Kaspersky ANTI-VIRUS CORPORATE SUITE User Manual

KASPERSKY LAB
Kaspersky® Anti-Virus for Windows Workstations 6.0
USER GUIDE
KASPERSKY ANTI-VIRUS FOR WINDOWS
User Guide
© Kaspersky Lab
http://www.kaspersky.com
Revision date: September 2008
Table of Contents
CHAPTER 1. THREATS TO COMPUTER SECURITY
1.1. Sources of Threats
1.2. How threats spread
1.3. Types of Threats
1.4. Signs of Infection
1.5. What to do if you suspect infection
1.6. Preventing Infection
CHAPTER 2. KASPERSKY ANTI-VIRUS FOR WINDOWS WORKSTATIONS 6.0
2.1. What’s new in Kaspersky Anti-Virus for Windows Workstations 6.0
2.2. The elements of Kaspersky Anti-Virus for Windows Workstations Defense
2.2.1. Protection components
2.2.2. Virus scan tasks
2.2.3. Program tools
2.3. Hardware and software system requirements
2.4. Software packages
2.5. Support for registered users
CHAPTER 3. INSTALLING KASPERSKY ANTI-VIRUS FOR WINDOWS WORKSTATIONS 6.0
3.1. Installation procedure using the Installation Wizard
3.2. Setup Wizard
3.2.1. Using objects saved with Version 5.0
3.2.2. Activating the program
3.2.2.1. Selecting a program activation method
3.2.2.2. Entering the activation code
3.2.2.3. Obtaining a key file
3.2.2.4. Selecting a license key file
3.2.2.5. Completing program activation
3.2.3. Selecting a security mode
3.2.4. Configuring update settings
3.2.5. Configuring a virus scan schedule
3.2.6. Restricting program access
3.2.7. Configuring Anti-Hacker settings
3.2.7.1. Determining a security zone’s status
3.2.7.2. Creating a list of network applications
3.2.8. Finishing the Setup Wizard
3.3. Installing the program from the command prompt
3.4. Procedure for installing the Group Policy Object
3.4.1. Installing the program
3.4.2. Upgrading the program
3.4.3. Uninstalling the program
3.5. Upgrading from 5.0 to 6.0
CHAPTER 4. PROGRAM INTERFACE
4.1. System tray icon
4.2. The context menu
4.3. Main program window
4.4. Program settings window
CHAPTER 5. GETTING STARTED
5.1. What is the protection status of the computer?
5.1.1. Protection indicators
5.1.2. Kaspersky Anti-Virus for Windows Workstations component status
5.1.3. Program performance statistics
5.2. How to scan your computer for viruses
5.3. How to scan critical areas of the computer
5.4. How to scan a file, folder or disk for viruses
5.5. How to train Anti-Spam
5.6. How to update the program
5.7. What to do if protection is not running
CHAPTER 6. PROTECTION MANAGEMENT SYSTEM
6.1. Stopping and resuming protection on your computer
6.1.1. Pausing protection
6.1.2. Stopping protection
6.1.3. Pausing / stopping protection components and tasks
6.1.4. Restoring protection on your computer
6.1.5. Shutting down the program
6.2. Types of malicious programs to be monitored
6.3. Creating a trusted zone
6.3.1. Exclusion rules
6.3.2. Trusted applications
6.4. Starting tasks under another profile
6.5. Configuring Scheduled Tasks and Notifications
6.6. Power options
6.7. Advanced Disinfection Technology
CHAPTER 7. FILE ANTI-VIRUS
7.1. Selecting a file security level
7.2. Configuring File Anti-Virus
7.2.1. Defining the file types to be scanned
7.2.2. Defining protection scope
7.2.3. Configuring advanced settings
7.2.4. Restoring default File Anti-Virus settings
7.2.5. Selecting actions for objects
7.3. Postponed disinfection
CHAPTER 8. MAIL ANTI-VIRUS
8.1. Selecting an email protection level
8.2. Configuring Mail Anti-Virus
8.2.1. Selecting a protected email group
8.2.2. Configuring email processing in Microsoft Office Outlook
8.2.3. Configuring email scans in The Bat!
8.2.4. Restoring default Mail Anti-Virus settings
8.2.5. Selecting actions for dangerous email objects
CHAPTER 9. WEB ANTI-VIRUS
9.1. Selecting the web security level
9.2. Configuring Web Anti-Virus
9.2.1. Setting a scan method
9.2.2. Creating a trusted address list
9.2.3. Restoring default Web Anti-Virus settings
9.2.4. Selecting responses to dangerous objects
CHAPTER 10. PROACTIVE DEFENSE
10.1. Proactive Defense settings
10.1.1. Activity control rules
10.1.2. Office Guard
10.1.3. Registry Guard
10.1.3.1. Selecting registry keys for creating a rule
10.1.3.2. Creating a Registry Guard rule
CHAPTER 11. ANTI-SPY
11.1. Configuring Anti-Spy
11.1.1. Creating Popup Blocker trusted address list
11.1.2. Banner ad blocking list
11.1.2.1. Configuring the standard banner ad blocking list
11.1.2.2. Banner ad white lists
11.1.2.3. Banner ad black lists
11.1.3. Creating an Anti-Dialer trusted number list
CHAPTER 12. PROTECTION AGAINST NETWORK ATTACKS
12.1. Selecting an Anti-Hacker security level
12.2. Application rules
12.2.1. Creating rules manually
12.2.2. Creating rules from template
12.3. Packet filtering rules
12.4. Fine-tuning rules for applications and packet filtering
12.5. Ranking rule priority
12.6. Rules for security zones
12.7. Firewall mode
12.8. Configuring the Intrusion Detection System
12.9. List of network attacks detected
12.10. Blocking and allowing network activity
CHAPTER 13. PROTECTION AGAINST UNWANTED E-MAIL
13.1. Selecting an Anti-Spam sensitivity level
13.2. Training Anti-Spam
13.2.1. Training Wizard
13.2.2. Training with outgoing emails
13.2.3. Training using your email client
13.2.4. Training using Anti-Spam reports
13.3. Configuring Anti-Spam
13.3.1. Configuring scan settings
13.3.2. Selecting spam filtration technologies
13.3.3. Defining spam and potential spam factors
13.3.4. Creating white and black lists manually
13.3.4.1. White lists for addresses and phrases
13.3.4.2. Black lists for addresses and phrases
13.3.5. Additional spam filtration features
13.3.6. Mail Dispatcher
13.3.7. Actions for spam
13.3.8. Configuring spam processing in Microsoft Office Outlook
13.3.9. Configuring spam processing in Outlook Express (Windows Mail)
13.3.10. Configuring spam processing in The Bat!
CHAPTER 14. SCANNING FOR VIRUSES ON THE COMPUTER
14.1. Managing virus scan tasks
14.2. Creating a list of objects to scan
14.3. Creating virus scan tasks
14.4. Configuring virus scan tasks
14.4.1. Selecting a security level
14.4.2. Specifying the types of objects to scan
14.4.3. Restoring default scan settings
14.4.4. Selecting actions for objects
14.4.5. Additional virus scan settings
14.4.6. Setting up global scan settings for all tasks
CHAPTER 15. TESTING KASPERSKY ANTI-VIRUS FEATURES
15.1. The EICAR test virus and its variations
15.2. Testing File Anti-Virus
15.3. Testing Virus scan tasks
CHAPTER 16. PROGRAM UPDATES
16.1. Starting the Updater
16.2. Rolling back to the previous update
16.3. Creating update tasks
16.4. Configuring update settings
16.4.1. Selecting an update source
16.4.2. Selecting an update method and what to update
16.4.3. Configuring connection settings
16.4.4. Update distribution
16.4.5. Actions after updating the program
CHAPTER 17. ADVANCED OPTIONS
17.1. Quarantine for potentially infected objects
17.1.1. Actions with quarantined objects
17.1.2. Setting up Quarantine
17.2. Backup copies of dangerous objects
17.2.1. Actions with backup copies
17.2.2. Configuring Backup settings
17.3. Reports
17.3.1. Configuring report settings
17.3.2. The Detected tab
17.3.3. The Events tab
17.3.4. The Statistics tab
17.3.5. The Settings tab
17.3.6. The Macros tab
17.3.7. The Registry tab
17.3.8. The Phishing Sites tab
17.3.9. The Popup Windows tab
17.3.10. The Banner Ads tab
17.3.11. The Dial Attempts tab
17.3.12. The Network Attacks tab
17.3.13. The Banned Hosts tab
17.3.14. The Application Activity tab
17.3.15. The Packet Filtering tab
17.3.16. The Established Connections tab
17.3.17. The Open Ports tab
17.3.18. The Traffic tab
17.4. General information about the program
17.5. Managing licenses
17.6. Technical Support
17.7. Creating a monitored port list
17.8. Checking encrypted connections
17.9. Configuring the Kaspersky Anti-Virus for Windows Workstations interface
17.10. Rescue Disk
17.10.1. Creating a rescue disk
17.10.2. Using the rescue disk
17.11. Using additional services
17.11.1. Kaspersky Anti-Virus for Windows Workstations event notifications
17.11.1.1. Types of events and notification delivery methods
17.11.1.2. Configuring email notification
17.11.1.3. Configuring event log settings
17.11.2. Self-Defense and access restriction
17.11.3. Resolving conflicts with other applications
17.12. Importing and exporting Kaspersky Anti-Virus for Windows Workstations settings
17.13. Resetting to default settings
CHAPTER 18. WORKING WITH THE PROGRAM FROM THE COMMAND PROMPT
18.1. Activating the application
18.2. Managing program components and tasks
18.3. Anti-virus scans
18.4. Program updates
18.5. Rollback settings
18.6. Exporting settings
18.7. Importing settings
18.8. Starting the program
18.9. Stopping the program
18.10. Obtaining a Trace File
18.11. Viewing Help
18.12. Return codes from the command line interface
CHAPTER 19. MODIFYING, REPAIRING, AND REMOVING THE PROGRAM
19.1. Modifying, repairing, and removing the program using Installation Wizard
19.2. Uninstalling the program from the command prompt
CHAPTER 20. FREQUENTLY ASKED QUESTIONS
APPENDIX A. REFERENCE INFORMATION
A.1. List of files scanned by extension
A.2. Possible file exclusion masks
A.3. Possible threat exclusion masks
A.4. Overview of settings in setup.ini
APPENDIX B. KASPERSKY LAB
APPENDIX C. LICENSE AGREEMENT
CHAPTER 1. THREATS TO COMPUTER SECURITY
As information technology has rapidly developed and penetrated many aspects of human existence, the number and range of crimes aimed at breaching information security have grown.
Cyber criminals have shown great interest in the activities of both state structures and commercial enterprises. They attempt to steal or disclose confidential information, which damages business reputations, disrupts business continuity, and may impair an organization's information resources. These acts can do extensive damage to assets, both tangible and intangible.
It is not only big companies who are at risk; individual users can also be attacked. Criminals can gain access to personal data (for instance, bank account and credit card numbers and passwords), or cause a computer to malfunction. Some types of attacks can give hackers complete access to a computer, which can then be used as part of a “zombie network” of infected computers to attack servers, send out spam, harvest confidential information, and spread new viruses and Trojans.
In today’s world, it is widely acknowledged that information is a valuable asset that should be protected. At the same time, information must be accessible to those who legitimately require it (for instance, employees, clients and partners of a business). Hence the need to create a comprehensive information security system that takes account of all possible sources of threats, whether human, man-made, or natural disasters, and uses a complete array of defensive measures at the physical, administrative and software levels.
1.1. Sources of Threats
A person, a group of people, or phenomena unrelated to human activity can threaten information security. Following from this, all threat sources can be put into one of three groups:
The human factor. This group of threats concerns the actions of people with authorized or unauthorized access to information. Threats in this group can be divided into:
External, including cyber criminals, hackers, internet scams, unprincipled partners, and criminal organizations.
Internal, including the actions of company staff and users of home PCs. Actions taken by this group could be deliberate or accidental.
The technological factor. This threat group is connected with technical problems – use of obsolete or poor-quality software and hardware to process information. This can lead to equipment failure and often to data loss.
The natural-disaster factor. This threat group includes the whole range of events caused by nature and independent of human activity.
All three threat sources must be accounted for when developing a data security protection system. This User Guide focuses on the area that is directly tied to Kaspersky Lab’s expertise – external threats involving human activity.
1.2. How threats spread
As modern computer technology and communications tools develop, hackers have more opportunities for spreading threats. Let’s take a closer look at them:
The Internet
The Internet is unique, since it is no one’s property and has no geographical borders. In many ways, this has promoted the development of web resources and the exchange of information. Today, anyone can access data on the Internet or create their own webpage.
However, these very features of the worldwide web give hackers the ability to commit crimes on the Internet, and make the hackers difficult to detect and punish.
Hackers place viruses and other malicious programs on Internet sites and disguise them as useful freeware. Furthermore, scripts that run automatically when you open certain web pages can execute dangerous actions on your computer, including modifying the system registry, stealing personal data, and installing malicious software.
By using network technologies, hackers can attack remote PCs and company servers. These attacks can cause parts of your system to malfunction, or could provide hackers with complete access to your system and thereby to the information stored on it. They can also use it as part of a zombie network.
Lastly, since it became possible to use credit cards and e-money through the Internet in online stores, auctions, and bank homepages, online scams have become increasingly common.
Intranet
Your intranet is your internal network, specially designed for handling information within a company or a home network. An intranet is a unified space for storing, exchanging, and accessing information for all the computers on the network. This means that if one computer on the network is infected, the others are at great risk of infection. To avoid such situations, both the network perimeter and each individual computer must be protected.
Email
Since the overwhelming majority of computers have email client programs installed, and since malicious programs exploit the contents of electronic address books, conditions are usually right for spreading malicious programs. The user of an infected computer might unknowingly send infected emails to friends or coworkers who in turn send more infected emails. For example, it is common for infected file documents to go undetected when distributed with business information via a company’s internal email system. When this occurs, more than a handful of people are infected. It might be hundreds or thousands of company workers, together with potentially tens of thousands of subscribers.
Beyond the threat of malicious programs lies the problem of electronic junk email, or spam. Although not a direct threat to a computer, spam increases the load on email servers, eats up bandwidth, clogs up the user’s mailbox, and wastes working hours, thereby incurring financial harm.
In addition, hackers have begun using mass mailing programs and social engineering methods to convince users to open emails, or click on a link to certain websites. It follows that spam filtration capabilities are valuable for several purposes: to stop junk email; to counteract new types of online scams, such as phishing; to stop the spread of malicious programs.
Removable storage media
Removable media (floppies, CD-ROMs, and USB flash drives) are widely used for storing and transmitting information.
Opening a file that contains malicious code and is stored on a removable storage device can damage data stored on the local computer and spread the virus to the computer’s other drives or other computers on the network.
1.3. Types of Threats
There are a vast number of threats to computer security today. This section will review the threats that are blocked by Kaspersky Anti-Virus for Windows Workstations.
Worms
This category of malicious programs spreads itself largely by exploiting vulnerabilities in computer operating systems. The class was named for the way that worms crawl from computer to computer, using networks and email. This feature allows worms to spread themselves very rapidly.
When a worm penetrates a computer, it scans for the network addresses of other computers that are locally accessible, and sends a burst of self-made copies to these addresses. In addition, worms often utilize data from email client address books. Some of these malicious programs occasionally create working files on system disks, but they can run without any system resources except RAM.
Viruses
Viruses are programs that infect other files, adding their own code to them to gain control of the infected files when they are opened. This simple definition explains the fundamental action performed by a virus – infection.
Trojans
Trojans are programs that carry out unauthorized actions on computers, such as deleting information on drives, making the system hang, stealing confidential information, and so on. This class of malicious program is not a virus in the traditional sense of the word, because it does not infect other computers or data. Trojans cannot break into computers on their own. They are spread by hackers, who disguise them as regular software. The damage that they inflict can greatly exceed that done by traditional virus attacks.
Recently, worms have been the commonest type of malicious program damaging computer data, followed by viruses and Trojans. Some malicious programs combine features of two or even three of these classes.
Adware
Adware is program code that is included in software, without the user’s knowledge, and is designed to display advertisements. Adware is usually built into software that is distributed free. The advertisement is situated in the program interface. These programs also frequently collect personal data on the user and send it back to their developer, change browser settings (start page and search pages, security levels, etc.) and create traffic that the user cannot control. This can lead to a security breach and to direct financial losses.
Spyware
This software collects information about a particular user or organization without their knowledge. Spyware often escapes detection entirely. In general, the goal of spyware is to:
Trace user actions on a computer;
Gather information on the contents of your hard drive; in such cases, this usually involves scanning several directories and the system registry to compile a list of software installed on the computer;
Gather information on the quality of the connection, bandwidth, modem speed, etc.
Riskware
Riskware includes software that has no malicious features but could form part of the development environment for malicious programs or could be used by hackers as auxiliary components for malicious programs. This program category includes programs with backdoors and vulnerabilities, as well as some remote administration utilities, keyboard layout togglers, IRC clients, FTP servers, and all-purpose utilities for stopping processes or hiding their operation.
Another type of malicious program, similar to adware, spyware, and riskware, is the program that plugs into your web browser and redirects traffic. The web browser then opens web sites other than those intended.
Jokes
Joke software does not do any direct damage, but displays messages stating that damage has already been done or will be under certain conditions. These programs often warn the user of non-existent dangers, such as messages that warn of formatting the hard drive (although no formatting actually takes place) or detecting viruses in uninfected files.
Rootkits
These are utilities that are used to conceal malicious activity. They mask malicious programs to keep anti-virus programs from detecting them. Rootkits modify basic functions of the computer’s operating system to hide both their own existence and actions that the hacker undertakes on the infected computer.
Other dangerous programs
These are programs created, for instance, to set up denial of service (DoS) attacks on remote servers or to hack into other computers, as well as programs that are part of the development environment for malicious programs. These programs include hack tools, virus builders, vulnerability scanners, password-cracking programs, and other types of programs for cracking network resources or penetrating a system.
Hacker attacks
Hacker attacks can be initiated either by hackers or by malicious programs. They are aimed at stealing information from a remote computer, causing the system to malfunction, or gaining full control of the system's resources. You can find a detailed description of the types of attacks blocked by Kaspersky Anti-Virus for Windows Workstations in section 12.9, on pg. 158.
Some types of online scams
Phishing is an online scam that uses mass emailings to steal confidential information from the user, generally of a financial nature. Phishing emails are designed to resemble informative emails from banks and well-known companies to the greatest extent possible. These emails contain links to fake websites created by hackers to mimic the site of the legitimate organization. On this site, the user is asked to enter, for example, his credit card number and other confidential information.
Dialers to pay-per-use websites are a type of online scam involving unauthorized use of pay-per-use Internet services, which are commonly pornographic web sites. The dialers installed by hackers initiate modem connections from your computer to the number for the pay service. These phone numbers often have very high rates and the user is forced to pay enormous telephone bills.
Intrusive advertising
This includes popup windows and banner ads that open when using your web browser. The information in these windows is generally not of benefit to the user. Popup windows and banner ads distract the user from the task and take up bandwidth.
Spam
Spam is anonymous junk email, and includes several different types of content: adverts; political messages; requests for assistance; emails that ask one to invest large amounts of money or to get involved in pyramid schemes; emails aimed at stealing passwords and credit card numbers, and emails that ask to be sent to friends (chain letters).
Spam significantly increases the load on mail servers and the risk of losing important data.
Kaspersky Anti-Virus for Windows Workstations uses two methods for detecting and blocking these threat types:
Reactive – this method searches for malicious files using a threat signature database that is regularly updated. At least one virus infection is necessary to implement this method – in order to add the threat signature to the database and distribute the database update.
Proactive – in contrast to reactive protection, this method is based not on analyzing the object’s code but on analyzing its behavior in the system. This method is aimed at detecting new threats that are still not defined in the signatures.
By employing both methods, Kaspersky Anti-Virus for Windows Workstations provides comprehensive protection for your computer from both known and new threats.
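The difference between the two methods can be shown with a small model. This is an added example, not Kaspersky Lab code: the whole-file SHA-256 "signature", the behavior rules, weights, threshold, sample bytes and event traces are all assumptions constructed for illustration.

```python
"""Reactive (signature) versus proactive (behaviour) detection, in miniature."""
import hashlib

# Constructed, inert byte strings standing in for program files (not real malware).
KNOWN_SAMPLE = b"constructed sample A: bytes of a program that was already analysed"
NEW_VARIANT = b"constructed sample B: same behaviour, never seen by the vendor"
CLEAN_FILE = b"constructed clean file: an ordinary program"


def fingerprint(data: bytes) -> str:
    """Simplification: a whole-file SHA-256 stands in for a threat signature."""
    return hashlib.sha256(data).hexdigest()


def reactive_scan(data: bytes, signature_db: dict):
    """Return the threat name if the file matches a known signature, else None."""
    return signature_db.get(fingerprint(data))


def publish_signature(signature_db: dict, data: bytes, name: str) -> dict:
    """Model a database update: a signature exists only after a sample was captured."""
    updated = dict(signature_db)
    updated[fingerprint(data)] = name
    return updated


# Hypothetical behaviour rules and weights, chosen for this example only.
AUTOSTART_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BULK_MAIL_LIMIT = 20   # messages sent by one process in one observation window
ALERT_THRESHOLD = 70


def proactive_scan(events: list) -> dict:
    """Score what a process did, not what its file looks like."""
    score, reasons, rollback = 0, [], []
    read_address_book = False
    mails_sent = 0
    for ev in events:
        action, target = ev["action"], ev.get("target", "")
        if action == "registry_write":
            rollback.append(("registry", target))   # recorded so it can be undone
            if target.upper().startswith(AUTOSTART_KEY.upper()):
                score += 40
                reasons.append("registers itself to run at startup")
        elif action == "file_write":
            rollback.append(("file", target))
        elif action == "read_address_book":
            read_address_book = True
        elif action == "send_mail":
            mails_sent += ev.get("count", 1)
    if read_address_book and mails_sent >= BULK_MAIL_LIMIT:
        score += 50
        reasons.append(f"mailed {mails_sent} messages after reading the address book")
    return {"suspicious": score >= ALERT_THRESHOLD, "score": score,
            "reasons": reasons, "rollback": rollback}


def classify(data: bytes, events: list, signature_db: dict) -> str:
    """Signature match first; fall back to behaviour for files with no signature."""
    name = reactive_scan(data, signature_db)
    if name:
        return f"known threat: {name}"
    if proactive_scan(events)["suspicious"]:
        return "unknown threat: blocked on behaviour"
    return "clean"


# Constructed event traces, as a behaviour monitor might record them.
WORM_LIKE_EVENTS = [
    {"action": "file_write", "target": r"C:\Windows\Temp\copy.exe"},
    {"action": "registry_write", "target": AUTOSTART_KEY + r"\copy"},
    {"action": "read_address_book"},
    {"action": "send_mail", "count": 35},
]
NORMAL_EVENTS = [
    {"action": "file_write", "target": r"C:\Users\user\Documents\report.doc"},
    {"action": "read_address_book"},
    {"action": "send_mail", "count": 2},
]

SIGNATURE_DB = publish_signature({}, KNOWN_SAMPLE, "Constructed.Sample.A")

if __name__ == "__main__":
    print(classify(KNOWN_SAMPLE, WORM_LIKE_EVENTS, SIGNATURE_DB))
    print(classify(NEW_VARIANT, WORM_LIKE_EVENTS, SIGNATURE_DB))
    print(classify(CLEAN_FILE, NORMAL_EVENTS, SIGNATURE_DB))
    later_db = publish_signature(SIGNATURE_DB, NEW_VARIANT, "Constructed.Sample.B")
    print(classify(NEW_VARIANT, WORM_LIKE_EVENTS, later_db))
```

The new variant passes the signature check until a database update that includes it is published, which is the gap the behavior check covers in the meantime.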
Warning:
From this point forward, we will use the term "virus" to refer to malicious and dangerous programs. The type of malicious programs will only be emphasized where necessary.
1.4. Signs of Infection
There are a number of signs that a computer is infected. The following events are good indicators that a computer is infected with a virus:
Unexpected messages or images appear on the screen, or unusual sounds are played;
The CD/DVD-ROM tray opens and closes unexpectedly;
The computer arbitrarily launches a program without your assistance;
Warnings pop up on the screen about a program attempting to access the Internet, even though you initiated no such action.
There are also several typical traits of a virus infection through email:
Friends or acquaintances tell you about messages from you that you never sent;
Your inbox houses a large number of messages without return addresses or headers.
It must be noted that these signs can arise from causes other than viruses. For example, in the case of email, infected messages can be sent with your return address but not from your computer.
There are also indirect indications that your computer is infected:
Your computer freezes or crashes frequently;
Your computer loads programs slowly;
You cannot boot up the operating system;
Files and folders disappear or their contents are distorted;
The hard drive is frequently accessed (the light blinks);
The web browser program (e.g., Microsoft Internet Explorer) freezes or behaves unexpectedly (for example, you cannot close the program window).
In 90% of cases, these indirect symptoms are caused by malfunctions in hardware or software. Although such symptoms rarely indicate infection, we recommend that, upon detecting them, you run a complete scan of your computer (see 5.2 on pg. 61).
1.5. What to do if you suspect infection
If you notice that your computer is behaving suspiciously…
1. Don’t panic! This is the golden rule: it could save you from losing important data.
2. Disconnect your computer from the Internet or local network, if it is on one.
3. If the computer will not boot from the hard drive (the computer displays an error message when you turn it on), try booting in safe mode or with the emergency operating system boot disk that you created when you installed the operating system.
4. Before doing anything else, back up your work on removable storage media (floppy, CD/DVD, flash drive, etc.).
5. Install Kaspersky Anti-Virus for Windows Workstations, if you have not done so already.
6. Update the program’s threat signatures and application modules (see 5.6 on pg. 64). If possible, download the updates off the Internet from a different, uninfected, computer, for instance at a friend’s, an Internet café, or work. It is better to use a different computer since, when you connect an infected computer to the Internet, there is a chance that the virus will send important information to hackers or spread the virus to the addresses in your address book. That is why if you suspect that your computer has a virus, you should immediately disconnect from the Internet. You can also get threat signature updates on floppy disk from Kaspersky Lab or its distributors and update your signatures using the disk.
7. Select the security level recommended by the experts at Kaspersky Lab.
8. Start a full computer scan (see 5.2 on pg. 61).
1.6. Preventing Infection
Not even the most reliable and deliberate measures can provide 100% protection against computer viruses and Trojans, but following such a set of rules significantly lowers the likelihood of virus attacks and the level of potential damage.
One of the basic methods of battling viruses is, as in medicine, well-timed prevention. Computer prophylactics involve a rather small number of rules that, if complied with, can significantly lower the likelihood of being infected with a virus and losing data.
The basic safety rules are given below. By following them, you can avoid virus attacks.
Rule No. 1: Use anti-virus software and Internet security programs. To do so:
Install Kaspersky Anti-Virus for Windows Workstations as soon as possible.
Regularly update the program’s threat signatures (see 5.6 on pg. 64). You should update the signatures several times per day during virus outbreaks. In such situations, the threat signatures on Kaspersky Lab’s update servers are updated immediately.
Select the security settings recommended by Kaspersky Lab for your computer. You will be protected constantly from the moment the computer is turned on, and it will be harder for viruses to infect your computer.
Select the settings for a complete scan recommended by Kaspersky Lab, and schedule scans for at least once per week. If you have not installed Anti-Hacker, we recommend that you do so to protect your computer when using the Internet.
Rule No. 2: Use caution when copying new data to your computer:
Scan all removable storage drives, for example floppies, CDs/DVDs, and flash drives, for viruses before using them (see 5.4 on pg. 62).
Treat emails with caution. Do not open any files attached to emails unless you are certain that you were intended to receive them, even if they were sent by people you know.
Be careful with information obtained through the Internet. If any web site suggests that you install a new program, be certain that it has a security certificate.
If you are copying an executable file from the Internet or local network, be sure to scan it with Kaspersky Anti-Virus for Windows Workstations.
Use discretion when visiting web sites. Many sites are infected with dangerous script viruses or Internet worms.
Rule No. 3: Pay close attention to information from Kaspersky Lab.
In most cases, Kaspersky Lab announces a new outbreak long before it reaches its peak. The likelihood of the infection in such a case is low, and once you download the threat signature updates, you will have plenty of time to protect yourself against the new virus.
Rule No. 4: Do not trust virus hoaxes, such as prank programs and emails about infection threats.
Rule No. 5: Use the Windows Update tool and regularly install Windows operating system updates.
Rule No. 6: Buy legitimate copies of software from official distributors.
Rule No. 7: Limit the number of people who are allowed to use your computer.
Rule No. 8: Lower the risk of unpleasant consequences of a potential infection:
Back up data regularly. If you lose your data, the system can fairly quickly be restored if you have backup copies. Store distribution floppies, CDs, flash drives, and other storage media with software and valuable information in a safe place.
Create a Rescue Disk (see 17.10 on pg. 250) that you can use to boot up the computer, using a clean operating system.
Rule No. 9: Regularly inspect the list of installed programs on your computer. To do so, open Install/Remove Programs in the Control Panel, or open the Program Files directory. You may discover software here that was installed on your computer without your knowledge, for example, while you were using the Internet or installing a different program. Programs like these are almost always potentially dangerous.
CHAPTER 2. KASPERSKY ANTI-VIRUS FOR WINDOWS WORKSTATIONS 6.0
Kaspersky Anti-Virus for Windows Workstations 6.0 heralds a new generation of data security products.
What really sets Kaspersky Anti-Virus for Windows Workstations 6.0 apart from other software, even from other Kaspersky Lab products, is its multi-faceted approach to data security.
2.1. What’s new in Kaspersky Anti-Virus for Windows Workstations 6.0
Kaspersky Anti-Virus for Windows Workstations 6.0 has a new approach to data security. The program’s main feature is that it combines and noticeably improves the existing features of all the company’s products in one security solution. The program provides protection against viruses, spam attacks, hacker attacks, unknown threats, phishing, and rootkits.
You will no longer need to install several products on your computer for overall security. It is enough simply to install Kaspersky Anti-Virus for Windows Workstations 6.0.
Comprehensive protection guards all incoming and outgoing data channels. All of the program’s components have flexible settings that enable Kaspersky Anti-Virus for Windows Workstations to adapt to the needs of each user. Configuration of the entire program can be done from one location.
Let’s take a look at the new features in Kaspersky Anti-Virus for Windows Workstations.
New Protection Features
Kaspersky Anti-Virus for Windows Workstations protects you both from known malicious programs, and from programs still unknown. Proactive Defense (see Chapter 10 on pg. 117) is the program’s key advantage. It analyzes the behavior of applications installed on your computer, monitoring changes to the system registry, tracking macros, and fighting hidden threats. The component uses a heuristic analyzer to detect and record various types of malicious activity, with which actions taken by malicious programs can be rolled back and the system can be restored to its state prior to the malicious activity.
The program protects the computer against rootkits and dialers, blocks banner ads, popup windows, and malicious scripts downloaded from web pages, and detects phishing sites.
File Anti-Virus technology has been improved to lower the CPU load and increase the speed of file scans. iChecker™ and iSwift™ help achieve this. By operating this way, the program rules out scanning files twice.
The scan process now runs as a background task, enabling the user to continue using the computer. If there is competition for system resources, the virus scan will pause until the user’s operation is completed and then resume at the point where it left off.
Critical areas of the computer, which if infected would seriously affect data quality or security, are given their own separate task. This task can be configured to run automatically every time the system is started.
Protection for email systems against malicious programs and spam has been significantly improved. The program scans these protocols for emails containing viruses and spam:
IMAP, SMTP, POP3, regardless of which email client you use
NNTP (virus scan only), regardless of the email client
Regardless of the protocol (MAPI, HTTP) when using plug-ins for MS Outlook and The Bat!
Special plug-ins are available for the most common mail clients, such as Outlook, Microsoft Outlook Express (Windows Mail), and The Bat! These place email protection against both viruses and spam directly in the mail client.
Anti-Spam now has a training mode, based around the iBayes algorithm, which learns by monitoring how you deal with email. It also provides maximum flexibility in configuring spam detection – for instance, you can create black and white lists of addressees and key phrases that mark email as spam.
Anti-Spam uses a phishing database, which can filter out emails designed to obtain confidential financial information.
The program filters inbound and outbound traffic, traces and blocks threats from common network attacks, and lets you use the Internet in Stealth Mode.
When using a combination of networks, you can also define which networks to trust completely and which to monitor with extreme caution.
The user notification function (see 17.11.1 on pg. 254) has been expanded for certain events that arise during program operation. For each of these event types, you can select the method of notification yourself: emails, sound notifications, or pop-up messages.
Scanning has been added for data transmitted across secure SSL connections.
The program has added self-defense features, including protection against unauthorized remote administration tools and password-protected program settings. These features help keep malicious programs, hackers, and unauthorized users from disabling protection.
You can also create a rescue disk, with which you can reboot your operating system after a virus outbreak and scan your computer for malicious code.
New Program Interface Features
The new Kaspersky Anti-Virus for Windows Workstations interface makes the program’s functions clear and easy to use. You can also change the program’s appearance by using your own graphics and color schemes.
The program regularly provides you with tips as you use it: Kaspersky Anti-Virus for Windows Workstations displays informative messages on the level of protection, accompanies its operation with hints and tips, and includes a thorough Help section.
New Program Update Features
This version of the program debuts our improved update procedure: Kaspersky Anti-Virus automatically checks the update source for updates. If it finds new updates, Anti-Virus downloads them and installs them on the computer.
The program downloads updates incrementally, ignoring files that have already been downloaded. This lowers the download traffic for updates by up to 10 times.
Updates are downloaded from the most efficient source.
You can choose not to use a proxy server, by downloading program updates from a local source. This noticeably reduces the traffic on the proxy server.
The program has an update rollback feature that can return to the previous version of the signatures, if the threat signatures are damaged or there is an error in copying.
A tool has been added to Updater that copies updates to a local folder to give other computers on the network access to them. This cuts down on Internet traffic.
2.2. The elements of Kaspersky Anti-Virus for Windows Workstations Defense
Kaspersky Anti-Virus for Windows Workstations is designed with the sources of threats in mind. In other words, a separate program component deals with each threat, monitoring it and taking the necessary action to prevent malicious effects of that threat on the user's data. This makes the Security Suite flexible, with user-friendly options for each of the components to fit the needs of a specific user or a business as a whole.
Kaspersky Anti-Virus for Windows Workstations includes:
Protection Components (see 2.2.1 on pg. 24) that comprehensively defend all channels of data transmission and exchange on your computer in real-time mode.
Virus Scan Tasks (see 2.2.2 on pg. 26) that virus-check the computer’s memory and file system, as individual files, folders, disks, or regions.
Support Tools (see 2.2.3 on pg. 27) that provide support for the program and extend its functionality.

2.2.1. Protection components

These protection components defend your computer in real time:
File Anti-Virus
A file system can contain viruses and other dangerous programs. Malicious programs can remain inactive in your file system for years after being copied from a floppy disk or from the Internet, without showing themselves at all. But you need only act upon the infected file, and the virus is instantly activated.
File Anti-Virus is the component that monitors your computer’s file system. It scans all files that are being opened, executed or saved on your computer and all connected disk drives. Each time a file is accessed, Kaspersky Anti-Virus intercepts it and scans the file for known viruses. If a file cannot be disinfected for any reason, it will be deleted, with a copy of the file either saved in Backup (see 17.2 on pg. 222), or moved to Quarantine (see 17.1 on pg. 218).
Mail Anti-Virus
Email is widely used by hackers to spread malicious programs, and is one of the most common methods of spreading worms. This makes it extremely important to monitor all email.
The Mail Anti-Virus component scans all incoming and outgoing email on your computer. It analyzes emails for malicious programs, only granting the addressee access to the email if it is free of dangerous objects.
Web Anti-Virus
By opening various web sites on the Internet, you risk infecting your computer with viruses installed on it by scripts that are stored on the web pages. You also risk downloading a dangerous file to your computer.
Web Anti-Virus is specially designed to combat these risks, by intercepting and blocking scripts on web sites if they pose a threat, and by thoroughly monitoring all HTTP traffic.
Proactive Defense
With every new day, there are more and more malicious programs. They are becoming more complex, combining several types, and the methods they use to spread themselves change, so they become harder and harder to detect.
To detect a new malicious program before it has time to do any damage, Kaspersky Lab has developed a special component, Proactive Defense. It is designed to monitor and analyze the behavior of all installed programs on your computer. Based on a program’s actions, Kaspersky Anti-Virus decides whether it is potentially dangerous. Proactive Defense protects your computer both from known viruses and from new ones that have yet to be discovered.
Anti-Spy
Programs that display unwanted advertising (for example, banner ads and popup windows), programs that call numbers for paid Internet services without user authorization, remote administration and monitoring tools, joke programs, etc. have become increasingly common.
Anti-Spy traces and blocks these actions on your computer. For example, the component blocks banner ads and popup windows, blocks programs that attempt autodialing, and analyzes web pages for phishing content.
Anti-Hacker
Hackers will use any potential hole to invade your computer, whether it is an open port, data transmissions between computers, etc.
The Anti-Hacker component protects your computer while you are using the Internet and other networks. It monitors inbound and outbound connections, and scans ports and data packets.
Anti-Spam
Although not a direct threat to your computer, spam increases the load on email servers, fills up your email inbox, and wastes your time, thereby representing a business cost.
The Anti-Spam component plugs into your computer’s email client program, and scans all incoming email for spam subject matter. The component marks all spam emails with a special header. Anti-Spam can be configured to process spam as you like (auto delete, move to a special folder, etc.).

2.2.2. Virus scan tasks

In addition to constantly monitoring all potential pathways for malicious programs, it is extremely important to periodically scan your computer for viruses. This is necessary to detect malicious programs that were not previously discovered by the program because, for instance, its security level was set too low.
Kaspersky Anti-Virus for Windows Workstations configures, by default, the following virus-scan tasks:
Critical Areas
Scans all critical areas of the computer for viruses. This includes system memory, programs loaded on startup, boot sectors on the hard drive, and the Microsoft Windows system directories. The task aims to detect active viruses quickly without fully scanning the computer.
My Computer
Scans for viruses on your computer with a thorough inspection of all disk drives, memory, and files.
Startup Objects
Scans for viruses in all programs that are loaded automatically on startup, plus RAM and boot sectors on hard drives.
There is also the option to create other virus-scan tasks and create a schedule for them. For example, you can create a scan task for email databases once per week, or a virus scan task for the My Documents folder.

2.2.3. Program tools

Kaspersky Anti-Virus for Windows Workstations includes a number of support tools, which are designed to provide real-time software support, expanding the capabilities of the program and assisting you as you go.
Updater
In order to be prepared for a hacker attack, or to delete a virus or some other dangerous program, Kaspersky Anti-Virus for Windows Workstations needs to be kept up-to-date. The Updater component is designed to do exactly that. It is responsible for updating the Kaspersky Anti-Virus for Windows Workstations threat signatures and program modules.
The update distribution feature can save threat signature and application module updates retrieved from Kaspersky Lab update servers in a local folder. It then grants other computers on the network access to them to conserve on Internet bandwidth.
Data Files
Each protection component, virus search task, and program update creates a report as it runs. The reports contain information on completed operations and their results. By using the Reports feature, you will remain up-to-date on the operation of all Kaspersky Anti-Virus for Windows Workstations components. Should problems arise, the reports can be sent to Kaspersky Lab, allowing our specialists to study the situation in greater depth and help you as quickly as possible.
Kaspersky Anti-Virus for Windows Workstations sends all files suspected of being dangerous to a special Quarantine area, where they are stored in encrypted form to avoid infecting the computer. You can scan these objects for viruses, restore them to their previous locations, delete them, or manually add files to Quarantine. Files that are found not to be infected upon completion of the virus scan are automatically restored to their former locations.
The Backup area holds copies of files disinfected and deleted by the program. These copies are created in case you either need to restore the files, or want information about their infection. These backup copies are also stored in an encrypted form to avoid further infection.
You can manually restore a file from Backup to the original location and delete the copy.
Rescue Disk
Kaspersky Anti-Virus for Windows Workstations can create a Rescue Disk, which provides a backup plan if system files are damaged by a virus attack and it is impossible to boot the operating system. By using the Rescue Disk in such a case, you can boot your computer and restore the system to the condition prior to the malicious action.
Support
All registered Kaspersky Anti-Virus users can take advantage of our technical support service. To learn where exactly you can get technical support, use the Support feature.
Using these links, you can go to a Kaspersky Lab user forum and a list of frequently asked questions that may help you resolve your issue. In addition, by completing the form on the site, you can send Technical Support a message on the error or failure in the operation of the application.
You will also be able to access Technical Support on-line, and, of course, our employees will always be ready to assist you with Kaspersky Anti-Virus by phone.
2.3. Hardware and software system requirements
For Kaspersky Anti-Virus for Windows Workstations 6.0 to run properly, your computer must meet these minimum requirements:
General Requirements:
50 MB of free hard drive space
CD-ROM drive (for installing Kaspersky Anti-Virus for Windows Workstations 6.0 from an installation CD)
Microsoft Internet Explorer 5.5 or higher (for updating threat signatures and program modules through the Internet)
Microsoft Windows Installer 2.0
Microsoft Windows 98, Microsoft Windows Me, Microsoft Windows NT Workstation 4.0 (Service Pack 6a):
Intel Pentium 300 MHz processor or faster (or compatible)
64 MB of RAM
Microsoft Windows 2000 Professional (Service Pack 4 or higher), Microsoft Windows XP Home Edition, Microsoft Windows XP Professional (Service Pack 1 or higher), Microsoft Windows XP Professional x64 Edition:
Intel Pentium 300 MHz processor or compatible
128 MB of RAM
Microsoft Windows Vista, Microsoft Windows Vista x64:
Intel Pentium 800 MHz 32-bit (x86)/ 64-bit (x64) or faster (or compatible)
512 MB of RAM
2.4. Software packages
You can purchase the boxed version of Kaspersky Anti-Virus for Windows Workstations from our resellers, or download it from Internet shops, including the eStore section of www.kaspersky.com.
If you buy the boxed version of the program, the package will include:
A sealed envelope with an installation CD containing the program files
A license key, included with the installation package or on a special diskette, or an application activation code on the CD slip.
A User Guide
The end-user license agreement (EULA)
Before breaking the seal on the installation disk envelope, carefully read through the EULA.
If you buy Kaspersky Anti-Virus for Windows Workstations from an online store, you copy the product from the Kaspersky Lab website (Downloads → Product Downloads). You can download the User Guide from the Downloads → Documentation section.
You will be sent a license key or activation code by email after your payment has been received.
The End-User License Agreement is a legal agreement between you and Kaspersky Lab that specifies the terms on which you may use the software you have purchased.
Read the EULA through carefully.
If you do not agree with the terms of the EULA, you can return your boxed product to the reseller from whom you purchased it and be reimbursed for the amount you paid for the program. If you do so, the sealed envelope for the installation disk must still be sealed.
By opening the sealed installation disk, you accept all the terms of the EULA.
2.5. Support for registered users
Kaspersky Lab provides its registered users with an array of services to make Kaspersky Anti-Virus for Windows Workstations more effective.
When the program has been activated, you become a registered user and will have the following services available until the license expires:
New versions of the program free of charge
Consultation on questions regarding installation, configuration, and operation of the program, by phone and email
Notifications on new Kaspersky Lab product releases and new viruses (this service is for users that subscribe to Kaspersky Lab news mailings)
Kaspersky Lab does not provide technical support for operating system use and operation, or for any products other than its own.
CHAPTER 3. INSTALLING KASPERSKY ANTI-VIRUS FOR WINDOWS WORKSTATIONS 6.0
There are several ways to install Kaspersky Anti-Virus for Windows Workstations:
Local Installation: install the application on a single host. Direct access to the host in question is required to run and complete the install. A local install may be performed in one of the two modes below:
an interactive install using the application Installation Wizard (see 3.1 on page 32); this mode requires user input for the install to proceed;
a non-interactive install run from the command line and not requiring any user input for the install to proceed (see 3.3, pg. 44).
Remote Installation: install the application to networked computers remotely from an administrator workstation using:
Microsoft Windows Server 2000/2003 group domain policies (see 3.4, pg. 45).
It is recommended that all running applications be closed prior to Kaspersky Anti-Virus installation (including a remote installation).
In the event that you already have Kaspersky Anti-Virus 5.0 installed, it will be removed and updated to Kaspersky Anti-Virus 6.0 when the installation procedure is run (see 3.5, pg. 47 for more detail). Updates to more recent builds (minor versions) within Kaspersky Anti-Virus 6.0 are transparent.
3.1. Installation procedure using the Installation Wizard
To install Kaspersky Anti-Virus for Windows Workstations on your computer, open the Windows Installer file on the installation CD.
Note:
Installing the program with an installer package downloaded from the Internet is identical to installing it from an installation CD.
An installation wizard will open for the program. Each window contains a set of buttons for navigating through the installation process. Here is a brief explanation of their functions:
Next – accepts an action and moves forward to the next step of installation.
Back – goes back to the previous step of installation.
Cancel – cancels product installation.
Finish – completes the program installation procedure.
Let’s take a closer look at the steps of the installation procedure.
Step 1. Checking for the necessary system conditions to install Kaspersky Anti-Virus for Windows Workstations
Before the program is installed on your computer, the installer checks your computer for the operating system and service packs necessary to install Kaspersky Anti-Virus for Windows Workstations. It also checks your computer for other necessary programs and verifies that your user rights allow you to install software.
If any of these requirements is not met, the program will display a message informing you of the fault. You are advised to install any necessary service packs through Windows Update, and any other necessary programs, before installing Kaspersky Anti-Virus for Windows Workstations.
Step 2. Installation Welcome window
If your system fully meets all requirements, an installation window will appear when you open the installer file with information on beginning the installation of Kaspersky Anti-Virus for Windows Workstations.
To continue installation, click the Next button. You may cancel installation by clicking Cancel.
Step 3. Viewing the End-User License Agreement
The next window contains the End-User License Agreement which is made between you and Kaspersky Lab. Carefully read through it, and if you agree to all the terms of the agreement, select I accept the terms of the License Agreement and click the Next button. Installation will continue.
To cancel the installation click the Cancel button.
Step 4. Selecting an installation folder
The next stage of Kaspersky Anti-Virus for Windows Workstations installation determines where the program will be installed on your computer. The default path is:
<drive>\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations – for 32-bit systems.
<drive>\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations – for 64-bit systems.
You can specify a different folder by clicking the Browse button and selecting it in the folder selection window, or by entering the path to the folder in the field available.
Remember that if you enter the full path to the installation folder manually, its length must not exceed 200 characters or contain special characters.
To continue installation, click the Next button.
Step 5. Using Saved Installation Settings
In this step, you are prompted to specify whether you wish to use previously saved security settings, threat signatures, and Anti-Spam databases if these were in fact saved when a previous Kaspersky Anti-Virus 6.0 installation was removed from your computer.
Let’s take a closer look at how to use the options described above.
If you have previously installed another version or build of Kaspersky Anti-Virus for Windows Workstations on your computer and you saved its threat signatures when you uninstalled it, you can use them in the current version. To do so, check Threat signatures. The threat signatures included with the program installation will not be copied to the server.
To use protection settings that you configured and saved from a previous version, check Protection settings.
You are also advised to use the Anti-Spam base if you saved one when you uninstalled the previous version of the program. This way, you will not have to retrain Anti-Spam. To use the base that you already created, check Anti-Spam base.
Step 6. Selecting an installation type
In this stage, you select how much of the program you want to install on your computer. You have three options:
Complete. If you select this option, all Kaspersky Anti-Virus for Windows Workstations components will be installed. The installation will recommence with Step 8.
Custom. If you select this option, you can select the program components that you want to install. For more, see Step 7.
Anti-virus features. This option installs only the components that protect you against viruses. Anti-Hacker, Anti-Spam and Anti-Spy will not be installed.
To select a setup type, click the appropriate button.
Step 7. Selecting program components to install
This step occurs only if you select the Custom setup type.
If you selected Custom installation, you can select the components of Kaspersky Anti-Virus for Windows Workstations that you want to install. By default, all protection components are selected.
To select the components you want to install, left-click the icon alongside a component name and select Will be installed on local hard drive from the opened menu. You will find more information on what protection a selected component provides, and how much disk space it requires for installation, in the lower part of the program installation window.
If you do not want to install a component, select Entire feature will be unavailable item from the context menu. Remember that by choosing not to install a component you deprive yourself of protection against a wide range of dangerous programs.
After you have selected the components you want to install, click Next. To return the list to the default programs to be installed, click Reset.
Step 8. Disabling the Microsoft Windows firewall
You will only take this step if you are installing the Anti-Hacker component of Kaspersky Anti-Virus for Windows Workstations on a computer with the built-in firewall enabled.
In this step, Kaspersky Anti-Virus for Windows Workstations asks you if you want to disable the Windows Firewall, since the Anti-Hacker component of Kaspersky Anti-Virus for Windows Workstations provides full firewall protection.
If you wish to use Anti-Hacker as your primary browsing security tool, click Next. The Windows Firewall will be disabled automatically.
If you want to use the Windows Firewall, select Keep Windows Firewall enabled. If you select this option, Anti-Hacker will be installed, but disabled to avoid program conflicts.
Step 9. Searching for other anti-virus programs
In this stage, the installer searches for other anti-virus products installed on your computer, including Kaspersky Lab products, which could raise compatibility issues with Kaspersky Anti-Virus for Windows Workstations.
The installer will display on screen a list of any such programs it detects. The program will ask you if you want to uninstall them before continuing installation.
You can select manual or automatic uninstall under the list of anti-virus applications detected.
To continue installation, click the Next button.
Step 10. Finishing installing your program
In this stage, the program will ask you to finish installing the program on your computer.
When initially installing Kaspersky Anti-Virus 6.0, we do not recommend deselecting Enable Self-Defense before installation. Having protection modules enabled will allow the installation to be rolled back correctly if errors occur while installing the application. If you are attempting to install the application again, we recommend deselecting this checkbox.
If the application is installed remotely via Windows Remote Desktop, we recommend unchecking the flag Enable Self-Defense before installation. Otherwise the installation procedure might not complete, or might not complete correctly.
To continue installation, click the Next button.
Warning!
When Kaspersky Anti-Virus components that intercept network traffic are being installed, current network connections are broken. Most of them will be restored after some time.
Step 11. Completing the installation procedure
The Complete Installation window contains information on finishing the Kaspersky Anti-Virus installation process.
To start the setup wizard, click Next (see 3.2, pg. 36).
If installation is completed successfully, you will need to restart your computer, and a message on the screen will tell you so.
3.2. Setup Wizard
The Kaspersky Anti-Virus for Windows Workstations 6.0 Setup Wizard starts after the program has finished installation. It is designed to help you configure the initial program settings to conform to the features and uses of your computer.
The Setup Wizard interface is designed like a standard Windows Wizard and consists of a series of steps that you can move between using the Back and Next buttons, or complete using the Finish button. The Cancel button will stop the Wizard at any point.
You can skip this initial settings stage when installing the program by closing the Wizard window. In the future, you can run it again from the program interface if you restore the default settings for Kaspersky Anti-Virus for Windows Workstations (see 17.3 on page 224).

3.2.1. Using objects saved with Version 5.0

This wizard window appears when you install the application on top of Kaspersky Anti-Virus 5.0. You will be asked to select what data used by version 5.0 you want to import to version 6.0. This might include quarantined or backup files or protection settings.
To use this data in Version 6.0, check the necessary boxes.

3.2.2. Activating the program

Before activating the program, make sure that the computer's system date settings match the actual date and time.
The program is activated by installing a license key that Kaspersky Anti-Virus will use to check for a license and to determine the expiration date for it.
The license key contains system information necessary for all the program’s features to operate, and other information:
Support information (who provides program support and where you can obtain it)
Name, number, and expiration date of your license
3.2.2.1. Selecting a program activation method
Depending on whether you have a key for Kaspersky Anti-Virus or need to obtain one from the Kaspersky Lab server, you have several options for activating the program:
Activate using the activation code. Select this activation option if you have purchased the full version of the program and were provided with an activation code. Using this activation code you will obtain a key file providing access to the application's full functionality throughout the effective term of the license agreement.
Activate trial version. Select this activation option if you want to install the trial version of the program before making the decision to buy a commercial version. You will be given a free key valid for a term specified in the trial version license agreement.
Apply existing license key. Activate the application using a Kaspersky Anti-Virus 6.0 license key file.
Activate later. If you choose this option, you will skip the activation stage. Kaspersky Anti-Virus for Windows Workstations 6.0 will be installed on your computer and you will have access to all program features except updates (you can only update the threat signatures once after installing the program).
The first two activation options use a Kaspersky Lab web server, which requires an Internet connection. Before activating, make sure to edit your network settings (see 16.4.3 on pg. 213) in the window that opens when you click LAN settings (if necessary). For more in-depth information on configuring network settings, contact your system administrator or ISP.
If you have no Internet connection when installing the program, you can activate the application later (see 17.5 on pg. 242) using its interface, or you can use the Internet access of another computer to register at the Kaspersky Lab Technical Support website and get the key using the activation code.
3.2.2.2. Entering the activation code
You must enter an activation code to activate the program. If you purchase the program through the Internet, you will receive the activation code by e-mail. If you purchase a boxed version of the program, you will find the activation code on the installation CD-ROM envelope.
The activation code is a sequence of numbers and letters separated by dashes into four sections of five characters each, no spaces. For example, 11AA1-11AAA-1AA11-1A111. Note that the code must be entered in Latin characters.
Enter your contact information in the lower part of the window: full name, e-mail address, and country and city of residence. This information might be requested to identify a registered user if, for example, a key is lost or stolen. If that were to happen, your contact information will enable you to obtain a new license key.
3.2.2.3. Obtaining a key file
The Settings Wizard connects to Kaspersky Lab servers and sends them your registration data (the activation code and personal information), which are inspected on the server.
If the activation code passes inspection, the Wizard receives a key file. If you install the demo version of the program, the Settings Wizard will receive a trial key file without an activation code.
The file received will be installed automatically to use the program and you will see an activation completion window with detailed information on the key being used.
If the activation code does not pass inspection, you will see a corresponding message on the screen. If this occurs, contact the software vendors from whom you purchased the program for information.
3.2.2.4. Selecting a license key file
If you have a license key file for Kaspersky Anti-Virus for Windows Workstations 6.0, the Wizard will ask if you want to install it. If you do, use the Browse button and select the file path for the key file with the .key extension in the file selection window.
After you have successfully installed the key, you will see information about the license in the lower part of the window: name of the person to whom the software is registered, license number, license type (full, beta-testing, demo, etc.), and the expiration date for the key.
3.2.2.5. Completing program activation
The Setup Wizard will inform you that the program has been successfully activated. It will also display information on the license key installed: name of the person to whom the software is registered, license number, license type (full, beta-testing, demo, etc.), and the expiration date for the key.

3.2.3. Selecting a security mode

In this window, the Settings Wizard asks you to select the security mode that the program will operate with:
Basic. This is the default setting and is designed for users who do not have extensive experience with computers or anti-virus software. It sets all the program’s components to their recommended security levels and only informs the user of dangerous events, such as the detection of malicious code or the execution of dangerous actions.
Interactive. This mode provides more customized defense of your computer’s data than Basic Mode. It can trace attempts to modify system settings, suspicious activity in the system, and unauthorized activity on the network.
Each of these activities could be initiated by malicious programs or be a standard activity for some of the programs you use on your computer. You will have to decide for each separate case whether those activities should be allowed or blocked.
If you choose this mode, specify in what contexts it should be used:
Enable Anti-Hacker Training Mode – prompts user for confirmation when programs installed on your computer attempt to connect to certain network resources. You can either allow or block that connection, and configure an Anti-Hacker rule for that program. If you disable Training Mode, Anti-Hacker runs with minimal protection settings, meaning that it grants all applications access to network resources.
Enable Registry Guard – prompts user for a response when attempts to modify system registry keys are detected.
If the application is installed on a computer running Microsoft Windows XP Professional x64 Edition, Microsoft Windows Vista, or Microsoft Windows Vista x64, the interactive mode settings listed below will not be available.
Enable Extended Proactive Defense – analyzes all suspicious activity by applications in the system, including browsers opening with command line settings, injection into application processes, and window hook interceptors (by default, this option is not selected).

3.2.4. Configuring update settings

Your computer’s security depends directly on updating the threat signatures and program modules regularly. In this window, the Setup Wizard asks you to select a mode for program updates, and to configure a schedule.
Automatically. Kaspersky Anti-Virus checks the update source for updates at specified intervals. During virus outbreaks, the check frequency may increase, and decrease when they are gone. If it finds new updates, Anti-Virus downloads them and installs them on the computer. This is the default setting.
Every 2 hours. Updates will run automatically according to the schedule created. You can configure the schedule by clicking Edit.
Manually. If you choose this option, you will run program updates yourself.
Note that the threat signatures and program modules included with the software may be outdated by the time you install the program. That is why we recommend downloading the latest program updates. To do so, click Update now. Then Kaspersky Anti-Virus for Windows Workstations will download the necessary updates from the update servers and will install them on your computer.
If you want to configure updates (set up network properties, select the resource from which updates will be downloaded, set up running task under a certain account or enable update distribution option), click Settings.

3.2.5. Configuring a virus scan schedule

Scanning selected areas of your computer for malicious objects is one of the key steps in protecting your computer.
When you install Kaspersky Anti-Virus for Windows Workstations, three default virus scan tasks are created. In this window, the Setup Wizard asks you to choose a scan task setting:
Startup objects
By default, Kaspersky Anti-Virus automatically scans Startup objects when it starts up. You can edit the schedule properties in another window by clicking Change.
Critical Areas
To automatically scan critical areas of your computer (system memory, Startup objects, boot sectors, Windows system folders) for viruses, check the appropriate box. You can configure the schedule by clicking Change.
The default setting for this automatic scan is disabled.
My Computer
For a full virus scan of your computer to run automatically, check the appropriate box. You can configure the schedule by clicking Change.
The default setting, for scheduled running of this task, is disabled. However, we recommend running a full virus scan of your computer immediately after installing the program.

3.2.6. Restricting program access

Kaspersky Anti-Virus gives you the option of password-protecting the program, since several people with different levels of computer literacy may use the same computer, and since malicious programs could potentially disable protection. Using a password can protect the program from unauthorized attempts to disable protection or change settings.
To enable password protection, check Enable password protection and complete the Password and Confirm password fields.
Select the area below that you want password protection to apply to:
All operations (other than warning notifications). Request password if the user attempts any action with the program, except for responses to notifications on detection of dangerous objects.
Selected operations:
Saving program settings – request password when a user attempts to save changes to program settings.
Exiting the program – request password if a user attempts to exit the program.
Stopping / pausing protection components and virus scan tasks – request password if user attempts to pause or fully disable any protection component or virus scan task.

3.2.7. Configuring Anti-Hacker settings

Anti-Hacker is the Kaspersky Anti-Virus for Windows Workstations component that guards your computer on local networks and the Internet. At this stage, the Setup Wizard asks you to create a list of rules that will guide Anti-Hacker when analyzing your computer’s network activity.
3.2.7.1. Determining a security zone’s status
In this stage, the Setup Wizard analyzes your computer’s network environment. Based on its analysis, the entire network space is broken down into zones:
Internet – the World Wide Web. In this zone, Kaspersky Anti-Virus for Windows Workstations operates as a personal firewall. In doing so, default rules for packet filtering and applications regulate all network activity to ensure maximum security. You cannot change protection settings when working in this zone, other than enabling Stealth Mode on your computer for added safety.
Security zones – certain zones that mostly correspond with subnets that include your computer (this could be local subnets at home or at work). These zones are by default average risk-level zones. You can change the status of these zones based on how much you trust a certain subnet, and you can configure rules for packet filtering and applications.
All the zones detected will be displayed in a list. Each of them is shown with a description, their address and subnet mask, and the degree to which any network activity will be allowed or blocked by Anti-Hacker.
Internet. This is the default status assigned to the Internet, since when you are connected to it, your computer is subjected to all potential threat types. This status is also recommended for networks that are not protected by any anti-virus programs, firewalls, filters, etc. When you select this status, the program ensures maximum security while you are using this zone, specifically:
blocking any network NetBios activity within the subnet
blocking rules for applications and packet filtering that allow NetBios activity within this subnet
Even if you have created a shared folder, the information in it will not be available to users from subnetworks with this status. Additionally, if this status is selected for a certain subnetwork, you will not be able to access files and printers of this subnetwork.
Local Area Network. The program assigns this status to the majority of security zones detected when it analyzes the computer’s network environment, except the Internet. It is recommended to apply this status to zones with an average risk factor (for example, corporate LANs). If you select this status, the program allows:
any network NetBios activity within the subnet
rules for applications and packet filtering that allow NetBios activity within this subnet
Select this status if you want to grant access to certain folders or printers on your computer, but want to block all other outside activity.
Trusted (allow all connections). This status is given to networks that you feel are absolutely safe, so that your computer is not subject to attacks and attempts to gain access to your data while connected to it. When you are using this type of network, all network activity is allowed. Even if you have selected Maximum Protection and have created block rules, they will not function for remote computers from a trusted network.
You can use Stealth Mode for added security when using networks labeled Internet. This feature only allows network activity initiated from your computer, meaning that your computer becomes invisible to its surroundings. This mode does not affect your computer’s performance on the Internet.
We do not recommend using Stealth Mode if you use your computer as a server (for example, a mail or HTTP server), as the computers that attempt to connect to the server will not see it as connected.
To change the status of a zone or to enable/disable Stealth Mode, select the zone from the list, and use the appropriate links in the Rule description box below the list. You can perform similar tasks and edit addresses and subnet masks in the Zone Settings window, which you can open by clicking Edit.
You can add a new zone to the list while viewing it. To do so, click Find. Anti-Hacker will search for available zones, and if it detects any, the program will ask you to select a status for them. In addition, you can add new zones to the list manually (if you connect your laptop to a new network, for example). To do so, use the Add button and fill in the necessary information in the Zone Settings window.
To delete a network from the list, click the Delete button.
3.2.7.2. Creating a list of network applications
The Setup Wizard analyzes the software installed on your computer and creates a list of applications that use network connections.
Anti-Hacker creates a rule to control network activity for each such application. The rules are applied using templates for common network applications, created at Kaspersky Lab and included with the software.
You can view the list of network applications and their rules in the Anti-Hacker settings window, which you can open by clicking List.
For added security, we recommend disabling DNS caching when using Internet resources. DNS caching drastically cuts down on the time your computer is connected to this valuable Internet resource; however, it is also a dangerous vulnerability, and by exploiting it, hackers can create data leaks that cannot be traced using the firewall. Therefore, to increase the degree of security for your computer, you are advised to disable DNS caching.

3.2.8. Finishing the Setup Wizard

The last window of the Wizard will ask if you want to restart your computer to complete the program installation. You must restart for Kaspersky Anti-Virus for Windows Workstations drivers to register.
Some program components will not work until you can restart.
3.3. Installing the program from the command prompt
To install Kaspersky Anti-Virus 6.0 for Windows Workstations, enter this at the command prompt:
msiexec /i <package_name>
The Installation Wizard will start (see 3.1 on pg. 32). Once the program is installed, you must restart the computer.
To install the application non-interactively (without running the Installation Wizard), enter:
msiexec /i <package_name> /qn
This option will require you to reboot your machine manually once the installation is complete. To perform an automatic reboot from the command line, enter:
msiexec /i <package_name> ALLOWREBOOT=1 /qn
Please note that an automatic reboot will occur in non-interactive mode (using the /qn key).
To install the application with an uninstall password, enter:
msiexec /i <package_name> KLUNINSTPASSWD=******
when performing an interactive installation;
msiexec /i <package_name> KLUNINSTPASSWD=****** /qn
when performing a non-interactive installation without system reboot;
msiexec /i <package_name> KLUNINSTPASSWD=****** ALLOWREBOOT=1 /qn
when performing a non-interactive installation with system reboot.
If you install Kaspersky Anti-Virus in non-interactive mode, you can access the file setup.ini, which contains the general settings for application installation (see A.4 on pg. 289), the configuration install.cfg (see 18.8 on pg. 276), and the license key file. Note that these files must be located in the same folder as the Kaspersky Anti-Virus installer package.
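The non-interactive installation above, wrapped in a PowerShell function as an added example (not code from the manual or from Kaspersky Lab). The function name, its parameters and the *.key file pattern are assumptions; the function also applies the local-folder advice from the warning in section 3.5 and interprets the standard Windows Installer exit codes.

```powershell
# Added example, not from the Kaspersky manual. Install-KavSilently and its
# parameters are hypothetical names; /i, /qn, KLUNINSTPASSWD and ALLOWREBOOT
# are the switches and properties shown in section 3.3.
function Install-KavSilently {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackagePath,        # path to the .msi package
        [System.Security.SecureString] $UninstallPassword,   # optional uninstall password
        [switch] $AllowReboot                                 # adds ALLOWREBOOT=1
    )

    $msi  = Get-Item -LiteralPath $PackagePath -ErrorAction Stop
    $root = [System.IO.Path]::GetPathRoot($msi.FullName)

    # Section 3.5 warns that an installer started from a network folder can lose
    # access to it after the restart, so insist on a local folder here.
    $onNetwork = $root.StartsWith('\\') -or
                 ([System.IO.DriveInfo]::new($root).DriveType -eq 'Network')
    if ($onNetwork) {
        throw "Copy the package to a local folder first: $($msi.FullName)"
    }

    # setup.ini, install.cfg and the license key file are only picked up when they
    # sit in the same folder as the package. '*.key' is an assumed file pattern.
    foreach ($name in 'setup.ini', 'install.cfg', '*.key') {
        $found = Get-ChildItem -Path $msi.DirectoryName -Filter $name -File `
                               -ErrorAction SilentlyContinue
        if ($found) { Write-Verbose "Found $($found.Name -join ', ')" }
        else        { Write-Verbose "No $name beside the package; defaults apply" }
    }

    $msiArgs = @('/i', ('"{0}"' -f $msi.FullName))
    if ($UninstallPassword) {
        # The property value travels on the msiexec command line, so it is visible
        # to anything that records process command lines on this host.
        $plain = [System.Net.NetworkCredential]::new('', $UninstallPassword).Password
        $msiArgs += ('KLUNINSTPASSWD="{0}"' -f $plain)
    }
    if ($AllowReboot) { $msiArgs += 'ALLOWREBOOT=1' }
    $msiArgs += '/qn'

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes.
    switch ($proc.ExitCode) {
        0       { 'Installed; restart the computer so the drivers can register.' }
        3010    { 'Installed; Windows Installer reports that a restart is required.' }
        1641    { 'Installed; Windows Installer has initiated the restart.' }
        default { throw "msiexec failed with exit code $($proc.ExitCode)" }
    }
}

# Usage (the package path is a placeholder):
# Install-KavSilently -PackagePath 'C:\Install\<package_name>' `
#     -UninstallPassword (Read-Host 'Uninstall password' -AsSecureString) -Verbose
```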
3.4. Procedure for installing the Group Policy Object
This feature is supported on computers running Microsoft Windows 2000 or higher.
Using Group Policy Object Editor, you can install, update, and uninstall Kaspersky Anti-Virus on enterprise workstations within the domain.

3.4.1. Installing the program

To install Kaspersky Anti-Virus:
1. Create a shared folder on the computer that is the domain controller and copy the Kaspersky Anti-Virus .msi installer package to it.
You can also copy in the file setup.ini, which contains the general settings for application installation (see A.4 on pg. 289), the configuration install.cfg (see 18.7 on pg. 276), and the license key file.
2. Open the Group Policy Object Editor via MMC (for more detailed information on using Group Policy Object, consult help in Microsoft Windows Server).
3. Create a new package. To do so, from the console tree, select Group Policy Object/ Computer Configuration/ Software Settings/ Software installation and use the command New/ Package from the context menu.
In the window that opens, specify the path to the shared folder with the Anti-Virus installer (see 1). Select Assign from the Select Deployment Method dialog box and click OK.
The group policy will be enforced on each workstation the next time the computer is registered in the domain. Kaspersky Anti-Virus will then be installed on all computers.

3.4.2. Upgrading the program

To upgrade Kaspersky Anti-Virus:
1. Copy the installer package containing the Kaspersky Anti-Virus update in .msi format to the shared folder.
2. Open Group Policy Object Editor and create a new package using the steps given above.
3. Select the new package and select the Properties command from the context menu. In the package properties window, go to the Upgrades tab and specify the package that contains the installer for the previous version of Kaspersky Anti-Virus. To install the Kaspersky Anti-Virus upgrade and keep your protection settings, select a variant of upgrading the previous version.
The group policy will be enforced on each workstation the next time the computer is registered in the domain.
Note that Kaspersky Anti-Virus on computers running Microsoft Windows 2000 Professional cannot be upgraded using Group Policy Object Editor.

3.4.3. Uninstalling the program

To uninstall Kaspersky Anti-Virus:
1. Open Group Policy Object Editor.
2. To do so, from the console tree, select Group Policy Object/ Computer Configuration/ Software Settings/ Software installation.
Select the Kaspersky Anti-Virus package from the list. Open the context menu and select the command All Tasks/ Remove.
In the Remove Software dialog box, select Immediately uninstall the software from users and computers for Kaspersky Anti-Virus to be uninstalled the next time a computer restarts.
3.5. Upgrading from 5.0 to 6.0
If Kaspersky Anti-Virus 5.0 for Windows Workstations is installed on your computer, you can upgrade it to Kaspersky Anti-Virus 6.0.
After you start the Kaspersky Anti-Virus 6.0 installation program, you will be given the choice of first uninstalling the already installed version 5.0. Once the uninstall process is complete, you must restart your computer, after which version 6.0 installation will run.
Warning!
When you upgrade Kaspersky Anti-Virus 5.0 to 6.0 from a password-protected network folder, version 5.0 will be uninstalled and the computer will be restarted without then installing version 6.0 of the application. This is because the installer program does not have access privileges to the network folder. To resolve this problem, only run the installer from a local folder.
CHAPTER 4. PROGRAM INTERFACE
Kaspersky Anti-Virus for Windows Workstations has a straightforward, user-friendly interface. This chapter will discuss its basic features:
System tray icon (see 4.1 on pg. 48)
Context menu (see 4.2 on pg. 49)
Main window (see 4.3 on pg. 50)
Program settings window (see 4.4 on pg. 53)
In addition to the main program interface, there are plug-ins for the following applications:
Microsoft Office Outlook – virus scans (see 8.2.2 on pg. 104) and spam scans (see 13.3.8 on pg. 180)
Microsoft Outlook Express (Windows Mail) (see 13.3.9 on pg. 183)
The Bat! – virus scans (see 8.2.3 on pg. 105) and spam scans (see 13.3.10 on pg. 184)
Microsoft Internet Explorer (see Chapter 11 on pg. 132)
Microsoft Windows Explorer (see 14.2 on pg. 188)
The plug-ins extend the functionality of these programs by making Kaspersky Anti-Virus for Windows Workstations management and settings possible from their interfaces.
4.1. System tray icon
As soon as you install Kaspersky Anti-Virus for Windows Workstations, its icon will appear in the system tray.
The icon is an indicator for Kaspersky Anti-Virus for Windows Workstations functions. It reflects the state of protection and shows a number of basic functions performed by the program.
If the icon is active (color), this means that your computer is being protected. If the icon is inactive (black and white), this means that all protection components (see 2.2.1 on pg. 24) are disabled.
The Kaspersky Anti-Virus for Windows Workstations icon changes in relation to the operation being performed:
Emails are being scanned.
Scripts are being scanned.
A file that you or some program is opening, saving, or running is being scanned.
Kaspersky Anti-Virus for Windows Workstations threat signatures and program modules are being updated.
An error has occurred in some Kaspersky Anti-Virus component.
The icon also provides access to the basics of the program interface: the context menu (see 4.2 on pg. 49) and the main window (see 4.3 on pg. 50).
To open the context menu, right-click on the program icon.
To open the Kaspersky Anti-Virus for Windows Workstations main window at the Protection section (this is the default first screen when you open the program), double-click the program icon. If you single-click the icon, the main window will open at the section that was active when you last closed it.
4.2. The context menu
You can perform basic protection tasks from the context menu (see Figure 1).
The Kaspersky Anti-Virus for Windows Workstations menu contains the following items:
Scan My Computer – launches a complete scan of your computer for dangerous objects. The files on all drives, including removable storage media, will be scanned.
Virus scan… – selects objects and starts scanning them for viruses. The default list contains a number of files, such as the My Documents folder, the Startup folder, email databases, all the drives on your computer, etc. You can add to the list, select files to be scanned, and start virus scans.
Update – starts the update of program modules and threat signatures and installs them on your computer.
Network Monitor – view the list of network connections established, open ports, and traffic.
Activate… – activate the program. You must activate your version of Kaspersky Internet Security to obtain registered user status which provides access to the full functionality of the application and Technical Support. This menu item is only available if the program is not activated.
Settings… – view and configure settings for Kaspersky Anti-Virus for Windows Workstations.
Open Kaspersky Anti-Virus – open the main program window (see 4.3 on pg. 50).
Pause Protection / Resume Protection – temporarily disable or enable protection components (see 2.2.1 on pg. 24). This menu item does not affect program updates or virus scan tasks.
Exit – close Kaspersky Anti-Virus for Windows Workstations (when this option is selected, the application will be unloaded from the computer’s RAM).
Figure 1. The context menu
If a virus search task is running, the context menu will display its name with a percentage progress meter. By selecting the task, you can open the report window to view current performance results.
4.3. Main program window
The Kaspersky Anti-Virus for Windows Workstations main window (see Figure 2) can be logically divided into two parts:
the left part of the window, the navigation panel, guides you quickly and easily to any component, virus scan and update task performance, or the program’s support tools;
the right part of the window, the information panel, contains information on the protection component selected in the left part of the window and displays settings for each of them, giving you tools to carry out virus scans, work with quarantined files and backup copies, manage license keys, and so on.
Figure 2. Kaspersky Anti-Virus for Windows Workstations main window
After selecting a section or component in the left part of the window, you will find information in the right-hand part that matches your selection.
We will now examine the elements in the main window’s navigation panel in greater detail.
Main Window Section Purpose
This window mostly informs you of the protection status of your computer. The Protection section is designed for exactly that.
To see general information on operation of Kaspersky Anti-Virus, review overall statistics for program operation, and make sure that all components are working correctly, select the Protection section in the navigation area.
You can also enable/disable protection components here. To view statistics and settings for a specific protection component, you need only select the name of the component about which you want information in the Protection section.
To scan your computer for malicious files or programs, use the special Scan section in the main window.
This section contains a list of objects that can be scanned for viruses.
The commonest and most important tasks are included in the section. These include virus scan tasks for critical areas, for startup programs, and a full computer scan.
The Service section includes additional Kaspersky Anti-Virus for Windows Workstations features.
Here you can update the program, view reports on the performance of any of the Kaspersky Anti-Virus for Windows Workstations components or tasks, work with quarantined objects and backup copies, review technical support information, create a Rescue Disk and manage license keys.
The Comments and tips section accompanies you as you use the application.
This section offers tips on raising the security level of your computer. You will also find comments on the application’s current performance and its settings. The links in this section guide you to take the actions recommended for a particular section or to view information in more detail.
Each element of the navigation panel is accompanied by a special context menu. The menu contains points for the protection components and tools that help the user quickly configure them, manage them, and view reports. There is an additional menu item for virus scan and update tasks that allows you to create your own task, by modifying a copy of an existing task.
You can change the appearance of the program by creating and using your own graphics and color schemes.
4.4. Program settings window
You can open the Kaspersky Anti-Virus for Windows Workstations settings window from the main window (see 4.3 on pg. 50). To do so, click Settings in the upper part of it.
The settings window (see Figure 3) is similar in layout to the main window:
the left part of the window gives you quick and easy access to the settings for each of the program components, update and virus scan tasks, and program tools;
the right part of the window contains a detailed list of settings for the item selected in the left part of the window.
When you select any section, component, or task in the left part of the settings window, the right part will display its basic settings. To configure advanced settings, you can open second and third level settings windows. You can find a detailed description of program settings in the appropriate sections hereof.
Figure 3. Kaspersky Anti-Virus for Windows Workstations settings window
CHAPTER 5. GETTING STARTED
One of Kaspersky Lab’s main goals in creating Kaspersky Anti-Virus for Windows Workstations was to provide optimum configuration for each of the program’s options. This makes it possible for a user with any level of computer literacy to quickly protect their computer straight after installation.
However, configuration details for your computer, or the jobs you use it for, can have their own specific requirements. That is why we recommend performing a preliminary configuration to achieve the most flexible, personalized protection of your computer.
To make getting started easier, we have combined all the preliminary configuration stages in one Setup Wizard (see 3.2 on pg. 36) that starts as soon as the program is installed. By following the Wizard’s instructions, you can activate the program, configure settings for updates and virus scans, password-protect access to the program, and configure Anti-Hacker to match your network’s properties.
After installing and starting the program, we recommend that you take the following steps:
Check the current protection status (see 5.1 on pg. 55) to make sure that Kaspersky Anti-Virus for Windows Workstations is running at the appropriate level.
Train Anti-Spam (see 5.5 on pg. 63) using your emails.
Update the program (see 5.6 on pg. 64) if the Settings Wizard did not do so automatically after installing the program.
Scan the computer (see 5.2 on pg. 61) for viruses.
5.1. What is the protection status of the computer?
Composite information on your computer’s protection is provided in the main program window, in the Protection section. The current protection status of the computer and the general performance statistics of the program are displayed here.
Protection status displays the current state of protection for your computer using special indicators (see 5.1.1 on pg. 56). Statistics (see 5.1.2 on pg. 59) analyses the current program session.
5.1.1. Protection indicators
Protection status is determined by three indicators, each of which reflects a different aspect of your computer’s protection at any given moment and indicates any problems in program settings and performance.
Figure 4. Indicators reflecting the computer protection status
Each indicator has three possible appearances:
the situation is normal; the indicator is showing that your computer's protection is adequate, and that there are no problems in the program settings or performance.
there are one or more deviations in Kaspersky Anti-Virus for Windows Workstations performance from the recommended level of performance, which could affect information security. Please pay heed to the actions recommended by Kaspersky Lab, which are given as links.
the computer’s security status is critical. Please follow the recommendations closely to improve your computer’s protection. The recommended actions are given as links.
We will now examine protection indicators and the situations that each of them indicate in more detail.
The first indicator reflects the situation with malicious files and programs on your computer. The three values of this indicator mean the following:
No threats detected
Kaspersky Anti-Virus for Windows Workstations has not detected any dangerous files or programs on your computer.
All threats have been neutralized
Kaspersky Anti-Virus for Windows Workstations has treated all infected files and programs, and deleted those that could not be treated.
Threats have been detected
Your computer is at risk of infection. Kaspersky Anti-Virus for Windows Workstations has detected malicious programs (viruses, Trojans, worms, etc.) that must be neutralized. To do so, use the Neutralize all link. Click the Details link to see more detailed information about the malicious objects.
The second indicator shows the effectiveness of your computer's protection. The indicator takes one of the following values:
Signatures released: (date, time)
Both the application and the threat signatures used by Kaspersky Anti-Virus for Windows Workstations are the most recent versions.
Signatures are out of date
The program modules and Kaspersky Anti-Virus for Windows Workstations threat signatures have not been updated for several days. You are running the risk of infecting your computer with new malicious programs that have appeared since you last updated the program. We recommend updating Kaspersky Anti-Virus for Windows Workstations. To do so, use the Update link.
Signatures are partially corrupted
The threat signature files are partially corrupted. If this occurs, it is recommended to run program updates again. If you encounter the same error message again, contact the Kaspersky Lab Technical Support Service.
Please restart your computer
You must restart your system for the program to run correctly. Save and close all files that you are working with and use the Restart computer link.
Program updates are disabled
The threat signature and program module update service is disabled. To maintain real-time protection, we recommend enabling updates.
Signatures are obsolete
Kaspersky Anti-Virus for Windows Workstations has not been updated for some time. You are putting the data at great risk. Update the program as soon as possible. To do so, use the Update link.
Signatures are corrupted
The threat signature files are fully corrupted. If this occurs, it is recommended to run program updates again. If you encounter the same error message again, contact the Kaspersky Lab Technical Support Service.
The third indicator shows the current functionality of the program. The indicator takes one of the following values:
All protection components are running
Kaspersky Anti-Virus for Windows Workstations is protecting your computer on all channels by which malicious programs could penetrate. All protective components are enabled.
Protection is not installed
When Kaspersky Anti-Virus for Windows Workstations was installed, none of the monitoring components were installed. This means you can only scan for viruses. For maximum security, you should install protection components on your computer.
All protection components are paused
All protection components have been paused. To restore the components, select Resume protection from the context menu by clicking on the system tray icon.
Some protection components are disabled
One or several protection components are stopped. This could lead to your computer becoming infected and losing data. You are strongly advised to enable protection. To do so, select an inactive component from the list and click .
All protection components are disabled
Protection is fully disabled. No components are running. To restore the components, select Resume protection from the context menu by clicking on the system tray icon.
Some protection components have malfunctioned
One or more Kaspersky Anti-Virus for Windows Workstations components have internal errors. If this occurs, you are advised to enable the component or restart the computer, as it is possible that the component drivers have to be registered after being updated.
5.1.2. Kaspersky Anti-Virus for Windows Workstations component status
To determine how Kaspersky Anti-Virus for Windows Workstations is guarding your file system, email, HTTP traffic, or other areas where dangerous programs could penetrate your computer, or to view the progress of a virus scan task or threat signature update, simply open the corresponding section of the main program window.
For example, to view the current File Anti-Virus status, select File Anti-Virus from the left-hand panel of the main window, or to see if you are being protected against new viruses, select Proactive Defense. The right-hand panel will display a summary of information about the component’s operation.
For protection components, the right-hand panel contains the status bar, the Status box and the Statistics box.
For the File Anti-Virus component, the status bar appears as follows:
File Anti-Virus : running – file protection is active for the level selected (see 7.1 on pg. 87).
File Anti-Virus : paused – File Anti-Virus is disabled for a set period of time. The component will resume operation automatically after the assigned period has expired or after the program is restarted. You can also resume file protection manually, by clicking the button located on the status bar.
File Anti-Virus : stopped – the component has been stopped by the user. You can resume file protection manually, by clicking the button located on the status bar.
File Anti-Virus : not running – file protection is not available for some reason.
File Anti-Virus : disabled (error) – the component encountered an error.
If a component encounters an error, try restarting it. If the restart also results in an error, review the component report, which might contain the reason for the failure. If you are unable to troubleshoot the issue on your own, save the component report to a file using Action Save As and contact Kaspersky Lab Technical Support.
If the component contains several modules, the Status section will contain information on the status of each of them. For components that do not have individual modules, their status, security level, and, for some components, the response to dangerous programs are displayed.
There is no Status box for virus scan and update tasks. The security level, the action applied to dangerous programs for virus scan tasks, and the run mode for updates are listed in the Settings box.
The Statistics box contains information on the operation of protection components, updates, or virus scan tasks.

5.1.3. Program performance statistics

Program statistics can be found in the Statistics box of the main window’s Protection section, and display general information on computer protection, recorded from the time that Kaspersky Anti-Virus for Windows Workstations was installed.
Figure 5. The program’s general statistics box
You can left-click anywhere in the box to view a report with detailed information. The tabs display:
Information on objects found (see 17.3.2 on pg. 227) and the status assigned to them
Event log (see 17.3.3 on pg. 228)
General scan statistics (see 17.3.4 on pg. 229) for your computer
Program performance settings (see 17.3.5 on pg. 230)
5.2. How to scan your computer for viruses
After installation, the application will without fail inform you with a special notice in the lower left-hand part of the application window that the computer has not yet been scanned and will recommend that you scan it for viruses immediately.
Kaspersky Anti-Virus for Windows Workstations includes a task for a computer virus scan located in the Scan section of the program’s main window.
After selecting the task Critical Areas you will be able to view statistics for the most recent computer scan and task settings: statistics for the most recent scan of these areas; task settings; what level of protection was selected, and what actions are applied to security threats. Here you can also select which critical areas you want to scan, and immediately scan those areas.
To scan critical areas of your computer for malicious programs,
1. Open the main program window and select the task Critical Areas in the Scan section.
2. Click the Scan button.
As a result, the program will start scanning your computer, and the details will be shown in a special window. When you click the Close button, the progress window will be hidden, but the scan will not stop.
5.3. How to scan critical areas of the computer
There are areas on your computer that are critical from a security perspective. These are targeted by malicious programs which aim to damage your computer’s hardware, including operating system, processor, memory, etc.
It is extremely important to protect these critical areas so that your computer keeps running. There is a special virus scan task for these areas, which is located in the program’s main window in the Scan section.
After selecting the task named Critical Areas, the right-hand panel of the main window will display the following: statistics for the most recent scan of these areas; task settings; what level of protection was selected, and what actions are applied to security threats. Here you can also select which critical areas you want to scan, and immediately scan those areas.
To scan critical areas of your computer for malicious programs,
1. Open the main program window and select the task Critical Areas in the Scan section.
2. Click the Scan button.
When you do this, a scan of the selected areas will begin, and the details will be shown in a special window. When you click the Close button, the progress window will be hidden, but the scan will not stop.
5.4. How to scan a file, folder or disk for viruses
There are situations when it is necessary to scan individual objects for viruses but not the entire computer. For example, you may want to scan one of the hard drives that holds your programs and games, e-mail databases brought home from work, archived files that came with e-mail, etc. You can select an object for scan with the standard tools of the Microsoft Windows operating system (for example, in the Explorer program window or on your Desktop, etc.).
To scan an object,
Place the cursor over the name of the selected object, open the Windows context menu by right-clicking, and select Scan for viruses (see Figure 6).
Figure 6. Scanning an object selected using a standard Windows context-sensitive menu
A scan of the selected object will then begin, and the details will be shown in a special window. When you click the Close button, the progress window will be hidden, but the scan will not stop.
5.5. How to train Anti-Spam
One step in getting started is training Anti-Spam to work with your emails and filter out junk. Spam is junk email, although it is difficult to say what constitutes spam for a given user. While there are email categories which can be applied to spam with a high degree of accuracy and generality (for example, mass emailings, advertisements), such emails could belong in the inbox of some users.
Therefore, we ask that you determine for yourself what email is spam and what isn’t. Kaspersky Anti-Virus for Windows Workstations will ask you after installation if you want to train Anti-Spam to differentiate between spam and accepted email. You can do this with special buttons that plug into your email client (Microsoft Outlook, Outlook Express (Windows Mail), The Bat!) or using the special training wizard.
Warning!
This version of Kaspersky Anti-Virus does not provide Anti-Spam plug-ins for Microsoft Office Outlook running under Microsoft Windows 98.
To train Anti-Spam using the plug-in’s buttons in the email client,
1. Open your computer's default email client (e.g. Microsoft Office Outlook). You will see two buttons on the toolbar: Spam and Not Spam.
2. Select an accepted email or group of emails that contains accepted email and click Not Spam. From this point onward, emails from the addresses of the senders of the emails you selected will never be processed as spam.
3. Select an email, a group of emails, or a folder of emails that you consider spam, and click Spam. Anti-Spam will analyze the contents of these emails, and in the future it will consider all emails with similar contents to be spam.
To train Anti-Spam using the Training Wizard,
1. Open the application settings window, select the Anti-Spam component under Protection and click Training Wizard.
2. Follow instructions displayed by the Anti-Spam Training Wizard (see 13.2.1, pg. 167).
When an email arrives in your inbox, Anti-Spam will scan it for spam content and add a special [Spam] tag to the subject line of spam. You can configure a special rule in your email client for these emails, such as a rule that deletes them or moves them to a special folder.
5.6. How to update the program
Kaspersky Lab updates the threat signatures and modules for Kaspersky Anti-Virus for Windows Workstations using dedicated update servers.
Kaspersky Lab’s update servers are the Kaspersky Lab Internet sites where the program updates are stored.
Warning!
You will need a connection to the Internet to update Kaspersky Anti-Virus for Windows Workstations.
By default, Kaspersky Anti-Virus for Windows Workstations automatically checks for updates on the Kaspersky Lab servers. If the server has the latest updates, Kaspersky Anti-Virus for Windows Workstations will download and install them in the silent mode.
To update Kaspersky Anti-Virus for Windows Workstations manually,
select the Update component in the Service section of the main program window and click the Update now! button in the right-hand part of the window.
As a result, Kaspersky Anti-Virus for Windows Workstations will begin the update process, and display the details of the process in a special window.
5.7. What to do if protection is not running
If problems or errors arise in the performance of any protection component, be sure to check its status. If the component status is not running or disabled (operation error), try restarting Kaspersky Anti-Virus.
If the problem is not solved by restarting the program, we recommend fixing potential errors using the program restore feature (see Chapter 19, pg. 279).
If the restore procedure does not help, contact Kaspersky Lab Technical Support. You may need to save a report on component operation or for the entire application to file and send it to Technical Support for investigation.
To save the report to file:
1. Select the component in the Protection section of the main window of the program and left-click anywhere in the Statistics box.
2. Click the Save As button and in the window that opens specify the file name for the component's performance report.
To save a report for all Kaspersky Anti-Virus for Windows Workstations components at once (protection components, virus scan tasks, support features):
1. Select the Protection section in the main window of the program and left-click anywhere in the Statistics box.
or
Click All reports in the report window for any component. Then the Reports tab will list reports for all program components.
2. Click the Save As button and in the window that opens specify a file name for the program's performance report.
CHAPTER 6. PROTECTION MANAGEMENT SYSTEM
Kaspersky Anti-Virus for Windows Workstations lets you manage computer security in several ways:
Enable, disable, and pause (see 6.1 on pg. 66) the program.
Define the types of dangerous programs (see 6.2 on pg. 70) against which Kaspersky Anti-Virus for Windows Workstations will protect your computer.
Create an exclusion list (see 6.3 on pg. 71) for protection.
Create your own virus scan and update tasks (see 6.4 on pg. 81).
Configure a virus scan schedule (see 6.5 on pg. 82).
Configure productivity settings (see 6.6 on pg. 84) for antivirus protection.
6.1. Stopping and resuming protection on your computer
By default, Kaspersky Anti-Virus starts at system startup and protects your computer the entire time you are using it. The words Kaspersky Anti-Virus 6.0 in the upper right-hand corner of the screen let you know this. All protection components (see 2.2.1 on pg. 24) are running.
You can fully or partially disable the protection provided by Kaspersky Anti-Virus for Windows Workstations.
Warning!
Kaspersky Lab strongly recommends that you do not disable protection, since this could lead to an infection on your computer and consequent data loss.
Note that in this case protection is discussed in the context of the protection components. Disabling or pausing protection components does not affect the performance of virus scan tasks or program updates.
Page 67

6.1.1. Pausing protection

Pausing protection means temporarily disabling all the components that monitor the files on your computer, incoming and outgoing email, executable scripts, and application behavior, as well as Anti-Hacker and Anti-Spam.
To pause a Kaspersky Anti-Virus for Windows Workstations operation:
1. Select Pause protection in the program’s context menu (see 4.2 on pg. 49).
2. In the Pause Protection window that opens (see Figure 7), select how soon you want protection to resume:
In <time interval> – protection will resume this far in the future. Use the dropdown menu to select the time interval.
At next program restart – protection will resume if you open the program from the Start Menu or after you restart your computer (provided the program is set to start automatically when you turn on your computer (see 6.1.5 on pg. 70)).
By user request only – protection will stop until you start it yourself. To enable protection, select Resume protection from the program’s context menu.
Figure 7. Pause protection window
Tip:
You can also stop protection on your computer with one of the following methods:
Click the button in the Protection section.
Select Exit from the context menu. In this case the program will be unloaded from the computer's memory.
If you pause protection, all protection components will be paused. This is indicated by:
Page 68
Inactive (gray) names of the disabled components in the Protection section of the main window.
Inactive (gray) system tray icon.
The third protection indicator (see 5.1.1 on pg. 56) on your computer, which shows that All protection components are paused.

6.1.2. Stopping protection

Stopping protection means fully disabling the protection components. Virus scans and updates continue to work in this mode.
If protection is stopped, it can only be resumed by the user: protection components will not automatically resume after system or program restarts. Remember that if Kaspersky Anti-Virus for Windows Workstations is somehow in conflict with other programs installed on your computer, you can pause individual components or create an exclusion list (see 6.3 on pg. 71).
To stop all protection:
1. Open the Kaspersky Anti-Virus settings window and select Protection.
2. Uncheck Enable protection.
After disabling protection, all protection components will stop. This is indicated by:
Inactive (gray) names of the disabled components in the Protection section of the main window.
Inactive (gray) system tray icon.
The third protection indicator (see 5.1.1 on pg. 56) on your computer, which shows that All protection components are disabled.
6.1.3. Pausing / stopping protection components and tasks
There are several ways to stop a protection component, virus scan, or update. Before doing so, you are strongly advised to establish why you need to stop them. It is likely that the problem can be solved in another way, for example, by changing the security level. If, for example, you are working with a database that you are sure does not contain viruses, simply add its files as an exclusion (see 6.3 on pg. 71).
Page 69
To pause protection components, virus scans, and update tasks:
Select the component or task from the left-hand part of the main window and click the button on the status bar.
The component/task status will change to paused. The component or task will be paused until you resume it by clicking the button.
When you pause a component or task, Kaspersky Anti-Virus statistics for the current Kaspersky Anti-Virus for Windows Workstations session are saved and will continue to be recorded after the component or task is updated.
To stop protection components, virus scans, and update tasks:
Click the button on the status bar. You can also stop protection components in the program settings window by deselecting Enable <component name> in the General section for that component.
The component/task status will then change to stopped (disabled). The component or task will be stopped until you enable it by clicking the button. For virus scan and update tasks, you will have the choice of the following options: continue the task that was interrupted, or restart it from the beginning.
When you stop a component or task, all the statistics from previous work are cleared and when the component is started they are recorded over.
6.1.4. Restoring protection on your computer
If at some point you paused or stopped protection on your computer, you can resume it using one of the following methods:
From the context menu. To do so, select Resume protection.
From the program’s main window. To do so, click the button on the status bar in the Protection section of the main window.
The protection status immediately changes to running. The program’s system tray icon becomes active (color). The third protection indicator (see 5.1.1 on pg. 56) will also inform you that All protection components are enabled.
Page 70

6.1.5. Shutting down the program

If you have to shut down Kaspersky Anti-Virus for Windows Workstations, select Exit from the program's context menu (see 4.2 on pg. 49). This will close the program, leaving your computer unprotected.
If network connections that the program monitors are active on your computer when you close the program, a notice will appear on the screen stating that these connections will be interrupted. This is necessary for the program to shut down correctly. The connections are terminated automatically after ten seconds or by clicking the Yes button. The majority of connections will resume after a brief time.
Note that if you are downloading a file without a download manager when the connection is terminated, the file transfer will be lost. You will have to download the file over again.
You can choose not to interrupt the connections by clicking on the No button in the notice window. If you do so, the program will continue running.
After closing the program, you can enable computer protection again by opening Kaspersky Anti-Virus for Windows Workstations (Start → Programs → Kaspersky Anti-Virus 6.0 for Windows Workstations → Kaspersky Anti-Virus 6.0 for Windows Workstations).
You can also resume protection automatically after restarting your operating system. To enable this feature, select the Protection section in the program settings window and check Launch Kaspersky Anti-Virus at startup.
6.2. Types of malicious programs to be monitored
Kaspersky Anti-Virus for Windows Workstations protects you from various types of malicious programs. Current settings notwithstanding, the application will always secure your computer against the most dangerous types of malicious software, such as viruses, Trojans, and hack tools. These programs can do significant damage to your computer. To make your computer more secure, you can expand the list of threats that the program will detect by making it monitor additional types of dangerous programs.
To choose what malicious programs Kaspersky Anti-Virus for Windows Workstations will protect you from, select the Protection section in the program settings window (see 4.4 on pg. 53).
Page 71
The Malware categories box contains threat types (see 1.1 on pg. 11):
Viruses, worms, Trojans, hack tools. This group combines the most common and dangerous categories of malicious programs. This is the minimum admissible security level. Per recommendations of Kaspersky Lab experts, Kaspersky Anti-Virus always monitors this category of malicious programs.
Spyware, adware, dialers. This group includes potentially dangerous software that may inconvenience the user or incur serious damage.
Potentially dangerous software (riskware). This group includes programs that are not malicious or dangerous. However, under certain circumstances they could be used to cause harm to your computer.
The groups listed above comprise the full range of threats which the program detects when scanning objects.
If all groups are selected, Kaspersky Anti-Virus for Windows Workstations provides the fullest possible anti-virus protection for your computer. If the second and third groups are disabled, the program will only protect you from the commonest malicious programs. This does not include potentially dangerous programs and others that could be installed on your computer and could damage your files, steal your money, or take up your time.
Kaspersky Lab does not recommend disabling monitoring for the second group. If Kaspersky Anti-Virus for Windows Workstations classifies a program as potentially dangerous and you feel that it is not, we recommend configuring an exclusion for it (see 6.3 on pg. 71).
6.3. Creating a trusted zone
A trusted zone is a list of objects created by the user, that Kaspersky Anti-Virus for Windows Workstations does not monitor. In other words, it is a set of programs excluded from protection.
The user creates a protected zone based on the properties of the files he uses and the programs installed on his computer. You might need to create such an exclusion list if, for example, Kaspersky Anti-Virus for Windows Workstations blocks access to an object or program and you are sure that the file or program is absolutely safe.
You can exclude files of certain formats from the scan, use a file mask, or exclude a certain area (for example, a folder or a program), program processes, or objects according to the status that the program assigns to objects during a scan.
Page 72
Warning!
An exclusion object is not scanned when the disk or folder where it is located is scanned. However, if you select that object specifically, the exclusion rule will not be applied.
In order to create an exclusion list,
1. Open the application settings window and select the Protection section.
2. Click the Trusted Zone button in the General section.
3. Configure exclusion rules for objects and create a list of trusted applications in the window that opens (see Figure 8).
Figure 8. Creating a trusted zone

6.3.1. Exclusion rules

Exclusion rules are sets of conditions that Kaspersky Anti-Virus for Windows Workstations uses to decide that an object should not be scanned.
You can exclude files of certain formats from the scan, use a file mask, or exclude a certain area, such as a folder or a program, program processes, or objects according to their verdict.
Page 73
The verdict is the status that Kaspersky Anti-Virus for Windows Workstations assigns to an object during the scan. A verdict is based on the classification of malicious and potentially dangerous programs found in the Kaspersky Lab Virus Encyclopedia.
Potentially dangerous software does not have a malicious function but can be used as an auxiliary component for malicious code, since it contains holes and errors. This category includes, for example, remote administration programs, IRC clients, FTP servers, all-purpose utilities for stopping or hiding processes, keyloggers, password macros, autodialers, etc. These programs are not classified as viruses. They can be divided into several types, e.g. Adware, Jokes, Riskware, etc. (for more information on potentially dangerous programs detected by Kaspersky Anti-Virus for Windows Workstations, see the Virus Encyclopedia at www.viruslist.com). After the scan, these programs may be blocked. Since several of them are very common, you have the option of excluding them from the scan. To do so, you must specify the verdict assigned to that program as an exclusion mask.
For example, imagine you use a Remote Administrator program frequently in your work. This is a remote access system with which you can work from a remote computer. Kaspersky Anti-Virus for Windows Workstations views this sort of application activity as potentially dangerous and may block it. To keep the application from being blocked, you must create an exclusion rule that specifies not-a-virus:RemoteAdmin.Win32.RAdmin.22 as the verdict.
When you add an exclusion, a rule is created that several program components (File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, Proactive Defense) and virus scan tasks can later use. You can create exclusion rules in a special window that you can open from the program settings window, from the notice about detecting the object, and from the report window.
To add exclusions on the Exclusion Rule tab:
1. Click on the Add button in the Exclusion mask tab.
2. In the window that opens (see Figure 9), click the exclusion type in the Properties section:
Object – exclusion of a certain object, directory, or files that match a certain mask from scans.
Verdict – excluding an object from the scan based on its status from the Virus Encyclopedia classification.
Page 74
Figure 9. Creating an exclusion rule
If you check both boxes at once, a rule will be created for that object with a certain status according to Virus Encyclopedia classification. In such a case, the following rules apply:
If you specify a certain file as the Object and a certain status in the Verdict section, the file specified will only be excluded if it is classified as the threat selected during the scan.
If you select an area or folder as the Object and the status (or verdict mask) as the Verdict, then objects with that status will only be excluded when that area or folder is scanned.
3. Assign values to the selected exclusion types. To do so, left-click in the Rule description section on the specify link located next to the exclusion type:
For the Object type, enter its name in the window that opens (this can be a file, a particular folder, or a file mask (see A.2 on pg. 288)). Check Include subfolders for the object (file, file mask, folder) to be recursively excluded from the scan. For example, if you assign C:\Program Files\winword.exe as an exclusion and check the scan nested folders option, the file winword.exe will be excluded from the scan if found in any folder under C:\Program Files.
For the Verdict type, enter the full name of the threat that you want to exclude from scans as given in the Virus Encyclopedia, or use a mask (see A.3 on pg. 288).
For some verdicts, you can assign advanced conditions for applying rules in the Advanced settings field (see A.3 on pg. 288).
Page 75
In most cases, this field is filled in automatically when you add an exclusion rule from a Proactive Defense notification.
You can add advanced settings for the following verdicts, among others:
o Invader. For this verdict, you can give a name, mask, or complete path to the object being embedded (for example, a .dll file) as an additional exclusion condition.
o Launching Internet Browser. For this verdict, you can list browser open settings as additional exclusion settings. For example, you blocked browsers from opening with certain settings in the Proactive Defense application activity analysis. However, you want to allow the browser to open for the domain www.kaspersky.com with a link from Microsoft Office Outlook as an exclusion rule. To do so, select Microsoft Office Outlook as the exclusion Object and Launching Internet Browser as the Verdict, and enter an allowed domain mask in the Advanced settings field.
4. Define which Kaspersky Anti-Virus for Windows Workstations components will use this rule. If any is selected, this rule will apply to all components. If you want to restrict the rule to one or several components, click any, which will change to selected. In the window that opens, check the boxes for the components that you want this exclusion rule to apply to.
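The rule semantics described in steps 2 to 4 above (Object, Verdict, Include subfolders, component scope), together with the earlier warning about directly selected objects, can be modelled as follows. This is an added example, not Kaspersky Lab code: the `*`/`?` wildcard handling via `fnmatch`, the trailing-backslash convention for folders, the class and function names, the "Virus scan" label and the sample paths and Trojan verdict are assumptions of this model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ntpath import basename, dirname, normcase, normpath
from typing import FrozenSet, Optional

# Components the manual says can use an exclusion rule. "Virus scan" is this
# model's own label for virus scan tasks (assumption).
ALL_COMPONENTS = frozenset({
    "File Anti-Virus", "Mail Anti-Virus", "Web Anti-Virus",
    "Proactive Defense", "Virus scan",
})


@dataclass(frozen=True)
class ExclusionRule:
    object_mask: Optional[str] = None    # file, file mask, or folder (trailing "\")
    include_subfolders: bool = False     # the "Include subfolders" checkbox
    verdict_mask: Optional[str] = None   # full threat name or a mask
    components: FrozenSet[str] = ALL_COMPONENTS  # "any" in the rule description


def _in_folder(directory: str, base: str, recursive: bool) -> bool:
    """True if directory is base, or lies below base when recursion is on."""
    directory, base = directory.rstrip("\\"), base.rstrip("\\")
    return directory == base or (recursive and directory.startswith(base + "\\"))


def object_matches(rule: ExclusionRule, path: str) -> bool:
    """Object condition: no Object set means the rule is not limited by location."""
    if rule.object_mask is None:
        return True
    target = normcase(normpath(path))
    mask = normcase(normpath(rule.object_mask))
    if rule.object_mask.endswith(("\\", "/")):      # folder exclusion
        return _in_folder(dirname(target), mask, rule.include_subfolders)
    if not fnmatchcase(basename(target), basename(mask)):
        return False
    mask_dir = dirname(mask)                        # "" for a bare mask like *.tmp
    return mask_dir == "" or _in_folder(dirname(target), mask_dir,
                                        rule.include_subfolders)


def verdict_matches(rule: ExclusionRule, verdict: Optional[str]) -> bool:
    """Verdict condition: a rule with a Verdict only applies to detected objects."""
    if rule.verdict_mask is None:
        return True
    if verdict is None:
        return False
    return fnmatchcase(verdict.lower(), rule.verdict_mask.lower())


def is_excluded(rule: ExclusionRule, path: str, verdict: Optional[str],
                component: str, selected_directly: bool = False) -> bool:
    """Apply one rule to one object seen by one component.

    When both Object and Verdict are set, both must match. A rule is ignored
    when the object itself was selected for scanning, as the warning in 6.3
    states.
    """
    if rule.object_mask is None and rule.verdict_mask is None:
        return False                                # empty rule excludes nothing
    if selected_directly or component not in rule.components:
        return False
    return object_matches(rule, path) and verdict_matches(rule, verdict)


# Rules built from the manual's own examples; paths under C:\Tools and C:\Temp
# and the Trojan verdict name are constructed sample values.
RADMIN = "not-a-virus:RemoteAdmin.Win32.RAdmin.22"
WINWORD_RECURSIVE = ExclusionRule(r"C:\Program Files\winword.exe", True)
WINWORD_FLAT = ExclusionRule(r"C:\Program Files\winword.exe", False)
RADMIN_ANYWHERE = ExclusionRule(verdict_mask=RADMIN)
RADMIN_IN_TOOLS = ExclusionRule("C:\\Tools\\", False, "not-a-virus:RemoteAdmin.*")
FILE_AV_ONLY = ExclusionRule(verdict_mask=RADMIN,
                             components=frozenset({"File Anti-Virus"}))

if __name__ == "__main__":
    nested = r"C:\Program Files\Microsoft Office\winword.exe"
    print(is_excluded(WINWORD_RECURSIVE, nested, None, "File Anti-Virus"))
    print(is_excluded(WINWORD_FLAT, nested, None, "File Anti-Virus"))
    print(is_excluded(RADMIN_IN_TOOLS, r"C:\Temp\radmin.exe", RADMIN, "Virus scan"))
```

The combined rule `RADMIN_IN_TOOLS` shows why pairing an Object with a Verdict is the narrower choice: the same remote administration tool found outside `C:\Tools`, or a different detection inside it, is still reported.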
To create an exclusion rule from a program notice stating that it has detected a dangerous object:
1. Use the Add to trusted zone link in the notification window (see Figure 10).
2. In the window that opens, be sure that all the exclusion rule settings match your needs. The program will fill in the object name and threat type automatically, based on information from the notification. To create the rule, click OK.
Page 76
Figure 10. Dangerous object detection notification
To create an exclusion rule from the report window:
1. Select the object in the report that you want to add to the exclusions.
2. Open the context menu and select Add to Trusted zone (see Figure 11).
Page 77
Figure 11. Creating an exclusion rule from a report
3. The exclusion settings window will then open. Be sure that all the exclusion rule settings match your needs. The program will fill in the object name and threat type automatically based on the information from the report. To create the rule, click OK.

6.3.2. Trusted applications

You can only exclude trusted applications from the scan in Kaspersky Anti-Virus if it is installed on a computer running Microsoft Windows NT 4.0/2000/XP/Vista.
Kaspersky Anti-Virus provides the capability to create a list of trusted applications whose activity, suspicious or otherwise, and file, network, and system registry access, are not monitored.
For example, you feel that objects and processes used by Windows Notepad are safe and do not need to be scanned.
Page 78
To exclude objects used by this process from scanning, add Notepad to the trusted applications list. However, the executable file and the trusted application process will be scanned for viruses as before. To fully exclude the application from scanning, you must use exclusion rules (see 6.3.1 on pg. 72).
In addition, some actions classified as dangerous are perfectly normal features for a number of programs. For example, keyboard layout toggling programs regularly intercept text entered on your keyboard. To accommodate such programs and stop monitoring their activity, you are advised to add them to the trusted application list.
Excluding trusted applications can also solve potential compatibility conflicts between Kaspersky Anti-Virus for Windows Workstations and other applications (for example, network traffic from another computer that has already been scanned by the anti-virus application) and can boost computer productivity, which is especially important when using server applications.
By default, Kaspersky Anti-Virus for Windows Workstations scans objects opened, run, or saved by any program process and monitors the activity of all programs and the network traffic they create.
You can create a list of trusted applications on the special Trusted applications tab (see Figure 12). By default the trusted applications list contains a list of applications that will not be monitored based on Kaspersky Lab recommendations when you install Kaspersky Anti-Virus. If you do not trust an application on the list, deselect the corresponding checkbox. You can edit the list using the Add, Edit, and Delete buttons on the right.
Page 79
Figure 12. Trusted application list
To add a program to the trusted application list:
1. Click the Add button on the right-hand part of the Trusted application tab.
2. In the Trusted application window (see Figure 13) that opens, select the application using the Browse button. A context menu will open, and by clicking Browse you can go to the file selection window and select the path to the executable file, or by clicking Applications you can go to a list of applications currently running and select them as necessary.
When you select a program, Kaspersky Anti-Virus for Windows Workstations records the internal attributes of the executable file and uses them to identify the trusted program during scans.
The file path is inserted automatically when you select its name.
Page 80
Figure 13. Adding an application to the trusted list
3. Specify which actions performed by this process will not be monitored:
Do not scan opened files – excludes from the scan all files that the trusted application process opens.
Do not restrict application activity – excludes from Proactive Defense monitoring any activity, suspicious or otherwise, that the trusted application performs.
Do not restrict registry access – excludes from scanning any accesses of the system registry initiated by the trusted application.
Do not scan network traffic – excludes from scans for viruses and spam any network traffic initiated by the trusted application. You can exclude all the application’s network traffic or encrypted traffic (SSL) from the scan. To do so, click the all link. It will change to encrypted. In addition you can restrict the exclusion by assigning a remote host/port. To create a restriction, click any, which will change to selected, and enter a value for the remote port/host.
Note that if Do not scan network traffic is checked, traffic for that application will only be scanned for viruses and spam. However, this does not affect whether Anti-Hacker scans traffic. Anti-Hacker settings govern analysis of network activity for that application.
Page 81
6.4. Starting tasks under another profile
Kaspersky Anti-Virus for Windows Workstations 6.0 has a feature that can start scan tasks under another user profile. This feature is by default disabled, and tasks are run under the profile under which you are logged into the system.
The feature is useful if, for example, you need access rights to a certain object during a scan. By using this feature, you can configure tasks to run under a user that has the necessary privileges.
Note that this option is not available under Microsoft Windows 98/ME.
Program updates may be made from a source to which you do not have access (for example, the network update folder) or authorized user rights for a proxy server. You can use this feature to run the Updater with another profile that has those rights.
To configure a scan task that starts under a different user profile:
1. Select the task name in the Scan section (for virus scans) or the Service section (for update tasks) of the main window and use the Settings link to open the task settings window.
2. Click the Customize button in the task settings window and go to the Additional tab in the window that opens (see Figure 14).
To enable this feature, check Run this task as. Enter the data for the login that you want to start the task as below: user name and password.
Note that if you do not run the task as a user with appropriate privileges, the scheduled update will be run with the privileges of the current user account. If no users are currently logged into the computer, running updates under another user account has not been configured, and updates run automatically, they will run with the SYSTEM privileges.
Page 82
Figure 14. Configuring an update task from another profile
6.5. Configuring Scheduled Tasks and Notifications
Schedule settings are identical for virus scan tasks, application updates, and Kaspersky Anti-Virus event notifications.
By default, the virus scan tasks created at application install are disabled. Startup objects are the exception since they are scanned every time Kaspersky Anti-Virus is started. Updates are configured to occur automatically by default as updates become available on Kaspersky Lab update servers.
In the event that you are not satisfied with these settings, you may reconfigure task schedules. Select a task by name under Virus Scan (for virus scan tasks) or Service (for updates and update distribution) and open the related settings window by clicking Settings.
To have tasks start according to a schedule, check the automatic task start box in the Run Mode section. You can edit the times for starting the scan task in the Schedule window (see Figure 15), that opens when you click Change.
Page 83
Figure 15. Configuring a task schedule
The primary setting to define is the frequency of an event (task execution or notification). Select the desired option under Frequency (see Figure 15). Then, settings for the selected option are to be specified under Schedule Settings. The following options are available:
Minutes. The time interval between scans or notifications will be several minutes. Specify the length of time in minutes under schedule settings. It should not exceed 59 minutes.
Hours. The interval between scans or notifications is several hours. If this option is selected, specify the time interval under schedule settings: Every N hours and specify N. Enter Every 1 hour, for instance, if you want the task to run hourly.
Days. The task is started or the notification is sent at an interval of several days. Specify the interval in the schedule settings:
Select Every n days and enter a value for n if you wish to maintain an interval of several days.
Select Every Weekday, if you want the task to run daily Monday through Friday.
Select Every Weekend to run the task or send notification on Saturdays and Sundays only.
Use the Time field to specify what time of day the scan task will be run.
Weeks. The task is started or the notification sent on certain days of the week. If you select this option, put checkmarks next to the days of the week on which you need the task to run. Enter time of day in the Time field.
Page 84
Months. The task is started or the notification sent once a month at a specified time.
Time. Start a task or send a notification at the specified date and time.
At Application Startup. Run task or send notification every time Kaspersky Anti-Virus starts. A time delay may also be specified relative to the start of the application for a task to be run.
After each update. The task starts after each threat signature update (this only applies to virus scan tasks).
If a task cannot run for some reason (an email program is not installed, for example, or the computer was shut down at the time), the task can be configured to run automatically as soon as it becomes possible. To do so, check Run task if skipped in the schedule window.
6.6. Power options
To conserve the battery of your laptop computer, and to reduce the load on the central processor and disk subsystems, you can postpone virus scans:
Since virus scans and program updates sometimes require a fair amount of resources and can take up time, you are advised to disable schedules for these tasks, which will help you to save battery life. If necessary, you can manually update the program yourself (see 5.6 on pg. 64) or start a virus scan (see 5.2 on pg. 61). To use the battery-saving feature, check the Disable scheduled scans while running on battery power box.
Virus scans increase the load on the central processor and disk subsystems, thereby slowing down other programs. By default, if such a situation arises, the program pauses virus scans and frees up system resources for user applications.
However, there are a number of programs that can be launched as soon as the processor’s resources are freed and run in background mode. For virus scans not to depend on the operation of such programs, uncheck Concede resources to other applications.
Note that this setting can be configured individually for every virus scan task. If you choose to do this, the configuration for a specific task has a higher priority.
Page 85
Figure 16. Configuring power settings
To configure power settings for virus scan tasks:
Select the Protection section of the main program window and click Settings. Configure power settings in the Advanced box (see Figure 16).
6.7. Advanced Disinfection Technology
Today's malicious programs can invade the lowest levels of an operating system, which makes them practically impossible to delete. Kaspersky Anti-Virus 6.0 asks you if you want to run Advanced Disinfection Technology when it detects a threat currently active in the system. This will neutralize the threat and delete it from the computer.
After this procedure, you will need to restart your computer. After restarting your computer, we recommend running a full virus scan. To use Advanced Disinfection Technology, check Enable Advanced Disinfection Technology.
To enable/disable advanced disinfection technology:
Select the Protection section of the main program window and click the Settings link. Configure power settings in the Additional box (see Figure 16).
Page 86
CHAPTER 7. FILE ANTI-VIRUS
The Kaspersky Anti-Virus for Windows Workstations component that protects your computer files against infection is called File Anti-Virus. It loads when you start your operating system, runs in your computer’s RAM, and scans all files that you open, save, or execute.
The component’s activity is indicated by the Kaspersky Anti-Virus for Windows Workstations system tray icon, which looks like this whenever a file is being scanned.
File Anti-Virus by default scans only new or modified files, that is, only files that have been added or changed since the previous scan. Files are scanned with the following algorithm:
1. Each time the user or a program accesses a file, the component intercepts it.
2. File Anti-Virus scans the iChecker™ and iSwift™ databases for information on the file intercepted. A decision is made whether to scan the file based on the information retrieved.
The scanning process includes the following steps:
1. The file is analyzed for viruses. Malicious objects are detected by comparison with the program’s threat signatures, which contain descriptions of all malicious programs, threats, and network attacks known to date, with methods for neutralizing them.
2. After the analysis, there are three available courses of action:
a. If malicious code is detected in the file, File Anti-Virus blocks the file, places a copy of it in Backup, and attempts to disinfect the file. If the file is successfully disinfected, it becomes available again. If not, the file is deleted.
b. If code is detected in a file that appears to be malicious but there is no guarantee, the file is subject to disinfection and is sent to Quarantine.
c. If no malicious code is discovered in the file, it is immediately restored.
Page 87
7.1. Selecting a file security level
File Anti-Virus protects files that you are using at one of the following levels (see Figure 17):
High – the level with the most comprehensive monitoring of files opened, saved, or run.
Recommended – Kaspersky Lab recommends this settings level. It will scan the following object categories:
Programs and files by contents
New objects and objects modified since the last scan
Embedded OLE objects
Low – level with settings that let you comfortably use applications that require significant system resources, since the scope of files scanned is reduced.
Figure 17. File Anti-Virus security level
The default setting for File Anti-Virus is Recommended.
You can raise or lower the protection level for files you use by either selecting the level you want, or changing the settings for the current level.
To change the security level:
Adjust the sliders. By adjusting the security level, you define the ratio of scan speed to the total number of files scanned: the fewer files are scanned for viruses, the higher the scan speed.
If none of the set file security levels meet your needs, you can customize the protection settings. To do so, select the level that is closest to what you need as a starting point and edit its settings. In such a case, the level will be set at Custom. Let’s look at an example of when user-defined file security levels could be useful.
Example:
The work you do on your computer uses a large number of file types, and some of the files may be fairly large. You would not want to run the risk of skipping any files in the scan because of the size or extension, even if this would somewhat affect the productivity of your computer.
Tip for selecting a level:
Based on the source data, one can conclude that you have a fairly high risk of being infected by a malicious program. The size and type of the files being handled is quite varied and skipping them in the scan would put your data at risk. You want to scan the files you use by contents, not by extension.
You are advised to start with the Recommended security level and make the following changes: remove the restriction on scanned file sizes and optimize File Anti-Virus operation by only scanning new and modified files. Then the scan will not take up as many system resources so you can comfortably use other applications.
To modify the settings for a security level:
Click the Settings button in the File Anti-Virus settings window. Edit the File Anti-Virus settings in the window that opens and click OK.
As a result, a fourth security level will be created, Custom, which contains the protection settings that you configured.
7.2. Configuring File Anti-Virus
Your settings determine how File Anti-Virus will defend your computer. The settings can be broken down into the following groups:
Settings that define what file types (see 7.2.1 on pg. 88) are to be scanned for viruses
Settings that define the scope of protection (see 7.2.2 on pg. 91)
Settings that define how the program responds to dangerous objects (see 7.2.5 on pg. 95)
Additional settings for File Anti-Virus (see 7.2.3 on pg. 92)
The following sections will examine these groups in detail.

7.2.1. Defining the file types to be scanned

When you select file types to be scanned, you establish what file formats, sizes, and what drives will be scanned for viruses when opened, executed, or saved.
To make configuration easier, all files are divided into two groups: simple and compound. Simple files, for example, .txt files, do not contain any objects.
Compound objects can include several objects, each of which may in turn contain other objects. There are many examples: archives, files containing macros, spreadsheets, emails with attachments, etc.
The file types scanned are defined in the File types section (see Figure 18). Select one of the three options:
Scan all files. With this option selected, all file system objects that are opened, run, or saved will be scanned without exceptions.
Scan programs and documents (by contents). If you select this group of files, File Anti-Virus will only scan potentially infected files – files that a virus could embed itself in.
Note:
There are a number of file formats that have a fairly low risk of having malicious code injected into them and subsequently being activated. An example would be .txt files.
And vice versa, there are file formats that contain or can contain executable code. Examples would be the formats .exe, .dll, or .doc. The risk of injection and activation of malicious code in such files is fairly high.
Before searching for viruses in a file, its internal header is analyzed for the file format (txt, doc, exe, etc.). If the analysis shows that the file format cannot be infected, it is not scanned for viruses and is immediately returned to the user. If the file format can be infected, the file is scanned for viruses.
Scan programs and documents (by extension). If you select this option, File Anti-Virus will only scan potentially infected files, but the file format will be determined by the filename’s extension. Using the extension link, you can review a list of file extensions (see A.1 on pg. 285) that are scanned with this option.
Tip:
Do not forget that someone could send your computer a virus in a file with a harmless-looking extension (e.g. .txt) that is actually an executable file renamed as a .txt file. If you select Scan programs and documents (by extension), the scan would skip such a file. If Scan programs and documents (by contents) is selected, the extension is ignored, and analysis of the file headers will uncover that the file is an .exe file. File Anti-Virus would scan the file for viruses.
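The difference between the by-contents and by-extension options can be checked with a short script. The following is an added example, not part of the manual and not Kaspersky code: it recognises formats from their publicly documented leading bytes and lists the files that a by-extension selection would skip. The extension set, function names, and sample files are assumptions made for the illustration.

```python
from pathlib import PureWindowsPath

# Leading byte signatures of formats the manual names as able to carry
# executable code or nested objects (publicly documented magic numbers).
# A prefix match can over-select (a text file that starts with "MZ"),
# which only costs an extra scan; it never hides a real executable.
SIGNATURES = [
    (b"MZ", "executable (.exe/.dll)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (.doc/.xls)"),
    (b"PK\x03\x04", "zip archive"),
    (b"Rar!\x1a\x07", "rar archive"),
    (b"MSCF", "cab archive"),
    (b"\x60\xea", "arj archive"),
]

# Assumption: a short stand-in for the extension list in appendix A.1,
# which is not reproduced on this page.
SCANNED_EXTENSIONS = {".exe", ".dll", ".doc", ".xls", ".zip", ".rar", ".cab", ".arj"}


def format_by_contents(header: bytes):
    """Return the format recognised from the first bytes of a file, or None."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def would_scan(filename: str, header: bytes, mode: str) -> bool:
    """Decide whether a file is selected for scanning under one of the three options."""
    if mode == "all":
        return True
    if mode == "contents":
        return format_by_contents(header) is not None
    if mode == "extension":
        return PureWindowsPath(filename).suffix.lower() in SCANNED_EXTENSIONS
    raise ValueError(f"unknown mode: {mode!r}")


def skipped_by_extension(samples):
    """Files whose header marks them as infectable but whose name hides it."""
    return [
        (name, format_by_contents(header))
        for name, header in samples
        if would_scan(name, header, "contents")
        and not would_scan(name, header, "extension")
    ]


# Constructed sample files: (file name, first bytes of the file).
SAMPLES = [
    ("readme.txt", b"Plain text notes\r\n"),
    ("invoice.txt", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable renamed to .txt
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.jpg", b"PK\x03\x04\x14\x00\x00\x00"),   # zip archive renamed to .jpg
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("notes.exe", b"just some text"),                 # text with a misleading name
]

if __name__ == "__main__":
    for name, fmt in skipped_by_extension(SAMPLES):
        print(f"{name}: header says {fmt}, but by-extension selection would skip it")
```

The reverse mismatch (notes.exe, plain text with an .exe name) is selected by extension but not by contents, which costs only scan time.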
Figure 18. Selecting the file types scanned for viruses
In the Productivity section, you can specify that only new files and those that have been modified since the previous scan should be scanned for viruses. This mode noticeably reduces scan time and increases the program’s performance speed. To select this mode, check Scan new and changed files only. This mode applies to both simple and compound files.
In the Compound files section, specify which compound files to scan for viruses:
Scan all/only new archives – scans .zip, .cab, .rar, and .arj archives.
Scan all/only new installation packages – scans self-extracting archives for viruses.
Scan all/only new embedded OLE objects – scans objects embedded in files (for example, Microsoft Office Excel spreadsheets or macros embedded in a Microsoft Office Word file, email attachments, etc.).
You can select and scan all files, or only new files, for each type of compound file. To do so, left-click the link next to the name of the object to toggle its value.
If the Productivity section has been set up only to scan new and modified files, you will not be able to select the type of compound files to be scanned.
To specify compound files that should not be scanned for viruses, use the following settings:
Extract archives in background if larger than... MB. If the size of a compound object exceeds this restriction, the program will scan it as a single object (by analyzing the header) and will return it to the user. The objects that it contains will be scanned later. If this option is not checked, access to files larger than the size indicated will be blocked until they have been scanned.
Do not process archives larger than... MB. With this option checked, files larger than the size specified will be skipped by the scan.

7.2.2. Defining protection scope

By default, File Anti-Virus scans all files when they are used, regardless of where they are stored, whether it be a hard drive, CD/DVD-ROM, or flash drive.
You can limit the scope of protection. To do so:
1. Select File Anti-Virus in the main window and go to the component settings window by clicking Settings.
2. Click the Settings button and select the Protection Scope tab (see Figure 19) in the window that opens.
The tab displays a list of objects that File Anti-Virus will scan. Protection is enabled by default for all objects on hard drives, removable media, and network drives connected to your computer. You can add to and edit the list using the Add, Edit, and Delete buttons.
If you want to protect fewer objects, you can do so using the following methods:
Specify only folders, drives, and files that need to be protected.
Create a list of objects that do not need to be protected (see 6.3 on pg. 71).
Combine methods one and two – create a protection scope that excludes a number of objects.
Figure 19. Defining the scope of protection
You can use masks when you add objects for scanning. Note that you can only enter masks with absolute paths to objects:
C:\dir\*.* or C:\dir\* or C:\dir\ - all files in folder C:\dir\
C:\dir\*.exe - all files with the extension .exe in the folder C:\dir\
C:\dir\*.ex? – all files with the extension .ex? in the folder C:\dir\, where ? can represent any one character
C:\dir\test – only the file C:\dir\test
In order for the scan to be carried out recursively, check Include subfolders.
Warning!
Remember that File Anti-Virus will scan only the files that are included in the protection scope created. Files not included in that scope will be available for use without being scanned. This increases the risk of infection on your computer.
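Before narrowing the protection scope, it helps to list which files a planned set of masks leaves out. The following is an added example, not part of the manual and not Kaspersky code: it implements the mask rules listed above (absolute paths only, *.* equivalent to *, ? for one character, optional recursion) and reports the files that would be used without being scanned. The function names and sample paths are constructed, and applying the file-name pattern inside every subfolder when Include subfolders is checked is an assumption.

```python
import fnmatch
from pathlib import PureWindowsPath


def parse_mask(mask: str):
    """Split a scope mask into (folder, file-name pattern)."""
    if mask.endswith("\\"):                  # C:\dir\ means every file in C:\dir
        folder, pattern = PureWindowsPath(mask), "*"
    else:
        p = PureWindowsPath(mask)
        folder, pattern = p.parent, p.name
    if not folder.is_absolute():
        raise ValueError(f"mask must use an absolute path: {mask!r}")
    if pattern == "*.*":                     # the manual treats *.* like *,
        pattern = "*"                        # so files without an extension match
    # '[' is legal in Windows file names but special to fnmatch: make it literal.
    return folder, pattern.replace("[", "[[]")


def in_scope(path: str, mask: str, include_subfolders: bool = False) -> bool:
    """True if the file at `path` is covered by `mask`."""
    folder, pattern = parse_mask(mask)
    p = PureWindowsPath(path)
    # PureWindowsPath compares case-insensitively, like the Windows file system.
    # Assumption: with recursion on, the pattern applies in every subfolder.
    located = folder in p.parents if include_subfolders else folder == p.parent
    return located and fnmatch.fnmatchcase(p.name.lower(), pattern.lower())


def unprotected(paths, scope):
    """Files that no (mask, include_subfolders) entry of the scope covers."""
    return [p for p in paths
            if not any(in_scope(p, mask, sub) for mask, sub in scope)]


# Constructed file inventory and a constructed, deliberately narrow scope.
PATHS = [
    r"C:\dir\setup.exe",
    r"C:\dir\tool.ex_",
    r"C:\dir\README",
    r"C:\dir\sub\payload.exe",
    r"C:\Users\alice\Downloads\invoice.exe",
    r"D:\share\macro.doc",
    r"D:\share\team\q3.xls",
]
SCOPE = [
    (r"C:\dir\*.ex?", False),   # one folder, no recursion
    (r"D:\share\*", True),      # whole tree under D:\share
]

if __name__ == "__main__":
    for path in unprotected(PATHS, SCOPE):
        print("not scanned on access:", path)
```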

7.2.3. Configuring advanced settings

As additional File Anti-Virus settings, you can specify the file system scanning mode and configure the conditions for temporarily pausing the component.
To configure additional File Anti-Virus settings:
1. Select File Anti-Virus in the main window and go to the component settings window by clicking the Settings link.
2. Click the Customize button and select the Additional tab in the window that opens (see Figure 20).
Figure 20. Configuring additional File Anti-Virus settings
The file scanning mode determines the File Anti-Virus processing conditions. You have the following options:
Smart mode. This mode is aimed at speeding up file processing and returning files to the user. When it is selected, a decision to scan is made based on analyzing the operations performed with the file.
For example, when using a Microsoft Office file, Kaspersky Anti-Virus scans the file when it is first opened and last closed. All operations in between that overwrite the file are not scanned.
Smart mode is the default.
On access and modification – File Anti-Virus scans files as they are opened or edited.
On access – only scans files when an attempt is made to open them.
On execution – only scans files when an attempt is made to run them.
You might need to pause File Anti-Virus when performing tasks that require significant operating system resources. To lower the load and ensure that the user regains access to files quickly, we recommend configuring the component to disable at a certain time or while certain programs are used.
To pause the component for a certain length of time, check On schedule and in the window that opens (see Figure 21) click Schedule to assign a time frame for disabling and resuming the component. To do so, enter a value in the format HH:MM in the corresponding fields.
Figure 21. Pausing the component
To disable the component when working with programs that require significant resources, check On applications startup and edit the list of programs in the window that opens (see Figure 22) by clicking Applications.
To add an application to the list, use the Add button. A context menu will open, and by clicking Browse you can go to the standard file selection window and specify the executable file of the application to add. Or, go to the list of applications currently running from the Applications item and select the one you want.
To delete an application, select it from a list and click Delete.
You can temporarily disable the pause on File Anti-Virus when using a specific application. To do so, uncheck the name of the application. You do not have to delete it from the list.
Figure 22. Creating an application list
7.2.4. Restoring default File Anti-Virus settings
When configuring File Anti-Virus, you can always return to the default performance settings. Kaspersky Lab considers them to be optimal and has combined them in the Recommended security level.
To restore the default File Anti-Virus settings:
1. Select File Anti-Virus in the main window and go to the component settings window by clicking Settings.
2. Click the Default button in the Security Level section.
If you modified the list of objects included in the protected zone when configuring File Anti-Virus settings, the program will ask you if you want to save that list for future use when you restore the initial settings. To save the list of objects, check Protected Zone in the Restore Settings window that opens.

7.2.5. Selecting actions for objects

If File Anti-Virus discovers or suspects an infection in a file while scanning it for viruses, the program’s next steps depend on the object’s status and the action selected.
File Anti-Virus can label an object with one of the following statuses:
Malicious program status (for example, virus, Trojan).
Potentially infected, when the scan cannot determine whether the object is infected. This means that the program detected a sequence of code in the file from an unknown virus or modified code from a known virus.
By default, all infected files are subject to disinfection, and if they are potentially infected, they are sent to Quarantine.
To edit an action for an object:
Select File Anti-Virus in the main window and go to the component settings window by clicking Settings. All potential actions are displayed in the appropriate sections (see Figure 23).
Figure 23. Possible File Anti-Virus actions with dangerous objects
Action selected – What File Anti-Virus does when it detects a dangerous object
Prompt for action – File Anti-Virus issues a warning message containing information about what malicious program has infected or potentially infected the file, and gives you a choice of actions. The choice can vary depending on the status of the object.
Block access – File Anti-Virus blocks access to the object. Information about this is recorded in the report (see 17.3 on pg. 224). Later you can attempt to disinfect this object.
Block access, Disinfect – File Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If disinfection fails, the file will be assigned the status of potentially infected, and it will be moved to Quarantine (see 17.1 on pg. 218). Information about this is recorded in the report. Later you can attempt to disinfect this object.
Block access, Disinfect, Delete if disinfection fails – File Anti-Virus will block access to the object and will attempt to disinfect it. If it is successfully disinfected, it is restored for regular use. If the object cannot be disinfected, it is deleted. A copy of the object will be stored in Backup (see 17.2 on pg. 222).
Block access, Disinfect, Delete – File Anti-Virus will block access to the object and will delete it.
Before disinfecting or deleting the object, Kaspersky Anti-Virus for Windows Workstations creates a backup copy of it, in case the object needs to be restored or an opportunity arises to treat it.
7.3. Postponed disinfection
If you select Block access as the action for malicious programs, the objects will not be treated and access to them will be blocked.
If the actions selected were Block access and Disinfect, all untreated objects will also be blocked.
In order to regain access to blocked objects, they must be disinfected. To do so:
1. Select File Anti-Virus in the main window of the program and left-click anywhere in the Statistics box.
2. Select the objects that interest you on the Detected tab and click the Action Treat all button.
Successfully disinfected files will be returned to the user. You can delete or skip any files that cannot be treated. In the latter case, access to the file will be restored. However, this significantly increases the risk of infection on your computer. It is strongly recommended not to skip malicious objects.
CHAPTER 8. MAIL ANTI-VIRUS

Mail Anti-Virus is Kaspersky Anti-Virus for Windows Workstations’ component for preventing incoming and outgoing email from transferring dangerous objects. It starts running when the operating system boots up, stays active in your system memory, and scans all email on the POP3, SMTP, IMAP, MAPI, and NNTP protocols, as well as encrypted connections (SSL) for POP3 and IMAP.

The component’s activity is indicated by the Kaspersky Anti-Virus for Windows Workstations system tray icon, which looks like this [icon] whenever an email is being scanned.
The default setup for Mail Anti-Virus is as follows:
1. Mail Anti-Virus intercepts each email received or sent by the user.
2. The email is broken down into its parts: email headers, its body, and attachments.
3. The body and attachments of the email (including OLE attachments) are scanned for dangerous objects. Malicious objects are detected using the threat signatures included in the program, and with the heuristic algorithm. The signatures contain descriptions of all the malicious programs known to date and methods for neutralizing them. The heuristic algorithm can detect new viruses that have not yet been entered in the threat signatures.
4. After the virus scan, you have the following available courses of action:
If the body or attachments of the email contain malicious code, Mail Anti-Virus will block the email, place a copy of the infected object in Backup, and try to disinfect the object. If the email is successfully disinfected, it becomes available to the user again. If not, the infected object in the email is deleted. After the virus scan, special text is inserted in the subject line of the email stating that the email has been processed by Kaspersky Anti-Virus for Windows Workstations.
If code is detected in the body or an attachment that appears to be, but is not definitely, malicious, the suspicious part of the email is sent to Quarantine.
If no malicious code is discovered in the email, it is immediately made available again to the user.
Emails sent with MAPI are scanned using a special plug-in for Microsoft Office Outlook and The Bat!
A special plug-in (see 8.2.2 on pg. 104) is provided for Microsoft Outlook that can configure email scans more exactly.
If you use The Bat!, Kaspersky Anti-Virus for Windows Workstations can be used in conjunction with other anti-virus applications. The rules for processing email traffic (see 8.2.3 on pg. 105) are configured directly in The Bat! and supersede the Kaspersky Anti-Virus for Windows Workstations email protection settings.
Warning!
This version of Kaspersky Anti-Virus does not provide Mail Anti-Virus plug-ins for 64-bit mail clients.
When working with other email programs, including Outlook Express (Windows Mail), Mozilla Thunderbird, Eudora, and Incredimail, Mail Anti-Virus scans email on SMTP, POP3, IMAP, MAPI, and NNTP protocols.
Note that emails transmitted on IMAP are not scanned in Thunderbird if you use filters that move them out of your Inbox.
8.1. Selecting an email protection level
Kaspersky Anti-Virus for Windows Workstations protects your email at one of these levels (see Figure 24):
High – the level with the most comprehensive monitoring of incoming and outgoing emails. The program scans email attachments, including archives, in detail, regardless of how long the scan takes.
Recommended – Kaspersky Lab experts recommend this level. It scans the same objects as High, with the exception of attachments or emails that will take more than three minutes to scan.
Low – the security level with settings that let you comfortably use resource-intensive applications, since the scope of email scanning is limited. Thus, only your incoming email is scanned on this level, and in doing so archives and objects (emails) attached are not scanned if they take more than three minutes to scan. This level is recommended if you have additional email protection software installed on your computer.