Professional Documents
Culture Documents
5. Advanced
................................................................17
user
Launch the installer and the installation wizard will guide you
1. ESET NOD32 Antivirus through the basic setup. After agreeing to the End User
License Agreement, you can choose from the following
As the popularity of Unix-based operating systems increases, installation types:
malware authors are developing more threats to target Linux Typical installation 4
users. ESET NOD32 Antivirus offers powerful and efficient Custom installation 4
protection against these emerging threats. ESET NOD32
Antivirus also includes the ability to deflect Windows threats, 2.1 Typical installation
protecting Linux users as they interact with Windows users
and vice versa. Although Windows malware does not pose a Typical installation mode includes configuration options that
direct threat to Linux, disabling malware that has infected a are appropriate for most users. These settings provide
Linux machine will prevent its spread to Windows-based maximum security combined with excellent system
computers through a local network or the Internet. performance. Typical installation is the default option and is
recommended if you do not have particular requirements for
1.1 System requirements specific settings.
For optimal performance of ESET NOD32 Antivirus, your The ThreatSense.NET Early Warning System helps ensure that
system should meet the following hardware and software ESET is immediately and continuously informed of new
requirements: infiltrations in order to quickly protect our customers. The
system allows new threats to be submitted to the ESET Threat
ESET NOD32 Antivirus: Lab, where they are analyzed, processed and added to the
System requirements virus signature database. By default, the Enable ThreatSense.
NET Early Warning System option is selected. Click Setup... to
Processor 32bit, 64bit AMD, Intel
modify detailed settings for submitting suspicious files. (For
architecture
more information see ThreatSense.NET 16 ).
System Debian and RedHat based distributions
(Ubuntu, OpenSuse, Fedora, Mandriva, The next step in the installation process is to configure the
RedHat etc.) detection of Potentially unwanted applications. Potentially
kernel 2.6.x unwanted applications are not necessarily malicious, but can
GNU C Library 2.3 or newer often negatively affect the behavior of your operating system.
GTK+ 2.6 or newer These applications are often bundled with other programs and
LSB 3.1 compatibility recommended may be difficult to notice during the installation process.
Memory 512 MB Although these applications usually display a notification
Free disk space 100 MB during installation, they can easily be installed without your
consent.
3. If you would like to evaluate ESET NOD32 Antivirus before The Standard mode provides access to features required for
making a purchase, select the Activate Trial License option. common operations. It does not display any advanced options.
Fill in your name and Email address to activate ESET NOD32
Antivirus for a limited time. Your test license will be emailed Toggling to Advanced mode adds the Tools option to the main
to you. Trial licenses can only be activated once per menu. The Tools option allows you to access the submenus
customer. for Log files, Quarantine and Scheduler.
If you do not have a license and would like to buy one, click NOTE: All remaining instructions in this guide take place in
the Purchase License option. This will redirect you to the Advanced mode.
website of your local ESET distributor.
Standard mode:
2.4 On-demand computer scan
5
Advanced mode: If you need assistance, you can contact ESET Customer Care
support on the ESET website. ESET Customer Care will respond
quickly to your questions and help determine a resolution.
6
Add... - excludes objects from detection. Enter the path to
4.1.1.1.1 Scan on (Event triggered scanning) an object (you can also use wildcards * and ?) or select the
By default, all files are scanned upon File opening, File folder or file from the tree structure.
creation or File execution. We recommend that you keep the Edit... - enables you to edit selected entries
default settings, as these provide the maximum level of Real- Remove - removes selected entries
time protection for your computer. Default - cancels all exclusions.
4.1.1.1.2 Advanced scan options 4.1.1.2 When to modify Real-time protection configuration
In this window you can define object types to be scanned by Real-time protection is the most essential component of
the ThreatSense engine and enable/disable Advanced maintaining a secure system. Use caution when modifying the
heuristics as well as modify settings for archives and file Real-time protection parameters. We recommend that you
cache. only modify these parameters in specific cases. For example, a
situation in which there is a conflict with a certain application
We do not recommend changing the default values in the or Real-time scanner of another antivirus program.
Default archives settings section unless needed to resolve a
specific issue, as higher archive nesting values can impede After installing ESET NOD32 Antivirus, all settings are
system performance. optimized to provide the maximum level of system security for
users. To restore the default settings, click the Default button
You can toggle ThreatSense Advanced heuristics scanning for located at the bottom-left of the Real-Time Protection
executed, created and modified files separately by clicking the window (Setup > Enter application preferences ... >
Advanced heuristics checkbox in each of the respective Protection > Real-Time Protection).
ThreatSense parameters sections.
4.1.1.3 Checking Real-time protection
To provide the minimum system footprint when using Real- To verify that Real-time protection is working and detecting
time protection, you can define the size of the optimization viruses, use the eicar.com test file. This test file is a special,
cache. This behavior is active when you are using the Enable harmless file detectable by all antivirus programs. The file was
clean file cache option. If this is disabled, all files are scanned created by the EICAR institute (European Institute for
each time they are accessed. Files will not be scanned Computer Antivirus Research) to test the functionality of
repeatedly after being cached (unless they have been antivirus programs.
modified), up to the defined size of the cache. Files are
scanned again immediately after each virus signature database
4.1.1.4 What to do if Real-time protection does not work
update.
In this chapter, we describe problem situations that may arise
Click Enable clean file cache to enable/disable this function. when using Real-time protection, and how to troubleshoot
To set the amount of files to be cached simply enter the them.
desired value in the input field next to Cache size.
Rea l-tim e protection is disa bled
Additional scanning parameters can be set in the ThreatSense If Real-time protection was inadvertently disabled by a user, it
Engine Setup window. You can define what type of Objects will need to be reactivated. To reactivate Real-time protection,
should be scanned, using which Options and Cleaning level, as navigate to Setup > Antivirus and antispyware and click the
well as defining Extensions and file-size Limits for Real-time Enable real-time file system protection link (to the right) in
file system protection. You can enter the ThreatSense engine the main program window. Alternatively, you can enable the
setup window by clicking the Setup... button next to Real-time file system protection in the Advanced setup
ThreatSense Engine in the Advanced Setup window. For more window under Protection > Real-Time Protection by selecting
detailed information about ThreatSense engine parameters the Enable real-time file system protection option.
see ThreatSense engine parameter setup 9 .
7
4.1.2.1 Type of scan
Two types of On-demand computer scans are available. Smart
scan quickly scans the system with no need for further
configuration of the scan parameters. Custom scan allows you
to select any of the predefined scan profiles, as well as choose
specific scan targets.
We recommend that you run an On-demand computer scan at The Scan targets tree structure allows you to select files and
least once a month. Scanning can be configured as a folders to be scanned for viruses. Folders may also be selected
scheduled task from Tools > Scheduler. according to a profile's settings.
8
The ThreatSense technology setup options allow you to
specify several scan parameters:
File types and extensions that are to be scanned
The combination of various detection methods
Levels of cleaning, etc.
To help you create a scan profile to fit your needs, see the The ThreatSense parameters are specifically optimized for
ThreatSense engine parameters setup 9 section for a each module, and their modification can significantly influence
description of each parameter of the scan setup. system operation. For example, changing settings to always
scan runtime packers, or enabling advanced heuristics in the
Example: Suppose that you want to create your own scan Real-time file system protection module could result in a
profile and the Smart scan configuration is partially suitable, slower system . Therefore, we recommend that you leave the
but you do not want to scan runtime packers or potentially default ThreatSense parameters unchanged for all modules
unsafe applications and you also want to apply Strict cleaning. except Computer scan.
In the On-demand Scanner Profiles List window, type the
profile name, click the Add button and confirm by clicking OK. 4.1.3.1 Objects
Then adjust the parameters to meet your requirements by
setting ThreatSense Engine and Scan Targets. The Objects section allows you to define which computer files
will be scanned for infiltrations.
9
4.1.3.2 Options 4.1.3.4 Extensions
In the Options section, you can select the methods used An extension is the part of the file name delimited by a period.
during a scan of the system for infiltrations. The following The extension defines the type and content of the file. This
options are available: section of the ThreatSense parameter setup lets you define
the types of files to be excluded from scanning.
Heuristics Heuristics use an algorithm that analyzes the
(malicious) activity of programs. The main advantage of By default, all files are scanned regardless of their extension.
heuristic detection is the ability to detect new malicious Any extension can be added to the list of files excluded from
software which did not previously exist, or was not included scanning. Using the Add and Remove buttons, you can enable
in the list of known viruses (virus signatures database). or prohibit scanning of desired extensions.
Advanced heuristics Advanced heuristics is comprised of a
unique heuristic algorithm, developed by ESET, optimized Excluding files from scanning is sometimes necessary if
for detecting computer worms and trojan horses written in scanning certain file types prevents the program from
high-level programming languages. The program's detection functioning properly. For example, it may be advisable to
ability is significantly higher as a result of advanced exclude the .log, .cfg and .tm p extensions.
heuristics.
Potentially unwanted applications These applications are 4.1.3.5 Limits
not necessarily intended to be malicious, but may affect the
The Limits section allows you to specify the maximum size of
performance of your computer in a negative way. Such
objects and levels of nested archives to be scanned:
applications usually require consent for installation. If they
are present on your computer, your system behaves
Maximum Size: Defines the maximum size of objects to be
differently (compared to the way it behaved before these
scanned. The antivirus module will then scan only objects
applications were installed). The most significant changes
smaller than the size specified. We do not recommend
include unwanted pop-up windows, activation and running
changing the default value, as there is usually no reason to
of hidden processes, increased usage of system resources,
modify it. This option should only be changed by advanced
changes in search results, and applications communicating
users who have specific reasons for excluding larger objects
with remote servers.
from scanning.
Potentially unsafe applications these applications refer to
Maximum Scan Time: Defines the maximum time allotted
commercial, legitimate software that can be abused by
for scanning an object. If a user-defined value has been
attackers, if it was installed without user's knowledge. The
entered here, the antivirus module will stop scanning an
classification includes programs such as remote access tools,
object when that time has elapsed, whether or not the scan
which is why this option is disabled by default.
has finished.
Maximum Nesting Level: Specifies the maximum depth of
4.1.3.3 Cleaning
archive scanning. We do not recommend changing the
The cleaning settings determine the manner in which the default value of 10; under normal circumstances, there
scanner cleans infected files. There are 3 levels of cleaning: should be no reason to modify it. If scanning is prematurely
terminated due to the number of nested archives, the
No cleaning Infected files are not cleaned automatically. archive will remain unchecked.
The program will display a warning window and allow you Maximum File Size: This option allows you to specify the
to choose an action. maximum file size for files contained in archives (when they
Standard cleaning The program will attempt to are extracted) that are to be scanned. If scanning is
automatically clean or delete an infected file. If it is not prematurely terminated as a result of this limit, the archive
possible to select the correct action automatically, the will remain unchecked.
program will offer a choice of follow-up actions. The choice
of follow-up actions will also be displayed if a predefined If you wish to disable the scanning of specific folders
action could not be completed. controlled by the system (/ proc and /sys), select the Exclude
Strict cleaning The program will clean or delete all system control folders from scanning option (this option is
infected files (including archives). The only exceptions are not available for startup scan).
system files. If it is not possible to clean them, you will be
offered an action to take in a warning window. 4.1.3.6 Others
With Smart Optimization enabled, settings are optimized to
W a rning : In the Default Standard cleaning mode, the entire
ensure the most efficient level of scanning without
archive file is deleted only if all files in the archive are infected.
compromising scanning speed. The various protection
If the archive also contains legitimate files, it will not be
modules scan intelligently, making use of different scanning
deleted. If an infected archive file is detected in Strict cleaning
methods. Smart Optimization is not rigidly defined within the
mode, the entire archive will be deleted, even if clean files are
product. The ESET Development Team is continuously
present.
implementing new changes which then get integrated into
your ESET NOD32 Antivirus via the regular updates. If Smart
Optimization is disabled, only the user-defined settings in the
ThreatSense core of the particular module are applied when
performing a scan.
10
Scan alternative data streams (On-demand scanner only)
Alternate data streams used by the file system are file and
folder associations which are invisible from ordinary scanning
techniques. Many infiltrations try to avoid detection by
disguising themselves as alternative data streams.
11
license email and let the program to Choose automatically the
4.2.1 Upgrading to a new build Update Server, the update will be successful.
For maximum protection, it is important to use the latest build
of ESET NOD32 Antivirus. To check for a new version, click To enable the use of test mode (downloads pre-release
Update from the main menu on the left. If a new build is updates) click the Setup... button next to Advanced Options
available, a message that says A new version of the product is and select the Enable pre-release updates checkbox. To
a va ila ble! will be displayed at the bottom of the window. disable system tray notifications displaying after each
Click Learn more... to display a new window containing the successful update, select the Do not display notification
version number of the new build and the changelog. about successful update checkbox.
Click Download to download the latest build. Click Close to To delete all temporarily stored update data, click the Clear
close the window and download the upgrade later. button next to Clear Update Cache. Use this option if you are
experiencing difficulty while updating.
If you clicked Download, the file will be downloaded to your
downloads folder (or the default folder set by your browser). 4.2.3 How to create update tasks
When the file has finished downloading, launch the file and Updates can be triggered manually by clicking Update virus
follow the installation directions. Your username and signature database in the primary window displayed after
password will be automatically transferred to the new clicking Update from the main menu.
installation. It is recommended to check for upgrades
regularly, especially when installing ESET NOD32 Antivirus via Updates can also be run as scheduled tasks. To configure a
CD/DVD. scheduled task, click Tools > Scheduler. By default, the
following tasks are activated in ESET NOD32 Antivirus:
4.2.2 Update setup
The update setup section specifies update source information Regular automatic update
such as the update servers and authentication data for these Automatic update after user logon
servers. By default, the Update Server drop-down menu is set
to Choose automatically to ensure that update files will Each of the update tasks can be modified to meet your needs.
automatically download from the ESET server with the least In addition to the default update tasks, you can create new
network traffic. update tasks with a user-defined configuration. For more
details about creating and configuring update tasks, see the
Scheduler 12 section.
4.3 Scheduler
4.3.1 Purpose of scheduling tasks The system, by default, contains essential scheduled tasks to
ensure correct product functionality. These should not be
The Scheduler manages and launches scheduled tasks with altered, and are hidden by default. To change this option and
predefined configurations and properties. The configuration make these tasks visible, enter the Setup > Enter application
and properties contain information such as the date and time preferences ... > Tools > Scheduler and select the Show
as well as specified profiles to be used during execution of the system tasks option.
task.
4.3.3 Creating user-defined task
4.3.2 Creating new tasks
Date and time of the User-defined task has to be entered in
To create a new task in the Scheduler, click the Add task... year-extended cron format (a string comprising 6 fields
button or right-click and select Add... from the context menu. separated by white space):
Five types of scheduled tasks are available: minute(0-59) hour(0-23) day of month(1-31) month(1-
12) year(1970-2099) day of week(0-7)(Sunday = 0 or 7)
Run application
Update Example:
30 6 22 3 2012 4
Log maintenance
On-demand computer scan Special characters supported in cron expressions:
System startup file check asterisk (*) - expression will match for all values of the field;
e.g. asterisk in the 3rd field (day of month) means every day
hyphen (-) - defines ranges; e.g. 3-9
comma (,) - separates items of a list; e.g. 1,3,7,8
slash (/) - defines increments of ranges; e.g. 3-28/5 in the
3rd field (day of month) means 3rd day of the month and
then every 5 days.
4.4 Quarantine
Files stored in the quarantine folder can be viewed in a table Log files are accessible from the ESET NOD32 Antivirus main
which displays the date and time of quarantine, the path to menu by clicking Tools > Log files. Select the desired log type
the original location of the infected file, its size in bytes, using the Log drop-down menu at the top of the window. The
reason (e.g., added by user) and number of threats (e.g., if it following logs are available:
is an archive containing multiple infiltrations). The quarantine
folder with quarantined files ( /va r/opt/eset/esets/ca che/ 1. Detected threats Use this option to view all information
qua ra ntine) remains in the system even after uninstalling ESET about events related to the detection of infiltrations.
NOD32 Antivirus. Quarantined files are stored in a safe 2. Events This option is designed for system administrators
encrypted form and can be restored again after installing ESET and users to solve problems. All important actions
NOD32 Antivirus. performed by ESET NOD32 Antivirus are recorded in the
Event logs.
If you wish to automatically scan quarantined files after each 3. Computer scan Results of all completed scans are
virus signature database update, select the Rescan displayed in this window. Double-click any entry to view
quarantined files after every update option in the Setup > details of the respective On-demand computer scan.
Enter application preferences ... > Tools > Quarantine.
In each section, the displayed information can be directly
copied to the clipboard by selecting the entry and clicking on
4.4.1 Quarantining files
the Copy button.
ESET NOD32 Antivirus automatically quarantines deleted files
(if you have not canceled this option in the alert window). If 4.5.1 Log maintenance
desired, you can quarantine any suspicious file manually by
clicking the Quarantine... button. The context menu can also The logging configuration for ESET NOD32 Antivirus is
be used for this purpose right-click in the Quarantine accessible from the main program window. Click Setup > Enter
window, choose file you want to quarantine and click the application preferences ... > Tools > Log Files. You can specify
Open button. the following options for log files:
4.4.2 Restoring from Quarantine Delete old log records automatically - log entries older than
the specified number of days are automatically deleted.
Quarantined files can also be restored to their original Optimize log files automatically - enables automatic
location. Use the Restore button for this purpose; Restore is defragmentation of log files if the specified percentage of
also available from the context menu by right-clicking on the unused records has been exceeded.
given file in the Quarantine window, then clicking Restore.
The context menu also offers the option Restore to..., which To configure the Log Records Default Filter click the Edit...
allows you to restore a file to a location other than the one button and select/deselect log types as required.
from which it was deleted.
14
4.5.2 Log filtering
Logs store information about important system events. The
log filtering feature allows you to display records about a
specific type of event.
4.6.1 Alerts and notifications In order to provide maximum security for your system, it is
The Alerts and Notifications section allows you to configure essential that the program be correctly configured.
how threat alerts and system notifications are handled in ESET Unauthorized modifications could result in the loss of
NOD32 Antivirus. important data. To set a list of privileged users, simply select
them from the Users list on the left side and click the Add
Disabling the Display alerts option will cancel all alert windows button. To remove a user, simply select their name from the
and is only suitable in specific situations. For most users, we Privileged Users list on the right side and click Remove.
recommend that this option be left to its default setting
(enabled). NOTE: If the list of privileged users is empty, all users of the
system will have permission to edit the program settings.
15
4.6.3 Context menu The ThreatSense.NET setup is accessible from the Advanced
The context menu integration can be enabled in the Setup > Setup window, under Tools > ThreatSense.NET. Select the
Enter application preferences ... > User > Context Menu Enable ThreatSense.NET Early Warning System option to
section by enabling the Integrate into the context menu activate and then click the Setup... button beside the
check box. Advanced Options heading.
6. Glossary
5.1.1 Import settings
Importing a configuration is very easy. From the main menu,
click Setup > Import and export settings ... and then select
6.1 Types of infiltrations
the Import settings option. Enter the name of the
An Infiltration is a piece of malicious software trying to enter
configuration file or click the Browse... button to browse for
and/or damage a users computer.
the configuration file you wish to import.
6.1.1 Viruses
5.1.2 Export settings
A computer virus is an infiltration that corrupts existing files
The steps to export a configuration are very similar. From the
on your computer. Viruses are named after biological viruses,
main menu, click Setup > Import and export settings ... Select
because they use similar techniques to spread from one
the Export settings option and enter the name of the
computer to another.
configuration file. Use the browser to select a location on your
computer to save the configuration file.
17
Computer viruses mainly attack executable files, scripts and
documents. To replicate, a virus attaches its body to the end 6.1.3 Trojan horses
of a target file. In short, this is how a computer virus works: Historically, computer trojan horses have been defined as a
after execution of the infected file, the virus activates itself class of infiltrations which attempt to present themselves as
(before the original application) and performs its predefined useful programs, tricking users into letting them run. Today,
task. Only after that is the original application allowed to run. there is no longer a need for trojan horses to disguise
A virus cannot infect a computer unless a user, either themselves. Their sole purpose is to infiltrate as easily as
accidentally or deliberately, runs or opens the malicious possible and accomplish their malicious goals. Trojan horse
program. has become a very general term describing any infiltration not
falling under any specific class of infiltration.
Computer viruses can range in purpose and severity. Some of
them are extremely dangerous because of their ability to Since this is a very broad category, it is often divided into
purposely delete files from a hard drive. On the other hand, many subcategories:
some viruses do not cause any damage they only serve to
annoy the user and demonstrate the technical skills of their Downloader A malicious program with the ability to
authors. download other infiltrations from the Internet.
Dropper A type of trojan horse designed to drop other
It is important to note that viruses (when compared to trojans
types of malware onto compromised computers.
or spyware) are increasingly rare because they are not
Backdoor An application which communicates with
commercially enticing for malicious software authors.
remote attackers, allowing them to gain access to a system
Additionally, the term virus is often used incorrectly to cover
and to take control of it.
all types of infiltrations. This usage is gradually being
Keylogger (keystroke logger) A program which records
overcome and replaced by the new, more accurate term
each keystroke that a user types and sends the information
malware (malicious software).
to remote attackers.
Dialer Dialers are programs designed to connect to
If your computer is infected with a virus, it is necessary to
premium-rate numbers. It is almost impossible for a user to
restore infected files to their original state i.e., to clean them
notice that a new connection was created. Dialers can only
by using an antivirus program.
cause damage to users with dial-up modems, which are no
longer regularly used.
Examples of viruses are: OneHa lf, Teng a and Ya nkee Doodle.
Trojan horses usually take the form of executable files. If a
file on your computer is detected as a trojan horse, we
6.1.2 Worms
recommend deleting it, since it most likely contains
A computer worm is a program containing malicious code that malicious code.
attacks host computers and spreads via a network. The basic
difference between a virus and a worm is that worms have the Examples of well-known trojans are: N etBus,
ability to replicate and travel by themselves they are not Troja ndow nloa der.Sm a ll.ZL, Sla pper.
dependent on host files (or boot sectors). Worms spread
through email addresses in your contact list or exploit security 6.1.4 Adware
vulnerabilities in network applications.
Adware is a shortened term for advertising-supported
Worms are therefore much more viable than computer software. Programs displaying advertising material fall under
viruses. Due to the wide availability of the Internet, they can this category. Adware applications often automatically open a
spread across the globe within hours of their release in some new pop-up window containing advertisements in an Internet
cases, even in minutes. This ability to replicate independently browser, or change the browsers home page. Adware is
and rapidly makes them more dangerous than other types of frequently bundled with freeware programs, allowing creators
malware. of freeware programs to cover development costs of their
(usually useful) applications.
A worm activated in a system can cause a number of
inconveniences: It can delete files, degrade system Adware itself is not dangerous users may only be bothered
performance, or even deactivate programs. The nature of a by the advertisements. The danger lies in the fact that adware
computer worm qualifies it as a means of transport for other may also perform tracking functions (as spyware does).
types of infiltrations.
If you decide to use a freeware product, please pay particular
If your computer is infected with a worm, we recommend you attention to the installation program. The installer will most
delete the infected files because they likely contain malicious likely notify you of the installation of an extra adware
code. program. Often you will be allowed to cancel it and install the
program without adware.
Examples of well-known worms are: Lovsa n/Bla ster, Stra tion/
W a rezov, Ba g le and N etsky.
18
Some programs will not install without adware, or their
functionality will be limited. This means that adware may 6.1.7 Potentially unwanted applications
often access the system in a legal way, because users have Potentially unwanted applications are not necessarily
agreed to it. In this case, it is better to be safe than sorry. If intended to be malicious, but may affect the performance of
there is a file detected as adware on your computer, it is your computer in a negative way. Such applications usually
advisable to delete it, since there is a high probability that it require consent for installation. If they are present on your
contains malicious code. computer, your system behaves differently (compared to the
way it behaved before their installation). The most significant
6.1.5 Spyware changes are:
This category covers all applications which send private
information without user consent/awareness. Spyware uses new windows you havent seen previously are opened
tracking functions to send various statistical data such as a list activation and running of hidden processes
of visited websites, email addresses from the users contact increased usage of system resources
list, or a list of recorded keystrokes. changes in search results
application communicates with remote servers.
The authors of spyware claim that these techniques aim to
find out more about users needs and interests and allow
better-targeted advertisement. The problem is that there is no
clear distinction between useful and malicious applications
and no one can be sure that the retrieved information will not
be misused. The data obtained by spyware applications may
contain security codes, PINs, bank account numbers, etc.
Spyware is often bundled with free versions of a program by
its author in order to generate revenue or to offer an incentive
for purchasing the software. Often, users are informed of the
presence of spyware during a programs installation to give
them an incentive to upgrade to a paid version without it.
19