append note to the subject of sent infected email options.

The content of notifications can be modified in the Template added to the subject of infected email field. The above‑mentioned modifications can help automate the process of filtering infected email, as it allows you to filter email with a specific subject (if supported in your email client) to a separate folder.

4.1.2.3 Removing infiltrations

If an infected email message is received, an alert window will display. The alert window shows the sender name, email and the name of the infiltration. In the lower part of the window the options Clean, Delete or Leave are available for the detected object. In almost all cases, we recommend that you select either Clean or Delete. In certain situations, if you wish to receive the infected file, select Leave. If Strict cleaning is enabled, an information window with no options available for infected objects will be displayed.


4.1.3 Web access protection

Internet connectivity is a standard feature in a personal computer. Unfortunately, it has also become the main medium for transferring malicious code. Because of this, it is essential that you carefully consider your Web access protection. We strongly recommend that the Enable web access protection option is selected. This option is located in Advanced Setup (F5) > Antivirus and antispyware > Web access protection.

4.1.3.1 HTTP, HTTPs

Web access protection works by monitoring communication between Internet browsers and remote servers, and complies with HTTP (Hypertext Transfer Protocol) and HTTPs (encrypted communication) rules. By default, ESET Smart Security is configured to use the standards of most Internet browsers. However, the HTTP scanner setup options can be modified in Advanced Setup (F5) > Antivirus and antispyware > Web access protection > HTTP, HTTPs. In the main HTTP filter window, you can select or deselect the Enable HTTP checking option. You can also define the port numbers used for HTTP communication. By default, the port numbers 80, 8080 and 3128 are predefined. HTTPs checking can be performed in the following modes:

Do not use HTTPs protocol checking – Encrypted communication will not be checked

Use HTTPs protocol checking for selected ports – HTTPs checking only for ports defined in Ports used by HTTPs protocol

Use HTTPs protocol checking for applications marked as Internet browsers that use selected ports – Only check applications that are specified in the browsers section and use ports defined in Ports used by HTTPs protocol.

4.1.3.1.1 Address management

This section enables you to specify HTTP addresses to block, allow or exclude from checking. The buttons Add, Edit, Remove and Export are used to manage the lists of addresses. Websites in the list of blocked addresses will not be accessible. Websites in the list of excluded addresses are accessed without being scanned for malicious code. If you select the Allow access only to HTTP addresses in the list of allowed addresses option, only addresses present in the list of allowed addresses will be accessible, while all other HTTP addresses will be blocked.

In all lists, the special symbols * (asterisk) and ? (question mark) can be used. The asterisk substitutes any character string, and the question mark substitutes any symbol. Particular care should be taken when specifying excluded addresses, because the list should only contain trusted and safe addresses. Similarly, it is necessary to ensure that the symbols * and ? are used correctly in this list. To activate a list, select the List active option. If you wish to be notified when entering an address from the current list, select the Notify when applying address from the list option.
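The following added example (not ESET code, and not the product's matching engine) applies the * and ? semantics described above to audit a list of excluded addresses before it is entered. It assumes masks are matched against the whole address, without the scheme and without regard to case; the function names, masks and addresses are constructed for illustration.

```python
import re


def mask_to_regex(mask):
    """Translate a list mask into a regex: '*' = any string, '?' = any one symbol."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            # Every other character is literal, including '.', '[' and ']'.
            parts.append(re.escape(ch))
    # Assumption: the mask must cover the whole address, compared case-insensitively.
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def matches(mask, address):
    """True if the address is covered by the mask."""
    return mask_to_regex(mask).match(address) is not None


def audit_exclusions(masks, trusted, untrusted):
    """For each exclusion mask, list the trusted addresses it covers and the
    untrusted addresses that would also bypass scanning because of it."""
    report = {}
    for mask in masks:
        report[mask] = {
            "covers": [a for a in trusted if matches(mask, a)],
            "overbroad": [a for a in untrusted if matches(mask, a)],
        }
    return report


# Constructed sample data (reserved example/test domains, no real sites).
TRUSTED = [
    "updates.example.com/pkg/tool.msi",
    "intranet.example.com/wiki",
]
UNTRUSTED = [
    "example.com.downloads.test/tool.msi",   # trusted name used as a prefix
    "files.test/?ref=updates.example.com",   # trusted name inside a query string
    "updates-example.com/pkg/tool.msi",      # one symbol away from the trusted host
]
MASKS = [
    "*example.com*",          # wildcards on both sides: matches almost anything
    "updates?example.com/*",  # '?' also matches '-', not only '.'
    "updates.example.com/*",  # one host, any path
    "*.example.com/*",        # any subdomain, any path
]

if __name__ == "__main__":
    for mask, result in audit_exclusions(MASKS, TRUSTED, UNTRUSTED).items():
        status = "TOO BROAD" if result["overbroad"] else "ok"
        print(f"{mask:24} {status:10} covers={len(result['covers'])} "
              f"unexpected={result['overbroad']}")
```

A mask that reports unexpected matches should be tightened before it goes into the excluded list, since every address it covers is fetched without scanning.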

4.1.3.1.2 Web browsers

ESET Smart Security also contains the Web browsers feature, which allows you to define whether the given application is a browser or not. If an application is marked as a browser, all communication from this application is monitored regardless of the port numbers involved.

The Web browsers feature complements the HTTP checking feature, as HTTP checking only takes place on predefined ports. However, many Internet services utilize changing or unknown port numbers. To account for this, the Web browser feature can establish control of port communications regardless of the connection parameters.

The list of applications marked as web browsers is accessible directly from the Web browsers submenu of the HTTP branch. This section also contains the Active mode submenu, which defines the checking mode for Internet browsers.

Active mode is useful because it examines transferred data as a whole. If it is not enabled, communication of applications is monitored gradually in batches. This decreases the effectiveness of the data verification process, but also provides higher compatibility for listed applications. If no problems occur while using it, we recommend that you enable active checking mode by selecting the checkbox next to the desired application.

4.1.4 On‑demand computer scan

If you suspect that your computer is infected (it behaves abnormally), run an On‑demand computer scan to examine your computer for infiltrations. From a security point of view, it is essential that computer scans are not just run when an infection is suspected, but regularly as part of routine security measures. Regular scanning can detect infiltrations that were not detected by the real‑time scanner when they were saved to the disk. This can happen if the real‑time scanner was disabled at the time of infection, or if the virus signature database is not up‑to‑date.

We recommend that you run an On‑demand computer scan at least once a month. Scanning can be configured as a scheduled task from Tools > Scheduler.

4.1.4.1 Type of scan

Two types of On‑demand computer scan are available. Smart scan quickly scans the system with no need for further configuration of the scan parameters. Custom scan… allows you to select any of the predefined scan profiles, as well as choose specific scan targets.

4.1.4.1.1 Smart scan

Smart scan allows you to quickly launch a computer scan and clean infected files with no need for user intervention. Its main advantages are easy operation with no detailed scanning configuration. Smart scan checks all files on local drives and automatically cleans or deletes detected infiltrations. The cleaning level is automatically set to the default value. For more detailed information on types of cleaning, see section 4.1.6.3, “Cleaning”.

4.1.4.1.2 Custom scan

Custom scan is an optimal solution if you wish to specify scanning parameters such as scan targets and scanning methods. The advantage of Custom scan is the ability to configure the parameters in detail. The configurations can be saved to user‑defined scan profiles, which can be useful if scanning is repeatedly performed with the same parameters.

To select scan targets, select Computer scan > Custom scan and select an option from the Scan targets drop‑down menu or select specific targets from the tree structure. A scan target can also be more precisely specified by entering the path to the folder or file(s) you wish to include. If you are only interested in scanning the system without additional cleaning actions, select the Scan without cleaning option. Furthermore, you can choose from three cleaning levels by clicking Setup... > Cleaning.

Performing computer scans with Custom scan is suitable for advanced users with previous experience using antivirus programs.

4.1.4.2 Scan targets

The Scan targets drop‑down menu allows you to select files, folders and devices (disks) to be scanned for viruses.

By profile settings – Selects targets set in the selected scan profile

Removable media – Selects diskettes, USB storage devices, CD/DVD

Local drives – Selects all system hard drives

Network drives – Selects all mapped drives

No selection – Cancels all selections

4.1.4.3 Scan profiles

Your preferred scan parameters can be saved for future scanning. We recommend that you create a different profile (with various scan targets, scan methods and other parameters) for each regularly used scan.

To create a new profile, open the Advanced Setup window (F5) and click On‑demand computer scan > Profiles... The Configuration profiles window has a drop‑down menu of existing scan profiles and the option to create a new one. To help you create a scan profile to fit your needs, see section 4.1.6, “ThreatSense engine parameters setup” for a description of each parameter of the scan setup.

Example: Suppose that you want to create your own scan profile and the Smart scan configuration is partially suitable, but you don’t want to scan runtime packers or potentially unsafe applications and you also want to apply Strict cleaning. From the Configuration profiles window, click the Add... button. Enter the name of your new profile in the Profile name field, and select Smart scan from the Copy settings from profile: drop‑down menu. Then adjust the remaining parameters to meet your requirements.

4.1.5 Protocol filtering

Antivirus protection for the application protocols POP3 and HTTP is provided by the ThreatSense scanning engine, which seamlessly integrates all advanced malware scanning techniques. The control works automatically regardless of the Internet browser or email client used. The following options are available for protocol filtering (if the Enable application protocol content filtering option is selected):

HTTP and POP3 ports – Limits scanning of communication to known HTTP and POP3 ports.

Applications marked as Internet browsers and email clients – Enable this option to only filter communication of applications marked as browsers (Web access protection > HTTP, HTTPS > Web browsers) and email clients (Email client protection > POP3, POP3s > Email clients).

Ports and applications marked as Internet browsers or email clients – Both ports and browsers are checked for malware

NOTE: Starting with Windows Vista Service Pack 1 and Windows Server 2008, a new communication filtering method is used. As a result, the Protocol filtering section is not available.

4.1.5.1 SSL

ESET Smart Security enables you to check protocols encapsulated in SSL protocol. You can use various scanning modes for SSL protected communications using trusted certificates, unknown certificates, or certificates that are excluded from SSL‑protected communication checking.

Always scan SSL protocol – Select this option to scan all SSL protected communications except communications protected by certificates excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified about the fact and the communication will automatically be filtered. When you access a server with an untrusted certificate that is marked by you as trusted (it is added to the trusted certificates list), communication to the server is allowed and the content of the communication channel is filtered.

Ask about non‑visited sites (exclusions can be set) – If you enter a new SSL protected site (with an unknown certificate), an action selection dialog is displayed. This mode enables you to create a list of SSL certificates that will be excluded from scanning.

Do not scan SSL protocol – If selected, the program will not scan communications over SSL.

If the certificate cannot be verified using the Trusted Root Certification Authorities store (protocol filtering > SSL > Certificates):

Ask about certificate validity – Prompts you to select an action to take.

Block communication that uses the certificate – Terminates connection to the site that uses the certificate.

If the certificate is invalid or corrupt (protocol filtering > SSL > Certificates):

Ask about certificate validity – Prompts you to select an action to take.

Block communication that uses the certificate – Terminates connection to the site that uses the certificate.

4.1.5.1.1 Trusted certificates

In addition to the integrated Trusted Root Certification Authorities store, where ESET Smart Security stores trusted certificates, you can create a custom list of trusted certificates that can be viewed in Advanced Setup (F5) > Protocol filtering > SSL > Certificates > Trusted certificates.

4.1.5.1.2 Excluded certificates

The Excluded certificates section contains certificates that are considered to be safe. The program will not check the content of encrypted communications which use certificates in this list. We recommend installing only those web certificates which are guaranteed to be safe and have no need for content filtering.

4.1.6 ThreatSense engine parameters setup

ThreatSense is the name of the technology consisting of complex threat detection methods. This technology is proactive, which means it also provides protection during the early hours of the spread of a new threat. It uses a combination of several methods (code analysis, code emulation, generic signatures, virus signatures) which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing the efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.

The ThreatSense technology setup options allow you to specify several scan parameters:

• File types and extensions that are to be scanned

• The combination of various detection methods

• Levels of cleaning, etc.

To enter the setup window, click the Setup... button located in any module's setup window which uses ThreatSense technology (see below). Different security scenarios could require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:

• Real‑time file system protection

• System startup file check

• Email protection

• Web access protection

• On‑demand computer scan

The ThreatSense parameters are highly optimized for each module, and their modification can significantly influence system operation. For example, changing parameters to always scan runtime packers, or enabling advanced heuristics in the real‑time file system protection module could result in a system slow‑down (normally, only newly‑created files are scanned using these methods). Therefore, we recommend that you leave the default ThreatSense parameters unchanged for all modules except On‑demand computer scan.


4.1.6.1 Objects setup

The Objects section allows you to define which computer components and files will be scanned for infiltrations.

Operating memory – Scans for threats that attack the operating memory of the system.

Boot sectors – Scans boot sectors for the presence of viruses in the master boot record.

Files – Provides scanning of all common file types (programs, pictures, audio, video files, database files, etc.).

Email files – Scans special files where email messages are contained.

Archives – Provides scanning of files compressed in archives (.rar, .zip, .arj, .tar, etc.).

Self‑extracting archives – Scans files which are contained in self‑extracting archive files, but typically presented with an .exe file extension

Runtime packers – Runtime packers (unlike standard archive types) decompress in memory, in addition to standard static packers (UPX, yoda, ASPack, FGS, etc.).

4.1.6.2 Options

In the Options section, you can select the methods to be used when scanning the system for infiltrations. The following options are available:

Signatures – Signatures can exactly and reliably detect and identify infiltrations by their name using virus signatures.

Heuristics – Heuristics use an algorithm that analyses the (malicious) activity of programs. The main advantage of heuristic detection is the ability to detect new malicious software which did not previously exist, or was not included in the list of known viruses (virus signatures database).

Advanced heuristics – Advanced heuristics comprise a unique heuristic algorithm, developed by ESET, optimized for detecting computer worms and trojan horses written in high‑level programming languages. Due to advanced heuristics, the detection intelligence of the program is significantly higher.

Adware/Spyware/Riskware – This category includes software which collects various sensitive information about users without their informed consent. This category also includes software which displays advertising material.

Potentially unwanted applications – Potentially unwanted applications are not necessarily intended to be malicious, but may affect the performance of your computer in a negative way. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (compared to the state before their installation). The most significant changes include unwanted pop‑up windows, activation and running of hidden processes, increased usage of system resources, changes in search results, and applications communicating with remote servers.

Potentially unsafe applications – Potentially unsafe applications is the classification used for commercial, legitimate software. It includes programs such as remote access tools, which is why this option is disabled by default.

4.1.6.3 Cleaning

The cleaning settings determine the behavior of the scanner during the cleaning of infected files. There are 3 levels of cleaning:

No cleaning – Infected files are not cleaned automatically. The program will display a warning window and allow you to choose an action.

Standard cleaning – The program will attempt to automatically clean or delete an infected file. If it is not possible to select the correct action automatically, the program will offer a choice of follow‑up actions. The choice of follow‑up actions will also be displayed if a predefined action could not be completed.

Strict cleaning – The program will clean or delete all infected files (including archives). The only exceptions are system files. If it is not possible to clean them, you will be offered an action to take in a warning window.


Warning: In the Default mode, the entire archive file is deleted only if all files in the archive are infected. If the archive also contains legitimate files, it will not be deleted. If an infected archive file is detected in Strict cleaning mode, the entire archive will be deleted, even if clean files are present.

4.1.6.4 Extensions

An extension is part of the file name delimited by a period. The extension defines the type and content of the file. This section of the ThreatSense parameter setup lets you define the types of files to scan.

By default, all files are scanned regardless of their extension. Any extension can be added to the list of files excluded from scanning. If the Scan all files option is deselected, the list changes to show all currently scanned file extensions. Using the Add and Remove buttons, you can enable or prohibit scanning of desired extensions.

To enable scanning of files with no extension, select the Scan extensionless files option.

Excluding files from scanning is sometimes necessary if scanning certain file types prevents the program which is using the extensions from running properly. For example, it may be advisable to exclude the .edb, .eml and .tmp extensions when using Microsoft Exchange servers.

4.1.6.5 Limits

The Limits section allows you to specify the maximum size of objects and levels of nested archives to be scanned:

Maximum object size: – Defines the maximum size of objects to be scanned. The given antivirus module will then scan only objects smaller than the size specified. We do not recommend changing the default value, as there is usually no reason to modify it. This option should only be changed by advanced users who have specific reasons for excluding larger objects from scanning.

Maximum scan time for object (sec.): – Defines the maximum time value for scanning an object. If a user-defined value has been entered here, the antivirus module will stop scanning an object when that time has elapsed, regardless of whether the scan has finished.

Archive nesting level: – Specifies the maximum depth of archive scanning. We do not recommend changing the default value of 10; under normal circumstances, there should be no reason to modify it. If scanning is prematurely terminated due to the number of nested archives, the archive will remain unchecked.

Maximum size of file in archive: – This option allows you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. If scanning of an archive is prematurely terminated for that reason, the archive will remain unchecked.
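The effect of the Archive nesting level and Maximum size of file in archive limits can be seen in the following Python sketch. It is an example added here, not ESET code: the function names, the way levels are counted, the 1 MB size value and the "scanned"/"unchecked" result strings are assumptions. The point it shows is that an archive that hits a limit ends up unchecked, which is not the same as clean.

```python
import io
import zipfile

DEFAULT_NESTING = 10          # default Archive nesting level stated in the guide
ZIP_MAGIC = b"PK\x03\x04"     # local file header signature of a zip archive


def make_nested_zip(depth, payload=b"hello"):
    """Build constructed test input: `payload` wrapped in `depth` zip layers."""
    data, name = payload, "file.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level}.zip"
    return data


def scan_archive(blob, max_nesting=DEFAULT_NESTING,
                 max_member_size=1_000_000, _level=1):
    """Walk a zip archive and return 'scanned' or 'unchecked'.

    'unchecked' means a limit stopped the walk before every member was seen.
    Assumption: the outermost archive counts as nesting level 1.
    """
    if _level > max_nesting:
        return "unchecked"                      # too many nested archives
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member_size:
                return "unchecked"              # extracted size over the limit
            member = zf.read(info)
            if member.startswith(ZIP_MAGIC):    # simplified nested-archive test
                inner = scan_archive(member, max_nesting,
                                     max_member_size, _level + 1)
                if inner == "unchecked":
                    return "unchecked"
            # a real scanner would inspect `member` for malicious code here
    return "scanned"


if __name__ == "__main__":
    for depth in (3, 10, 11):
        print(depth, "layers ->", scan_archive(make_nested_zip(depth)))
```

When reviewing scan logs, treat an unchecked archive as an object that still needs a verdict.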

4.1.6.6 Other

Scan alternate data streams (ADS) – Alternate data streams (ADS) used by the NTFS file system are file and folder associations which are invisible from ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternative data streams.

Run background scans with low priority – Each scanning sequence consumes a certain amount of system resources. If you work with programs that place a high load on system resources, you can activate low priority background scanning and save resources for your applications.

Log all objects – If this option is selected, the log file will show all the scanned files, even those not infected.

Enable Smart optimization – Select this option so that files which have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each virus signature database update.

Preserve last access timestamp – Select this option to keep the original access time of scanned files instead of updating it (e.g., for use with data backup systems).

Scroll log – This option allows you to enable/disable log scrolling. If selected, information scrolls upwards within the display window.

Display notification about scan completion in a separate window – Opens a standalone window containing information about scan results.

4.1.7 An infiltration is detected

Infiltrations can reach the system from various entry points: web pages, shared folders, via email or from removable computer devices (USB, external disks, CDs, DVDs, diskettes, etc.).

If your computer is showing signs of malware infection, e.g., it is slower, often freezes, etc., we recommend that you do the following:

• Open ESET Smart Security and click Computer scan

• Click Smart scan (for more information, see section 4.1.4.1.1, “Smart scan”)

• After the scan has finished, review the log for the number of scanned, infected and cleaned files.

If you only wish to scan a certain part of your disk, click Custom scan and select targets to be scanned for viruses.

As a general example of how infiltrations are handled in ESET Smart Security, suppose that an infiltration is detected by the real-time file system monitor, which uses the Default cleaning level. It will attempt to clean or delete the file. If there is no predefined action to take for the real-time protection module, you will be asked to select an option in an alert window. Usually, the options Clean, Delete and Leave are available. Selecting Leave is not recommended, since the infected file(s) would be left untouched. The exception to this is when you are sure that the file is harmless and has been detected by mistake.

Cleaning and deleting – Apply cleaning if a file has been attacked by a virus which has attached malicious code to the file. If this is the case, first attempt to clean the infected file in order to restore it to its original state. If the file consists exclusively of malicious code, it will be deleted.


If an infected file is “locked” or in use by a system process, it will usually only be deleted after it is released (normally after a system restart).

Deleting files in archives – In the Default cleaning mode, the entire archive will be deleted only if it contains infected files and no clean files. In other words, archives are not deleted if they also contain harmless clean files. However, use caution when performing a Strict cleaning scan – with Strict cleaning the archive will be deleted if it contains at least one infected file, regardless of the status of other files in the archive.

4.2 Personal firewall

The Personal firewall controls all network traffic to and from the system. This is accomplished by allowing or denying individual network connections based on specified filtering rules. It provides protection against attacks from remote computers and enables blocking of some services. It also provides antivirus protection for HTTP and POP3 protocols. This functionality represents a very important element of computer security.

4.2.1 Filtering modes

Five filtering modes are available for the ESET Smart Security Personal firewall. The behavior of the firewall changes based on the selected mode. Filtering modes also influence the level of user interaction required.

Filtering can be performed in one of five modes:

Automatic mode – The default mode. It is suitable for users who prefer easy and convenient use of the firewall with no need to define rules. Automatic mode allows all outbound traffic for the given system and blocks all new connections initiated from the network side.

Automatic mode with exceptions (user-defined rules) – In addition to automatic mode it enables you to add custom rules.

Interactive mode – Allows you to build a tailor-made configuration for your Personal firewall. When a communication is detected and no rule exists which applies to that communication, a dialog window reporting an unknown connection will be displayed. The dialog window gives the option of allowing or denying the communication, and the decision to allow or deny can be remembered as a new rule for the Personal firewall. If you choose to create a new rule at this time, all future connections of this type will be allowed or blocked according to the rule.

Policy-based mode – Blocks all connections which are not defined by a specific rule that allows them. This mode allows advanced users to define rules that permit only desired and secure connections. All other unspecified connections will be blocked by the Personal firewall.

Learning mode – Automatically creates and saves rules; this mode is suitable for initial configuration of the Personal firewall. No user interaction is required, because ESET Smart Security saves rules according to predefined parameters. Learning mode is not secure, and should only be used until all rules for required communications have been created.

4.2.2 Profiles

Profiles are a tool to control the behavior of the ESET Smart Security Personal firewall. When creating or editing a Personal firewall rule, you can assign it to a specific profile or have it apply to every profile. When you select a profile, only the global rules (with no profile specified) and the rules that have been assigned to that profile are applied. You can create multiple profiles with different rules assigned to easily alter the Personal firewall behavior.

4.2.2.1 Profile management

Click the Profiles... button (see figure in section 4.2.1, “Filtering modes”) to open the Firewall profiles window, where you can Add..., Edit and Remove profiles. Please note that to Edit or Remove a profile, it must not be selected in the Selected profile drop-down menu. When adding or editing a profile, you can also define the conditions that trigger it. The following possibilities are available:

Do not switch automatically – The automatic trigger is turned off (profile must be activated manually).

When the automatic profile becomes invalid and no other profile is activated automatically (default profile) – When the automatic profile becomes invalid (if the computer is connected to an untrusted network – see section 4.2.6.1, “Network authentication”) and another profile is not activated in its place (computer is not connected to another trusted network), the Personal firewall will switch to this profile. Only one profile can use this trigger.

If this zone is authenticated – This profile will be triggered when the specified zone is authenticated (see section 4.2.6.1, “Network authentication”).


When the Personal firewall switches to another profile, a notification will appear in the lower right corner near the system clock.

4.2.3 Block all network traffic: disconnect network

The only option for blocking all network traffic is to click Block all network traffic: disconnect network. All inbound and outbound communication is blocked by the Personal firewall with no warning displayed. Use this option only if you suspect critical security risks requiring disconnection of the system from the network.

4.2.4 Disable filtering: allow all traffic

The Disable filtering option is the opposite of blocking all network traffic. If selected, all Personal firewall filtering options are turned off and all incoming and outgoing connections are permitted. It has the same effect as no firewall being present.

4.2.5 Configuring and using rules

Rules represent a set of conditions used to meaningfully test all network connections and all actions assigned to these conditions. With the Personal firewall, you can define what action to take if a connection defined by a rule is established.

To access the rule filtering setup, navigate to Advanced Setup (F5) > Personal firewall > Rules and zones. To display the current configuration, click Setup... in the Zone and rule editor section (if the Personal firewall is set to Automatic mode, these settings are not available).

In the Zone and rule setup window, an overview of either rules or zones is displayed (based on the currently selected tab). The window is divided into two sections. The upper section lists all rules in a shortened view. The lower section displays details about the rule currently selected in the upper section. At the very bottom are the buttons New, Edit, and Delete (Del), which allow you to configure rules.

Connections can be divided into incoming and outgoing connections. Incoming connections are initiated by a remote computer attempting to establish connection with the local system. Outgoing connections work in the opposite way – the local side contacts a remote computer.

If a new unknown communication is detected, you must carefully consider whether to allow or deny it. Unsolicited, unsecured or unknown connections pose a security risk to the system. If such a connection is established, we recommend that you pay particular attention to the remote side and the application attempting to connect to your computer. Many infiltrations try to obtain and send private data, or download other malicious applications to host workstations. The Personal firewall allows you to detect and terminate such connections.

4.2.5.1 Creating a new rule

When installing a new application which accesses the network or when modifying an existing connection (remote side, port number, etc.), a new rule must be created.

To add a new rule, verify that the Rules tab is selected. Then, click the New button in the Zone and rule setup window. Clicking on this button opens a new dialog window to specify a new rule. The upper part of the window contains three tabs:

• General: Specify a rule name, the direction of the connection, the action, the protocol and the profile in which the rule will apply.


• Remote: This tab contains information about the remote port (port range). It also allows you to define a list of remote IP addresses or zones for a given rule.

• Local: Displays information about the local side of the connection, including the number of the local port or port range and the name of the communicating application.

A good example of adding a new rule is allowing your Internet browser to access the network. The following must be provided in this case:

• On the General tab, enable outgoing communication via the TCP and UDP protocol

• Add the process representing your browser application (for Internet Explorer it is iexplore.exe) on the Local tab

• On the Remote tab, enable port number 80 only if you wish to allow standard Internet browsing activities.
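How the browser rule above interacts with the filtering modes (section 4.2.1) and with profiles (section 4.2.2) can be tried out in the following Python model. It is an example added here, not ESET's implementation: the class and field names, the "first matching rule wins" order, the rule saved by learning mode and the "office" rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALLOW, DENY, ASK = "allow", "deny", "ask"


@dataclass(frozen=True)
class Connection:
    direction: str        # "out" (local side initiates) or "in" (remote side initiates)
    protocol: str         # "TCP" or "UDP"
    application: str      # local process name
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # ALLOW or DENY
    direction: str
    protocols: FrozenSet[str]
    application: Optional[str] = None              # lowercase name; None = any application
    remote_ports: Optional[FrozenSet[int]] = None  # None = any remote port
    profile: Optional[str] = None                  # None = global rule

    def matches(self, conn):
        return (self.direction == conn.direction
                and conn.protocol in self.protocols
                and (self.application is None
                     or self.application == conn.application.lower())
                and (self.remote_ports is None
                     or conn.remote_port in self.remote_ports))


class PersonalFirewallModel:
    """Hypothetical model: first matching rule wins, then the mode's fallback."""

    def __init__(self, mode, rules=(), profile=None):
        self.mode, self.rules, self.profile = mode, list(rules), profile

    def active_rules(self):
        # Only global rules and rules assigned to the selected profile apply.
        return [r for r in self.rules if r.profile in (None, self.profile)]

    def decide(self, conn):
        if self.mode != "automatic":        # plain Automatic mode has no user rules
            for rule in self.active_rules():
                if rule.matches(conn):
                    return rule.action
        if self.mode in ("automatic", "automatic_with_exceptions"):
            return ALLOW if conn.direction == "out" else DENY
        if self.mode == "interactive":
            return ASK                      # the user is prompted for a decision
        if self.mode == "policy":
            return DENY                     # no rule explicitly allowed it
        if self.mode == "learning":
            # Assumption: learning mode saves an allow rule for what it just saw.
            self.rules.append(Rule(
                "learned:" + conn.application, ALLOW, conn.direction,
                frozenset({conn.protocol}), conn.application.lower(),
                frozenset({conn.remote_port}), self.profile))
            return ALLOW
        raise ValueError("unknown mode: " + self.mode)


# The browser rule from the text: outgoing TCP/UDP, iexplore.exe, remote port 80.
BROWSER_RULE = Rule("Allow browser", ALLOW, "out", frozenset({"TCP", "UDP"}),
                    "iexplore.exe", frozenset({80}))
# Constructed profile-bound rule, used to show profile scoping.
OFFICE_RULE = Rule("Office file share", ALLOW, "in", frozenset({"TCP"}),
                   profile="office")

WEB = Connection("out", "TCP", "iexplore.exe", 80)
OTHER_PORT = Connection("out", "TCP", "iexplore.exe", 8080)
UNKNOWN_APP = Connection("out", "TCP", "unknown.exe", 80)
INBOUND = Connection("in", "TCP", "System", 50000)


def compare_modes(conn, rules=(BROWSER_RULE, OFFICE_RULE), profile=None):
    """Return the decision each filtering mode reaches for one connection."""
    modes = ("automatic", "automatic_with_exceptions",
             "interactive", "policy", "learning")
    return {m: PersonalFirewallModel(m, rules, profile).decide(conn) for m in modes}


if __name__ == "__main__":
    for label, conn in (("browser:80", WEB), ("browser:8080", OTHER_PORT),
                        ("unknown app", UNKNOWN_APP), ("inbound", INBOUND)):
        print(label, compare_modes(conn))
```

In this model the same unknown outbound application is allowed in Automatic mode, prompted for in Interactive mode and blocked in Policy-based mode, and a rule saved while in Learning mode keeps allowing it after the mode is changed.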

4.2.5.2 Editing rules

To modify an existing rule, click the Edit button. All parameters (see section 4.2.5.1, “Creating new rules” for descriptions) can be modified.

Modification is required each time any of the monitored parameters are changed. In this case, the rule cannot fulfill the conditions and the specified action cannot be applied. In the end, the given connection may be refused, which can result in problems with operation of the application in question. An example is a change of network address or port number for the remote side.

4.2.6 Configuring zones

In the Zone setup window you can specify the zone name, description, network address list and zone authentication (see section 4.2.6.1.1, “Zone authentication – Client configuration”).

A zone represents a collection of network addresses which create one logical group. Each address in a given group is assigned similar rules defined centrally for the whole group. One example of such a group is the Trusted zone. The Trusted zone represents a group of network addresses which are fully trusted and not blocked by the Personal firewall in any way.

These zones can be configured using the Zones tab in the Zone and rule setup window, by clicking the New button. Enter a Name for the zone and a Description, and add a remote IP address by clicking the Add IPv4 address button.

4.2.6.1 Network authentication

The Trusted zone is identified by the local IP address of the network adapter. Mobile computers often enter networks with IP addresses that are similar to the trusted network. If the Trusted zone settings are not manually switched to Strict protection, the Personal firewall will continue to use the Allow sharing mode.

To prevent this type of situation, Zone authentication searches for a specific server in the network and uses asymmetric encryption (RSA) to authenticate the server. The authentication process is repeated for each network your computer connects to.

4.2.6.1.1 Zone authentication – Client configuration

In the Zone and rule setup window, click the Zones tab and create a new zone using the name of the zone authenticated by the server. Then click Add IPv4 address and select the Subnet option to add a subnet mask that contains the authentication server.

Click the Zone authentication tab and select the “IP addresses/subnets in the zone will become valid after a successful authentication of the server in the network” option. With this option selected, the zone will become invalid if authentication is unsuccessful. To select a Personal firewall profile to be activated after a successful zone authentication, click the Profiles... button. If you select the “Add addresses/subnets of the zone to the Trusted Zone” option, the addresses/subnets of the zone will be added to the Trusted zone after an authentication is successful (recommended).

There are three authentication types available:

1) Using ESET authentication server

Click Setup... and specify a server name, server listening port and a public key that corresponds to the private server key (see section 4.2.6.1.2, “Zone authentication – Server configuration”). The server name can be entered in the form of an IP address, DNS or NetBios name. The server name can be followed by a path specifying the location of the key on the server (e.g., server_name_/directory1/directory2/authentication). Enter multiple servers, separated by semicolons, to serve as alternate servers if the first one is unavailable.

The public key can be a file of one of the following types:

• PEM encrypted public key (.pem) – This key can be generated using the ESET Authentication Server (see section 4.2.6.1.2, “Zone authentication – Server configuration”).

• Encoded public key

• Public key certificate (.crt)

To test your settings, press the Test button. If authentication is successful, a Server authentication successful message will appear. If authentication is not configured properly, one of the following error messages will appear:

Server authentication failed. Maximum time for authentication elapsed.
The authentication server is inaccessible. Check the server name/IP address and/or verify the Personal firewall settings of the client as well as the server section.

An error has occurred while communicating with the server.
The authentication server is not running. Start the authentication server service (see section 4.2.6.1.2, “Zone authentication – Server configuration”).

The name of the authentication zone does not match the server zone.
The configured zone name does not correspond with the authentication server zone. Review both zones and ensure their names are identical.

Server authentication failed. Server address not found in the list of addresses for the given zone.
The IP address of the computer running the authentication server is outside the defined IP address range of the current zone configuration.

Server authentication failed. Probably an invalid public key was entered.
Verify that the public key specified corresponds to the private server key. Also verify that the public key file is not corrupted.

2) By local network configuration

Authentication is performed according to local network adapter parameters. Authentication is successful if all selected parameters for the active connection are valid.

4.2.6.1.2 Zone authentication – Server configuration

The authentication process can be executed by any computer/server connected to the network that is to be authenticated. The ESET Authentication Server application needs to be installed on a computer/server that is always accessible for authentication whenever a client attempts to connect to the network. The installation file for the ESET Authentication Server application is available for download on ESET’s website.

After you install the ESET Authentication Server application, a dialog window will appear (you can access the application anytime under Start > Programs > ESET > ESET Authentication Server > ESET Authentication Server).

To configure the authentication server, enter the authentication zone name, the server listening port (default is 80) as well as the location to store the public and private key pair. Then generate the public and private key that will be used in the authentication process. The private key will remain set on the server while the public key needs to be imported on the client side in the Zone authentication section when setting up a zone in the firewall setup.


4.2.7 Establishing connection – detection

The Personal firewall detects each newly-created network connection. The active firewall mode determines which actions are performed for the new rule. If Automatic mode or Policy-based mode is activated, the Personal firewall will perform predefined actions with no user interaction. The Interactive mode displays an informational window which reports detection of a new network connection, supplemented with detailed information about the connection. You can opt to allow the connection or refuse (block) it. If you repeatedly allow the same connection in the dialog window, we recommend that you create a new rule for the connection. To do this, select the Remember action option (Create rule) and save the action as a new rule for the Personal firewall. If the firewall recognizes the same connection in the future, it will apply the existing rule.

Please be careful when creating new rules and only allow connections which are secure. If all connections are allowed, then the Personal firewall fails to accomplish its purpose. These are the important parameters for connections:

• Remote side: Only allow connections to trusted and known addresses

• Local application: It is not advisable to allow connections for unknown applications and processes

• Port number: Communication on common ports (e.g., web traffic – port number 80) should be allowed under normal circumstances

In order to proliferate, computer infiltrations often use the Internet and hidden connections to help them infect remote systems. If rules are correctly configured, a Personal firewall becomes a useful tool for protection against a variety of malicious code attacks.

4.2.8 Logging

The ESET Smart Security Personal firewall saves all important events in a log file, which can be viewed directly from the main menu. Click Tools > Log files and then select ESET Personal firewall log from the Log drop-down menu.

The log files are an invaluable tool for detecting errors and revealing intrusions into your system, and should be given appropriate attention. ESET Personal firewall logs contain the following data:

• Date and time of event

• Name of event

• Source

• Target network address

• Network communication protocol

• Rule applied, or name of worm, if identified

• Application involved

• User

A thorough analysis of this data can help detect attempts to compromise system security. Many other factors indicate potential security risks and allow you to minimize their impact: too frequent connections from unknown locations, multiple attempts to establish connections, unknown applications communicating or unusual port numbers used.
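The four warning signs listed above can be checked mechanically once the log is available as text. The Python script below is an example added here and is not part of the product: the tab-separated layout, the event names, the sample rows, the known-network and known-application lists, the common-port set and the threshold of 3 are all assumptions constructed for illustration, using the eight log fields named in this section.

```python
import csv
import io
import ipaddress
from collections import Counter

FIELDS = ["time", "event", "source", "target", "protocol",
          "rule", "application", "user"]

# Constructed sample rows (documentation address ranges); the real log layout may differ.
ROWS = [
    ("2010-03-01 09:00:01", "Communication denied", "203.0.113.7:40112",
     "192.168.1.10:445", "TCP", "Block incoming", "System", "SYSTEM"),
    ("2010-03-01 09:00:02", "Communication denied", "203.0.113.7:40113",
     "192.168.1.10:445", "TCP", "Block incoming", "System", "SYSTEM"),
    ("2010-03-01 09:00:03", "Communication denied", "203.0.113.7:40114",
     "192.168.1.10:445", "TCP", "Block incoming", "System", "SYSTEM"),
    ("2010-03-01 09:05:10", "Communication allowed", "192.168.1.10:51000",
     "198.51.100.20:80", "TCP", "Allow browser", "iexplore.exe", "alice"),
    ("2010-03-01 09:06:00", "Communication allowed", "192.168.1.10:51020",
     "198.51.100.99:6667", "TCP", "Learned rule", "updater32.exe", "alice"),
    ("2010-03-01 09:07:00", "Communication denied", "192.0.2.44:5555",
     "192.168.1.10:3389", "TCP", "Block incoming", "System", "SYSTEM"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS) + "\n"

KNOWN_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed trusted network
KNOWN_APPS = {"system", "iexplore.exe"}                 # assumed approved applications
COMMON_PORTS = {25, 53, 80, 110, 443}                   # assumed "usual" remote ports
THRESHOLD = 3                                           # events before a source is flagged


def split_endpoint(endpoint):
    """Split 'address:port' into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def is_known(addr):
    return any(addr in net for net in KNOWN_NETS)


def triage(log_text):
    """Return the four indicator sets named in the guide for one log."""
    per_source, denied_pairs = Counter(), Counter()
    unknown_apps, unusual_ports = set(), set()
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS, delimiter="\t")
    for row in reader:
        src, _ = split_endpoint(row["source"])
        dst, dst_port = split_endpoint(row["target"])
        app = row["application"].lower()
        if not is_known(src):
            per_source[str(src)] += 1                   # connection from unknown location
            if "denied" in row["event"].lower():
                denied_pairs[(str(src), row["target"])] += 1
        if app not in KNOWN_APPS:
            unknown_apps.add(app)                       # unknown application communicating
        if is_known(src) and not is_known(dst) and dst_port not in COMMON_PORTS:
            unusual_ports.add((app, dst_port))          # outbound to an unusual port
    return {
        "frequent_unknown_sources":
            {s: n for s, n in per_source.items() if n >= THRESHOLD},
        "repeated_denied":
            {k: n for k, n in denied_pairs.items() if n >= THRESHOLD},
        "unknown_apps": unknown_apps,
        "unusual_ports": unusual_ports,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```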

4.3 Antispam protection

Unsolicited email – called spam – ranks among the greatest problems of electronic communication. It represents up to 80 percent of all email communication. Antispam protection serves to protect against this problem. Combining several efficient principles, the Antispam module provides superior filtering.


One important principle in spam detection is the ability to recognize unsolicited email based on predefined trusted addresses (whitelist) and spam addresses (blacklist). All addresses from your contact list are automatically added to the whitelist, as well as all other addresses you mark as safe.

The primary method used to detect spam is the scanning of email message properties. Received messages are scanned for basic Antispam criteria (message definitions, statistical heuristics, recognizing algorithms and other unique methods) and the resulting index value determines whether a message is spam or not.

ESET Smart Security 4 supports Antispam protection for Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.

4.3.1 Self-learning Antispam

Self-learning Antispam is related to the Bayesian filter. By marking messages as spam and not spam, you create a database of words used in spam and not spam messages. The more messages classified (marked as spam or not spam), the more accurate the Bayesian filter will be. Add known email addresses to the whitelist to exclude them from filtering.

4.3.1.1 Adding addresses to whitelist and blacklist

Email addresses belonging to people you communicate with frequently can be added to the whitelist to ensure that no message originating from a whitelist address is ever classified as spam. Known spam addresses can be added to the blacklist and always be classified as spam. To add a new address to the whitelist or blacklist, right-click the email and select ESET Smart Security > Add to Whitelist or Add to Blacklist, or click the Trusted address or Spam address button in the ESET Smart Security Antispam toolbar in your email program.

Similarly, this process applies to spam addresses. If an email address is listed on the blacklist, each email message which arrives from that address is classified as spam.

4.3.1.2 Marking messages as spam

Any message viewed in your email client can be marked as spam. To do so, right-click the message and click ESET Smart Security > Reclassify selected messages as spam, or click Spam address in the ESET Smart Security Antispam toolbar located in the upper section of your email client.

Reclassified messages are automatically moved to the SPAM folder, but the sender email address is not added to the Blacklist. Similarly, messages can be classified as “not spam”. If messages from the Junk E-mail folder are classified as not spam, they are moved to their original folder. Marking a message as not spam does not automatically add the sender address to the Whitelist.

4.4 Updating the program

Regular updating of ESET Smart Security is the basic premise for obtaining the maximum level of security. The Update module ensures that the program is always up to date in two ways – by updating the virus signature database and by updating system components.

By clicking Update from the main menu, you can find the current update status, including the date and time of the last successful update and if an update is needed. The primary window also contains the virus signature database version. This numeric indicator is an active link to ESET’s website, listing all signatures added within the given update.

In addition, the option to manually begin the update process – Update virus signature database – is available, as well as basic update setup options such as the username and password to access ESET’s update servers.

Use the Product activation link to open a registration form that will activate your ESET security product and send you an email with your authentication data (username and password).

NOTE: The username and password are provided by ESET after purchasing ESET Smart Security.

4.4.1 Update setup

The update setup section specifies update source information such as the update servers and authentication data for these servers. By default, the Update server drop-down menu is set to Choose automatically to ensure that update files will automatically download from the ESET server with the least network traffic. The update setup options are available from the Advanced Setup tree (F5 key), under Update.

The list of available update servers is accessible via the Update server drop-down menu. To add a new update server, click Edit... in the Update settings for selected profile section and then click the Add button. Authentication for update servers is based on the Username and Password generated and sent to you after purchase.

4.4.1.1 Update profiles

Update profiles can be created for various update configurations and tasks. Creating update profiles is especially useful for mobile users, who can create an alternative profile for Internet connection properties that regularly change.

The Selected profile drop-down menu displays the currently selected profile, set to My profile by default. To create a new profile, click the Profiles... button and then click the Add... button and enter your own Profile name. When creating a new profile, you can copy settings from an existing one by selecting it from the Copy settings from profile drop-down menu.

In the profile setup you can specify the update server from a list of available servers, or a new server can be added. The list of existing update servers is accessible via the Update server: drop-down menu. To add a new update server, click Edit… in the Update settings for selected profile section and then click the Add button.

4.4.1.2 Advanced update setup

To view the Advanced update setup, click the Setup... button. Advanced update setup options include configuration of Update mode, HTTP Proxy, LAN and Mirror.

4.4.1.2.1 Update mode

The Update mode tab contains options related to the program component update.

In the Program component update section, three options are available:

• Never update program components: New program component updates will not be downloaded.

• Always update program components: New program component updates will occur automatically.

• Ask before downloading program components: The default option. You will be prompted to confirm or refuse program component updates when they are available.

After a program component update, it may be necessary to restart your computer to provide full functionality of all modules. The Restart after program component upgrade section allows you to select one of the following options:

• Never restart computer

• Offer computer restart if necessary

• If necessary, restart computer without notifying

The default option is Offer computer restart if necessary. Selection of the most appropriate option depends on the workstation where the settings will be applied. Please be aware that there are differences between workstations and servers – e.g., restarting the server automatically after a program upgrade could cause serious damage.

4.4.1.2.2 Proxy server

To access the proxy server setup options for a given update profile: Click Update in the Advanced Setup tree (F5) and then click the Setup... button to the right of Advanced update setup. Click the HTTP Proxy tab and select one of the three following options:

• Use global proxy server settings

• Do not use proxy server

• Connection through a proxy server (connection defined by the connection properties)


Selecting the Use global proxy server settings option will use the proxy server configuration options already specified within the Miscellaneous > Proxy server branch of the Advanced Setup tree.

Select the Do not use proxy server option to specify that no proxy server will be used to update ESET Smart Security.

The Connection through a proxy server option should be selected if a proxy server should be used to update ESET Smart Security and is different from the proxy server specified in the global settings (Miscellaneous > Proxy server). If so, the settings should be specified here: Proxy server address, communication Port, plus Username and Password for the proxy server, if required.

This option should also be selected if the proxy server settings were not set globally, but ESET Smart Security will connect to a proxy server for updates.

The default setting for the proxy server is Use global proxy server settings.

4.4.1.2.3 Connecting to the LAN

When updating from a local server with an NT-based operating system, authentication for each network connection is required by default. In most cases, a local system account does not have sufficient rights to access the Mirror folder (the Mirror folder contains copies of update files). If this is the case, enter the username and password in the update setup section, or specify an existing account under which the program will access the update server (Mirror).

To configure such an account, click the LAN tab. The Connect to LAN as section offers the System account (default), Current user, and Specified user options.

Select the System account (default) option to use the system account for authentication. Normally, no authentication process takes place if there is no authentication data supplied in the main update setup section.

To ensure that the program authenticates using a currently logged-in user account, select Current user. The drawback of this solution is that the program is not able to connect to the update server if no user is currently logged in.

Select Specified user if you want the program to use a specific user account for authentication.

Warning: When either Current user or Specified user is selected, an error may occur when changing the identity of the program to the desired user. We recommend inserting the LAN authentication data in the main update setup section. In this update setup section, the authentication data should be entered as follows: domain_name\user (if it is a workgroup, enter workgroup_name\name) and password. When updating from the HTTP version of the local server, no authentication is required.

4.4.1.2.4 Creating update copies – Mirror

ESET Smart Security Business Edition allows you to create copies of update files which can be used to update other workstations located in the network. Updating client workstations from a Mirror optimizes network load balance and saves Internet connection bandwidth.

Configuration options for the local Mirror server are accessible (after adding a valid license key in the license manager, located in the ESET Smart Security Business Edition Advanced Setup section) in the Advanced update setup: section. To access this section, press F5 and click Update in the Advanced Setup tree, then click the Setup... button next to Advanced update setup: and select the Mirror tab.


The first step in configuring the Mirror is to select the Create update mirror option. Selecting this option activates other Mirror configuration options such as the way update files will be accessed and the update path to the mirrored files.

The methods of Mirror activation are described in detail in section 4.4.1.2.4.1, “Updating from the Mirror”. For now, note that there are two basic methods for accessing the Mirror – the folder with update files can be presented as a shared network folder or as an HTTP server.

The folder dedicated to storing update files for the Mirror is defined in the Folder to store mirrored files section. Click Folder… to browse for a folder on the local computer or shared network folder. If authorization for the specified folder is required, authentication data must be supplied in the Username and Password fields. The username and password should be entered in the format Domain/User or Workgroup/User. Please remember to supply the corresponding passwords.

When configuring the Mirror, you can also specify the language versions for which you want to download update copies. Language version setup is accessible in the section Files – Available versions.

4.4.1.2.4.1 Updating from the Mirror

There are two basic methods of configuring the Mirror – the folder with update files can be presented as a shared network folder or as an HTTP server.

Accessing the Mirror using an internal HTTP server

This configuration is the default, specified in the predefined program configuration. In order to allow access to the Mirror using the HTTP server, navigate to Advanced update setup (the Mirror tab) and select the Create update mirror option.

In the Advanced setup section of the Mirror tab you can specify the Server Port where the HTTP server will listen as well as the type of Authentication used by the HTTP server. By default, the Server port is set to 2221. The Authentication option defines the method of authentication used for accessing the update files. The following options are available: NONE, Basic, and NTLM. Select Basic to use the base64 encoding with basic username and password authentication. The NTLM option provides encoding using a safe encoding method. For authentication, the user created on the workstation sharing the update files is used. The default setting is NONE, which grants access to the update files with no need for authentication.

Warning: If you want to allow access to the update files via the HTTP server, the Mirror folder must be located on the same computer as the ESET Smart Security instance creating it.

After configuration of the Mirror is complete, go to the workstations and add a new update server in the format http://IP_address_of_your_server:2221. To do this, follow the steps below:

• Open ESET Smart Security Advanced Setup and click the Update branch.

• Click Edit… to the right of the Update server drop-down menu and add a new server using the following format: http://IP_address_of_your_server:2221.

• Select this newly-added server from the list of update servers.

Accessing the Mirror via system shares

First, a shared folder should be created on a local or a network device. When creating the folder for the Mirror, you must provide “write” access for the user who will save update files to the folder and “read” access for all users who will update ESET Smart Security from the Mirror folder.

Next, configure access to the Mirror in the Advanced update setup section (Mirror tab) by disabling the Provide update files via internal HTTP server option. This option is enabled by default in the program install package.

If the shared folder is located on another computer in the network, you must specify authentication data to access the other computer. To specify authentication data, open ESET Smart Security Advanced Setup (F5) and click the Update branch. Click the Setup... button and then click the LAN tab. This setting is the same as for updating, as described in section 4.4.1.2.3, “Connecting to LAN”.

After the Mirror configuration is complete, proceed to the workstations and set \\UNC\PATH as the update server. This operation can be completed using the following steps:

• Open ESET Smart Security Advanced Setup and click Update

• Click Edit... next to the Update server and add a new server using the \\UNC\PATH format.

• Select this newly-added server from the list of update servers

NOTE: For proper functioning, the path to the Mirror folder must be specified as a UNC path. Updates from mapped drives may not work.

4.4.1.2.4.2 Troubleshooting Mirror update problems

In most cases, problems during an update from a Mirror server are caused by one or more of the following: incorrect specification of the Mirror folder options, incorrect authentication data to the Mirror folder, incorrect configuration on local workstations attempting to download update files from the Mirror, or by a combination of the reasons above. Below is an overview of the most frequent problems which may occur during an update from the Mirror:

ESET Smart Security reports an error connecting to Mirror server – Likely caused by incorrect specification of the update server (network path to the Mirror folder) from which local workstations download updates. To verify the folder, click the Windows Start menu, click Run, insert the folder name and click OK. The contents of the folder should be displayed.

ESET Smart Security requires a username and password – Likely caused by incorrect authentication data (username and password) in the update section. The username and password are used to grant access to the update server, from which the program will update itself. Make sure that the authentication data is correct and entered in the correct format. For example, Domain/Username, or Workgroup/Username, plus the corresponding Passwords. If the Mirror server is accessible to “Everyone”, please be aware that this does not mean that any user is granted access. “Everyone” does not mean any unauthorized user, it just means that the folder is accessible for all domain users. As a result, if the folder is accessible to “Everyone”, a domain username and password will still need to be entered in the update setup section.

ESET Smart Security reports an error connecting to the Mirror server – Communication on the port defined for accessing the HTTP version of the Mirror is blocked.
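The HTTP Mirror settings and the connection problems described above can be checked from a workstation with one unauthenticated request. The following is an added example, not ESET code: it reports whether the Mirror port answers and whether the server asks for no authentication, Basic or NTLM. The function names and the request path "/" are assumptions of this sketch.

```python
import http.client
import re
from urllib.parse import urlsplit

DEFAULT_MIRROR_PORT = 2221  # default Server port given in the guide

QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9!#$%&'*+.^_`|~-]*$")

NOTES = {
    "unreachable": "No HTTP answer: wrong address, Mirror HTTP server not "
                   "running, or the port is blocked on the way to the Mirror.",
    "none": "No authentication challenge: every host that can reach this "
            "port can download the update files.",
    "basic": "Basic: the username and password are only base64-encoded, so "
             "they are readable by anyone who can observe this HTTP traffic.",
    "ntlm": "NTLM challenge/response: the password itself is not sent.",
    "other": "The server asked for a scheme the guide does not list.",
}


def parse_auth_schemes(header_values):
    """Return lower-cased scheme names found in WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        # Blank out quoted strings so a comma inside a realm does not split it.
        for part in QUOTED.sub('""', value).split(","):
            words = part.split()
            if not words or (len(words) > 1 and words[1].startswith("=")):
                continue  # empty piece, or a "name = value" parameter
            if TOKEN.match(words[0]) and words[0].lower() not in schemes:
                schemes.append(words[0].lower())
    return schemes


def classify(status, schemes):
    """Map an HTTP status and the offered schemes to the guide's options."""
    if status != 401:
        return "none"
    if "basic" in schemes:
        return "basic"  # report the weakest offered scheme first
    if "ntlm" in schemes:
        return "ntlm"
    return "other"


def probe_mirror(url, timeout=5.0):
    """Send one unauthenticated GET and describe how the Mirror responded."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://host[:port]")
    conn = http.client.HTTPConnection(
        parts.hostname, parts.port or DEFAULT_MIRROR_PORT, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")  # path "/" is an assumption
        response = conn.getresponse()
        response.read()
        status = response.status
        schemes = parse_auth_schemes(
            response.headers.get_all("WWW-Authenticate") or [])
    except (OSError, http.client.HTTPException) as exc:
        return {"reachable": False, "status": None, "schemes": [],
                "auth": "unreachable",
                "note": "%s (%s)" % (NOTES["unreachable"], exc)}
    finally:
        conn.close()
    auth = classify(status, schemes)
    return {"reachable": True, "status": status, "schemes": schemes,
            "auth": auth, "note": NOTES[auth]}


if __name__ == "__main__":
    import sys
    # Usage: python probe_mirror.py http://IP_address_of_your_server:2221
    result = probe_mirror(sys.argv[1])
    print("%s (HTTP %s): %s"
          % (result["auth"], result["status"], result["note"]))
```

A result of "none" for a Mirror that was meant to be protected, or "basic" on a network where the HTTP traffic can be observed, points back to the Authentication option on the Mirror tab.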

4.4.2 How to create update tasks

Updates can be triggered manually by clicking Update virus signature database in the primary window displayed after clicking Update from the main menu.

Updates can also be run as scheduled tasks. To configure a scheduled task, click Tools > Scheduler. By default, the following tasks are activated in ESET Smart Security:

• Regular automatic update

• Automatic update after dial-up connection

• Automatic update after user logon

Each update task can be modified to meet your needs. In addition to the default update tasks, you can create new update tasks with a user-defined configuration. For more details about creating and configuring update tasks, see section 4.5, “Scheduler”.

4.5 Scheduler

Scheduler is available if Advanced mode in ESET Smart Security is activated. Scheduler can be found in the ESET Smart Security main menu under Tools. Scheduler contains a list of all scheduled tasks and configuration properties such as the predefined date, time, and scanning profile used.

By default, the following scheduled tasks are displayed in Scheduler:

• Regular automatic update

• Automatic update after dial-up connection

• Automatic update after user logon

• Automatic startup file check (after user logon)

• Automatic startup file check (after successful update of the virus signature database)

To edit the configuration of an existing scheduled task (both default and user-defined), right-click the task and click Edit... or select the desired task you wish to modify and click the Edit... button.

4.5.1 Purpose of scheduling tasks

Scheduler manages and launches scheduled tasks with predefined configuration and properties. The configuration and properties contain information such as the date and time as well as specified profiles to be used during execution of the task.

4.5.2 Creating new tasks

To create a new task in Scheduler, click the Add... button or right-click and select Add... from the context menu. Five types of scheduled tasks are available:

• Run external application

• System startup file check

• Create a computer status snapshot

• On-demand computer scan

• Update

Since Update is one of the most frequently used scheduled tasks, we will explain how to add a new update task.

From the Scheduled task: drop-down menu, select Update. Click Next and enter the name of the task into the Task name: field. Select the frequency of the task. The following options are available: Once, Repeatedly, Daily, Weekly and Event triggered. Based on the frequency selected, you will be prompted with different update parameters. Next, define what action to take if the task cannot be performed or completed at the scheduled time. The following three options are available:

• Wait until the next scheduled time

• Run task as soon as possible

• Run task immediately if the time since its last execution exceeds specified interval (the interval can be defined using the Task interval scroll box)

In the next step, a summary window with information about the current scheduled task is displayed; the option Run task with specific parameters should be automatically enabled. Click the Finish button.

A dialog window will appear, allowing you to select profiles to be used for the scheduled task. Here you can specify a primary and alternative profile, which is used in case the task cannot be completed using the primary profile. Confirm by clicking OK in the Update profiles window. The new scheduled task will be added to the list of currently scheduled tasks.

4.6 Quarantine

The main task of quarantine is to safely store infected files. Files should be quarantined if they cannot be cleaned, if it is not safe or advisable to delete them, or if they are being falsely detected by ESET Smart Security.

You can choose to quarantine any file. This is advisable if a file behaves suspiciously but is not detected by the antivirus scanner. Quarantined files can be submitted for analysis to ESET’s Threat Lab.

Files stored in the quarantine folder can be viewed in a table which displays the date and time of quarantine, the path to the original location of the infected file, its size in bytes, reason (added by user…), and number of threats (e.g., if it is an archive containing multiple infiltrations).

4.6.1 Quarantining files

ESET Smart Security automatically quarantines deleted files (if you have not cancelled this option in the alert window). If desired, you can quarantine any suspicious file manually by clicking the Quarantine... button. If this is the case, the original file is not removed from its original location. The context menu can also be used for this purpose – right-click in the Quarantine window and select Add...

4.6.2 Restoring from Quarantine

Quarantined files can also be restored to their original location. Use the Restore feature for this purpose; this is available from the context menu by right-clicking on the given file in the Quarantine window. The context menu also offers the option Restore to, which allows you to restore a file to a location other than the one from which it was deleted.

NOTE: If the program quarantined a harmless file by mistake, please exclude the file from scanning after restoring and send the file to ESET Customer Care.

4.6.3 Submitting file from Quarantine

If you have quarantined a suspicious file that was not detected by the program, or if a file was incorrectly evaluated as infected (e.g., by heuristic analysis of the code) and subsequently quarantined, please send the file to ESET’s Threat Lab. To submit a file from quarantine, right-click the file and select Submit for analysis from the context menu.

4.7 Log files

The Log files contain information about all important program events that have occurred and provide an overview of detected threats. Logging acts as an essential tool in system analysis, threat detection and troubleshooting. Logging is performed actively in the background with no user interaction. Information is recorded based on the current log verbosity settings. It is possible to view text messages and logs directly from the ESET Smart Security environment, as well as to archive logs.

Log files are accessible from the main menu by clicking Tools > Log files. Select the desired log type using the Log: drop-down menu at the top of the window. The following logs are available:

1. Detected threats – Use this option to view all information about events related to the detection of infiltrations.

2. Events – This option is designed for system administrators and users to solve problems. All important actions performed by ESET Smart Security are recorded in the Event logs.

3. On-demand computer scan – Results of all completed scans are displayed in this window. Double-click any entry to view details of the respective On-demand scan.

4. ESET Personal firewall log – Contains records of all communication detected by and related to the Personal firewall. Analysis of the firewall log may help to detect system infiltration attempts in time to prevent unauthorized access to your system.

In each section, the displayed information can be directly copied to the clipboard by selecting the entry and clicking the Copy button. To select multiple entries, the CTRL and SHIFT keys can be used.

4.7.1 Log maintenance

The Logging configuration of ESET Smart Security is accessible from the main program window. Click Setup > Enter entire advanced setup tree... > Tools > Log files. You can specify the following options for log files:

• Delete records automatically: Log entries older than the specified number of days are automatically deleted

• Optimize log files automatically: Enables automatic defragmentation of log files if the specified percentage of unused records has been exceeded

• Minimum logging verbosity: Specifies the logging verbosity level. Available options:

– Diagnostic records – Logs information needed for fine-tuning of the program and all records above

– Informative records – Records informative messages including successful update messages plus all records above

– Warnings – Records critical errors and warning messages

– Errors – Only “Error downloading file” messages are recorded, plus critical errors

– Critical warnings – Logs only critical errors (error starting Antivirus protection, Personal firewall, etc…)

4.8 User interface

The user interface configuration options in ESET Smart Security allow you to adjust the working environment to fit your needs. These configuration options are accessible from the User interface branch of the ESET Smart Security Advanced Setup tree.

In the User interface elements section, the Advanced mode option gives users the ability to allow toggling to Advanced mode. Advanced mode displays more detailed settings and additional controls to ESET Smart Security.

The Graphical user interface option should be disabled if the graphical elements slow the performance of your computer or cause other problems. The graphical interface may also need to be turned off for visually impaired users, as it may conflict with special applications that are used for reading text displayed on the screen.

If you wish to deactivate the ESET Smart Security splash-screen, deselect the Show splash-screen at startup option.

At the top of the ESET Smart Security main program window is a Standard menu which can be activated or disabled based on the Use standard menu option.

If the Show tooltips option is enabled, a short description of any option will be displayed if the cursor is placed over the option. The Select active control element option will cause the system to highlight any element which is currently under the active area of the mouse cursor. The highlighted element will be activated after a mouse click.

To decrease or increase the speed of animated effects, select the Use animated controls option and move the Speed slider bar to the left or right.

To enable the use of animated icons to display the progress of various operations, select the Use animated icons for progress indication option. If you want the program to sound a warning if an important event takes place, select the Use sound signal option.

The User interface features also include the option to password-protect the ESET Smart Security setup parameters. This option is located in the Settings protection submenu under User interface. In order to provide maximum security for your system, it is essential that the program be correctly configured. Unauthorized modifications could result in the loss of important data. To set a password to protect the setup parameter, click Set password…

4.8.1 Alerts and notifications

The Alerts and notifications setup section under User interface allows you to configure how threat alerts and system notifications are handled in ESET Smart Security.

The first item is Display alerts. Disabling this option will cancel all alert windows and is only suitable for a limited amount of specific situations. For most users, we recommend that this option be left to its default setting (enabled).

To close pop-up windows automatically after a certain period of time, select the option Close message boxes automatically after (sec.). If they are not closed manually, alert windows are automatically closed after the specified time period has expired.

Notifications on the Desktop and balloon tips are informative only, and do not require or offer user interaction. They are displayed in the notification area at the bottom right corner of the screen. To activate displaying Desktop notifications, select the Display notifications on desktop option. More detailed options – notification display time and window transparency can be modified by clicking the Configure notifications... button.

To preview the behavior of notifications, click the Preview button. To configure the duration of the balloon tips display time, see the option Display balloon tips in taskbar (for sec.).

Click Advanced setup... to enter additional Alerts and notification setup options that include the Display only notifications requiring user’s interaction. This option allows you to turn on/off displaying of alerts and notifications that require no user interaction. Select Display only notifications requiring user’s interaction when running applications in full screen mode to suppress all non-interactive notifications. From the Minimum verbosity of events to display drop-down menu you can select the starting severity level of alerts and notification to be displayed.

The last feature in this section allows you to configure the destination of notifications in a multi-user environment. The On multi-user systems, display notifications on the screen of the user: field allows you to define who will receive important notifications from ESET Smart Security. Normally this would be a system or network administrator. This option is especially useful for terminal servers, provided that all system notifications are sent to the administrator.

4.9 ThreatSense.Net

The ThreatSense.Net Early Warning System keeps ESET immediately and continuously informed about new infiltrations. The bidirectional ThreatSense.Net Early Warning System has a single purpose – to improve the protection that we can offer you. The best way to ensure that we see new threats as soon as they appear is to “link” to as many of our customers as possible and use them as our Threat Scouts. There are two options:

1. You can decide not to enable the ThreatSense.Net Early Warning System. You will not lose any functionality in the software, and you will still receive the best protection that we offer.

2. You can configure the ThreatSense.Net Early Warning System to submit anonymous information about new threats and where the new threatening code is contained. This file can be sent to ESET for detailed analysis. Studying these threats will help ESET update its threat detection capabilities.

The ThreatSense.Net Early Warning System will collect information about your computer related to newly-detected threats. This information may include a sample or copy of the file in which the threat appeared, the path to that file, the filename, the date and time, the process by which the threat appeared on your computer and information about your computer’s operating system.

While there is a chance that this may occasionally disclose some information about you or your computer (usernames in a directory path, etc.) to ESET’s Threat Lab, this information will not be used for ANY purpose other than to help us respond immediately to new threats.

By default, ESET Smart Security is configured to ask before submitting suspicious files for detailed analysis to ESET’s Threat Lab. Files with certain extensions such as .doc or .xls are always excluded. You can also add other extensions if there are particular files that you or your organization wants to avoid sending.

The ThreatSense.Net setup is accessible from the Advanced Setup tree, under Tools > ThreatSense.Net. Select the Enable ThreatSense.Net Early Warning System option to activate and then click the Advanced setup... button.

4.9.1 Suspicious files

The Suspicious files tab allows you to configure the manner in which threats are submitted to ESET’s Threat Lab for analysis.

If you find a suspicious file, you can submit it for analysis to our Threat Labs. If it is a malicious application, its detection will be added to the next virus signature update.

File submission can be set to occur automatically, or select the Ask before submitting option if you wish to know which files have been sent for analysis and confirm the submission.

If you do not want any files to be submitted, select the Do not submit for analysis option. Selecting not to submit files for analysis does not affect submission of statistical information which is configured in its own setup (see section 4.9.2, “Statistics”).

When to submit – By default, the As soon as possible option is selected for suspicious files to be sent to ESET’s Threat Lab. This is recommended if a permanent Internet connection is available and suspicious files can be delivered without delay. Select the During update option for suspicious files to be uploaded to ThreatSense.Net during the next update.

Exclusion filter – The Exclusion filter allows you to exclude certain files/folders from submission. For example, it may be useful to exclude files which may carry confidential information, such as documents or spreadsheets. The most common file types are excluded by default (.doc, etc.). You can add to the list of excluded files if desired.

Contact email – Your Contact email [optional] can be sent with any suspicious files and may be used to contact you if further information is required for analysis. Please note that you will not receive a response from ESET unless more information is needed.

4.9.2 Statistics

The ThreatSense.Net Early Warning System collects anonymous information about your computer related to newly detected threats. This information may include the name of the infiltration, the date and time it was detected, the ESET security product version, your operating system version and the location setting. The statistics are typically delivered to ESET’s servers once or twice a day.

Below is an example of a statistical package submitted:

# utc_time=2005-04-14 07:21:28
# country="Slovakia"
# language="ENGLISH"
# osver=5.1.2600 NT
# engine=5417
# components=2.50.2
# moduleid=0x4e4f4d41
# filesize=28368
# filename=C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C14J8NS7\rdgFR1463[1].exe

When to submit – You can define when the statistical information will be submitted. If you choose to submit As soon as possible statistical information will be sent immediately after it is created. This setting is suitable if a permanent Internet connection is available. If the During update option is selected, statistical information will be submitted collectively during the next update.
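The sample package above shows the disclosure mentioned in section 4.9: its filename field carries a Windows account name in the directory path. The following added example (not ESET code) parses the "# key=value" layout of that sample and reports and redacts such path components; the function names and the "<user>" placeholder are assumptions of this sketch.

```python
import re
from pathlib import PureWindowsPath

# The sample statistical package quoted in the guide.
SAMPLE_PACKAGE = r"""# utc_time=2005-04-14 07:21:28
# country="Slovakia"
# language="ENGLISH"
# osver=5.1.2600 NT
# engine=5417
# components=2.50.2
# moduleid=0x4e4f4d41
# filesize=28368
# filename=C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C14J8NS7\rdgFR1463[1].exe
"""

FIELD = re.compile(r"#\s*([A-Za-z_]+)=")
QUOTES = "\"\u201c\u201d\u201e"  # straight and typographic double quotes
PROFILE_ROOTS = ("documents and settings", "users")


def parse_package(text):
    """Split '# key=value' records; works with or without line breaks."""
    fields = {}
    matches = list(FIELD.finditer(text))
    for i, match in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[match.group(1)] = text[match.end():end].strip().strip(QUOTES)
    return fields


def profile_user(path):
    """Return the account name embedded in a Windows profile path, if any."""
    parts = PureWindowsPath(path).parts
    if len(parts) > 2 and parts[1].lower() in PROFILE_ROOTS:
        return parts[2]
    return None


def redact_path(path):
    """Replace the profile account name in a path with a placeholder."""
    if profile_user(path) is None:
        return path
    parts = PureWindowsPath(path).parts
    return str(PureWindowsPath(*parts[:2], "<user>", *parts[3:]))


def review_package(text):
    """Return (findings, redacted_fields) for one statistical package."""
    fields = parse_package(text)
    redacted = dict(fields)
    findings = []
    name = fields.get("filename", "")
    user = profile_user(name)
    if user:
        findings.append("filename discloses the account name %r" % user)
        redacted["filename"] = redact_path(name)
    drive = PureWindowsPath(name).drive
    if drive.startswith("\\\\"):  # UNC path: \\server\share
        findings.append("filename discloses a server and share: %s" % drive)
    return findings, redacted


if __name__ == "__main__":
    found, cleaned = review_package(SAMPLE_PACKAGE)
    for line in found:
        print("finding:", line)
    print("redacted filename:", cleaned["filename"])
```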

4.9.3 Submission

You can select how files and statistical information will be submitted to ESET. Select the By means of Remote Administrator or directly to ESET option for files and statistics to be submitted by any available means. Select the By means of Remote Administrator option to submit files and statistics to the remote administration server, which will ensure their subsequent submission to ESET’s Threat Lab. If the option Directly to ESET is selected, all suspicious files and statistical information are sent to ESET’s virus lab directly from the program.

When there are files pending submission, the Submit now button will be active. Click this button to immediately submit files and statistical information.

Select the Enable logging option to create a log to record file and statistical information submissions.

4.10 Remote administration

ESET Remote Administrator (ERA) is a powerful tool to manage security policy and to obtain an overview of the overall security within a network. It is especially useful when applied to larger networks. ERA not only increases the security level, but also provides ease-of-use in the administration of ESET Smart Security on client workstations.

Remote administration setup options are available from the main ESET Smart Security program window. Click Setup > Enter the entire advanced setup tree... > Miscellaneous > Remote administration.

Activate remote administration by selecting the Connect to Remote Administration server option. You can then access the other options described below:

Server address – Network address of the server where the ERA Server is installed.

Port – This field contains a predefined server port used for connection. We recommend that you leave the default port setting of 2222.

Interval between connections to server (min.) – This designates the frequency that ESET Smart Security will connect to the ERA Server. If it is set to 0, information will be submitted every 5 seconds.

Remote Administrator server requires authentication – Allows you to enter a password to connect to the ERA Server, if required.

Click OK to confirm changes and apply the settings. ESET Smart Security will use these settings to connect to the ERA Server.

4.11 Licenses

The Licenses branch allows you to manage the license keys for ESET Smart Security and other ESET products such as ESET Remote Administrator, ESET NOD32 for Microsoft Exchange, etc. After purchase, license keys are delivered along with your username and password. To Add/Remove a license key, click the corresponding button in the license manager (Licenses) window. The license manager is accessible from the Advanced Setup tree under Miscellaneous > Licenses.

The license key is a text file containing information about the purchased product: the owner, number of licenses, and the expiration date.

The license manager window allows you to upload and view the content of a license key using the Add… button – the information contained is displayed in the manager. To delete license files from the list, click Remove.

If a license key has expired and you are interested in purchasing a renewal, click the Order… button – you will be redirected to our online store.

5. Advanced user

This chapter describes features of ESET Smart Security which may be useful for more advanced users. Setup options for these features are accessible only in Advanced mode. To switch to Advanced mode, click Change... in the bottom left corner of the main program window, or press CTRL + M on your keyboard.

5.1 Proxy server setup

In ESET Smart Security, proxy server setup is available in two different sections within the Advanced Setup tree.

First, proxy server settings can be configured under Miscellaneous > Proxy server. Specifying the proxy server at this level defines global proxy server settings for all of ESET Smart Security. Parameters here will be used by all modules requiring connection to the Internet.

To specify proxy server settings for this level, select the Use proxy server checkbox and then enter the address of the proxy server into the Proxy server: field, along with the Port number of the proxy server.

If communication with the proxy server requires authentication, select the Proxy server requires authentication checkbox and enter a valid Username and Password into the respective fields. Click the Detect proxy server button to automatically detect and insert proxy server settings. The parameters specified in Internet Explorer will be copied.

NOTE: This feature does not retrieve authentication data (username and password), it must be supplied by you.

Proxy server settings can also be established within Advanced update setup (Update branch of the Advanced Setup tree). This setting applies for the given update profile and is recommended for laptops, as they often receive virus signature updates from different locations. For more information about this setting, see Section 4.4, “Updating the program”.

5.2 Import and export settings

Importing and exporting configurations of ESET Smart Security is available in Advanced mode under Setup.

Both import and export use the .xml file type. Import and export are useful if you need to backup the current configuration of ESET Smart Security to be able to use it later. The export settings option is also convenient for users who wish to use their preferred configuration of ESET Smart Security on multiple systems - they can easily import an .xml file to transfer the desired settings.

5.2.1 Import settings

Importing a configuration is very easy. From the main menu, click Setup > Import and export settings, and then select the Import settings option. Enter the name of the configuration file or click the ... button to browse for the configuration file you wish to import.

5.2.2 Export settings

The steps to export a configuration are very similar. From the main menu, click Setup > Import and export settings.... Select the Export settings option and enter the name of the configuration file. Use the browser to select a location on your computer to save the configuration file.

5.3 Command Line

ESET Smart Security’s antivirus module can be launched via the command line – manually (with the “ecls” command) or with a batch (“bat”) file.

The following parameters and switches can be used while running the On-demand scanner from the command line:

General options:
– help                       show help and quit
– version                    show version information and quit
– base-dir=FOLDER            load modules from FOLDER
– quar-dir=FOLDER            quarantine FOLDER
– aind                       show activity indicator

Targets:
– files                      scan files (default)
– no-files                   do not scan files
– boots                      scan boot sectors (default)
– no-boots                   do not scan boot sectors
– arch                       scan archives (default)
– no-arch                    do not scan archives
– max-archive-level=LEVEL    maximum archive nesting LEVEL
– scan-timeout=LIMIT         scan archives for LIMIT seconds at maximum. If the scanning time reaches this limit, the scanning of the archive is stopped and the scan will continue with the next file
– max-arch-size=SIZE         scan only the first SIZE bytes in archives (default 0 = unlimited)
– mail                       scan email files
– no-mail                    do not scan email files
– sfx                        scan self-extracting archives
– no-sfx                     do not scan self-extracting archives
– rtp                        scan runtime packers
– no-rtp                     do not scan runtime packers
– exclude=FOLDER             exclude FOLDER from scanning
– subdir                     scan subfolders (default)
– no-subdir                  do not scan subfolders
– max-subdir-level=LEVEL     maximum subfolder nesting LEVEL (default 0 = unlimited)
– symlink                    follow symbolic links (default)
– no-symlink                 skip symbolic links
– ext-remove=EXTENSIONS
– ext-exclude=EXTENSIONS     exclude EXTENSIONS delimited by colon from scanning

Methods:
– adware                     scan for Adware/Spyware/Riskware
– no-adware                  do not scan for Adware/Spyware/Riskware
– unsafe                     scan for potentially unsafe applications
– no-unsafe                  do not scan for potentially unsafe applications
– unwanted                   scan for potentially unwanted applications
– no-unwanted                do not scan for potentially unwanted applications
– pattern                    use signatures
– no-pattern                 do not use signatures
– heur                       enable heuristics
– no-heur                    disable heuristics
– adv-heur                   enable advanced heuristics
– no-adv-heur                disable advanced heuristics

Cleaning:
– action=ACTION              perform ACTION on infected objects. Available actions: none, clean, prompt
– quarantine                 copy infected files to Quarantine (supplements ACTION)
– no-quarantine              do not copy infected files to Quarantine

Logs:
– log-file=FILE              log output to FILE
– log-rewrite                overwrite output file (default – append)
– log-all                    log also clean files
– no-log-all                 do not log clean files (default)

Possible exit codes of the scan:

0      – no threat found
1      – threat found but not cleaned
10     – some infected files remained
101    – archive error
102    – access error
103    – internal error

NOTE: Exit codes greater than 100 mean that the file was not scanned and thus can be infected.
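When the scanner is driven from a script, the exit codes above decide what happens next, and the NOTE means that a code above 100 must never be treated as a clean result. The following added example (not ESET code) runs a scanner command once per target and fails closed on unscanned, unknown or failed runs. The scanner command line is supplied by the caller, and appending the target as the last argument, like the function names, is an assumption of this sketch.

```python
import subprocess
import sys

# Exit codes exactly as listed in the guide.
EXIT_MEANINGS = {
    0: "no threat found",
    1: "threat found but not cleaned",
    10: "some infected files remained",
    101: "archive error",
    102: "access error",
    103: "internal error",
}


def classify_exit_code(code):
    """Reduce a scanner exit code to a verdict a script can act on."""
    if code == 0:
        return "clean"
    if code in (1, 10):
        return "infected"
    if code is not None and code > 100:
        return "not_scanned"  # per the NOTE: the object can still be infected
    return "unknown"          # a code the guide does not list


def scan_targets(scanner_cmd, targets, timeout=3600):
    """Run the scanner once per target and aggregate the verdicts.

    scanner_cmd is the full command line as a list, for example the ecls
    executable followed by options from the table above.
    """
    results = []
    for target in targets:
        try:
            code = subprocess.run(list(scanner_cmd) + [target],
                                  timeout=timeout).returncode
            verdict = classify_exit_code(code)
            detail = EXIT_MEANINGS.get(code, "exit code not listed in the guide")
        except subprocess.TimeoutExpired:
            code, verdict, detail = None, "not_scanned", "scan timed out"
        except OSError as exc:  # scanner missing or not executable
            code, verdict, detail = None, "not_scanned", str(exc)
        results.append({"target": target, "exit_code": code,
                        "verdict": verdict, "detail": detail})
    # Fail closed: only an explicit 0 for every target counts as clean,
    # and an empty target list is never reported as clean.
    all_clean = bool(results) and all(r["verdict"] == "clean" for r in results)
    return {"all_clean": all_clean, "results": results}


if __name__ == "__main__":
    # Constructed stand-in for the scanner so the demo runs anywhere:
    # it exits with the number passed as its "target".
    stand_in = [sys.executable, "-c", "import sys; sys.exit(int(sys.argv[-1]))"]
    report = scan_targets(stand_in, ["0", "10", "102"])
    for row in report["results"]:
        print("%(target)s -> %(verdict)s (%(detail)s)" % row)
    print("all clean:", report["all_clean"])
```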

5.4 ESET SysInspector

ESET SysInspector is an application that thoroughly inspects your computer and displays system data in a comprehensive way. Information about installed drivers and applications, network connections or important registry entries can help you investigate suspicious system behavior and determine whether it is due to software/hardware incompatibility or malware infection.

You can access SysInspector two ways: From the integrated version in ESET Smart Security or by downloading the standalone version (SysInspector.exe) for free from ESET’s website. To open SysInspector, activate Advanced mode by pressing CTRL + M and clicking Tools > SysInspector. Both versions are identical in function and have the same program controls. The only difference is how outputs are managed. The downloaded and integrated versions each allow you to export system snapshots to an .xml file and save them to disk. However, the integrated version also allows you to store your system snapshots directly in Tools > SysInspector (for more information see section 5.4.1.4, “SysInspector as part of ESET Smart Security 4”).

Please allow some time while ESET SysInspector scans your computer. It may take from 10 seconds up to a few minutes depending on your hardware configuration, operating system and the number of applications installed on your computer.

5.4.1 User Interface and application usage

The main window includes four sections – Program Controls on the top, the Navigation window on the left, and the Description window on the right which is directly above the Details window.

5.4.1.1 Program Controls

This section contains descriptions of all program controls available in ESET SysInspector.

File – Click here to store your current report status for later investigation or to open a previously stored report. If you want to publish your report we recommend you choose Generate > Suitable for sending. This report format omits sensitive information.

NOTE: You can open previously stored ESET SysInspector reports by dragging-and-dropping them into the main window.

Tree – Allows you to expand or close all nodes.

List – Contains functions for easier navigation within the program as well as various other functions like finding information online.

NOTE: Items highlighted in red are unknown and are therefore considered potentially dangerous. If an item is in red, it does not automatically mean that you can delete the file. Before deleting, please make sure that the files are truly dangerous or not needed.

Help – Contains information about the application and its functions.

Detail – Influences information displayed in other sections of SysInspector. In Basic mode you have access to information used to find solutions for common problems in your system. In Medium mode the program displays less used details. In Full mode ESET SysInspector displays detailed information needed to solve more complex problems.

Item filtering – The most effective use of Item filtering is to find suspicious files or registry entries in your system. By adjusting the slider you can filter items by their Risk Level. If the slider is set to the far left (Risk Level 1) then all items are displayed. By moving the slider to the right, the program filters out items that are less risky than the current Risk Level and only displays items that are more suspicious than the displayed level. With the slider on the far right, the program displays only known harmful items.

All items within the range 6 to 9 can pose a security risk. If you do not have an ESET security solution installed, we recommend you scan your system with the ESET Online scanner after the program has found any high-risk items. ESET Online scanner is a free service and can be found at http://www.eset.com/onlinescan/.

NOTE: The Risk level of an item can be determined quickly by comparing the color of the item with the color on the Risk Level slider.

Search – Search can be used to quickly find a specific item by its name or part of its name. The results of search requests are displayed in the Description window.

Return – By clicking the back or forward arrow you can return to previously displayed information in the Description window.

Status section – Displays the current node in the Navigation window.

5.4.1.2 Navigating in ESET SysInspector

ESET SysInspector divides various types of information into several basic sections called nodes. If available, you may find additional details by expanding each node into its subnodes. To open or collapse a node, double-click the name of the node or click the expand or collapse symbol next to the name of the node. As you browse through the tree structure of nodes and subnodes in the Navigation window you may find various details for each node shown in the Description window. If you browse through items in the Description window, additional details for each item may display in the Details window.

Below are descriptions of the main nodes in the Navigation window and related information in the Description and Details windows.

Running processes – This node contains information about applications and processes running at the time the report was generated. The Description window displays details for each process, such as dynamic libraries used by the process and their location in the system, the name of the application’s vendor, the risk level of the file, etc.

The Details window contains additional information about items selected in the Description window such as the file size or its hash.

NOTE: An operating system is comprised of several important kernel processes which run continually in order to provide basic functions vital to other applications. In certain cases, such processes are displayed in ESET SysInspector as a file path beginning with \??\. These symbols indicate a safe and accurate configuration.

Network connections – The Description window contains a list of processes and applications communicating over the network. The communication protocol used is shown in the Navigation window (TCP or UDP) along with the remote address to which the application is connecting. You can also check DNS assigned IP addresses.

The Details window contains additional information about items selected in the Description window such as the file size or its hash.

Important Registry Entries – Contains a list of selected registry entries often related to various problems with your system such as specifying startup programs, browser helper objects (BHO), etc.

In the Description window you may find which files are related to specific registry entries. You may see additional details in the Details window.

Services – The Description window contains a list of files registered as Windows Services. You may check the way the service is set to start along with specific details about the file in the Details window.

Drivers – The list of drivers installed on the system.

Critical files – The Description window displays content of critical files related to the Microsoft Windows® operating system.

System information – Contains detailed information about hardware and software along with information about set environmental variables and user rights.

File details – A list of important system files and files in the Program Files folder. Additional information specific to the files can be found in the Description and Details windows.

About – Information about ESET SysInspector

5.4.1.3 Compare

The Compare feature allows you to compare two existing SysInspector logs in order to highlight items not common to both logs. This feature is useful if you want to keep track of changes to the system and may allow you to detect the activity of malicious code.

After launching, ESET SysInspector creates a new log, which is displayed in a new window. Navigate to File > Save Log to save a log to a file. Log files can later be opened and viewed. To open an existing log, click File > Open Log. In the main program window, ESET SysInspector always displays one log at a time.

If you are comparing two logs, it’s important to compare a currently active log to a log saved in a file. To compare logs, use the option File > Compare Log and choose Select file. The selected log will be compared to the active one in the main program window. The resulting so-called comparative log will display only differences between those two logs.

NOTE: If you compare two log files, select File > Save Log, and save it as a .zip file, both files are saved. If you later open this file, the contained logs are automatically compared.

Next to the displayed items, SysInspector shows symbols identifying differences between the compared logs. Items marked by one symbol can only be found in the active log and were not present in the opened comparative log. Items marked by another symbol, on the other hand, were present only in the opened log and are missing in the active one.

Description of all symbols that can be displayed next to items:

• new value, not present in the previous log

• tree structure section contains new values

• removed value, present in the previous log only

• tree structure section contains removed values

• value / file has been changed

• tree structure section contains modified values / files

• the risk level has decreased / it was higher in the previous log

• the risk level has increased / it was lower in the previous log

The explanation section displayed in the bottom left corner describes all symbols and also displays the names of the logs which are being compared.

Any comparative log can be saved to a file and opened at a later time.

Example: Generate and save a log, recording original information about the system, to a file named previous.xml. After changes to the system have been made, open SysInspector and let it generate a new log. Save it to a file named current.xml.

In order to track changes between those two logs, click File > Compare Log. The program will create a comparative log showing differences between the logs.

The same result can be achieved if you use the following command line option:

SysInspector.exe current.xml previous.xml

5.4.1.4 SysInspector as part of ESET Smart Security 4

To open SysInspector in ESET Smart Security, click Tools > SysInspector. The management system in the SysInspector window is similar to that of computer scan logs, or scheduled tasks. All operations with system snapshots (create, view, compare, remove and export) are accessible within one or two clicks.

The SysInspector window contains basic information about the created snapshots such as create time, short comment, name of the user that created the snapshot and snapshot status.

To Compare, Add..., or Remove snapshots, use the corresponding buttons located below the list of snapshots in the SysInspector window. Those options are also available from the context menu. To view the selected system snapshot, use the View context menu option. To export the selected snapshot to a file, right-click it and select Export.... A detailed description of the available options is shown below:

Compare – Allows you to compare two existing logs. This feature is useful if you want to track changes between the current log and an older log. For this option to take effect you must select two snapshots to be compared.

Add – Creates a new record. Before that you must enter a short comment about the record. To see the snapshot creation progress (of the currently generated snapshot) in percent, see the Status column. All completed snapshots are marked by the Created status.

Remove – Removes entries from the list

Show – Displays the selected snapshot. Alternatively, you can double-click the selected entry.

Export... – Saves the selected entry in an .xml file (as well as a .zip version)

5.4.1.5 Service script

Service script is a tool that directly influences the operating system and installed applications, allowing users to execute scripts that remove problematic components in the system, including viruses, remnants of viruses, blocked files, virus records in the registry, etc. The script is stored in a text file generated from a pre-existing .xml file. The data in the .txt script file is ordered simply and legibly, for ease of use. The script will initially exhibit neutral behavior. In other words, it will not have any impact on the system while in its original form. The user needs to edit the script for it to have any effect.

Warning: This tool is intended for advanced users only. Incorrect use may result in damage to programs or the operating system.

5.4.1.5.1 Generating Service scripts

To generate a script, right-click any item from the menu tree (in the left pane) in the SysInspector main window. From the context menu, select either the Export All Sections To Service Script option or the Export Selected Sections To Service Script option.

5.4.1.5.2 Structure of the Service script

In the first line of the script’s header you can find information about the Engine version (ev), GUI version (gv) and the Log version (lv). You can use this data to track possible changes in the .xml file that generates the script and prevent any inconsistencies during execution. This part of the script should not be altered.

The remainder of the file is divided into sections in which items can be edited (denote those that will be processed by the script). You mark items for processing by replacing the “-” character in front of an item with a “+” character. Sections in the script are separated from each other by an empty line. Each section has a number and title.

01) Running processes

This section contains a list of all processes running in the system. Each process is identified by its UNC path and, subsequently, its CRC16 hash code in asterisks (*).

Example:

01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*
[...]

In this example a process, module32.exe, was selected (marked by a “+” character); the process will end upon execution of the script.

02) Loaded modules

This section lists currently used system modules.

Example:

02) Loaded modules:
- c:\windows\system32\svchost.exe
- c:\windows\system32\kernel32.dll
+ c:\windows\system32\khbekhb.dll
- c:\windows\system32\advapi32.dll
[...]

In this example the module khbekhb.dll was marked by a “+”. When the script runs, it will recognize the processes using that specific module and end them.

03) TCP connections

This section contains information about existing TCP connections.

Example:

03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
- Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006,
- Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe
Listening on *, port 445 (microsoft-ds), owner: System
[...]

When the script runs, it will locate the owner of the socket in the marked TCP connections and stop the socket, freeing system resources.

04) UDP endpoints

This section contains information about existing UDP endpoints.

Example:

04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
+ 0.0.0.0, port 3702
- 0.0.0.0, port 4500 (ipsec-msft)
- 0.0.0.0, port 500 (isakmp)
[...]

When the script runs, it will isolate the owner of the socket at the marked UDP endpoints and stop the socket.

05) DNS server entries

This section contains information about the current DNS server configuration.

Example:

05) DNS server entries:
+ 204.74.105.85
- 172.16.152.2
[...]

Marked DNS server entries will be removed when you run the script.

06) Important registry entries

This section contains information about important registry entries.

Example:

06) Important registry entries:
* Category: Standard Autostart (3 items)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
- IgfxTray = C:\Windows\system32\igfxtray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Google Update = "C:\Users\antoniak\AppData\Local\Google\Update\GoogleUpdate.exe" /c
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://thatcrack.com/
[...]

The marked entries will be deleted, reduced to 0-byte values or reset to their default values upon script execution. The action to be applied to a particular entry depends on the entry category and key value in the specific registry.

07) Services

This section lists services registered within the system.

Example:

07) Services:
- Name: Andrea ADI Filters Service, exe path: c:\windows\system32\aeadisrv.exe, state: Running, startup: Automatic
- Name: Application Experience Service, exe path: c:\windows\system32\aelupsvc.dll, state: Running, startup: Automatic
- Name: Application Layer Gateway Service, exe path: c:\windows\system32\alg.exe, state: Stopped, startup: Manual
[...]

The services marked and their dependent services will be stopped and uninstalled when the script is executed.

08) Drivers

This section lists installed drivers.

Example:

08) Drivers:
- Name: Microsoft ACPI Driver, exe path: c:\windows\system32\drivers\acpi.sys, state: Running, startup: Boot
- Name: ADI UAA Function Driver for High Definition Audio Service, exe path: c:\windows\system32\drivers\adihdaud.sys, state: Running, startup: Manual
[...]

When you execute the script, the drivers selected will be unregistered from the system and removed.

09) Critical files

This section contains information about files critical to proper function of the operating system.

Example:

09) Critical files:
* File: win.ini
- [fonts]
- [extensions]
- [files]
- MAPI=1
[...]
* File: system.ini
- [386Enh]
- woafont=dosapp.fon
- EGA80WOA.FON=EGA80WOA.FON
[...]
* File: hosts
- 127.0.0.1 localhost
- ::1 localhost
[...]

The selected items will either be deleted or reset to their original values.
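A pre-run review of an edited Service script, as an added example that is not part of the ESET guide or ESET's own code: it lists every item marked "+" together with the effect this guide describes for its section, and flags a missing empty line between sections. The function names, the sample script and its header placeholder are constructed for illustration; the guide does not show the real header line format, so the header is kept as opaque text.

```python
import re

# Effect of a "+" mark per section number, paraphrased from the guide text.
ACTIONS = {
    "01": "process will be ended",
    "02": "processes using the module will be ended",
    "03": "socket of the connection owner will be stopped",
    "04": "socket of the endpoint owner will be stopped",
    "05": "DNS server entry will be removed",
    "06": "registry entry will be deleted, zeroed or reset to default",
    "07": "service and its dependent services will be stopped and uninstalled",
    "08": "driver will be unregistered and removed",
    "09": "item will be deleted or reset to its original value",
}

SECTION_RE = re.compile(r"^(\d{2})\)\s*(.*?):?\s*$")
# Accept ASCII '-' and the non-breaking hyphen (U+2011) that PDF extraction leaves.
ITEM_RE = re.compile(r"^([+\-\u2011])\s+(\S.*)$")


def audit_service_script(text):
    """Return (header, marked, problems) for a Service script given as text."""
    lines = text.splitlines()
    if not lines:
        return "", [], ["empty script"]
    header = lines[0]            # ev/gv/lv line; must not be altered, kept opaque
    marked, problems = [], []
    section = None               # (number, title) of the section being read
    group = key = ""             # last "* Category/File" line, last unprefixed line
    prev_blank = False
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            prev_blank = True
            continue
        sec = SECTION_RE.match(line)
        item = ITEM_RE.match(line)
        if sec:
            # The guide names a missing empty line between sections as a
            # consistency error that stops the script from being accepted.
            if section is not None and not prev_blank:
                problems.append(
                    f"line {lineno}: no empty line before section {sec.group(1)}")
            section = (sec.group(1), sec.group(2))
            group = key = ""
        elif section is None:
            problems.append(f"line {lineno}: content before first section")
        elif item:
            if item.group(1) == "+":
                marked.append({
                    "line": lineno,
                    "section": section[0],
                    "title": section[1],
                    "context": " > ".join(p for p in (group, key) if p),
                    "item": item.group(2),
                    "action": ACTIONS.get(section[0],
                                          "effect not described in the guide"),
                })
        elif line.startswith("*"):
            group, key = line.lstrip("* ").strip(), ""
        else:
            key = line           # e.g. a registry key path above its values
        prev_blank = False
    return header, marked, problems


def format_report(marked, problems):
    """Render the audit as printable lines for review before File > Run Service Script."""
    out = [f'[{m["section"]} {m["title"]}] line {m["line"]}: {m["item"]} -> {m["action"]}'
           for m in marked]
    out += [f"CONSISTENCY: {p}" for p in problems]
    return out


# Constructed sample built from the guide's own example items. Section 06 is
# deliberately not preceded by an empty line.
SAMPLE = r"""<header line with ev/gv/lv values; constructed placeholder>
01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
+ C:\Windows\system32\module32.exe *CF8A*

05) DNS server entries:
+ 204.74.105.85
- 172.16.152.2
06) Important registry entries:
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://thatcrack.com/
"""

if __name__ == "__main__":
    _, marked_items, found_problems = audit_service_script(SAMPLE)
    print("\n".join(format_report(marked_items, found_problems)))
```

Reviewing this list before running the script matters most for sections 07 to 09, where a stray "+" removes a service, a driver or a line of a critical file.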

5.4.1.5.3 How to execute Service scripts

Mark all desired items, then save and close the script. Run the edited script directly from the SysInspector main window by selecting the Run Service Script option from the File menu. When you open a script, the program will prompt you with the following message: Are you sure you want to run the service script “%Scriptname%”? After you confirm your selection, another warning may appear, informing you that the service script you are trying to run has not been signed. Click Run to start the script.

A dialog window will confirm successful execution of the script.

If the script could only be partially processed, a dialog window with the following message will appear: The service script was run partially. Do you want to view the error report? Select Yes to view a complex error report listing the operations that were not executed.

Your script was not recognized as valid and will not be run if you see the following message: Are there any issues with the script consistency (damaged heading, corrupt section title, empty line missing between sections etc.)? You can either reopen the script file and correct the errors within the script or create a new service script.

5.5 ESET SysRescue

ESET SysRescue (ESR) is a utility which enables you to create a bootable disk containing ESET Smart Security 4 (ESS). The main advantage of ESET Recovery CD is that ESS runs independent of the host operating system, while it has direct access to the disk and the entire file system. This makes it possible to remove infiltrations which normally could not be deleted, e.g., when the operating system is running, etc.

5.5.1 Minimum requirements

ESET SysRescue (ESR) works in the Microsoft Windows Preinstallation Environment (Windows PE) version 2.x, which is based on Windows Vista. Windows PE is a part of the free package Windows Automated Installation Kit (Windows AIK), and therefore Windows AIK must be installed before creating ESR. Due to the support of the 32-bit version of Windows PE, ESR can be created using the 32-bit version of ESS only. ESR supports Windows AIK 1.1 and later. ESR is available in ESS 4.0 and later.

5.5.2 How to create rescue CD

If the minimum requirements for the creation of ESET SysRescue (ESR) CD are met, it is quite an easy task to accomplish. To launch the ESR wizard, click Start > Programs > ESET > ESET Smart Security > ESET SysRescue.

First, the wizard checks for the presence of Windows AIK and a suitable device for the boot media creation.

In the next step select the target media where ESR will be located. In addition to CD/DVD/USB you can choose to save ESR in an .iso file. Later, you can burn the .iso image on CD/DVD, or use it in other ways (e.g., in a virtual environment such as VMware or VirtualBox).

After you have specified all parameters, you will see a compilation preview in the last step of ESET SysRescue wizard. Check the parameters and start the compilation. The available options include:

• Folders
• ESET Antivirus
• Advanced
• Bootable USB device
• Burning

5.5.2.1 Folders

Temporary folder – Working directory for files required during ESET SysRescue compilation.

ISO folder – Folder where the resulting .iso file is saved after the compilation is completed.

The list on this tab shows all local and mapped network drives together with the available free space. If any of the folders here are located on a drive with insufficient free space, we recommend that you select another drive with more free space available. Otherwise compilation may exit prematurely due to insufficient free disk space.

External applications – Allows you to specify additional programs that will be run or installed after booting from a SysRescue medium.

Include external applications – Allows you to add external programs to the SysRescue compilation

Selected folder – Folder in which programs to be added to the SysRescue disk are located

5.5.2.2 ESET Antivirus

To create an ESET SysRescue CD, you can select two sources of ESET files to be used by the compiler.

ENA folder – Files already contained in the folder to which the ESET product is installed on your computer

MSI file – Files contained in the .msi installer are used

Profile – You can use one of the following two sources of username and password:

Installed ENA – Username and password are copied from the currently installed ESET security product

From user – Username and password entered in the corresponding text boxes below are used

NOTE: The ESET security product on the ESET SysRescue CD is updated either from the Internet or from the computer running the ESET SysRescue CD.

5.5.2.3 Advanced

The Advanced tab lets you optimize ESET SysRescue CD according to your computer’s memory capacity. Select 512 MB and more to write the content of the CD to the operating memory (RAM). If you select less than 512 MB, the recovery CD will be permanently accessed when WinPE is running.

External drivers – This section explains how to add drivers for your specific hardware (e.g., network adapter). Although WinPE is based on Windows Vista SP1, which supports a large range of hardware, occasionally hardware is not recognized. This will require that you add a driver manually.

There are two ways of introducing a driver into an ESET SysRescue compilation: manually (the Add button) and automatically (the Aut. Search button). If you manually add a driver, you need to select the path to the corresponding .inf file (the applicable *.sys file must also be present in this folder). Using the Aut. Search button automatically locates the driver in the operating system of the given computer. We recommend you use this option only if the original computer on which the SysRescue disc was created and the computer you are restoring to use the same network adapter. During creation of ESET SysRescue, the driver is introduced into the compilation so you do not need to look for it later.


5.5.2.4 Bootable USB device

If you have selected USB device as your target medium, you can select one of the available USB media on the Bootable USB device tab (in case there are more USB devices).

Warning: The selected USB device will be formatted during ESET SysRescue creation. All data on the device will be deleted.

5.5.2.5 Burn

If you have selected CD/DVD as your target medium, you can specify additional burning parameters on the Burn tab.

Delete ISO file – Select this option to delete .iso files after the ESET Rescue CD is created.

Deletion enabled – Allows you to select fast erasing and complete erasing.

Burning device – Select the drive to be used for burning.

Warning: This is the default option. If a rewritable CD/DVD is used, all data on the CD/DVD will be erased.

The Medium section contains information about the current medium inserted in your CD/DVD device.

Burning speed – Select the desired speed from the drop-down menu. The capabilities of your burning device and the type of CD/DVD used should be considered when selecting the burning speed.

5.5.3 Working with ESET SysRescue

For the rescue CD/DVD/USB to work effectively, you must start your computer from the ESET SysRescue boot media. Boot priority can be modified in the BIOS. Alternatively, you can invoke the boot menu during computer startup, usually using one of the F9-F12 keys depending on the version of your motherboard/BIOS.

After booting up, ESS will start. Since ESET SysRescue is used only in specific situations, some protection modules and program features present in the standard version of ESS are not needed; their list is narrowed down to Computer scan, Update, and some sections in Setup. The ability to update the virus signature database is the most important feature of ESET SysRescue; we recommend that you update the program prior to starting a Computer scan.

5.5.3.1 Using ESET SysRescue

Suppose that computers in the network have been infected by a virus which modifies executable (.exe) files. ESS is capable of cleaning all infected files except for explorer.exe, which cannot be cleaned, even in Safe mode.

This is because explorer.exe, as one of the essential Windows processes, is launched in Safe mode as well. ESS would not be able to perform any action with the file and it would remain infected.

In this type of scenario, you could use ESET SysRescue to solve the problem. ESET SysRescue does not require any component of the host operating system, and is therefore capable of processing (cleaning, deleting) any file on the disk.


6. Glossary

6.1 Types of infiltration

An Infiltration is a piece of malicious software trying to enter and/or damage a user’s computer.

6.1.1 Viruses

A computer virus is an infiltration that corrupts existing files on your computer. Viruses are named after biological viruses, because they use similar techniques to spread from one computer to another.

Computer viruses mainly attack executable files and documents. To replicate, a virus attaches its “body” to the end of a target file. In short, this is how a computer virus works: after execution of the infected file, the virus activates itself (before the original application) and performs its predefined task. Only after that is the original application allowed to run. A virus cannot infect a computer unless a user, either accidentally or deliberately, runs or opens the malicious program by him/herself.

Computer viruses can range in purpose and severity. Some of them are extremely dangerous because of their ability to purposely delete files from a hard drive. On the other hand, some viruses do not cause any damage – they only serve to annoy the user and demonstrate the technical skills of their authors.

It is important to note that viruses (when compared to trojans or spyware) are increasingly rare because they are not commercially enticing for malicious software authors. Additionally, the term “virus” is often used incorrectly to cover all types of infiltrations. This usage is gradually being overcome and replaced by the new, more accurate term “malware” (malicious software).

If your computer is infected with a virus, it is necessary to restore infected files to their original state – i.e., to clean them by using an antivirus program.

Examples of viruses are: OneHalf, Tenga, and Yankee Doodle.

6.1.2 Worms

A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The basic difference between a virus and a worm is that worms have the ability to replicate and travel by themselves – they are not dependent on host files (or boot sectors). Worms spread through email addresses in your contact list or exploit security vulnerabilities in network applications.

Worms are therefore much more viable than computer viruses. Due to the wide availability of the Internet, they can spread across the globe within hours or even minutes of their release. This ability to replicate independently and rapidly makes them more dangerous than other types of malware.

A worm activated in a system can cause a number of inconveniences: It can delete files, degrade system performance, or even deactivate programs. The nature of a computer worm qualifies it as a “means of transport” for other types of infiltrations.

If your computer is infected with a worm, we recommend you delete the infected files because they likely contain malicious code.

Examples of well-known worms are: Lovsan/Blaster, Stration/Warezov, Bagle, and Netsky.

6.1.3 Trojan horses

Historically, computer trojan horses have been defined as a class of infiltrations which attempt to present themselves as useful programs, thus tricking users into letting them run. But it is important to note that this was true for trojan horses in the past – today, there is no longer a need for them to disguise themselves. Their sole purpose is to infiltrate as easily as possible and accomplish their malicious goals. “Trojan horse” has become a very general term describing any infiltration not falling under any specific class of infiltration.

Since this is a very broad category, it is often divided into many subcategories:

Downloader – A malicious program with the ability to download other infiltrations from the Internet.

Dropper – A type of trojan horse designed to drop other types of malware onto compromised computers.

Backdoor – An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it.

Keylogger (keystroke logger) – A program which records each keystroke that a user types and sends the information to remote attackers.

Dialer – Dialers are programs designed to connect to premium-rate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dial-up modems, which are no longer regularly used.

Trojan horses usually take the form of executable files with the extension .exe. If a file on your computer is detected as a trojan horse, it is advisable to delete it, since it most likely contains malicious code.

Examples of well-known trojans are: NetBus, Trojandownloader.Small.ZL, Slapper

6.1.4 Rootkits

Rootkits are malicious programs that grant Internet attackers unlimited access to a system, while concealing their presence. Rootkits, after accessing a system (usually exploiting a system vulnerability), use functions in the operating system to avoid detection by antivirus software: they conceal processes, files and Windows registry data. For this reason, it is almost impossible to detect them using ordinary testing techniques.

There are two levels of detection to prevent rootkits:

1. When they try to access a system. They are still not present, and are therefore inactive. Most antivirus systems are able to eliminate rootkits at this level (assuming that they actually detect such files as being infected).

2. When they are hidden from the usual testing. ESET NOD32 Antivirus users have the advantage of Anti-Stealth technology, which is also able to detect and eliminate active rootkits.

6.1.5 Adware

Adware is short for advertising-supported software. Programs displaying advertising material fall under this category. Adware applications often automatically open a new pop-up window containing advertisements in an Internet browser, or change the browser’s home page. Adware is frequently bundled with freeware programs, allowing their creators to cover development costs of their (usually useful) applications.

Adware itself is not dangerous – users will only be bothered with advertisements. Its danger lies in the fact that adware may also perform tracking functions (as spyware does).

If you decide to use a freeware product, please pay particular attention to the installation program. The installer will most likely notify you of the installation of an extra adware program. Often you will be allowed to cancel it and install the program without adware.

Some programs will not install without adware, or their functionality will be limited. This means that adware may often access the system in a “legal” way, because users have agreed to it. In this case, it is better to be safe than sorry. If there is a file detected as adware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.

6.1.6 Spyware

This category covers all applications which send private information without user consent/awareness. Spyware uses tracking functions to send various statistical data such as a list of visited websites, email addresses from the user’s contact list, or a list of recorded keystrokes.

The authors of spyware claim that these techniques aim to find out more about users’ needs and interests and allow better-targeted advertisement. The problem is that there is no clear distinction between useful and malicious applications and no one can be sure that the retrieved information will not be misused. The data obtained by spyware applications may contain security codes, PINs, bank account numbers, etc. Spyware is often bundled with free versions of a program by its author in order to generate revenue or to offer an incentive for purchasing the software. Often, users are informed of the presence of spyware during a program’s installation to give them an incentive to upgrade to a paid version without it.

Examples of well-known freeware products which come bundled with spyware are client applications of P2P (peer-to-peer) networks. Spyfalcon or Spy Sheriff (and many more) belong to a specific spyware subcategory – they appear to be antispyware programs, but in fact they are spyware programs themselves.

If a file is detected as spyware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.

6.1.7 Potentially unsafe applications

There are many legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands, they may be misused for malicious purposes. ESET Smart Security provides the option to detect such threats.

“Potentially unsafe applications” is the classification used for commercial, legitimate software. This classification includes programs such as remote access tools, password-cracking applications, and keyloggers (a program that records each keystroke a user types).

If you find that there is a potentially unsafe application present and running on your computer (and you did not install it), please consult your network administrator or remove the application.

6.1.8 Potentially unwanted applications

Potentially unwanted applications are not necessarily intended to be malicious, but may affect the performance of your computer in a negative way. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (compared to the state before their installation). The most significant changes are:

• New windows you haven’t seen previously are opened

• Activation and running of hidden processes

• Increased usage of system resources

• Changes in search results

• Application communicates with remote servers

6.2 Types of remote attacks

There are many special techniques which allow attackers to compromise remote systems. These are divided into several categories.

6.2.1 DoS attacks

DoS, or Denial of Service, is an attempt to make a computer or network unavailable for its intended users. The communication between afflicted users is obstructed and can no longer continue in a functional way. Computers exposed to DoS attacks usually need to be restarted in order to work properly.

In most cases, the targets are web servers and the aim is to make them unavailable to users for a certain period of time.

6.2.2 DNS Poisoning

Using DNS (Domain Name Server) poisoning, hackers can trick the DNS server of any computer into believing that the fake data they supplied is legitimate and authentic. The fake information is cached for a certain period of time, allowing attackers to rewrite DNS replies of IP addresses. As a result, users trying to access Internet websites will download computer viruses or worms instead of their original content.

6.2.3 Worm attacks

A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The network worms exploit security vulnerabilities in various applications. Due to the availability of the Internet, they can spread all over the world within a few hours of their release. In some cases, even in minutes.

Most worm attacks (Sasser, SqlSlammer) can be avoided by using default security settings in the firewall, or by blocking unprotected and unused ports. Also, it is essential that your operating system is updated with the most recent security patches.

6.2.4 Port scanning

Port scanning is used to determine which computer ports are open on a network host. A port scanner is software designed to find such ports.

A computer port is a virtual point which handles incoming and outgoing data – this is crucial from a security point of view. In a large network, the information gathered by port scanners may help to identify potential vulnerabilities. Such use is legitimate.

Still, port scanning is often used by hackers attempting to compromise security. Their first step is to send packets to each port. Depending on the response type, it is possible to determine which ports are in use. The scanning itself causes no damage, but be aware that this activity can reveal potential vulnerabilities and allow attackers to take control of remote computers.

Network administrators are advised to block all unused ports and protect those that are in use from unauthorized access.

6.2.5 TCP desynchronization

TCP desynchronization is a technique used in TCP Hijacking attacks. It is triggered by a process in which the sequential number in incoming packets differs from the expected sequential number. Packets with an unexpected sequential number are dismissed (or saved in the buffer storage, if they are present in the current communication window).

In desynchronization, both communication endpoints dismiss received packets, at which point remote attackers are able to infiltrate and supply packets with a correct sequential number. The attackers can even manipulate or modify communication.

TCP Hijacking attacks aim to interrupt server-client, or peer-to-peer communications. Many attacks can be avoided by using authentication for each TCP segment. It is also advised to use the recommended configurations for your network devices.


6.2.6 SMB Relay

SMBRelay and SMBRelay2 are special programs that are capable of carrying out attacks against remote computers. The programs take advantage of the Server Message Block file sharing protocol, which is layered onto NetBIOS. A user sharing any folder or directory within the LAN most likely uses this file sharing protocol.

Within local network communication, password hashes are exchanged.

SMBRelay receives a connection on UDP port 139 and 445, relays the packets exchanged by the client and server, and modifies them. After connecting and authenticating, the client is disconnected. SMBRelay creates a new virtual IP address. The new address can be accessed using the command “net use \\192.168.1.1”. The address can then be used by any of the Windows networking functions. SMBRelay relays SMB protocol communication except for negotiation and authentication. Remote attackers can use the IP address, as long as the client computer is connected.

SMBRelay2 works on the same principle as SMBRelay, except it uses NetBIOS names rather than IP addresses. Both can carry out “man-in-the-middle” attacks. These attacks allow remote attackers to read, insert and modify messages exchanged between two communication endpoints without being noticed. Computers exposed to such attacks often stop responding or unexpectedly restart.

To avoid attacks, we recommend that you use authentication passwords or keys.

6.2.7 ICMP attacks

The ICMP (Internet Control Message Protocol) is a popular and widely-used Internet protocol. It is used primarily by networked computers to send various error messages.

Remote attackers attempt to exploit the weaknesses of the ICMP protocol. The ICMP protocol is designed for one-way communication requiring no authentication. This enables remote attackers to trigger so-called DoS (Denial of Service) attacks, or attacks which give unauthorized individuals access to incoming and outgoing packets.

Typical examples of an ICMP attack are ping flood, ICMP_ECHO flood and smurf attacks. Computers exposed to the ICMP attack are significantly slower (this applies to all applications using the Internet) and have problems connecting to the Internet.

6.3 Email

Email,orelectronicmail,isamodernformofcommunicationwithmanyadvantages.Itisflexible,fastanddirect,andplayedacrucialroleintheproliferationoftheInternetintheearly1990‘s.

Unfortunately,withahighlevelofanonymity,emailandtheInternetleaveroomforillegalactivitiessuchasspamming.Spamincludesunsolicitedadvertisements,hoaxesandproliferationofmalicioussoftware–malware.Theinconvenienceanddangertoyouisincreasedbythefactthatthecostofsendingspamisminimal,andauthorsofspamhavemanytoolstoacquirenewemailaddresses.Inaddition,thevolumeandvarietyofspammakesitverydifficulttoregulate.Thelongeryouuseyouremailaddress,themorelikelyitwillendupinaspamenginedatabase.Somehintsforprevention:

• If possible, don’t publish your email address on the Internet

• Only give your email address to trusted individuals

• If possible, don’t use common aliases – with more complicated aliases, the probability of tracking is lower

• Don’t reply to spam that has already arrived in your inbox

• Be careful when filling out Internet forms – be especially cautious of options such as “Yes, I want to receive information”.

• Use “specialized” email addresses – e.g., one for business, one for communication with your friends, etc.

• From time to time, change your email address

• Use an Antispam solution

6.3.1 Advertisements

Internet advertising is one of the most rapidly growing forms of advertising. Its main marketing advantages are minimal costs and a high level of directness; what’s more, messages are delivered almost immediately. Many companies use email marketing tools to effectively communicate with their current and prospective customers.

This type of advertising is legitimate, since you may be interested in receiving commercial information about some products. But many companies send unsolicited bulk commercial messages. In such cases, email advertising crosses the line and becomes spam.

The amount of unsolicited email has become a problem and it shows no signs of slowing. Authors of unsolicited email often attempt to disguise spam as legitimate messages.

6.3.2 Hoaxes

A hoax is misinformation which is spread across the Internet. Hoaxes are usually sent via email or communication tools like ICQ and Skype. The message itself is often a joke or Urban Legend.

Computer Virus hoaxes try to generate fear, uncertainty and doubt (FUD) in the recipients, bringing them to believe that there is an “undetectable virus” deleting files and retrieving passwords, or performing some other harmful activity on their system.

Some hoaxes work by asking recipients to forward messages to their contacts, perpetuating the hoax. There are mobile phone hoaxes, pleas for help, people offering to send you money from abroad, etc. It is often impossible to determine the intent of the creator.

If you see a message prompting you to forward it to everyone you know, it may very well be a hoax. There are many websites on the Internet that can verify if an email is legitimate. Before forwarding, perform an Internet search on any message you suspect is a hoax.

6.3.3 Phishing

The term phishing defines a criminal activity which uses techniques of social engineering (manipulating users in order to obtain confidential information). Its aim is to gain access to sensitive data such as bank account numbers, PIN codes, etc.

Access is usually achieved by sending email masquerading as a trustworthy person or business (e.g., financial institution, insurance company). The email can look very genuine, and will contain graphics and content which may have originally come from the source it is impersonating. You will be asked to enter, under various pretenses (data verification, financial operations), some of your personal data – bank account numbers or usernames and passwords. All such data, if submitted, can easily be stolen and misused.

Banks, insurance companies, and other legitimate companies will never request usernames and passwords in an unsolicited email.

6.3.4 Recognizing spam scams

Generally, there are a few indicators which can help you identify spam (unsolicited emails) in your mailbox. If a message fulfills at least some of the following criteria, it is most likely a spam message.

• Sender address does not belong to someone on your contact list

• You are offered a large sum of money, but you have to provide a small sum first

• You are asked to enter, under various pretenses (data verification, financial operations), some of your personal data – bank account numbers, usernames and passwords, etc.

• It is written in a foreign language

• You are asked to buy a product you are not interested in. If you decide to purchase anyway, please verify that the message sender is a reliable vendor (consult the original product manufacturer).

• Some of the words are misspelled in an attempt to trick your spam filter. For example “vaigra” instead of “viagra”, etc.

6.3.4.1 Rules

In the context of Antispam solutions and email clients, rules are tools for manipulating email functions. They consist of two logical parts:

1. Condition (e.g., an incoming message from a certain address)

2. Action (e.g., deletion of the message, moving it to a specified folder)

The number and combination of rules varies with the Antispam solution. These rules serve as measures against spam (unsolicited email). Typical examples:

• 1. Condition: An incoming email message contains some of the words typically seen in spam messages
  2. Action: Delete the message

• 1. Condition: An incoming email message contains an attachment with an .exe extension
  2. Action: Delete the attachment and deliver the message to the mailbox

• 1. Condition: An incoming email message arrives from your employer
  2. Action: Move the message to the “Work” folder.

We recommend that you use a combination of rules in Antispam programs in order to facilitate administration and to more effectively filter spam.

6.3.4.1 Bayesian filter

Bayesian spam filtering is an effective form of email filtering used by almost all Antispam products. It is able to identify unsolicited email with high accuracy and can work on a per-user basis.

The functionality is based on the following principle: The learning process takes place in the first phase. The user manually marks a sufficient number of messages as legitimate messages or as spam (normally 200/200). The filter analyzes both categories and learns, for example, that spam usually contains the words “rolex” or “viagra”, and legitimate messages are sent by family members or from addresses in the user’s contact list. Provided that a sufficient number of messages are processed, the Bayesian filter is able to assign a specific “spam index” to each message in order to determine whether it is spam or not.

The main advantage of a Bayesian filter is its flexibility. For example, if a user is a biologist, all incoming emails concerning biology or related fields of study will generally receive a lower probability index. If a message includes words that would normally qualify it as unsolicited, but it is sent by someone from the user’s contact list, it will be marked as legitimate, because senders from a contact list decrease overall spam probability.
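The learning phase and the “spam index” described above can be sketched as a small naive Bayes classifier. This is an added example, not ESET's implementation: the class name, the Laplace smoothing, the contact-list feature tokens and the six training messages (constructed, far fewer than the 200/200 the guide mentions) are all assumptions.

```python
import math
import re
from collections import Counter

class BayesianFilter:
    """Per-user naive Bayes spam filter (illustrative, hypothetical names)."""

    def __init__(self, contacts=()):
        self.contacts = {c.lower() for c in contacts}
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def features(self, sender, body):
        words = set(re.findall(r"[a-z0-9']+", body.lower()))
        # Contact-list membership is learned like any other feature.
        words.add("<contact>" if sender.lower() in self.contacts else "<stranger>")
        return words

    def train(self, sender, body, label):
        self.messages[label] += 1
        self.counts[label].update(self.features(sender, body))

    def spam_index(self, sender, body):
        """Return P(spam | message) between 0 and 1."""
        n_spam, n_ham = self.messages["spam"], self.messages["ham"]
        log_odds = math.log((n_spam + 1) / (n_ham + 1))
        for f in self.features(sender, body):
            # Laplace smoothing so unseen words never give a zero probability.
            p_spam = (self.counts["spam"][f] + 1) / (n_spam + 2)
            p_ham = (self.counts["ham"][f] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training set for a user who is a biologist.
TRAINING = [
    ("promo@deals.example", "cheap rolex watches buy now", "spam"),
    ("win@lotto.example", "viagra discount buy now", "spam"),
    ("offer@shop.example", "rolex replica cheap offer", "spam"),
    ("anna@lab.example", "cell culture protocol for monday", "ham"),
    ("anna@lab.example", "enzyme assay results attached", "ham"),
    ("journal@bio.example", "new enzyme paper on cell biology", "ham"),
]

def build_filter():
    f = BayesianFilter(contacts=["anna@lab.example"])
    for sender, body, label in TRAINING:
        f.train(sender, body, label)
    return f
```
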

6.3.4.2 Whitelist

In general, a whitelist is a list of items or persons who are accepted, or have been granted permission. The term “email whitelist” defines a list of contacts from whom the user wishes to receive messages. Such whitelists are based on keywords searched for in email addresses, domain names, or IP addresses.

If a whitelist works in “exclusivity mode”, then messages from any other address, domain, or IP address will not be received. If a whitelist is not exclusive, such messages will not be deleted, but filtered in some other way.

A whitelist is based on the opposite principle to that of a blacklist. Whitelists are relatively easy to maintain, more so than blacklists. We recommend that you use both the Whitelist and Blacklist to filter spam more effectively.

6.3.4.3 Blacklist

Generally, a blacklist is a list of unaccepted or forbidden items or persons. In the virtual world, it is a technique enabling acceptance of messages from all users not present on such a list.

There are two types of blacklist: Those created by users within their Antispam application, and professional, regularly updated blacklists which are created by specialized institutions and can be found on the Internet.

It is essential to use blacklists to successfully block spam, but they are difficult to maintain, since new items to be blocked appear every day. We recommend you use both a whitelist and a blacklist to most effectively filter spam.

6.3.4.5 Server-side control

Server-side control is a technique for identifying mass spam based on the number of received messages and the reactions of users. Each message leaves a unique digital “footprint” based on the content of the message. The unique ID number tells nothing about the content of the email. Two identical messages will have identical footprints, while different messages will have different footprints.

If a message is marked as spam, its footprint is sent to the server. If the server receives more identical footprints (corresponding to a certain spam message), the footprint is stored in the spam footprints database. When scanning incoming messages, the program sends the footprints of the messages to the server. The server returns information on which footprints correspond to messages already marked by users as spam.
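The report-and-lookup exchange described above, as an added example that is not ESET's code or protocol. The guide does not say how a footprint is computed or how many reports are needed, so the SHA-256 digest over whitespace-normalised text, the threshold of three distinct reporters, and all names and sample messages here are assumptions.

```python
import hashlib
from collections import defaultdict

def footprint(body: str) -> str:
    """One-way digest of the content: reveals nothing about the text,
    identical messages map to identical footprints (SHA-256 is an assumption)."""
    normalised = " ".join(body.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()

class FootprintServer:
    """Hypothetical server holding the spam footprints database."""

    def __init__(self, threshold=3):
        self.threshold = threshold           # assumed number of distinct reporters
        self.reporters = defaultdict(set)    # footprint -> users who reported it
        self.spam_db = set()

    def report_spam(self, user_id, fp):
        # Count distinct users so one client cannot list a message alone.
        self.reporters[fp].add(user_id)
        if len(self.reporters[fp]) >= self.threshold:
            self.spam_db.add(fp)

    def lookup(self, fps):
        """Return the subset of submitted footprints already known as spam."""
        return {fp for fp in fps if fp in self.spam_db}

def simulate():
    server = FootprintServer(threshold=3)
    spam = "WIN a FREE prize!!! Click here"           # constructed sample
    legit = "Minutes from Tuesday's project meeting"  # constructed sample
    for user in ("u1", "u2", "u3"):
        server.report_spam(user, footprint(spam))
    for _ in range(5):                                # one user reporting repeatedly
        server.report_spam("u9", footprint(legit))
    # A client scanning its inbox sends only footprints, never message text.
    inbox = ["win a free   prize!!! click HERE", legit, spam + " today"]
    known = server.lookup(footprint(m) for m in inbox)
    return [footprint(m) in known for m in inbox]
```

The third inbox message differs from the reported spam by one word and is not matched, which is the limit of exact-content footprints: they identify bulk copies, not edited variants.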