ESET NOD32 Antivirus 4

eset.la.com

1. ESET NOD32 Antivirus 4

As a result of the increasing popularity of Mac-based operating systems, malware authors are developing more threats to target Mac users. ESET NOD32 Antivirus for Mac offers users efficient protection against threats. ESET NOD32 Antivirus for Mac includes the ability to deflect Windows threats, protecting Mac users as they interact with Windows users and vice versa. Windows malware does not pose a direct threat to Mac, but disabling malware that has infected a Mac machine will prevent its spread to Windows-based computers through a local network or the Internet.

1.1 System requirements

For the seamless operation of ESET NOD32 Antivirus, your system should meet the following hardware and software requirements:

ESET NOD32 Antivirus:
Processor architecture: 32-bit, 64-bit Intel®
System: 10.5 and later


3. Beginners guide

This chapter provides an initial overview of ESET NOD32 Antivirus and its basic settings.

3.1 Introducing user interface design - modes

The main program window of ESET NOD32 Antivirus is divided into two main sections. The primary window on the right displays information that corresponds to the option selected from the main menu on the left.

The following is a description of options within the main menu:

Protection status – Provides information about the protection status of ESET NOD32 Antivirus. If Advanced mode is activated, the Statistics submenu will display.
Computer scan – This option allows you to configure and launch the On-demand computer scan.
Update – Displays information about updates to the virus signature database.
Setup – Select this option to adjust your computer's security level. If Advanced mode is activated, the Antivirus and antispyware submenu will display.
Tools – Provides access to Log files, Quarantine and Scheduler. This option only displays in Advanced mode.
Help – Provides access to help files, the ESET Knowledgebase, ESET's website and links to open a Customer Care support request.

The ESET NOD32 Antivirus user interface allows users to toggle between Standard and Advanced mode. Standard mode provides access to features required for common operations. It does not display any advanced options. To toggle between modes, click the plus icon next to Activate advanced mode/Activate standard mode in the bottom left corner of the main program window.

Advanced mode:

3.1.1 Checking operation of the system

To view the Protection status, click the top option from the main menu. A status summary about the operation of ESET NOD32 Antivirus will display in the primary window as well as a submenu with Statistics. Select it to view more detailed information and statistics about computer scans that have been performed on your system. The Statistics window is available only in Advanced mode.

The Standard mode provides access to features required for common operations. It does not display any advanced options. Toggling to Advanced mode adds the Tools option to the main menu. The Tools option allows you to access the submenus for Log files, Quarantine and Scheduler.

NOTE: All remaining instructions in this guide take place in Advanced mode.

Standard mode:

3.1.2 What to do if the program doesn't work properly

If the modules enabled are working properly, they are assigned a green check icon. If not, a red exclamation point or orange notification icon is displayed, and additional information about the module is shown in the upper part of the window. A suggested solution for fixing the module is also displayed. To change the status of individual modules, click Setup in the main menu and click on the desired module.


protection. You can enter the ThreatSense engine setup window by clicking the Setup... button next to ThreatSense Engine in the Advanced Setup window. For more detailed information about ThreatSense engine parameters, see ThreatSense engine parameter setup (page 11).

4.1.1.2 When to modify real-time protection configuration

Real-time protection is the most essential component of maintaining a secure system. Use caution when modifying the real-time protection parameters. We recommend that you only modify these parameters in specific cases, for example when there is a conflict with a certain application or with the real-time scanner of another antivirus program.

After installation of ESET NOD32 Antivirus, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottom-left of the Real-time file system protection window (Advanced Setup window > Protection > Real-time protection).

4.1.1.3 Checking real-time protection

To verify that real-time protection is working and detecting viruses, use the eicar.com test file. This test file is a special harmless file detectable by all antivirus programs. The file was created by the EICAR company (European Institute for Computer Antivirus Research) to test the functionality of antivirus programs. The file eicar.com is available for download at http://www.eicar.org/download/eicar.com

4.1.1.4 What to do if real-time protection does not work

In this chapter, we describe problem situations that may arise when using real-time protection, and how to troubleshoot them.

Real-time protection is disabled
If real-time protection was inadvertently disabled by a user, it needs to be reactivated. To reactivate real-time protection, navigate to Setup > Antivirus and antispyware and click the Enable real-time file system protection link (to the right) in the main program window. You can alternatively enable the real-time file system protection in the Advanced setup window under Protection > Real-Time Protection by selecting the Enable real-time file system protection option.

Real-time protection does not detect and clean infiltrations
Make sure that no other antivirus programs are installed on your computer. If two real-time protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs that may be on your system.

Real-time protection does not start
If real-time protection is not initiated at system startup, it may be due to conflicts with other programs. If this is the case, please consult ESET's Customer Care specialists.

4.1.2 On-demand computer scan

If you suspect that your computer is infected (it behaves abnormally), run an On-demand computer scan to examine your computer for infiltrations. For maximum protection, computer scans should be run regularly as part of routine security measures, not just when an infection is suspected. Regular scanning can detect infiltrations that were not detected by the real-time scanner when they were saved to the disk. This can happen if the real-time scanner was disabled at the time of infection, or if the virus signature database is not up-to-date.

We recommend that you run an On-demand computer scan at least once a month. Scanning can be configured as a scheduled task from Tools > Scheduler.


4.1.2.1 Type of scan

Two types of On-demand computer scans are available. Smart scan quickly scans the system with no need for further configuration of the scan parameters. Custom scan allows you to select any of the predefined scan profiles, as well as choose specific scan targets.

4.1.2.1.1 Smart scan

Smart scan allows you to quickly launch a computer scan and clean infected files with no need for user intervention. Its main advantages are easy operation with no detailed scanning configuration. Smart scan checks all files in all folders and automatically cleans or deletes detected infiltrations. The cleaning level is automatically set to the default value. For more detailed information on types of cleaning, see the section on Cleaning (page 12).

4.1.2.1.2 Custom scan

Custom scan is optimal if you would like to specify scanning parameters such as scan targets and scanning methods. The advantage of running a Custom scan is the ability to configure the parameters in detail. Different configurations can be saved as user-defined scan profiles, which can be useful if scanning is repeatedly performed with the same parameters.

To select scan targets, select Computer scan > Custom scan and select specific Scan targets from the tree structure. A scan target can also be more precisely specified by entering the path to the folder or file(s) you wish to include. If you are only interested in scanning the system without additional cleaning actions, select the Scan without cleaning option. Furthermore, you can choose from three cleaning levels by clicking Setup... > Cleaning.

To help you create a scan profile to fit your needs, see the ThreatSense engine parameters setup section (page 11) for a description of each parameter of the scan setup.

Example: Suppose that you want to create your own scan profile and the Smart scan configuration is partially suitable, but you do not want to scan runtime packers or potentially unsafe applications and you also want to apply Strict cleaning. In the On-demand Scanner Profiles List window, write the profile name, click Add... and confirm by clicking OK. Then adjust the parameters to meet your requirements by setting ThreatSense Engine and Scan Targets.

Performing computer scans with Custom scan is recommended for advanced users with previous experience using antivirus programs.

4.1.2.2 Scan targets

The Scan targets tree structure allows you to select files and folders to be scanned for viruses. Folders may also be selected according to a profile's settings.

A scan target can be more precisely defined by entering the path to the folder or file(s) you wish to include in scanning. Select targets from the tree structure that lists all available folders on the computer.

4.1.2.3 Scan profiles

Your preferred scan settings can be saved for future scanning. We recommend that you create a different profile (with various scan targets, scan methods and other parameters) for each regularly used scan.

To create a new profile, go to Setup > Enter entire advanced setup tree... > Protection > Computer Scan and click Edit... next to the list of current profiles.

4.1.3 ThreatSense engine parameters setup

ThreatSense is the name of the technology consisting of complex threat detection methods. This technology is proactive, which means it also provides protection during the early hours of the spread of a new threat. It uses a combination of several methods (code analysis, code emulation, generic signatures, virus signatures) which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing the efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.


The ThreatSense technology setup options allow you to specify several scan parameters:
File types and extensions that are to be scanned
The combination of various detection methods
Levels of cleaning, etc.

To enter the setup window, click Setup > Antivirus and antispyware > Advanced Antivirus and Antispyware protection setup and then click the Setup... button located in the System Protection, Real-Time Protection and Computer Scan wildcards, which all use ThreatSense technology (see below). Different security scenarios could require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:
System Protection > Automatic startup file check
Real-Time Protection > Real-time file system protection
Computer Scan > On-demand computer scan

The ThreatSense parameters are specifically optimized for each module, and their modification can significantly influence system operation. For example, changing settings to always scan runtime packers, or enabling advanced heuristics in the real-time file system protection module, could result in a slower system. Therefore, we recommend that you leave the default ThreatSense parameters unchanged for all modules except Computer scan.

4.1.3.1 Objects

The Objects section allows you to define which computer files will be scanned for infiltrations.

Files – Provides scanning of all common file types (programs, pictures, audio, video files, database files, etc.).
Symbolic links – Scans a special type of file that contains a text string which is interpreted and followed by the operating system as a path to another file or directory.
Email files – Scans special files where email messages are contained.
Mailboxes – Scans user mailboxes in the system.
Archives – Provides scanning of files compressed in archives (.rar, .zip, .arj, .tar, etc.).
Self-extracting archives – Scans files which are contained in self-extracting archive files.
Runtime packers – Runtime packers (unlike standard archive types) decompress in memory, in addition to standard static packers (UPX, yoda, ASPack, FGS, etc.).

4.1.3.2 Options

In the Options section, you can select the methods used during a scan of the system for infiltrations. The following options are available:

Virus signature database – Signatures can exactly and reliably detect and identify infiltrations by name using the virus signature database.
Heuristics – Heuristics use an algorithm that analyzes the (malicious) activity of programs. The main advantage of heuristic detection is the ability to detect new malicious software which did not previously exist, or was not included in the list of known viruses (virus signature database).
Advanced heuristics – Advanced heuristics comprise a unique heuristic algorithm, developed by ESET, optimized for detecting computer worms and trojan horses written in high-level programming languages. The program's detection ability is significantly higher as a result of advanced heuristics.
Adware/Spyware/Riskware – This category includes software that collects sensitive information about users without their informed consent. This category also includes software which displays advertising material.
Potentially unwanted applications – Potentially unwanted applications are not necessarily intended to be malicious, but may affect the performance of your computer in a negative way. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (compared to the way it behaved before these applications were installed). The most significant changes include unwanted pop-up windows, activation and running of hidden processes, increased usage of system resources, changes in search results, and applications communicating with remote servers.
Potentially unsafe applications – Potentially unsafe applications refer to commercial, legitimate software. The classification includes programs such as remote access tools, which is why this option is disabled by default.

4.1.3.3 Cleaning

The cleaning settings determine the manner in which the scanner cleans infected files. There are 3 levels of cleaning:

No cleaning – Infected files are not cleaned automatically. The program will display a warning window and allow you to choose an action.
Standard cleaning – The program will attempt to automatically clean or delete an infected file. If it is not possible to select the correct action automatically, the program will offer a choice of follow-up actions. The choice of follow-up actions will also be displayed if a predefined action could not be completed.


Strict cleaning – The program will clean or delete all infected files (including archives). The only exceptions are system files. If it is not possible to clean them, you will be offered an action to take in a warning window.

Warning: In the default Standard cleaning mode, the entire archive file is deleted only if all files in the archive are infected. If the archive also contains legitimate files, it will not be deleted. If an infected archive file is detected in Strict cleaning mode, the entire archive will be deleted, even if clean files are present.

4.1.3.4 Extensions

An extension is the part of the file name delimited by a period. The extension defines the type and content of the file. This section of the ThreatSense parameter setup lets you define the types of files to be excluded from scanning.

By default, all files are scanned regardless of their extension. Any extension can be added to the list of files excluded from scanning. Using the Add and Remove buttons, you can enable or prohibit scanning of desired extensions.

Excluding files from scanning is sometimes necessary if scanning of certain file types prevents the proper function of a program that is using the extensions. For example, it may be advisable to exclude the .log, .cfg and .tmp extensions.

4.1.3.5 Limits

The Limits section allows you to specify the maximum size of objects and levels of nested archives to be scanned:

Maximum size: Defines the maximum size of objects to be scanned. The antivirus module will then scan only objects smaller than the size specified. We do not recommend changing the default value, as there is usually no reason to modify it. This option should only be changed by advanced users who have specific reasons for excluding larger objects from scanning.
Maximum scan time: Defines the maximum time allotted for scanning an object. If a user-defined value has been entered here, the antivirus module will stop scanning an object when that time has elapsed, whether or not the scan has finished.
Maximum nesting level: Specifies the maximum depth of archive scanning. We do not recommend changing the default value of 10; under normal circumstances, there should be no reason to modify it. If scanning is prematurely terminated due to the number of nested archives, the archive will remain unchecked.
Maximum file size: This option allows you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. If scanning is prematurely terminated as a result of this limit, the archive will remain unchecked.

4.1.3.6 Others

With Smart Optimization enabled, the most optimal settings are used to ensure the most efficient scanning level while simultaneously maintaining the highest scanning speeds. The various protection modules scan intelligently, each making use of different scanning methods and applying them to specific file types. Smart Optimization is not rigidly defined within the product; on the contrary, the ESET Development Team keeps it flexible, implementing new changes continuously, which are then integrated into the ESET security solution via the regular updates. If Smart Optimization is disabled, only the user-defined settings in the ThreatSense core of the particular modules are applied when performing a scan.

Scan alternative data streams (Computer scan only)
Alternate data streams (resource/data forks) used by the file system are file and folder associations which are invisible from ordinary scanning techniques.
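To make the archive rules from the Cleaning and Limits sections above concrete, here is an added Python illustration (not ESET's code; Policy, scan_archive, archive_action and the INFECTED_MARKER stand-in for a signature hit are assumptions of the example): it walks a nested ZIP under the nesting-level, extracted-size and extension-exclusion rules, marks the archive "unchecked" when a limit stops the walk, and then decides the archive's fate under Standard versus Strict cleaning.

```python
"""Model of ThreatSense-style archive limits and cleaning levels.

Added illustration, not ESET's code.  It mirrors the guide's rules:
members beyond the nesting or extracted-size limit leave the archive
"unchecked", excluded extensions are skipped, and an archive is deleted
under Standard cleaning only if every scanned member is infected, while
Strict cleaning deletes it if any member is infected.  Detection is a
constructed stand-in (a marker string) for a real signature engine.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Constructed marker that plays the role of a signature match.
INFECTED_MARKER = b"CONSTRUCTED-INFECTED-SAMPLE"


@dataclass
class Policy:
    max_nesting_level: int = 10        # guide default
    max_file_size: int = 1_000_000     # bytes, for members once extracted
    excluded_extensions: tuple = ()    # e.g. (".log", ".cfg", ".tmp")


@dataclass
class ScanResult:
    scanned: list = field(default_factory=list)   # member paths examined
    infected: list = field(default_factory=list)  # subset that was flagged
    unchecked: bool = False   # a limit stopped the walk; archive not fully checked


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(data: bytes, levels: int) -> bytes:
    """Wrap an archive inside `levels` further ZIP layers."""
    for i in range(levels):
        data = build_zip({f"level{i}.zip": data})
    return data


def scan_archive(data: bytes, policy: Policy, result: ScanResult = None,
                 depth: int = 1, prefix: str = "") -> ScanResult:
    """Recursively walk a ZIP, honouring nesting, size and extension rules."""
    if result is None:
        result = ScanResult()
    if depth > policy.max_nesting_level:
        result.unchecked = True           # deeper layers stay unexamined
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if path.lower().endswith(policy.excluded_extensions):
                continue                  # extension exclusion: not scanned at all
            if info.file_size > policy.max_file_size:
                result.unchecked = True   # too large once extracted
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                scan_archive(member, policy, result, depth + 1, path + "/")
            else:
                result.scanned.append(path)
                if INFECTED_MARKER in member:
                    result.infected.append(path)
    return result


def archive_action(result: ScanResult, level: str) -> str:
    """Decide the archive's fate: 'keep', 'delete', 'prompt' or 'unchecked'."""
    if result.unchecked:
        return "unchecked"
    if not result.infected:
        return "keep"
    if level == "strict":
        return "delete"                   # any infected member is enough
    if level == "standard":
        all_bad = len(result.infected) == len(result.scanned)
        return "delete" if all_bad else "keep"
    return "prompt"                       # 'none': ask the user
```

Running scan_archive on a sample that mixes one clean and one flagged member shows the difference the guide warns about: "keep" under Standard cleaning, "delete" under Strict, and "unchecked" once a tenth nested layer or an oversized member is hit.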
Many infiltrations try to avoid detection by disguising themselves as alternate data streams.

4.1.4 An infiltration is detected

Infiltrations can reach the system from various entry points: webpages, shared folders, email or removable computer devices (USB, external disks, CDs, DVDs, diskettes, etc.).

If your computer is showing signs of malware infection, e.g., it is slower, often freezes, etc., we recommend the following steps:
Open ESET NOD32 Antivirus and click Computer scan.
Click Smart scan (for more information, see the Smart scan section, page 11).
After the scan has finished, review the log for the number of scanned, infected and cleaned files.
If you only wish to scan a certain part of your disk, click Custom scan and select targets to be scanned for viruses.

As a general example of how infiltrations are handled in ESET NOD32 Antivirus, suppose that an infiltration is detected by the real-time file system monitor, which uses the Default cleaning level. It will attempt to clean or delete the file. If there is no predefined action to take for the real-time protection module, you will be asked to select an option in an alert window. Usually, the options Clean, Delete and No action are available. Selecting No action is not recommended, since the infected file(s) would be left untouched. An exception to this is when you are sure that the file is harmless and has been detected by mistake.

Cleaning and deleting – Apply cleaning if a file has been attacked by a virus that has attached malicious code to


it. If this is the case, first attempt to clean the infected file in order to restore it to its original state. If the file consists exclusively of malicious code, it will be deleted.

Deleting files in archives – In the Default cleaning mode, the entire archive will be deleted only if it contains infected files and no clean files. In other words, archives are not deleted if they also contain harmless clean files. However, use caution when performing a Strict cleaning scan – with Strict cleaning the archive will be deleted if it contains at least one infected file, regardless of the status of other files in the archive.

4.2 Updating the program

Regular updates of ESET NOD32 Antivirus are necessary to maintain the maximum level of security. The Update module ensures that the program is always up to date by updating the virus signature database.

By clicking Update from the main menu, you can find the current update status, including the date and time of the last successful update and whether an update is needed. The primary window also contains the virus signature database version. This numeric indicator is an active link to ESET's website, listing all signatures added during the given update.

In addition, the option to manually begin the update process – Update virus signature database – is available, as well as basic setup options such as the username and password used to access ESET's update servers.

NOTE: Your username and password are provided by ESET after purchasing ESET NOD32 Antivirus.

4.2.1 Update setup

The update setup section specifies update source information such as the update servers and authentication data for these servers. By default, the Update server drop-down menu is set to Choose automatically to ensure that update files will automatically download from the ESET server with the least network traffic.

The list of available update servers is accessible via the Update server drop-down menu. To add a new update server, click Edit... Then enter the address of the new server in the Update Server input field and click the Add button. Authentication for update servers is based on the Username and Password generated and sent to you after purchase.

To enable the use of test mode (downloads pre-release updates), click the Setup... button next to Advanced Options, select the Enable pre-release updates checkbox in the dialog and confirm by pressing OK.

To delete all temporarily stored update data, click the Clear button next to Clear update cache. Use this option in the case of problems with the update.

4.2.2 How to create update tasks

Updates can be triggered manually by clicking Update virus signature database in the primary window displayed after clicking Update from the main menu.

Updates can also be run as scheduled tasks. To configure a scheduled task, click Tools > Scheduler. By default, the following tasks are activated in ESET NOD32 Antivirus:
Regular automatic update
Automatic update after user logon

Each of the aforementioned update tasks can be modified to meet your needs. In addition to the default update tasks, you can create new update tasks with a


user-defined configuration. For more details about creating and configuring update tasks, see the section titled Scheduler (page 15).

System startup file check

4.3 Scheduler

The Scheduler is available if Advanced mode in ESET NOD32 Antivirus is activated. The Scheduler can be found in the ESET NOD32 Antivirus main menu under Tools. The Scheduler contains a list of all scheduled tasks and configuration properties such as the predefined date, time, and scanning profile used.

By default, the following scheduled tasks are displayed in the Scheduler:
Regular automatic update
Automatic update after user logon
Automatic startup file check after user logon
Automatic startup file check after successful update of the virus signature database
Log maintenance (after enabling the Show system tasks option in the scheduler setup)

To edit the configuration of an existing scheduled task (both default and user-defined), right-click the task and click Edit... or select the desired task you wish to modify and click the Edit... button.

4.3.1 Purpose of scheduling tasks

The Scheduler manages and launches scheduled tasks with predefined configurations and properties. The configuration and properties contain information such as the date and time as well as specified profiles to be used during execution of the task.

4.3.2 Creating new tasks

To create a new task in the Scheduler, click the Add... button or right-click and select Add... from the context menu. Five types of scheduled tasks are available:
Run application
Update
Logs maintenance
On-demand scan

Since Update is one of the most frequently used scheduled tasks, we will explain how to add a new update task.

From the Scheduled task drop-down menu, select Update. Enter the name of the task into the Task name field. Select the frequency of the task from the Run the task drop-down menu. The following options are available: User defined, Once, Repeatedly, Daily, Weekly and Event triggered. Based on the frequency selected, you will be prompted with different update parameters. Next, define what action to take if the task cannot be performed or completed at the scheduled time. The following three options are available:
Wait until the next scheduled time
Run task as soon as possible
Run the task immediately if the time since its last execution exceeds the specified interval (the interval can be defined using the Minimum task interval scroll box)

In the next step, a summary window with information about the current scheduled task is displayed. Click the Finish button. The new scheduled task will be added to the list of currently scheduled tasks.

The system, by default, contains essential scheduled tasks to ensure correct product functionality. These should not be altered, and are hidden by default. To change this option and make these tasks visible, enter Setup > Enter entire advanced setup tree > Tools > Scheduler and select the Show system tasks option.


4.4 Quarantine

The main task of quarantine is to safely store infected files. Files should be quarantined if they cannot be cleaned, if it is not safe or advisable to delete them, or if they are being falsely detected by ESET NOD32 Antivirus. You can choose to quarantine any file. This is advisable if a file behaves suspiciously but is not detected by the antivirus scanner. Quarantined files can be submitted for analysis to ESET's Threat Lab.

Files stored in the quarantine folder can be viewed in a table which displays the date and time of quarantine, the path to the original location of the infected file, its size in bytes, reason (e.g., added by user…), and number of threats (e.g., if it is an archive containing multiple infiltrations). The quarantine folder with quarantined files (/Library/Application Support/Eset/cache/esets/quarantine) remains in the system even after uninstalling ESET NOD32 Antivirus. Quarantined files are stored in a safe encrypted form and can be restored again after installing ESET NOD32 Antivirus.

4.4.1 Quarantining files

ESET NOD32 Antivirus automatically quarantines deleted files (if you have not cancelled this option in the alert window). If desired, you can quarantine any suspicious file manually by clicking the Quarantine... button. The context menu can also be used for this purpose – right-click in the Quarantine window and select Open.

4.4.2 Restoring from Quarantine

Quarantined files can also be restored to their original location. Use the Restore button for this purpose; Restore is also available from the context menu by right-clicking on the given file in the Quarantine window, then clicking Restore. The context menu also offers the option Restore to, which allows you to restore a file to a location other than the one from which it was deleted.

4.4.3 Submitting file from Quarantine

If you have quarantined a suspicious file that was not detected by the program, or if a file was incorrectly evaluated as infected (e.g., by heuristic analysis of the code) and subsequently quarantined, please send the file to ESET's Threat Lab. To submit a file from quarantine, right-click the file and select Send for analysis from the context menu.

4.5 Log files

The Log files contain information about all important program events that have occurred and provide an overview of detected threats. Logging acts as an essential tool in system analysis, threat detection and troubleshooting. Logging is performed actively in the background with no user interaction. Information is recorded based on the current log verbosity settings. It is possible to view text messages and logs directly from the ESET NOD32 Antivirus environment, as well as to archive logs.

Log files are accessible from the ESET NOD32 Antivirus main menu by clicking Tools > Log files. Select the desired log type using the Log drop-down menu at the top of the window. The following logs are available:
1. Detected threats – Use this option to view all information about events related to the detection of infiltrations.
2. Events – This option is designed for system administrators and users to solve problems. All important actions performed by ESET NOD32 Antivirus are recorded in the Event logs.
3. On-demand computer scan – Results of all completed scans are displayed in this window. Double-click any entry to view details of the respective On-demand computer scan.

In each section, the displayed information can be directly copied to the clipboard by selecting the entry and clicking on the Copy button.

4.5.1 Log maintenance

The logging configuration for ESET NOD32 Antivirus is accessible from the main program window. Click Setup > Enter entire advanced setup tree... > Tools > Log files. You can specify the following options for log files:
Delete old records automatically: Log entries older than the specified number of days are automatically deleted.
Optimize log files automatically: Enables automatic defragmentation of log files if the specified percentage of unused records has been exceeded.

To configure the Log Records Default Filter, click the Edit... button and select/deselect log types as required.

4.6 User interface

The user interface configuration options in ESET NOD32 Antivirus allow you to adjust the working environment to fit your needs. These configuration options are accessible from the User > Interface section of the ESET NOD32 Antivirus Advanced Setup window.

In this section, the Advanced mode option gives users


the ability to allow toggling to Advanced mode. Advanced mode displays more detailed settings and additional controls for ESET NOD32 Antivirus.

To enable the startup splash screen functionality, select the Show splash-screen at startup option.

In the Use standard menu section you can select the In standard mode/In advanced mode options to enable the use of the standard menu in the main program window in the respective display mode(s).

To enable the use of tool tips, select the Show tooltips option. The Show hidden files option allows you to see and select hidden files in the Scan Targets setup of a Computer Scan.

4.6.1 Alerts and Notifications

The Notifications setup section under User interface allows you to configure how threat alerts and system notifications are handled in ESET NOD32 Antivirus. Disabling the Display alerts option will cancel all alert windows and is only suitable in specific situations. For most users, we recommend that this option be left at its default setting (enabled).

4.6.2 Privileges

To protect the program configuration, you can define a list of privileged users that will have permission to edit it.

In order to provide maximum security for your system, it is essential that the program be correctly configured. Unauthorized modifications could result in the loss of important data. To set a list of privileged users, simply select them from the Users list on the left side and click the Add button. To remove a user, simply select his/her name in the Privileged Users list on the right side and click Remove.

NOTE: If the list of privileged users is empty, all users of the system will have permission to edit the program settings.

4.6.3 Context Menu

The context menu integration can be enabled in the Advanced setup window > User > Context Menu section by enabling the Integrate into the context menu checkbox.

4.7 ThreatSense.Net

The ThreatSense.Net Early Warning System keeps ESET immediately and continuously informed about new infiltrations. The bidirectional ThreatSense.Net Early Warning System has a single purpose – to improve the protection that we can offer you. The best way to ensure that we see new threats as soon as they appear is to "link" to as many of our customers as possible and use them as our Threat Scouts. There are two options:
1. You can decide not to enable the ThreatSense.Net Early Warning System. You will not lose any functionality in the software, and you will still receive the best protection that we offer.
2. You can configure the ThreatSense.Net Early Warning System to submit anonymous information about new threats and where the new threatening code is contained. This file can be sent to ESET for detailed analysis. Studying these threats will help ESET update its database of threats and improve the program's threat detection ability.

The ThreatSense.Net Early Warning System will collect information about your computer related to newly detected threats. This information may include a sample or copy of the file in which the threat appeared, the path to that file, the filename, the date and time, the process by which the threat appeared on your computer and information about your computer's operating system. While there is a chance this may occasionally disclose some information about you or your computer (usernames in a directory path, etc.) to ESET's Threat Lab, this information will not be used for ANY purpose other than to help us respond immediately to new threats.

The ThreatSense.Net setup is accessible from the


Advanced Setup window, under Tools > ThreatSense.Net. Select the Enable ThreatSense.Net Early WarningSystem option to activate and then click the Setup...button beside the Advanced Options heading.4.7.1 Suspicious filesThe Suspicious files option allows you to configure themanner in which threats are submitted to ESET‘s ThreatLab for analysis.If you find a suspicious file, you can submit it to ourThreat Labs for analysis. If it is a malicious application, itsdetection will be added to the next virus signaturedatabase update.Submission of Suspicious Files - You can choose tosend these files During Update, meaning they will besubmitted to ESET's Threat Lab during a regular virussignature database update. Alternatively, you canchoose to send them As soon as possible – this settingis suitable if a permanent Internet connection isavailable.If you do not want any files to be submitted, select theDo not submit option. Selecting not to submit files foranalysis does not affect submission of statisticalinformation, which is configured in a separate area.The ThreatSense.Net Early Warning System collectsanonymous information about your computer related tonewly detected threats. This information may includethe name of the infiltration, the date and time it wasdetected, the ESET security product version, youroperating system version and the location setting. Thestatistics are typically delivered to ESET‘s servers once ortwice a day.Below is an example of a statistical package submitted:means. Select the Remote Administrator Server optionto submit files and statistics to the remote administratorserver, which will then submit them to ESET’s ThreatLab. If the option ESET is selected, all suspicious files andstatistical information will be sent to ESET’s virus labdirectly from the program.Exclusion filter – The Exclusion filter allows you toexclude certain files/folders from submission. 
Forexample, it may be useful to exclude files which maycarry confidential information, such as documents orspreadsheets. The most common file types are excludedby default (.doc, etc.). You can add file types to the list ofexcluded files.Contact email – Your Contact email [optional] can besent with any suspicious files and may be used tocontact you if further information is required for analysis.Please note that you will not receive a response fromESET unless more information is needed.4.7.2 Proxy serverProxy server settings can be configured underMiscellaneous > Proxy server. Specifying the proxyserver at this level defines global proxy server settingsfor all of ESET NOD32 Antivirus. Parameters here will beused by all modules requiring connection to theInternet.To specify proxy server settings for this level, select theUse proxy server check box and then enter the addressof the proxy server into the Proxy server: field, alongwith the Port number of the proxy server.If communication with the proxy server requiresauthentication, select the Proxy server requiresauthentication check box and enter a valid Usernameand Password into the respective fields.# utc_time=2005-04-14 07:21:28# country=“Slovakia“# language=“ENGLISH“# osver=9.5.0# engine=5417# components=2.50.2# moduleid=0x4e4f4d41# filesize=28368# filename=Users/UserOne/Documents/Incoming/rdgFR1463[1].zipSubmission of Anonymous Statistical InformationYou can define when the statistical information will besubmitted. If you choose to submit As soon as possible,statistical information will be sent immediately after it iscreated. This setting is suitable if a permanent Internetconnection is available. 
If the During update option isselected, all statistical information will be submittedduring the update following its collection.If you would not like to send anonymous statisticalinformation, you can select the Do not submit option.Submission Distribution - You can select how files andstatistical information will be submitted to ESET. Selectthe Remote Administrator Server or ESET option forfiles and statistics to be submitted by any available18
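As an added example (not code from the ESET manual or product), the script below parses a statistical package in the "# key=value" layout shown above, applies an extension-based exclusion filter like the one described for suspicious-file submission, and redacts the account name from the submitted path, since the manual notes that a directory path may disclose usernames. The extension list beyond .doc, the Users/<name>/ path convention and the redaction step are assumptions made for this example.

```python
import os
import re

# Constructed sample in the "# key=value" layout of the manual's
# statistical package; the values are illustrative, not a real submission.
SAMPLE_PACKAGE = """\
# utc_time=2005-04-14 07:21:28
# country="Slovakia"
# language="ENGLISH"
# osver=9.5.0
# engine=5417
# components=2.50.2
# moduleid=0x4e4f4d41
# filesize=28368
# filename=Users/UserOne/Documents/Incoming/rdgFR1463[1].zip
"""

# Assumed default exclusion list: the manual names only ".doc, etc.".
DEFAULT_EXCLUDED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}

# Assumed Mac layout: the account name sits under Users/<name>/.
USER_DIR_RE = re.compile(r"(^|/)Users/[^/]+/")


def parse_package(text):
    """Parse '# key=value' lines into a dict; quotes around values are dropped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.lstrip("# ").partition("=")
        fields[key.strip()] = value.strip().strip('"\u201c\u201d')
    return fields


def is_excluded(filename, excluded=DEFAULT_EXCLUDED_EXTENSIONS):
    """True when the file's extension is on the exclusion filter (case-insensitive)."""
    return os.path.splitext(filename)[1].lower() in excluded


def redact_path(path):
    """Replace the account name under Users/ with a placeholder."""
    return USER_DIR_RE.sub(r"\1Users/<redacted>/", path)


def review_submission(text, excluded=DEFAULT_EXCLUDED_EXTENSIONS):
    """Decide what leaves the machine: drop excluded files, redact the path otherwise."""
    fields = parse_package(text)
    filename = fields.get("filename", "")
    submit_file = bool(filename) and not is_excluded(filename, excluded)
    if submit_file:
        fields["filename"] = redact_path(filename)
    else:
        fields.pop("filename", None)
    return {"submit_file": submit_file, "fields": fields}
```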


5. Advanced user

5.1 Export / import settings

Importing and exporting configurations of ESET NOD32 Antivirus is available in Advanced mode under Setup. Both import and export use an archive file to store the configuration. Import and export are useful if you need to back up the current configuration of ESET NOD32 Antivirus to be able to use it later. The export settings option is also convenient for users who wish to use their preferred configuration of ESET NOD32 Antivirus on multiple systems – they can easily import the configuration file to transfer the desired settings.

5.1.1 Import settings

Importing a configuration is very easy. From the main menu, click Setup > Import and export settings, and then select the Import settings option. Enter the name of the configuration file or click the ... button to browse for the configuration file you wish to import.

5.1.2 Export settings

The steps to export a configuration are very similar. From the main menu, click Setup > Import and export settings.... Select the Export settings option and enter the name of the configuration file. Use the browser to select a location on your computer to save the configuration file.


6. Glossary

6.1 Types of infiltrations

An Infiltration is a piece of malicious software trying to enter and/or damage a user's computer.

6.1.1 Viruses

A computer virus is an infiltration that corrupts existing files on your computer. Viruses are named after biological viruses, because they use similar techniques to spread from one computer to another.

Computer viruses mainly attack executable files, scripts and documents. To replicate, a virus attaches its "body" to the end of a target file. In short, this is how a computer virus works: after execution of the infected file, the virus activates itself (before the original application) and performs its predefined task. Only after that is the original application allowed to run. A virus cannot infect a computer unless a user, either accidentally or deliberately, runs or opens the malicious program by him/herself.

Computer viruses can range in purpose and severity. Some of them are extremely dangerous because of their ability to purposely delete files from a hard drive. On the other hand, some viruses do not cause any damage – they only serve to annoy the user and demonstrate the technical skills of their authors.

It is important to note that viruses (when compared to trojans or spyware) are increasingly rare because they are not commercially enticing for malicious software authors. Additionally, the term "virus" is often used incorrectly to cover all types of infiltrations. This usage is gradually being overcome and replaced by the new, more accurate term "malware" (malicious software).

If your computer is infected with a virus, it is necessary to restore infected files to their original state – i.e., to clean them by using an antivirus program.

Examples of viruses are: OneHalf, Tenga, and Yankee Doodle.

6.1.2 Worms

A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The basic difference between a virus and a worm is that worms have the ability to replicate and travel by themselves – they are not dependent on host files (or boot sectors). Worms spread through email addresses in your contact list or exploit security vulnerabilities in network applications.

Worms are therefore much more viable than computer viruses. Due to the wide availability of the Internet, they can spread across the globe within hours of their release – in some cases, even in minutes. This ability to replicate independently and rapidly makes them more dangerous than other types of malware.

A worm activated in a system can cause a number of inconveniences: it can delete files, degrade system performance, or even deactivate programs. The nature of a computer worm qualifies it as a "means of transport" for other types of infiltrations.

If your computer is infected with a worm, we recommend you delete the infected files because they likely contain malicious code.

Examples of well-known worms are: Lovsan/Blaster, Stration/Warezov, Bagle, and Netsky.

6.1.3 Trojan horses

Historically, computer trojan horses have been defined as a class of infiltrations which attempt to present themselves as useful programs, tricking users into letting them run. Today, there is no longer a need for trojan horses to disguise themselves. Their sole purpose is to infiltrate as easily as possible and accomplish their malicious goals. "Trojan horse" has become a very general term describing any infiltration not falling under any specific class of infiltration.

Since this is a very broad category, it is often divided into many subcategories:

Downloader – A malicious program with the ability to download other infiltrations from the Internet.

Dropper – A type of trojan horse designed to drop other types of malware onto compromised computers.

Backdoor – An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it.

Keylogger (keystroke logger) – A program which records each keystroke that a user types and sends the information to remote attackers.

Dialer – Dialers are programs designed to connect to premium-rate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dial-up modems, which are no longer regularly used.

Trojan horses usually take the form of executable files. If a file on your computer is detected as a trojan horse, we recommend deleting it, since it most likely contains malicious code.

Examples of well-known trojans are: NetBus, Trojandownloader.Small.ZL, Slapper.

6.1.4 Adware

Adware is a shortened term for advertising-supported software. Programs displaying advertising material fall under this category. Adware applications often automatically open a new pop-up window containing advertisements in an Internet browser, or change the browser's home page. Adware is frequently bundled with freeware programs, allowing creators of freeware programs to cover development costs of their (usually useful) applications.

Adware itself is not dangerous – users may only be bothered by the advertisements. The danger lies in the fact that adware may also perform tracking functions (as spyware does).

If you decide to use a freeware product, please pay particular attention to the installation program. The installer will most likely notify you of the installation of an extra adware program. Often you will be allowed to cancel it and install the program without adware.

Some programs will not install without adware, or their functionality will be limited. This means that adware may often access the system in a "legal" way, because users have agreed to it. In this case, it is better to be safe than sorry. If there is a file detected as adware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code.

6.1.5 Spyware

This category covers all applications which send private information without user consent/awareness. Spyware uses tracking functions to send various statistical data such as a list of visited websites, email addresses from the user's contact list, or a list of recorded keystrokes.

The authors of spyware claim that these techniques aim to find out more about users' needs and interests and allow better-targeted advertisement. The problem is that there is no clear distinction between useful and malicious applications and no one can be sure that the retrieved information will not be misused. The data obtained by spyware applications may contain security codes, PINs, bank account numbers, etc. Spyware is often bundled with free versions of a program by its author in order to generate revenue or to offer an incentive for purchasing the software. Often, users are informed of the presence of spyware during a program's installation to give them an incentive to upgrade to a paid version without it.

Examples of well-known freeware products which come bundled with spyware are client applications of P2P (peer-to-peer) networks. Spyfalcon or Spy Sheriff (and many more) belong to a specific spyware subcategory – they appear to be antispyware programs, but in fact they are spyware programs themselves.

If a file is detected as spyware on your computer, we recommend deleting it, since there is a high probability that it contains malicious code.

6.1.6 Potentially unsafe applications

There are many legitimate programs whose function is to simplify the administration of networked computers. However, in the wrong hands they may be misused for malicious purposes. ESET NOD32 Antivirus provides the option to detect such threats.

"Potentially unsafe applications" is the classification used for commercial, legitimate software. This classification includes programs such as remote access tools, password-cracking applications, and keyloggers (a program that records each keystroke a user types).

If you find that there is a potentially unsafe application present and running on your computer (and you did not install it), please consult your network administrator or remove the application.

6.1.7 Potentially unwanted applications

Potentially unwanted applications are not necessarily intended to be malicious, but may affect the performance of your computer in a negative way. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (compared to the way it behaved before their installation). The most significant changes are:

New windows you haven't seen previously are opened
Activation and running of hidden processes
Increased usage of system resources
Changes in search results
Application communicates with remote servers
