
USER GUIDE


Contents

1. [Figure 34. Configuring application activity control for Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, Microsoft Windows Vista x64] 10.1.2 Application Integrity Control. This Proactive Defense component does not work under Microsoft Windows XP Professional x64 Edition or Microsoft Windows Vista or Microsoft Windows Vista x64. There are a number of programs that are critical for the system that could be used by malicious programs to distribute themselves, such as browsers, mail clients, etc. As a rule, these are system applications and processes used for accessing the Internet, working with email and other documents. It is for this reason that these applications are considered critical in activity control. Proactive Defense monitors these critical applications closely, analyzing their activity and observing other processes which they spawn. Kaspersky Internet Security comes with a list of critical applications, each of which has its own monitoring rule to control application activity. You can extend this list of critical applications, and delete or edit the rules for the applications on the list provided. Besides the list of critical applications, there is a set of trusted modules allowed to be opened in all controlled applications. For example, modules that are dig
2. CHAPTER 2. KASPERSKY INTERNET SECURITY 6.0. Kaspersky Internet Security 6.0 heralds a new generation of data security products. What really sets Kaspersky Internet Security 6.0 apart from other software, even from other Kaspersky Lab products, is its multi-faceted approach to data security. 2.1 What's new in Kaspersky Internet Security 6.0. Kaspersky Internet Security 6.0 (henceforth referred to as "Kaspersky Internet Security" or "the program") has a new approach to data security. The program's main feature is that it combines and noticeably improves the existing features of all the company's products in one security solution. The program provides protection against viruses, spam attacks, hacker attacks, unknown threats, phishing, and rootkits. You will no longer need to install several products on your computer for overall security. It is enough simply to install Kaspersky Internet Security 6.0. Comprehensive protection guards all incoming and outgoing data channels. All of the program's components have flexible settings, which enable Kaspersky Internet Security to adapt to the needs of each user. Configuration of the entire program can be done from one location. Let's take a look at the new features in Kaspersky Internet Security. New Protection Features: Kaspersky Internet Security protects you both from known malicious programs and from programs that have not yet been discovered. Proactive Defense see Cha
3. 14.4 Configuring virus scan tasks. The methods used to scan objects on your computer are determined by the properties assigned for each task. To configure task settings: Select the task name in the Scan section of the main window, right-click on the task name to open the context menu (or click the Actions button on the right of the list of scan objects), and select Settings. You can use the settings window for each task to: select the security level that the task will use (see 14.4.1 on pg. 191); edit advanced settings: define what file types are to be scanned for viruses (see 14.4.2 on pg. 192), configure task start using a different user profile (see 6.4 on pg. 77), configure advanced scan settings (see 14.4.5 on pg. 197); restore default scan settings (see 14.4.3 on pg. 195); select an action that the program will apply when it detects an infected or potentially infected object (see 14.4.4 on pg. 195); create a schedule (see 6.5 on pg. 78) to automatically run tasks. In addition, you can configure global settings (see 14.4.6 on pg. 199) for running all tasks. The following sections examine the task settings listed above in detail. 14.4.1 Selecting a security level. Each virus scan task can be assigned a security level (see fig. 66): High: the most complete scan of the entire computer or individual disks, folders, or files. You are advised to use this level if you suspect that a virus has infected your comp
4. [Figure 99. Traffic on established network connections] 17.4 General information about the program. You can view general information on the program in the Service section of the main window (see fig. 100). [Figure 100. Information on the program, the license, and the system it is installed on] All the information is broken into three sections: The program version, the date of the last update, and the number of threats known to date are displayed in the Product info
5. When you place an object in Quarantine, it is moved, not copied. The object is deleted from the disk or email and is saved in the Quarantine folder. Files in Quarantine are saved in a special format and are not dangerous. 17.1.1 Actions with quarantined objects. The total number of objects in Quarantine is displayed by selecting the Data files item in the Service area of the application's main window. In the right-hand part of the screen, the Quarantine section displays: the number of potentially infected objects detected during Kaspersky Internet Security operation; the current size of Quarantine. Here you can delete all objects in the quarantine with the Clean button. Note that in doing so, the Backup files and report files will also be deleted. To access objects in Quarantine: Left-click in any part of the Quarantine box to open the Protection window, which summarises protection given by the application. You can take the following actions on the Quarantine tab (see fig. 77): Move a file to Quarantine that you suspect is infected but the program did not detect. To do so, click Add and select the file in the standard selection window. It will be added to the list with the status "added by user".
6. Self-Defense protects the program's own files from being modified or damaged by hackers, blocks remote administration from using the program's features, and restricts other users on your computer from performing certain actions in Kaspersky Internet Security (see 17.11.1.3 on pg. 259). For example, changing the level of protection can significantly influence information security on your computer. License Key Manager can obtain detailed information on the license used, activate your copy of the program, and manage license key files (see 17.5 on pg. 242). The program also provides a Help section (see 17.4 on pg. 241) and detailed reports (see 17.3 on pg. 225) on the operation of all protection components and virus scan tasks. Monitored ports can regulate which Kaspersky Internet Security modules control data transferred on select ports (see 17.7 on pg. 246). The Rescue Disk can help restore your computer's functionality after an infection (see 17.10 on pg. 251). This is particularly helpful when you cannot boot your computer's operating system after malicious code has damaged system files. You can also change the appearance of Kaspersky Internet Security and can customize the program interface (see 17.8 on pg. 248). The following sections discuss these features in more detail. 17.1 Quarantine for potentially infected objects. Quarantine is a special storage area that holds potentially infected objects. P
7. When you stop a protection component or a task, all the statistics from previous work are cleared, and when the component is started they are recorded over. 6.1.4 Restoring protection on your computer. If at some point you paused or stopped protection on your computer, you can resume it using one of the following methods. From the context menu: to do so, select Resume protection. From the program's main window: to do so, click the button on the status bar in the Protection section of the main window. The protection status immediately changes to running. The program's system tray icon becomes active (color). The third protection indicator (see 5.1.1 on pg. 53) will also inform you that All protection components are enabled. 6.1.5 Shutting down the program. If you have to shut down Kaspersky Internet Security, select Exit from the program's context menu (see 4.2 on pg. 46). This will close the program, leaving your computer unprotected. If network connections that the program monitors are active on your computer when you close the program, a notice will appear on the screen stating that these connections will be interrupted. This is necessary for the program to shut down correctly. The connections are terminated automatically after ten seconds or by clicking the Yes button. The majority of connections will resume after a brief time. Note that if you are downloading a file
8. Inactive (gray) names of the disabled components in the Protection section of the main window; inactive (gray) system tray icon; the third protection indicator (see 5.1.1 on pg. 53) on your computer, which shows that No protection components are enabled. 6.1.2 Stopping protection. Stopping protection means fully disabling your protection components. Virus scans and updates continue to work in this mode. If protection is stopped, it can only be resumed by the user: protection components will not automatically resume after system or program restarts. Remember that if Kaspersky Internet Security is somehow in conflict with other programs installed on your computer, you can pause individual components or create an exclusion list (see 6.3 on pg. 68). To stop all protection: 1. Open the Kaspersky Internet Security main window. 2. Select the Protection section and click Settings. 3. In the program settings window, uncheck Enable protection. After disabling protection, all protection components will stop. This is indicated by: inactive (gray) names of the disabled components in the Protection section of the main window; inactive (gray) system tray icon; the third protection indicator (see 5.1.1 on pg. 53) on your computer, which shows that All protection components are disabled. 6.1.3 Pausing/stopping protection components, virus scans, and update tasks. There are several ways to stop a protection compo
9. 13.3.10 Configuring spam processing in Microsoft Outlook Express. Email that is classified by Anti-Spam as spam or potential spam is by default marked with special markings, SPAM or Probable Spam, in the Subject line. Additional actions for spam and potential spam in Microsoft Outlook Express can be found in the settings window that opens (see fig. 62) when you click the Configuration button near the Spam and Not Spam buttons on the tasks panel. [Figure 62. Configuring spam processing in Microsoft Outlook Express] It opens automatically when you first open the email client after installing the program, and asks if you want to configure spam processing. You can assign the following processing rules for both spam and potential spam: Move to folder: spam is moved to the specified folder. Copy to folder: a copy is created of the email and it is moved to the specified folder. The original email stays in your Inbox. Delete: deletes spam from the user's mailbox. Skip: leaves the email in your Inbox. To assign these rules
10. To install the application in the background and then restart the computer, enter: msiexec /i <package name> ALLOWREBOOT=1 /qn 3.4 Upgrading from 5.0 to 6.0. If Kaspersky Anti-Virus 5.0 for Windows Workstations, Kaspersky Anti-Virus Personal, or Kaspersky Anti-Virus Personal Pro is installed on your computer, you can upgrade it to Kaspersky Internet Security 6.0. After you start the Kaspersky Internet Security 6.0 installation program, you will be given the choice of first uninstalling the already installed version 5.0 of the product. When the program has been uninstalled, you must restart your computer, and installation of version 6.0 will then begin. Warning: If you are installing Kaspersky Internet Security 6.0 from a password-protected network folder over a previous version of the program, please take note of the following. After uninstalling version 5.0 of the application and restarting your computer, the installation program will not allow you to access the network folder where the application installer package is located. This will result in the program installation being interrupted. To install the program correctly, only run the installer from a local folder. CHAPTER 4. PROGRAM INTERFACE. Kaspersky Internet Security has a straightforward, user-friendly interface. This chapter will discuss its basic features: System tray icon (see 4.1 on pg. 45); Context m
11. [Figure 14. Configuring an update task from another profile] 6.5 Configuring virus scan and update schedules. You can run virus scan and update tasks manually, or automatically using a schedule. Virus scans preinstalled with the application are started automatically according to a selected schedule, except for startup items, which are scanned every time you start your computer. Similarly, scheduling is switched off for the update tasks created during installation. The Updater runs automatically as updates are released on the Kaspersky Lab servers. To alter schedule settings, select the task name in the main program window in the Scan section (for virus scans) or the Service section (for update tasks), and open the settings window by clicking Settings. To have tasks start according to a schedule, check the automatic task start box in the Run Mode section. You can edit the times for starting the scan task in the Schedule window (see fig. 15) that opens when you click Change. [Figure 15. Configuring a task schedule] The most important step is t
12. [Figure 5. The program's general statistics box] You can left-click anywhere in the box to view a report with detailed information. The tabs display: Information on objects found (see 17.3.2 on pg. 229) and the status assigned to them; Event log (see 17.3.3 on pg. 230); General scan statistics (see 17.3.4 on pg. 231) for your computer; Program performance settings (see 17.3.5 on pg. 231). 5.2 How to scan your computer for viruses. After installation, the application will without fail inform you, with a special notice in the lower left-hand part of the application window, that the server has not yet been scanned, and will recommend that you scan it for viruses immediately. Kaspersky Internet Security includes a task for a computer virus scan, located in the Scan section of the program's main window. After you select the task named My Computer, the right-hand panel will display the following: statistics for the most recent computer scan; task settings; what level of protection is selected, and what actions will be taken for dangerous objects. To scan your computer for malicious programs: Click the Scan button in the right-hand part of the screen. As a result, the program will start scanning your computer, and the details will be shown in a special window. When you click the Close button, the window with infor
13. make sure that the installer package is in the folder and that you have access to it. 3. Select Start > Programs > Kaspersky Internet Security 6.0 > Modify, Repair, or Remove. An installation wizard then will open for the program. Let's take a closer look at the steps of repairing, modifying, or deleting the program. Step 1. Installation Welcome window. If you take all the steps described above necessary to repair or modify the program, the Kaspersky Internet Security installation welcome window will appear. To continue, click the Next button. Step 2. Selecting an operation. At this stage, you select which operation you want to run. You can modify the program components, repair the installed components, remove components, or remove the entire program. To execute the operation you need, click the appropriate button. The program's response depends on the operation you select. Modifying the program is like custom program installation, where you can specify which components you want to install and which you want to delete. Repairing the program depends on the program components installed. The files will be repaired for all components that are installed, and the Recommended security level will be set for each of them. If you remove the program, you can select which data created and used by the program you want to save on your computer. To delete all Kaspersky Internet Security data, selec
14. program that runs in split time mode; drv: device driver; vxd: Microsoft Windows virtual device driver; pif: program information file; lnk: Microsoft Windows link file; reg: Microsoft Windows system registry key file; ini: initialization file; cla: Java class; vbs: Visual Basic script; vbe: BIOS video extension; js, jse: JavaScript source text; htm: hypertext document; htt: Microsoft Windows hypertext header; hta: hypertext program for Microsoft Internet Explorer; asp: Active Server Pages script; chm: compiled HTML file; pht: HTML with built-in PHP scripts; php: script built into HTML files; wsh: Windows Script Host file; wsf: Microsoft Windows script; the: Microsoft Windows 95 desktop wallpaper; hlp: Win Help file; eml: Microsoft Outlook Express email file; nws: Microsoft Outlook Express new email file; msg: Microsoft Mail email file; plg: email; mbx: extension for saved Microsoft Office Outlook emails; doc: Microsoft Office Word document; dot: Microsoft Office Word document template; fpm: database program, start file for Microsoft Visual FoxPro; rtf: Rich Text Format document; shs: Shell Scrap Object Handler fragment; dwg: AutoCAD blueprint database; msi: Microsoft Windows Installer package; otm: VBA project for Microsoft Office Outlook; pdf: Adobe Acrobat document; swf: Shockwave Flash file; jpg, jpeg: comp
15. 12.9 List of network attacks detected. There are currently a multitude of network attacks that utilize operating system vulnerabilities and other software, system or otherwise, installed on your computer. Malefactors are constantly perfecting attack methods, learning how to steal confidential information, making your system malfunction, or take over your computer to use it as part of a zombie network for carrying out new attacks. To ensure your computer's security, you must know what kinds of network attacks you might encounter. Known network attacks can be divided into three major groups: Port scan: this threat is not an attack in its own right but usually precedes one, since it is one of the common ways of obtaining information about a remote computer. The UDP/TCP ports used by the network tools on the computer in question are scanned to find out what state they are in (closed or open). Port scans can tell a hacker what types of attacks will work on the system and what types will not. In addition, the information obtained by the scan will let the hacker determine what operating system the remote computer uses. This in turn further restricts the number of potential attacks and, correspondingly, the time spent running them. It also aids a hacker in attempting to use vulnerabilities particular to that operating system. DoS (Denial of Service) attacks: these are attacks that render the attacked system unsta
16. [Figure 77. List of quarantined objects] Scan and disinfect all potentially infected objects in Quarantine using the current threat signatures by clicking Scan all. After scanning and disinfecting any quarantined object, its status may change to infected, potentially infected, false positive, OK, etc. The infected status means that the object has been identified as infected but it could not be treated. You are advised to delete such objects. All objects marked false positive can be restored, since their former status as potentially infected was not confirmed by the program once scanned again. Restore the files to a folder selected by the user or their original folder prior to Quarantine (default). To restore an object, select it from the list and click Restore. When restoring objects from archives, email databases, and email format files placed in Quarantine, you must also select the directory to restore them to. Tip: We recommend that you only restore objects with the status false positive, OK, and disinfected, since restoring other objects could lead to infecting your
17. intensive applications, since the scope of email scanning is limited. Thus, only your incoming email is scanned on this level, and in doing so archives and objects (emails) attached are not scanned if they take more than three minutes to scan. This level is recommended if you have additional email protection software installed on your computer. [Figure 24. Selecting an email security level] By default, the email security level is set to Recommended. You can raise or lower the email security level by selecting the level you want or editing the settings for the current level. To change the security level: Adjust the sliders. By altering the security level, you define the ratio of scan speed to the total number of objects scanned: the fewer email objects are scanned for dangerous objects, the higher the scan speed. If none of the preinstalled levels meets your needs, you can edit its settings. If you do, the level will be set to Custom. Let's look at an example of when user-defined email security levels could be useful. Example: Your computer is outside the local area network and uses a dial-up Internet connection. You use Microsoft Outlook Express as an email client for receiving and sending email, and you use a free email service. For a number of reasons, your email contains archived attachments. How do yo
18. [Figure 13. Adding an application to the trusted list] When you select a program, Kaspersky Internet Security records the internal attributes of the executable file and uses them to identify the trusted program during scans. The file path is inserted automatically when you select its name. 3. Specify which actions performed by this process will not be monitored: Do not scan opened files: excludes from the scan all files that the trusted application process. Do not control restrict application activity: excludes from Proactive Defense monitoring any activity, suspicious or otherwise, that the trusted application performs. Do not control restrict registry access: excludes from scanning any accesses of the system registry initiated by the trusted application. Do not scan network traffic: excludes from scans for viruses and spam any network traffic initiated by the trusted application. You can exclude all the application's network traffic or encrypted traffic (SSL) from the scan. To do so, click the "all" link. It will change to "encrypted". In addition, you can restrict the exclusion by assigning a remote host/port. To create a restriction, click "any", which will change to "selected", and enter a value for the remote port/host. Note that if Do not scan network traffic is checked, traffic for that application will only be scanned for viruses and spam. However, this does not affect whethe
19. Read the EULA through carefully. If you do not agree with the terms of the EULA, you can return your boxed product to the reseller from whom you purchased it and be reimbursed for the amount you paid for the program. If you do so, the sealed envelope for the installation disk must still be sealed. By opening the sealed installation disk, you accept all the terms of the EULA. 2.5 Support for registered users. Kaspersky Lab provides its registered users with an array of services to make Kaspersky Internet Security more effective. When the program has been activated, you become a registered user and will have the following services available until the license expires: New versions of the program free of charge; Consultation on questions regarding installation, configuration, and operation of the program, by phone and email; Notifications on new Kaspersky Lab product releases and new viruses (this service is for users that subscribe to Kaspersky Lab news mailings). Kaspersky Lab does not provide technical support for operating system use and operation, or for any products other than its own. CHAPTER 3. INSTALLING KASPERSKY INTERNET SECURITY 6.0. You can fully or partially install Kaspersky Internet Security on your computer. If you choose partial installation, you can select the components to install or automatically install just anti-virus components (see Step 9 of the install
20. SINGLE ENTITY CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. IF YOU HAVE PURCHASED THIS SOFTWARE ON A PHYSICAL MEDIUM, HAVING BROKEN THE CD'S SLEEVE YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT BREAK THE CD'S SLEEVE, DOWNLOAD, INSTALL OR USE THIS SOFTWARE. IN ACCORDANCE WITH THE LEGISLATION, REGARDING KASPERSKY SOFTWARE INTENDED FOR INDIVIDUAL CONSUMERS PURCHASED ONLINE FROM THE KASPERSKY LAB OR ITS PARTNER'S INTERNET WEB SITE, CUSTOMER SHALL HAVE A PERIOD OF FOURTEEN (14) WORKING DAYS AS FROM THE DELIVERY OF PRODUCT TO MAKE RETURN OF IT TO THE MERCHANT FOR EXCHANGE OR REFUND, PROVIDED THE SOFTWARE IS NOT UNSEALED. REGARDING THE KASPERSKY SOFTWARE INTENDED FOR INDIVIDUAL CONSUMERS NOT PURCHASED ONLINE VIA INTERNET, THIS SOFTWARE NEITHER WILL BE RETURNED NOR EXCHANGED EXCEPT FOR CONTRARY PROVISIONS FROM THE PARTNER WHO SELLS THE PRODUCT. IN THIS CASE, KASPERSKY LAB WILL NOT BE HELD BY THE PARTNER'S CLAUSES. THE RIGHT TO RETURN AND REFUND EXTENDS ONLY TO THE ORIGINAL PURCHASER. All references to "Software" herein shall be deemed to include the software activation code with which you will be pro
21. The Settings tab (see fig. 85) displays a complete overview of the settings for components, virus scans, and program updates. You can find out the current security level for a component or virus scan, what actions are being taken with dangerous objects, or what settings are being used for program updates. Use the Change settings link to configure the component. You can configure advanced settings for virus scans: Establish the priority of scan tasks used if the processor is heavily loaded. The default setting for Concede resources to other applications is unchecked. With this feature, the program tracks the load on the processor and disk subsystems for the activity of other applications. If the load on the processor increases significantly and prevents the user's applications from operating normally, the program reduces scanning activity. This increases scan time and frees up resources for the user's applications. [Figure 85: the Settings tab, a Parameter/Value table]
22. The program records operations with registry keys that have been attempted since the program was started on the Registry tab (see fig. 87), unless forbidden by a rule (see 10.1.4.2 on pg. 131). [Figure 87. Read and modify system registry events. Columns: Time, Application, Key name, Value name, Data, Data type, Operation, Status] The tab lists the full name of the key, its value, the data type, and information about the operation that has taken place: what action was attempted, at what time, and whether it was allowed. 17.3.8 The P
23. To mark a certain email as spam or not spam: 1. Select it from the report list on the Events tab and use the Actions button. 2. Select one of the four options: Mark as spam; Mark as accepted; Add to white list; Add to black list. [Figure 55. Training Anti-Spam from reports] Anti-Spam will continue further training based on this email. 13.3 Configuring Anti-Spam. Fine-tuning Anti-Spam is essential for the spam security feature. All settings for component operation are located in the Kaspersky Internet Security settings window and allow you to: Determine the particulars of operation of Anti-Spam (see 13.3.1 on pg. 171); Choose which spam filtration technologies to use (see 13.3.2 on pg. 172); Regulate the recognition accu
24. To prioritize application rules, take the following steps: 1. Select the application name. 2. Use the Move up and Move down buttons on the application rules tab to move rules on the list, changing their priority ranking. To prioritize packet filtering rules, take the following steps: 1. Select the rule on the Rules for Packet Filtering tab. 2. Use the Move up and Move down buttons on the packet filtering tab to move rules on the list, thereby changing their priority ranking. 12.6 Rules for security zones. After you install Anti-Hacker on your computer, it analyzes your computer's network environment. Based on the analysis, it breaks down the entire network space into zones: Internet: the World Wide Web. In this zone, Kaspersky Internet Security operates as a personal firewall, using default application and packet filtering rules to regulate all network activity and ensure maximum security. You cannot change protection settings when working in this zone, other than to enable Stealth Mode on your computer for added safety. Security zones: certain conventional zones that mostly correspond with subnets that your computer is registered on (this could be local subnets at home or at work). These zones are usually average risk-level zones. You can change the status of these zones based on how much you trust a certain subnet, and you can configure appropriate rules for packet filtering and applications. If Anti
25. and compliance with specific business requirements. Kaspersky Lab's anti-virus database is updated every hour. The company provides its customers with a 24-hour technical support service, which is available in several languages to accommodate its international clientele. B.1. Other Kaspersky Lab Products. Kaspersky Anti-Virus 6.0: Kaspersky Anti-Virus 6.0 is designed to safeguard personal computers against malicious software as an optimal combination of conventional methods of anti-virus protection and new proactive technologies. The program provides for complex anti-virus checks, including: anti-virus scanning of email traffic at the level of the data transmission protocol (POP3, IMAP and NNTP for incoming email and SMTP for outgoing messages), irrespective of the email client being used, as well as disinfection of email databases; real-time anti-virus scanning of Internet traffic transferred via HTTP; anti-virus scanning of individual files, directories or drives. In addition, a preset scan task can be used to initiate anti-virus analysis exclusively for critical areas of the operating system and start-up objects of Microsoft Windows. Proactive protection offers the following features: Control of changes within file system. The program allows users to create a list of applications which it will control on a per-component basis. It helps protect application integrity against the influence of malicious
26. select the appropriate value from the dropdown list in the Spam or Probable Spam section. 13.3.11. Configuring spam processing in The Bat. This option is only supported for the 32-bit build of The Bat for computers running Microsoft Windows XP Professional x64 Edition and Microsoft Windows Vista x64. Actions for spam and probable spam in The Bat are defined by the email client's own tools. To set up spam processing rules in The Bat: 1. Select Preferences from the email client's Options menu. 2. Select Anti-Spam from the settings tree (see fig. 63). The protection settings for spam presented extend to all anti-spam modules installed on the computer that support work with The Bat. You must set the rating level and specify how to respond to emails with a certain rating (in the case of Anti-Spam, the likelihood that the email is spam): delete the emails with a rating higher than a given value; move emails with a given range of ratings to a special folder for spam; move spam marked with special headers to the spam folder; leave spam in your Inbox.
27. software. Monitoring of processes in random access memory: Kaspersky Anti-Virus 6.0 notifies users in a timely manner whenever it detects dangerous, suspicious or hidden processes, or in cases when unauthorized changes occur in standard processes. Monitoring of changes in OS registry due to internal system registry control. Blocking of dangerous VBA macros in Microsoft Office documents. System restoration after malicious actions by spyware, accomplished because the application records all changes to the registry and computer file system and enables their roll-back at the user's discretion. Kaspersky Lab News Agent: The News Agent is intended for timely delivery of news published by Kaspersky Lab, for notifications about the current state of virus activity and fresh news. The program reads the list of available news channels and their content from the Kaspersky Lab news server at a specified frequency. The product performs the following functions: A system tray icon indicates the current status of virus activity. The product allows the users to subscribe and unsubscribe from news channels. It retrieves news from each subscribed channel at the specified frequency and notifies the user of fresh news. It allows news on the subscribed channels to be reviewed. It allows the list of channels and their status to be edited. It allows opening pages with news details in your brow
28. www.viruslist.com (for example, not-a-virus:RiskWare.RemoteAdmin.RA.311 or Flooder.Win32.Fuxx); threat name by mask. For example: not-a-virus excludes potential dangerous programs from the scan, as well as joke programs; Riskware excludes riskware from the scan; RemoteAdmin excludes all remote administration programs from the scan. APPENDIX B. KASPERSKY LAB. Founded in 1997, Kaspersky Lab has become a recognized leader in information security technologies. It produces a wide range of data security software and delivers high-performance, comprehensive solutions to protect computers and networks against all types of malicious programs, unsolicited and unwanted email messages, and hacker attacks. Kaspersky Lab is an international company. Headquartered in the Russian Federation, the company has representative offices in the United Kingdom, France, Germany, Japan, USA (CA), the Benelux countries, China, Poland and Romania. A new company department, the European Anti-Virus Research Centre, has recently been established in France. Kaspersky Lab's partner network incorporates more than 500 companies worldwide. Today, Kaspersky Lab employs more than 450 specialists, each of whom is proficient in anti-virus technologies, with 10 of them holding M.B.A. degrees, 16 holding Ph.D.s, and senior experts holding membership in the Computer Anti-Virus Researchers Organization (CARO). Kaspersky Lab offers best of b
29. 8.2.5 Selecting actions for dangerous email objects; CHAPTER 9. WEB ANTI-VIRUS; 9.1 Selecting the web security level; 9.2 Configuring Web Anti-Virus; 9.2.1 Setting a scan method; 9.2.2 Creating a trusted address list; 9.2.3 Restoring default Web Anti-Virus settings; 9.2.4 Selecting responses to dangerous objects; CHAPTER 10. PROACTIVE DEFENSE; 10.1 Proactive Defense settings; 10.1.1 Activity control rules; 10.1.2 Application Integrity Control; 10.1.2.1 Configuring Application Integrity Control rules; 10.1.2.2 Creating a list of shared components; 10.1.3 Office Guard; 10.1.4 Registry Guard; 10.1.4.1 Selecti
30. Anti-Virus settings. The file scanning mode determines the File Anti-Virus processing conditions. You have the following options: Smart mode. This mode is aimed at speeding up file processing and returning files to the user. When it is selected, a decision to scan is made based on analyzing the operations performed with the file. For example, when using a Microsoft Office file, Kaspersky Internet Security scans the file when it is first opened and last closed. All operations in between that overwrite the file are not scanned. Smart mode is the default. On access and modification: File Anti-Virus scans files as they are opened or edited. On access: only scans files when an attempt is made to open them. On execution: only scans files when an attempt is made to run them. You might need to pause File Anti-Virus when performing tasks that require significant operating system resources. To lower the load and ensure that the user regains access to files quickly, we recommend configuring the component to disable at a certain time or while certain programs are used. To pause the component for a certain length of time, check On schedule and, in the window that opens (see Figure 7), click Schedule to assign a time frame for disabling and resuming the component. To do so, enter a value in the format HH:MM in the corresponding fields.
31. Hacker Training Mode is enabled, a window will open every time your computer connects to a new zone, displaying a basic description about it. You must assign a status to the zone, and network activity will be allowed based on that status. The possible values of the status are as follows: Internet. This is the default status assigned to the Internet, since when you are connected to it, your computer is subjected to all potential threat types. This status is also recommended for networks that are not protected by any anti-virus programs, firewalls, filters, etc. When you select this status, the program ensures maximum security while you are using this zone, specifically: blocking any network NetBios activity within the subnet; blocking application and packet filtering rules that allow NetBios activity within this subnet. Even if you have created an open access directory, the information in it will not be available to users from subnets with this status. Additionally, when you select this status, you cannot access files and printers on other computer networks. Local Network. The program assigns this status to all zones detected when it analyzes the computer's network environment, except the Internet. This status is recommended for zones with an average risk factor (for example, corporate LANs). If you select this status, the program allows: any network NetBios activity within the subnet; application and packet filtering rules that allow
32. NetBios activity within this subnet. Select this status if you want to grant access to certain folders or printers on your computer but block any other outside activity. Trusted. This status is only recommended for zones that you feel are absolutely safe and where your computer will not be subject to attacks or invasions. If you select this status, all network activity is allowed. Even if Maximum Protection is selected and you have created block rules, they will not function for remote computers from a trusted zone. Note that any restrictions of access to files are only in effect without this subnet. You can use Stealth Mode for added security when using networks designated Internet. This feature only allows network activity initiated from your computer, so that your computer becomes invisible to its surroundings. This mode does not affect your computer's performance on the Internet. We do not recommend using Stealth Mode if the computer is being used as a server (for example, an email or HTTP server), as the computers that connect to the server will not see it as connected. The list of zones on which your computer is registered is displayed on the Zones tab (see fig. 50). Each of them is assigned a status, a brief description of the network, and whether Stealth Mode is used. To change a zone's status or to enable/disable Stealth Mode, select the zone from the list and use
33. Professional x64 Edition or computers running Microsoft Windows Vista or Microsoft Windows Vista x64. Kaspersky Internet Security protects you both from known threats and from new ones about which there is no information in the This is ensured by a specially developed component, Proactive Defense. The need for Proactive Defense has grown as malicious programs have begun to spread faster than anti-virus updates can be released to neutralize them. The reactive technique on which anti-virus protection is based requires that a new threat infect at least one computer, and requires enough time to analyze the malicious code, add it to the threat signatures, and update the database on user computers. By that time, the new threat might have inflicted massive damages. [Figure: What is the purpose of proactive defense? Penetration occurs faster than threat signatures are updated.] The preventative technologies provided by Kaspersky Internet Security Proactive Defense do not require as much time as the reactive technique and neutralize new threats before they harm your computer. How is this done? In contrast with reactive technologies, which analyze code using a threat signature database, preventative technologies recognize a new threat on your computer by a sequence of actions executed by a certain prog
34. Security creates a backup copy of it and sends it to Backup (see 17.2 on pg. 223) in case the object needs to be restored or an opportunity arises later to treat it. 14.4.5. Advanced virus scan options. In addition to configuring the basic virus scan settings, you can also use additional settings (see fig. 69). Enable iChecker technology: uses technology that can increase the scan speed by excluding certain objects from the scan. An object is excluded from the scan using a special algorithm that takes into account the release date of the threat signatures, the date the object was last scanned, and modifications to scan settings. [Figure 69. Advanced scan settings] For example, you have an archived file that the program scanned and assigned the status of not infected. The next time, the program will skip this archive unless it has been modified or the scan settings have been changed. If the structure of the archive has changed because a new object has been added to it, if the scan settings have changed, or if the threat signatures have been updated, the program will scan the archive again. T
35. [Figure 67. Configuring scan settings] Tip: Do not forget that someone could send a virus to your computer with the extension .txt that is actually an executable file renamed as a .txt file. If you select the Scan programs and documents (by extension) option, the scan would skip such a file. If Scan programs and documents (by content) is selected, the program will analyze file headers, discover that the file is an .exe file, and thoroughly scan it for viruses. In the Productivity section, you can specify that only new files and those that have been modified since the previous scan or new files should be scanned for viruses. This mode noticeably reduces scan time and increases the program's performance speed. To do so, you must check Scan only new and changed files. This mode extends to simple and compound files. You can also set time and file size limits for scanning in the Productivity section. Skip if scan takes longer than ... secs: check this option and enter the maximum scan time
36. [Figure 63. Configuring spam recognition and processing in The Bat] Warning: After processing an email, Kaspersky Internet Security assigns a spam or potential spam status to the email based on a factor (see 13.3.3 on pg. 173) with a value that you can adjust. The Bat has its own spam rating method, also based on a spam factor. To ensure that there is no discrepancy between the spam factor in Kaspersky Internet Security and in The Bat, all the emails scanned by Anti-Spam are assigned a rating in accordance with the email status categories used by The Bat: accepted email: 0; probably spam: 50; spam: 100. This way, the spam rating in The Bat corresponds not to the email factor assigned in Anti-Spam but to the factor of the
37. The Bat. If no malicious code is discovered in the email, it is immediately made available again to the user. A special plug-in (see 8.2.2 on pg. 99) is provided for Microsoft Office Outlook that can configure email scans more exactly. If you use The Bat, Kaspersky Internet Security can be used in conjunction with other anti-virus applications. The rules for processing email traffic (see 8.2.3 on pg. 101) are configured directly in The Bat and supersede the Kaspersky Internet Security email protection settings. When working with other email programs (including Microsoft Outlook Express, Mozilla Thunderbird, Eudora, Incredimail), Mail Anti-Virus scans email on SMTP, POP3, IMAP, MAPI and NNTP protocols. Note that emails transmitted on IMAP are not scanned in Thunderbird if you use filters that move them out of your Inbox. 8.1. Selecting an email security level. Kaspersky Internet Security protects your email at one of these levels (see fig. 24): High: the level with the most comprehensive monitoring of incoming and outgoing emails. The program scans email attachments, including archives, in detail, regardless of how long the scan takes. Recommended: Kaspersky Lab experts recommend this level. It scans the same objects as High, with the exception of attachments or emails that will take more than three minutes to scan. Low: the security level with settings that let you comfortably use resource
38. a personal firewall. In doing so, default rules for packet filtering and applications regulate all network activity to ensure maximum security. You cannot change protection settings when working in this zone, other than enabling Stealth Mode on your computer for added safety. Security zones: certain zones that often correspond with subnets that include your computer (this could be local subnets at home or at work). These zones are by default average risk level zones. You can change the status of these zones based on how much you trust a certain subnet, and you can configure rules for packet filtering and applications. All the zones detected will be displayed in a list. Each of them is shown with a description, their address and subnet mask, and the degree to which any network activity will be allowed or blocked by Anti-Hacker. Internet. This is the default status assigned to the Internet, since when you are connected to it, your computer is subjected to all potential threat types. This status is also recommended for networks that are not protected by any anti-virus programs, firewalls, filters, etc. When you select this status, the program ensures maximum security while you are using this zone, specifically: blocking any network NetBios activity within the subnet; blocking rules for applications and packet filtering that allow NetBios activity within this subnet. Even if you have created an ope
39. any objects. Compound objects can include several objects, each of which may in turn contain other objects. There are many examples: archives, files containing macros, spreadsheets, emails with attachments, etc. The file types scanned are defined in the File types section (see Figure 18). Select one of the three options: Scan all files. With this option selected, all file system objects that are opened, run or saved will be scanned without exceptions. Scan programs and documents (by content). If you select this group of files, File Anti-Virus will only scan potentially infected files (files that a virus could embed itself in). Note: There are a number of file formats that have a fairly low risk of having malicious code injected into them and subsequently being activated. An example would be .txt files. And vice versa, there are file formats that contain or can contain executable code. Examples would be the formats .exe, .dll or .doc. The risk of injection and activation of malicious code in such files is fairly high. Before searching for viruses in a file, its internal header is analyzed for the file format (txt, doc, exe, etc.). If the analysis shows that the file format cannot be infected, it is not scanned for viruses and is immediately returned to the user. If the file format can be infected, the file is scanned for viruses. Scan programs and documents (by extension). If you select
40. [Figure 102. Technical support information] Depending on the problem, we provide several technical support services. User forum. This resource is a dedicated section of the Kaspersky Lab website with questions, comments and suggestions by program users. You can look through the basic topics of the forum and leave a comment yourself. You also might find the answer to your question. To access this resource, use the User forum link. Knowledge Base. This resource is also a dedicated section of the Kaspersky Lab website and contains Technical Support recommendations for using Kaspersky Lab software and answers to frequently asked questions. Try to find an answer to your question or a solution to your problem with this resource. To obtain technical support online, click the Knowledge Base link. Comments on program operation. This service is designed for posting comments on program operation or describing a problem that surfaced in program operation. You must fill out a special form on the company's website that describes the situation in detail. In order to best deal with the problem, Kaspersky Lab will need some information about your computer. You can describe the system configuration on your own or use the automatic information collector on your computer. To go to the comment form, use the S
41. are reference-type messages, which generally do not contain important information (for example: OK, not processed). These events are only reflected in the event log if Display all events is checked. [Figure 83. Events that take place in component operation] The format for displaying events in the event log may vary with the component or task. The following information is given for update tasks: Event name; Na
42. as the Microsoft Office Outlook rule. Use Microsoft Office Outlook rule: With this option, incoming messages are processed based on a hierarchy of the Microsoft Office Outlook rules created. One of the rules must be a rule about Anti-Spam processing emails. This is the best configuration. It will not cause conflicts between Microsoft Office Outlook and the Anti-Spam plug-in. The only drawback to this arrangement is that you must create and delete spam processing rules through Microsoft Office Outlook manually. The Anti-Spam plug-in cannot be used as a Microsoft Office Outlook rule in Microsoft Office XP if you are running Microsoft Windows 9x/ME/NT4, due to an error in Microsoft Office Outlook XP. To create a spam processing rule: 1. Open Microsoft Office Outlook and go to Tools > Rules and Alerts in the main menu. In the Rules and Alerts window that opens, click on New Rule to open the Rules Wizard. The command for opening the Wizard depends on your version of Microsoft Office Outlook. This User Guide describes how to create a rule using Microsoft Office Outlook 2003. 2. The Rule Wizard will guide you through the following windows and steps: Step One. You can choose to create a rule from scratch or from a template. Select Create new rule and select Apply this rule after the message arrives. Click the Next button. Step Two. In the Rule Conditions window, click Next without checking any bo
43. at the top of the list and automatically enables the source by checking the box beside the source name. If several resources are selected as update sources, the application tries to connect to them one after another, starting from the top of the list, and retrieves the updates from the first available source. You can change the order of sources in the list using the Move up and Move down buttons. To edit the list, use the Add, Edit and Remove buttons. The only source you cannot edit or delete is the one labeled Kaspersky Lab's update servers. If you use Kaspersky Lab's update servers as the update source, you can select the optimal server location for downloading updates. Kaspersky Lab has servers in several countries. Choosing the Kaspersky Lab update server closest to you will save you time and download updates faster. To choose the closest server, check Assign region (do not use autodetect) and select the country closest to your current location from the dropdown list. If you check this box, updates will run taking the region selected in the list into account. This checkbox is deselected by default, and information about the current region from the operating system registry is used. 16.4.2. Selecting an update method and what to update. When configuring updating settings, it is important to define what will be updated and what update method will be used. Update objects (see fig. 73) are the component
44. attack database in analysis, which Kaspersky Lab adds to regularly and is updated together with the threat signatures. Your computer is protected at the application level by making your computer's installed applications follow Anti-Hacker's application rules for the use of network resources. Similarly to the network security level, the application level security is built on analyzing data packets for direction, transfer protocol, and what ports they use. However, at the application level, both data packet traits and the specific application that sends and receives the packet are taken into account. Using application rules helps you to configure specific protection, allowing, for example, a certain connection type to be banned for some applications but not for others. There are two Anti-Hacker rule types, based on the two Anti-Hacker security levels: Packet filtering rules (see 12.2.1 on pg. 147). Used to create general restrictions on network activity, regardless of the applications installed. Example: if you create a packet filtering rule that blocks inbound connections on port 21, no applications that use that port (an ftp server, for example) will be accessible from the outside. Application rules (see 12.2 on pg. 145). Used to create restrictions on network activity for specific applications. Example: if connections on port 80 are blocked for each application, you can create a rule that allows connections on that port for Firefox
45. by any command from the command line. The return codes include general codes as well as codes specific to a specific type of task. General return codes: 0: Operation completed successfully; 1: Invalid setting value; 2: Unknown error; 3: Task completion error; 4: Task canceled. Anti-virus scan task return codes: 101: All dangerous objects processed; 102: Dangerous objects detected. CHAPTER 19. MODIFYING, REPAIRING, AND REMOVING THE PROGRAM. You can uninstall the application in the following ways: using the application's Installation Wizard (see 19.2 on pg. 279); from the command prompt (see 19.2 on pg. 279). 19.1. Modifying, repairing, and removing the program using Install Wizard. You may find it necessary to repair the program if you detect errors in its operation after incorrect configuration or file corruption. Modifying the program can install missing Kaspersky Internet Security components and delete unwanted ones. To repair or modify Kaspersky Internet Security missing components or delete the program: 1. Exit the program. To do so, left-click on the program icon in the system tray and select Exit from the context menu. 2. Insert the installation CD into the CD-ROM drive, if you used one to install the program. If you installed Kaspersky Internet Security from a different source (public access folder, folder on the hard drive, etc.)
46. can define the maximum time that backup copies remain in the Backup area. The default Backup storage time is 30 days, at the end of which backup copies are deleted. You can change the storage time or remove this restriction altogether. To do so: 1. Open the Kaspersky Internet Security settings window by clicking Settings in the main program window. 2. Select Data files from the settings tree. 3. Set the duration for storing backup copies in the repository in the Quarantine and Backup section (see fig. 78) on the right-hand part of the screen. Alternately, uncheck the checkbox to disable automatic deletion. 17.3. Reports. Kaspersky Internet Security component actions, virus task scans and updates are all recorded in reports. The total number of reports created by the program and their total size is displayed by clicking on Data files in the Service section of the main program window. The information is displayed in the Reports box. To view reports: left-click anywhere in the Reports box to open the Protection window, which summarises protection given by the application. The window will open to the Reports tab (see fig. 80). The Reports tab lists the latest reports on all components and virus scan tasks run during the current session of Kaspersky Internet Security. The status is listed beside each component or task, for example, stopped or complete. If you want to view the full history of report creation for the current session of the
47. cannot be disinfected, it stays in the email. Kaspersky Internet Security will always inform you if an email is infected. But even if you select Delete in the Mail Anti-Virus notice window, the object will remain in the email, since the action selected in The Bat takes precedence over the actions of Mail Anti-Virus. Remove infected parts: delete the dangerous object in the email, regardless of whether it is infected or suspected of being infected. By default, The Bat places all infected email objects in the Quarantine folder without treating them. Warning: The Bat does not mark emails containing dangerous objects with special headers. 8.2.4. Restoring default Mail Anti-Virus settings. When configuring Mail Anti-Virus, you can always return to the default performance settings, which Kaspersky Lab considers to be optimal and has combined in the Recommended security level. To restore the default Mail Anti-Virus settings: 1. Select Mail Anti-Virus in the main window and go to the component settings window by clicking Settings. 2. Click the Default button in the Security Level section. 8.2.5. Selecting actions for dangerous email objects. If a scan shows that an email or any of its parts (body, attachment) is infected or suspicious, the steps taken by Mail Anti-Virus depend on the object status and the action selected. One of the following statuses can be assigned to the email object after
48. components, they will also be shown on the list. Examples of special settings would be white and black lists of phrases and addresses used by Anti-Spam; trusted address lists and trusted ISP telephone number lists used by Web Anti-Virus and Anti-Spy; exclusion rules created for program components; packet filtering and application rules for Anti-Hacker; and application rules for Proactive Defense. These lists are populated gradually by using the program, based on individual tasks and security requirements. This process often takes some time. Therefore, we recommend saving them when you reset program settings. The program saves all the custom settings on the list by default (they are unchecked). If you do not need to save one of the settings, check the box next to it. After you have finished configuring the settings, click the Next button. Setup Wizard will open. Follow its instructions. After you are finished with the Setup Wizard, the Recommended security level will be set for all protection components, except for the settings that you decided to keep. In addition, settings that you configured with the Setup Wizard will also be applied. CHAPTER 18. WORKING WITH THE PROGRAM FROM THE COMMAND PROMPT. You can use Kaspersky Internet Security from the command prompt. You can execute the following operations: Starting, stopping, pausing and resuming the activity of application components; Star
49. configuration file scan_setting.txt. After the scan, generate a report in which all events are recorded: avp.com SCAN /MEMORY /@:objects2scan.txt /C:scan_settings.txt /RA:scan.log 18.4. Program updates. The syntax for updating Kaspersky Internet Security program modules and threat signatures from the command prompt is as follows: avp.com UPDATE [<path/URL>] [/R[A]:<report_file>] [/C:<settings_file>] [/APP] Parameter description: [<path/URL>]: HTTP or FTP server or network folder for downloading updates. If a path is not selected, the update source will be taken from the Updater settings. /R[A]:<report_file>: /R:<report_file> only logs important events in the report; /RA:<report_file> logs all events in the report. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen and all events are displayed. /C:<settings_file>: Path to the configuration file with the settings for program updates. You can enter an absolute or relative path to the file. If this parameter is not defined, the values for the settings in the Kaspersky Internet Security interface are used. /APP: Update program modules. Examples: Update threat signatures and record all events in the report: avp.com UPDAT
50. corresponding status. For more details on the spam rating and processing rules, see documentation for The Bat! CHAPTER 14. SCANNING FOR VIRUSES ON YOUR COMPUTER. One of the important aspects of protecting your computer is scanning user-defined areas for viruses. Kaspersky Internet Security can scan individual items (files, folders, disks, plug-and-play devices) or the entire computer. Scanning for viruses stops malicious code which has gone undetected by protection components from spreading. Kaspersky Internet Security includes three default scan tasks: Critical Areas: Scans all critical areas of the computer for viruses, including system memory, programs loaded on startup, boot sectors on the hard drive, and the Windows and system32 system directories. The task aims to detect active viruses quickly on the system without fully scanning the computer. My Computer: Scans for viruses on your computer with a thorough inspection of all disk drives, memory, and files. Startup Objects: Scans for viruses all programs loaded when the operating system boots. The default settings for these tasks are the recommended ones. You can edit these settings (see 14.4.4 on pg. 195) or create a schedule (see 6.5 on pg. 78) for running tasks. You also have the option of creating your own tasks (see 14.4.3 on pg. 195) and creating a schedule for them. For example, you can schedule a scan task for email databases once per week, or a virus sc
51. disk subsystems, thereby slowing down other programs. By default, if such a situation arises, the program pauses virus scans and frees up system resources for user applications. However, there are a number of programs that can be launched as soon as the processor's resources are freed and run in background mode. For virus scans not to depend on the operation of such programs, uncheck Give other applications priority over resources. Note that this setting can be configured individually for every virus scan task. If you choose to do this, the configuration for a specific task has a higher priority. Figure 16. Configuring power settings. To configure power settings for virus scan tasks: Select the Protection section of the main program window and click the Settings link. Configure power settings in the Additional box (see fig. 16). 6.7. Advanced Disinfection Technology. Today's malicious programs can invade the lowest levels of an operating system, which makes them practically impossible to delete. Kaspersky Internet Security 6.0 asks you if you want to run Advanced Disinfection Technology when it detects a threat currently active in the system. This will neutralize the threat and delete it from the computer. After this procedure, you will need to res
52. downloaded to the buffer. After the scan is complete, the program either passes the object to the user or blocks it. When using this scan type, the full threat signature set is used, which improves the level of malicious code detection. However, using this algorithm increases object processing time and hence makes web browsing slower; it can also cause problems when copying and processing large objects, because the connection with the HTTP client can time out. One way to solve this problem is to limit the caching time for object fragments downloaded from the Internet. When the time limit expires, the user will receive the downloaded part of the file without it being scanned, but once the object is fully copied, it will be scanned in its entirety. This can deliver the object to the user sooner and can solve the problem of interrupting the connection without reducing security while using the Internet. To select the scanning algorithm that Web Anti-Virus will use: 1. Click on the Customize button in the Web Anti-Virus configuration window. 2. In the window that opens (see fig. 30), select the option you want in the Scan method section. By default, Web Anti-Virus performs a buffered scan on Internet data and uses the complete threat signature set. The default caching time for file fragments is one second.
53. emails should be marked as spam and which as accepted. Emails that are spam or potential spam are modified: the markings SPAM or Probable Spam are added to the subject line. The rules for processing spam or potential spam emails for Microsoft Office Outlook, Microsoft Outlook Express, or The Bat! are specified in special plug-in components within the email client itself. For other email clients, you can configure filtration rules that search for the modified subject line containing SPAM or Probable Spam and move the email to a designated folder. For more information about the filtration mechanism, please consult the documentation for your email client. 13.1. Selecting an Anti-Spam sensitivity level. Kaspersky Internet Security protects you from spam at one of the following levels (see fig. 54): Block all: the strictest level of sensitivity, at which only messages containing phrases from the phrase white list (see 13.3.4.1 on pg. 175) and senders listed on the white list are accepted; everything else is marked as spam. At this level, email is only analyzed against the white lists. All other features are disabled. Figure 54. Selecting the Anti-Spam security level. High: a strict level that, when activated, raises the likelihood that some emails that are not spam
54. for a popup window, the window is blocked. For this reason, we recommend configuring the browser and Popup Blocker together if you run Microsoft Windows XP Service Pack 2. If you want to view a popup window for any reason, you must add it to the trusted address list. To do so: 1. Open the Kaspersky Internet Security settings window and select Anti-Spy in the settings tree. 2. Click Trusted sites in the Popup Blocker section. 3. Click Add in the window that opens (see fig. 41) and enter a mask for sites whose popup windows you do not want to block. 4. Specify if addresses in the Internet Explorer trusted zone or addresses on your local area network will be excluded from the scan. The program considers them trusted by default and does not block pop-up windows from these addresses. Tip: When entering a trusted address mask, you can use the characters * or ?. For example, the mask http://www.test* excludes popups from any site that begins with that series of characters. The new exclusion will be added at the top of the trusted address list. To stop using the exclusion that you have added, just uncheck the box next to its name. If you want to remove an exclusion entirely, select it on the list and click Delete.
55. for an object. If this time is exceeded, this object will be removed from the scan queue. Skip if object is larger than ... MB: Check this option and enter the maximum size for an object. If this size is exceeded, this object will be removed from the scan queue. In the Compound files section, specify which compound files will be analyzed for viruses: Scan All / New Only archives: scan .rar, .arj, .zip, .cab, .lha, .jar, and .ice archives. Warning: Kaspersky Internet Security does not delete compressed file formats that it does not support (for example, .ha, .uue, .tar) automatically, even if you select the option of automatically curing or deleting if the objects cannot be cured. To delete such compressed files, click the Delete archives link in the dangerous object detection notification. This notification will be displayed on the screen after the program begins processing objects detected during the scan. You can also delete infected archives manually. Scan All / New Only embedded OLE objects: scan objects embedded in files (for example, Excel spreadsheets or a macro embedded in a Microsoft Word file, email attachments, etc.). You can select and scan all files or only new ones for each type of compound file. To do so, use the link next to the name of the object. It changes its value when you left-click on it. If the Productivity section has been set up only to scan new and modified files, you will not be able to select the type
56. group of people, or phenomena unrelated to human activity can threaten information security. Following from this, all threat sources can be put into one of three groups: The human factor: This group of threats concerns the actions of people with authorized or unauthorized access to information. Threats in this group can be divided into: External, including cyber criminals, hackers, internet scams, unprincipled partners, and criminal organizations; Internal, including the actions of company staff and users of home PCs. Actions taken by this group could be deliberate or accidental. The technological factor: This threat group is connected with technical problems: use of obsolete or poor-quality software and hardware to process information. This can lead to equipment failure and often to data loss. The natural disaster factor: This threat group includes the whole range of events caused by nature and independent of human activity. All three threat sources must be accounted for when developing a data security protection system. This User Guide focuses on the area that is directly tied to Kaspersky Lab's expertise: external threats involving human activity. 1.2. How threats spread. As modern computer technology and communications tools develop, hackers have more opportunities for spreading threats. Let's take a closer look at them: The Internet. The Internet is unique, since it i
57. Figure 79. Backup copies of deleted or disinfected objects. You can restore selected copies using the Restore button. The object is restored from Backup with the same name that it had prior to disinfection. If there is an object in the original location with that name (this is possible if a copy was made of the object being restored prior to disinfection), a warning will be given. You can change the location of the restored object or rename it. You are advised to scan backup objects for viruses immediately after restoring them. It is possible that with updated signatures you will be able to disinfect it without losing file integrity. You are advised not to restore backup copies of objects unless absolutely necessary. This could lead to an infection on your computer. You are advised to periodically examine the Backup area and empty it using the Delete button. You can also set up the program so that it automatically deletes the oldest copies from Backup (see 17.2.2 on pg. 225). 17.2.2. Configuring Backup settings. You
58. in each section. You can assign both addresses and address masks as the address list. When you enter an address, the use of capitals is ignored. Address masks can be used exactly as for the white list in the previous section. You can also use masks for phrases. When entering a phrase, the use of capitals is ignored. Phrase masks can also be used exactly as for the white list in the previous section. To disable the use of a certain address or phrase as attributes of spam, it can be deleted using the Delete button, or the box alongside the text can be unchecked to disable them. 13.3.5. Additional spam filtration features. In addition to the main features that are used to filter spam (creating white and black lists, phishing analysis, filtration technologies), Kaspersky Internet Security provides you with advanced features. To configure advanced spam filtration features: 1. Select Anti-Spam in the Kaspersky Internet Security settings window. 2. Click the Customize button in the Sensitivity section of the settings window. 3. Open the Options tab (see fig. 60). The tab lists a series of indicators that will classify email as being more likely than not spam.
59. in the rule description section. It will change to Block. If you did not select an application prior to creating the rule, you will need to do so by clicking select application. Left-click on the link and, in the standard file selection window that opens, select the executable file of the application for which you are creating the rule. Determine the direction of the network connection for the rule. The default value is a rule for a bi-directional (both inbound and outbound) network connection. To change the direction, left-click on incoming and outgoing and select the direction of the network connection in the window that opens: Inbound stream: The rule is applied to network connections opened by a remote computer. Inbound packet: The rule applies to data packets received by your computer, except for TCP packets. Inbound and outbound streams: The rule is applied to inbound and outbound traffic, regardless of which computer, the local one or the remote one, initiated the network connection. Outbound stream: The rule is only applied to network connections opened by your computer. Outbound packet: The rule is applied for inbound data packets that your computer sends, except for TCP packets. If it is important for you to specifically set the direction of packets in the rule, select whether they are inbound or outbound packets. If you want to create a rule for streaming data, select stream: inbound, outbound, or both. The d
60. in this Agreement shall exclude or limit Kaspersky Lab's liability for (a) the tort of deceit, (b) death or personal injury caused by its breach of a common law duty of care or any negligent breach of a term of this Agreement, or (c) any other liability which cannot be excluded by law. (ii) Subject to paragraph (i) above, Kaspersky Lab shall bear no liability (whether in contract, tort, restitution or otherwise) for any of the following losses or damage (whether such losses or damage were foreseen, foreseeable, known or otherwise): (a) Loss of revenue; (b) Loss of actual or anticipated profits (including for loss of profits on contracts); (c) Loss of the use of money; (d) Loss of anticipated savings; (e) Loss of business; (f) Loss of opportunity; (g) Loss of goodwill; (h) Loss of reputation; (i) Loss of, damage to or corruption of data; or (j) Any indirect or consequential loss or damage howsoever caused (including, for the avoidance of doubt, where such loss or damage is of the type specified in paragraphs (ii)(a) to (ii)(i)). (iii) Subject to paragraph (i), the liability of Kaspersky Lab (whether in contract, tort, restitution or otherwise) arising out of or in connection with the supply of the Software shall in no circumstances exceed a sum equal to the amount equally paid by you for the Software. 7. This Agreement contains the entire understanding between the parties with respect to
61. is analyzed. If the address does not match any of those on your list, the e-mail will be labeled as spam. You can create and edit an address list in My addresses using the Add, Edit, and Delete buttons. 13.3.7. Mail Dispatcher. Warning: Mail Dispatcher is only available if you receive email via POP3 protocol. Mail Dispatcher is designed for viewing the list of email messages on the server without downloading them to your computer. This enables you to refuse to accept messages, saving time and money when working with email and reducing the likelihood of downloading spam and viruses to your computer. Mail Dispatcher (see fig.) opens if the box Open Mail Dispatcher when receiving email is checked in the Anti-Spam settings. To delete emails from the server without downloading them onto your computer, check the boxes on the left of the emails that you want to delete and click the Delete button. The emails checked will be deleted from the server. The rest of your email will be downloaded to your computer after you close the Mail Dispatcher window. Sometimes it can be difficult to decide whether to accept a certain email, judging only by the sender and the email's subject line. In such cases, Mail Dispatcher gives you more information by downloading the email's headers. To view email headers, select the email from the list of incoming email. The email's headers will be displa
62. is blocked. 17.3.15. The Packet Filtering tab. The Packet filtering tab contains information about sending and receiving packets that match filtration rules and were logged during the current session of the application (see fig. 95). Figure 96. Monitored data packets. Activity is only recorded if Log is checked in the rule. It is unchecked by default in the packet filtering rules included with Kaspersky Internet Security. The outcome of filtration (whether the packet was blocked), direction of the packet, the protocol, and other network connection settings for sending and receiving packets are indicated for each packet. 17.3.16. The Established Connections tab. All active network connections established on your computer at present are listed on the Established Connections tab (see fig. 97). Here you will find the name of the application that initiated the connection, the protocol used, the direction of the connection (inbound or outbound), and connection settings (local and remote ports and IP addresses). You can also see how long a connection has been activ
63. marked as spam. Further processing depends on the action you select (see 13.3.8 on pg. 180). If the sender's address is not found on the white or black list, the email is analyzed using PDB technology (see 13.3.2 on pg. 172) for phrases typical of spam, using the database created by training the Anti-Spam component. Anti-Spam examines the text of the email in detail and scans it for lines from the black or white list. If the text of the email contains lines from the white list of lines, the email is marked as accepted. If phrases from the phrase black list are encountered, the email is marked as spam. Further processing depends on the action you specify. If the email does not contain phrases from the black or white list, it is analyzed for phishing. If the text of the email contains an address contained in the anti-phishing database, the email is marked as spam. Further processing depends on the action you specify. If the email does not contain phishing lines, it is scanned for spam using special technologies: Image analysis using GSG technology; Message text analysis using the iBayesian algorithm for spam recognition. Finally, the email is scanned for advanced spam filtration factors (see 13.3.5 on pg. 178) specified by the user when Anti-Spam was installed. This could include scanning for correctness of HTML tags, font size, or hidden characters. You can enable or disable each of these stages of the a
64. means temporarily disabling all the protection components that monitor the files on your computer, incoming and outgoing email, executable scripts, application behavior, and Anti-Hacker and Anti-Spam. To pause a Kaspersky Internet Security operation: 1. Select Pause protection in the program's context menu (see 4.2 on pg. 46). 2. In the Pause Protection window that opens (see fig. 7), select how soon you want protection to resume: In <time interval>: protection will be enabled this amount of time later. To select a time value, use the drop-down menu. At next program restart: protection will resume if you open the program from the Start Menu or after you restart your computer (provided the program is set to start automatically on startup, see 6.1.5 on pg. 67). By user request only: protection will stop until you start it yourself. To enable protection, select Resume protection from the program's context menu. Figure 7. Pause protection window. Tip: You can also stop protection on your computer with one of the following methods: Click the button in the Protection section; Select Exit from the context menu. If you pause protection, all protection components will be paused. This is indicated by
65. new outbreak long before it reaches its peak. The likelihood of the infection in such a case is low, and once you download the threat signature updates, you will have plenty of time to protect yourself against the new virus. Rule No. 4: Do not trust virus hoaxes, such as prank programs and emails about infection threats. Rule No. 5: Use the Windows Update tool and regularly install Microsoft Windows operating system updates. Rule No. 6: Buy legitimate copies of software from official distributors. Rule No. 7: Limit the number of people who are allowed to use your computer. Rule No. 8: Lower the risk of unpleasant consequences of a potential infection: Back up data regularly. If you lose your data, the system can fairly quickly be restored if you have backup copies. Store distribution floppies, CDs, flash drives, and other storage media with software and valuable information in a safe place. Create a Rescue Disk (see 17.10 on pg. 251) that you can use to boot up the computer using a clean operating system. Rule No. 9: Regularly inspect the list of installed programs on your computer. To do so, open Install/Remove Programs in the Control Panel or open the Program Files directory. You can discover software here that was installed on your computer without your knowledge, for example, while you were using the Internet or installing a different program. Programs like these are almost always riskware
66. no formatting actually takes place) or detecting viruses in uninfected files. Rootkits: These are utilities which are used to conceal malicious activity. They mask malicious programs to keep anti-virus programs from detecting them. Rootkits modify basic functions of the computer's operating system to hide both their own existence and actions that the hacker undertakes on the infected computer. Other dangerous programs: These are programs created to, for instance, set up denial of service (DoS) attacks on remote servers, hack into other computers, and programs that are part of the development environment for malicious programs. These programs include hack tools, virus builders, vulnerability scanners, password-cracking programs, and other types of programs for cracking network resources or penetrating a system. Hacker attacks: Hacker attacks can be initiated either by hackers or by malicious programs. They are aimed at stealing information from a remote computer, causing the system to malfunction, or gaining full control of the system's resources. You can find a detailed description of the types of attacks blocked by Kaspersky Internet Security in section 12.9, List of network attacks detected. Some types of online scams: Phishing is an online scam that uses mass emailings to steal confidential information from the user, generally of a financial nature. Phishing emails are designed to maximally
67. Figure 60. Advanced spam recognition settings. To use an additional filtration indicator, check the flag beside it. Each of the factors also requires that you set a spam factor (in percentage points) that defines the likelihood that an email will be classified as spam. The default value for the spam factor is 80%. The email will be marked as spam if the sum of the likelihoods for all additional factors exceeds 100%. If you enable filtration for messages not addressed to me, you must specify your addresses in the window that opens by clicking My addresses. For incoming email, the recipient's address will be scanned during analysis. If the address does not match any of those on the list of your own addresses, the email will be marked as spam. You can create and edit an address list in the My Email addresses window using the Add, Edit, and Delete buttons. 13.3.6. Creating the list of trusted addresses. If you enable spam filtration for messages not addressed to me, you must specify your trusted e-mail addresses. The recipient's address will be scanned when the e-mail
68. object. Block access, Disinfect: E-Mail Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object could not be treated, it is moved to Quarantine (see 17.1 on pg. 218). Information about this is recorded in the report. Later you can attempt to disinfect this object. Block access, Disinfect, Delete if disinfection fails: E-Mail Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object cannot be disinfected, it is deleted. A copy of the object will be stored in Backup. Objects with the status of potentially infected will be moved to Quarantine. (Footnote: If you are using The Bat! as your mail client, dangerous email objects will either be disinfected or deleted when Mail Anti-Virus takes this action, depending on the action selected in The Bat!) Block access, Disinfect, Delete: When E-Mail Anti-Virus detects an infected or potentially infected object, it deletes it without informing the user. When disinfecting or deleting an object, Kaspersky Internet Security creates a backup copy (see 17.2 on pg. 223) before it attempts to treat the object or delete it, in case the object needs to be restored or an opportunity arises to treat it. CHAPTER 9. WEB ANTI V
69. of the application itself. You can create rules for monitoring the integrity of modules from any application. To do so, add that application to the list of monitored applications. This Proactive Defense component is not available under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, or Microsoft Windows Vista x64. Figure 32. Proactive Defense settings. Whether system registry changes are monitored: By default, Enable Registry Guard is checked, which means Kaspersky Internet Security analyzes all attempts to make changes to the Microsoft Windows system registry keys. You can create your own rules (see 10.1.4.2 on pg. 131) for monitoring the registry, depending on the registry key. Whether macros are scanned: The monitoring of Visual Basic for Applications macros on your computer is
70. only. There are two types of application and packet filtering rules: allow and block. The program installation includes rules which regulate network activity for the commonest applications and using the commonest protocols and ports. Kaspersky Internet Security also includes a set of allow rules for trusted applications whose network activity is not suspect. Kaspersky Internet Security breaks down the entire network space into security zones to make settings and rules more user-friendly, which largely correspond to the subnets that your computer belongs to. You can assign a status to each zone (Internet, Local Area Network, Trusted), which determines the policy for applying rules and monitoring network activity in that zone (see 12.5 on pg. 154). A special feature of Anti-Hacker, Stealth Mode, prevents the computer from being detected from the outside, so that hackers cannot detect the computer to attack it. This mode does not affect your computer's performance on the Internet; you are advised not to use Stealth Mode if your computer is functioning as a server. 12.1. Selecting an Anti-Hacker security level. When you use the network, Kaspersky Internet Security protects your computer at one of the following levels (see fig. 44): Block all: blocks any network activity on your computer. If you select this security level, you will not be able to use any network resources or programs that require a ne
71. or performance; there are one or more deviations in Kaspersky Internet Security performance from the recommended level of performance, which could affect information security. Please pay heed to the actions recommended by Kaspersky Lab, which are given as links; the computer's security status is critical. Please follow the recommendations closely to improve your computer's protection. The recommended actions are given as links. We will now examine protection indicators and the situations that each of them indicate in more detail. The first indicator reflects the situation with malicious files and programs on your computer. The three values of this indicator mean the following: No threats detected: Kaspersky Internet Security has not detected any dangerous files or programs on your computer. All threats have been neutralized: Kaspersky Internet Security has treated all infected files and programs and deleted those that could not be treated. Hacker attack has been blocked: Kaspersky Internet Security has detected and blocked an attempted network attack. Threats have been detected: Your computer is at risk of infection. Kaspersky Internet Security has detected malicious programs (viruses, Trojans, worms, etc.) that must be neutralized. To do so, use the Neutralize all link. Click the Details link to see more detailed information about the malicious objects. Please r
72. resemble informative emails from banks and well-known companies. These emails contain links to fake websites created by hackers to mimic the site of the legitimate organization. On this site, the user is asked to enter, for example, his credit card number and other confidential information. Dialers to pay-per-use websites: type of online scam using unauthorized use of pay-per-use Internet services, which are commonly pornographic web sites. The dialers installed by hackers initiate modem connections from your computer to the number for the pay service. These phone numbers often have very high rates, and the user is forced to pay enormous telephone bills. Intrusive advertising: This includes popup windows and banner ads that open when using your web browser. The information in these windows is generally not of benefit to the user. Popup windows and banner ads distract the user from the task and take up bandwidth. Spam: Spam is anonymous junk email, and includes several different types of content: adverts; political messages; requests for assistance; emails that ask one to invest large amounts of money or to get involved in pyramid schemes; emails aimed at stealing passwords and credit card numbers; and emails that ask to be sent to friends (chain letters). Kaspersky Internet Security uses two methods for detecting and blocking these threat types: Reactive: this method searches for malicious file
73. settings displayed (see Figure 27) extend to all anti-virus modules installed on the computer that support The Bat. Figure 27: Configuring email scans in The Bat. You must decide: what group of emails will be scanned for viruses (incoming, outgoing); at what point in time email objects will be scanned for viruses (when opening an email or before saving one to disk); and the actions taken by the email client when dangerous objects are detected in emails. For example, you could select: Try to cure infected parts: tries to treat the infected email object, and if the object
74. since, if it is successful, the hacker has complete control of your computer. Hackers use this attack to obtain confidential information from a remote computer (for example, credit card numbers or passwords), or to use its resources later for malicious purposes (e.g. using the captured system in zombie networks or as a platform for new attacks). This group contains more different types of attacks than any other. They can be divided into three subgroups based on operating system: Microsoft Windows attacks, Unix attacks, and a group for network services running either operating system. The most common types of attacks that use operating system network tools are: Buffer overflow attacks: a type of software vulnerability that surfaces due to insufficient control in handling massive amounts of data. This is one of the oldest vulnerability types, and the easiest for hackers to exploit. Format string attacks: a type of software vulnerability that arises from insufficient control of input values for I/O functions such as printf, fprintf, scanf, and others from the C standard library. If a program has this vulnerability, a hacker, using queries created with a special technique, can gain complete control of the system. The Intrusion Detection System automatically analyzes and blocks attempts to exploit vulnerabilities in the most common network tools (FTP, POP3, IMAP) running on the user's computer (section 12.7 on page 157). Mic
75. the Software to you, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. 4. Confidentiality. You agree that the Software and the Documentation, including the specific design and structure of individual programs, constitute confidential proprietary information of Kaspersky Lab. You shall not disclose, provide, or otherwise make available such confidential information in any form to any third party without the prior written consent of Kaspersky Lab. You shall implement reasonable security measures to protect such confidential information, but without limitation to the foregoing shall use best endeavours to maintain the security of the activation code. 5. Limited Warranty. (i) Kaspersky Lab warrants that for six (6) months from first download or installation the Software purchased on a physical medium will perform substantially in accordance with the functionality described in the Documentation when operated properly and in the manner specified in the Documentation. (ii) You accept all responsibility for the selection of this Software to meet your requirements. Kaspersky Lab does not warrant that the Software and/or the Documentation will be suitable for such requirements nor that any use will be uninterrupted or error free. (iii) Kaspersky Lab does not warrant that this Software identifies all known viruses and spam letters, nor that the Software will not occasionally erroneously report a virus
76. the appropriate links in the Rule Description box below the list. You can perform similar tasks and edit addresses and subnet masks in the Zone settings window, which you can open by clicking Edit. You can add a new zone to the list while viewing it. To do so, click Refresh. Anti-Hacker will search for potential zones to register, and if any are detected, the program will ask you to select a status for them. In addition, you can add new zones to the list manually (for example, if you connect your laptop to a new network). To do so, use the Add button and fill in the necessary information in the Zone Settings window. To delete a network from the list, select it in the list and click on the Delete button. Figure 50: List of rules for zones. 12.7 Firewall mode. The Firewall mode (see Figure 51) controls Anti-Hacker compatibility with programs that establish multiple network connections and to network games. Maximum compatibility: the Fir
77. the subject matter hereof and supersedes all and any prior understandings, undertakings and promises between you and Kaspersky Lab, whether oral or in writing, which have been given or may be implied from anything written or said in negotiations between us or our representatives prior to this Agreement, and all prior agreements between the parties relating to the matters aforesaid shall cease to have effect as from the Effective Date. When using demo software, you are not entitled to the Technical Support specified in Clause 2 of this EULA, nor do you have the right to sell the copy in your possession to other parties. You are entitled to use the software for demo purposes for the period of time specified in the license key file, starting from the moment of activation (this period can be viewed in the Service window of the software's GUI).
78. the web browser access to it. Scripts are scanned according to the following algorithm: 1. Web Anti-Virus intercepts each script run on a web page and scans it for malicious code. 2. If a script contains malicious code, Web Anti-Virus blocks it and informs the user with a special popup notice. 3. If no malicious code is discovered in the script, it is run. 9.1 Selecting the web security level. Kaspersky Internet Security protects you while you use the Internet at one of the following levels (see Figure 29): High: the level with the most comprehensive monitoring of scripts and objects incoming via HTTP. The program performs a thorough scan of all objects using the full set of threat signatures. This level of protection is recommended for sensitive environments, when no other HTTP security tools are being used. Recommended: this level scans the same objects as High, but limits the caching time for file fragments, thus accelerating the scan and returning objects to the user sooner. Low: the security level with settings that let you comfortably use resource-intensive applications, since the scope of objects scanned is reduced by using a limited set of threat signatures. This security level is recommended if you have additional web protection software installed on your computer. Figure 29: Selecting a web security level. By default, the p
79. this level, email is only processed using the black list, and all other features are disabled. By default, Anti-Spam is set to the Recommended sensitivity level. You can boost or reduce the level or edit the settings for the current level. To modify the level of protection: In the application's Settings window, click on Anti-Spam to show the component's settings. In the Sensitivity section, move the slider up or down to the required setting. By adjusting the sensitivity level, you define the correlation between spam, potential spam, and accepted email factors (see 13.3.3 on pg. 173). To modify the settings for the current level: In the application's Settings window, click on Anti-Spam to show the component's settings. Click the Customize button in the Sensitivity section. Edit the spam factor in the window that opens and click OK. The security level's name will then change to Custom. 13.2 Training Anti-Spam. Anti-Spam comes with a pre-installed email database containing fifty spam samples. You are advised to give the Anti-Spam module further training on your own emails. There are several approaches to training Anti-Spam: Use the Training Wizard (see 13.2.1 on pg. 168). Train Anti-Spam with outgoing emails (see 13.2.2 on pg. 168). Train directly while working with email (see 13.2.3 on pg. 169), using special buttons in the email client tools panel or menu items. Training in Anti-Spam reports (see 13.2.4 on pg. 169).
80. this option, File Anti-Virus will only scan potentially infected files, but the file format will be determined by the filename's extension. Using the extension link, you can review a list of file extensions (see A.1 on pg. 282) that are scanned with this option. Figure 18: Selecting the file types scanned for viruses. Tip: Do not forget that someone could send a virus to your computer with an extension (e.g. .txt) that is actually an executable file renamed as a .txt file. If you select Scan programs and documents (by extension), the scan would skip such a file. If Scan programs and documents (by content) is selected, the extension is ignored, and analysis of the file headers will uncover that the file is an .exe file. File Anti-Virus would thoroughly scan the file for viruses. In the Productivity section, you can specify that only new and modified files should be scanned for viruses. This mode noticeably
81. will be marked as spam. At this level, email is analyzed against the white and black list, and also using PDB and GSG technologies, and iBayes (see 13.3.2 on pg. 172). This level should be applied in cases when there is a high likelihood that the recipient's address is unknown to spammers. For example, when the recipient is not signed up to mass mailings, and does not have an email address on free/non-corporate email servers. Recommended: the standard universal settings level for classifying email. At this level, it is possible that some spam will not be detected. This shows that Anti-Spam is not trained well enough. You are advised to conduct additional training for the module using the Training Wizard (see 13.2.1 on pg. 168) or the Spam / NOT Spam buttons (or corresponding menu items in The Bat) for emails that were incorrectly marked. Low: the most loyal settings level. It is recommended for users whose incoming correspondence contains a significant number of words recognized by Anti-Spam as spam, but is not spam. This may be because of the recipient's professional activity, which forces him to use professional terms in his correspondence with colleagues that are widespread in spam. All spam detection technologies are used to analyze emails at this level. Allow all: lowest sensitivity level. Only email that contains phrases from the phrase black list, or senders listed on the address black list, are marked as spam. At
82. you want the rule to apply to a specific application, left-click on any and it will change to this. Then click on the specify application name link. A context menu will open: click Browse to see the standard file selection window, or click Applications to see a list of open applications, and select one of them as necessary. Select a rule on the list and assign the rule settings in the lower portion of the tab: Define the Proactive Defense response to the selected application attempting to read, edit, or delete system registry files. You can use any of these actions as a response: allow, prompt for action, and block. Left-click on the link with the action until it reaches the value that you need. Choose if you want to generate a report on the operation carried out, by clicking on the log / do not log link. You can create several rules, and order their priority using the Move Up and Move Down buttons. The higher the rule is on the list, the higher the priority assigned to it will be. You can also create an allow rule (i.e. all actions are allowed) for a system registry file from a notification window stating that a program is trying to execute an operation with the file. To do so, specify the system registry file that the rule will apply to in the window that opens. CHAPTER 11. ANTI-SPY. The component of Kaspersky Internet Security which protects you against all types of malware is called Anti-Spy. R
83. 000 Professional (Service Pack 2 or higher), Microsoft Windows XP Home Edition, Microsoft Windows XP Professional (Service Pack 1 or higher): Intel Pentium 300 MHz processor or faster (or compatible); 128 MB of RAM. Microsoft Windows Vista, Microsoft Windows Vista x64: Intel Pentium 800 MHz 32-bit (x86) / 64-bit (x64) or faster (or compatible); 512 MB of RAM. 2.4 Software packages. You can purchase the boxed version of Kaspersky Internet Security from our resellers, or download it from Internet shops, including the eStore section of www.kaspersky.com. If you buy the boxed version of the program, the package will include: A sealed envelope with an installation CD containing the program files. A User Guide. The program activation code, attached to the installation CD envelope. The end-user license agreement (EULA). Before breaking the seal on the installation disk envelope, carefully read through the EULA. If you buy Kaspersky Internet Security from an online store, you copy the product from the Kaspersky Lab website (Downloads → Product Downloads). You can download the User Guide from the Downloads → Documentation section. You will be sent an activation code by email after your payment has been received. The End-User License Agreement is a legal agreement between you and Kaspersky Lab that specifies the terms on which you may use the software you have purchased.
84. Figure 90: Blocked banner ad list. You can allow blocked banners to be displayed. To do so, select the object you want from the list and click Actions → Allow. 17.3.11 The Hidden Dials tab. This tab (see fig. 91) displays all secret dialer attempts to connect to paid websites. Such attempts are generally carried out by malicious programs installed on your computer. In the report, you can view what program a
85. 6.0, check the necessary boxes. 3.2.2 Activating the program. You can activate the program by installing a license key that Kaspersky Internet Security will use to check for a license and to determine the expiration date for it. The license key contains system information necessary for all the program's features to operate, and other information: Support information (who provides program support and where you can obtain it). Name, number, and expiration date of your license. Warning: You must have an Internet connection to activate the program. If you are not connected to the Internet during installation, you can activate the program (see 17.5 on pg. 242) later from the program interface. 3.2.2.1 Selecting a program activation method. There are several options for activating the program, depending on whether you have a license key for Kaspersky Internet Security or need to obtain one from the Kaspersky Lab server. Activate with an activation code: Select this activation option if you have purchased the full version of the program and were provided with an activation code. Using this code, you will receive a license key that provides you with complete access to all the program's features until the license expires. Activate trial version: Select this activation option if you want to install a trial version of the program before making the decision to purchase the commercial version. You will be provided with a free
86. Figure 35: Configuring Application Integrity Control. Select a rule on the list and assign rule settings in the lower portion of the tab: Define the Proactive Defense response to attempts to execute the critical application, change its makeup, or start it as a child process. You can use any of these actions as a response: allow, prompt for action, or block. Left-click on the action link until it reaches the value that you need. Choose if you want to generate a report about the activity, by clicking log / do not log. To turn off the monitoring of an application's activity, uncheck the box next to its name. Use the Details button to view a detailed list of modules
87. Corporate Suite provides comprehensive anti-virus protection for: Workstations running Microsoft Windows 98/ME, Microsoft Windows NT/2000/XP Workstation, and Linux. File servers running Microsoft Windows NT 4.0 Server, Microsoft Windows 2000/2003 Server/Advanced Server, Novell Netware, FreeBSD, Linux; Samba file storage. Email systems, including Microsoft Exchange Server 2000/2003, Lotus Notes/Domino, Sendmail, Postfix, Exim, and Qmail. Internet gateways: CheckPoint Firewall-1; Microsoft ISA Server 2000 Enterprise Edition; Microsoft ISA Server 2004 Enterprise Edition. Hand-held computers (PDAs) running Symbian OS, Microsoft Windows CE, and Palm OS, and also smartphones running Microsoft Windows Mobile 2003 for Smartphone and Microsoft Smartphone 2002. The Kaspersky Corporate Suite distribution kit includes Kaspersky Administration Kit, a unique tool for automated deployment and administration. You are free to choose from any of these anti-virus applications, according to the operating systems and applications you use. Kaspersky Anti-Spam: Kaspersky Anti-Spam is a cutting-edge software suite that is designed to help organizations with small and medium-sized networks wage war against the onslaught of undesired email (spam). The product combines the revolutionary technology of linguistic analysis with modern methods of email filtration, including DNS Black Lists and formal letter features. Its unique combination of servi
88. Data Files. Each protection component, virus search task, and program update creates a report as it runs. The reports contain information on executed operations and their results. By using the Reports feature, you will remain up to date on the operation of all Kaspersky Internet Security components. Should problems arise, the reports can be sent to Kaspersky Lab, allowing our specialists to study the situation in greater depth and help you as quickly as possible. Kaspersky Internet Security sends all files suspected of being dangerous to a special Quarantine area, where they are stored in encrypted form to avoid infecting the computer. You can scan these objects for viruses, restore them to their previous locations, delete them, or manually add files to Quarantine. Files that are found not to be infected upon completion of the virus scan are automatically restored to their former locations. The Backup area holds copies of files disinfected and deleted by the program. These copies are created in case you either need to restore the files or want information about their infection. These backup copies are also stored in an encrypted form to avoid further infection. You can manually restore a file from Backup to the original location and delete the copy. Rescue Disk: Kaspersky Internet Security can create a Rescue Disk, which provides a backup plan if system files are damaged by a virus attack and it is impossible to boot the operating system. By
89. Figure 107: Program events and event notification methods. 17.11.1.2 Configuring email notification. After you have selected the events (see 17.11.1.1 on pg. 256) about which you wish to receive email notifications, you must set up notification delivery. To do so: 1. Open the program setup window with the Settings link in the main window. 2. Select Service in the settings tree. 3. Click Advanced in the Interaction with user section of the right-hand part of the screen. 4. On the Notification settings tab (see fig. 108), select the checkbox in the E-mail chart for events that should trigger an e-mail message. 5. In the window (see fig. 108) that opens when you click E-mail settings, configure the following settings for sending e-mail notifications: Assign the sending notification setting for From: Email address. Specify the email address to which notices will be sent in To: Email address. Assign an email notification delivery method in the Send mode. If you want the program to send email as soon as the event occurs, select Immediately when event occurs. For notifications about events within a certain period of time, fill out the schedule for sending informative emails by clicking Edit. Daily notices are the default.
90. E /RA:avbases_upd.txt. Update the Kaspersky Internet Security program modules by using the settings in the configuration file updateapp.ini: avp.com UPDATE /APP /C:updateapp.ini. 18.5 Rollback settings. Command syntax: ROLLBACK [/R[A]:<report_file>]. /R[A]:<report_file>: /R:<report_file> records only important events in the report; /RA:<report_file> logs all events in the report. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen, and all events are displayed. Example: avp.com ROLLBACK /RA:rollback.txt. 18.6 Exporting protection settings. Command syntax: avp.com EXPORT <profile|taskid> <settings file>. Parameter description: <profile>: Component or task with the settings being exported. One of the following values may be used: RTP (all protection components), FM (File Anti-Virus), EM (Mail Anti-Virus), WM (Web Anti-Virus), BM (Proactive Defense), ASPY (Anti-Spy), AH (Anti-Hacker), AS (Anti-Spam). <settings file>: Path to the file to which the Kaspersky Internet Security settings are exported. You can use an absolute or relative path. The configuration file is saved in binary format (.dat), and it can be used later to import application settings on other computers. The configuration file ca
91. File Anti-Virus is Recommended. You can raise or lower the protection level for files you use by either selecting the level you want or changing the settings for the current level. To change the security level: Adjust the sliders. By adjusting the security level, you define the ratio of scan speed to the total number of files scanned: the fewer files are scanned for viruses, the higher the scan speed. If none of the set file security levels meet your needs, you can customize the protection settings. To do so, select the level that is closest to what you need as a starting point and edit its settings. In such a case, the level will be set at Custom. Let's look at an example of when user-defined file security levels could be useful. Example: The work you do on your computer uses a large number of file types, and some of the files may be fairly large. You would not want to run the risk of skipping any files in the scan because of the size or extension, even if this would somewhat affect the productivity of your computer. Tip for selecting a level: Based on the source data, one can conclude that you have a fairly high risk of being infected by a malicious program. The size and type of the files being handled is quite varied, and skipping them in the scan would put your data at risk. You want to scan the files you use by contents, not by extension. You are advised to start with the Recommended secu
92. IRUS. Whenever you use the Internet, information stored on your computer is open to the risk of infection by dangerous programs, which can penetrate your computer when you read an article on the Internet. Web Anti-Virus is Kaspersky Internet Security's component for guarding your computer during Internet use. It protects information that enters your computer via the HTTP protocol, and also prevents dangerous scripts from being loaded on your computer. Warning: Web Anti-Virus only monitors HTTP traffic that passes through the ports listed on the monitored port list (see 17.7 on pg. 246). The ports most commonly used for transmitting email and HTTP traffic are listed in the program package. If you use ports that are not on this list, add them to it to protect traffic passing through them. If you are working on an unprotected network, or using a modem for Internet access, you are advised to use Web Anti-Virus to protect yourself while using the Internet. Even if your computer is running on a network protected by a firewall or HTTP traffic filters, Web Anti-Virus provides additional protection while you browse the Web. The component's activity is indicated by the Kaspersky Internet Security system tray icon, which looks like this [icon] whenever scripts are being scanned. Let's look at the component's operation in more detail. Web Anti-Virus consists of two modules that handle: Traffic scan: scans objects that enter the user's c
93. KASPERSKY LAB. Kaspersky Internet Security 6.0. User Guide. Kaspersky Lab, http://www.kaspersky.com. Revision date: January 2007. Table of Contents: CHAPTER 1. THREATS TO COMPUTER SECURITY; 1.1 Sources of Threats; 1.2 How threats spread; 1.3 Types of Threats; 1.4 Signs of Infection; 1.5 What to do if you suspect infection; 1.6 Preventing Infection; CHAPTER 2. KASPERSKY INTERNET SECURITY 6.0; 2.1 What's new in Kaspersky Internet Security 6.0; 2.2 The elements of Kaspersky Internet Security Defense; 2.2.1 Protection components; 2.2.2 Virus scan tasks; 2.2.3 Program tools; 2.3 Hardware and software system requirements; 2.4 Software packages; 2.5 Support for registered users; CHAPTER 3. INSTALLING KASPERSKY INTERNET SECURITY 6.0; 3.1 Installation procedure using the Installation Wizard; 3.2.1 Using objects saved
94. Level section. 14.4.4 Selecting actions for objects. If a file is found to be infected or suspicious during a scan, the program's next steps depend on the object status and the action selected. One of the following statuses can be assigned to the object after the scan: Malicious program status (for example, virus, Trojan). Potentially infected, when the scan cannot determine whether the object is infected. It is likely that the program detected a sequence of code in the file from an unknown virus, or modified code from a known virus. By default, all infected files are disinfected, and if they are potentially infected, they are sent to Quarantine. To edit an action for an object, select the task name in the Scan section of the main program window and use the Settings link to open the task settings window. The possible responses are displayed in the appropriate sections (see fig. 68). Figure 68: Selecting actions for dangerous objects. If the action selected was / When it detects a malicious or potentially infected object: Prompt for action when the scan is complete: The program does not process the objects until the end of the scan. When the scan is complete, the statistics window will pop up with a list of objects detected an
95. Low are based on various spam and probable spam factor values. You can edit the Anti-Spam algorithm on your own. To do so: 1. Select Anti-Spam in the Kaspersky Internet Security settings window. 2. In the Sensitivity box on the right-hand side of the window, click Customize. 3. In the window that opens, adjust the spam and probable spam factors in the sections for them on the Spam Recognition tab (see fig. 57). 13.3.4 Creating white and black lists manually. Users can create black and white lists manually by using Anti-Spam with their email. These lists store information on user addresses that are considered safe or spam sources, and various key words and phrases that identify them as spam or accepted email. The chief application of the lists of key phrases, and in particular the white list, is that you can coordinate with trusted addressees (for example, with colleagues) signatures containing a particular phrase. You could use, for example, a PGP signature as an email signature. You can use wildcards in the signatures and in the addresses: * and ?. An asterisk (*) represents any sequence of characters of any length. A question mark (?) represents any one character. If there are asterisks and question marks in the signature, then to prevent errors in how Anti-Spam processes them, they should be preceded by a backslash. Then two characters are used instead of one: \* and \?. 13.3.4.1 White lists for addresses and phrases. Th
96. Riskware, etc. For more information on potentially dangerous programs detected by Kaspersky Internet Security, see the Virus Encyclopedia at www.viruslist.com. After the scan, these programs may be blocked. Since several of them are very common, you have the option of excluding them from the scan. To do so, you must add the name or mask of the object to the trusted zone using the Virus Encyclopedia classification. For example, imagine you use a Remote Administrator program frequently in your work. This is a remote access system with which you can work from a remote computer. Kaspersky Internet Security views this sort of application activity as potentially dangerous and may block it. To keep the application from being blocked, you must create an exclusion rule that specifies not-a-virus:RemoteAdmin.Win32.RAdmin.22 as the classification. When you add an exclusion, a rule is created that several program components (File Anti-Virus, Mail Anti-Virus, Proactive Defense) and virus scan tasks can later use. You can create exclusion rules in a special window that you can open from the program settings window, from the notice about detecting the object, and from the report window. To add exclusions on the Exclusion Mask tab: 1. Click on the Add button in the Exclusion Mask tab. 2. In the window that opens (see fig. 9), click the exclusion type in the Settings section: Object: exclusion of a certain object, directory, or files that match a certain
97. [Figure 103. List of monitored ports. The dialog notes: You are advised to restart your email program and web browser to apply the new settings.] This window provides a list of ports monitored by Kaspersky Internet Security. To scan data streams entering on all open network ports, select the option Monitor all ports. To edit the list of monitored ports manually, select Monitor only selected ports. To add a new port to the monitored port list: 1. Click on the Add button in the Port Settings window. 2. Enter the port number and a description of it in the appropriate fields in the New Port window. For example, there might be a nonstandard port on your computer through which data is being exchanged with a remote computer using the HTTP protocol, which is monitored by Web Anti-Virus. To analyze this traffic for malicious code, you can add this port to a list of controlled ports. When any of its components starts, Kaspersky Internet Security opens port 1110 as a listening port for all incoming connections. If that port is busy at the time, it selects 1111, 1112, etc. as a listening port. If you use Kaspersky Internet Security and another company's firewall simultaneously, you must configure that firewall to allow the avp.exe process (the internal Kaspersky Internet Security process) access to all the ports listed above. For example, say your firewall contains a rule for iexplorer.exe tha
98. Select the Complete memory dump option from the drop-down list in the Write debugging information section of the Startup and Recovery window. By default, the dump file will be saved into the system folder as memory.dmp. You can change the dump storage folder by editing the folder name in the corresponding field. Reproduce the problem related to the operation of Kaspersky Internet Security. Make sure that the complete memory dump file was successfully saved. APPENDIX A. REFERENCE INFORMATION. This appendix contains reference materials on the file formats and extension masks used in Kaspersky Internet Security settings. A.1. List of files scanned by extension. If you select Scan programs and documents (by extension), File Anti-Virus will scan files with the extensions below in depth for viruses. Mail Anti-Virus will also scan these files if you enable attachment filtration. com: executable file for a program; exe: executable file or self-extracting archive; sys: system driver; prg: program text for dBase, Clipper or Microsoft Visual FoxPro, or a WAVmaker program; bin: binary file; bat: batch file; cmd: command file for Microsoft Windows NT (similar to a bat file for DOS), OS/2; dpl: compressed Borland Delphi library; dll: dynamic loading library; scr: Microsoft Windows splash screen; cpl: Microsoft Windows control panel module; ocx: Microsoft OLE (Object Linking and Embedding) object; tsp
99. TER 6. PROTECTION MANAGEMENT SYSTEM. Kaspersky Internet Security lets you multi-task computer security management: • Enable, disable, and pause (see 6.1 on pg. 63) the program. • Define the types of dangerous programs (see 6.2 on pg. 67) against which Kaspersky Internet Security will protect your computer. • Create an exclusion list (see 6.3 on pg. 68) for protection. • Create your own virus scan and update tasks (see 6.4 on pg. 77). • Configure a virus scan schedule (see 6.5 on pg. 78). • Configure power settings (see 6.6 on pg. 80) for antivirus protection. 6.1. Stopping and resuming protection on your computer. By default, Kaspersky Internet Security boots at startup and protects your computer the entire time you are using it. The words Kaspersky Internet Security 6.0 in the upper right-hand corner of the screen let you know this. All protection components (see 2.2 on pg. 24) are running. You can fully or partially disable the protection provided by Kaspersky Internet Security. Warning: Kaspersky Lab strongly recommends that you do not disable protection, since this could lead to an infection on your computer and consequent data loss. Note that in this case protection is discussed in the context of the protection components. Disabling or pausing protection components does not affect the performance of virus scan tasks or program updates. 6.1.1. Pausing protection. Pausing protection
100. The best method is to use the Training Wizard from the very onset of using Anti-Spam, as it can train Anti-Spam on a large number of emails. Note that you cannot train Anti-Spam with more than 50 emails per folder. If there are more emails in the folder, the program will use fifty for training. Additional training using special buttons in the email client interface is preferable when working directly with email. 13.2.1. Training Wizard. The Training Wizard trains Anti-Spam by indicating which mailbox folders contain spam and which contain accepted email. To open the Training Wizard: 1. Select Anti-Spam in the settings window. 2. Click the Training Wizard button in the Training section of the settings window. Training Wizard includes step-by-step procedures for training Anti-Spam. Use the Back and Next buttons to navigate between steps. Step One of the Training Wizard involves selecting folders that contain accepted email. At this stage, you must only select the folders whose contents you fully trust. Step Two of the Training Wizard consists of selecting folders that contain spam. If you don't have any spam, you can skip this step. In Step Three, Anti-Spam is automatically trained on the folders you selected. The emails in those folders populate the Anti-Spam database. The senders of accepted email are automatically added to the address white list. In Step Four, the results of trainin
101. [Figure 45. List of rules for the applications installed on a computer] The behavior of the buttons in this window depends on how the rules are grouped, that is, whether the checkbox Group the rules by application is checked or not. The rules on this tab can be grouped in one of two ways: • Application rules. If Group the rules by application is checked, then each application for which rules have been created will be shown on a single line in the list. The following information is given for every application: name and icon of the application, command prompt, root directory containing the application's executable file, and the number of rules created for it. Using the Edit button, you can go to the list of rules for the application selected on the list and edit it: add a new rule, edit existing ones, and change their relative priority. Using the Add button, you can add a new application to the list and create a rule for it. The Export and Import buttons are designed to transfer the rules to other computers, which helps to configure Anti-Hacker quickly. • General list of rules. If Group the rules by application is unchecked, then each line in the general list displays complete information for a rule
102. able hard drive or memory stick used to transfer files between the office and home computers. You can select an object for scanning with the standard tools of the Microsoft Windows operating system (for example, in the Explorer program window, on your Desktop, etc.). To scan an object: Place the cursor over the name of the selected object, open the Microsoft Windows context menu by right-clicking, and select Scan for viruses (see fig. 6). [Figure 6. Scanning an object selected using a standard Microsoft Windows context-sensitive menu] A scan of the selected object will then begin, and the details will be shown in a special window. When you click the Close button, the window with information about installation progress will be hidden. This will not stop the scan. 5.5. How to train Anti-Spam. One step in getting started is training Anti-Spam, using your emails to filter out junk. Spam is junk email, although it is difficult to say what constitutes spam for a given user. While there are email categories which can be applied to spam with a high degree of accuracy and generality (for example, mass emailings, advertisements), such emails could belong in the inbox of some users. Therefore, we ask that you determine for yourself what email is spam and what isn't. Kaspersky In
103. abled (see 16.4.4 on pg. 215). 16.2. Rolling back to the previous update. Every time you start the Updater, Kaspersky Internet Security creates a backup copy of the current threat signatures before it starts downloading updates. This way, you can return to using the previous version of signatures if an update fails. The rollback option can be helpful if, for example, the update process fails because of a connection error. You can roll back to the previous threat signatures and try to update them again later. To roll back to the previous version of threat signatures: 1. Select the Update component in the Service section of the main program window. 2. Click the Rollback button in the right panel of the main program window. 16.3. Creating update tasks. Kaspersky Internet Security has a built-in update task for updating program modules and threat signatures. You can also create your own update tasks with various settings and start schedules. For example, you installed Kaspersky Internet Security on a laptop that you use at home and at your office. At home, you update the program from the Kaspersky Lab update servers, and at the office, from a local folder that stores the updates you need. Use two different tasks to avoid having to change update settings every time you change locations. To create an advanced update task: 1. Select Update from the Service section of the main program window ope
104. aded on startup, boot sectors on the hard drive, and the Windows system directories. The task aims to detect active viruses quickly without fully scanning the computer. My Computer: Scans for viruses on your computer with a thorough inspection of all disk drives, memory, and files. Startup Objects: Scans for viruses in all programs that are loaded automatically on startup, plus RAM and boot sectors on hard drives. There is also the option to create other virus scan tasks and create a schedule for them. For example, you can create a scan task for email databases once per week, or a virus scan task for the My Documents folder. 2.2.3. Program tools. Kaspersky Internet Security includes a number of support tools, which are designed to provide real-time software support, expanding the capabilities of the program and assisting you as you go. Updater: In order to be prepared for a hacker attack, or to delete a virus or some other dangerous program, Kaspersky Internet Security needs to be kept up to date. The Updater component is designed to do exactly that. It is responsible for updating the Kaspersky Internet Security threat signatures and program modules. The Update Distribution feature enables you to save updates for the threat signature and network attack databases, as well as application modules, retrieved from Kaspersky Lab servers, and then give other computers access to them to save bandwidth
105. all. If you did not initialize the connection, it is very probable that it was configured by a malicious program. If you want to allow connections to be made to certain numbers without being asked to confirm them every time, you must add them to the trusted number list. To do so: 1. Open the Kaspersky Internet Security settings window and select Anti-Spy in the settings tree. 2. Click Trusted numbers in the Anti-Dialer section. 3. Click Add in the window that opens (see fig. 43) and enter a number or a mask for legitimate telephone numbers. [Figure 43. Creating a trusted address list] Tip: When entering a trusted number mask, you can use the characters * or ?. For example, 79787 will cover any numbers beginning with 79787 for which the area code is five digits. The new telephone number will be added at the top of the trusted number list. To stop using the number exclusion that you have added, just uncheck the box next to it on the list. If you want to remove an exclusion entirely, select it on the list and click Delete. CHAPTER 12. ANTI-HACKER. Today computers have become quite vulnerable when connected to the Internet. They are subjected both to virus infections and to other types of attacks that take advantage of vulnerabilities in operating systems and software. The Kaspersky Internet Security A
106. am and a Kaspersky Anti-Spam tab of settings (see 13.3.9 on pg. 181) in the Options dialog box (menu item Tools > Options). Microsoft Outlook Express, in addition to the Spam and Accepted buttons, adds a Configure button to the task panel that opens a window with actions (see 13.3.10 on pg. 184) when spam is detected. In The Bat! there are no such buttons, although the program can be trained using the special items Mark as spam and Mark as NOT spam on the Special menu. If you decide that the currently open email is spam, click the Spam button. If the email is not spam, click Accepted. After this, Anti-Spam will be training itself using the email. If you select several emails, all of them will be used for training. Warning: In cases when you need to immediately select several emails, or are certain that a certain folder only contains emails of one group (spam or not spam), you can take a multi-faceted approach to training using the Training Wizard (see 13.2.1 on pg. 168). 13.2.4. Training in Anti-Spam reports. You have the option of training Anti-Spam through its reports. To view the component's reports: 1. Select Anti-Spam in the Protection section of the main program window. 2. Left-click in the Statistics box (see fig. 55). The component's reports can help you make a conclusion about the accuracy of its configuration and, if necessary, make certain corrections to Anti-Spam
107. an task for the My Documents folder. In addition, you can scan any object for viruses (for example, a portable hard drive used for transferring files between office and home) without creating a special scan task. You can select an object to scan from the Kaspersky Internet Security interface or with the standard tools of the Microsoft Windows operating system (for example, in the Explorer program window or on your Desktop). You can view a complete list of virus scan tasks for your computer by clicking on Scan in the left-hand pane of the main application window. 14.1. Managing virus scan tasks. You can run a virus scan task manually or automatically using a schedule (see 6.5 on pg. 78). To start a virus scan task manually: Check the box beside the task name in the Scan section of the main program window and click the button on the status bar. The tasks currently being performed are displayed in the context menu by right-clicking on the system tray icon. To pause a task: Click the [icon] button on the status bar. The task status will change to paused. This will pause the scan until you start the task again manually or it starts again automatically according to the schedule. To stop a task: Click the [icon] button on the status bar. The task status will change to stopped. This will stop the scan until you start the task again manually or it starts again automatically according to the schedule. The
108. anced tab (see Figure 76), and in the field below, specify the shared folder where updates retrieved will be placed. You can enter the path manually or select it in the window that opens when you click Browse. If the checkbox is selected, updates will automatically be copied to this folder when they are retrieved. [Figure 76. Copy updates tool settings] You can also specify the method for update distribution: • complete, which copies threat signatures and component updates for all Kaspersky Lab 6.0 applications. To select complete updates, select the Copy updates for all components checkbox. • custom, which only copies threat signatures and updates for the Kaspersky Internet Security 6.0 components that are installed. If you want to select this update method, you must deselect the Copy updates for all components checkbox. Note that Kaspersky Internet Security 6.0 only retrieves update packages for v. 6.0 applications from the Kaspersky Lab update servers. If you want other computers on the network to update from the folder that contains updates copied from the Internet, you must take the following steps: 1. Grant public access to this folder. 2. Sp
109. angerous object. Prompt for action: File Anti-Virus issues a warning message containing information about what malicious program has infected or potentially infected the file, and gives you a choice of actions. The choice can vary depending on the status of the object. Block access: File Anti-Virus blocks access to the object. Information about this is recorded in the report (see 17.3 on pg. 225). Later you can attempt to disinfect this object. Block access, Disinfect: File Anti-Virus will block access to the object and will attempt to disinfect it. If disinfection fails, the file will be assigned the status of potentially infected, and it will be moved to Quarantine (see 17.1 on pg. 219). Information about this is recorded in the report. Later you can attempt to disinfect this object. Block access, Disinfect, Delete if disinfection fails: File Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object cannot be disinfected, it is deleted. A copy of the object will be stored in Backup (see 17.2 on pg. 223). Block access, Disinfect, Delete: File Anti-Virus will block access to the object and will delete it. When disinfecting or deleting an object, Kaspersky Internet Security creates a backup copy before it attempts to treat the object or delete it, in case the object needs to be restored
110. anner ad black lists. In addition to the standard list of banners blocked (see 11.1.2.1 on pg. 138) by Anti-Banner, you can create your own list. To do so: 1. Open the Kaspersky Internet Security settings window and select Anti-Spy in the settings tree. 2. Click the Settings button in the blocked banners section. 3. Open the Black list tab. Using the Add button, enter a mask for the banner that you want Anti-Banner to block. You can either specify the whole or a partial URL for the banner, or a mask. In the latter case, when a banner attempts to load, the program will scan its address for the mask. When creating a mask, you can use the wildcards * or ?, where * represents a sequence of characters and ? any one character. To stop using a mask that you created, you can either delete it from the list or uncheck the box next to it. Using the Import and Export buttons, you can copy the list of blocked banners from one computer to another. 11.1.3. Creating an Anti-Dialer trusted number list. The Anti-Dialer component monitors telephone numbers used to secretly connect to the Internet. A connection is considered secret if it is configured not to inform the user of the connection, or if it is a connection that you do not initialize. Whenever a secret connection is attempted, the program notifies you by issuing a special message on the screen, which prompts the user to either allow or block the phone c
111. are modified: the markings SPAM or Probable Spam are added to the subject line. You can select additional actions for spam or potential spam. In Microsoft Office Outlook, Microsoft Outlook Express, and The Bat!, special plug-ins are provided to do so. For other email clients, you can configure the filtration rules. 13.3.9. Configuring spam processing in Microsoft Office Outlook. Note that there is no spam plug-in for Microsoft Office Outlook if you are running the application under Windows 9x. This option is only supported for the 32-bit build of Microsoft Office Outlook for computers running Microsoft Windows XP Professional x64 Edition and Microsoft Windows Vista x64. Email that is classified by Anti-Spam as spam or potential spam is by default marked with special markings, SPAM or Probable Spam, in the Subject line. Additional actions for spam and potential spam in Microsoft Office Outlook can be found on the special Kaspersky Anti-Spam tab on the Tools > Options menu (see fig. 61). [Figure 61: screenshot of the Anti-Spam tab in the Microsoft Office Outlook Options dialog]
112. ate box. You can configure the schedule by clicking Change. The default setting for this automatic scan is disabled. Full computer scan: For a full virus scan of your computer to run automatically, check the appropriate box. You can configure the schedule by clicking Change. The default setting for scheduled running of this task is disabled. However, we recommend running a full virus scan of your computer immediately after installing the program. 3.2.6. Restricting program access. Since several people with different levels of computer literacy might use a personal computer, and since malicious programs can disable protection, you have the option of password-protecting access to Kaspersky Internet Security. Using a password can protect the program from unauthorized attempts to disable protection or change settings. To enable password protection, check Enable password protection and complete the New password and Confirm fields. Select the area below that you want password protection to apply to: All operations (except notifications of dangerous events): Request password if the user attempts any action with the program, except for responses to notifications on detection of dangerous objects. Selected operations: Saving program settings: request password when a user attempts to save changes to program settings. Exiting the program: request password if a user attempts to close the program. Stopping/pausing protection com
113. ation procedure. You can install the other program components later, although you will need your installation disk to do so. You are advised to copy the installation disk to your hard drive. You can install the application in the following ways: • Using the installation wizard (see 3.1 on pg. 31). • From the command prompt (see 3.3 on pg. 43). 3.1. Installation procedure using the Installation Wizard. Before beginning Kaspersky Internet Security installation, we recommend closing all other applications. To install Kaspersky Internet Security on your computer, open the Windows Installer file on the installation CD. Note: Installing the program with an installer package downloaded from the Internet is identical to installing it from an installation CD. An installation wizard will open for the program. Each window contains a set of buttons for navigating through the installation process. Here is a brief explanation of their functions: • Next: accepts an action and moves forward to the next step of installation. • Back: goes back to the previous step of installation. • Cancel: cancels product installation. • Finish: completes the program installation procedure. Let's take a closer look at the steps of the installation procedure. Step 1. Checking for the necessary system conditions to install Kaspersky Internet Security. Before the program is installed on your com
114. ation Settings window to configure email notification delivery settings, if that is the notification method that is being used (see 17.11.1.2 on pg. 258). 17.11.1.1. Types of events and notification delivery methods. During Kaspersky Internet Security operation, the following kinds of events arise: Critical notifications are events of a critical importance. Notifications are highly recommended, since they point to problems in program operation or vulnerabilities in protection on your computer. For example, threat signatures corrupt or license expired. Functional failures are events that lead to the application not working. For example, no license or threat signatures. Important notifications are events that must be investigated, since they reflect important situations in the operation of the program. For example, protection disabled or computer has not been scanned for viruses for a long time. Minor notifications are reference-type messages which generally do not contain important information. For example, all dangerous objects disinfected. To specify which events the program should notify you of and how: 1. Click the Settings link in the program's main window. 2. In the program settings window, select Service, check Enable notifications, and edit detailed settings by clicking the Advanced button. You can configure the following notification methods for the events listed above in the Notification settings
115. ause of errors. To do so, check Log non-critical events in the report settings window. Run the virus scan task (see 14.1 on pg. 188). When you run a scan, as suspicious or infected objects are detected, notifications will be displayed on screen with information about the objects, prompting the user for the next action to take. [Figure 71. Dangerous object detected] This way, by selecting different options for actions, you can test Kaspersky Internet Security reactions to detecting various object types. You can view details on virus scan task performance in the report on the component. CHAPTER 16. PROGRAM UPDATES. Keeping your anti-virus software up to date is an investment in your computer's security. Because new viruses, Trojans, and malicious software emerge daily, it is important to regularly update the application to keep your information constantly protected. This task is managed by the Updater component. Updating the application involves the following components being downloaded and installed on your computer: • Threat Signatures, network attack signatures, and network drivers. Information on your computer is protected using a database containing threat signatures and network attack profiles. The software components that provide protectio
116. ble or entirely inoperable. These attacks can damage or corrupt the targeted information resources and leave them unusable. There are two basic types of DoS attacks: • Sending the target computer specially created packets that the computer does not expect, which cause the system either to restart or to stop. • Sending the target computer many packets within a timeframe that the computer cannot process, which exhaust system resources. The following attacks are common examples of this type of attack: • Ping of death sends an ICMP packet greater than the maximum of 64 KB. This attack can crash some operating systems. • Land sends a request to an open port on your computer to establish a connection with itself. This sends the computer into a cycle, which intensifies the load on the processor and can end with some operating systems crashing. • ICMP Flood sends a large number of ICMP packets to your computer. The attack leads to the computer being forced to reply to each inbound packet, which seriously weighs down the processor. • SYN Flood sends a large number of queries to your computer to establish a fake connection. The system reserves certain resources for each of those connections, which completely drains your system resources, and the computer stops reacting to other connection attempts. Intrusion attacks, which aim to take over your computer. This is the most dangerous type of attack
117. bout a particular user or organization without their knowledge. Spyware often escapes detection entirely. In general, the goal of spyware is to: • trace user actions on a computer; • gather information on the contents of your hard drive; in such cases, this usually involves scanning several directories and the system registry to compile a list of software installed on the computer; • gather information on the quality of the connection, bandwidth, modem speed, etc. Riskware: Potentially dangerous applications include software that has no malicious features but could form part of the development environment for malicious programs or could be used by hackers as auxiliary components for malicious programs. This program category includes programs with backdoors and vulnerabilities, as well as some remote administration utilities, keyboard layout togglers, IRC clients, FTP servers, and all-purpose utilities for stopping processes or hiding their operation. Another type of malicious program that is similar to adware, spyware, and riskware are programs that plug into your web browser and redirect traffic. The web browser will open different web sites than those intended. Jokes: Joke software does not do any direct damage, but displays messages stating that damage has already been done or will be under certain conditions. These programs often warn the user of non-existent dangers, such as messages that warn of formatting the hard drive (although
118. box. • Basic information on the operating system installed on your computer is shown in the System info box. • Basic information about the license you purchased for Kaspersky Internet Security is contained in the License info box. You will need all this information when you contact Kaspersky Lab Technical Support (see 17.5 on pg. 242). 17.5. Managing licenses. Kaspersky Internet Security needs a license key to operate. You are provided with a key when you buy the program. It gives you the right to use the program from the day you install the key. Without a license key, unless a trial version of the application has been activated, Kaspersky Internet Security will run in one update mode. The program will not download any new updates. If a trial version of the program has been activated, after the trial period expires, Kaspersky Internet Security will not run. When a commercial license key expires, the program will continue working, except that you will not be able to update threat signatures. As before, you will be able to scan your computer for viruses and use the protection components, but only using the threat signatures that you had when the license expired. We cannot guarantee that you will be protected from viruses that surface after your program license expires. To avoid infecting your computer with new viruses, we recommend extending your Kaspersky Internet Security license. The program will notify you t
119. can task My Computer task Critical Areas task Startup Objects task User defined task.
Components and tasks started from the command prompt are run with the settings configured with the program interface.
Examples:
To enable File Anti-Virus, type this at the command prompt:
avp.com START FM
To view the current status of Proactive Defense on your computer, type the following text at the command prompt:
avp.com STATUS BM
To stop a My Computer scan task from the command prompt, enter:
avp.com STOP SCAN MY COMPUTER password <your_password>
18.3. Anti-virus scans
The syntax for starting a virus scan of a certain area and processing malicious objects from the command prompt generally looks as follows:
avp.com SCAN <object scanned> <action> <action query> <file types> <exclusions> <configuration file> <report settings>
To scan objects, you can also start one of the tasks created in Kaspersky Internet Security from the command prompt (see 18.1 on pg. 266). The task will be run with the settings specified in the program interface.
Parameter description:
<object scanned>: this parameter gives the list of objects that will be scanned for malicious code. It can include several values from the following list, separated by spaces:
<files>: List of paths to the fi
120. cation scans all messages arriving at an Exchange Server via SMTP protocol, checking them for the presence of viruses using Kaspersky Lab's anti-virus technologies and for the presence of SPAM attributes. It filters out spam based on formal attributes (mail address, IP address, letter size, heading) and analyzes the content of messages and of their attachments using smart technologies, including unique graphic signatures for identifying graphic SPAM. The application scans both the message body and the attached files.
Kaspersky Mail Gateway
Kaspersky Mail Gateway is a comprehensive solution that provides complete protection for users of email systems. This application, installed between the corporate network and the Internet, scans all components of email messages for the presence of viruses and other malware (Spyware, Adware, etc.) and performs centralized anti-spam filtration of email stream. This solution also includes some additional email traffic filtration features. The application contains a number of advanced tools for filtering e-mail traffic by name and MIME attachments and a series of tools that reduce the load on the mail system and prevent hacker attacks.
Kaspersky Anti-Virus for Proxy Server
Kaspersky Anti-Virus for Proxy Server is an antivirus solution for protecting web traffic transferred over HTTP protocol through a proxy server. The application scans Internet traffic in real time
121. 18.10. Viewing Help
18.11. Return codes from the command line interface
CHAPTER 19. MODIFYING, REPAIRING, AND REMOVING THE PROGRAM
19.1. Modifying, repairing, and removing the program using Install Wizard
19.2. Uninstalling the program from the command prompt
CHAPTER 20. FREQUENTLY ASKED QUESTIONS
APPENDIX A. REFERENCE INFORMATION
A.1. List of files scanned by Extension
A.2. Possible file exclusion masks
A.3. Possible exclusion masks by Virus Encyclopedia classification
APPENDIX B. KASPERSKY LAB
B.1. Other Kaspersky Lab Products
B.2. Contact Us
APPENDIX C. LICENSE AGREEMENT
CHAPTER 1. THREATS TO COMPUTER SECURITY
As information technology has rapidly developed and penetrated many aspects of human existence, so the number and range of crimes aimed at br
122. ces allows users to identify and wipe out up to 95% of unwanted traffic. Installed at the entrance to a network, where it monitors incoming email traffic streams for spam, Kaspersky Anti-Spam acts as a barrier to unsolicited email. The product is compatible with any email system and can be installed on either an existing email server or a dedicated one. Kaspersky Anti-Spam's high performance is ensured by daily updates to the content filtration database, adding samples provided by the Company's linguistic laboratory specialists. Databases are updated every 20 minutes.
Kaspersky SMTP Gateway
Kaspersky SMTP Gateway for Linux/Unix is a solution designed for anti-virus processing of email transmitted via SMTP. The application contains a number of additional tools for filtering email traffic by name and MIME type of attachments and a number of tools reducing the load on the email system and preventing hacker attacks. DNS Black List support provides protection against emails coming from servers entered in these lists as sources distributing unwanted email (spam).
Kaspersky Security for Microsoft Exchange 2003
Kaspersky Security for Microsoft Exchange performs anti-virus processing of incoming and outgoing email messages, messages stored at the server, and letters in public folders. It filters out unsolicited correspondence using smart spam recognition techniques in combination with Microsoft technologies. The appli
123. cess. If installation is completed successfully, a message on the screen will advise you to restart your computer. After restarting your system, the Kaspersky Internet Security Setup Wizard will automatically launch. If there is no need for restarting your system to complete the installation, click Next to go on to the Setup Wizard.
3.2. Setup Wizard
The Kaspersky Internet Security 6.0 Setup Wizard starts after the program has finished installation. It is designed to help you configure the initial program settings to conform to the features and uses of your computer. The Setup Wizard interface is designed like a standard Windows Wizard and consists of a series of steps that you can move between using the Back and Next buttons, or complete using the Finished button. The Cancel button will stop the Wizard at any point. You can skip this initial settings stage when installing the program by closing the Wizard window. In the future, you can run it again from the program interface if you restore the default settings for Kaspersky Internet Security (see 17.12 on page 262).
3.2.1. Using objects saved with Version 5.0
This wizard window appears when you install the application on top of Kaspersky Anti-Virus 5.0. You will be asked to select what data used by version 5.0 you want to import to version 6.0. This might include quarantined or backup files or protection settings. To use this data in Version
124. ck type consists of sending a special type of UDP packets to a remote computer that can execute malicious code. Remember that while connected to the network, your computer is at constant risk of being attacked by a hacker. To ensure your computer's security, be sure to enable Anti-Hacker when using the Internet and regularly update hacker attack signatures (see 16.4.2 on pg. 211).
12.10. Blocking and allowing network activity
If the security level for the Firewall is set to Training Mode, a special notice appears on screen each time a network connection is attempted that has no rule. For example, after opening Microsoft Office Outlook, it downloads your email from a remote Exchange server. To display your Inbox, the program connects to the email server. Anti-Hacker always tracks this kind of network activity. A message will appear on the screen (see fig. 53) containing:
• Description of activity: name of the application and a brief description of the connection that it is initiating, generally including the connection type, the local port from which it is being initiated, the remote port, and the address being connected to. Left-click anywhere in the description section for more detailed information on the network activity. The window that opens will contain information on the connection, the process that initiated it, and the developer of the application.
• Action: series of operat
125. clicking Settings in the main program window.
2. Select Proactive Defense in the settings tree.
3. Click the Settings button in the Registry Guard section.
Kaspersky Lab has created a list of rules that control registry file operations and have included it in the program. Operations with registry files are categorised into logical groups such as System Security, Internet Security, etc. Each such group lists system registry files and rules for working with them. This list is updated when the rest of the application is updated. The Registry Guard settings window (see fig. 38) displays the complete list of rules. Each group of rules has an execution priority that you can raise or lower using the Move Up and Move Down buttons. The higher the group is on the list, the higher the priority assigned to it. If the same registry file falls under several groups, the first rule applied to that file will be the one from the group with the higher priority. You can stop using any group of rules in the following ways:
• Uncheck the box next to the group's name. Then the group of rules will remain on the list but will not be used.
• Delete the group of rules from the list. We do not recommend deleting the groups created by Kaspersky Lab, since they contain a list of system registry files most often used by malicious programs.
[Screenshot: Settings: Registry Guard window, Registry key groups list with columns Name, Keys, Rules]
126. components. These protection components defend your computer in real time:
File Anti-Virus
A file system can contain viruses and other dangerous programs. Malicious programs can remain inactive in your file system for years after one day being copied from a floppy disk or from the Internet, without showing themselves at all. But you need only act upon the infected file, and the virus is instantly activated. File Anti-Virus is the component that monitors your computer's file system. It scans all files that can be opened, executed, or saved on your computer and all connected disk drives. The program intercepts every attempt to access a file and scans the file for known viruses, only making the file available to be used further if it is not infected or is successfully disinfected by File Anti-Virus. If a file cannot be disinfected for any reason, it will be deleted, with a copy of the file either saved in Backup (see 17.2 on pg. 223) or moved to Quarantine (see 17.1 on pg. 219).
Mail Anti-Virus
Email is widely used by hackers to spread malicious programs and is one of the most common methods of spreading worms. This makes it extremely important to monitor all email. The Mail Anti-Virus component scans all incoming and outgoing email on your computer. It analyzes emails for malicious programs, only granting the addressee access to the email if it is free of dangerous objects.
Web Anti-Virus
By open
127. computer.
• Delete any quarantined object or group of selected objects. Only delete objects that cannot be disinfected. To delete the objects, select them in the list and click Delete.
17.1.2. Setting up Quarantine
You can configure the settings for the layout and operation of Quarantine, specifically:
• Set up automatic scans for objects in Quarantine after each threat signature update (for more details, see 16.4.4 on pg. 215).
Warning: The program will not be able to scan quarantined objects immediately after updating the threat signatures if you are accessing the Quarantine area.
• Set the maximum Quarantine storage time. The default storage time is 30 days, at the end of which objects are deleted. You can change the Quarantine storage time or disable this restriction altogether.
To do so:
1. Open the Kaspersky Internet Security settings window by clicking Settings in the main program window.
2. Select Data files from the settings tree.
3. In the Quarantine & Backup section (see fig. 78), enter the length of time after which objects in Quarantine will be automatically deleted. Alternately, uncheck the checkbox to disable automatic deletion.
[Figure 78: Configuring the Quarantine storage period]
17.2. Backup copies of dangerous objects
Sometimes when objects are disinfected, their integrity is lo
128. computer can. The program includes filtering packet rules devised by Kaspersky Lab which determine whether data packets are dangerous or not. Depending on the security level selected for the Firewall and the type of network the computer is running on, the list of rules can be used in various ways. Thus, for example, on the Maximum security level all network activity not covered by allow rules is blocked.
Warning: Note that rules for security zones have higher priority than blocking packet rules. Thus, for example, if you select the status Local Area Network, packet exchanges will be allowed and so will access to shared folders, regardless of blocking packet rules.
To work with the list of packet filtering rules:
1. Click Settings in the Firewall section of the Anti-Hacker settings window.
2. In the window that opens, select the Rules for packet filtering tab (see fig. 47).
[Screenshot: Settings: Anti-Hacker window, Rules for packet filtering tab]
129. contact the Kaspersky Lab Technical Support Service.
The third indicator shows the current functionality of the program. The indicator takes one of the following values:
• All protection components are running. Kaspersky Internet Security is protecting your computer on all channels by which malicious programs could penetrate. All protective components are enabled.
• Protection is not installed. When Kaspersky Internet Security was installed, none of the monitoring components were installed. This means you can only scan for viruses. For maximum security, you should install protection components on your computer.
• Some protection components are paused. One or more protection components has been paused. In order to restore the inactive component, select it from the list and click P.
• All protection components are paused. All protection components have been paused. To restore the components, select Resume protection from the context menu by clicking on the system tray icon.
• Some protection components are disabled. One or several protection components is stopped. This could lead to your computer becoming infected and losing data. You are strongly advised to enable protection. To do so, select an inactive component from the list and click P.
• All protection components are disabled. Protection is fully disabled. To restore the components, select Resume protection from the context menu by clicking o
130. controlled by checking the box Enable Office Guard, which is checked by default. You can select which macros are considered dangerous and what to do to them (see 10.1.3 on pg. 126). This Proactive Defense component is not available under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, or Microsoft Windows Vista x64.
You can configure exclusions (see 6.3.1 on pg. 69) for Proactive Defense modules and create a trusted application list (see 6.3.2 on pg. 74). The following sections examine these aspects in more detail.
10.1.1. Activity control rules
Note that configuring application control under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, or Microsoft Windows Vista x64 differs from the configuration process on other operating systems. Information about configuring activity control for these operating systems is provided at the end of this section.
Kaspersky Internet Security monitors application activity on your computer. The application includes a set of event descriptions that can be tracked as dangerous. A monitoring rule is created for each such event. If the activity of any application is classified as a dangerous event, Proactive Defense will strictly adhere to the instructions stated in the rule for that event. Select the Enable Activity Analysis checkbox if you want to monitor the activity of applications. Let's take a look at several ty
131. criteria, the next steps taken by the component match the instructions specified in the rule: usually, the activity is blocked. A message will be displayed on the screen specifying the dangerous program, its activity type, and a history of actions taken. You must accept the decision, block or allow this activity, on your own. You can create a rule for the activity and cancel the actions taken in the system.
10.1. Proactive Defense settings
The categories of settings (see fig. 32) for the Proactive Defense component are as follows:
• Whether application activity is monitored on your computer. This Proactive Defense feature is enabled by checking the box Enable Application Activity Analyzer. By default this mode is enabled, which ensures that the actions of any programs opened on your computer will be closely tracked and compared to a configurable list of dangerous activities. You can configure the order in which applications are processed (see 10.1 on pg. 117) for that activity. You can also create Proactive Defense exclusions, which will stop the monitoring of selected applications.
• Whether Application Integrity Control is enabled. This feature is responsible for the integrity of application modules (dynamic link libraries, or DLLs) installed on your computer, and is enabled by checking the box Enable Application Integrity Control box. Integrity is tracked by monitoring the checksum of the application modules and
132. [Figure 47: List of packet filtering rules]
The following information is given for every packet filtering rule: name of the rule, the action (i.e. whether to allow or block the packet transfer), the data transfer protocol, the direction of the packet, and the network connection settings used to transfer the packet. If the box beside the name of the rule is checked, the rule will be used. You can work with the rule list using the buttons to the right of the list.
To create a new packet filtration rule:
Click the Add button on the Rules for packet filtering tab. The New rule window that opens has a form that you can use to fine-tune a rule (see next section).
12.4. Fine-tuning rules for applications and packet filtering
The New rule window for advanced rule settings is practically identical for applications and data packets (see Figure 48).
[Screenshot: New rule window]
133. d.
• A file that you or some program is opening, saving, or running is being scanned.
• Kaspersky Internet Security threat signatures and program modules are being updated.
• An error has occurred in some Kaspersky Internet Security component.
The icon also provides access to the basics of the program interface: the context menu (see 4.2 on pg. 46) and the main window (see 4.3 on pg. 47). To open the context menu, right-click on the program icon. To open the Kaspersky Internet Security main window at the Protection section (this is the default first screen when you open the program), double-click the program icon. If you single-click the icon, the main window will open at the section that was active when you last closed it.
4.2. The context menu
You can perform basic protection tasks from the context menu (see fig. 1).
[Figure 1: The context menu]
The Kaspersky Internet Security menu contains the following items:
• Scan My Computer: launches a complete scan of your computer for dangerous objects. The files on all drives, including removable storage media, will be scanned.
• Virus scan: selects objects and starts scanning them for viruses. The default list contains a number of files, such as the My Documents folder, the Startup folder, email databa
134. d objects
17.1.1. Actions with quarantined objects
17.1.2. Setting up Quarantine
17.2. Backup copies of dangerous objects
17.2.1. Actions with backup copies
17.2.2. Configuring Backup settings
17.3. Reports
17.3.1. Configuring report settings
17.3.2. The Detected tab
17.3.3. The Events tab
17.3.4. The Statistics tab
17.3.5. The Settings tab
17.3.6. The Macros tab
17.3.7. The Registry tab
17.3.8. The Phishing tab
17.3.9. The Popups tab
17.3.10. The Banners tab
17.3.11. The Hidden Dials tab
17.3.12. The Network Attacks tab
17.3.13. The Banned Hosts tab
17.3.14. The Application Activity tab
17.3.15. The Packet Filtering tab
17.3.16. Th
135. d or after the program is restarted. You can also resume file protection manually by clicking the P button located on the status bar.
• File Anti-Virus: stopped. The component has been stopped by the user. You can resume file protection manually by clicking the button located on the status bar.
• File Anti-Virus: not running. File protection is not available for some reason. For example, you do not have a license key for the program.
• File Anti-Virus: disabled (error). The component encountered an error. If this occurs, contact Kaspersky Lab's Technical Support.
If the component contains several modules, the Status section will contain information on the status of each of them. For components that do not have individual modules, their status, security level, and, for some components, the response to dangerous programs are displayed. There is no Status box for virus scan and update tasks. The security level, the action applied to dangerous programs for virus scan tasks, and the run mode for updates are listed in the Settings box. The Statistics box contains information on the operation of protection components, updates, or virus scan tasks.
5.1.3. Program performance statistics
Program statistics can be found in the Statistics box of the main window's Protection section and display general information on computer protection, recorded from the time that Kaspersky Internet Security was installed
136. d since the last time the task was run. This saves disk space by reducing the report size. If Keep only recent events is checked, the report will begin from scratch every time you restart the task. However, only non-critical information will be overwritten.
• Set the storage time for reports. By default, the report storage time is 30 days, at the end of which the reports are deleted. You can change the maximum storage time or remove this restriction altogether.
[Figure 81: Configuring report settings]
17.3.2. The Detected tab
To view detected objects:
In the main application window, click on Data Files in the Service area on the left-hand panel. Click anywhere in the Reports section to open the Protection window, which will open at the Reports tab. Select a scan task in the list of reports and click on the Details button to open a detailed report on the scan task. The window will open at the Detected tab.
This tab (see fig. 82) contains a list of dangerous objects detected by Kaspersky Internet Security. The full filename and path is shown for each object, with the status assigned to it by the program when it was scanned or processed. If you want the list to contain both dangerous objects and successfully neutralized objects, check Show disinfected objects.
[Screenshot: report window tabs Detected, Events, Statistics, Settings]
137. d you will be asked if you want to process the objects.
• Prompt for action during scan. The program will issue a warning message containing information about what malicious code has infected or potentially infected the file, and gives you the choice of one of the following actions.
• Do not prompt for action. The program records information about objects detected in the report without processing them or notifying the user. You are advised not to use this feature, since infected and potentially infected objects stay on your computer and it is practically impossible to avoid infection.
• Do not prompt for action, Disinfect. The program attempts to treat the object detected without asking the user for confirmation. If disinfection fails, the file will be assigned the status of potentially infected, and it will be moved to Quarantine (see 17.1 on pg. 219). Information about this is recorded in the report (see 17.3 on pg. 225). Later you can attempt to disinfect this object.
• Do not prompt for action, Disinfect, Delete if disinfection fails. The program attempts to treat the object detected without asking the user for confirmation. If the object cannot be disinfected, it is deleted.
• Do not prompt for action, Disinfect, Delete. The program automatically deletes the object.
When disinfecting or deleting an object, Kaspersky Internet
138. der.
• Folder where rescue disk files will be saved before burning the CD. If you are not creating an emergency disk for the first time, this folder will already contain a set of files made the last time. To use files saved previously, check the corresponding box. Note that a previous version of the rescue disk files will contain outdated threat signatures. To optimally analyze the computer for viruses and to restore the system, we recommend updating threat signatures and creating a new version of the rescue disk.
• The Microsoft Windows XP Service Pack 2 installation CD.
After entering the paths to the folders required, click Next. PE Builder will start up and the rescue disk creation process will begin. Wait until the process is complete. This could take several minutes.
17.10.1.2. Creating an .iso file
After PE Builder has completed creating the rescue disk files, a Create .iso file window will open. The .iso file is a CD image of the rescue disk, saved as an archive. The majority of CD burning programs correctly recognize .iso files (Nero, for example). If this is not the first time that you have created a rescue disk, you can select the .iso file from the previous disk. To do so, select Existing .iso file.
17.10.1.3. Burning the disk
This Wizard window will ask you to choose whether to burn the rescue disk files to CD now or later. If you chose to burn the disk right away, specify wh
139. der by clicking the Browse button and selecting it in the folder selection window, or by entering the path to the folder in the field available. Remember that if you enter the full installation folder name manually, it must not exceed 200 characters or contain special characters. To continue installation, click the Next button.
Step 5. Selecting an installation type
In this stage, you select how much of the program you want to install on your computer. You have three options:
• Complete. If you select this option, all Kaspersky Internet Security components will be installed. The installation will recommence with Step 7.
• Custom. If you select this option, you can select the program components that you want to install. For more, see Step 6.
• Anti-virus features. This option installs only the components that protect you against viruses. Anti-Hacker, Anti-Spam, and Anti-Spy will not be installed.
To select a setup type, click the appropriate button.
Step 6. Selecting program components to install
You will only see this step if you select the Custom setup type. If you selected Custom installation, you can select the components of Kaspersky Internet Security that you want to install. By default, all components are selected. To select the components you want to install, right-click the icon alongside a component name and select Will be installed on local hard drive fr
140. [Figure 36: Configuring the trusted module list]
If you install programs on your computer, you can ensure that those with modules signed by Microsoft are automatically added to the trusted modules list. To do this, check Automatically add components signed by Microsoft Corporation to this list. Then, if a controlled application attempts to load the Microsoft-signed module, Proactive Defense will automatically allow the module to load without checking and add it to the list of shared components. To add to the trusted module list, click Add and select the module in the standard file selection window.
10.1.3. Office Guard
This Proactive Defense component does not work under Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, or Microsoft Windows Vista x64.
You can enable scanning and processing of dangerous macros run on your computer by checking Enable Office Guard (see fig. 32). This box is c
141. [Figure 3: Kaspersky Internet Security settings window]
CHAPTER 5. GETTING STARTED
One of Kaspersky Lab's main goals in creating Kaspersky Internet Security was to provide optimum configuration for each of the program's options. This makes it possible for a user with any level of computer literacy to quickly protect their computer straight after installation. However, configuration details for your computer, or the jobs you use it for, can have their own specific requirements. That is why we recommend performing a preliminary configuration to achieve the most flexible, personalized protection of your computer. To make getting started easier, we have combined all the preliminary configuration stages in one Setup Wizard (see 3.2 on pg. 35) that starts as soon as the program is installed. By following the Wizard's instructions, you can activate the program, configure settings for updates and virus scans, password-protect access to the program, and configure Anti-Hacker to match your network's properties.
After installing and starting the program, we recommend that you take the following steps:
• Check the current protection status (see 5.1 on pg. 52) to make sure that Kaspersky Internet Security is ru
142. e 110 Program password protection settings. 17.11.3 Resolving conflicts between Kaspersky Internet Security and other programs. In some cases, Kaspersky Internet Security may cause conflicts with other applications installed on a computer. This is because those programs have built-in self-defense mechanisms that turn on when Kaspersky Internet Security attempts to inspect them. These applications include the Authentica plug-in for Acrobat Reader, which verifies access to .pdf files, Oxygen Phone Manager II, and some computer games that have digital rights management tools. To fix this problem, check Compatibility with application self-defense in the Service section of the application settings window. You must restart your operating system for this change to take effect. However, note that if you select the checkbox, some Kaspersky Internet Security features, specifically Office Guard and Anti-Dialer, will not work. If you enable either of these components, compatibility with application self-defense will be disabled automatically. Once enabled, these components will only begin running after you restart the application. 17.12 Importing and exporting Kaspersky Internet Security settings. Kaspersky Internet Security allows you to import and export settings. This feature is useful when, for example, the program is installed both on your home computer and in your office. You can configure the program
143. e Established Connections tab; 17.3.17 The Open Ports tab; 17.3.18 The Traffic tab; 17.4 General information about the program; 17.5 Managing licenses; 17.6 Technical support; 17.7 Creating a monitored port list; 17.8 Checking your SSL connection; 17.9 Configuring the Kaspersky Internet Security interface; 17.10 Rescue disk; 17.10.1 Creating a rescue disk; 17.10.1.1 Getting ready to write the disk; 17.10.1.2 Creating an .iso file; 17.10.1.3 Burning the disk; 17.10.1.4 Finishing creating a rescue disk; 17.10.2 Using the rescue disk; 17.11 Using advanced options; 17.11.1 Kaspersky Internet Security event notifica
144. e and the volume of data sent and received. You can create or delete rules for connection. To do so, use the appropriate options on the context menu, which you can open by right-clicking on the list of connections. [Figure 97: List of established connections] 17.3.17 The Open Ports tab. All ports currently open on your computer for network connections are listed on the Open ports tab (see fig. 98). It lists the port number, data transfer protocol, name of the application that uses the port, and how long the port has been open, for each port.
145. e as an exclusion and checked the subfolder option, the file winword.exe will be excluded from the scan if found in any C:\Program Files subfolders. Enter the full name of the threat that you want to exclude from scans as given in the Virus Encyclopedia, or use a mask (see A.3 on pg. 285) for the Verdict. You can add advanced settings for the following verdicts, among others: ◦ Invader (injects into program processes). For this verdict, you can give a name, mask, or complete path to the object being injected into (for example, a .dll file) as an additional exclusion condition. ◦ Opening Internet Browser. For this verdict, you can list browser open settings as additional exclusion settings. For example, you blocked browsers from opening with certain settings in the Proactive Defense application activity analysis. However, you want to allow the browser to open for the domain www.kasperky.com with a link from Microsoft Office Outlook as an exclusion rule. To do so, select Outlook as the exclusion Object and Opening Internet Browser as the Verdict, and enter an allowed domain mask in the Advanced settings field. 4. Define which Kaspersky Internet Security components will use this rule. If any is selected, this rule will apply to all components. If you want to restrict the rule to one or several components, click on any, which will change to selected. In the window that opens, check the boxes for the comp
146. e white list contains key phrases from emails that you marked as accepted, and addresses of trusted senders who would not send spam. The white list is filled manually, and the list of senders' addresses is done automatically while training the Anti-Spam component. You can edit this list. To configure the white list: 1. Select Anti-Spam in the Kaspersky Internet Security settings window. 2. Click the Settings button in the right-hand part of the settings window. 3. Open the White list tab (see fig. 58). The tab is divided into two sections: the upper portion contains the addresses of senders of good email, and the lower contains key phrases from such emails. To enable phrase and address white lists during spam filtration, check the corresponding boxes in the Allowed senders and Allowed phrases sections. You can edit the lists using the buttons in each section. [Figure 58: Configuring address and phrase white lists] You can assign both addresses and address masks in the address list. When entering an address, the use of capitals is ignored. Let's look at some examples
147. eaching information security has grown. Cyber criminals have shown great interest in the activities of both state structures and commercial enterprises. They attempt to steal or disclose confidential information, which damages business reputations, disrupts business continuity, and may impair an organization's information resources. These acts can do extensive damage to assets, both tangible and intangible. It is not only big companies who are at risk; individual users can also be attacked. Criminals can gain access to personal data (for instance, bank account and credit card numbers and passwords), or cause a computer to malfunction. Some types of attacks can give hackers complete access to a computer, which can then be used as part of a "zombie network" of infected computers to attack servers, send out spam, harvest confidential information, and spread new viruses and Trojans. In today's world, it is widely acknowledged that information is a valuable asset which should be protected. At the same time, information must be accessible to those who legitimately require it (for instance, employees, clients and partners of a business). Hence the need to create a comprehensive information security system, which must take account of all possible sources of threats, whether human, man-made, or natural disasters, and use a complete array of defensive measures at the physical, administrative and software levels. 1.1 Sources of Threats. A person a
148. eceive a link to a phishing site via email or through an instant messenger program. Anti-Phishing tracks attempts to open phishing sites and blocks them. The Kaspersky Internet Security threat signatures include the addresses of all phishing sites currently known. Kaspersky Lab specialists populate the list with addresses obtained from the Anti-Phishing Working Group, an international organization. Sites are added to the list by updating threat signatures. • The Popup Blocker component blocks access to Internet resources with advertising, such as popup windows. The information in these windows is generally not of benefit to you. These windows open automatically when you open a certain website or go to a different window using a hyperlink. They contain advertisements and other information that you did not request. The Popup Blocker component blocks these windows, and a special message above the system tray icon informs you about it. You can determine directly in this message if you want to block the window or not. Popup Blocker works correctly with the popup blocking module in Microsoft Internet Explorer included in Service Pack 2 for Microsoft Windows XP. When you install Kaspersky Internet Security, a plug-in is installed in the browser that lets you allow popup windows directly from the browser. Some sites use popup windows legitimately to deliver information more quickly and conveniently. If you use such sites
149. ecently malware has increasingly included programs that aim to: • Steal your confidential information, including passwords, credit card numbers, important documents, etc. • Track your actions on the computer and analyze the software installed on it. • Deliver obtrusive advertising content in web browsers, popup windows, and banners in various programs. • Gain unauthorized access to the Internet from your computer to various websites. Phishing and keyloggers focus on stealing your information; autodialers, joke programs, and adware aim to waste your time and money. Protecting you from these programs is what Anti-Spy is designed to do. Anti-Spy includes the following modules: • The Anti-Phishing component protects you against phishing. Phishing generally consists of emails from supposed financial institutions that contain links to their websites. The message text convinces the reader to click a link and enter confidential information into a web page, for example, a credit card number or a login and password for a real Internet banking site. A common example of phishing is an email purporting to come from your bank with a link to the official site. By clicking the link, you go to an exact copy of the bank's website and can even see the address in the browser's address bar, but are looking at a page of a counterfeit site. From this point forward, all actions which you take on the site are tracked and can be used to steal your money. You might r
150. ecify the shared folder as the update source on the network computers in the Updater settings. 16.4.5 Actions after updating the program. Every threat signature update contains new records that protect your computer from the latest threats. Kaspersky Lab recommends that you scan quarantined objects and startup objects each time after the database is updated. Why should these objects be scanned? The quarantine area contains objects that have been flagged by the program as suspicious or possibly infected (see 17.1 on pg. 219). Using the latest version of the threat signatures, Kaspersky Internet Security may be able to identify the threat and eliminate it. By default, the application scans quarantined objects after each threat signature update. You are also advised to periodically view the quarantined objects, because their statuses can change after several scans. Some objects can then be restored to their previous locations, and you will be able to continue working with them. To disable scans of quarantined objects, uncheck Rescan Quarantine in the Actions after Update section. Startup objects are critical for the safety of your computer. If one of them is infected with a malicious application, this could cause an operating system startup failure. Kaspersky Internet Security has a built-in scan task for startup objects (see Chapter 14 on pg. 187). You are advised to set up a schedule for this task so that it
151. econd indicator in the main program window informs you that your computer is out of date (see 5.1.1 on pg. 53). • A recommendation that the application needs updating appears in the message section in the main program window (see 4.3 on pg. 47). 16.4.3 Configuring connection settings. If you set up the program to retrieve updates from Kaspersky Lab's update servers or from other FTP or HTTP sites, you are advised to first check your connection settings. All settings are grouped on a special tab, LAN Settings (see fig. 75). [Figure 75: Configuring network update settings] Check Use passive FTP mode if possible if you download the updates from an FTP server in passive mode (for example, through a firewall). If you are working in active FTP mode, clear this checkbox. In the Connection timeout (sec) field, assign the time allotted for connection with the update server. If the connection fails, once this time has elapsed the program will attempt to connect to the next update server. This continues until a connection is successfully made or un
152. ect your computer's performance on the Internet. We do not recommend using Stealth Mode if you use your computer as a server (for example, a mail or HTTP server), as the computers that attempt to connect to the server will not see it as connected. To change the status of a zone or to enable/disable Stealth Mode, select the zone from the list and use the appropriate links in the Rule description box below the list. You can perform similar tasks and edit addresses and subnet masks in the Zone Settings window, which you can open by clicking Edit. You can add a new zone to the list while viewing it. To do so, click Refresh. Anti-Hacker will search for available zones, and if it detects any, the program will ask you to select a status for them. In addition, you can add new zones to the list manually (if you connect your laptop to a new network, for example). To do so, use the Add button and fill in the necessary information in the Zone Settings window. To delete a network from the list, click the Delete button. 3.2.8.2 Creating a list of network applications. The Setup Wizard analyzes the software installed on your computer and creates a list of applications that use network connections. Anti-Hacker creates a rule to control network activity for each such application. The rules are applied using templates for common network applications, created at Kaspersky Lab and included with t
153. ed The default setup for Mail Anti-Virus is as follows: Mail Anti-Virus intercepts each email received or sent by the user. The email is broken down into its parts: email headers, its body, and attachments. The body and attachments of the email (including OLE attachments) are scanned for dangerous objects. Malicious objects are detected using the threat signatures included in the program and with the heuristic algorithm. The signatures contain descriptions of all the malicious programs known to date and methods for neutralizing them. The heuristic algorithm can detect new viruses that have not yet been entered in the threat signatures. After the virus scan, you have the following available courses of action: • If the body or attachments of the email contain malicious code, Mail Anti-Virus will block the email, place a copy of the infected object in Backup, and try to disinfect the object. If the email is successfully disinfected, it becomes available to the user again. If not, the infected object in the email is deleted. After the virus scan, special text is inserted in the subject line of the email, stating that the email has been processed by Kaspersky Internet Security. • If code is detected in the body or an attachment that appears to be, but is not definitely, malicious, the suspicious part of the email is sent to Quarantine. Emails sent with MAPI are scanned using a special plug-in for Microsoft Office Outlook and
154. eed to update cancel network support. 3. To open Kaspersky Internet Security, click Start → Programs → Kaspersky Internet Security 6.0 → Start. The Kaspersky Internet Security main window will open. In system rescue mode, you can only access virus scans and threat signature updates from the LAN (if you have enabled network support in Bart PE). 4. Start the virus scan. Note that threat signatures from the date that the rescue disk is created are used by default. For this reason, we recommend updating threat signatures before starting the scan. It should also be noted that the application will only use the updated Threat Signatures during the current session with the rescue disk, prior to restarting your computer. Warning: If infected or potentially infected objects were detected when you scanned the computer, and they were processed and then moved to Quarantine or Backup Storage, we recommend completing processing those objects during the current session with a rescue disk. Otherwise, these objects will be lost when you restart your computer. 17.11 Using advanced options. Kaspersky Internet Security provides you with the following advanced features: • Notifications of certain events that occur in the program. • Kaspersky Internet Security Self-Defense against modules being disabled, deleted or edited, as well as password protection for the program. • Resolving conflic
155. 13.3.4.2 Black lists for addresses and phrases; 13.3.5 Additional spam filtration features; 13.3.6 Creating the list of trusted addresses; 13.3.7 Mail Dispatcher; 13.3.8 Actions for spam; 13.3.9 Configuring spam processing in Microsoft Office Outlook; 13.3.10 Configuring spam processing in Microsoft Outlook Express; 13.3.11 Configuring spam processing in The Bat!; CHAPTER 14. SCANNING FOR VIRUSES ON YOUR COMPUTER; 14.1 Managing virus scan tasks; 14.2 Creating a list of objects to scan; 14.3 Creating virus scan tasks; 14.4 Configuring virus scan tasks; 14.4.1 Selecting a security level; 14.4.2 Specifying the types of objects to scan; 14.4.3 Restoring default scan settings; 14.4.4 Selecting actions for objects; 14.4.5 Advanced virus scan options
156. efault, when a dangerous HTTP object is detected, Web Anti-Virus displays a warning on the screen and offers a choice of several actions for the object. [Figure 31: Selecting actions for dangerous scripts] The possible options for processing dangerous HTTP objects are as follows (the action selected, and what happens if a dangerous object is detected in the HTTP traffic): Prompt for action: Web Anti-Virus will issue a warning message containing information about what malicious code has potentially infected the object, and will give you a choice of responses. Block: Web Anti-Virus will block access to the object and will display a message on screen about blocking it. Similar information will be recorded in the report (see 17.3 on pg. 225). Allow: Web Anti-Virus will grant access to the object. This information is logged in the report. Web Anti-Virus always blocks dangerous scripts and issues popup messages that inform the user of the action taken. You cannot change the response to a dangerous script, other than by disabling the script scanning module. CHAPTER 10. PROACTIVE DEFENSE. Warning: This version of the application does not have the proactive defense component. There are no Proactive Defense components in this version of the application: Application Integrity Control and Office Guard for computers running Microsoft Windows XP
157. enter msiexec /x <package name> ALLOWREBOOT=1 /qn. CHAPTER 20. FREQUENTLY ASKED QUESTIONS. This chapter is devoted to the most frequently asked questions from users pertaining to installation, setup and operation of Kaspersky Internet Security; here we shall try to answer them in detail. Question: Is it possible to use Kaspersky Internet Security 6.0 with anti-virus products of other vendors? No. We recommend uninstalling anti-virus products of other vendors prior to installation of Kaspersky Internet Security to avoid software conflicts. Question: Kaspersky Internet Security does not rescan files that have been scanned earlier. Why? This is true. Kaspersky Internet Security does not rescan files that have not changed since the last scan. That has become possible due to new iChecker and iSwift technologies. The technology is implemented in the program using a database of file checksums and file checksum storage in alternate NTFS streams. Question: Why do I need the license key file? Will Kaspersky Internet Security work without it? Kaspersky Internet Security will run without a license key, although you will not be able to access the Updater and Technical Support. If you still have not decided whether to purchase Kaspersky Internet Security, we can provide you with a trial license that will work for either two weeks or a month. Once that time has elapsed, the key will expire. Question: After the installatio
158. enu (see 4.2 on pg. 46) • Main window (see 4.3 on pg. 47) • Program settings window (see 4.4 on pg. 50). In addition to the main program interface, there are plug-ins for the following applications: • Microsoft Office Outlook: virus scans (see 8.2.2 on pg. 99) and spam scans (see 13.3.9 on pg. 181) • Microsoft Outlook Express (see 13.3.10 on pg. 184) • The Bat!: virus scans (see 8.2.3 on pg. 101) and spam scans (see 13.3.11 on pg. 185) • Microsoft Internet Explorer (see Chapter 11 on pg. 134) • Microsoft Windows Explorer (see 14.2 on pg. 188). The plug-ins extend the functionality of these programs by making Kaspersky Internet Security management and settings possible from their interfaces. 4.1 System tray icon. As soon as you install Kaspersky Internet Security, its icon will appear in the system tray. The icon is an indicator for Kaspersky Internet Security functions. It reflects the protection status and shows a number of basic functions performed by the program. If the icon is active (color), this means that your computer is being protected. If the icon is inactive (black and white), this means that protection is either fully stopped or that some protection components (see 2.2.1 on pg. 24) are paused. The Kaspersky Internet Security icon changes in relation to the operation being performed: Emails are being scanned. Scripts are being scanne
159. er 3 on page 31. 6. Update threat signatures (see 5.6 on pg. 61). If possible, download the updates off the Internet from a different, uninfected computer, for instance at a friend's, an Internet café, or work. It is better to use a different computer, since when you connect an infected computer to the Internet, there is a chance that the virus will send important information to hackers or spread the virus to the addresses in your address book. That is why, if you suspect that your computer has a virus, you should immediately disconnect from the Internet. You can also get threat signature updates on floppy disk from Kaspersky Lab or its distributors and update your signatures using the disk. 7. Select the security level recommended by the experts at Kaspersky Lab. 8. Start a full computer scan (see 5.2 on pg. 58). 1.6 Preventing Infection. Not even the most reliable and deliberate measures can provide 100% protection against computer viruses and Trojans, but following such a set of rules significantly lowers the likelihood of virus attacks and the level of potential damage. The basic safety rules are discussed in the rest of this chapter. Rule No. 1: Use anti-virus software and Internet security programs. To do so: • Install Kaspersky Internet Security as soon as possible. • Regularly (see 5.6 on pg. 61) update the program's threat signatures. You should update the signatures several times per day d
160. er tools. This group combines the most common and dangerous categories of malicious programs. This is the minimum admissible security level. Per recommendations of Kaspersky Lab experts, Kaspersky Internet Security always monitors this category of malicious programs. Spyware, adware, and dialers. This group includes potentially dangerous software that may inconvenience the user or incur serious damage. Potentially dangerous software (riskware). This group includes programs that are not malicious or dangerous. However, under certain circumstances they could be used to cause harm to your computer. The groups listed above comprise the full range of threats which the program detects when scanning objects. If all groups are selected, Kaspersky Internet Security provides the fullest possible anti-virus protection for your computer. If the second and third groups are disabled, the program will only protect you from the commonest malicious programs. Kaspersky Lab does not recommend disabling monitoring for the second group. If a situation arises when Kaspersky Internet Security classifies a program that you do not consider dangerous as a potentially dangerous program, we recommend creating an exclusion for it (see 6.3 on pg. 68). 6.3 Creating a trusted zone. A trusted zone is a list of objects created by the user that Kaspersky Internet Security does not monitor. In other words, it is a set of programs excluded from protection. The user creat
161. ernet Security will detect it, label it a virus, and take the action set for that object type. To test the reactions of Kaspersky Internet Security when different types of objects are detected, you can modify the contents of the standard test virus by adding one of the prefixes in the table shown here (columns: Prefix; Test virus status; Corresponding action when the application processes the object). No prefix (standard test virus): The file contains a test virus. You cannot disinfect the object. Action: The application will identify the object as malicious and not subject to treatment, and will delete it. CORR: Corrupted. Action: The application could access the object but could not scan it, since the object is corrupted (for example, the file structure is breached, or it is an invalid file format). SUSP, WARN: The file contains a test virus (modification). You cannot disinfect the object. Action: This object is a modification of a known virus or an unknown virus. At the time of detection, the threat signature databases do not contain a description of the procedure for treating this object. The application will place the object in Quarantine to be processed later with updated threat signatures. An error occurred while processing the object the application cannot access t
162. ersion of the Software (the latest version and the latest maintenance pack). 1.1.8 You shall not use this Software in automatic, semi-automatic or manual tools designed to create virus signatures, virus detection routines, any other data or code for detecting malicious code or data. 2. Support. (i) Kaspersky Lab will provide you with the support services ("Support Services") as defined below for a period specified in the License Key File and indicated in the "Service" window, since the moment of activation, on: (a) payment of its then current support charge; and (b) successful completion of the Support Services Subscription Form as provided to you with this Agreement or as available on the Kaspersky Lab website, which will require you to enter activation code which will have been provided to you by Kaspersky Lab with this Agreement. It shall be at the absolute discretion of Kaspersky Lab whether or not you have satisfied this condition for the provision of Support Services. Support Services shall become available after Software activation. Kaspersky Lab's technical support service is also entitled to demand from the End User additional registration for identifier awarding for Support Services rendering. Until Software activation and/or obtaining of the End User identifier (Customer ID), technical support service renders only assistance in Software activation and registration of the End User. (ii) By completion of the Support Service
163. [Figure 41: Creating a list of trusted addresses] If you want to block popups from your intranet or websites included in the Microsoft Internet Explorer list of trusted sites, uncheck the corresponding boxes in the Microsoft Internet Explorer security zones section. When popup windows that are not on the trusted address list try to open, a message appears over the program icon stating that it has blocked the window. There are links in the message that allow you to cancel the block and add the window's address to the trusted address list. You can also unblock windows through Internet Explorer if you have Windows XP Service Pack 2. To do so, use the context menu that you can open over the program icon that flashes in the bottom corner of the browser when popup windows are blocked. 11.1.2 Banner ad blocking list. Anti-Banner is the Kaspersky Internet Security component responsible for blocking banner adverts. Kaspersky Lab specialists have compiled a mask list of the most common banner ads, based on specially conducted research, and have included it with the program. If Anti-Banner is enabled, it blocks banner ads that are selected by the masks on this list. You can also create white and black lists for banner ads, which will allow or block banner ads. Note that if the blocked banners list or black list contains a mask for filtering domains, you will still be able t
164. es larger than the size specified will be skipped by the scan. 7.2.2 Defining protection scope. By default, File Anti-Virus scans all files when they are used, regardless of where they are stored, whether it be a hard drive, CD/DVD-ROM, or flash drive. You can limit the scope of protection. To do so: 1. Select File Anti-Virus in the main window and go to the component settings window by clicking Settings. 2. Click the Customize button and select the Protection Scope tab (see fig. 19) in the window that opens. The tab displays a list of objects that File Anti-Virus will scan. Protection is enabled by default for all objects on hard drives, removable media, and network drives connected to your computer. You can add to and edit the list using the Add, Edit, and Delete buttons. If you want to protect fewer objects, you can do so using the following methods: 1. Specify only folders, drives, and files that need to be protected. 2. Create a list of objects that do not need to be protected. 3. Combine methods one and two: create a protection scope that excludes a number of objects. [Figure 19: Creating a protected zone] You can use masks when you add objects for scanning. Note that you can
165. es a protected zone based on the properties of the files she uses and the programs installed on his computer. You might need to create such an exclusion list if, for example, Kaspersky Internet Security blocks access to an object or program and you are sure that the file or program is absolutely safe. You can exclude files of certain formats from the scan, use a file mask, or exclude a certain area (for example, a folder or a program), program processes, or objects according to Virus Encyclopedia classification (the status that the program assigns to objects during a scan). Warning: Excluded objects are not subject to scans when the disk or folder where they are located is scanned. However, if you select that object in particular, the exclusion rule will not apply. In order to create an exclusion list: 1. Open the Kaspersky Internet Security settings window and select the Protection section. 2. Click the Trusted Zone button in the General section. 3. Configure exclusion rules for objects and create a list of trusted applications in the window that opens (see fig. 8). [Figure 8: Trusted zone window with the Exclusion masks and Trusted applications tabs]
166. essage will appear on the screen containing a description of the network connection: what program initiated it, what port, the protocol, etc. You must decide whether to allow this connection or not. Using a special button in the message window, you can create a rule for that connection so that in the future Anti-Hacker will apply the new rule for that connection without warning you on screen. Low Security: blocks only banned network activity, using block rules that were either installed with the program or that you created. However, if there is an allow rule for an application with a higher priority than the block rule, the program will allow the network activity of that application. Allow all: allows all network activity on your computer. You are advised to set protection to this level in extremely rare cases, when no active network attacks have been observed and you fully trust all network activity. You can raise or lower the network security level by selecting the existing level you want or by changing the settings for the current level. To modify the network security level: 1. Select Anti-Hacker in the Kaspersky Internet Security settings window. 2. Adjust the slider in the Firewall section to indicate the required security level. To configure the network security level: 1. Select the security level that best matches your preferences, as above. 2. Click the Settings button and edit the network securit
167. estart your computer. In order to process the malicious files or programs, you must restart your computer. Save and close all files that you are working with and use the Restart computer link. The second indicator shows the effectiveness of your computer's protection. The indicator takes one of the following values. Signatures released (date, time): both the application and the threat signatures used by Kaspersky Internet Security are the most recent versions. Signatures are out of date: the program modules and Kaspersky Internet Security threat signatures have not been updated for several days. You are running the risk of infecting your computer with new malicious programs that have appeared since you last updated the program. We recommend updating Kaspersky Internet Security. To do so, use the Update link. Please restart your computer: you must restart your system for the program to run correctly. Save and close all files that you are working with and use the Restart computer link. Signatures are obsolete: Kaspersky Internet Security has not been updated for some time. You are putting the data at great risk. Update the program as soon as possible. To do so, use the Update link. Signatures are corrupted or partially corrupted: the threat signature files are fully or partially damaged. If this occurs, it is recommended to run program updates again. If you encounter the same error message again
168. et Security creates backup copies of them that can be used if a rollback (see 16.2 on pg. 207) is required. If, for example, the update process corrupts the threat signatures and leaves them unusable, you can easily roll back to the previous version and try to update the signatures later. You can distribute the updates retrieved to a local source while updating the application (see 14.4.4 on pg. 195). This feature allows you to update databases and modules used by 6.0 applications on networked computers to conserve bandwidth. 16.1 Starting the Updater. You can begin the update process at any time. It will run from the update source that you have selected (see 16.4.1 on pg. 209). You can start the Updater from the context menu (see 4.2 on pg. 46) or from the program's main window (see 4.3 on pg. 47). To start the Updater from the shortcut menu: 1. Right-click the application icon in the system tray to open the shortcut menu. 2. Select Update. To start the Updater from the main program window: 1. Select Update in the Service section. 2. Click the Update now button in the right panel of the main window or use the button on the status bar. The update progress will be displayed in a special window, which can be hidden by clicking Close. The update will continue with the window hidden. Note that updates are distributed to the local source during the update process, provided that this service is en
169. etailed information on the performance of the selected component or task. The resulting performance statistics are displayed in the upper part of the window, and detailed information is provided on the tabs. Depending on the component or task, the tabs can vary. The Detected tab contains a list of dangerous objects detected by a component or a virus scan task performed. The Events tab displays component or task events. The Statistics tab contains detailed statistics for all scanned objects. The Settings tab displays settings used by protection components, virus scans, or threat signature updates. The Macros and Registry tabs are only in the Proactive Defense report and contain information about all macros which attempted to run on your computer and on all attempts to modify the operating system registry. The Phishing Sites, Popup Windows, Banner Ads, and Dial Attempts tabs are only in the Anti-Spy report. They contain information on all the phishing attacks detected and all the popup windows, banner ads, and autodial attempts blocked during that session of the program. The Network Attacks, Banned Hosts, Application Activity, and Packet Filtering tabs are only found in the Anti-Hacker report. They include information on all attempted network attacks on your computer, hosts banned after attacks, descriptions of application network activity that matches existing activity rules, and all data packets tha
170. ether you want to format the CD before burning. To do so, check the corresponding box. You only have this option if you are using a CD-RW. The CD will start burning when you click the Next button. Wait until the process is complete. This could take several minutes. 17.10.1.4 Finishing creating a rescue disk. This Wizard window informs you that you have successfully created a rescue disk. 17.10.2 Using the rescue disk. Note that Kaspersky Internet Security only works in system rescue mode if the main window is opened. When you close the main window, the program will close. Bart PE, the default program, does not support .chm files or Internet browsers, so you will not be able to view Kaspersky Internet Security Help or links in the program interface while in Rescue Mode. If a situation arises when a virus attack makes it impossible to load the operating system, take the following steps: 1. Create an emergency boot disk by using Kaspersky Internet Security on an uninfected computer. 2. Insert the emergency disk in the disk drive of the infected computer and restart. Microsoft Windows XP SP2 will start with the Bart PE interface. Bart PE has built-in network support for using your LAN. When the program starts, it will ask you if you want to enable it. You should enable network support if you plan to update threat signatures from the LAN before scanning your computer. If you do not n
171. evel, click the Customize button in the Web Anti-Virus settings window. Edit the web protection settings (see 9.2 on pg. 109) in the window that opens and click OK. 9.2 Configuring Web Anti-Virus. Web Anti-Virus scans all objects that are loaded on your computer via the HTTP protocol and monitors any WSH scripts (JavaScript or Visual Basic Scripts, etc.) that are run. You can configure Web Anti-Virus settings to increase component operation speed, specifically: set the scanning algorithm by selecting a complete or limited set of threat signatures; create a list of trusted web addresses. It is also possible to select the actions that Web Anti-Virus will take in response to discovering dangerous HTTP objects. The following sections examine these settings in detail. 9.2.1 Setting a scan method. You can scan data from the Internet using one of the following algorithms. Streaming scan: this method for detecting malicious code in network traffic scans data on the fly as a file is downloading from the Internet. Web Anti-Virus scans the file's portions as they are downloaded, which delivers the scanned object to the user more quickly. At the same time, a limited set of threat signatures is used to perform streaming scans (only the most active threats), which significantly lowers the security level for using the Internet. Buffering scan: this method scans objects only after they have been fully
172. ewall ensures that Anti-Hacker will work optimally with programs that establish multiple network connections, for example file sharing network clients. However, this mode may lead to slow reaction time in network games. If you encounter such problems, you are advised to use Maximum Speed. Maximum speed: the Firewall ensures the best possible reaction time during network games. However, file sharing network clients and other network applications may experience conflicts with this mode. To solve the problem, disable Stealth Mode. Figure 51. Selecting an Anti-Hacker mode. To select a Firewall mode: 1. Click Settings in the Firewall section of the Anti-Hacker settings window. 2. Select the Additional tab in the window that opens and select the mode you want, Maximum Compatibility or Maximum Speed. Changes to the Firewall settings wi
173. for scanning a single email object. These settings are configured in the Restrictions section. If your computer is not protected by any local network software and accesses the Internet without using a proxy server or firewall, you are advised not to disable the archived attachment scan and not to set a time limit on scanning. If you are working in a protected environment, you can change the time restrictions on scanning to increase the email scan speed. You can configure the filtration conditions for objects connected to an email in the Attachment Filter section. Disable filtering: do not use additional filtration for attachments. Rename selected attachment types: filter out a certain attachment format and replace the last character of the file name with an underscore. You can select the file type by clicking the File types button. Delete selected attachment types: filter out and delete a certain attachment format. You can select the file type by clicking the File types button. You can find more information about filtered attachment types in section A.1 on pg. 282. By using the filter, you increase your computer's security, since malicious programs spread through email most frequently as attachments. By renaming or deleting certain attachment types, you protect your computer against automatically opening attachments when a message is received. 8.2.2 Configuring email processing i
174. for the application selected. The Settings: Application Integrity modules window contains a list of the modules that are used when a monitored application is started and make up the application. You can edit the list using the Add and Delete buttons in the right-hand portion of the window. You can also allow any controlled application modules to load or block them. By default, an allow rule is created for each module. To modify the action, select the module from the list and click the Modify button. Select the needed action in the window that opens. Note that Kaspersky Internet Security trains the first time you run the controlled application after installing it, until you close that application. The training process produces a list of modules used by the application. Integrity Control rules will be applied the next time you run the application. 10.1.2.2 Creating a list of shared components. Kaspersky Internet Security includes a list of components which can be opened by all controlled applications. You will find this list on the Trusted modules tab (see fig. 36). It includes modules used by Kaspersky Internet Security and Microsoft-signed components; components can be added or removed by the user. [Figure 36: Settings: Application Integrity Control window, Trusted modules tab]
175. frequently and the popup windows are important to you, you can add them to the trusted sites list (see 11.1.1 on pg. 136). Pop-up windows from trusted sites will not be blocked. When using Microsoft Internet Explorer, an icon will appear in the browser status bar when a popup window is blocked. You can unblock it or add the address to the trusted address list by clicking on the icon. The Anti-Banner component blocks banner ads, either on web pages or built into the interfaces of programs installed on your computer. Banner ads are not just devoid of useful information, but also distract you from your work and increase the amount of traffic on your computer. Anti-Banner blocks the most common banner ads based on masks created by Kaspersky Internet Security. You can disable banner blocking or create your own lists of allowed and blocked banners. To integrate Anti-Banner into Opera, add the following line to standard_menu.ini, section [Image Link Popup Menu]: Item, "New banner" = Copy image address & Execute program, "<drive>\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0 for Workstation\opera_banner_deny.vbs", "//nologo %C" Anti-Dialer protects computers against attempts to make unauthorized modem connections. Anti-Dialer runs on Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows XP x64, Microsoft Windows Vista, and Microsoft Windows Vista x64.
176. g must be saved using one of the following methods: add the results of training to the current database, or replace the current database with the database created by training. Please bear in mind that the program must be trained on at least 50 accepted emails and 50 junk emails for iBayes to work accurately. To save time, the Training Wizard only trains on 50 emails in each selected folder. 13.2.2 Training with outgoing emails. You can train Anti-Spam with outgoing emails from your email client. Then the Anti-Spam address white list will be filled by analyzing outgoing messages. Only the first fifty emails are used for training, at which point training is complete. To train Anti-Spam with outgoing emails: 1. Select Anti-Spam in the settings window. 2. Check Train using outgoing email messages in the Training section. Warning: Anti-Spam will only train itself with outgoing emails sent via MAPI protocol if you check Scan when sending in the Microsoft Office Outlook Mail Anti-Virus plug-in (see 13.3.9 on pg. 181). 13.2.3 Training using your email client. To train while using your mailbox, you use special buttons on your email client's tools panel. When you install Anti-Spam on your computer, it installs plug-ins for the following email clients: Microsoft Office Outlook, Microsoft Outlook Express, The Bat. For example, the task panel of Microsoft Office Outlook has two buttons, Spam and Not Sp
177. gure 21. Pausing the component. To disable the component when working with programs that require significant resources, check On applications startup and edit the list of programs in the window that opens (see Figure 22) by clicking List. To add an application to the list, use the Add button. A context menu will open, and by clicking Browse you can go to the standard file selection window and specify the executable file of the application to add. Or go to the list of applications currently running from the Applications item and select the one you want. To delete an application, select it from the list and click Delete. You can temporarily disable the pause on File Anti-Virus when using a specific application. To do so, uncheck the name of the application. You do not have to delete it from the list. Figure 22. Creating an application list. 7.2.4 Restoring default File Anti-Virus settings. When configuring File Anti-Virus, you can always return to the default performance settings. Kaspersky Lab considers them to be optimal and has combined them in the Recommended security level. To restore the default File Anti-Virus settings: 1. Select File Anti-Virus in the main window and go to the component settings window by clicking Settings. 2. Click the Default button in the Security Level section. If yo
178. he object being scanned, since the integrity of the object has been breached (for example, no end to a multivolume archive) or there is no connection to it (if the object is being scanned on a network drive). Prefix ERRO-: Processing error. Prefix CURE-: The file contains a test virus. It can be cured. The object is subject to disinfection, and the text of the body of the virus will change to CURE. The object contains a virus that can be cured; the application will scan the object for viruses, after which it will be fully cured. Prefix DELE-: The file contains a test virus. You cannot disinfect the object. This object contains a virus that cannot be disinfected or is a Trojan; the application deletes these objects. The first column of the table contains the prefixes that need to be added to the beginning of the string for a standard test virus. The second column describes the status and reaction of Kaspersky Internet Security to various types of test virus. The third column contains information on objects with the same status that the application has processed. Values in the anti-virus scan settings determine the action taken on each of the objects. 15.2 Testing File Anti-Virus. To test the functionality of File Anti-Virus: 1. Create a folder on a disk, copy to it the test virus downloaded from the organization's official website (see 15.1 on pg. 200), and the modif
179. he software. You can view the list of network applications and their rules in the Anti-Hacker settings window, which you can open by clicking Applications. For added security, we recommend disabling DNS caching when using Internet resources. DNS caching drastically cuts down on the time your computer is connected to this valuable Internet resource; however, it is also a dangerous vulnerability, and by exploiting it hackers can create data leaks that cannot be traced using the firewall. Therefore, to increase the degree of security for your computer, you are advised to disable DNS caching. 3.2.9 Finishing the Setup Wizard. The last window of the Wizard will ask if you want to restart your computer to complete the program installation. You must restart for Kaspersky Internet Security drivers to register. You can wait to restart, but if you do, some of the program's protection components will not work. 3.3 Installing the program from the command prompt. To install Kaspersky Internet Security, enter this at the command prompt: msiexec /i <package_name> The Installation Wizard will start (see 3.1 on pg. 31). Once the program is installed, you must restart the computer. You can also use one of the following methods when installing the application. To install the application in the background without restarting the computer (the computer should be restarted manually after installation), enter: msiexec /i <package_name> /qn
180. hecked by default. The checkbox is selected by default, and the activity of each macro run is traced for dangerous behavior, and if suspicious activity is detected, Proactive Defense allows or blocks the macro. Example: The macro PDFMaker is a plug-in for the Adobe Acrobat toolbar in Microsoft Office Word that can create a .pdf file out of any document. Proactive Defense classifies embedding elements in software as a dangerous action. If Office Guard is enabled, when a macro is loaded Proactive Defense issues a warning on the screen informing you that it has detected a dangerous macro command. You can choose to terminate that macro or allow it to continue. You can configure Kaspersky Internet Security's reactions to macros executing suspicious behavior. If you are sure that this macro is not dangerous when working with a specific file, for example a Microsoft Word document, we recommend creating an exclusion rule. If a situation arises that matches the terms of the exclusion rule, the suspicious action performed by the macro will not be processed by Proactive Defense. To configure Office Guard: 1. Open the Kaspersky Internet Security settings window by clicking Settings in the main program window. 2. Select Proactive Defense in the settings tree. 3. Click the Settings button in the Office Guard box. Rules for processing dangerous macros are configured in the Office Guard settings window (see fig. 37). I
181. hed to the listed registry file. Figure 39. Adding controlled registry keys. You only need to use masks with an asterisk and a question mark at the same time as the Include subkeys feature if the wildcards are used in the name of the key. If you select a folder of registry files using a mask and specify a specific value for it, the rule will be applied to that value for any key in the group selected. 10.1.4.2 Creating a Registry Guard rule. A Registry Guard rule specifies: the program whose access to the system registry is being monitored; Proactive Defense's response when a program attempts to execute an operation with system registry files. To create a rule for your selected system registry files: 1. Click New on the Rules tab. The new rule will be added at the top of the list (see fig. 40). Figure 40. Creating a registry key monitoring rule. 2. Specify the application. The rule is created for any application by default. If
182. here are limitations to iChecker: it does not work with large files and only applies to objects with a structure that Kaspersky Internet Security recognizes (for example, .exe, .dll, .lnk, .ttf, .inf, .sys, .com, .chm, .zip, .rar). Enable iSwift technology: this technology is a development of iChecker technology for computers using an NTFS file system. There are limitations to iSwift: it is bound to a specific location for the file in the file system and can only be applied to objects in an NTFS file system. iSwift technology is not available on computers running Microsoft Windows 98SE/ME/XP64. Show detected dangerous objects on the Detected report tab: display a list of threats detected during the scan on the Detected tab of the report window (see 17.3.2 on pg. 229). Disabling this function may be appropriate for special scans, for example of text collections, to increase the scan speed. Give other applications priority over resources: pause that virus scan task if the processor is busy with other applications. 14.4.6 Setting up global scan settings for all tasks. Each scan task is executed according to its own settings. By default, the tasks created when you install the program on your computer use the settings recommended by Kaspersky Lab. You can configure global scan settings for all tasks. You will use a set of properties used to scan an individual object for vi
183. 12.6 Rules for security zones; 12.7 Firewall Mode; 12.8 Configuring the Intrusion Detection System; 12.9 List of network attacks detected; 12.10 Blocking and allowing network activity; CHAPTER 13. ANTI-SPAM; 13.1 Selecting an Anti-Spam sensitivity level; 13.2 Training Anti-Spam; 13.2.1 Training Wizard; 13.2.2 Training with outgoing emails; 13.2.3 Training using your email client; 13.2.4 Training in Anti-Spam reports; 13.3 Configuring Anti-Spam; 13.3.1 Configuring scan settings; 13.3.2 Selecting spam filtration technologies; 13.3.3 Defining spam and potential spam factors; 13.3.4 Creating white and black lists manually; 13.3.4.1 White lists for addresses and phrases
184. hishing tab. This report tab (see fig. 88) displays all phishing attempts carried out during the current Kaspersky Internet Security session. The report lists a link to the phishing site detected in the email or other source, the date and time that the attack was detected, and the attack status (whether it was blocked). Figure 88. Blocked phishing attacks. 17.3.9 The Popups tab. This report tab (see fig. 89) lists the addresses of all the popup windows that Anti-Spy has blocked. These windows generally open from websites. The address and the date and time when Popup Blocker blocked the window are recorded for each popup. Figure 89. List of blocked popup windows. 17.3.10 The Banners tab. This report tab (see fig. 90) contains the addresses of the banner ads that Kaspersky Internet Security has detected in the current session. The web address for each banner ad is listed, along with the processing status (banner blocked or banner displayed).
185. ialists have optimally configured Anti-Spam to recognize spam and probable spam. Spam detection operates on state-of-the-art filtration technologies (see 13.3.2 on pg. 172) and on training Anti-Spam to recognize spam, potential spam, and accepted email accurately using emails from your Inbox. Anti-Spam is trained using the Training Wizard and through email client programs. During training, every individual element of accepted emails or spam is assigned a factor. When an email enters your inbox, Anti-Spam scans the email with iBayes for elements of spam and of accepted email. The factors for each element are totaled, and the email is given a spam factor and an accepted email factor. The probable spam factor defines the likelihood that the email will be classified as probable spam. If you are using the Recommended level, any email has between a 50% and 59% chance of being considered probable spam. Email that, after being scanned, has a likelihood of less than 50% will be considered accepted email. The spam factor determines the likelihood that Anti-Spam will classify an email as spam. Any email with chances beyond that indicated above will be perceived as spam. The default spam factor is 59% for the Recommended level. This means that any email with a likelihood of more than 59% will be marked as spam. In all, there are five sensitivity levels (see 13.1 on pg. 166), three of which (High, Recommended, and
186. ications of the test virus that you created. 2. Allow all events to be logged so the report file retains data on corrupted objects and objects not scanned because of errors. To do so, check Log non-critical events in the report settings window (see 17.3.1 on pg. 228). 3. Run the test virus or a modification of it. File Anti-Virus will intercept your attempt to access the file, will scan it, and will inform you that it has detected a dangerous object. Figure 70. Dangerous object detected. When you select different options for dealing with detected objects, you can test File Anti-Virus's reaction to detecting various object types. You can view details on File Anti-Virus performance in the report on the component. 15.3 Testing Virus scan tasks. To test Virus scan tasks: 1. Create a folder on a disk, copy to it the test virus downloaded from the organization's official website (see 15.1 on pg. 200) and the modifications of the test virus that you created. 2. Create a new virus scan task (see 14.3 on pg. 188) and select the folder containing the set of test viruses as the objects to scan (see 15.1). 3. Allow all events to be logged so the report file retains data on corrupted objects and objects not scanned bec
187. icrosoft Office Outlook to connect to your email service on IMAP, you are advised not to use Scan upon receiving mode. Enabling this mode will lead to emails being copied to the local computer when delivered to the server, and consequently the main advantage of IMAP is lost: creating less traffic and dealing with unwanted email on the server without copying them to the user's computer. The Mail Anti-Virus plug-in version for the 64-bit version of The Bat is not available in this version of Kaspersky Internet Security. The action that will be taken on dangerous email objects is set in the Mail Anti-Virus settings, which can be configured by following the click here link in the Status section. 8.2.3 Configuring email scans in The Bat. Actions taken on infected email objects in The Bat are defined with the program's own tools. Warning: The Mail Anti-Virus settings that determine whether incoming and outgoing email is scanned, as well as actions on dangerous email objects and exclusions, are ignored. The only settings that The Bat takes into account relate to scanning archived attachments and time limits on scanning emails (see 8.2.1 on pg. 97). This version of Kaspersky Internet Security does not provide Mail Anti-Virus plug-ins for 64-bit The Bat. To set up email protection rules in The Bat: 1. Select Preferences from the email client's Options menu. 2. Select Protection from the settings tree. The protection
188. ients web browsers etc Each type is characterized by a set of specific activities such as sending and receiving mail or receiving and displaying html pages Each type uses a certain set of network protocols and ports This is why having rule templates helps to quickly and easily make initial configurations for rules based on the type of application To create an application rule from a template Check Group the rules by application on the Rules for applications tab if not checked already and click the Add button In the window that opens select the executable file of the application for which you want to create a rule A window with rules for the application selected will open If rules for it already exist they will all be listed in the upper part of the window If no rules exist the rules window will be empty Click Preset in the rules for applications window and select one of the rule templates from the context menu see fig 46
189. ifference between stream direction and packet direction is that when you create a rule for a stream you define the direction of the connection The direction of packets when transferring data on this connection is not taken into consideration For example if you configure a rule for data exchange with an FTP server that is running in passive mode you must allow an outbound stream To exchange data with an FTP server in active mode you must allow both outbound and inbound streams 4 If you selected a remote address as a network connection property left click specify the address and enter the IP address for the rule in the window that opens You can use one type of IP address or several types for one rule Several addresses of each type can be specified Set the protocol that the network connection uses TCP is the default protocol for the connection If you are creating a rule for applications you can select one of two protocols TCP or UDP To do so left click on the link with the protocol name until it reaches the value that you need If you are creating a rule for packet filtering and want to change the default protocol click on its name and select the protocol you need in the window that opens If you select ICMP you may need to further indicate the type If you selected network connection settings address port time range you will have to assign them exact values as well After the rule is added to the
190. iisedin u 82 7 1 Selecting a file security level 82 7 2 Configuring File Anti Virus 84 7 2 1 Defining the file types to be scanned 84 7 2 2 Defining protection scope 87 7 2 3 Configuring advanced settings 88 7 2 4 Restoring default File Anti Virus settings 91 7 2 5 Selecting actions for objects 91 7 3 Postponed disinfection 93 CHAPTER 8 MAIL ANTI VIRUS 94 8 1 Selecting an email security level 95 8 2 Configuring Mail Anti Virus 96 8 2 1 Selecting a protected email group 97 8 2 2 Configuring email processing in Microsoft Office Outlook 99 8 2 3 Configuring email scans in The Bat 101 8 2 4 Restoring default Mail Anti Virus settings
191. iles containing threat signatures To create a rescue disk 1 Open the program s main window and select Rescue disk in the Service section 2 Click the Start Wizard button to begin creating the rescue disk A Rescue Disk is designed for the computer that it was created on Using it on other computers could lead to unforeseen consequences since it contains information on the parameters of a specific computer for example information on boot sectors You can only create a rescue disk under Microsoft Windows XP or Microsoft Windows Vista The rescue disk feature is not available under other supported operating systems including Microsoft Windows XP Professional x64 Edition and Microsoft Windows Vista x64 17 10 11 Creating a rescue disk Warning You will need the Microsoft Windows XP Service Pack 2 installation disk to create an emergency disk You need the program PE Builder to create the Rescue Disk You must install PE Builder on your computer beforehand to create an emergency disk with it A special Wizard walks you through the creation of a rescue disk It consists of a series of windows steps which you can navigate using the Back and Next buttons You can complete the Wizard by clicking Finished The Cancel button will stop the Wizard at any point 17 10 1 1 Getting ready to write the disk To create a rescue disk specify the path to the following folders • PE Builder program fol
192. in a title not infected by that virus iv Your sole remedy and the entire liability of Kaspersky Lab for breach of the warranty at paragraph i will be at Kaspersky Lab option to repair replace or refund of the Software if reported to Kaspersky Lab or its designee during the warranty period You shall provide all information as may be reasonably necessary to assist the Supplier in resolving the defective item v The warranty in i shall not apply if you a make or cause to be made any modifications to this Software without the consent of Kaspersky Lab b use the Software in a manner for which it was not intended or c use the Software other than as permitted under this Agreement vi The warranties and conditions stated in this Agreement are in lieu of all other conditions warranties or other terms concerning the supply or purported supply of failure to supply or delay in supplying the Software or the Documentation which might but for this paragraph vi have effect between the Kaspersky Lab and you or would otherwise be implied into or incorporated into this Agreement or any collateral contract whether by statute common law or otherwise all of which are hereby excluded including without limitation the implied conditions warranties or other terms as to satisfactory quality fitness for purpose or as to the use of reasonable skill and care 6 Limitation of Liability i ii Nothing
193. Figure 108 Configuring email notification settings 17 11 1 3 Configuring event log settings To configure event log settings 1 Open the application settings window with the Settings link in the main window 2 Select Service in the settings tree 3 Click Advanced in the Interaction with user section of the right hand part of the screen In the Notification settings window select the option of logging information for an event and click the Log Settings button Kaspersky Internet Security has the option of recording information about events that arise while the program is running either in the Microsoft Windows general event log Application or in a dedicated Kaspersky Internet Security Kaspersky Event Log You cannot log events under Microsoft Windows 98 ME and you cannot log to the Kaspersky Event Log under Microsoft Windows NT 4 0 These limitations are because of the particulars of these operating systems Logs can be viewed in the Microsoft Windows Event Viewer which you can open by going to Start Settings Control Panel Administration View Events 17 11 2 Self Defense and access restriction Kaspersky Internet Sec
194. ing various web sites on the Internet you risk infecting your computer with viruses that scripts on websites will install on your computer and you risk downloading a dangerous object onto your computer Web Anti Virus is specially designed to combat these risks by intercepting and blocking scripts on web sites if they pose a threat and by thoroughly monitoring all HTTP traffic Proactive Defense With every new day there are more and more malicious programs They are becoming more complex combining several types and the methods they use to spread themselves are becoming harder and harder to detect To detect a new malicious program before it has time to do any damage Kaspersky Lab has developed a special component Proactive Defense It is designed to monitor and analyze the behavior of all installed programs on your computer Kaspersky Internet Security decides based on the program s actions whether it is potentially dangerous Proactive Defense protects your computer both from known viruses and from new ones that have yet to be discovered Anti Spy Programs that display unwanted advertising for example banner ads and popup windows programs that call numbers for paid Internet services without user authorization remote administration and monitoring tools joke programs etc have become increasingly common Anti Spy traces and blocks these actions on your computer For example the component blocks banner ads and popup windows bl
195. installed on your computer including Kaspersky Lab products which could raise compatibility issues with Kaspersky Internet Security The installer will display on screen a list of any such programs it detects The program will ask you if you want to uninstall them before continuing installation You can select manual or automatic uninstall under the list of anti virus applications detected If the list of anti virus programs contains Kaspersky Anti Virus Personal or Kaspersky Anti Virus Personal Pro we recommend saving the license key that they use before deleting them as you can use it as your license key for Kaspersky Internet Security 6 0 We also recommend saving Quarantine and Backup objects These objects will automatically be moved to the Kaspersky Internet Security Quarantine and Backup and you can continue working with them To continue installation click the Next button Step 9 Finishing installing your program In this stage the program will ask you to finish installing the program on your computer You can decide if you want to use the protection settings threat signatures and the Anti Spam knowledge base from a previous version of Kaspersky Internet Security for example if you installed the beta version and now you are installing the commercial version Let s take a closer look at how to use the options described above If you have previously installed another version or build of Kaspersky Internet Security
196. ions that Anti Hacker will perform regarding the network activity detected This is what you must determine yourself Figure 53 Network activity notification Carefully review the information on network activity and only then select actions for Anti Hacker We recommend that you use these tips when making a decision 1 Before doing anything else decide whether to allow or block the network activity It is possible that in this situation a set of rules already created for this application or packet will help you assuming that such have been created To do so use the Edit rules link Then a window will open with a complete list of rules created for the application or data packet 2 Decide whether to perform this action once or automatically every time this activity is detected To perform the action this time only uncheck Create a rule and click the button with the name of the action e g Allow To perform the action you select automatically every time this activity is initiated on your computer 1 Check Create a rule 2 Select the type of activity that you want the action to apply to from the dropdown list in the Acti
197. is launched automatically after each threat signature update see 6 5 on pg 78 CHAPTER 17 ADVANCED OPTIONS Kaspersky Internet Security has other features that expand its functionality The program places some objects in special storage areas in order to ensure maximum protection of data with minimum losses Backup contains copies of objects that Kaspersky Internet Security has changed or deleted see 17 2 on pg 223 If any object contained information that was important to you and could not be fully recovered during anti virus processing you can always restore the object from its backup copy Quarantine contains potentially infected objects that could not be processed using the current threat signatures see 17 1 on pg 219 It is recommended that you periodically examine the list of stored objects Some of them may already be outdated and some may have been restored The advanced options include a number of diverse useful features For example Technical Support provides comprehensive assistance with Kaspersky Internet Security see 17 5 on pg 242 Kaspersky provides you with several channels for support including on line support and a questions and comments forum for program users The Notifications feature sets up user notifications about key events for Kaspersky Internet Security see 17 11 1 on pg 255 These could be either events of an informative nature or critical errors that must be eliminated immediately
198. Figure 85 Component settings Set the computer s mode of operation for after a virus scan is complete You can configure the computer to shut down restart or go into standby or sleep mode To select an option left click on the hyperlink until it displays the option you need You may need this feature if for example you start a virus scan at the end of the work day and do not want to wait for it to finish However to use this feature you must take the following additional steps before launching the scan you must disable password requests for objects being scanned if enabled and enable automatic processing of dangerous objects to disable the program s interactive features 17 3 6 The Macros tab All the macros that attempted to run during the current Kaspersky Internet Security session are listed on the Macros tab see fig Here you will find the full name of each macro the time it was executed and its status after macro processing Figure 86 Detected dangerous macros You can choose view mode for this tab If you don t want to view informational events uncheck Display all events 17 3 7 The Registry tab
199. itally signed by the Microsoft Corporation It is highly unlikely that these modules would be malicious so it is not necessary to monitor them closely which in turn lightens the load on your computer when using Proactive Defense Components with Microsoft signed signatures are automatically designated as trusted applications If necessary you can add or delete components from the list The monitoring of processes and their integrity in the system is enabled by checking the box Enable Application Integrity Control in the Proactive Defense settings window by default the box is unchecked If you enable this feature each application or application module opened is checked against the critical and trusted applications list If the application is on the list of critical applications its activity is controlled by Proactive Defense in accordance with the rule created for it To configure Application Integrity Control 1 Open the Kaspersky Internet Security settings window by clicking Settings in the main program window 2 Select Proactive Defense in the settings tree 3 Click the Settings button in the Application Integrity Control box Let s examine working with critical and trusted processes in greater detail 10 1 2 1 Configuring Application Integrity Control rules Critical applications are executable files of programs which are extremely important to monitor since malicious files use such programs to distribute themselves A
200. ity in Quarantine To do so use the On Off link across from the appropriate setting You can assign a time value for how frequently the scan will run for detecting hidden processes in the system • Choose if you want to generate a report on the operation carried out To do so click on the Log link until it shows On or Off as required To turn off monitoring for a dangerous activity uncheck the box next to the name in the list Proactive Defense will no longer analyze that type of activity Specifics of configuring application activity control in Kaspersky Internet Security under Microsoft Windows XP Professional x64 Edition Microsoft Windows Vista or Microsoft Windows Vista x64 If you are running one of the operating systems listed above only one type of system event is controlled dangerous activity behavior analysis If you want Kaspersky Internet Security to monitor modifications of system user accounts in addition to dangerous activity select the Monitor system user accounts checkbox see fig 34 User accounts control access to the system and identify the user and his her work environment which prevents other users from corrupting the operating system or data Dangerous activity involves modifying user accounts changing a password for example
201. ity monitoring 1 Open the Kaspersky Internet Security settings window by clicking Settings in the main program window Select Proactive Defense in the settings tree Click the Settings button in the Application Activity Analyzer section The types of activity that Proactive Defense monitors are listed in the Settings Application Activity Analyzer window see fig 33 Dangerous behaviour Prompt for action Launching Internet browser with parameters Prompt for action Intrusion into process invaders Prompt for action Hidden processes rootkit Prompt for action Window hooks Prompt for action Suspicious values in registry Prompt for action Suspicious system activity Alert Keylogger detection Alert Microsoft Windows Task Manager protection Block Figure 33 Configuring application activity control To edit a dangerous activity monitoring rule select it from the list and assign the rule settings in the lower part of the tab • Assign the Proactive Defense response to the dangerous activity You can assign any of the following actions as a response allow prompt for action and terminate process Left click on the link with the action until it reaches the value that you need In addition to stopping the process you can place the application that initiated the dangerous activ
202. ity of the Microsoft Corporation digital signature when it establishes a connection with the server You can configure SSL scan settings on the Network settings tab of the program settings window Check all SSL connections scan all traffic incoming on SSL protocol for viruses Prompt user when new SSL connection is detected display a message prompting the user for action every time an SSL connection is established Do not scan SSL connections do not scan traffic incoming on SSL protocol for viruses 17 9 Configuring the Kaspersky Internet Security interface Kaspersky Internet Security gives you the option of changing the appearance of the program by creating and using skins You can also configure the use of active interface elements such as the system tray icon and popup messages To configure the program interface take the following steps 1 Open the Kaspersky Internet Security settings window by clicking the Settings link in the main window 2 Select Appearance in the Service section of the program settings tree see fig 105 Figure 105 Configuring program appearance settings In the right hand part of the settings windo
203. Figure 46 Selecting a template for creating a new rule Allow all is a rule that allows all network activity for the application Block all is a rule that blocks all network activity for the application All attempts to initiate a network connection by the application in question will be blocked without notifying the user Other templates listed on the context menu create rules typical for the corresponding types of program For example the Mail Client template creates a set of rules that allow standard network activity for email clients such as sending email 4 Edit the rules created for the application if necessary You can modify actions network connection direction remote address ports local and remote and the time range for the rule 5 If you want the rule to apply to a program opened with certain command line settings check Command line and enter the string in the field to the right The rule or set of rules created will be added to the end of the list with the lowest ranking priority You can raise the priority of the rule see 12 5 on pg 154 You can create a rule from the network activity detection alert window see 12 10 on pg 161 12 3 Packet filtering rules Kaspersky Internet Security includes a set of rules that it uses to filter incoming and outgoing data packets for your computer You can initiate data packet transfer or an installed program on your
204. k If you select this option put checkmarks next to the days of the week on which you want the scan to run in the schedule settings Also enter the time at which the scan task will run in the Time field Monthly the scan task will run once per month at the specified day and time Note that the scan task for startup objects has a specific schedule You can configure how it runs automatically every time you turn on the computer and or download threat signature updates To do so check the corresponding boxes in the Run Mode section of the task settings window If a scan task is skipped for any reason for example the computer was not on at that time you can configure the task that was missed to start automatically as soon as it can To do so check Run task if skipped in the schedule window 6 6 Power options To conserve the battery of your laptop computer and to reduce the load on the central processor and disk subsystems you can postpone virus scans • Since virus scans and program updates sometimes require a fair amount of resources and can take up time you are advised to disable schedules for these tasks which will help you to save battery life If necessary you can manually update the program yourself see 5 6 on pg 61 or start a virus scan To use the battery saving feature check the Do not perform scheduled tasks when running on battery power box • Virus scans increase the load on the central processor and
205. les and or folders to be scanned You can enter absolute or relative paths Items in the list are separated by a space Notes • If the object name contains a space it must be placed in quotation marks • If you select a specific folder all the files in it are scanned MEMORY System memory objects STARTUP Startup objects MAIL Email databases REMDRIVES All removable media drives FIXDRIVES All internal drives NETDRIVES All network drives QUARANTINE Quarantined objects ALL Complete scan <filelist.lst> Path to a file containing a list of objects and folders to be included in the scan The file should be in a text format and each scan object must start a new line You can enter an absolute or relative path to the file The path must be placed in quotation marks if it contains a space <action> this parameter sets responses to malicious objects detected during the scan If this parameter is not defined the default value is i2 i0 take no action on the object simply record information about it in the report i1 Treat infected objects and if disinfection fails skip i2 Treat infected objects and if disinfection fails delete Exceptions do not delete infected objects from compound objects delete compound objects with executable headers i e sfx archives default i3 Treat infected
206. license key with a limited trial period Use a license key obtained previously Activate the application using the license key file for Kaspersky Internet Security 6 0 Activate later If you choose this option you will skip the activation stage Kaspersky Internet Security 6 0 will be installed on your computer and you will have access to all program features except updates you can only update the threat signatures once after installing the program The first two activation options use a Kaspersky Lab web server which requires an Internet connection Before activating make sure to edit your network settings see 16 4 3 on pg 213 in the window that opens when you click LAN settings if necessary For more in depth information on configuring network settings contact your system administrator or ISP 3 2 2 2 Entering the activation code To activate the program you must enter the activation code that was provided when you purchased the program The activation code must be entered in Latin letters Enter your personal information in the lower part of the window full name email address and country and city of residence This information might be requested to identify a registered user if a key is lost or stolen If this happens you can obtain a new license key with the personal information 3 2 2 3 Obtaining a license key The Setup Wizard connects to Kaspersky Lab server
207. list of rules for the application you can further configure the rule see Figure 49 If you want it to apply to an application opened with certain command line parameters check Command line and enter the parameter string in the field to the right This rule will not apply to applications started with a different command line You cannot specify command line settings in Microsoft Windows 98 Figure 49 Advanced new rule settings You can create a rule from the network activity detection alert window see 12 10 on pg 161 12 5 Ranking rule priority Each rule created for a program or a data packet has a priority ranking When other conditions are equal for example the network connection settings the action applied to the program activity will be that of the rule with the higher priority The priority of a rule is determined by its position on the list of rules The first rule on the list has the highest priority Each rule created manually is added at the top of the list Rules created from a template or from a notification are added at the bottom of the list
208. list of them was created when the application was installed and is shown on the Critical applications tab see fig 35 each application has its own monitoring rule A monitoring rule is created for each such application to regulate its behavior You can edit existing rules and create your own Proactive Defense analyzes the following operations involving critical applications their launch changing the makeup of application modules and starting an application as a child process You can select the Proactive Defense response to each of the operations listed allow or block the operation and also specify whether to log component activity in the component report The default settings allow most critical applications to start be edited or be started as child processes To add an application to the critical application list and create a rule for it 1 Click Add on the Critical applications tab A context menu will open click Browse to open the standard file selection window or click Applications to see a list of currently active applications and select one of them as necessary The new application will be added to the top of the list and allow rules i e all activities are allowed will be created for it by default When that application is first started the modules that it accesses will be added to the list and those modules will similarly be given allow rules
209. ll be blocked If any of the actions listed are attempted a message will appear over the program icon in the system tray if the notification service has not been disabled by the user Figure 109 Configuring program defense To password protect the program check Enable password protection Click on the Settings button to open the Password Protection window and enter the password and area that the access restriction will cover see fig 110 You can block any program operations except notifications for dangerous object detection or prevent any of the following actions from being performed • Change of program performance settings • Close Kaspersky Internet Security • Disable or pause protection on your computer Each of these actions lowers the level of protection on your computer so try to establish which of the users on your computer you trust to take such actions Now whenever any user on your computer attempts to perform the actions you selected the program will request a password
210. ll not take effect until after Anti Hacker has been restarted 12 8 Configuring the Intrusion Detection System All currently known network attacks that could endanger the computer are listed in the threat signatures and updated during signature updates see Chapter 15 on pg 200 The Anti Hacker Intrusion Detection System uses this list of possible attacks By default Kaspersky Internet Security does not update attack signatures The Intrusion Detection System tracks network activity typical of network attacks and if it detects an attempt to attack your computer it blocks all network activity between the remote computer and your computer for one hour A warning will appear on the screen stating that a network attack attempt has taken place with specific information about the computer which attacked you You can configure the Intrusion Detection System To do so 1 Open the Anti Hacker settings window 2 Click Settings in the Intrusion Detection System section 3 In the window that opens see fig 52 determine whether you want to block an attacking computer and if so for how long The default blocked time is 60 minutes You can increase or decrease the blocked time by changing the value in the field next to Block the attacking computer for mins If you want to stop blocking traffic from an attacking computer directed at your computer uncheck this box Figure 52 Configuring the block time for attacking computers
211. lly according to the schedule created. You can configure the schedule by clicking Change. Manually. If you choose this option, you will run program updates yourself. Note that the threat signatures and program modules included with the software may be outdated by the time you install the program. That is why we recommend downloading the latest program updates. To do so, click Update now. Then Kaspersky Internet Security will download the necessary updates from the update servers and will install them on your computer. If you want to configure updates (set up network properties, select the resource from which updates will be downloaded, or select the update server located nearest to you), click Settings. 3.2.5. Configuring a virus scan schedule. Scanning selected areas of your computer for malicious objects is one of the key steps in protecting your computer. When you install Kaspersky Internet Security, three default virus scan tasks are created. In this window, the Settings Master asks you to choose a scan task setting. Scan startup objects. Kaspersky Internet Security scans startup objects automatically when it is started by default. You can edit the schedule settings in another window by clicking Change. Scan critical areas. To automatically scan critical areas of your computer (system memory, Startup objects, boot sectors, Microsoft Windows system folders) for viruses, check the appropri
212. m. Click the Next button. 4. In the second step, specify folders with spam. Click the Next button. The training process is based on the folders that you specify. When an email arrives in your inbox, Anti-Spam will scan it for spam content and add a special Spam tag to the subject line of spam. You can configure a special rule in your email client for these emails, such as a rule that deletes them or moves them to a special folder. 5.6. How to update the program. Kaspersky Lab updates the threat signatures and modules for Kaspersky Internet Security using dedicated update servers. Kaspersky Lab's update servers are the Kaspersky Lab Internet sites where the program updates are stored. Warning: You will need a connection to the Internet to update Kaspersky Internet Security. By default, Kaspersky Internet Security automatically checks for updates on the Kaspersky Lab servers. If the server has the latest updates, Kaspersky Internet Security will download and install them in the silent mode. To update Kaspersky Internet Security manually, select the Update component in the Service section of the main program window and click the Update now button in the right-hand part of the window. As a result, Kaspersky Internet Security will begin the update process and display the details of the process in a special window. 5.7. What to do if protection is not running. If problems or errors ari
213. m scans these protocols for emails containing viruses and spam: IMAP, SMTP, POP3, regardless of which email client you use; NNTP (virus scan only), regardless of the email client; regardless of the protocol (MAPI, HTTP), when using plug-ins for Microsoft Office Outlook and The Bat! Special plug-ins are available for the most common mail clients, such as Microsoft Office Outlook, Microsoft Outlook Express, and The Bat! These place email protection against both viruses and spam directly in the mail client. Anti-Spam now has a training mode, based around the iBayes algorithm, which learns by monitoring how you deal with email. It also provides maximum flexibility in configuring spam detection: for instance, you can create black and white lists of addressees and key phrases that mark email as spam. Anti-Spam uses a phishing database, which can filter out emails designed to obtain confidential financial information. The program filters inbound and outbound traffic, traces and blocks threats from common network attacks, and lets you use the Internet in Stealth Mode. When using a combination of networks, you can also define which networks to trust completely and which to monitor with extreme caution. The user notification function (see 17.11.1 on pg. 255) has been expanded for certain protection events. You can select the method of notification by choosing from emails, sound notifications, log eve
214. main program window. To open the license manager window, left-click anywhere in the box. In the window that opens, you can view information on the current key, add a key, or delete a key. When you select a key from the list in the License info box, information will be displayed on the license number, type, and expiration date. To add a new license key, click Add and activate the application with the activation wizard (see 3.2.2 on pg. 36). To delete a key from the list, use the Delete button. To review the terms of the EULA, click the View EULA link. To purchase a license through the e-store on the Kaspersky Lab website, click the Purchase license link. 17.6. Technical Support. Kaspersky Internet Security provides you with a wide range of options for questions and problems related to program operation. They are all located in Support (see fig. 102) in the Service section. [Screenshot of the Support section: Web Support (User Forum, Knowledge base, Submit a bug report or a suggestion); Local Support Service (www.kaspersky.com/support)]
215. mask from scans. Classification: exclude objects from scans based on the status in the Virus Encyclopedia. [Figure 9. Creating an exclusion rule] If you check both boxes at once, a rule will be created for that object with a certain Virus Encyclopedia classification. In such a case, the following rules apply. If you specify a certain file as the Object and a certain status in the Verdict section, the file specified will only be excluded if it is classified as the threat selected during the scan. If you select an area or folder as the Object and the status (or verdict mask) as the Verdict, then objects with that status will only be excluded when that area or folder is scanned. 3. Assign values to the selected exclusion types. To do so, left-click in the Rule description section on the specify link located next to the exclusion type. For the Object type, enter its name in the window that opens (this can be a file, a particular directory, or a file mask; see A.2 on pg. 285). Check Include subfolders for the object (file, file mask, folder) to be recursively excluded from the scan. For example, if you assign C:\Program Files\winword.ex
216. mation about installation progress will be hidden; this will not stop the scan. 5.3. How to scan critical areas of the computer. There are areas on your computer that are critical from a security perspective. These are the targets of malicious programs aimed at damaging your operating system, processor, memory, etc. It is extremely important to protect these critical areas so that your computer keeps running. There is a special virus scan task for these areas, which is located in the program's main window in the Scan section. After selecting the task named Critical Areas, the right-hand panel of the main window will display the following: statistics for the most recent scan of these areas; task settings (what level of protection was selected, and what actions are applied to security threats). Here you can also select which critical areas you want to scan, and immediately scan those areas. To scan critical areas of your computer for malicious programs, click the Scan button in the right-hand part of the screen. When you do this, a scan of the selected areas will begin, and the details will be shown in a special window. When you click the Close button, the window with information about installation progress will be hidden. This will not stop the scan. 5.4. How to scan a file, folder or disk for viruses. Sometimes it is necessary to scan individual objects for viruses but not the entire computer, for example a port
217. me of the object involved in the event; time when the event occurred; size of the file loaded. For virus scan tasks, the event log contains the name of the object scanned and the status assigned to it by the scan/processing. You can also train Anti-Spam while viewing the report, using the special context menu. To do so, select the name of the email, open the context menu by right-clicking, and select Mark as spam if the email is spam, or Mark as accepted if the selected email is accepted email. In addition, based on the information obtained by analyzing the email, you can add to the Anti-Spam white and black lists. To do so, use the corresponding items on the context menu. 17.3.4. The Statistics tab. This tab (see fig. 84) provides you with detailed statistics on components and virus scan tasks. Here you can learn: how many objects were scanned for dangerous traits in this session of a component, or after a task is completed (the number of scanned archives, compressed files, and password-protected and corrupted objects is displayed); how many dangerous objects were detected, not disinfected, deleted, or placed in Quarantine. [Figure 84. Component statistics] 17.3.5. The Settings tab
218. meaning that it grants all applications access to network resources. Enable system registry monitoring: ask for user decision if attempts to alter system registry keys are detected. If the application is installed on a computer running Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista or Microsoft Windows Vista x64, the interactive mode settings listed below will not be available. Enable Application Integrity Control: prompt user to confirm actions taken when modules are loaded into applications being monitored. Enable extended proactive defense: enable analysis of all suspicious activity in the system, including opening browser with command line settings, loading into program processes, and window hooks (these settings are disabled by default). 3.2.4. Configuring update settings. Your computer's security depends directly on updating the threat signatures and program modules regularly. In this window, the Setup Wizard asks you to select a mode for program updates, and to configure a schedule. Automatically. Kaspersky Internet Security checks the update source for update packages at specified intervals. Scans can be set to be more frequent during virus outbreaks and less so when they are over. When the program detects fresh updates, it downloads them and installs them on the computer. Every 1 day(s). Updates will run automatica
219. [Figure 8. Creating a trusted zone] 6.3.1. Exclusion rules. Exclusion rules are sets of conditions that Kaspersky Internet Security uses to determine not to scan an object. You can exclude files of certain formats from the scan, use a file mask, or exclude a certain area (such as a folder or a program), program processes, or objects according to their Virus Encyclopedia classification. The classification is the status that Kaspersky Internet Security assigns to an object during the scan. A status is assigned based on classification of malicious and potentially dangerous programs found in the Kaspersky Lab Virus Encyclopedia. The verdict is the status that Kaspersky Internet Security assigns to an object during the scan. A verdict is based on the classification of malicious and potentially dangerous programs found in the Kaspersky Lab Virus Encyclopedia. Potentially dangerous software does not have a malicious function but can be used as an auxiliary component for malicious code, since it contains holes and errors. This category includes, for example, remote administration programs, IRC clients, FTP servers, all-purpose utilities for stopping or hiding processes, keyloggers, password macros, autodialers, etc. These programs are not classified as viruses. They can be divided into several types, e.g. Adware, Jokes
220. n Microsoft Office Outlook. If you use Microsoft Office Outlook as your email client, you can set up custom configurations for virus scans. A special plug-in is installed in Microsoft Office Outlook when you install Kaspersky Internet Security. It can quickly access Mail Anti-Virus settings, and also set the maximum time that individual emails will be scanned for dangerous objects. Warning: This version of Kaspersky Internet Security does not provide Mail Anti-Virus plug-ins for 64-bit Microsoft Office Outlook. The plug-in comes in the form of a special Mail Anti-Virus tab located under Service Options (see fig. 26). [Figure 26. Configuring Mail Anti-Virus settings in Microsoft Office Outlook] Select an email scan mode: Scan upon receiving analyzes each email when it enters your Inbox; Scan when read scans each email when you open it to read it; Scan upon sending scans each email for viruses when you send it. Warning: If you use M
221. n MB than the value assigned by <size>. <configuration file>: defines the path to the configuration file that contains the program settings for the scan. You can enter an absolute or relative path to the file. If this parameter is not defined, the values set in the Kaspersky Internet Security interface are used. /C:<settings_file>: use the settings values assigned in the file <settings_file>. <report settings>: this parameter determines the format of the report on scan results. You can use an absolute or relative path to the file. If the parameter is not defined, the scan results are displayed on screen, and all events are displayed. /R:<report_file>: only log important events in this file. /RA:<report_file>: log all events in this file. Examples. Start a scan of RAM, Startup programs, email databases, the directories My Documents and Program Files, and the file test.exe:
    avp.com SCAN /MEMORY /STARTUP /MAIL "C:\Documents and Settings\All Users\My Documents" "C:\Program Files" "C:\Downloads\test.exe"
Pause scan of selected objects and start full computer scan, then continue to scan for viruses within the selected objects:
    avp.com PAUSE SCAN_OBJECTS /password=<your_password>
    avp.com START SCAN_MY_COMPUTER
    avp.com RESUME SCAN_OBJECTS
Scan RAM and the objects listed in the file object2scan.txt. Use the
222. n access directory, the information in it will not be available to users from subnets with this status. Additionally, when you select this status, you cannot access files and printers on other computer networks. Local Network. The program assigns this status to the majority of security zones detected when it analyzes the computer's network environment, except the Internet. It is recommended to apply this status to zones with an average risk factor (for example, corporate LANs). If you select this status, the program allows: any network NetBios activity within the subnet; rules for applications and packet filtering that allow NetBios activity within this subnet. Select this status if you want to grant access to certain folders or printers on your computer, but want to block all other outside activity. Trusted. This status is given to networks that you feel are absolutely safe, so that your computer is not subject to attacks and attempts to gain access to your data while connected to it. When you are using this type of network, all network activity is allowed. Even if you have selected Maximum Protection and have created block rules, they will not function for remote computers from a trusted network. You can use Stealth Mode for added security when using networks labeled Internet. This feature only allows network activity initiated from your computer, meaning that your computer becomes invisible to its surroundings. This mode does not aff
223. n be saved as a text file. To do so, specify the .txt extension in the file name. Example:
    avp.com EXPORT c:\settings.dat
18.7. Importing settings. Command syntax:
    avp.com IMPORT <filename> /password=<password>
<filename>: path to the file from which the Kaspersky Internet Security settings are being imported. You can use an absolute or relative path. <password>: Kaspersky Internet Security password assigned in the program interface. Note that you cannot execute this command without entering the password. Example:
    avp.com IMPORT c:\settings.dat /password=<password>
18.8. Starting the program. Command syntax:
    avp.com
18.9. Stopping the program. Command syntax:
    EXIT /password=<password>
<password>: Kaspersky Internet Security password assigned in the program interface. Note that you cannot execute this command without entering the password. 18.10. Viewing Help. This command is available for viewing Help on command prompt syntax:
    avp.com HELP
To get help on the syntax of a specific command, you can use one of the following commands:
    avp.com <command>
    avp.com HELP <command>
18.11. Return codes from the command line interface. This section contains a list of return codes from the command line. The general codes may be returned
224. n of Kaspersky Internet Security, the operating system started behaving strangely (blue screen of death, frequent restarting, etc.). What should I do? Although rare, it is possible that Kaspersky Internet Security and other software installed on your computer will conflict. In order to restore the functionality of your operating system, do the following: 1. Press the F8 key repeatedly between the time when the computer just started loading until the boot menu is displayed. 2. Select Safe Mode and load the operating system. 3. Open Kaspersky Internet Security. 4. Use the Settings link in the main window and select the Protection section in the program settings window. 5. Uncheck Run program system startup and click OK. 6. Reboot the operating system in regular mode. After this, contact the Technical Support Service through the Kaspersky Lab's corporate website (Service > Technical Support > Send request to Technical Support). Describe in detail the problem and the circumstances in which this problem occurs. Make sure that you attach to your question a file containing a complete dump of Microsoft Windows operating system. In order to create this file, do the following: 1. Right-click My computer and select the Properties item in the shortcut menu that will open. 2. Select the Advanced tab in the System Properties window and then press the Settings button in the Startup and Recovery section
225. n the system tray icon. Some protection components have malfunctioned. One or more Kaspersky Internet Security components have internal errors. If this occurs, you are advised to enable the component or restart the computer, as it is possible that the component drivers have to be registered after being updated. 5.1.2. Kaspersky Internet Security component status. To determine how Kaspersky Internet Security is guarding your file system, email, HTTP traffic, or other areas where dangerous programs could penetrate your computer, or to view the progress of a virus scan task or threat signature update, simply open the corresponding section of the main program window. For example, to view the current File Anti-Virus status, select File Anti-Virus from the left-hand panel of the main window, or, to see if you are being protected against new viruses, select Proactive Defense. The right-hand panel will display a summary of information about the component's operation. For protection components, the right-hand panel contains the status bar, the Status box, and the Statistics box. For the File Anti-Virus component, the status bar appears as follows. File Anti-Virus running: file protection is active for the level selected (see 7.1 on pg. 82). File Anti-Virus paused: File Anti-Virus is disabled for a set period of time. The component will resume operation automatically after the assigned period has expire
226. n the context menu by right-clicking and select Save as. 2. Enter the name for the task in the window that opens and click OK. A task with that name will then appear in the Service section of the main program window. Warning: There is a limit to the number of update tasks that the user can create. Maximum number: two tasks. The new task inherits all the properties of the task it is based on, except for the schedule settings. The default automatic scan setting for the new task is disabled. After creating a task, configure additional settings: select an update source, network connection settings, and, if necessary, run a task with permissions and configure the schedule. To rename a task: select the task from the Service section of the main program window, open the context menu by right-clicking, and select Rename. Enter the new name for the task in the window that opens and click OK. The task name will then be changed in the Service section. To delete a task: select the task from the Service section of the main program window, open the context menu by right-clicking, and select Delete. Confirm that you want to delete the task in the confirmation window. The task will then be deleted from the list of tasks in the Service section. Warning: Rename and delete are only available for customized tasks. 16.4. Configuring update settings. The Updater settings specify the following parameters: Program update
227. n use the database of threat signatures to search for and disinfect harmful objects on your computer. The signatures are added to every hour, with records of new threats and methods to combat them. Therefore, it is recommended that they are updated on a regular basis. In addition to the threat signatures and the network attack database, network drivers that enable protection components to intercept network traffic are updated. Previous versions of Kaspersky Lab applications have supported standard and extended database sets. Each database dealt with protecting your computer against different types of dangerous objects. In Kaspersky Internet Security, you don't need to worry about selecting the appropriate threat signature set. Now our products use threat signatures that protect you from both malicious and potentially dangerous objects, and from hacker attacks. Application modules. In addition to the signatures, you can upgrade the modules for Kaspersky Internet Security. New application updates appear regularly. The main update source for Kaspersky Internet Security is Kaspersky Lab's update servers. These are a few of the addresses: http://downloads1.kaspersky-labs.com/updates, http://downloads2.kaspersky-labs.com/updates, ftp://downloads1.kaspersky-labs.com/updates. To download available updates from the update servers, your computer must be connected to the Internet. If you do not ha
228. nalysis. Anti-Spam exists as a plug-in for the following email clients: Microsoft Office Outlook (see 13.3.9 on pg. 181); Microsoft Outlook Express (see 13.3.10 on pg. 184); The Bat! (see 13.3.11 on pg. 185). This option is only supported for the 32-bit builds of Microsoft Office Outlook and The Bat! for computers running Microsoft Windows XP Professional x64 Edition and Microsoft Windows Vista x64. The task panel for Microsoft Office Outlook and Microsoft Outlook Express clients has two buttons, Spam and Accepted, which can configure Anti-Spam to detect spam right in your mailbox. In The Bat! there are no such buttons; instead, the program can be trained using the special items Mark as spam and Mark as NOT spam on the Special menu. In addition, special processing parameters (see 13.3.1 on pg. 171) for spam are added to all the settings of the email client. Anti-Spam uses a special self-training iBayes algorithm, which allows the component over time to more accurately distinguish between spam and accepted email. The data source for the algorithm is email contents. Situations arise when iBayes is unable to classify a certain email as either spam or accepted email to a high degree of accuracy. These emails are marked as potential spam. In order to reduce the number of emails marked as potential spam, you are advised to conduct additional Anti-Spam training (see 13.2 on pg. 167) on such emails. To do so, you must specify which of those
229. nent, virus scan, or update. Before doing so, you are strongly advised to establish why you need to stop them. It is likely that the problem can be solved in another way, for example, by changing the security level. If, for example, you are working with a database that you are sure does not contain viruses, simply add its files as an exclusion (see 6.3 on pg. 68). To pause protection components, virus scans, and update tasks: select the component or task from the left-hand part of the main window and click the pause button on the status bar. The component/task status will change to paused. The component or task will be paused until you resume it by clicking the button. When you pause the component or a task, statistics for the current Kaspersky Internet Security session are saved and will continue to be recorded after the component is updated. To stop protection components, virus scans, and update tasks: click the stop button on the status bar. You can also stop protection components in the program settings window by deselecting Enable <component name> in the General section for that component. The component/task status will then change to stopped (disabled). The component or task will be stopped until you enable it by clicking the button. For virus scan and update tasks, you will have the choice of the following options: continue the task that was interrupted, or restart it from the beginning
230. next time you run the task, the program will ask if you would like to continue the task where it stopped or begin it over. 14.2. Creating a list of objects to scan. To view a list of objects to be scanned for a particular task, select the task name (for example, My computer) in the Scan section of main program window. The list of objects will be displayed in the right-hand part of the window under the status bar (see fig. 64). [Figure 64. List of objects to scan] Object scan lists are already made for default tasks created when you install the program. When you create your own tasks or select an object for a virus scan task, you can create a list of objects. You can add to or edit an object scan list using the buttons to the right of the list. To add a new scan object to the list, click the Add button, and in the window that opens select the object to be scanned. For the user's convenience, you can add categories to a scan area, such as mail databases, RAM, startup objects, operating system backup, and files in the Kaspersky Internet Security folder. In addition, when you add a folder that contains embedded objects to a scan area, you can edit the recursion. To do so, use the corresponding item on the context menu. To delete an object, select it from the lis
231. ng registry keys for creating a rule; 10.1.4.2. Creating a Registry Guard rule; CHAPTER 11. ANTI-SPY; 11.1. Configuring Anti-Spy; 11.1.1. Creating Popup Blocker trusted address list; 11.1.2. Banner ad blocking list; 11.1.2.1. Configuring the standard banner ad blocking list; 11.1.2.2. Banner ad white lists; 11.1.2.3. Banner ad black lists; 11.1.3. Creating an Anti-Dialer trusted number list; CHAPTER 12. ANTI-HACKER; 12.1. Selecting an Anti-Hacker security level; 12.2. Application rules; 12.2.1. Creating rules manually; 12.2.2. Creating rules from template; 12.3. Packet filtering rule; 12.4. Fine-tuning rules for applications and packet filtering; 12.5. Ranking rule priority
232. ng the program from the command prompt; 3.4. Upgrading from 5.0 to 6.0; CHAPTER 4. PROGRAM INTERFACE; 4.1. System tray icon; 4.2. The context menu; 4.3. Main program window; 4.4. Program settings window; CHAPTER 5. GETTING STARTED; 5.1. What is the protection status of my computer; 5.1.1. Protection indicators; 5.1.2. Kaspersky Internet Security component status; 5.1.3. Program performance statistics; 5.2. How to scan your computer for viruses; 5.3. How to scan critical areas of the computer; 5.4. How to scan a file, folder or disk for viruses; 5.5. How to train Anti-Spam; 5.6. How to update the program; 5.7. What to do if pro
233. ng the types of objects to scan. By specifying the types of objects to scan, you establish which file formats, file sizes, and drives will be scanned for viruses when this task runs. The file types scanned are defined in the File types section (see fig. 67). Select one of the three options. Scan all files. With this option, all objects will be scanned without exception. Scan programs and documents (by content). If you select this group of programs, only potentially infected files will be scanned: files into which a virus could embed itself. Note: There are files in which viruses cannot insert themselves, since the contents of such files do not contain anything for the virus to hook onto. An example would be .txt files. And vice versa, there are file formats that contain or can contain executable code. Examples would be the formats .exe, .dll, or .doc. The risk of insertion and activation of malicious code in such files is fairly high. Before searching for viruses in an object, its internal header is analyzed for the file format (txt, doc, exe, etc.). Scan programs and documents (by extension). In this case, the program will only scan potentially infected files, and in doing so, the file format will be determined by the filename's extension. Using the link, you can review a list of file extensions that are scanned with this option (see A.1 on pg. 282). 4 Custom
234. nning at the appropriate level. Train Anti-Spam (see 5.5 on pg. 60) using your emails. Update the program (see 5.6 on pg. 61) if the Settings Wizard did not do so automatically after installing the program. Scan the computer (see 5.2 on pg. 58) for viruses. 5.1 What is the protection status of my computer? Composite information on your computer's protection is provided in the main program window in the Protection section. The current protection status of the computer and the general performance statistics of the program are displayed here. Computer protection status displays the current state of protection for your computer using special indicators (see 5.1.1 on pg. 53). Statistics (see 5.1.2 on pg. 56) analyses the current program session. 5.1.1 Protection indicators. Protection status is determined by three indicators, each of which reflects a different aspect of your computer's protection at any given moment and indicates any problems in program settings and performance. Figure 4. Indicators reflecting the computer protection status. Each indicator has three possible appearances: the situation is normal; the indicator is showing that your computer's protection is adequate and that there are no problems in the program settings
235. nt. The program now has the ability to scan traffic sent over the SSL protocol. New features include application self-defense technology, protection from unauthorized remote access to Kaspersky Internet Security services, and password protection for program settings. These features help keep malicious programs, hackers and unauthorized users from disabling protection. The option of creating a rescue disk has been added. Using this disk, you can restart your operating system after a virus attack and scan it for malicious objects. New Program Interface Features: The new Kaspersky Internet Security interface makes the program's functions clear and easy to use. You can also change the program's appearance by using your own graphics and color schemes. The program regularly provides you with tips as you use it: Kaspersky Internet Security displays informative messages on the level of protection, accompanies its operation with hints and tips, and includes a thorough Help section. New Program Update Features: This version of the application debuts our improved update procedure: Kaspersky Internet Security automatically checks the update source for update packages. When the program detects fresh updates, it downloads them and installs them on the computer. The program downloads updates incrementally, ignoring files that have already been downloaded. This lowers the download traffic for updates by up to 90%. Updates are downloaded from the fa
236. ntained in the threat signatures and network attacks databases, which are available on Kaspersky Lab's update servers. 1.1.3 If you sell the computer on which the Software is installed, you will ensure that all copies of the Software have been previously deleted. 1.1.4 You shall not decompile, reverse engineer, disassemble or otherwise reduce any part of this Software to a humanly readable form, nor permit any third party to do so. The interface information necessary to achieve interoperability of the Software with independently created computer programs will be provided by Kaspersky Lab by request on payment of its reasonable costs and expenses for procuring and supplying such information. In the event that Kaspersky Lab notifies you that it does not intend to make such information available for any reason, including (without limitation) costs, you shall be permitted to take such steps to achieve interoperability, provided that you only reverse engineer or decompile the Software to the extent permitted by law. 1.1.5 You shall not make error corrections to, or otherwise modify, adapt or translate the Software, nor create derivative works of the Software, nor permit any third party to copy (other than as expressly permitted herein). 1.1.6 You shall not rent, lease or lend the Software to any other person, nor transfer or sub-license your license rights to any other person. 1.1.7 Kaspersky Lab may ask User to install the latest v
237. nternet Security not to block the macro, uncheck the box next to that action. The program will no longer consider that behavior dangerous, and Proactive Defense will not process it. By default, whenever the program detects an action initiated by a macro, the application will ask you if you want to allow or block the macro. In order for the program to automatically block all dangerous behavior without prompting the user: in the window with the macro list, select Terminate. 10.1.4 Registry Guard. One of the goals of many malicious programs is to edit the Windows system registry on your computer. These can either be harmless jokes or more dangerous malware that presents a serious threat to your computer. For example, malicious programs can copy their information to the registry key that makes applications open automatically on startup. Malicious programs will then automatically be started when the operating system boots up. Proactive Defense can detect unknown threats that attempt to edit registry keys on your computer through the Registry Guard module. You can enable it by checking the box Enable Registry Guard in the Proactive Defense settings window. The special Proactive Defense module traces modifications of system registry files. You can turn this module on or off by checking Enable Registry Guard. To configure system registry monitoring: 1. Open the Kaspersky Internet Security settings window by
238. nti-Hacker component ensures your security on local networks and the Internet by protecting your computer at the network and application levels, and masking your computer on the net to prevent attacks. Let's take a closer look at how Anti-Hacker works. [Diagram: Application level (packet filtering rules for applications); Network level (data packet filtration rules, Intrusion Detection System); updatable rules database; updatable network attacks database.] You are protected at the network level through global packet filtration rules, in which network activity is allowed or blocked based on an analysis of settings such as packet direction, the data transfer protocol for the packet, and the outbound packet port. Rules for data packets establish access to the network regardless of the applications installed on your computer that use the network. In addition to the packet filtration rules, the Intrusion Detection System (IDS) provides additional security at the network level. The goal of the IDS is to analyze inbound connections, detect port scans on your computer, and filter network packets aimed at exploiting software vulnerabilities. When running, the IDS blocks all inbound connections from an attacking computer for a certain amount of time, and the user receives a message stating that his computer was subjected to an attempted network attack. The Intrusion Detection System uses a special network
239. o access the root site. For example, if the blocked banner list includes a mask for truehits.net, you will be able to access http://truehits.net, but access to http://truehits.net/a.jpg will be blocked. 11.1.2.1 Configuring the standard banner ad blocking list. Kaspersky Internet Security includes a list of masks for the most common banner ads on websites and program interfaces. This list is compiled by Kaspersky Lab specialists and is updated along with the threat signatures. You can select which standard banner ad masks you want to use when using Anti-Banner. To do so: 1. Open the Kaspersky Internet Security settings window and select Anti-Spy in the settings tree. 2. Click the Settings button in the Anti-Banner section. 3. Open the General tab (see fig. 42). Anti-Banner will block the banner ad masks listed on the tab. You can use wildcards anywhere in a banner address. Figure 42. Blocked banner list. The list of standard blocked masks cannot be edited. If you do not want to block a banner covered by a standard mask, uncheck the box next to the mask. To analyze banner ads that do not ma
240. o counteract new types of online scams, such as phishing; to stop the spread of malicious programs. Removable storage media: Removable media (floppies, CD/DVD-ROMs, and USB flash drives) are widely used for storing and transmitting information. Opening a file that contains malicious code and is stored on a removable storage device can damage data stored on the local computer and spread the virus to the computer's other drives or other computers on the network. 1.3 Types of Threats. There are a vast number of threats to computer security today. This section will review the threats that are blocked by Kaspersky Internet Security. Worms: This category of malicious programs spreads itself largely by exploiting vulnerabilities in computer operating systems. The class was named for the way that worms crawl from computer to computer, using networks and email. This feature allows worms to spread themselves very rapidly. Worms penetrate a computer, search for the network addresses of other computers, and send a burst of self-made copies to these addresses. In addition, worms often utilize data from email client address books. Some of these malicious programs occasionally create working files on system disks, but they can run without any system resources except RAM. Viruses: Viruses are programs which infect other files, adding their own code to them to gain control of the infected files when they are o
241. o determine the frequency at which the task starts. You can select one of these options: At a specified time. The task will run once on the day and at the time that you specify. On program start. The task starts up every time Kaspersky Anti-Virus is run. After each update. The task starts after each threat signature update (this only applies to virus scan tasks). Once. The task will run once on the day and at the time that you specify. Minutely. The time interval between scans will be a number of minutes, not greater than 59. Specify the number of minutes between scans in the schedule settings. Hourly. The interval between scans is calculated in hours. Enter the number of hours in the schedule settings: Every n-th hour, and enter the value for n. For example, enter Every 1 hour if you want the task to run hourly. Daily. The period between scans is calculated in days. Specify how often the scan should run in the schedule settings: Select the Every n-th day option and enter a value for n. Enter Every 2 days if you want to run the scan every other day. Select Every weekday if you want the scan to run daily, Monday through Friday. Select Every weekend for the task to run on Saturdays and Sundays only. In addition to the frequency, specify what time of day or night the scan task will run in the Time field. Weekly. The scan task will run on certain days of the wee
242. o whom the software is registered, license number, license type (full, beta-testing, demo, etc.), and the expiration date for the license. 3.2.3 Selecting a security mode. In this window, the Settings Wizard asks you to select the security mode that the program will operate with: Basic. This is the default setting and is designed for users who do not have extensive experience with computers or anti-virus software. It sets all the program's components to their recommended security levels and only informs the user of dangerous events, such as detecting malicious code or dangerous actions being executed. Interactive. This mode provides more customized defense of your computer's data than Basic mode. It can trace attempts to alter system settings, suspicious activity in the system, and unauthorized activity on the network. All of the activities listed above could be signs of malicious programs, or standard activity for some of the programs you use on your computer. You will have to decide for each separate case whether those activities should be allowed or blocked. If you choose this mode, specify when it should be used: Enable Anti-Hacker Training Mode: ask for user decisions when programs installed on your computer attempt to connect to a certain network resource. You can either allow or block that connection and configure an Anti-Hacker rule for that program. If you disable Training Mode, Anti-Hacker runs with minimal protection settings
243. objects and, if disinfection fails, delete. Also delete all compound objects completely if infected contents cannot be deleted. i4: Delete infected objects and, if disinfection fails, delete. Also delete all compound objects completely if infected contents cannot be deleted. <action query>: this parameter defines which actions will prompt the user for a response during the scan. If the parameter is not defined, the default value is a2. i8: Prompt the user for action if an infected object is detected. i9: Prompt the user for action at the end of the scan. <file types>: this parameter defines the file types that will be subject to the anti-virus scan. If this parameter is not defined, the default value is fi. fe: Scan only potentially infected files by extension. fi: Scan only potentially infected files by contents (default). fa: Scan all files. <exclusions>: this parameter defines objects that are excluded from the scan. It can include several values from the list provided, separated by spaces: e a Do not scan archives; e b Do not scan email databases; e m Do not scan plain text emails; e <mask> Do not scan objects by mask; e <seconds> Skip objects that are scanned for longer than the time specified in the <seconds> parameter; es <size> Skip files larger i
244. ocks programs that attempt autodialing, and analyzes web pages for phishing content. Anti-Hacker: Hackers will use any potential hole to invade your computer, whether it be an open port, data transmissions between computers, etc. The Anti-Hacker component protects your computer while you are using the Internet and other networks. It monitors inbound and outbound connections, and scans ports and data packets. Anti-Spam: Although not a direct threat to your computer, spam increases the load on email servers, fills up your email inbox, and wastes your time, thereby representing a business cost. The Anti-Spam component plugs into your computer's email client program and scans all incoming email for spam subject matter. The component marks all spam emails with a special header. Anti-Spam can be configured to process spam as you like (auto delete, move to a special folder, etc.). 2.2.2 Virus scan tasks. In addition to constantly monitoring all potential pathways for malicious programs, it is extremely important to periodically scan your computer for viruses. This is necessary to detect malicious programs that were not previously discovered by the program because, for instance, its security level was set too low. Kaspersky Internet Security configures, by default, three virus scan tasks: Critical Areas. Scans all critical areas of the computer for viruses. This includes system memory, programs lo
245. of address masks: ivanov test ru: emails from this address will always be classified as accepted. test ru: email from any sender in the domain test.ru is accepted, for example petrov@test.ru, sidorov@test.ru. ivanov: a sender with this name, regardless of the email domain, always sends only accepted email, for example ivanov@test.ru, ivanov@mail.ru. test: email from any sender in a domain that begins with test is not spam, for example ivanov@test.ru, petrov@test.com. ivan test: email from a sender whose name begins with ivan and whose domain name begins with test and ends in any three characters is always accepted, for example ivan.ivanov@test.com, ivan.petrov@test.org. You can also use masks for phrases. When entering a phrase, the use of capitals is ignored. Here are some examples: Hi Ivan: an email that only contains this text is accepted. It is not recommended to use such a phrase as a white list phrase. Hi Ivan: an email beginning with the phrase Hi Ivan is accepted. Hi: emails beginning with the greeting Hi and an exclamation point anywhere in the email will not be treated as spam. Ivan: the email contains a greeting to a user with the name Ivan, whose name is followed by any character, and is not spam. van: emails containing the phrase van are accepted. To disable the use of a certain address or phrase as attribu
246. of compound files to be scanned. Parse email formats: scan email files and email databases. If this checkbox is selected, Kaspersky Internet Security will parse the mail file and analyze every component of the e-mail (body, attachments) for viruses. If this checkbox is deselected, the mail file will be scanned as a single object. Please note, when scanning password-protected email databases: Kaspersky Internet Security detects malicious code in Microsoft Office Outlook 2000 databases but does not disinfect them. Kaspersky Internet Security does not support scans for malicious code in Microsoft Office Outlook 2003 protected databases. Scan password-protected archives: scans password-protected archives. With this feature, a window will request a password before scanning archived objects. If this box is not checked, password-protected archives will be skipped. 14.4.3 Restoring default scan settings. When configuring scan task settings, you can always return to the recommended settings. Kaspersky Lab considers them to be optimal and has combined them in the Recommended security level. To restore the default virus scan settings: 1. Select the task name in the Scan of the main window. Right-click on the task name to open the context menu, or click the Actions button on the right of the list of scan objects, and select Settings. 2. Click the Default button in the Security
247. ograms run on the computer. You can edit the rules at your own discretion by adding, deleting or editing them. Rules can block actions or grant permissions. Let's examine the Proactive Defense algorithms: 1. Immediately after the computer is started, Proactive Defense analyzes the following factors, using the set of rules and exclusions: Actions of each application running on the computer. Proactive Defense records a history of actions taken in order and compares them with sequences characteristic of dangerous activity (a database of dangerous activity types comes with the program and is updated with the threat signatures). Actions of each VBA macro run are analyzed for signs of malicious activity. Integrity of the program modules of the programs installed on your computer, which detects the replacement of program modules by versions with malicious code injected into them. Each attempt to edit the system registry by deleting or adding system registry keys, entering strange values for keys in an inadmissible format that prevents them from being viewed or edited, etc. 2. The analysis is conducted using allow and block rules from Proactive Defense. 3. After the analysis, the following courses of action are available: If the activity satisfies the conditions of the Proactive Defense allow rule or does not match any of the block rules, it is not blocked. If the activity is ruled as dangerous on the basis of the relevant
248. om the context menu. You will find more information on what protection a selected component provides, and how much disk space it requires for installation, in the lower part of the program installation window. If you do not want to install a component, select Entire feature will be unavailable from the context menu. Remember that by choosing not to install a component, you deprive yourself of protection against a wide range of dangerous programs. After you have selected the components you want to install, click Next. To return the list to the default programs to be installed, click Reset. Step 7. Disabling the Microsoft Windows firewall. You will only take this step if you are installing the Anti-Hacker component of Kaspersky Internet Security on a computer with the built-in firewall enabled. In this step, Kaspersky Internet Security asks you if you want to disable the Windows Firewall, since the Anti-Hacker component of Kaspersky Internet Security provides full firewall protection. If you want to use Anti-Hacker as your firewall, click Next. The Windows Firewall will be disabled automatically. If you want to use the Windows Firewall, select Keep Windows Firewall enabled. If you select this option, Anti-Hacker will be installed but disabled to avoid program conflicts. Step 8. Searching for other anti-virus programs. In this stage, the installer searches for other anti-virus products
249. omputer via HTTP. Script scan: scans all scripts processed in Microsoft Internet Explorer, as well as any WSH scripts (JavaScript, Visual Basic Script, etc.) that are loaded while the user is on the computer. A special plug-in for Microsoft Internet Explorer is installed as part of Kaspersky Internet Security installation. The button in the browser's Standard Buttons toolbar indicates that it is installed. Clicking on the icon opens an information panel with Web Anti-Virus statistics on the number of scripts scanned and blocked. Web Anti-Virus guards HTTP traffic as follows: 1. Each web page or file that can be accessed by the user or by a certain application via HTTP is intercepted and analyzed by Web Anti-Virus for malicious code. Malicious objects are detected using both the threat signatures included in Kaspersky Internet Security and the heuristic algorithm. The signatures contain descriptions of all malicious programs known to date, and methods for neutralizing them. The heuristic algorithm can detect new viruses that have not yet been entered in the threat signatures. 2. After the analysis, you have the following available courses of action: a. If the web page or object contains malicious code, the program blocks access to it, and a message appears on the screen stating that the object or page is infected. b. If the file or web page does not contain malicious code, the program immediately grants
250. omputers on the network. This means that if one computer on the network is infected, the others are at great risk of infection. To avoid such situations, both the network perimeter and each individual computer must be protected. Since the overwhelming majority of computers have email client programs installed, and since malicious programs exploit the contents of electronic address books, conditions are usually right for spreading malicious programs. The user of an infected computer might, without realizing, send infected emails to friends or coworkers, who in turn send more infected emails. For example, it is common for infected file documents to go undetected when distributed with business information via a company's internal email system. When this occurs, more than a handful of people are infected. It might be hundreds or thousands of company workers, together with potentially tens of thousands of subscribers. Beyond the threat of malicious programs lies the problem of electronic junk email, or spam. Although not a direct threat to a computer, spam increases the load on email servers, eats up bandwidth, clogs up the user's mailbox, and wastes working hours, thereby incurring financial harm. Also, hackers have begun using mass mailing programs and social engineering methods to convince users to open emails or click on a link to certain websites. It follows that spam filtration capabilities are valuable for several purposes: to stop junk email; t
251. on download updates from Kaspersky Lab update servers. The list of addresses which this item represents cannot be edited. When updating, Kaspersky Internet Security calls this list, selects the address of the first server, and tries to download files from this server. If updates cannot be downloaded from the first server, the application tries to connect to each of the servers in turn until it is successful. The address of the server from which updates were successfully downloaded is automatically placed at the top of the list, so that next time the application will try to connect to this server first. Figure 72. Selecting an update source. To download updates from another FTP or HTTP site: 1. Click Add. 2. In the Select Update Source dialog box, select the target FTP or HTTP site, or specify the IP address, character name or URL address of this site in the Source field. Warning: If a resource located outside the LAN is selected as an update source, you must have an Internet connection to update. To update from a local folder: 1. Click Add. 2. In the Select Update Source dialog box, select a folder, or specify the full path to this folder in the Source field. Kaspersky Internet Security adds new update sources
252. on section. All activity: any network activity initiated by this application. Custom: specific activity that you will have to define in a special window, as with creating a rule (see 12.2.1 on pg. 147). <Template>: name of the template that includes the set of rules typical of the program's network activity. This activity type appears on the list if Kaspersky Internet Security includes an appropriate template for the application that initiated the network activity (see 12.2.2 on pg. 147). In such a case, you will not have to customize what activity to allow or block. Use the template, and a set of rules for the application will be created automatically. 3. Click the button with the name of the action (Allow or Block). Remember that the rule created will be used only when all of the connection parameters match it. This rule will not apply to a connection established from a different local port, for example. CHAPTER 13. ANTI-SPAM. The Kaspersky Internet Security component which detects spam, processes it according to a set of rules, and saves you time when using email, is called Anti-Spam. Anti-Spam uses the following method to determine whether an email is spam: 1. The sender's address is scanned for matches on black and white lists of addresses. If the sender's address is on the white list, the email is marked as accepted. If the sender's address is on the black list, the email is
253. on your computer and you saved its threat signatures when you uninstalled it, you can use it in the current version. To do so, check Threat signatures. The threat signatures included with the program installation will not be copied to your computer. To use protection settings that you configured and saved from a previous version, check Protection settings. You are also advised to use the Anti-Spam knowledge base if you saved one when you uninstalled the previous version of the program. This way, you will not have to retrain Anti-Spam. To use the knowledge base that you already created, check Anti-Spam knowledge base. We do not recommend deselecting Enable protection modules before installing when initially installing Kaspersky Internet Security. By enabling the protection modules, you can correctly roll back installation if errors occur while installing the program. If you are reinstalling the program, we recommend that you deselect this checkbox. If the application is installed remotely via Windows Remote Desktop, we recommend checking Enable protection modules before installing. Otherwise, the installation procedure might not complete or complete correctly. To continue installation, click the Next button. Step 10. Completing the installation procedure. The Complete Installation window contains information on finishing the Kaspersky Internet Security installation pro
254. onents that you want this exclusion rule to apply to. To create an exclusion rule from a program notice stating that it has detected a dangerous object: 1. Use the Add to trusted zone link in the notification window (see fig. 10). Figure 10. Dangerous object detection notification. In the window that opens, be sure that all the exclusion rule settings match your needs. The program will fill in the object name and threat type automatically, based on information from the notification. To create the rule, click OK. To create an exclusion rule from the report window: 1. Select the object in the report that you want to add to the exclusions. 2. Open the context menu and select Add to trusted zone (see fig. 11). 3. The exclusion settings window will then open. Be sure that all the exclusion rule settings match your needs. The program will fill in the object name and threat type automatically, based on the information from the report. To create the rule, click OK.
255. only enter masks with absolute paths to objects: C dir or C dir or C dir: all files in folder C dir. C dir exe: all files with the extension exe in the folder C dir. C dir ex: all files with the extension ex in the folder C dir, where can represent any one character. C dir test: only the file C dir test. In order for the scan to be carried out recursively, check Include subfolders. Warning: Remember that File Anti-Virus will scan only the files that are included in the protection scope created. Files not included in that scope will be available for use without being scanned. This increases the risk of infection on your computer. 7.2.3 Configuring advanced settings. As additional File Anti-Virus settings, you can specify the file system scanning mode and configure the conditions for temporarily pausing the component. To configure additional File Anti-Virus settings: 1. Select File Anti-Virus in the main window and go to the component settings window by clicking the Settings link. 2. Click the Customize button and select the Additional tab in the window that opens (see fig. 20). Figure 20. Configuring additional File
256. or an opportunity arises to treat it. 7.3 Postponed disinfection. If you select Block access as the action for malicious programs, the objects will not be treated and access to them will be blocked. If the actions selected were Block access, Disinfect, all untreated objects will also be blocked. In order to regain access to blocked objects, they must be disinfected. To do so: 1. Select File Anti-Virus in the main window of the program and left-click anywhere in the Statistics box. 2. Select the objects that interest you on the Detected tab and click the Actions, Neutralize all button. Successfully disinfected files will be returned to the user. Any that cannot be treated, you can delete or skip. In the latter case, access to the file will be restored. However, this significantly increases the risk of infection on your computer. It is strongly recommended not to skip malicious objects. CHAPTER 8. MAIL ANTI-VIRUS. Mail Anti-Virus is Kaspersky Internet Security's component to prevent incoming and outgoing email from transferring dangerous objects. It starts running when the operating system boots up, stays active in your system memory, and scans all email on protocols POP3, SMTP, IMAP, MAPI and NNTP, as well as encryption for POP3 and IMAP (SSL). The component's activity is indicated by the Kaspersky Internet Security system tray icon, which looks like this whenever an email is being scann
257. ork resource is specified as an update source, Kaspersky Internet Security tries to start the Updater after a certain amount of time has elapsed, as specified in the previous update packet. If a local folder is selected as an update source, the application tries to download the updates from the local folder as often as specified in the update package that was downloaded during the previous update. This option allows Kaspersky Lab to regulate how often the program is updated in case of virus outbreaks and other potentially dangerous situations. Your application will receive the latest updates for the threat signatures, network attacks and software modules in a timely manner, thus preventing malicious software from penetrating your computer. Figure 74. Selecting an update run mode. Every 1 day(s): The Updater is scheduled to start at a specified time. The default schedule runs the Updater daily. To edit the default schedule, click the Change button in the Run Mode box and make the necessary changes in the window that opens (for more details, see 6.5 on pg. 78). Manually: With this option, you start the Updater manually. Kaspersky Internet Security notifies you when it needs to be updated: • A popup message informing you that updating is required appears above the application icon in the system tray, if notices are enabled (see 17.11.1 on pg. 255) • The s
258. otentially infected objects are objects that are suspected of being infected with viruses or modifications of them. Why potentially infected? There are several reasons why it is not always possible to determine whether an object is infected: • The code of the object scanned resembles a known threat but is partially modified. Threat signatures contain threats that have already been studied by Kaspersky Lab. If a malicious program is modified by a hacker but these changes have not yet been entered into the signatures, Kaspersky Internet Security classifies the object infected with this changed malicious program as being potentially infected, and indicates what threat this infection resembles. • The code of the object detected is reminiscent in structure of a malicious program, although nothing similar is recorded in the threat signatures. It is quite possible that this is a new type of threat, so Kaspersky Internet Security classifies the object as a potentially infected object. The heuristic code analyzer detects potential viruses, identifying up to 92% of new viruses. This mechanism is fairly effective and very rarely produces false positives. A potentially infected object can be detected and placed in quarantine by File Anti-Virus, Mail Anti-Virus, Proactive Defense, or in the course of a virus scan. You can place an object in quarantine by clicking Quarantine in the notification that pops up when a potentially infected object is detected
259. Figure 98. List of ports open on a computer. This information may be useful during virus outbreaks and network attacks if you know exactly which port is vulnerable. You can find out whether that port is open on your computer and take the necessary steps to protect your computer (for example, enabling Intrusion Detector, closing the vulnerable port, or creating a rule for it). 17.3.18 The Traffic tab. This tab (see fig. 99) holds information on all the inbound and outbound connections established between your computer and other computers, including web servers, email servers, etc. The following information is given for every connection: name and IP address of the host that the connection is with, and the amount of traffic sent and received
260. ows you to select exactly what group of emails to scan for dangerous objects. By default, the component protects email at the Recommended security level, which means scanning both incoming and outgoing email. When you first begin working with the program, you are advised to scan outgoing email, since it is possible that there are worms on your computer that use email as a channel for distributing themselves. This will help avoid the possibility of unmonitored mass mailings of infected emails from your computer. If you are certain that the emails that you are sending do not contain dangerous objects, you can disable the outgoing email scan. To do so: 1. Select Mail Anti-Virus in the main window and go to the component settings window by clicking Settings. Click on the Customize button in the Mail Anti-Virus configuration window. 2. In the Mail Anti-Virus Custom settings window that opens (see Figure 25), select Only incoming email in the Scope section. Figure 25. Mail Anti-Virus settings. In addition to selecting an email group, you can specify whether archived attachments should be scanned, and also set the maximum amount of time
261. pened. This simple definition explains the fundamental action performed by a virus: infection. Trojans: Trojans are programs which carry out unauthorized actions on computers, such as deleting information on drives, making the system hang, stealing confidential information, and so on. This class of malicious program is not a virus in the traditional sense of the word, because it does not infect other computers or data. Trojans cannot break into computers on their own and are spread by hackers, who disguise them as regular software. The damage that they inflict can greatly exceed that done by traditional virus attacks. Recently, worms have been the commonest type of malicious program damaging computer data, followed by viruses and Trojans. Some malicious programs combine features of two or even three of these classes. Adware: Adware comprises programs which are included in software, unknown to the user, which is designed to display advertisements. Adware is usually built into software that is distributed free. The advertisement is situated in the program interface. These programs also frequently collect personal data on the user and send it back to their developer, change browser settings (start page and search pages, security levels, etc.) and create traffic that the user cannot control. This can lead to a security breach and to direct financial losses. Spyware: This software collects information a
262. persky Internet Security features. Here you can update the program, view reports on the performance of any of the Kaspersky Internet Security components, work with quarantined objects and backup copies, review technical support information, create a Rescue Disk, and manage license keys. The Comments and tips section accompanies you as you use the application. This section offers tips on raising the security level of your computer. You will also find comments on the application's current performance and its settings. The links in this section guide you to take the actions recommended for a particular section or to view information in more detail. Each element of the navigation panel is accompanied by a special context menu. The menu contains points for the protection components and tools that help the user quickly configure them, manage them, and view reports. There is an additional menu item for virus scan tasks that allows you to create your own task by modifying a copy of an existing task. You can change the appearance of the program by creating and using your own graphics and color schemes. 4.4 Program settings window. You can open the Kaspersky Internet Securi
263. pes of events that occur in the system that the application will track as suspicious: • Dangerous activity (behavior analysis). Kaspersky Internet Security analyzes the activity of applications installed on your computer and, based on the list of rules created by Kaspersky Lab, detects dangerous or suspicious actions by the programs. Such actions include, for example, masked program installation or programs copying themselves. • By analyzing this type of activity, you can detect attempts to open a browser with settings. This activity is characteristic of opening a web browser from an application with certain command prompt settings: for example, when you click a link to a certain URL in an advertisement e-mail. • Intrusion into process: adding executable code or creating an additional stream to the process of a certain program. This activity is widely used by Trojans. • Appearance of masked processes. A rootkit is a set of programs used to mask malicious programs and their processes in the system. Kaspersky Internet Security analyzes the operating system for masked processes. • Invaders. This activity is used in attempts to read passwords and other confidential information displayed in operating system dialog boxes. Kaspersky Internet Security traces this activity if attempts are made to intercept data transferred between the operating system and the dialog box. • Suspicious characters in the
264. ponents or virus scan tasks: request password if user attempts to pause or fully disable any protection component or virus scan task. 3.2.7 Application Integrity Control. In this stage, the Kaspersky Internet Security wizard will analyze the applications installed on your computer (dynamic library files, digital manufacture signatures), count application checksum files, and create a list of programs that can be trusted from a virus security perspective. For example, this list will automatically include all applications digitally signed by Microsoft. In the future, Kaspersky Internet Security will use information obtained while analyzing application structure to prevent malicious code from being embedded in application modules. Analyzing the applications installed on your computer may take some time. 3.2.8 Configuring Anti-Hacker settings. Anti-Hacker is the Kaspersky Internet Security component that guards your computer on local networks and the Internet. At this stage, the Setup Wizard asks you to create a list of rules that will guide Anti-Hacker when analyzing your computer's network activity. 3.2.8.1 Determining a security zone's status. In this stage, the Setup Wizard analyzes your computer's network environment. Based on its analysis, the entire network space is broken down into zones: Internet: the World Wide Web. In this zone, Kaspersky Internet Security operates as
265. program, check Show report history. Figure 80. Reports on component operation. To review all the events reported for a component or task: Select the name of the component or task on the Reports tab and click the Details button. A window will then open that contains d
266. protects against malware penetrating your system while web surfing, and scans files downloaded from the Internet. Kaspersky Anti-Virus for MIMESweeper for SMTP: Kaspersky Anti-Virus for MIMESweeper for SMTP provides high-speed scanning of SMTP traffic on servers that use Clearswift MIMESweeper. The program is a plug-in for Clearswift MIMESweeper for SMTP and scans for viruses and processes inbound and outbound e-mail traffic in real time. B.2. Contact Us. If you have any questions, comments, or suggestions, please refer them to one of our distributors or directly to Kaspersky Lab. We will be glad to assist you in any matters related to our product by phone or via email. Rest assured that all of your recommendations and suggestions will be thoroughly reviewed and considered. Technical support: Please find the technical support information at http://www.kaspersky.com/supportinter.html. Helpdesk: www.kaspersky.com/helpdesk.html. General information: WWW: http://www.kaspersky.com, http://www.viruslist.com. Email: info@kaspersky.com. APPENDIX C. LICENSE AGREEMENT. Standard End User License Agreement. NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT") FOR THE LICENSE OF KASPERSKY INTERNET SECURITY ("SOFTWARE") PRODUCED BY KASPERSKY LAB ("KASPERSKY LAB"). IF YOU HAVE PURCHASED THIS SOFTWARE VIA THE INTERNET BY CLICKING THE ACCEPT BUTTON, YOU (EITHER AN INDIVIDUAL OR A
267. pter 10 on pg. 114 is the program's key advantage. It analyzes the behavior of applications installed on your computer, monitoring changes to the system registry, tracking macros, and fighting hidden threats. The component uses a heuristic analyzer to detect and record various types of malicious activity, with which actions taken by malicious programs can be rolled back and the system can be restored to its state prior to the malicious activity. • The program protects the computer against rootkits and dialers, blocks banner ads, popup windows, and malicious scripts downloaded from web pages, and detects phishing sites. • File Anti-Virus technology has been improved to lower the load on the central processor and disk subsystems and increase the speed of file scans using iChecker and iSwift. By operating this way, the program rules out scanning files twice. • The scan process now runs as a background task, enabling the user to continue using the computer. If there is a competition for system resources, the virus scan will pause until the user's operation is completed and then resume at the point where it left off. • Critical areas of the computer, where infection could lead to serious consequences, are given their own separate task. You can configure this task to run automatically every time the system is started. • E-mail protection from malicious programs and spam has been significantly improved. The progra
268. puter, the installer checks your computer for the operating system and service packs necessary to install Kaspersky Internet Security. It also checks your computer for other necessary programs and verifies that your user rights allow you to install software. If any of these requirements is not met, the program will display a message informing you of the fault. You are advised to install any necessary service packs through Windows Update, and any other necessary programs, before installing Kaspersky Internet Security. Step 2. Installation Welcome window. If your system fully meets all requirements, an installation window will appear when you open the installer file, with information on beginning the installation of Kaspersky Internet Security. To continue installation, click the Next button. You may cancel installation by clicking Cancel. Step 3. Viewing the End User License Agreement. The next window contains the End User License Agreement between you and Kaspersky Lab. Carefully read through it, and if you agree to all the terms of the agreement, select accept the terms of the License Agreement and click the Next button. Installation will continue. Step 4. Selecting an installation folder. The next stage of Kaspersky Internet Security installation determines where the program will be installed on your computer. The default path is <Drive>\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0. You can specify a different fol
269. r patch_12345 com will be scanned. If an or is part of an actual URL added to the list, when you enter them you must use a backslash to override the or following it. Example: You want to add this following URL to the trusted address list: www virus com download _virus virus dll virus_name. For Kaspersky Internet Security not to process as a wildcard, put a backslash in front of it. Then the URL that you are adding to the exclusion list will be as follows: www virus com download_virus virus dll virus_name. 9.2.3 Restoring default Web Anti-Virus settings. When configuring Web Anti-Virus, you can always return to the default performance settings, which Kaspersky Lab considers to be optimal and has combined as the Recommended security level. To restore the default Web Anti-Virus settings: 1. Select Web Anti-Virus in the main window and go to the component settings window by clicking Settings. 2. Click the Default button in the Security Level section. 9.2.4 Selecting responses to dangerous objects. If analyzing an HTTP object shows that it contains malicious code, the Web Anti-Virus response depends on the actions you select. To configure Web Anti-Virus reactions to detecting a dangerous object: Open the Kaspersky Internet Security settings window and select Web Anti-Virus. The possible responses for dangerous objects are listed in the Action section (see fig. 31). By d
270. r Anti-Hacker scans traffic, Anti-Hacker settings govern analysis of network activity for that application. 6.4 Starting virus scan and update tasks under another profile. Note that this feature is unavailable in Microsoft Windows 98/ME. Kaspersky Internet Security 6.0 has a feature that can start scan tasks under another user profile. This feature is by default disabled, and tasks are run under the profile under which you are logged into the system. The feature is useful if, for example, you need access rights to a certain object during a scan. By using this feature, you can configure tasks to run under a user that has the necessary privileges. Program updates may be made from a source to which you do not have access (for example, the network update folder) or authorized user rights for a proxy server. You can use this feature to run the Updater with another profile that has those rights. To configure a scan task that starts under a different user profile: 1. Select the task name in the Scan Service section of the main window and use the Settings link to open the task settings window. 2. Click the Customize button in the task settings window and go to the Additional tab in the window that opens (see fig. 14). To enable this feature, check Run this task as. Enter the data for the login that you want to start the task as below: user name and password.
271. racy of spam and potential spam (see 13.3.3 on pg. 173) • Create white and black lists for senders and key phrases (see 13.3.4 on pg. 174) • Configure additional spam filtration features (see 13.3.5 on pg. 178) • Maximally reduce the amount of spam in your Inbox through previewing with the Email Dispatcher (see 13.3.7 on pg. 179). The following sections will examine these settings in detail. 13.3.1 Configuring scan settings. You can configure the following scan settings: • Whether traffic from POP3 and IMAP protocols is scanned. By default, Anti-Spam scans email on all these protocols except emails encrypted with SSL. • Whether plug-ins are activated for Microsoft Office Outlook and The Bat! • Whether email is viewed via POP3 in the Email Dispatcher (see 13.3.7 on pg. 179) prior to downloading it from the email server to the user's Inbox. To configure these settings: 1. Select Anti-Spam in the Kaspersky Internet Security settings window. 2. Check or uncheck the boxes in the Connectivity section which correspond to the three options discussed immediately above (see fig. 56). Figure 56. Configuring scan settings. 13.3.2 Selecting spam filtration technologies. Emails are scanned for spam using state-of-the-art filtration technologies: • iBayes, ba
272. ram. The application installation includes a set of criteria that can help determine how dangerous the activity of one program or another is. If the activity analysis shows that a certain program's actions are suspicious, Kaspersky Internet Security will take the action assigned by the rule for activity of the specific type. Dangerous activity is determined by the total set of program actions. For example, when actions are detected such as a program copying itself to network resources, the startup folder, or the system registry, and then sending copies of itself, it is highly likely that this program is a worm. Dangerous behavior also includes: • Changes to the file system • Modules being embedded in other processes • Masking processes in the system • Modification of certain Microsoft Windows system registry keys. Proactive Defense tracks and blocks all dangerous operations by using the set of rules together with a list of excluded applications. Proactive Defense also tracks all macros executed in Microsoft Office applications. In operation, Proactive Defense uses a set of rules included with the program, as well as rules created by the user while using the program. A rule is a set of criteria that determine a set of suspicious behaviors and Kaspersky Internet Security's reaction to them. Individual rules are provided for application activity and monitoring changes to the system registry, macros and pr
273. re 61. Configuring spam processing in Microsoft Office Outlook. It opens automatically when the email client is first opened after installing the program and asks if you want to configure spam processing. You can assign the following processing rules for both spam and potential spam: • Move to folder: spam is moved to the specified folder. • Copy to folder: a copy is created of the email and it is moved to the specified folder. The original email stays in your Inbox. • Delete: deletes spam from the user's mailbox. • Skip: leaves the email in your Inbox. To do so, select the appropriate value from the dropdown list in the Spam or Probable Spam section. You can also configure Microsoft Office Outlook and Anti-Spam to work together: Scan upon receiving. All emails that enter the user's inbox are initially processed according to the Outlook rules. After processing is complete, the Anti-Spam plug-in processes the remaining messages that do not fall under any of the rules. In other words, emails are processed according to the priority of the rules. Sometimes the priority sequence may be ignored if, for example, a large number of emails arrive in your Inbox at the same time. In such a case, situations could arise when information about an email processed by the Microsoft Office Outlook rule is logged in the Anti-Spam report as spam. To avoid this, we recommend configuring the Anti-Spam plug-in
274. reduces scan time and increases the program's performance speed. To select this mode, check Scan new and changed files only. This mode applies to both simple and compound files. In the Compound Files section, specify which compound files to scan for viruses: • Scan archives: scans zip, cab, rar, and arj archives. • Scan installation packages: scans self-extracting archives for viruses. • Scan embedded OLE objects: scans objects embedded in files (for example, Excel spreadsheets or macros embedded in a Microsoft Word file, email attachments, etc.). You can select and scan all files or only new files for each type of compound file. To do so, left-click the link next to the name of the object to toggle its value. If the Productivity section has been set up only to scan new and modified files, you will not be able to select the type of compound files to be scanned. To specify compound files that should not be scanned for viruses, use the following settings: • Extract archives in background if larger than MB. If the size of a compound object exceeds this restriction, the program will scan it as a single object (by analyzing the header) and will return it to the user. The objects that it contains will be scanned later. If this option is not checked, access to files larger than the size indicated will be blocked until they have been scanned. • Do not process archives larger than MB. With this option checked, fil
275. reed security solutions based on its unique experience and knowledge gained in over 14 years of fighting computer viruses. A thorough analysis of computer virus activities enables the company to deliver comprehensive protection from current and future threats. Resistance to future attacks is the basic policy implemented in all Kaspersky Lab's products. At all times, the company's products remain at least one step ahead of many other vendors in delivering extensive anti-virus coverage for home users and corporate customers alike. Years of hard work have made the company one of the top security software manufacturers. Kaspersky Lab was one of the first businesses of its kind to develop the highest standards for anti-virus defense. The company's flagship product, Kaspersky Internet Security, provides full-scale protection for all tiers of a network, including workstations, file servers, email systems, firewalls, Internet gateways, and hand-held computers. Its convenient and easy-to-use management tools ensure advanced automation for rapid virus protection across an enterprise. Many well-known manufacturers use the Kaspersky Internet Security kernel, including Nokia ICG (USA), F-Secure (Finland), Aladdin (Israel), Sybari (USA), G Data (Germany), Deerfield (USA), Alt-N (USA), Microworld (India) and BorderWare (Canada). Kaspersky Lab's customers benefit from a wide range of additional services that ensure both stable operation of the company's products
276. registry. The system registry is a database for storing system and user settings that control the operation of Windows, as well as any utilities established on the computer. Malicious programs, attempting to mask their presence in the system, copy incorrect values in registry keys. Kaspersky Internet Security analyzes system registry entries for suspicious values. • Suspicious activity in the system. The program analyzes actions executed by the Windows operating system and detects suspicious activity. An example of suspicious activity would be an integrity breach, which involves modifying one or several modules in a monitored application since the time it was last run. • Keyloggers. This activity is used in attempts by malicious programs to read passwords and other confidential information which you have entered using your keyboard. • Windows Task Manager protection. Kaspersky Internet Security protects Task Manager from malicious modules injecting themselves into it when aimed at blocking Task Manager operation. The list of dangerous activities can be extended automatically by the Kaspersky Internet Security update process, but it cannot be edited by the user. You can: • Turn off monitoring for an activity by deselecting the checkbox next to its name • Edit the rule that Proactive Defense uses when it detects a dangerous activity • Create an exclusion list (see 6.3 on pg. 68) by listing applications that you do not consider dangerous. To configure activ
277. ressed image graphics format; emf: Enhanced Metafile format. Next generation of Microsoft Windows OS metafiles. EMF files are not supported by 16-bit Microsoft Windows; ico: icon file; ov: Microsoft DOC executable files; xl: Microsoft Office Excel documents and files, such as xla (Microsoft Office Excel extension), x c (diagram), xlt (document templates), etc.; pp: Microsoft Office PowerPoint documents and files, such as pps (Microsoft Office PowerPoint slide), ppt (presentation), etc.; md: Microsoft Office Access documents and files, such as mda (Microsoft Office Access work group), mdb (database), etc. Remember that the actual format of a file may not correspond with the format indicated in the file extension. A.2. Possible file exclusion masks. Let's look at some examples of possible masks that you can use when creating file exclusion lists: 1. Masks without file paths: • exe: all files with the extension exe • ex: all files with the extension ex, where can represent any one character • test: all files with the name test 2. Masks with absolute file paths: • C dir or C dir or C dir: all files in folder C dir • C dir exe: all files with extension exe in folder C dir • C dir ex: all files with extension ex in folder C dir, where can represent any one character • C dir test: only
278. Dialers generally establish connections with specific websites, such as sites with pornographic material. Then you are forced to pay for expensive traffic that you never wanted or used. If you want to exclude a number from the blocked list, you must place it on the trusted numbers list (see 11.1.3 on pg. 140). 11.1 Configuring Anti-Spy. Anti-Spy protects you from all programs known to Kaspersky Lab which could steal your confidential information or money. You can configure the component more specifically by: • Creating a list of trusted websites (see 11.1.1 on pg. 136) whose popup windows you do not want to block • Creating black and white lists of banners (see 11.1.2 on pg. 138) • Creating trusted telephone number lists (see 11.1.3 on pg. 140) for dial-up connections that you allow. 11.1.1 Creating Popup Blocker trusted address list. By default, Anti-Spy blocks the majority of automatic popup windows. The exception is popup windows from websites on the trusted site list in Microsoft Internet Explorer and Intranet sites that you are currently a part of. If you are running Windows XP with Service Pack 2, Internet Explorer already has its own popup blocker, which you can configure, selecting which particular windows you want to block and which you do not. Anti-Spy is compatible with this blocker using the following principle: a blocking rule takes precedence, that is, if either Internet Explorer or Anti-Spy has a blocking rule
279. rity level and make the following changes: remove the restriction on scanned file sizes and optimize File Anti-Virus operation by only scanning new and modified files. Then the scan will not take up as many system resources, so you can comfortably use other applications. To modify the settings for a security level: Click the Settings button in the File Anti-Virus settings window. Edit the File Anti-Virus settings in the window that opens and click OK. As a result, a fourth security level will be created, Custom, which contains the protection settings that you configured. 7.2 Configuring File Anti-Virus. Your settings determine how File Anti-Virus will defend your computer. The settings can be broken down into the following groups: • Settings that define what file types (see 7.2.1 on pg. 84) are to be scanned for viruses • Settings that define the scope of protection (see 7.2.2 on pg. 87) • Settings that define how the program responds to dangerous objects (see 7.2.5 on pg. 91) • Additional File Anti-Virus settings (see 7.2.3 on pg. 88). The following sections will examine these groups in detail. 7.2.1 Defining the file types to be scanned. When you select file types to be scanned, you establish what file formats, sizes, and what drives will be scanned for viruses when opened, executed, or saved. To make configuration easier, all files are divided into two groups: simple and compound. Simple files, for example txt files, do not contain
280. rity main window. After selecting a section or component in the left part of the window, you will find information in the right-hand part that matches your selection.

We will now examine the elements in the main window's navigation panel in greater detail.

Main window section: Protection (File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, Proactive Defense, Anti-Spy, Anti-Hacker, Anti-Spam)
Purpose: This window mostly informs you of the protection status of your computer. The Protection section is designed for exactly that. To view general information about Kaspersky Internet Security operation, review general program statistics, and make sure that all protection components are running correctly, select the Protection section from the navigation pane. To view statistics and settings for a specific protection component, you need only select the name of the component about which you want information in the Protection section.

Main window section: Scan (Critical areas, My Computer, Startup objects)
Purpose: To scan your computer for malicious files or programs, use the special Scan section in the main window. This section contains a list of objects that can be scanned for viruses. The commonest and most important tasks are included in the section. These include virus scan tasks for critical areas, for startup programs, and a full computer scan.

Main window section: Service
Purpose: The Service section includes additional Kas
281. rkstation and Linux
• File servers running Microsoft Windows NT 4.0 Server, Microsoft Windows 2000/2003 Server/Advanced Server, Microsoft Windows 2003 Server, Novell Netware, FreeBSD and OpenBSD, Linux, Samba file storage
• Email systems, including Microsoft Exchange 2000/2003, Lotus Notes/Domino, Postfix, Exim, Sendmail, and Qmail
• Internet gateways: CheckPoint Firewall-1, Microsoft ISA Server 2004 Standard Edition

The Kaspersky Anti-Virus Business Optimal distribution kit includes Kaspersky Administration Kit, a unique tool for automated deployment and administration. Depending on the type of distribution kit

You are free to choose from any of these anti-virus applications, according to the operating systems and applications you use.

Kaspersky Corporate Suite

This package provides corporate networks of any size and complexity with comprehensive, scalable anti-virus protection. The package components have been developed to protect every tier of a corporate network, even in mixed computer environments. Kaspersky Corporate Suite supports the majority of operating systems and applications installed across an enterprise. All package components are managed from one console and have a unified user interface. Kaspersky Corporate Suite delivers a reliable, high-performance protection system that is fully compatible with the specific needs of your network configuration. Kaspersky
282. rosoft Windows attacks are based on taking advantage of vulnerabilities in software installed on the computer (for example, programs such as Microsoft SQL Server, Microsoft Internet Explorer, Messenger, and system components that can be accessed through the network: DCom, SMB, Wins, LSASS, IIS5).

Anti-Hacker protects your computer from attacks that use the following known software vulnerabilities (this list of vulnerabilities is cited with the Microsoft Knowledge Base numbering system):
• MS03-026: DCOM RPC Vulnerability (Lovesan worm)
• MS03-043: Microsoft Messenger Service Buffer Overrun
• MS03-051: Microsoft Frontpage 2000 Server Extensions Buffer Overflow
• MS04-007: Microsoft Windows ASN.1 Vulnerability
• MS04-031: Microsoft NetDDE Service Unauthenticated Remote Buffer Overflow
• MS04-032: Microsoft Windows XP Metafile (.emf) Heap Overflow
• MS05-011: Microsoft Windows SMB Client Transaction Response Handling
• MS05-017: Microsoft Windows Message Queuing Buffer Overflow Vulnerability
• MS05-039: Microsoft Windows Plug-and-Play Service Remote Overflow
• MS04-045: Microsoft Windows Internet Naming Service (WINS) Remote Heap Overflow
• MS05-051: Microsoft Windows Distributed Transaction Coordinator Memory Modification

In addition, there are isolated incidents of intrusion attacks using various malicious scripts, including scripts processed by Microsoft Internet Explorer and Helkern-type worms. The essence of this atta
283. rotection level is set to Recommended. You can raise or lower the security level by selecting the level you want or editing the settings for the current level.

To edit the security level: Adjust the sliders. By altering the security level, you define the ratio of scan speed to the total number of objects scanned: the fewer objects are scanned for malicious code, the higher the scan speed.

If a preset level does not meet your needs, you can create a Custom security level. Let's look at an example of when such a level would be useful.

Example: Your computer connects to the Internet via a modem. It is not on a corporate LAN, and you have no anti-virus protection for incoming HTTP traffic. Due to the nature of your work, you regularly download large files from the Internet. Scanning files like these takes up, as a rule, a fair amount of time. How do you optimally protect your computer from infection through HTTP traffic or a script?

Tip for selecting a level: Judging from this basic information, we can conclude that your computer is running in a sensitive environment, and you are at high risk for infection through HTTP traffic, because there is no centralized web protection and due to the use of dial-up to connect to the Internet. It is recommended that you use High as your starting point, with the following changes: you are advised to limit the caching time for file fragments during the scan.

To modify a preinstalled security l
284. rus defense tools:
• anti-virus scanner that scans information (saved both in internal memory of PDA and smartphones or on memory cards of any type) on user demand
• anti-virus monitor to intercept viruses in files that are either copied from other handhelds or are transferred using HotSync technology

Kaspersky Security for PDA protects your handheld (PDA) from unauthorized intrusion by encrypting both access to the device and data stored on memory cards.

Kaspersky Anti-Virus Mobile

Kaspersky Anti-Virus Mobile provides antivirus protection for mobile devices running Symbian OS and Microsoft Windows Mobile. The program provides comprehensive virus scanning, including:
• on-demand scans of the mobile device's onboard memory, memory cards, an individual folder, or a specific file. If an infected file is detected, it is moved to Quarantine or deleted
• real-time protection: all incoming and outgoing files are automatically scanned, as well as files when attempts are made to access them
• scheduled scans of data stored in the mobile device's memory
• protection from SMS and MMS spam

Kaspersky Anti-Virus Business Optimal

This package provides a unique configurable security solution for small and medium-sized corporate networks. Kaspersky Anti-Virus Business Optimal guarantees full-scale anti-virus protection for:
• Workstations running Microsoft Windows 98/ME, Microsoft Windows NT/2000/XP Wo
285. ruses as a starting point.

To assign global scan settings for all tasks:
1. Select the Scan section in the left-hand part of the main program window and click Settings.
2. In the settings window that opens, configure the scan settings: Select the security level (see 14.4.1 on pg. 191), configure advanced level settings, and select an action (see 14.4.4 on pg. 195) for objects.
3. To apply these new settings to all tasks, click the Apply button in the Other scan tasks section. Confirm the global settings that you have selected in the popup dialogue box.

CHAPTER 15. TESTING KASPERSKY INTERNET SECURITY FEATURES

After installing and configuring Kaspersky Internet Security, we recommend that you verify that settings and program operation are correct using a test virus and variations of it.

15.1. The EICAR test virus and its variations

The test virus was specially developed by eicar (The European Institute for Computer Antivirus Research) for testing antivirus functionality. The test virus IS NOT A VIRUS and does not contain program code that could damage your computer. However, most antivirus programs will identify it as a virus. Never use real viruses to test the functionality of an antivirus!

You can download the test virus from the official EICAR website: http://www.eicar.org/anti_virus_test_file.htm. The file that you downloaded from the EICAR website contains the body of a standard test virus. Kaspersky Int
286. s 209
• The source from which the updates are downloaded and installed (see 16.4.1 on pg. 209)
• The run mode for the updating procedure (see 16.4.2 on pg. 211)
• Which objects are updated
• What actions are to be performed after updating is complete (see 16.4.4 on pg. 215)

The following sections examine these aspects in detail.

16.4.1. Selecting an update source

The update source is where you download updates for the threat signatures and Kaspersky Internet Security application modules. You can use the following as update sources:
• Kaspersky Lab's update servers: special web sites containing available updates for the threat signatures and application modules for all Kaspersky Lab products
• FTP or HTTP server or local or network folder: local server or folder that contains the latest updates

If you cannot access Kaspersky Lab's update servers (for example, you have no Internet connection), you can call the Kaspersky Lab main office at 7 495 797 87 00 to request contact information for Kaspersky Lab partners, who can provide zipped updates on floppy disks or CDs.

Warning! When requesting updates on removable media, please specify whether you want to have the updates for application modules as well.

You can copy the updates from a disk and upload them to an FTP or HTTP site, or save them in a local or network folder. Select the update source on the Update Sources tab (see fig. 72). The default opti
287. s Subscription Form you consent to the terms of the Kaspersky Lab Privacy Policy, which is deposited on www.kaspersky.com/privacy, and you explicitly consent to the transfer of data to other countries outside your own as set out in the Privacy Policy.

(iii) Support Services will terminate unless renewed annually by payment of the then-current annual support charge and by successful completion of the Support Services Subscription Form again.

(iv) "Support Services" means:
(a) Hourly updates of the anti-virus database;
(b) Updates of network attacks database;
(c) Updates of anti-spam database;
(d) Free software updates, including version upgrades;
(e) Technical support via Internet and hot phone-line provided by Vendor and/or Reseller;
(f) Virus detection and disinfection updates in 24-hours period.

(v) Support Services are provided only if and when you have the latest version of the Software (including maintenance packs) as available on the official Kaspersky Lab website (www.kaspersky.com) installed on your computer.

3. Ownership Rights. The Software is protected by copyright laws. Kaspersky Lab and its suppliers own and retain all rights, titles, and interests in and to the Software, including all copyrights, patents, trademarks, and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer any title to the intellectual property in
288. s and sends them your registration data (the activation code and personal information) for inspection. If the activation code passes inspection, the Wizard receives a license key file. If you install the demo version of the program, the Setup Wizard will receive a trial key file without an activation code. The file received will be installed automatically, and you will see an activation completion window with detailed information on the license. If the activation code does not pass inspection, an information message will be displayed on the screen. If this occurs, contact the software vendors from whom you purchased the program for more information.

3.2.2.4. Selecting a license key file

If you have a license key file for Kaspersky Internet Security 6.0, the Wizard will ask if you want to install it. If you do, use the Browse button and select the file path for the file with the .key extension in the file selection window. After you have successfully installed the key, you will see information about the license in the lower part of the window: name of the person to whom the software is registered, license number, license type (full, beta-testing, demo, etc.), and the expiration date for the license.

3.2.2.5. Completing program activation

The Setup Wizard will inform you that the program has been successfully activated. It will also display information on the license key installed: name of the person t
289. s frequently
• Your computer loads programs slowly
• You cannot boot up the operating system
• Files and folders disappear or their contents are distorted
• The hard drive is frequently accessed (the light blinks)
• The web browser (e.g., Microsoft Internet Explorer) freezes or behaves unexpectedly (for example, you cannot close the program window)

In 90% of cases, these indirect symptoms are caused by malfunctions in hardware or software. Despite the fact that such symptoms rarely indicate infection, we recommend that, upon detecting them, you run a complete scan of your computer (see 5.2 on pg. 58) with the settings at the recommended level.

1.5. What to do if you suspect infection

If you notice that your computer is behaving suspiciously:
1. Don't panic! This is the golden rule: it could save you from losing important data, and from a lot of needless worry.
2. Disconnect your computer from the Internet or local network, if it is on one.
3. If the computer will not boot from the hard drive (the computer displays an error message when you turn it on), try booting in safe mode or with the emergency Microsoft Windows boot disk that you created when you installed the operating system.
4. Before doing anything else, back up your work on removable storage media (floppy, CD/DVD, flash drive, etc.).
5. Install Kaspersky Internet Security, if you have not done so already. See section Chapt
290. s no one's property and has no geographical borders. In many ways, this has promoted the development of web resources and the exchange of information. Today, anyone can access data on the Internet or create their own webpage. However, these very features of the worldwide web give hackers the ability to commit crimes on the Internet, and make the hackers difficult to detect and punish.

Hackers place viruses and other malicious programs on Internet sites and disguise them as useful freeware. Furthermore, scripts that run automatically when you open a webpage can execute dangerous actions on your computer, including modifying the system registry, stealing personal data, and installing malicious software.

By using network technologies, hackers can attack remote PCs and company servers. These attacks can cause parts of your system to malfunction, or could provide hackers with complete access to your system and thereby to the information stored on it. They can also use it as part of a zombie network.

Lastly, since it became possible to use credit cards and e-money through the Internet in online stores, auctions, and bank homepages, online scams have become increasingly common.

Intranet Email

Your intranet is your internal network, specially designed for handling information within a company or a home network. An intranet is a unified space for storing, exchanging, and accessing information for all the c
291. s of all malicious programs, threats, and network attacks known to date, with methods for neutralizing them. After the analysis, there are three available courses of action:
a. If malicious code is detected in the file, File Anti-Virus blocks the file, places a copy of it in Backup, and attempts to disinfect the file. If the file is successfully disinfected, it becomes available again. If not, the file is deleted.
b. If code is detected in a file that appears to be malicious, but there is no guarantee, the file is subject to disinfection and is sent to Quarantine.
c. If no malicious code is discovered in the file, it is immediately restored.

7.1. Selecting a file security level

File Anti-Virus protects files that you are using at one of the following levels (see fig. 17):
• High: the level with the most comprehensive monitoring of files opened, saved, or run.
• Recommended: Kaspersky Lab recommends this settings level. It will scan the following object categories:
  • Programs and files by contents
  • New objects and objects modified since the last scan
  • Embedded OLE objects
• Low: level with settings that let you comfortably use applications that require significant system resources, since the scope of files scanned is reduced.

Figure 17. File Anti-Virus security level

The default setting for
292. s that will be updated:
• Threat signatures
• Network drivers that enable protection components to intercept network traffic
• Network attack databases used by Anti-Hacker
• Program modules

The threat signatures, network drivers, and network attack database are always updated, whereas the application modules are updated only if the corresponding mode is selected.

Figure 73. Selecting update objects

If you want to download and install updates for program modules: Check Update program modules in the Settings dialog box of the Update service. If there are currently program module updates on the update source, the program will download the updates it needs and apply them after the computer restarts. The module updates will not be installed until the computer is restarted. If the next program update occurs before the computer is restarted and before the previous program module updates were installed, only the threat signatures will be updated.

Update method (see fig. 74) defines how the Updater is started. You can select one of these methods:

Automatically. Kaspersky Internet Security checks the update source for update packages at specified intervals (see 16.4.1 on pg. 208). When the program detects fresh updates, it downloads them and installs them on the computer. This mode is used by default. If you have a dialup Internet connection and a netw
293. s used by this process from scanning, add Notebook to the trusted applications list. However, the executable file and the trusted application process will be scanned for viruses as before. To fully exclude the application from scanning, you must use exclusion rules (see 6.3.1 on pg. 69).

In addition, some actions classified as dangerous are perfectly normal features for a number of programs. For example, keyboard layout toggling programs regularly intercept text entered on your keyboard. To accommodate such programs and stop monitoring their activity, you are advised to add them to the trusted application list.

Excluding trusted applications can also solve potential compatibility conflicts between Kaspersky Internet Security and other applications (for example, network traffic from another computer that has already been scanned by the anti-virus application) and can boost computer productivity, which is especially important when using server applications.

By default, Kaspersky Internet Security scans objects opened, run, or saved by any program process and monitors the activity of all programs and the network traffic they create.

You can create a list of trusted applications on the special Trusted Applications tab (see Figure 12). By default, this contains a list of applications that will not be monitored, based on Kaspersky Lab recommendations, when you install Kaspersky Internet Security. If you do not trus
294. s using a threat signature database that is regularly updated.
• Proactive: in contrast to reactive protection, this method is not based on analyzing code but on the system's behavior. This method is aimed at detecting new threats that are still not defined in the signatures.

By employing both methods, Kaspersky Internet Security provides comprehensive protection for your computer from both known and new threats.

1.4. Signs of Infection

There are a number of signs that a computer is infected. The following events are good indicators that a computer is infected with a virus:
• Unexpected messages or images appear on your screen, or you hear unusual sounds
• The CD/DVD-ROM tray opens and closes unexpectedly
• The computer arbitrarily launches a program without your assistance
• Warnings pop up on the screen about a program attempting to access the Internet, even though you initiated no such action

There are also several typical traits of a virus infection through email:
• Friends or acquaintances tell you about messages from you that you never sent
• Your inbox houses a large number of messages without return addresses or headers

It must be noted that these signs can arise from causes other than viruses. For example, in the case of email, infected messages can be sent with your return address but not from your computer.

There are also indirect indications that your computer is infected:
• Your computer freezes or crashe
295. se in the performance of any protection component, be sure to check its status. If the component status is not running or running (subsystem malfunction), try restarting the program. If the problem is not solved after restarting the program, we recommend correcting potential errors using the application restore feature (Start → Programs → Kaspersky Internet Security 6.0 → Modify, restore, or remove). If the application restore procedure does not help, contact Kaspersky Lab Technical Support. You may need to save a report on component operation or the entire application to file and send it to Technical Support for further study.

To save the report to file:
1. Select the component in the Protection section of the main window of the program and left-click anywhere in the Statistics box.
2. Click the Save As button and, in the window that opens, specify the file name for the component's performance report.

To save a report for all Kaspersky Internet Security components at once (protection components, virus scan tasks, support features):
1. Select the Protection section in the main window of the program and left-click anywhere in the Statistics box, or click All reports in the report window for any component. Then the Reports tab will list reports for all program components.
2. Click the Save As button and, in the window that opens, specify a file name for the program's performance report.

CHAP
296. sed on the Bayes theorem, analyzes email text to detect phrases that mark it as spam. The analysis uses the statistics obtained by training Anti-Spam (see 13.2 on pg. 167).
• GSG, which analyzes graphic elements in emails using special graphic signatures to detect spam in graphics.
• PDB, which analyzes email headers and classifies them as spam based on a set of heuristic rules.

By default, all of these filtration technologies are enabled, checking email for spam as completely as possible.

To disable any of these filtration technologies:
1. Open the Anti-Spam settings window with the Settings link in the main window.
2. Click on the Customize button in the Sensitivity section, and in the window that opens, select the Spam recognition tab (see fig. 57).

Figure 57. Configuring spam recognition

3. Uncheck the boxes next to the filtration technologies that you do not want to use for detecting spam.

13.3.3. Defining spam and potential spam factors

Kaspersky Lab spec
297. … 197
14.4.6. Setting up global scan settings for all tasks 199
CHAPTER 15. TESTING KASPERSKY INTERNET SECURITY FEATURES 200
15.1. The EICAR test virus and its variations 200
15.2. Testing File Anti-Virus 202
15.3. Testing Virus scan tasks 203
CHAPTER 16. PROGRAM UPDATES 205
16.1. Starting the Updater 206
16.2. Rolling back to the previous update 207
16.3. Creating Update tasks 207
16.4. Configuring Update settings 208
16.4.1. Selecting an update source 209
16.4.2. Selecting an update method and what to update 211
16.4.3. Configuring connection settings 213
16.4.4. Update distribution 215
16.4.5. Actions after updating the program 217
CHAPTER 17. ADVANCED OPTIONS 218
17.1. Quarantine for potentially infecte
298. ser. News Agent is a stand-alone Microsoft Windows application, which can be used independently or may be bundled with various integrated solutions offered by Kaspersky Lab Ltd.

Kaspersky OnLine Scanner

The program is a free service offered to visitors to Kaspersky Lab's corporate website. The service allows an efficient online anti-virus scan of your computer. The Kaspersky OnLine Scanner runs directly in your web browser. Thus, users can quickly test their computers if they suspect a malicious infection. Using the service, visitors can:
• Exclude archives and email databases from scanning
• Select standard/extended anti-virus databases for scanning
• Save a report on the scanning results in txt or html formats

Kaspersky OnLine Scanner Pro

The program is a subscription service offered to visitors to Kaspersky Lab's corporate website. The service allows an efficient online anti-virus scan of your computer and disinfection of dangerous files. Kaspersky OnLine Scanner Pro runs directly in your web browser. Using the service, visitors can:
• Exclude archives and email databases from scanning
• Select standard/extended anti-virus databases for scanning
• Save a report on the scanning results in txt or html formats

Kaspersky Security for PDA

Kaspersky Security for PDA provides reliable anti-virus protection for data stored on various types of hand-held computers and smartphones. The program includes an optimal set of anti-vi
299. ser friendly interface to manage the program. It can be divided into two parts:
• the left part of the window, the navigation panel, guides you quickly and easily to any component, virus scan task performance, or the program's support tools;
• the right part of the window, the information panel, contains information on the protection component selected in the left part of the window and displays settings for each of them, giving you tools to carry out virus scans, work with quarantined files and backup copies, manage license keys, and so on.

Figure 2. Kaspersky Internet Secu
300. ses all the drives on your computer, etc. You can add to the list, select files to be scanned, and start virus scans.

Update - download updates to program modules and threat signatures and install them on your computer.

Network Monitor - view the list of network connections established, open ports, and traffic.

Block network traffic - temporarily block all the computer's network connections. When you select this item from the menu, the Anti-Hacker security level (see 12.1 on pg. 144) will change to Block all. If you want to allow the computer to interact with the network, select this item from the context menu again.

Activate - activate the program. This menu item is only available if the program is not activated.

Settings - view and configure settings for Kaspersky Internet Security.

Open Kaspersky Internet Security - open the main program window (see 4.3 on pg. 47).

Pause Protection / Resume Protection - temporarily disable or enable protection components (see 2.2.1 on pg. 24). This menu item does not affect program updates or virus scan tasks.

Exit - close Kaspersky Internet Security.

If a virus search task is running, the context menu will display its name with a percentage progress meter. By selecting the task, you can open the report window to view current performance results.

4.3. Main program window

The Kaspersky Internet Security main window (see fig. 2) provides you with a straightforward u
301. st. If a disinfected file contains important information which is partially or fully corrupted, you can attempt to restore the original object from a backup copy.

A backup copy is a copy of the original dangerous object that is created before the object is disinfected or deleted. It is saved in Backup. Backup is a special storage area that contains backup copies of dangerous objects. Files in backup are saved in a special format and are not dangerous.

17.2.1. Actions with backup copies

The total number of backup copies of objects in Backup is displayed in the Data files in the Service section of the application's main window. In the right-hand part of the screen, the Backup section displays:
• the number of backup copies of objects created by Kaspersky Internet Security
• the current size of Backup

Here you can delete all the copies in Backup with the Clean up button. Note that in doing so, the Quarantine objects and report files will also be deleted.

To access dangerous object copies: Left-click anywhere in the Backup box to open the Protection window, which summarises protection given by the application. A list of backup copies is displayed in the Backup tab (see fig. 79). The following information is displayed for each copy: the full path and filename of the object, the status of the object assigned by the scan, and its size.
302. stest source.
• You can choose not to use a proxy server, by downloading program updates from a local source. This noticeably reduces the traffic on the proxy server.
• The program has an update rollback feature that can return to the previous version of the signatures if, for example, the threat signatures are damaged or there is an error in copying.
• A feature has been added for distributing updates to a local folder to give other network computers access to them, to save bandwidth.

2.2. The elements of Kaspersky Internet Security Defense

Kaspersky Internet Security protection is designed with the sources of threats in mind. In other words, a separate program component deals with each threat, monitoring it and taking the necessary action to prevent malicious effects of that threat on the user's data. This setup makes the system flexible, with easy configuration options for all of the components that fit the needs of a specific user or business as a whole.

Kaspersky Internet Security includes:
• Protection Components (see 2.2.1 on pg. 24) that comprehensively defend all channels of data transmission and exchange on your computer.
• Virus Scan Tasks (see 2.2.2 on pg. 26) that virus-check the computer's memory and file system, as individual files, folders, disks, or regions.
• Support Tools (see 2.2.3 on pg. 27) that provide support for the program and extend its functionality.

2.2.1. Protection
303. t Complete uninstall. To save data, select save application objects and specify which objects not to delete from this list:
- Activation data: license key or program activation code.
- Threat signatures: complete set of signatures of dangerous programs, virus and other threats, current as of the last update.
- Anti-Spam knowledge base: database used to detect junk email. This database contains detailed information on what email is spam and what is not.
- Backup files: backup copies of deleted or disinfected objects. You are advised to save these in case they can be restored later.
- Quarantine files: files that are potentially infected by viruses or modifications of them. These files contain code that is similar to code of a known virus, but it is difficult to determine if they are malicious. You are advised to save them, since they could actually not be infected, or they could be disinfected after the threat signatures are updated.
- Application settings: configurations for all program components.
- iSwift data: database with information on objects scanned on NTFS file systems, which can increase scan speed. When it uses this database, Kaspersky Internet Security only scans the files that have been modified since the last scan.

Warning: If a long period of time elapses between uninstalling one version of Kaspersky Internet Security and installing ano
304. t, when you do so the name of the object will be dimmed, and click the Delete button. You can temporarily disable scanning for individual objects for any task without deleting them from the list. To do so, uncheck the object that you do not want scanned. To start a scan task, click the Scan button or select Start from the menu that opens when you click the Actions button. In addition, you can select an object to be scanned with the standard tools of the Microsoft Windows operating system, for example in the Explorer program window or on your Desktop (see fig. 65). To do so, select the object, open the Microsoft Windows context menu by right-clicking, and select Scan for viruses.

Figure 65. Scanning objects from the Windows context menu

14.3 Creating virus scan tasks

To scan objects on your computer for viruses, you can use built-in scan tasks included with the program and create your own tasks. New scan tasks are created using existing tasks as a template.

To create a new virus scan task:
1. Select the task with the settings closest to those you need in the Scan section of the main program window.
2. Open the context menu by right-clicking on the task name, or click the Actions button to the right of the scan object list, and select Save as.
3. En
305. t allows that process to establish connections on port 80. However, when Kaspersky Internet Security intercepts the connection query initiated by iexplorer.exe on port 80, it transfers it to avp.exe, which in turn attempts to establish a connection with the web page independently. If there is no allow rule for avp.exe, the firewall will block that query. The user will then be unable to access the webpage.

17.8 Checking your SSL connection

Connecting using SSL protocol protects data exchange through the Internet. SSL protocol can identify the parties exchanging data using electronic certificates, encrypt the data being transferred, and ensure their integrity during the transfer. These features of the protocol are used by hackers to spread malicious programs, since most antivirus programs do not scan SSL traffic. Kaspersky Internet Security 6.0 has the option of scanning SSL traffic for viruses.

When an attempt is made to connect securely to a web resource, a notification will appear on screen (see fig.) prompting the user for action. The notification contains information on the program initiating the secure connection, along with the remote address and port. The program asks you to decide whether that connection should be scanned for viruses:
- Process: scan traffic for viruses when connecting securely to the website. We recommend that you always scan SSL traffic if you are using a suspicio
306. t an application on the list, deselect the corresponding checkbox. You can edit the list using the Add, Edit and Delete buttons on the right.

Figure 12. Trusted application list

To add a program to the trusted application list:
1. Click the Add button on the right-hand part of the window.
2. In the Trusted Applications window (see fig. 13) that opens, select the application using the Browse button. A context menu will open, and by clicking Browse you can go to the file selection window and select the path to the executable file, or by clicking Applications you can go to a list of applications currently running and select them as necessary.

[Screenshot: Trusted application window, with the options Do not scan opened files, Do not restrict application activity, Do not restrict registry access, Do not scan network traffic]
307. t and click the Actions Unblock button.

Figure 93. Blocked host list

17.3.14 The Application Activity tab

If Kaspersky Internet Security is using the Firewall, all applications with actions that match rules for applications and were logged during the current session of the program are listed on the Application Activity tab (see fig. 94).

Figure 94. Monitored application activity

Activity is only recorded if Log event is checked in the rule. It is deselected by default in application rules included with Kaspersky Internet Security. This tab displays the basic properties of each application (name, PID, rule name) and a brief summary of its activity (protocol, packet direction, etc.). Information is also listed about whether the application's activity
308. t contains rules by default for actions that Kaspersky Lab classifies as dangerous. The actions of dangerous macros include, for example, embedding modules in programs and deleting files. If you do not consider one of the suspicious actions indicated in the list dangerous, deselect the checkbox next to its name. For example, you might frequently use macros to open files not as read-only, and you are positive that this operation is not malicious.

Figure 37. Configuring Office Guard settings (macro commands listed in the window: Import module, Export module, Copy project items, Copy modules Word MacroCopy, Microsoft Office Excel sheet copy, Add module, Delete module, Delete project items, Rename project items, Create event procedure, Add code to module, Insert code in module from file; Action: Prompt for action, Terminate)

For Kaspersky I
309. t match Anti-Hacker packet filtering rules.
- The Established Connections, Open Ports and Traffic tabs also cover network activity on your computer, displaying currently established connections, open ports, and the amount of network traffic your computer has sent and received.

You can export the entire report as a text file. This feature is useful when an error has occurred which you cannot eliminate on your own and you need assistance from Technical Support. If this happens, the report must be sent as a .txt file to Technical Support so that our specialists can study the problem in detail and solve it as soon as possible.

To export a report as a text file: Click Save as and specify where you want to save the report file. After you are done working with the report, click Close.

There is an Actions button on all the tabs except Settings and Statistics, which you can use to define responses to objects on the list. When you click it, a context-sensitive menu opens with a selection of these menu items (the menu differs depending on the component; all the possible options are listed below):
- Disinfect: attempts to disinfect a dangerous object. If the object is not successfully disinfected, you can leave it on this list to scan later with updated threat signatures, or delete it. You can apply this action to a single object on the list or to several selected objects.
- Discard: deletes record of detecting the object from the report.
- Add
310. Figure 11. Creating an exclusion rule from a report

6.3.2 Trusted applications

You can only exclude trusted applications from the scan in Kaspersky Internet Security if installed on a computer running Microsoft Windows NT 4.0/2000/XP/Vista.

Kaspersky Internet Security can create a list of trusted applications that need not have their file and network activity monitored, suspicious or otherwise. For example, you feel that objects and processes used by Windows Notepad are safe and do not need to be scanned. To exclude object
311. tart your computer. After restarting your computer, we recommend running a full virus scan. To use Advanced Disinfection Technology, check Apply Advanced Disinfection Technology.

To enable/disable advanced disinfection technology: Select the Protection section of the main program window and click the Settings link. Configure power settings in the Advanced box (see fig. 16).

CHAPTER 7. FILE ANTI-VIRUS

The Kaspersky Internet Security component that protects your computer files against infection is called File Anti-Virus. It loads when you start your operating system, runs in your computer's RAM, and scans all files opened, saved, or executed. The component's activity is indicated by the Kaspersky Internet Security system tray icon, which changes whenever a file is being scanned.

File Anti-Virus by default scans only new or modified files, that is, only files that have been added or changed since the previous scan. Files are scanned with the following algorithm:
1. The component intercepts attempts by users or programs to access any file.
2. File Anti-Virus scans the iChecker and iSwift databases for information on the file intercepted. A decision is made whether to scan the file based on the information retrieved.

The scanning process includes the following steps:
1. The file is analyzed for viruses. Malicious objects are detected by comparison with the program's threat signatures, which contain description
312. Figure 48. Creating a new application rule

Step One:
- Enter a name for the rule. The program uses a default name that you should replace.
- Select network connection settings for the rule: remote address, remote port, local address, and the time that the rule was applied. Check all the settings that you want to use in the rule.
- Configure settings for user notifications. If you want a popup message with a brief commentary to appear on the screen when a rule is used, check Display warning. If you want the program to record invocations of the rule in the Anti-Hacker report, check Log event. The box is not checked by default when the rule is created. You are advised to use additional settings when creating block rules.

Note that when you create a blocking rule in Anti-Hacker training mode, information about the rule being applied will automatically be entered in the report. If you do not need to record this information, deselect the Log event checkbox in the settings for that rule.

Step Two in creating a rule is assigning values for rule parameters and selecting actions. These operations are carried out in the Rule Description section.
1. The default action of every new rule is allow. To change it to a block rule, left-click on the Allow link
313. tch the masks from the standard list, check Use heuristic analysis methods. Then the application will analyze the images loaded for signs typical of banner ads. Pursuant to this analysis, the image might be identified as a banner and blocked. You can also create your own lists of allowed and blocked banners. You can do so on the White list and Black list tabs.

11.1.2.2 Banner ad white lists

You can create a banner ad white list to allow certain banners to be displayed. This list contains masks for allowed banner ads.

To add a new mask to the white list:
1. Open the Kaspersky Internet Security settings window and select Anti-Spy in the settings tree.
2. Click the Settings button in the Anti-Banner section.
3. Open the White list tab.

Add the allowed banner mask with the Add button. You can either specify the whole or a partial URL for the banner, or mask. In the latter case, when a banner attempts to load, the program will scan its address for the mask. When creating a mask, you can use the wildcards * or ?, where * represents a sequence of characters and ? any one character.

To stop using a mask that you created, you can either delete it from the list or uncheck the box next to it. Then banners that fall under this mask will revert to being blocked. Using the Import and Export buttons, you can copy the list of allowed banners from one computer to another.

11.1.2.3 B
314. tection is not running (pg. 61)
CHAPTER 6. PROTECTION MANAGEMENT SYSTEM (pg. 63)
6.1 Stopping and resuming protection on your computer (pg. 63)
6.1.1 Pausing protection
6.1.2 Stopping protection
6.1.3 Pausing / stopping protection components, virus scans and update tasks (pg. 65)
6.1.4 Restoring protection on your computer (pg. 66)
6.1.5 Shutting down the program (pg. 67)
6.2 Types of programs to be monitored (pg. 67)
6.3 Creating a trusted zone (pg. 68)
6.3.1 Exclusion rules (pg. 69)
6.3.2 Trusted applications (pg. 74)
6.4 Starting virus scan and update tasks under another profile (pg. 77)
6.5 Configuring virus scan and update schedules (pg. 78)
6.6 Power options (pg. 80)
6.7 Advanced Disinfection Technology (pg. 81)
CHAPTER 7. FILE ANTI-VIRUS
315. Figure 82. List of detected dangerous objects

Dangerous objects detected by Kaspersky Internet Security are processed using the Disinfect button (for one object or a group of selected objects) or Disinfect all (to process all the objects on the list). When each object is processed, a notification will be displayed on the screen, where you must decide what actions will be taken next. If you check Apply to all in the notification window, the selected action will be applied to all objects with the same status selected from the list before beginning processing.

17.3.3 The Events tab

This tab (see fig. 83) provides you with a complete list of all the important events in component operation, virus scans, and threat signature updates that were not overridden by an activity control rule (see 10.1.1 on pg. 119). These events can be:
- Critical events are events of a critical importance that point to problems in program operation or vulnerabilities on your computer. For example, virus detected, error in operation.
- Important events are events that must be investigated, since they reflect important situations in the operation of the program. For example, stopped.
- Informative messages
316. ter the name for the new task in the window that opens and click OK. A task with that name will then appear in the list of tasks in the Scan section of the main program window.

Warning: There is a limit to the number of tasks that the user can create. The maximum is four tasks.

The new task is a copy of the one it was based on. You need to continue setting it up by creating a scan object list (see 14.4.2 on pg. 192), setting up properties that govern the task (see 14.4.4 on pg. 195), and, if necessary, configuring a schedule (see 6.5 on pg. 78) for running the task automatically.

To rename a task: Select the task in the Scan section of the main program window. Right-click on the task's name to open the context menu, or click the Actions button on the right of the list of scan objects, and select Rename. Enter the new name for the task in the window that opens and click OK. The task name will also be changed in the Scan section.

To delete a task: Select the task in the Scan section of the main program window. Right-click on the task's name to open the context menu, or click the Actions button on the right of the list of scan objects, and select Delete. You will be asked to confirm that you want to delete the task. The task will then be deleted from the list of tasks in the Scan section.

Warning: You can only rename and delete tasks that you have created.
317. ternet Security will ask you after installation if you want to train Anti-Spam to differentiate between spam and accepted email. You can do this with special buttons that plug into your email client (Microsoft Office Outlook, Microsoft Outlook Express, The Bat) or using the special training wizard.

Warning: This version of Kaspersky Internet Security does not provide Anti-Spam plug-ins for the 64-bit mail clients Microsoft Office Outlook, Microsoft Outlook Express and The Bat.

To train Anti-Spam using the plug-in's buttons in the email client:
1. Open your computer's default email client (e.g. Microsoft Office Outlook). You will see two buttons on the toolbar: Spam and Accepted.
2. Select an accepted email, or group of emails that contains accepted email, and click Accepted. From this point onward, emails from the addresses in the emails from the senders you selected will never be processed as spam.
3. Select an email, a group of emails, or a folder of emails that you consider spam, and click Spam. Anti-Spam will analyze the contents of these emails, and in the future it will consider all emails with similar contents to be spam.

To train Anti-Spam using the Training Wizard:
1. Select Anti-Spam in the Protection section of the main program window and click Settings.
2. In the right-hand part of the settings window, click Training Wizard.
3. In step one, select folders from your email client that contain email that is not spa
318. tes of good email it can be deleted using the Delete button, or the box alongside the text can be unchecked to disable them. You have the option of importing CSV-formatted files for white list addresses.

13.3.4.2 Black lists for addresses and phrases

The sender black list stores key phrases from emails that constitute spam, and the addresses of their senders. The list is filled manually.

To fill the black list:
1. Select Anti-Spam in the Kaspersky Internet Security settings window.
2. Click the Settings button in the right-hand part of the settings window.
3. Open the Black list tab (see fig. 59).

The tab is divided into two sections: the upper portion contains the addresses of spam senders, and the lower contains key phrases from such emails. To enable phrase and address black lists during spam filtration, check the corresponding boxes in the Blocked senders and Blocked phrases sections.

Figure 59. Configuring address and phrase black lists

You can edit the lists using the buttons
319. the ACTIVATE command
- using a license key file (the ADDKEY command)

Command syntax:
ACTIVATE <activation_code>
ADDKEY <file_name>

Parameter description:
<activation_code>: Program activation code provided when you purchased it.
<file_name>: Name of the license key file with the extension .key.

Example:
avp.com ACTIVATE 00000000-0000-0000-0000-000000000000
avp.com ADDKEY 00000000.key

18.2 Managing program components and tasks

You can manage Kaspersky Internet Security components and tasks from the command prompt with these commands:
- START
- PAUSE
- RESUME
- STOP
- STATUS
- STATISTICS

The task or component to which the command applies is determined by its parameter. STOP and PAUSE can only be executed with the Kaspersky Internet Security password assigned in the program interface.

Command syntax:
avp.com <command> <profile|taskid>
avp.com STOP|PAUSE <profile|taskid> /password=<password>

One of the following values is assigned to <profile|taskid>: RTP (All protection components), FM (File Anti-Virus), ASPY, AH, AS, UPDATER, SCAN_OBJECTS, SCAN_MY_COMPUTER, SCAN_CRITICAL_AREAS, SCAN_STARTUP, <task name>.
Mail Anti-Virus Web Anti-Virus Proactive Defense Anti-Spy Anti-Hacker Anti-Spam Updater Virus s
320. the Transparency factor scale to the desired position. To remove message transparency, uncheck Enable semi-transparent windows. This option is not available if you are running the application under Microsoft Windows 98/NT 4.0/ME.

Use your own skins for the program interface. All the colors, fonts, icons, and texts used in the Kaspersky Internet Security interface can be changed. You can create your own graphics for the program, or can localize it in another language. To use a skin, specify the directory with its settings in the Skins folder field. Use the Browse button to select the directory. By default, the system colors and styles are used in the program's skin. You can remove them by deselecting Use system colors and styles. Then the styles that you specify in the screen theme settings will be used.

Note that modifications of Kaspersky Internet Security interface settings are not saved when default settings are restored or if the application is uninstalled.

17.10 Rescue Disk

Kaspersky Internet Security has a tool for creating a rescue disk. The rescue disk is designed to restore system functionality after a virus attack that has damaged system files and made the operating system impossible to start. This disk includes:
- Microsoft Windows XP Service Pack 2 system files
- A set of operating system diagnostic utilities
- Kaspersky Internet Security program files
- F
321. the application name and the command for starting it, whether to allow or block network activity, the data transfer protocol, the direction of data (inbound or outbound), and other information. Using the Add button you can create a new rule, and you can alter an existing rule by selecting it on the list and clicking the Edit button. You can also edit the basic settings in the lower part of the tab. You can change their relative priority with the Move up and Move down buttons.

12.2.1 Creating rules manually

To create an application rule manually:
1. Select the application. To do so, click the Add button on the Rules for Applications tab. From the context menu that opens, click Browse and select the executable file of the application for which you want to create a rule. A list of rules for the application selected will open. If rules for it already exist, they will all be listed in the upper part of the window. If no rules exist, the rules window will be empty. You can select an application later when configuring the conditions of the rule.
2. Click the Add button in the rules for applications window.

You can use the New rule window that opens to fine-tune a rule (see 12.6 on pg. 154).

12.2.2 Creating rules from template

Anti-Virus includes ready-made rule templates that you can use when creating your own rules. The entire gamut of existent network application can be broken down into several types: mail cl
322. the file C:\dir\test. If you do not want the program to scan files in the subfolders of this folder, uncheck Include subfolders when creating the mask.

3. Masks with relative file paths:
- dir\*.* or dir\* or dir\ : all files in all dir\ folders
- dir\test : all test files in dir\ folders
- dir\*.exe : all files with the extension .exe in all dir\ folders
- dir\*.ex? : all files with the extension .ex? in all C:\dir\ folders, where ? can represent any one character

If you do not want the program to scan files in the subfolders of this folder, uncheck Include subfolders when creating the mask.

Tip: *.* and * exclusion masks can only be used if you assign a classification excluded according to the Virus Encyclopedia. Otherwise the threat specified will not be detected in any objects. Using these masks without selecting a classification essentially disables monitoring. We also do not recommend that you select a virtual drive created on the basis of a file system directory using the subst command as an exclusion. There is no point in doing so, since during the scan the program perceives this virtual drive as a folder and consequently scans it.

A.3 Possible exclusion masks by Virus Encyclopedia classification

When adding threats with a certain status from the Virus Encyclopedia classification as exclusions, you can specify:
- the full name of the threat as given in the Virus Encyclopedia at
323. the scan.
- Malicious program status (for example, virus, Trojan; for more details, see 1.1 on pg. 11).
- Potentially infected, when the scan cannot determine whether the object is infected. This means that the program detected a sequence of code in the file from an unknown virus, or modified code from a known virus.

By default, when Mail Anti-Virus detects a dangerous or potentially infected object, it displays a warning on the screen and prompts the user to select an action for the object.

To edit an action for an object: Open the Kaspersky Internet Security settings window and select Mail Anti-Virus. All possible actions for dangerous objects are listed in the Action box (see fig. 28).

Figure 28. Selecting actions for dangerous email objects

Let's look at the possible options for processing dangerous email objects in more detail.

If the action selected was: Prompt for action
When a dangerous object is detected: Mail Anti-Virus will issue a warning message containing information about what malicious program has infected (potentially infected) the file, and gives you the choice of one of the following actions.

If the action selected was: Block access
When a dangerous object is detected: Mail Anti-Virus will block access to the object. Information about this is recorded in the report (see 17.3 on pg. 225). Later you can attempt to disinfect this
324. the way you want it at home, save those settings on a disk, and using the import feature load them on your computer at work. The settings are saved in a special configuration file.

To export the current program settings:
1. Open the Kaspersky Internet Security main window.
2. Select the Service section and click Settings.
3. Click the Save button in the Configuration Manager section.
4. Enter a name for the configuration file and select a save destination.

To import settings from a configuration file:
1. Open the Kaspersky Internet Security main window.
2. Select the Service section and click Settings.
3. Click the Load button and select the file from which you want to import Kaspersky Internet Security settings.

17.13 Resetting to default settings

It is always possible to return to the default program settings, which are considered the optimum and are recommended by Kaspersky Lab. This can be done using the Setup Wizard.

To reset protection settings:
1. Select the Service section and click Settings to go to the program configuration window.
2. Click the Reset button in the Settings Manager section.

The window that opens asks you to define which settings should be restored to their default values. The window lists the program components whose settings were changed by the user or that the program accumulated through training (Anti-Hacker or Anti-Spam). If special settings were created for any of the
325. ther, you are advised not to use the iSwift database from a previous installation. A dangerous program could penetrate the computer during this period and its effects would not be detected by the database, which could lead to an infection.

To start the operation selected, click the Next button. The program will begin copying the necessary files to your computer or deleting the selected components and data.

Step 3. Completing program modification, repair, or removal

The modification, repair, or removal process will be displayed on screen, after which you will be informed of its completion. Removing the program generally requires you to restart your computer, since this is necessary to account for modifications to your system. The program will ask if you want to restart your computer. Click Yes to restart right away. To restart your computer later, click No.

19.2 Uninstalling the program from the command prompt

To uninstall Kaspersky Internet Security from the command prompt, enter:
msiexec /x <package_name>

The installation wizard will open. You can use it to uninstall the application (see Chapter 19 on pg. 277). You can also use the commands given below.

To uninstall the application in the background without restarting the computer (the computer should be restarted manually after uninstalling), enter:
msiexec /x <package_name> /qn

To uninstall the application in the background and then restart the computer
326. til all the available update servers are attempted. Check Use proxy server if you are using a proxy server to access the Internet and, if necessary, select the following settings:
- Select the proxy server settings that will be used during updating:
  Automatically detect proxy server address. If you select this option, the proxy settings are detected automatically using WPAD (Web Proxy Auto-Discovery Protocol). If this protocol cannot detect the address, Kaspersky Internet Security will use the proxy server settings specified in Microsoft Internet Explorer.
  Use custom proxy settings. Use a proxy that is different from that specified in the browser connection settings. In the Address field, enter either the IP address or the symbolic name of the proxy server, and specify the number of the proxy port used to update the application in the Port field.
- Specify whether authentication is required on the proxy server. Authentication is the process of verifying user registration data for access control purposes. If authentication is required to connect to the proxy server, check Proxy requires authorization and specify the username and password in the fields below. In this event, first NTLM authentication and then BASIC authentication will be attempted. If this checkbox is not selected or if the data is not entered, NTLM authentication will be attempted using the user account used to start the update (see 6.4 on pg. 77). If the proxy ser
327. ting, stopping, pausing and resuming virus scans; obtaining information on the current status of components, tasks and statistics on them; scanning selected objects; updating threat signatures and program modules; accessing Help for command prompt syntax; accessing Help for command syntax. The command prompt syntax is: avp.com <command> [settings] The following may be used as <commands>: ACTIVATE: Activates application via Internet using an activation code. ADDKEY: Activates application using a license key file. START: Starts a component or a task. PAUSE: Pauses a component or a task. RESUME: Resumes a component or a task. STOP: Stops a component or a task. STATUS: Displays the current component or task status on screen. STATISTICS: Displays statistics for the component or task on screen. HELP: Help with command syntax and the list of commands. SCAN: Scans objects for viruses. UPDATE: Begins program update. ROLLBACK: Rolls back to the last program update made. EXIT: Closes the program (you can only execute this command with the password assigned in the program interface). IMPORT: Import Kaspersky Internet Security settings. EXPORT: Export Kaspersky Internet Security settings. Each command uses its own settings specific to that particular Kaspersky Internet Security component. 18.1 Activating the application. You can activate the program in two ways: via Internet using an activation code
328. tions 255; 17.11.1.1 Types of events and notification delivery methods 256; 17.11.1.2 Configuring email notification 258; 17.11.1.3 Configuring event log settings 259; 17.11.2 Self-Defense and access restriction 260; 17.11.3 Resolving conflicts between Kaspersky Internet Security and other programs 262; 17.12 Importing and exporting Kaspersky Internet Security settings 262; 17.13 Resetting to default settings 263; CHAPTER 18. WORKING WITH THE PROGRAM FROM THE COMMAND PROMPT 265; 18.1 Activating the application 266; 18.2 Managing program components and tasks 267; 18.3 Anti-Virus scans 268; 18.4 Program updates 272; 18.5 Rollback settings 273; 18.6 Exporting protection settings 273; 18.7 Importing settings 274; 18.8 Starting the program 275; 18.9 Stopping the program
329. to trusted zone: excludes the object from protection. A window will open with an exclusion rule for the object. Go to File: opens the folder where the object is located in Windows Explorer. Neutralize All: neutralizes all objects on the list. Kaspersky Internet Security will attempt to process the objects using threat signatures. Discard All: clears the report on detected objects. When you use this function, all detected dangerous objects remain on your computer. View on www.viruslist.ru: goes to a description of the object in the Virus Encyclopedia on the Kaspersky Lab website. Search www.google.com: find information on the object using this search engine. Search: enter search terms for objects on the list by name or status. In addition, you can sort the information displayed in the window in ascending and descending order for each of the columns by clicking on the column head. 17.3.1 Configuring report settings. To configure settings for creating and saving reports: 1. Open the Kaspersky Internet Security settings window by clicking Settings in the main program window. 2. Select Data files from the settings tree. Edit the settings in the Reports box (see fig. 81) as follows: Allow or disable logging informative events. These events are generally not important for security. To log events, check Log non-critical events. Choose only to report events that have occurre
330. ts with Kaspersky Internet Security when using other applications. To configure these features: 1. Open the program setup window with the Settings link in the main window. 2. Select Service from the settings tree. In the right-hand part of the screen you can define whether to use additional features in program operation. 17.11.1 Kaspersky Internet Security event notifications. Different kinds of events occur in Kaspersky Internet Security. They can be of an informative nature or contain important information. For example, an event can inform you that the program has updated successfully, or can record an error in a component that must be immediately eliminated. To receive updates on Kaspersky Internet Security operation, you can use the notification feature. Notices can be delivered in several ways: popup messages above the program icon in the system tray; sound messages; emails; logging events. To use this feature, you must: 1. Check Enable Notifications in the Interaction with user box (see fig. 106). [Figure 106: Enabling notifications] 2. Click on the Settings button to open the Notification settings window. 3. On the Events tab, define the event types from Kaspersky Internet Security for which you want notifications, and the notification delivery method (see 17.11.1.1 on pg. 256). 4. Click Email Settings to open Notific
331. ttempted to dial the number to connect to the Internet, and whether the attempt was blocked or allowed. [Figure 91: Dial attempt list] 17.3.12 The Network Attacks tab. This tab (see fig. 92) displays a brief overview of network attacks on your computer. This information is recorded if the Intrusion Detection System is enabled, which monitors all attempts to attack your computer. [Figure 92: List of blocked network attacks] The Network attacks tab lists the following information on attacks: source of the attack (this could be an IP address, host, etc.); local port on which the attack on the computer was attempted; brief description of the attack; the time when the attack was attempted. 17.3.13 The Banned Hosts tab. All hosts which have been blocked after an attack was detected by the Intrusion Detection System are listed on this report tab (see fig. 93). The name of each host and the time that it was blocked are shown. You can unblock a host on this tab. To do so, select the host on the lis
332. [Figure 30: Configuring Web Anti-Virus] Warning: If you encounter problems accessing resources like Internet radio, streaming video or Internet conferencing, use streaming scan. 9.2.2 Creating a trusted address list. You have the option of creating a list of trusted addresses whose contents you fully trust. Web Anti-Virus will not analyze data from those addresses for dangerous objects. This option can be used in cases where Web Anti-Virus repeatedly blocks the download of a particular file. To create a list of trusted addresses: 1. Click on the Customize button in the Web Anti-Virus configuration window. 2. In the window that opens (see fig. 30), create a list of trusted servers in the Trusted URLs section. To do so, use the buttons to the right of the list. When entering a trusted address, you can create masks with the following wildcards: * (any combination of characters). Example: If you create the mask *abc*, no URL containing abc will be scanned. For example: www virus com download_virus page 0 QYabcdef html ? (any single character). Example: If you create the mask Patch_123?.com, URLs containing that series of characters plus any single character following the 3 will not be scanned. For example: Patch_1234.com. Howeve
333. twork connection. We recommend that you only select this level in the event of a network attack or when using a dangerous network on an insecure connection. [Figure 44: Selecting an Anti-Hacker security level] High Security: passes only allowed network activity, using allow rules that either came with the program or that you created. The set of rules included with Kaspersky Internet Security includes allow rules for applications whose network activity is not suspicious and for data packets that are absolutely safe to send and receive. However, if there is a block rule with a higher priority than the allow rule, the program will block the network activity of that application. Warning: If you select this security level, any network activity not recorded in an Anti-Hacker allow rule will be blocked. Therefore, we recommend only using this level if you are certain that all the programs you need are allowed by the rules to make network connections and that you do not plan on installing new software. Training mode: protection level where Anti-Hacker rules are created. At this level, whenever a program attempts to use a network resource, Anti-Hacker checks to see if there is a rule for that connection. If there is a rule, Anti-Hacker applies it. If there is no rule a m
334. ty settings window from the main window (see 4.3 on pg. 47). To do so, click Settings in the upper part of it. The settings window (see fig. 3) is similar in layout to the main window: the left part of the window gives you quick and easy access to the settings for each of the program components, virus search tasks and program tools; the right part of the window contains a detailed list of settings for the item selected in the left part of the window. When you select any section, component or task in the left part of the settings window, the right part will display its basic settings. To configure advanced settings, you can open second- and third-level settings windows by clicking on the corresponding buttons. You can find a detailed description of program settings in the sections of the user guide. [Figure 3: Kaspersky Internet Security settings window]
335. u maximally protect your computer from infection through email. Tip for selecting a level: By analyzing your situation, one can conclude that you are at a high risk of infection through email in the scenario outlined (because there is no centralized email protection and through using a dial-up connection). You are advised to use High as your starting point, with the following changes: reduce the scan time for attachments to, for example, 1-2 minutes. The majority of archived attachments will be scanned for viruses and the processing speed will not be seriously slowed. To modify a preinstalled security level: Click the Customize button in the Mail Anti-Virus settings window. Edit the email protection settings in the window that opens and click OK. 8.2 Configuring Mail Anti-Virus. A series of settings govern how your email is scanned. The settings can be broken down into the following groups: settings that define the protected group (see 8.2.1 on pg. 97) of emails; email scan settings for Microsoft Office Outlook (see 8.2.2 on pg. 99) and The Bat! (see 8.2.3 on pg. 101). Warning: This version of Kaspersky Internet Security does not provide Mail Anti-Virus plug-ins for 64-bit mail clients; settings that define actions for dangerous email objects (see 8.2.4 on pg. 103). The following sections examine these settings in detail. 8.2.1 Selecting a protected email group. Mail Anti-Virus all
336. u modified the list of objects included in the protected zone when configuring File Anti-Virus settings, the program will ask you if you want to save that list for future use when you restore the initial settings. To save the list of objects, check Protected scope in the Restore Settings window that opens. 7.2.5 Selecting actions for objects. If File Anti-Virus discovers or suspects an infection in a file while scanning it for viruses, the program's next steps depend on the object's status and the action selected. File Anti-Virus can label an object with one of the following statuses: malicious program status (for example, virus, Trojan); potentially infected, when the scan cannot determine whether the object is infected. This means that the program detected a sequence of code in the file from an unknown virus or modified code from a known virus. By default, all infected files are subject to disinfection, and if they are potentially infected, they are sent to Quarantine. To edit an action for an object: select File Anti-Virus in the main window and go to the component settings window by clicking Settings. All potential actions are displayed in the appropriate sections (see fig. 23). [Figure 23: Possible File Anti-Virus actions with dangerous objects] If the action selected was When it detects a d
337. ubmit a bug report or a suggestion link. Technical support: If you need help with using Kaspersky Internet Security, click the link located in the Local Technical Support box. The Kaspersky Lab website will then open with information about how to contact our specialists. 17.7 Creating a monitored port list. Components such as Mail Anti-Virus, Web Anti-Virus, Anti-Spy and Anti-Spam monitor data streams that are transmitted using certain protocols and pass through certain open ports on your computer. Thus, for example, Mail Anti-Virus analyzes information transferred using SMTP protocol, and Web Anti-Virus analyzes information transferred using HTTP. The standard list of ports that are usually used for transmitting email and HTTP traffic is included in the program package. You can add a new port or disable monitoring for a certain port, thereby disabling dangerous object detection for traffic passing through that port. To edit the monitored port list, take the following steps: 1. Open the Kaspersky Internet Security settings window by clicking the Settings link in the main window. 2. Select Network settings in the Service section of the program settings tree. 3. In the right-hand part of the settings window, click Port settings. 4. Edit the list of the monitored ports in the window that opens (see fig. 103). [Figure 103: Port settings]
338. [Figure 38: Controlled registry key groups] You can create your own groups of monitored system registry files. To do so, click Add in the file group window. Take these steps in the window that opens: 1. Enter the name of the new file group for monitoring system registry keys in the Group name field. 2. Select the Keys tab and create a list of registry files that will be included in the monitored group (see 10.1.4.1 on pg. 130) for which you want to create rules. This could be one or several keys. 3. Select the Rules tab and create a rule for files (see 10.1.4.2 on pg. 131) that will apply to the keys selected on the Keys tab. You can create several rules and set the order in which they are applied. 10.1.4.1 Selecting registry keys for creating a rule. The file group created should contain at least one system registry file. The Keys tab provides a list of files for the rule. To add a system registry file: 1. Click on the Add button in the Edit group window (see fig. 39). 2. In the window that opens, select the registry file or folder of files for which you want to create the monitoring rule. 3. Specify the file or group of files to which you want the rule to apply in the Value field. 4. Check Including subkeys for the rule to apply to all files attac
339. uring virus outbreaks. In such situations, the threat signatures on Kaspersky Lab's update servers are updated immediately. Select the security settings recommended by Kaspersky Lab for your computer. You will be protected constantly from the moment the computer is turned on, and it will be harder for viruses to infect your computer. Select the settings for a complete scan recommended by Kaspersky Lab, and schedule scans for at least once per week. If you have not installed Anti-Hacker, we recommend that you do so to protect your computer when using the Internet. Rule No. 2: Use caution when copying new data to your computer. Scan all removable storage drives (for example, floppies, CD/DVDs and flash drives) for viruses before using them (see 5.4 on pg. 59). Treat emails with caution. Do not open any files attached to emails unless you are certain that you were intended to receive them, even if they were sent by people you know. Be careful with information obtained through the Internet. If any web site suggests that you install a new program, be certain that it has a security certificate. If you are copying an executable file from the Internet or local network, be sure to scan it with Kaspersky Internet Security. Use discretion when visiting web sites. Many sites are infected with dangerous script viruses or Internet worms. Rule No. 3: Pay close attention to information from Kaspersky Lab. In most cases, Kaspersky Lab announces a
340. urity ensures your computer's security against malicious programs, and because of that, it can itself be the target of malicious programs that try to block it or delete it from the computer. Moreover, several people may be using the same computer, all with varying levels of computer literacy. Leaving access to the program and its settings open could dramatically lower the security of the computer as a whole. To ensure the stability of your computer's security system, Self-Defense, remote access defense and password protection mechanisms have been added to the program. If you are running Kaspersky Internet Security under Microsoft Windows 98/ME, the application self-defense feature is not available. On computers running 64-bit operating systems and Microsoft Windows Vista, self-defense is only available for preventing the program's own files on local drives and system registry records from being modified or deleted. To enable Self-Defense: 1. Open the program settings window with the Settings link in the main window. 2. Select Service from the settings tree. Make the following configurations in the Self-Defense box (see fig. 109): Enable Self-Defense. If this box is checked, the program will protect its own files, processes in memory and entries in the system registry from being deleted or modified. Disable external service control. If this box is checked, any remote administration program attempting to use the program wi
341. us website, or if an SSL data transfer begins when you go to the next page. It is quite likely that this is a sign of a malicious program being transferred over secure protocol. Skip: continue secure connection with the website without scanning traffic for viruses. To apply the action selected in the future to all attempts to establish SSL connections, check Apply to all. [Figure 104: Notification on SSL connection detection] To scan encrypted connections, Kaspersky Internet Security replaces the security certificate requested with a certificate it signs itself. In some cases, programs that are establishing connections will not accept this certificate, resulting in no connection being established. We recommend disabling SSL traffic scanning in the following cases: When connecting to a trusted web resource, such as your bank's web page, where you manage your personal account. In this case, it is important to receive confirmation of the authenticity of the bank's certificate. If the program establishing the connection checks the certificate of the website being accessed. For example, MSN Messenger checks the authentic
342. using the Rescue Disk in such a case, you can boot your computer and restore the system to the condition prior to the malicious action. Support: All registered Kaspersky Anti-Virus users can take advantage of our technical support service. To learn where exactly you can get technical support, use the Support feature. Using these links, you can go to a Kaspersky Lab user forum and a list of frequently asked questions that may help you resolve your issue. In addition, by completing the form on the site, you can send Technical Support a message on the error or failure in the operation of the application. You will also be able to access Technical Support on-line, and, of course, our employees will always be ready to assist you with Kaspersky Internet Security by phone. 2.3 Hardware and software system requirements. For Kaspersky Internet Security 6.0 to run properly, your computer must meet these minimum requirements. General requirements: 50 MB of free hard drive space; CD-ROM drive (for installing Kaspersky Internet Security 6.0 from an installation CD); Microsoft Internet Explorer 5.5 or higher (for updating threat signatures and program modules through the Internet); Microsoft Windows Installer 2.0. Microsoft Windows 98, Microsoft Windows Me, Microsoft Windows NT Workstation 4.0 (Service Pack 6a): Intel Pentium 300 MHz processor or faster; 64 MB of RAM. Microsoft Windows 2
343. uter. Recommended: Kaspersky Lab experts recommend this level. The same files will be scanned as for the High setting, except for email databases. Low: level with settings that let you comfortably use resource-intensive applications, since the scope of files scanned is reduced. [Figure 66: Selecting a virus scan security level] By default, the File Anti-Virus security level is set to Recommended. You can raise or lower the scan security level by selecting the level you want or changing the settings for the current level. To edit the security level: Adjust the sliders. By adjusting the security level, you define the ratio of scan speed to the total number of files scanned: the fewer files are scanned for viruses, the higher the scan speed. If none of the file security levels listed meet your needs, you can customize the protection settings. To do so, select the level that is closest to what you need as a starting point and edit its settings. If you do so, the level will be renamed as Custom. To modify the settings for a security level: click the Settings button in the task settings window. Edit the scan settings in the window that opens and click OK. As a result, a fourth security level will be created, Custom settings, which contains the protection settings that you configured. 14.4.2 Specifyi
344. ve access to Kaspersky Lab's update servers (for example, your computer is not connected to the Internet), you can call the Kaspersky Lab main office at 7 495 797 87 00 to request contact information for Kaspersky Lab partners who can provide you with zipped updates on floppy disks or CDs. Updates can be downloaded in one of the following modes: Auto. Kaspersky Internet Security checks the update source for update packages at specified intervals. Scans can be set to be more frequent during virus outbreaks and less so when they are over. When the program detects fresh updates, it downloads them and installs them on the computer. This is the default setting. By schedule. Updating is scheduled to start at a specified time. Manual. With this option, you launch the Updater manually. During updating, the application compares the threat signatures and application modules on your computer with the versions available on the update server. If your computer has the latest version of the signatures and application modules, you will see a notification window confirming that your computer is up to date. If the signatures and modules on your computer differ from those on the update server, only the missing part of the updates will be downloaded. The Updater does not download threat signatures and modules that you already have, which significantly increases download speed and saves Internet traffic. Before updating threat signatures, Kaspersky Intern
345. ver requires authentication and you did not enter the username and password, or the data specified were not accepted by the proxy server for some reason, a window will pop up when updates start, asking for a username and password for authentication. If authentication is successful, the username and password will be used when the program is next updated. Otherwise, the authentication settings will be requested again. To avoid using a proxy when the update source is a local folder, select the Bypass proxy server for local addresses. This feature is unavailable under Windows 9X/NT 4.0. However, the proxy server is by default not used for local addresses. 16.4.4 Update distribution. If your home computers are connected through a home network, you do not need to download and install updates on each of them separately, since this would consume more network bandwidth. You can use the update distribution feature, which helps reduce traffic by retrieving updates in the following manner: 1. One of the computers on the network retrieves an application and threat signature update package from the Kaspersky Lab web servers or from another web resource hosting a current set of updates. The updates retrieved are placed in a public access folder. 2. Other computers on the network access the public access folder to retrieve application updates. To enable update distribution, select the Copy to folder checkbox on the Adv
346. vided by Kaspersky Lab as part of the Kaspersky Internet Security 6.0. 1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and conditions of this Agreement, Kaspersky Lab hereby grants you the non-exclusive, non-transferable right to use one copy of the specified version of the Software and the accompanying documentation (the "Documentation") for the term of this Agreement solely for your own internal business purposes. You may install one copy of the Software on one computer. 1.1 Use. The Software is licensed as a single product; it may not be used on more than one computer or by more than one user at a time, except as set forth in this Section. 1.1.1 The Software is "in use" on a computer when it is loaded into the temporary memory (i.e., random-access memory or RAM) or installed into the permanent memory (e.g., hard disk, CD-ROM, or other storage device) of that computer. This license authorizes you to make only as many back-up copies of the Software as are necessary for its lawful use and solely for back-up purposes, provided that all such copies contain all of the Software's proprietary notices. You shall maintain records of the number and location of all copies of the Software and Documentation and will take all reasonable precautions to protect the Software from unauthorized copying or use. 1.1.2 The Software protects computer against viruses and network attacks whose signatures are co
347. w you can determine: Whether to display the Kaspersky Internet Security protection indicator when the operating system starts. This indicator by default appears in the upper right-hand corner of the screen when the program loads. It informs you that your computer is protected from all threat types. If you do not want to use the protection indicator, uncheck Show icon above Microsoft Windows login window. Whether to use animation in the system tray icon. Depending on the program operation performed, the system tray icon changes. For example, if a script is being scanned, a small depiction of a script appears in the background of the icon, and if an email is being scanned, an envelope. By default, icon animation is enabled. If you want to turn off animation, uncheck Animate tray icon when processing items. Then the icon will only reflect the protection status of your computer: if protection is enabled, the icon is in color, and if protection is paused or disabled, the icon becomes gray. Degree of transparency of popup messages. All Kaspersky Internet Security operations that must immediately reach you or require you to make a decision are presented as popup messages above the system tray icon. The message windows are transparent so as not to interfere with your work. If you move the cursor over the message, the transparency disappears. You can change the degree of transparency of such messages. To do so, adjust
348. window that opens (see fig. 107): Popup messages above the program icon in the system tray that contain an informative message on the event that occurred. To use this notification type, check the box in the Balloon section across from the event about which you want to be informed. Sound notification. If you want this notice to be accompanied by a sound file, check Sound across from the event. Email notification. To use this type of notice, check the Email column across from the event about which you want to be informed, and configure settings for sending notices (see 17.11.1.2 on pg. 258). Logging events. To record information in the log about events that occur, check the box in the Log column and configure event log settings (see 17.11.1.3 on pg. 259). [Figure 107: Notification settings window, listing critical, error and important notification event types with Balloon, Sound and Email columns]
349. with Version 5.0 35; 3.2.2 Activating the program 36; 3.2.2.1 Selecting a program activation method 36; 3.2.2.2 Entering the activation code 37; 3.2.2.3 Obtaining a license key 37; 3.2.2.4 Selecting a license key file 37; 3.2.2.5 Completing program activation 38; 3.2.3 Selecting a security mode 38; 3.2.4 Configuring update settings 39; 3.2.5 Configuring a virus scan schedule 39; 3.2.6 Restricting program access 40; 3.2.7 Application Integrity Control 40; 3.2.8 Configuring Anti-Hacker settings 41; 3.2.8.1 Determining a security zone's status 41; 3.2.8.2 Creating a list of network applications 43; 3.2.9 Finishing the Setup Wizard 43; 3.3 Installi
350. without a download manager, when the connection is terminated the file transfer will be lost. You will have to download the file over again. You can choose not to interrupt the connections by clicking on the No button in the notice window. If you do so, the program will continue running. After closing the program, you can enable computer protection again by opening Kaspersky Internet Security (Start > Programs > Kaspersky Internet Security 6.0 > Kaspersky Internet Security 6.0). You can also resume protection automatically after restarting your operating system. To enable this feature, select the Protection section in the program settings window and check Start Kaspersky Internet Security 6.0 at startup. 6.2 Types of programs to be monitored: Kaspersky Internet Security protects you from various types of malicious programs. Regardless of your settings, the program always scans and neutralizes viruses, Trojans and hack tools. These programs can do significant damage to your computer. To make your computer more secure, you can expand the list of threats that the program will detect by making it monitor additional types of dangerous programs. To choose what malicious programs Kaspersky Internet Security will protect you from, select the Protection section in the program settings window (see 4.4 on pg. 50). The Malware categories box contains threat types: Viruses, worms, Trojans and hack
351. wo weeks prior to the expiration of your license, and for the next two weeks it will display this message every time you open it. To extend your license, you must purchase and install a new license key for Kaspersky Internet Security or enter a program activation code. To do so: 1. Contact the location where you purchased the product and purchase a program license key or activation code; or purchase a license key or activation code directly from Kaspersky Lab by clicking the Purchase license link in the license key window (see figure 101). Complete the form on our website. After payment is made, we will send a link to the e-mail address you enter in the order form. With this link you can download a license key or receive a program activation code. [Figure 101: License information] Kaspersky Lab regularly has special pricing offers on license extensions for our products. Check for specials on the Kaspersky Lab website in the Products > Sales and special offers area. Information about the license key used is available in the License info box in the Service section of the
352. xes. Confirm in the dialog box that you want to apply this rule to all emails received. Step Three: In the window for selecting actions to apply to messages, check Apply advanced action from action list. In the lower portion of the window, click advanced action. In the window that opens, select Kaspersky Anti-Spam from the dropdown menu and click OK. Step Four: In the window for selecting exceptions to the rule, click Next without checking any boxes. Step Five: In the window for finishing creating the rule, you can edit its name (the default is Kaspersky Anti-Spam). Make sure that Apply rule is checked and click Finished. The default position for the new rule is first on the rule list in the Message rules window. If you like, move this rule to the end of the list so it is applied to the email last. All incoming emails are processed with these rules. The order in which the rules are applied depends on their priority, with rules at the top of the list having higher priority than those lower down. You can change the priority for applying rules to emails. If you do not want the Anti-Spam rule to further process emails after a rule is applied, you must check Stop processing more rules in the rule settings (see Step Three in creating a rule). If you are experienced in creating email processing rules in Microsoft Office Outlook, you can create your own rule for Anti-Spam based on the setup that we have suggested
353. y settings in the window that opens. 12.2 Application rules: Kaspersky Internet Security includes a set of rules for the commonest Microsoft Windows applications. These are programs whose network activity has been analyzed in detail by Kaspersky Lab and is strictly defined as either dangerous or trusted. Depending on the security level (see 12.1 on pg. 144) selected for the Firewall and the type of network (see 12.5 on pg. 154) on which the computer is running, the list of rules for programs can be used in various ways. For example, with Maximum protection, any application network activity that does not match the allow rules is blocked. To work with the application rule list: 1. Click Settings in the Firewall section of the Anti-Hacker settings window. 2. In the window that opens, select the Rules for Applications tab (see fig. 45). [Figure: Anti-Hacker settings window, Rules for applications tab, listing applications and their folders]
354. yed in the lower part of the form. Email headers are not of a significant size, generally a few dozen bytes, and cannot contain malicious code. Here is an example of when it might help to view an email's headers: spammers have installed a malicious program on a coworker's computer that sends spam with his name on it to everyone on his email client's contact list. The likelihood that you are on your coworker's contact list is extremely high, and undoubtedly your inbox will become full of spam from him. It is impossible to tell, judging by the sender's address alone, whether the email was sent by your coworker or a spammer. The email headers will, however, reveal this information, allowing you to check who sent the email, when, and what size it is, and to trace the email's path from the sender to your email server. All this information should be in the email headers. You can then decide whether it is really necessary to download that email from the server or if it is better to delete it. Note: You can sort emails by any of the columns of the email list. To sort, click on the column heading. The rows will be sorted in ascending order. To change the sorting direction, click on the column heading again. 13.3.8 Actions for spam: If after scanning you find that an email is spam or potential spam, the next steps that Anti-Spam takes depend on the object status and the action selected. By default, emails that are spam or potential spam
