ESET SMART SECURITY 7 User Guide (intended for product version 7.0 and higher) Microsoft Windows 8.
ESET SMART SECURITY Copyright 2014 by ESET, spol. s r. o. ESET Smart Security was developed by ESET, spol. s r. o. For more information visit www.eset.com. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author. ESET, spol. s r. o.
1. ESET Smart Security
ESET Smart Security represents a new approach to truly integrated computer security. The most recent version of the ThreatSense® scanning engine, combined with our custom Personal firewall and Antispam modules, utilizes speed and precision to keep your computer safe. The result is an intelligent system that is constantly on alert for attacks and malicious software that might endanger your computer.
1.1 What's new in version 7
ESET Smart Security version 7 features many small improvements:
Device control – A replacement for Removable media control used in versions 5 and 6. This module allows you to scan, block or adjust extended filters/permissions and define a user's ability to access and work with a given device.
Vulnerability shield – An extension of the firewall that improves detection of known vulnerabilities at the network level.
1.3 Prevention
When you work with your computer, and especially when you browse the Internet, please keep in mind that no antivirus system in the world can completely eliminate the risk of infiltrations and attacks.
2. Installation
There are several methods for installing ESET Smart Security on your computer. Installation methods may vary depending on country and means of distribution:
Live installer can be downloaded from the ESET website. The installation package is universal for all languages (choose a desired language). Live installer itself is a small file; additional files required to install ESET Smart Security will be downloaded automatically.
2.2 Offline installation
Once you launch the offline installation (.msi) package, the installation wizard will guide you through the setup process. First, the program checks to see if a newer version of ESET Smart Security is available. If a newer version is found you will be notified in the first step of the installation process. If you select Download and install new version, the new version will be downloaded and installation will continue.
2.2.1 Advanced settings
After selecting Advanced settings, you will be prompted to select a location for the installation. By default, the program installs to the following directory:
C:\Program Files\ESET\ESET Smart Security\
Click Browse… to change this location (not recommended). Click Next to configure your Internet connection. If you use a proxy server, it must be correctly configured for virus signature updates to work.
If you would like to evaluate ESET Smart Security before making a purchase, select Activate Trial License. Fill in your email address and country to activate ESET Smart Security for a limited time. Your test license will be emailed to you. Trial licenses can only be activated once per customer. If you do not have a license and would like to buy one, click Purchase License. This will redirect you to the website of your local ESET distributor.
2.6 First scan after installation
After installing ESET Smart Security, a computer scan will start 20 minutes after installation or computer restart in order to check for malicious code. You can also start a computer scan manually from the main program window by clicking Computer scan > Smart scan. For more information about computer scans, see the section Computer scan.
3. Beginner's guide
This chapter provides an initial overview of ESET Smart Security and its basic settings.
3.1 The main program window
The main program window of ESET Smart Security is divided into two main sections. The primary window on the right displays information that corresponds to the option selected from the main menu on the left. The following is a description of options within the main menu:
Home – Provides information about the protection status of ESET Smart Security.
What to do if the program doesn't work properly?
If the modules enabled are working properly, the Protection status icon will be green. A red exclamation point or orange notification indicates that maximum protection is not ensured. Additional information about the protection status of each module, as well as suggested solutions for restoring full protection, will be displayed under Home. To change the status of individual modules, click Setup and select the desired module.
Phantom account does not exist initially, but is a security feature that is triggered automatically when you mark a device as missing. You may need to create a Phantom account using the Optimization feature in the ESET Anti-Theft web interface.
Gamer mode enabled – Enabling Gamer mode is a potential security risk. By enabling this feature, all popup windows are disabled and the activity of the scheduler will be completely stopped.
The Advanced setup window (click Setup in the main menu and then click Enter advanced setup..., or press F5 on your keyboard) contains additional update options. Click Update > Settings in the Advanced setup tree to the left. To configure advanced update options such as update mode, proxy server access and LAN connections, click Setup... in the Update window.
3.3 Trusted zone setup
It is necessary to configure the Trusted zone to protect your computer in a network environment.
NOTE: By default, workstations from a Trusted zone are granted access to shared files and printers, have incoming RPC communication enabled and have remote desktop sharing available.
3.4 Anti-Theft
To protect your computer in case of a loss or theft, choose from the following options to register your computer with the ESET Anti-Theft system.
1. After a successful activation click Enable Anti-Theft to activate ESET Anti-Theft features for the computer you just registered.
2.
4. Work with ESET Smart Security
The ESET Smart Security setup options allow you to adjust the protection levels of your computer and network. The Setup menu contains the following:
Computer
Network
Web and Email
Parental control
Click any component to adjust the advanced settings of the corresponding protection module.
Web and Email protection setup allows you to enable or disable the following components:
Web access protection – If enabled, all traffic through HTTP or HTTPS is scanned for malicious software.
Email client protection – Monitors communication received through POP3 and IMAP protocol.
Antispam protection – Scans unsolicited email, i.e., spam.
Anti-Phishing protection – Filters websites suspected of distributing content intended to manipulate users into submitting confidential information.
4.1.1 Antivirus and antispyware
Antivirus and antispyware protection guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by first blocking it and then cleaning, deleting or moving it to quarantine. Scanner options for all protection modules (e.g. Real-time file system protection, Web access protection, ...
Media to scan
By default, all types of media are scanned for potential threats:
Local drives – Controls all system hard drives.
Device control – CD/DVDs, USB storage, Bluetooth devices, etc.
Network drives – Scans all mapped drives.
We recommend that you keep the default settings and only modify them in specific cases, such as when scanning certain media significantly slows data transfers.
Scan on (Event-triggered scanning)
By default, all files are scanned upon opening, creation or execution.
Additional ThreatSense parameters for executed files
Advanced heuristics on file execution – By default, Advanced heuristics is used when files are executed. When enabled, we strongly recommend keeping Smart optimization and ESET Live Grid enabled to mitigate impact on system performance.
Advanced heuristics on executing files from removable media – If you wish to exclude some removable media (USB) ports from being scanned by advanced heuristics on file execution, click Exceptions...
4.1.1.1.3 When to modify real-time protection configuration
Real-time protection is the most essential component of maintaining a secure system. Always be careful when modifying its parameters. We recommend that you only modify its parameters in specific cases. After installing ESET Smart Security, all settings are optimized to provide the maximum level of system security for users.
Smart scan
Smart scan allows you to quickly launch a computer scan and clean infected files with no need for user intervention. The advantage of Smart scan is that it is easy to operate and does not require detailed scanning configuration. Smart scan checks all files on local drives and automatically cleans or deletes detected infiltrations. The cleaning level is automatically set to the default value. For more detailed information on types of cleaning, see Cleaning.
Infected items are not cleaned automatically. Scanning without cleaning can be used to obtain an overview of the current protection status. If you are only interested in scanning the system without additional cleaning actions, select Scan without cleaning. Furthermore, you can choose from three cleaning levels by clicking Setup... > Cleaning. Information about scanning is saved to a scan log. You can choose a profile from the Scan profile drop-down menu to be used for scanning chosen targets.
After all scans computer takes no action – Triggers a scheduled shutdown or reboot when the computer scan finishes. Once the scan has finished, a shutdown confirmation dialog window will open with a 60 second timeout. Click this option again to deactivate the selected action.
4.1.1.2.3 Scan profiles
Your preferred scan parameters can be saved for future scanning. We recommend that you create a different profile (with various scan targets, scan methods and other parameters) for each regularly used scan.
4.1.1.3.1 Automatic startup file check
When creating a System startup file check scheduled task, you have several options to adjust the following parameters: The Scan level drop-down menu specifies the scan depth for files run at system startup.
an asterisk (*) represents a variable string of zero or more characters.
Examples
If you wish to exclude all files in a folder, type the path to the folder and use the mask "*.*". To exclude an entire drive including all files and subfolders, use the mask "D:\*". If you want to exclude doc files only, use the mask "*.doc". If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for sure (say "D"), use the following format: "D????.exe".
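As an added illustration (this editor's code, not code from the guide or from ESET), the following Python snippet implements the mask semantics described above so the four example masks can be checked against constructed sample paths. It assumes that "*" also spans path separators (consistent with "D:\*" covering all subfolders), that a mask containing no backslash is compared with the file name only, and that matching is case-insensitive like Windows paths; the audit helper that flags drive-wide exclusions is an addition, not a product feature.

```python
import re


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Compile an ESET-style exclusion mask into a regex.

    '*' matches zero or more characters (assumed to span '\\' as well, since
    the guide documents D:\\* as covering all subfolders); '?' matches exactly
    one character; every other character is literal. Windows paths are
    case-insensitive, so the pattern is compiled that way.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def mask_matches(mask: str, path: str) -> bool:
    """True if the exclusion mask covers the given full path.

    Assumption: a mask containing a backslash is compared with the whole
    path; a bare mask such as *.doc is compared with the file name only.
    """
    target = path if "\\" in mask else path.rsplit("\\", 1)[-1]
    return mask_to_regex(mask).fullmatch(target) is not None


def excluded_by(path: str, masks: list[str]) -> list[str]:
    """Return every configured mask that would exclude this path from scanning."""
    return [m for m in masks if mask_matches(m, path)]


# Masks that switch scanning off for a whole drive or for every file:
# a bare '*' or '*.*', optionally preceded by a drive letter and backslash.
_DRIVE_WIDE = re.compile(r"^(?:[a-z]:\\)?\*(?:\.\*)?$", re.IGNORECASE)


def audit_masks(masks: list[str]) -> list[str]:
    """Return masks broad enough to deserve review: excluded paths are never
    scanned by real-time protection, so a drive-wide mask is a blind spot."""
    return [m for m in masks if _DRIVE_WIDE.match(m)]


if __name__ == "__main__":
    # Constructed sample exclusion list using the guide's four mask forms.
    masks = [r"C:\Tools\*.*", r"D:\*", "*.doc", "D????.exe"]
    for sample in (r"C:\Tools\readme.txt", r"D:\backup\2014\image.iso",
                   r"C:\Users\alice\report.doc", r"C:\Apps\Dummy.exe",
                   r"C:\Apps\Dump.exe"):
        print(f"{sample:32} excluded by {excluded_by(sample, masks)}")
    print("review these masks:", audit_masks(masks))
```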
4.1.1.6 ThreatSense engine parameters setup
ThreatSense is a technology comprised of many complex threat detection methods. This technology is proactive, which means it also provides protection during the early spread of a new threat. It uses a combination of code analysis, code emulation, generic signatures and virus signatures which work in concert to significantly enhance system security.
writers. Its latest version introduces a completely new way of code emulation based on binary translation. This new binary translator helps to bypass anti-emulation tricks used by malware writers. In addition to these improvements, DNA-based scanning has been significantly updated to allow for better generic detections and address current malware more accurately.
4.1.1.6.6 Other
You can configure the following options in the Other section:
Log all objects – If this option is selected, the log file will show all the scanned files, even those not infected. For example, if an infiltration is found within an archive, the log will also list the clean files contained within the archive.
Cleaning and deleting
If there is no predefined action to take for Real-time file system protection, you will be prompted to select an option in the alert window. Usually the options Clean, Delete and No action are available. Selecting No action is not recommended, as this will leave infected files uncleaned. The exception to this is when you are sure that a file is harmless and has been detected by mistake. Apply cleaning if a file has been attacked by a virus that has attached malicious code to the file.
4.1.1.8 Document protection
The Document protection feature scans Microsoft Office documents before they are opened, as well as files downloaded automatically by Internet Explorer such as Microsoft ActiveX elements. Document protection provides a layer of protection in addition to Real-time file system protection, and can be disabled to enhance performance on systems that are not exposed to a high volume of Microsoft Office documents. Integrate into system activates the protection system.
If the inserted external device applies an existing rule that performs the Block action, a notification window will pop up in the lower right corner and access to the device will not be granted.
4.1.3.1 Device control rules
The Device control rules editor window displays existing rules and allows for precise control of external devices that users connect to the computer.
4.1.3.2 Adding Device control rules
A Device control rule defines the action that will be taken when a device meeting the rule criteria is connected to the computer. Enter a description of the rule into the Name field for better identification. Selecting or deselecting the check box next to Enabled enables or disables this rule; this can be useful if you don't wish to delete the rule permanently.
Device type
Choose the external device type from the drop-down menu (USB/Bluetooth/FireWire/...).
number of the given media, not the CD drive.
Note: If the above three descriptors are empty, the rule will ignore these fields while matching. Filtering parameters in all text fields are case-sensitive and no wildcards (*, ?) are supported. They must be written exactly as delivered by the vendor.
Tip: In order to figure out the parameters of a device, create an allowing rule for the appropriate type of devices, connect the device to your computer and then check the device details in the Device control log.
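An added example (this editor's Python, not ESET code) of the matching behaviour this section describes: descriptors are compared literally and case-sensitively with no wildcards, empty descriptors are ignored, disabled rules are skipped, and only a matching rule produces a Device control log entry, which is what makes the Tip's discovery rule work. The descriptor names Vendor, Model and Serial, the action labels Allow/Block, first-match rule ordering and all device data are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Descriptors as reported when a device is connected (constructed sample)."""
    device_type: str   # e.g. "USB storage", the Device type drop-down value
    vendor: str
    model: str
    serial: str


@dataclass
class Rule:
    name: str
    device_type: str
    action: str          # "Allow" or "Block" (labels assumed from the Action menu)
    enabled: bool = True
    vendor: str = ""     # empty descriptor = ignored while matching (per the Note)
    model: str = ""
    serial: str = ""


def rule_matches(rule: Rule, device: Device) -> bool:
    """Literal, case-sensitive comparison with no wildcard expansion.
    A disabled rule never matches; an empty rule field matches any value."""
    if not rule.enabled or rule.device_type != device.device_type:
        return False
    pairs = ((rule.vendor, device.vendor),
             (rule.model, device.model),
             (rule.serial, device.serial))
    return all(not wanted or wanted == actual for wanted, actual in pairs)


def evaluate(rules: list[Rule], device: Device):
    """Apply the first enabled matching rule (ordering is an assumption).

    Returns (action, rule_name, log_entry). With no matching rule nothing is
    logged, so the result is (None, None, None); that is why the Tip recommends
    an Allow rule with empty descriptors to learn a device's exact parameters.
    """
    for rule in rules:
        if rule_matches(rule, device):
            entry = (f"{device.device_type}: vendor={device.vendor!r} "
                     f"model={device.model!r} serial={device.serial!r} "
                     f"-> rule '{rule.name}' -> {rule.action}")
            return rule.action, rule.name, entry
    return None, None, None


# Constructed sample policy: one approved USB key, everything else in the
# USB storage class blocked. A Bluetooth device has no rule and is not logged.
RULES = [
    Rule("Corporate USB key", "USB storage", "Allow",
         vendor="Kingston", model="DataTraveler 3.0", serial="0C3A9F12"),
    Rule("Old phone allowance", "USB storage", "Allow",
         vendor="Nokia", enabled=False),
    Rule("Block other USB storage", "USB storage", "Block"),
]

APPROVED_KEY = Device("USB storage", "Kingston", "DataTraveler 3.0", "0C3A9F12")
LOOKALIKE_KEY = Device("USB storage", "kingston", "DataTraveler 3.0", "0C3A9F12")
DISABLED_CASE = Device("USB storage", "Nokia", "Lumia", "N1")
HEADSET = Device("Bluetooth", "Jabra", "Evolve", "JB7")

if __name__ == "__main__":
    for dev in (APPROVED_KEY, LOOKALIKE_KEY, DISABLED_CASE, HEADSET):
        action, name, entry = evaluate(RULES, dev)
        print(entry or f"{dev.device_type} {dev.vendor}: no rule, no log entry")
    # Discovery rule from the Tip: allow the class, read descriptors from the log.
    print(evaluate([Rule("Discover USB", "USB storage", "Allow")], LOOKALIKE_KEY)[2])
```

The lowercase "kingston" key falls through to the Block rule because the comparison is case-sensitive, exactly as the Note warns.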
1. Name the rule and select Block from the Action drop-down menu.
2. Open the Target applications tab. Leave the Source applications tab blank to apply your new rule to all applications attempting to perform any of the selected operations in the Operations list on applications in the Over these applications list.
3. Select Modify state of another application (all operations are described in product help, which can be accessed by pressing F1).
4. Add one or several applications you wish to protect.
5.
the exact parameters for your new rule. Rules created this way are considered equal to rules created manually, so a rule created from a dialog window can be less specific than the rule that triggered that dialog window. This means that after creating such a rule, the same operation can trigger another dialog window if the parameters that your previous rule set do not apply to the situation.
4.2 Network
The Personal firewall controls all network traffic to and from the system. This is accomplished by allowing or denying individual network connections based on specified filtering rules. It provides protection against attacks from remote computers and enables blocking of some services. It also provides antivirus protection for HTTP, POP3 and IMAP protocols. This functionality represents a very important element of computer security.
Advanced Personal firewall setup... – Allows you to access the advanced firewall setup options.
4.2.1 Filtering modes
Four filtering modes are available for the ESET Smart Security Personal firewall. Filtering modes can be found in Advanced setup (F5) by clicking Network > Personal firewall. The behavior of the firewall changes based on the selected mode. Filtering modes also influence the level of user interaction required.
4.2.1.1 Learning mode
The Learning mode feature in ESET Smart Security's Personal firewall automatically creates and saves a rule for each communication that has been established in the system. No user interaction is required, because ESET Smart Security saves rules according to the predefined parameters. This mode is not safe, and is recommended only for initial configuration of the Personal firewall.
4.2.2 Firewall profiles
Profiles can be used to control the behavior of the ESET Smart Security Personal firewall. When creating or editing a Personal firewall rule, you can assign it to a specific profile or have it apply to every profile. When you select a profile, only the global rules (rules with no profile specified) and the rules that have been assigned to that profile are applied. You can create multiple profiles with different rules assigned to easily alter the Personal firewall behavior.
Select what type of rules will be displayed in the Rules setup section using the Rules to display list:
Only user defined rules – Displays only those rules created by the user.
User and predefined rules – Displays all user-defined and default pre-defined rules.
All rules (including system) – All rules are displayed.
4.2.3.1 Rules setup
Rules setup allows you to view all rules applied to traffic generated by individual applications within trusted zones and the Internet.
4.2.3.1.1 Detailed view of all rules
To see the following information in the Zone and rule setup window, click Toggle detailed view of all rules.
Name – Name of the rule; the check box must be selected to activate the rule.
Action – Shows the direction of communication and action.
4.2.3.2 Editing rules
Modification is required each time any of the monitored parameters are changed. In this case, the rule cannot fulfill the conditions and the specified action cannot be applied. If parameters have changed, the given connection may be refused, which can result in problems with operation of the application in question. An example is a change of network address or port number for the remote side.
4.2.4.1 Network authentication
For mobile computers, it is recommended that you verify the credibility of the network that you are connecting to. The Trusted zone is identified by the local IP address of the network adapter. Mobile computers often enter networks with IP addresses that are similar to the trusted network. If the Trusted zone settings are not manually switched to Public network, the Personal firewall will continue to use the Home/work network mode.
The public key can be a file of one of the following types:
PEM encrypted public key (.pem)
This key can be generated using the ESET Authentication Server (see section Zone authentication – Server configuration).
Encrypted public key
Public key certificate (.crt)
To test your settings, click Test. If authentication is successful, a Server authentication successful notification will appear.
4.2.4.1.2 Zone authentication - Server configuration
The authentication process can be executed by any computer/server connected to the network that is to be authenticated. The ESET Authentication Server application needs to be installed on a computer/server that is always accessible for authentication whenever a client attempts to connect to the network. The installation file for the ESET Authentication Server application is available for download on ESET's website.
4.2.5 Establishing connection - detection
The Personal firewall detects each newly-created network connection. The active firewall mode determines which actions are performed for the new rule. If Automatic mode or Policy-based mode is activated, the Personal firewall will perform predefined actions with no user interaction. Interactive mode displays an informational window that reports detection of a new network connection, supplemented with detailed information about the connection.
4.2.6 Logging
The ESET Smart Security Personal firewall saves all important events in a log file, which can be viewed directly from the main menu. Click Tools > Log files and then select Personal firewall from the Log drop-down menu. The log files can be used to detect errors and reveal intrusions into your system.
4.3 Web and email
Web and email configuration can be found in the Setup pane by clicking on Web and email. From here you can access more detailed settings of the program. Internet connectivity is a standard feature for personal computers. Unfortunately, the Internet has become the primary medium for distributing malicious code. For this reason it is essential that you carefully consider your Web access protection settings.
4.3.1 Email client protection
Email protection provides control of email communication received through the POP3 and IMAP protocols. Using the plug-in for Microsoft Outlook and other e-mail clients, ESET Smart Security provides control of all communications from the email client (POP3, MAPI, IMAP, HTTP). When examining incoming messages, the program uses all the advanced scanning methods included in the ThreatSense scanning engine.
4.3.1.1.1 Email client protection configuration
The Email client protection module supports the following email clients: Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird. Email protection works as a plug-in for these programs. The main advantage of the plug-in is that it is independent of the protocol used. When the email client receives an encrypted message, it is decrypted and sent to the virus scanner.
4.3.1.3 POP3, POP3S filter
The POP3 protocol is the most widespread protocol used to receive email communication in an email client application. ESET Smart Security provides protection for this protocol regardless of the email client used. The protection module providing this control is automatically initiated at system startup and is then active in memory.
4.3.1.4 Antispam protection
Unsolicited email, called spam, ranks among the greatest problems of electronic communication. Spam represents up to 80 percent of all email communication. Antispam protection serves to protect against this problem. Combining several email security principles, the Antispam module provides superior filtering to keep your inbox clean.
Spam score logging
The ESET Smart Security Antispam engine assigns a spam score to every scanned message. The message will be recorded in the antispam log (ESET Smart Security > Tools > Log files > Antispam protection).
Do not write – The Score cell in the Antispam protection log will be empty.
Write only reclassified messages and messages marked as SPAM – Select this if you want to record a spam score for messages marked as SPAM.
4.3.2 Web access protection
Internet connectivity is a standard feature in a personal computer. Unfortunately, it has also become the main medium for transferring malicious code. Web access protection works by monitoring communication between web browsers and remote servers, and complies with HTTP (Hypertext Transfer Protocol) and HTTPS (encrypted communication) rules. We strongly recommend that Web access protection is enabled.
4.3.2.2 URL address management
The URL address management section enables you to specify HTTP addresses to block, allow or exclude from checking. Add, Edit, Remove and Export are used to manage the lists of addresses. Websites in the list of blocked addresses will not be accessible. Websites in the list of excluded addresses are accessed without being scanned for malicious code.
4.3.3 Protocol filtering
Antivirus protection for the application protocols is provided by the ThreatSense scanning engine, which seamlessly integrates all advanced malware scanning techniques. The control works automatically, regardless of the Internet browser or email client used. For encrypted (SSL) communication see Protocol filtering > SSL.
Enable application protocol content filtering – If enabled, all HTTP(S), POP3(S) and IMAP(S) traffic will be checked by the antivirus scanner.
4.3.3.2 Excluded applications
To exclude communication of specific network-aware applications from content filtering, select them in the list. HTTP/POP3/IMAP communication of the selected applications will not be checked for threats. We recommend using this option only for applications that do not work properly with their communication being checked. Running applications and services will be available here automatically. Click Add...
4.3.3.3 Excluded IP addresses
The entries in the list will be excluded from protocol content filtering. HTTP/POP3/IMAP communication from/to the selected addresses will not be checked for threats. We recommend that you only use this option for addresses that are known to be trustworthy.
Add IPv4/IPv6 address – Click to add an IP address/address range/subnet of a remote point to which a rule is applied.
Remove – Remove selected entries from the list.
4.3.3.3.
4.3.3.4 SSL protocol checking
ESET Smart Security enables you to check protocols encapsulated in SSL protocol. You can use various scanning modes for SSL protected communications using trusted certificates, unknown certificates, or certificates that are excluded from SSL-protected communication checking.
Always scan SSL protocol – Select this option to scan all SSL protected communications except communications protected by certificates excluded from checking.
4.3.3.4.1.2 Excluded certificates
The Excluded certificates section contains certificates that are considered safe. The content of encrypted communications utilizing the certificates in the list will not be checked for threats. We recommend only excluding web certificates that are guaranteed to be safe and where communication utilizing the certificates does not need to be checked. To delete selected items from the list, click Remove.
NOTE: Potential phishing websites that have been whitelisted will expire after several hours by default. To allow a website permanently, you can use the URL address management tool. From Advanced setup (F5) click Web and email > Web access protection > URL address management and from the URL address management drop-down menu select List of allowed addresses and add your website to this list.
that do not match a category, click the Blocked and allowed web pages tab. If you click Parental control in the Setup pane from the main product window of ESET Smart Security, you will see that the main window is divided into three sections.
1. Parental control
After deselecting Enabled on the right, a Temporarily disable protection window will appear. Here you can set the time interval for which protection is disabled. The option then changes to Disabled and all following settings will be hidden.
1. Open User Accounts by clicking the Start button (located at the bottom left side of your desktop), clicking Control Panel and then clicking User Accounts.
2. Click Manage another account. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click Create a new account.
4. Type the name you want to give the user account, click an account type, and then click Create Account.
5.
4.4.1 Web page content filtering
If the check box next to a category is selected, it is allowed. Deselect the check box next to a specific category to block it for the selected account. Moving the mouse over a category will show you a list of web pages that fall into that category. Here are some examples of categories (groups) that users might not be familiar with:
Miscellaneous – Usually private (local) IP addresses such as intranet, 127.0.0.0/8, 192.168.0.0/16, etc.
4.4.2 Blocked and allowed web pages
Enter a URL address into the blank field under the list, select Allow or Block and click Add to add it to the list. To delete a URL address from the list, click the remove button. In the URL address list, the special symbols * (asterisk) and ? (question mark) cannot be used. For example, web page addresses with multiple TLDs must be entered manually (examplepage.com, examplepage.sk, etc.).
Last successful update – The date of the last update. If you do not see a recent date, your virus signature database may not be current.
Virus signature database version – The virus signature database number, which is also an active link to the ESET website. Click it to view a list of all signatures added within the given update.
Click Check for updates to detect the latest available version of ESET Smart Security.
Update process
After clicking Update now, the download process begins.
necessary – Virus signature database is up to date will appear in the Update window. If this is not the case, the program is out of date and more vulnerable to infection. Please update the virus signature database as soon as possible. Otherwise, one of the following messages will be displayed:
Virus signature database is out of date – This error will appear after several unsuccessful attempts to update the virus signature database. We recommend that you check the update settings.
4.5.1 Update settings
Update setup options are available from the Advanced setup tree (F5 key) by clicking Update > Settings. This section specifies update source information, such as the update servers and authentication data for these servers. In the home version of ESET products you are not able to choose your own update server. Update files will automatically be downloaded from the ESET server with the least network traffic.
4.5.1.1 Update profiles
Update profiles can be created for various update configurations and tasks. Creating update profiles is especially useful for mobile users who need an alternative profile for Internet connection properties that regularly change. The Selected profile drop-down menu displays the currently selected profile and is set to My profile by default. To create a new profile, click Profiles... and then click Add... and enter your own Profile name.
4.5.1.2.2 Proxy server
To access the proxy server setup options for a given update profile, click Update in the Advanced setup tree (F5) and then click Setup... to the right of Advanced update setup.
4.5.2 Update rollback
If you suspect that a new update of the virus database and/or program modules may be unstable or corrupt, you can roll back to the previous version and disable updates for a set period of time. Alternatively, you can enable previously disabled updates if you had postponed them indefinitely. ESET Smart Security records snapshots of the virus signature database and program modules for use with the rollback feature.
4.5.3 How to create update tasks
Updates can be triggered manually by clicking Update virus signature database in the primary window displayed after clicking Update from the main menu. Updates can also be run as scheduled tasks. To configure a scheduled task, click Tools > Scheduler. By default, the following tasks are activated in ESET Smart Security:
Regular automatic update
Automatic update after dial-up connection
Automatic update after user logon
Each update task can be modified to meet your needs.
This menu includes the following tools:
Log files
Protection statistics
Watch activity
Running processes (if ESET Live Grid is enabled in ESET Smart Security)
Scheduler
Quarantine
Network connections (if Personal firewall is integrated in ESET Smart Security)
ESET SysInspector
Submit file for analysis – Allows you to submit a suspicious file for analysis to the ESET Virus Lab. The dialog window displayed after clicking this option is described in the Submission of files for analysis section.
Parental control – Shows web pages blocked or allowed by Parental control. The Match type and Match values columns tell you how the filtering rules were applied. Device control – Contains records of removable media or devices that were connected to the computer. Only devices that match a Device control rule are recorded to the log file; if no rule matches a connected device, no log entry is created for it.
checkboxes at the beginning of each entry to activate/deactivate the tasks.
4.6.3 Protection statistics To view a graph of statistical data related to ESET Smart Security's protection modules, click Tools > Protection statistics. Select the desired protection module from the Statistics drop-down menu to see the corresponding graph and legend. If you mouse over an item in the legend, only the data for that item will display in the graph. The following statistic graphs are available: Antivirus and Antispyware protection – Displays the number of infected and cleaned objects.
You can also select Network activity from the Activity drop-down menu. The graph display and options for File system activity and Network activity are the same except that the latter displays received data (red) and sent data (blue). 4.6.
Do not submit statistics – Select this option if you do not want to submit anonymous information gathered by ESET Live Grid about your computer. This information is related to newly detected threats, which may include the name of the infiltration, information about the date and time it was detected, the version of ESET Smart Security, information about your computer's operating system version and Location settings. The statistics are normally delivered to ESET servers once or twice a day.
4.6.7 Running processes Running processes displays the running programs or processes on your computer and keeps ESET immediately and continuously informed about new infiltrations. ESET Smart Security provides detailed information on running processes to protect users with ESET Live Grid technology. Process – Image name of the program or process that is currently running on your computer. You can also use the Windows Task Manager to see all running processes on your computer.
Click an application in the list to display the following information at the bottom of the window:
File – Location of the application on your computer.
File size – File size in B (bytes).
File description – File characteristics based on the description from the operating system.
Company name – Name of the vendor or application process.
File version – Information from the application publisher.
Product name – Application name and/or business name.
The Configure connection view... option in the Network connections screen enters the advanced setup structure for this section, enabling you to modify connection view options: Resolve host names – If possible, all network addresses are displayed in DNS format, not in numeric IP address format. Only show TCP protocol connections – The list only displays connections which belong to the TCP protocol suite.
4.6.9 Quarantine The main function of the quarantine is to safely store infected files. Files should be quarantined if they cannot be cleaned, if it is not safe or advisable to delete them or if they are being falsely detected by ESET Smart Security. You can choose to quarantine any file. This is advisable if a file behaves suspiciously but is not detected by the antivirus scanner. Quarantined files can be submitted for analysis to the ESET Virus Lab.
the context menu. 4.6.10 Proxy server setup In large LAN networks, the connection of your computer to the Internet can be mediated by a proxy server. If this is the case, the following settings need to be defined. Otherwise the program will not be able to update itself automatically. In ESET Smart Security, proxy server setup is available in two different sections within the Advanced setup tree. First, proxy server settings can be configured in Advanced setup under Tools > Proxy server.
Sender address – This field specifies the sender address which will be displayed in the header of notification emails. Recipient address – This field specifies the recipient address which will be displayed in the header of notification emails. Send event notifications to LAN computers by means of Messenger service – Select this check box to send messages to LAN computers via the Windows® messaging service.
4.6.12 Submission of samples for analysis The file submission dialog enables you to send a file or a site to ESET for analysis and can be found in Tools > Submit sample for analysis. If you find a suspiciously behaving file on your computer or suspicious site on the Internet, you can submit it to the ESET Virus Lab for analysis. If the file turns out to be a malicious application or website, its detection will be added to an upcoming update. Alternatively, you can submit the file by email.
The Context menu is displayed after right-clicking an object. Use this tool to integrate ESET Smart Security control elements into the context menu. 4.7.1 Graphics User interface configuration options in ESET Smart Security allow you to adjust the working environment to fit your needs. These configuration options are accessible in the Advanced setup tree by expanding User interface and clicking Graphics.
would be a system or network administrator. This option is especially useful for terminal servers, provided that all system notifications are sent to the administrator. 4.7.3 Hidden notification windows If Do not show this message again was selected for a notification window (alert) that was previously displayed, that notification will appear in the list of hidden notification windows. Actions that are now executed automatically are displayed in the Confirm column.
protection, which guards against malicious system attacks by controlling file, web and email communication. Select Do not ask again to avoid this message in the future. The Time interval drop-down menu represents the period of time that Antivirus and antispyware protection will be disabled for. Block network – Personal firewall will block all outgoing / incoming network and internet traffic. Temporarily disable firewall – Switches the firewall to an inactive state.
5. Advanced user 5.1 Profile manager Profile manager is used in two places within ESET Smart Security – in the On-demand computer scan section and in the Update section. Computer scan Your preferred scan parameters can be saved for future scanning. We recommend that you create a different profile (with various scan targets, scan methods and other parameters) for each regularly used scan.
collapses Advanced setup tree nodes
TAB – moves the cursor in a window
Esc – closes the active dialog window
5.3 Diagnostics Diagnostics provides application crash dumps of ESET processes (for example, ekrn). If an application crashes, a dump will be generated. This can help developers to debug and fix various ESET Smart Security problems. Two dump types are available: Complete memory dump – Records all the contents of system memory when the application stops unexpectedly.
5.5 Idle state detection Idle state detection settings can be configured in Advanced setup under Tools > Idle state detection. These settings specify a trigger for Idle-state scanning, when: the screen saver is running, the computer is locked, a user logs off. Use the check boxes for each respective state to enable or disable the different idle state detection triggers. 5.6 ESET SysInspector 5.6.
5.6.2 User Interface and application usage For clarity the main program window is divided into four major sections – Program Controls located on the top of the main program window, Navigation window to the left, the Description window to the right and the Details window at the bottom of the main program window. The Log Status section lists the basic parameters of a log (filter used, filter type, is the log a result of a comparison etc.). 5.6.2.
Help Contains information about the application and its functions. Detail This setting influences the information displayed in the main program window to make the information easier to work with. In "Basic" mode, you have access to information used to find solutions for common problems in your system. In the "Medium" mode, the program displays less used details. In "Full" mode, ESET SysInspector displays all the information needed to solve very specific problems.
Description window you may find additional details for each process such as dynamic libraries used by the process and their location in the system, the name of the application's vendor and the risk level of the file. The Detail window contains additional information for items selected in the Description window such as the file size or its hash. NOTE: An operating system is comprised of several important kernel components running constantly that provide basic and vital functions for other user applications.
5.6.2.2.
Comparing
Ctrl+Alt+O – opens original / comparative log
Ctrl+Alt+R – cancels comparison
Ctrl+Alt+1 – displays all items
Ctrl+Alt+2 – displays only added items, log will show items present in current log
Ctrl+Alt+3 – displays only removed items, log will show items present in previous log
Ctrl+Alt+4 – displays only replaced items (files inclusive)
Ctrl+Alt+5 – displays only differences between logs
Ctrl+Alt+C – displays comparison
Ctrl+Alt+N – displays current log
Ctrl+Alt+P – opens previous log
Miscellaneous
F1 Alt+F4 Alt+Sh
Any comparative log can be saved to a file and opened at a later time. Example Generate and save a log, recording original information about the system, to a file named previous.xml. After changes to the system have been made, open ESET SysInspector and allow it to generate a new log. Save it to a file named current.xml. In order to track changes between those two logs, click File > Compare logs. The program will create a comparative log showing differences between the logs.
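As an added illustration (not ESET's code), the classification a comparative log applies to each item, written in Python over two constructed snapshots; the XML layout used here is a simplified stand-in, since the real ESET SysInspector log schema is not shown on this page.

```python
# Added example, not ESET SysInspector code: classify items between a
# previous and a current snapshot as added / removed / replaced / unchanged,
# matching the comparison views described in the manual.
import xml.etree.ElementTree as ET

# Constructed sample snapshots in an assumed, simplified layout:
# one <item> per object with its path and a content hash.
PREVIOUS_XML = """<log>
  <item path="c:\\windows\\system32\\svchost.exe" hash="hash-a"/>
  <item path="c:\\windows\\system32\\kernel32.dll" hash="hash-b"/>
  <item path="c:\\windows\\system32\\oldlib.dll" hash="hash-c"/>
</log>"""

CURRENT_XML = """<log>
  <item path="c:\\windows\\system32\\svchost.exe" hash="hash-a"/>
  <item path="c:\\windows\\system32\\kernel32.dll" hash="hash-b2"/>
  <item path="c:\\windows\\system32\\newlib.dll" hash="hash-d"/>
</log>"""


def load_items(xml_text):
    """Map each item's path (case-folded, Windows paths) to its hash."""
    root = ET.fromstring(xml_text)
    return {el.get("path").lower(): el.get("hash") for el in root.iter("item")}


def compare_logs(previous_xml, current_xml):
    """Return the comparison result keyed by category.

    added     - present only in the current log
    removed   - present only in the previous log
    replaced  - same path in both, but the content hash changed
    unchanged - identical in both
    """
    prev = load_items(previous_xml)
    curr = load_items(current_xml)
    result = {"added": [], "removed": [], "replaced": [], "unchanged": []}
    for path in sorted(set(prev) | set(curr)):
        if path not in prev:
            result["added"].append(path)
        elif path not in curr:
            result["removed"].append(path)
        elif prev[path] != curr[path]:
            result["replaced"].append(path)
        else:
            result["unchanged"].append(path)
    return result


def differences(result):
    """Everything except unchanged items: the 'only differences' view."""
    return {k: v for k, v in result.items() if k != "unchanged"}


if __name__ == "__main__":
    for category, paths in differences(compare_logs(PREVIOUS_XML, CURRENT_XML)).items():
        print(category, paths)
```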
5.6.4 Service Script Service script is a tool that provides help to customers that use ESET SysInspector by easily removing unwanted objects from the system. Service script enables the user to export the entire ESET SysInspector log, or its selected parts. After exporting, you can mark unwanted objects for deletion. You can then run the modified log to delete marked objects. Service Script is suited for advanced users with previous experience in diagnosing system issues.
Example:
02) Loaded modules:
- c:\windows\system32\svchost.exe
- c:\windows\system32\kernel32.dll
+ c:\windows\system32\khbekhb.dll
- c:\windows\system32\advapi32.dll
[...]
In this example the module khbekhb.dll was marked by a “+”. When the script runs, it will recognize the processes using that specific module and end them.
03) TCP connections This section contains information about existing TCP connections.
Example:
03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.
Example:
06) Important registry entries:
* Category: Standard Autostart (3 items)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
- IgfxTray = C:\Windows\system32\igfxtray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Google Update = “C:\Users\antoniak\AppData\Local\Google\Update\GoogleUpdate.exe” /c
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://thatcrack.com/
[...
Example:
09) Critical files:
* File: win.ini
- [fonts]
- [extensions]
- [files]
- MAPI=1
[...]
* File: system.ini
- [386Enh]
- woafont=dosapp.fon
- EGA80WOA.FON=EGA80WOA.FON
[...]
* File: hosts
- 127.0.0.1 localhost
- ::1 localhost
[...]
The selected items will either be deleted or reset to their original values.
5.6.4.3 Executing Service scripts Mark all desired items, then save and close the script.
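An added example (not part of ESET SysInspector) that parses a Service Script in the marker format shown in the sections above and reports which items carry a “+”, so a script can be reviewed before it is executed; the sample script is constructed from the manual's examples, with placeholder values for the home page URL and hosts entry.

```python
# Added example, not ESET code: parse a Service Script export where "-" keeps
# an item and "+" marks it for deletion/reset, keeping the section, category or
# file, and registry-key context each item belongs to.
import re

SECTION_RE = re.compile(r"^(\d{2})\) (.+?):\s*$")      # e.g. "06) Important registry entries:"
GROUP_RE = re.compile(r"^\* (Category|File): (.+)$")   # e.g. "* File: hosts"
ITEM_RE = re.compile(r"^([-+]) (.*)$")                 # e.g. "+ c:\...\khbekhb.dll"

# Constructed sample script modelled on the manual's examples (placeholder values).
SAMPLE_SCRIPT = r"""02) Loaded modules:
- c:\windows\system32\svchost.exe
- c:\windows\system32\kernel32.dll
+ c:\windows\system32\khbekhb.dll
- c:\windows\system32\advapi32.dll
06) Important registry entries:
* Category: Standard Autostart (3 items)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
- IgfxTray = C:\Windows\system32\igfxtray.exe
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://homepage.example/
09) Critical files:
* File: hosts
- 127.0.0.1 localhost
+ 0.0.0.0 update.example
"""


def parse_service_script(text):
    """Return one dict per item: section, group, key (registry path), marked, value."""
    items = []
    section = group = key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "[...]":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, group, key = f"{m.group(1)}) {m.group(2)}", None, None
            continue
        m = GROUP_RE.match(line)
        if m:
            group, key = f"{m.group(1)}: {m.group(2)}", None
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, "group": group, "key": key,
                          "marked": m.group(1) == "+", "value": m.group(2)})
            continue
        key = line  # any other line (a registry path) is context for the items below it
    return items


def marked_items(text):
    """Only the items the script would act on."""
    return [it for it in parse_service_script(text) if it["marked"]]


def summary(text):
    """Count of marked items per section, for a quick pre-execution review."""
    counts = {}
    for it in marked_items(text):
        counts[it["section"]] = counts.get(it["section"], 0) + 1
    return counts
```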
Is a specification available for the log file format? What about an SDK? At the current time, neither a specification for the log file nor an SDK is available, since the program is still in development. After the program has been released, we may provide these based on customer feedback and demand.
5.6.6 ESET SysInspector as part of ESET Smart Security To open the ESET SysInspector section in ESET Smart Security, click Tools > ESET SysInspector. The management system in the ESET SysInspector window is similar to that of computer scan logs, or scheduled tasks. All operations with system snapshots – create, view, compare, remove and export – are accessible within one or two clicks.
Windows. Windows AIK supports:
Windows 7
Windows Vista
Windows XP Service Pack 2 with KB926044
Windows XP Service Pack 3
5.7.2 How to create rescue CD To launch the ESET SysRescue wizard, click Start > Programs > ESET > ESET Smart Security > ESET SysRescue. First, the wizard checks for the presence of Windows AIK or ADK and a suitable device for the boot media creation.
5.7.4.1 Folders Temporary folder is a working directory for files required during ESET SysRescue compilation. ISO folder is the folder where the resulting ISO file is saved after the compilation is completed. The list on this tab shows all local and mapped network drives together with the available free space. If some of the folders here are located on a drive with insufficient free space, we recommend that you select another drive with more free space available.
5.7.4.4 Internet protocol This section allows you to configure basic network information and set up predefined connections after running ESET SysRescue. Select Automatic private IP address to obtain the IP address automatically from a DHCP (Dynamic Host Configuration Protocol) server. Alternatively, this network connection can use a manually specified IP address (also known as a static IP address). Select Custom to configure the appropriate IP settings.
5.7.5.1 Using ESET SysRescue Suppose that computers in the network have been infected by a virus which modifies executable (.exe) files. ESET Security solution is capable of cleaning all infected files except for explorer.exe, which cannot be cleaned, even in Safe mode. This is because explorer.exe, as one of the essential Windows processes, is launched in Safe mode as well. ESET Security solution would not be able to perform any action with the file and it would remain infected.
/no-mailbox – do not scan mailboxes
/sfx – scan self-extracting archives (default)
/no-sfx – do not scan self-extracting archives
/rtp – scan runtime packers (default)
/no-rtp – do not scan runtime packers
/unsafe – scan for potentially unsafe applications
/no-unsafe – do not scan for potentially unsafe applications (default)
/unwanted – scan for potentially unwanted a
/no-unwanted
/suspicious
/no-suspicious
/pattern
/no-pattern
/heur
/no-heur
/adv-heur
/no-adv-heur
/ext=EXTENSIONS
/ext-exclude=EXTENSIONS
/clean-mode=MODE
6. Glossary 6.1 Types of infiltration An infiltration is a piece of malicious software trying to enter and/or damage a user's computer. 6.1.1 Viruses A computer virus is a piece of malicious code that is prepended or appended to existing files on your computer. Viruses are named after biological viruses because they use similar techniques to spread from one computer to another. The term "virus" is often used incorrectly to mean any type of threat.
If a file on your computer is detected as a Trojan, it is advisable to delete it, since it most likely contains nothing but malicious code. 6.1.4 Rootkits Rootkits are malicious programs that grant Internet attackers unlimited access to a system, while concealing their presence. Rootkits, after accessing a system (usually exploiting a system vulnerability), use functions in the operating system to avoid detection by antivirus software: they conceal processes, files and Windows registry data.
6.1.7 Packers A packer is a runtime self-extracting executable that rolls up several kinds of malware into a single package. The most common packers are UPX, PE_Compact, PKLite and ASPack. The same malware may be detected differently when compressed using a different packer. Packers also have the ability to make their "signatures" mutate over time, making malware more difficult to detect and remove. 6.1.
6.2.3 Worm attacks A computer worm is a program containing malicious code that attacks host computers and spreads via a network. Network worms exploit security vulnerabilities in various applications. Due to the availability of the Internet, they can spread all over the world within a few hours of their release. Most worm attacks (Sasser, SqlSlammer) can be avoided by using default security settings in the firewall, or by blocking unprotected and unused ports.
To avoid attacks, we recommend that you use authentication passwords or keys. 6.2.7 ICMP attacks The ICMP (Internet Control Message Protocol) is a popular and widely used Internet protocol. It is used primarily by networked computers to send various error messages. Remote attackers attempt to exploit the weaknesses of the ICMP protocol. The ICMP protocol is designed for one-way communication requiring no authentication.
clean and also flagged to be excluded from future scans. If it is on the blacklist, appropriate actions are taken based on the nature of the threat. If no match is found, the file is scanned thoroughly. Based on the results of this scan, files are categorized as threats or non-threats. This approach has a significant positive impact on scanning performance.
6.4.3 Phishing The term phishing defines a criminal activity which uses techniques of social engineering (manipulating users in order to obtain confidential information). Its aim is to gain access to sensitive data such as bank account numbers, PIN codes, etc. Access is usually achieved by sending email masquerading as a trustworthy person or business (e.g., financial institution, insurance company).
6.4.4.2 Whitelist In general, a whitelist is a list of items or persons who are accepted, or have been granted permission. The term "email whitelist" defines a list of contacts from whom the user wishes to receive messages. Such whitelists are based on keywords searched for in email addresses, domain names, or IP addresses. If a whitelist works in "exclusivity mode", then messages from any other address, domain, or IP address will not be received.