System Watcher - Kaspersky Lab
Kaspersky Anti-Virus 2012
System Watcher

Table of Contents
System Watcher
Enabling/disabling System Watcher
Using patterns of dangerous behavior (BSS)
Rolling back actions performed by malware

System Watcher
System Watcher in Kaspersky Anti-Virus 2012 collects data about applications' actions on your computer and provides this information to other components for improved protection.
In Kaspersky Anti-Virus 2012 you can configure the System Watcher settings to perform a specified action when an application's activity matches a pattern of dangerous activity.
System Watcher also allows you to roll back actions performed by malicious programs.

Enabling/disabling System Watcher
By default, System Watcher is enabled and runs in a mode that depends on the current mode of Kaspersky Anti-Virus 2012: automatic or interactive.
Avoid disabling the component except in emergencies, since doing so inevitably reduces the efficiency of Proactive Defense and of other protection components that may request the data collected by System Watcher in order to identify a detected potential threat.
To enable or disable System Watcher, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select System Watcher.
3. In the right part of the window:
   ► Uncheck the Enable System Watcher box if you want to disable the component.
   ► Check the Enable System Watcher box if you want to enable the component.
4. Click the Apply button.

Using patterns of dangerous behavior (BSS)
Patterns of dangerous activity (BSS – Behavior Stream Signatures) contain sequences of actions typical of applications classified as dangerous. In addition to exact matches between an application's activity and patterns of dangerous activity, System Watcher also detects actions that partly match such patterns and are considered suspicious based on heuristic analysis. If suspicious activity is detected, System Watcher prompts the user for action regardless of the operation mode.
When a new virus or a new modification of already known malware is detected, the application does not update the entire System Watcher component; it simply adds a new template to the database of heuristics, which is updated together with the Kaspersky Lab databases.
To select the action that the component should perform if an application's activity matches a pattern of dangerous activity, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select System Watcher.
3. In the right part of the component settings, in the Heuristic Analysis section, check the Use updatable patterns of dangerous activity (BSS) box.
4. In the On detecting malware activity section perform the following actions:
   ► Select the Select action automatically variant (if the automatic protection mode is enabled). In this case System Watcher will automatically apply an action recommended by Kaspersky Lab specialists.
   ► Select the Prompt for action variant (if the interactive protection mode is enabled). In this case System Watcher will notify you of any suspicious activity detected in the system and will prompt for action: allow or block the activity.
   ► Choose the Select action variant:
      ► Move file to Quarantine (the malicious application will be moved to Quarantine).
      ► Terminate the malicious application (all processes of the malicious application will be terminated).
      ► Ignore (System Watcher takes no action on the application).
5. Click the Apply button.
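
The matching and response behaviour described in this section can be sketched as follows. This is an added illustration, not Kaspersky Lab code or real BSS content: the pattern names, event names, the `MIN_PARTIAL_STEPS` threshold, the setting strings and all function names are assumptions made for the example.

```python
from enum import Enum

class Verdict(Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"  # activity partly matches a pattern
    DANGEROUS = "dangerous"    # activity matches a whole pattern

# Constructed patterns (hypothetical, not real BSS data): ordered action sequences.
PATTERNS = {
    "autorun-dropper": ["write_exe", "set_autorun_key", "inject_process"],
    "mass-rewrite": ["enumerate_docs", "overwrite_file", "delete_original"],
}
MIN_PARTIAL_STEPS = 2  # assumed threshold for a "partial" match

def steps_matched(events, pattern):
    """Count leading pattern steps that appear, in order, in the event stream."""
    i = 0
    for event in events:
        if i < len(pattern) and event == pattern[i]:
            i += 1
    return i

def classify(events):
    """Return (verdict, pattern_name) for one application's action stream."""
    result = (Verdict.CLEAN, None)
    for name, pattern in PATTERNS.items():
        n = steps_matched(events, pattern)
        if n == len(pattern):
            return Verdict.DANGEROUS, name
        if n >= MIN_PARTIAL_STEPS:
            result = (Verdict.SUSPICIOUS, name)
    return result

def respond(verdict, configured):
    """configured: 'auto', 'prompt', 'quarantine', 'terminate' or 'ignore'."""
    if verdict is Verdict.CLEAN:
        return "none"
    if verdict is Verdict.SUSPICIOUS:
        return "prompt"  # partial matches prompt the user regardless of mode
    # Exact match: 'auto' stands in for the vendor-recommended action.
    return "recommended" if configured == "auto" else configured

# Constructed event stream: unrelated actions interleaved with pattern steps.
sample = ["open_window", "write_exe", "read_config", "set_autorun_key"]
if __name__ == "__main__":
    verdict, name = classify(sample)
    print(verdict.value, name, respond(verdict, "quarantine"))
```

The sample stream completes two of the three steps of one pattern, so it is classified as suspicious and the configured Quarantine action is not applied; the user is prompted instead.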

Rolling back actions performed by malware
You can use the product to roll back the actions performed by malware in the system. For rollback to be possible, System Watcher must log the history of program activity.
By default, KAV 2012 rolls back relevant operations automatically when the protection components detect malicious activity. Rollback after malicious activity is detected can be initiated by the System Watcher component based on patterns of dangerous activity, by Proactive Defense, during a virus scan task, or during File Anti-Virus operation.
When running in interactive mode, System Watcher prompts the user for action. You can specify the operation that should be performed whenever malicious activity is detected. The procedure of rolling back malware operations affects a strictly defined set of data. It causes no negative consequences for the operating system or for data integrity on your computer.
To configure rollback of malware operations, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select System Watcher.
3. In the right part of the component settings, in the Rollback of malware actions section, specify the action that System Watcher should perform if it is able to roll back changes made by a malicious program:
   ► Select the Select action automatically variant (if the automatic protection mode is enabled). In this case System Watcher will automatically apply an action recommended by Kaspersky Lab specialists.
   ► Select the Prompt for action variant (if the interactive protection mode is enabled). In this case System Watcher will notify you that rollback is necessary and will prompt for action: perform or cancel rollback.
   ► Select action. If you choose the Select action variant, select an action from the drop-down list:
      ► Roll back
      ► Do not roll back
Note that you can limit the amount of data stored for rollback by checking the corresponding box in the Limit data to be stored for rollback section.
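
Why rollback depends on a logged activity history, and what a storage limit can cost, is shown in the toy model below. It is an added example and not the product's implementation: the class, the process IDs, the sample data and the rule that a full journal drops its oldest entries are all assumptions.

```python
from collections import deque

MISSING = object()  # marks "this item did not exist before the change"

class ActivityJournal:
    """Toy model: record the prior state before each change so it can be undone."""
    def __init__(self, store, max_entries=None):
        self.store = store                    # dict standing in for files/settings
        self.log = deque(maxlen=max_entries)  # assumed: oldest entries drop when full

    def write(self, pid, key, value):
        self.log.append((pid, key, self.store.get(key, MISSING)))
        self.store[key] = value

    def delete(self, pid, key):
        if key in self.store:
            self.log.append((pid, key, self.store.pop(key)))

    def rollback(self, pid):
        """Undo only the changes journaled for pid, newest first."""
        keep, undone = [], 0
        for entry in reversed(self.log):
            owner, key, old = entry
            if owner != pid:
                keep.append(entry)            # other applications are untouched
                continue
            if old is MISSING:
                self.store.pop(key, None)     # item was created by pid: remove it
            else:
                self.store[key] = old         # item was changed or deleted: restore
            undone += 1
        self.log = deque(reversed(keep), maxlen=self.log.maxlen)
        return undone

def demo(max_entries=None):
    # Constructed data: pid 100 is an unrelated application, pid 666 is flagged.
    store = {"doc.txt": "report", "hosts": "127.0.0.1 localhost"}
    journal = ActivityJournal(store, max_entries)
    journal.write(100, "notes.txt", "benign edit")
    journal.write(666, "doc.txt", "ENCRYPTED")
    journal.write(666, "dropper.exe", "constructed sample")
    journal.delete(666, "hosts")
    journal.rollback(666)
    return store

if __name__ == "__main__":
    print(demo())               # full history: every pid 666 change is undone
    print(demo(max_entries=2))  # limited history: doc.txt stays modified
```

In this model only the flagged process's changes are reverted, and with a two-entry limit the earliest change has already left the journal, so it cannot be restored.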