The Advanced Setup window (click Setup from the main menu and then click Enter entire advanced setup tree., or press F5 on your keyboard) contains additional update options. Click Update from the Advanced Setup tree. The Update server: drop-down menu should be set to Choose automatically. To configure advanced update options such as the update mode, proxy server access, LAN connections and creating virus signature copies (ESET NOD32 Antivirus Business Edition), click the Setup. button.
4. Work withESET NOD32 Antivirus
4.1 Antivirus and antispyware protection Antivirus protection guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by first blocking it, and then cleaning, deleting or moving it to quarantine. 4.1.1 Realtime file system protection 4.1.1.1.2 Scan on (Eventtriggered scanning)
By default, all files are scanned upon opening, creation or execution. We recommend that you keep the default settings, as these provide the maximum level of realtime protection for your computer. The Diskette access option provides control of the diskette boot sector when this drive is accessed. The Computer shutdown option provides control of the hard disk boot sectors during computer shutdown. Although boot viruses are rare today, we recommend that you leave these options enabled, as there is still the possibility of infection by a boot virus from alternate sources. 4.1.1.1.3 Advanced scan options
Realtime file system protection controls all antivirusrelated events in the system. All files are scanned for malicious code at the moment they are opened, created or run on your computer. Realtime file system protection is launched at system startup. 4.1.1.1 Control setup
More detailed setup options can be found under Antivirus and antispyware > Real-time system protection > Advanced setup. Additional ThreatSense parameters for newly created and modified files The probability of infection in newlycreated or modified files is comparatively higher than in existing files. That is why the program checks these files with additional scanning parameters. Along with common signaturebased scanning methods, advanced heuristics are used, which greatly improves detection rates. In addition to newlycreated files, scanning is also performed on selfextracting files (.sfx) and runtime packers (internally compressed executable files). By default, archives are scanned up to the 10th nesting level and are checked regardless of their actual size. To modify archive scan settings, deselect the Default archive scan settings option. Additonal ThreatSense parameters for executed files By default, advanced heuristics are not used when files are executed. However, in some cases you may want to enable this option (by checking the Advanced heuristics on file execution option). Note that advanced heuristics may slow the execution of some programs due to increased system requirements. 4.1.1.2 Cleaning levels

Realtime protection does not detect and clean infiltrations 4.1.1.3 When to modify realtime protection configuration Make sure that no other antivirus programs are installed on your computer. If two realtime protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs on your system. Realtime protection does not start If realtime protection is not initiated at system startup (and the Automatic realtime file system protection startup option is enabled), itmay be due to conflicts with other programs. If this is the case, please consult ESETs Customer Care specialists. 4.1.2 Host Intrusion Prevention System (HIPS)
Realtime protection is the most essential component of maintaining a secure system. Therefore, please use caution when modifying its parameters. We recommend that you only modify its parameters in specific cases. For example, if there is a conflict with a certain application or realtime scanner of another antivirus program. After installation of ESET NOD32 Antivirus, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottomright of the Real-time file system protection window (Advanced Setup window > Antivirus and antispyware > Real-time file system protection). 4.1.1.4 Checking realtime protection
To verify that realtime protection is working and detecting viruses, use a test file from eicar.com. This test file is a special harmless file detectable by all antivirus programs. The file was created by the EICAR company (European Institute for Computer Antivirus Research) to test the functionality of antivirus programs. The file eicar.com is available for download at http://www.eicar.org/download/eicar.com 4.1.1.5 What to do if realtime protection does not work
Host Intrusion Prevention System (HIPS) protects your system from malware or any unwanted activity attempting to negatively affect the security of your computer. It utilizes advanced behavioral analysis coupled with the detection capabilities of network filter to monitor running processes, files and registry keys, actively blocking and preventing any such attempts. 4.1.3 Email client protection

4.1.7.4

Extensions
An extension is part of the file name delimited by a period. The extension defines the type and content of the file. This section of the ThreatSense parameter setup lets you define the types of files to scan. By default, all files are scanned regardless of their extension. Anyextension can be added to the list of files excluded from scanning. If the Scan all files option is unchecked, the list changes to show all currently scanned file extensions. Using the Add and Remove buttons, you can enable or prohibit scanning of desired extensions. To enable scanning of files with no extension, select the Scan extensionless files option. Excluding files from scanning is sometimes necessary if the scanning of certain file types prevents the program which is using the extensions from running properly. For example, it may be advisable to exclude the.edb,.eml and.tmp extensions when using the Microsoft Exchange servers. 4.1.7.5 Limits
The Limits section allows you to specify the maximum size of objects and levels of nested archives to be scanned: Maximum object size: Defines the maximum size of objects to be scanned. The given antivirus module will then scan only objects smaller than the size specified. We do not recommend changing the default value, as there is usually no reason to modify it. This option should only be changed by advanced users who have specific reasons for excluding larger objects from scanning. Maximum scan time for object (sec.): Defines the maximum time value for scanning an object. If a user-defined value has been entered here, the antivirus module will stop scanning an object when that time has elapsed, regardless of whether the scan has finished. Archive nesting level: Specifies the maximum depth of archive scanning. We do not recommend changing the default value of 10; under normal circumstances, there should be no reason to modify it. If scanning is prematurely terminated due to the number of nested archives, the archive will remain unchecked. Maximum size of file in archive: This option allows you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. If this causes scanning an archive to be prematurely terminated, the archive will remain unchecked.
An infiltration is detected
Infiltrations can reach the system from various entry points; webpages, shared folders, via email or from removable computer devices (USB, external disks, CDs, DVDs, diskettes, etc.). If your computer is showing signs of malware infection, e.g., it is slower, often freezes, etc., we recommend that you do the following: Open ESET NOD32 Antivirus and click Computer scan Click Smart scan (for more information, see section 4.1.4.1.1, Smart scan) After the scan has finished, review the log for the number ofscanned, infected and cleaned files.

The list of available update servers is accessible via the Update server dropdown menu. To add a new update server, click Edit. in the Update settings for selected profile section and then click the Add button. Authentication for update servers is based on the Username and Password generated and sent to you after purchase. 4.2.1.1 Update profiles
Update profiles can be created for various update configurations and tasks. Creating update profiles is especially useful for mobile users, who can create an alternative profile for Internet connection properties that regularly change. The Selected profile drop-down menu displays the currently selected profile, set to My profile by default. To create a new profile, click the Profiles. button and then click the Add. button and enter your own Profile name. When creating a new profile, you can copy settings from an existing one by selecting it from the Copy settings from profile drop-down menu.
Offer computer restart if necessary If necessary, restart computer without notifying
The default option is Offer computer restart if necessary. Selection of the most appropriate option depends on the workstation where the settings will be applied. Please be aware that there are differences between workstations and servers e.g., restarting the server automatically after a program upgrade could cause serious damage. 4.2.1.2.2 Proxy server
In the profile setup you can specify the update server from a list of available servers, or a new server can be added. The list of existing update servers is accessible via the Update server: dropdown menu. To add a new update server, click Edit in the Update settings for selected profile section and then click the Add button. 4.2.1.2 Advanced update setup
To access the proxy server setup options for a given update profile: Click Update in the Advanced Setup tree (F5) and then click the Setup. button to the right of Advanced update setup. Click the HTTP Proxy tab and select one of the three following options: Use global proxy server settings Do not use proxy server Connection through a proxy server (connection defined by the connection properties)
To view the Advanced update setup, click the Setup. button. Advanced update setup options include configuration of Update mode, HTTP Proxy, LAN and Mirror. 4.2.1.2.1 Update mode
Selecting the Use global proxy server settings option will use the proxy server configuration options already specified within the Miscellaneous > Proxy server branch of the Advanced Setup tree.

Accessing the Mirror via system shares First, a shared folder should be created on a local or a network device. When creating the folder for the Mirror, you must provide write access for the user who will save update files to the folder and read access for all users who will update ESET NOD32 Antivirus from the Mirror folder. Next, configure access to the Mirror in the Advanced update setup section (Mirror tab) by disabling the Provide update files via internal HTTP server option. This option is enabled by default in the program install package. If the shared folder is located on another computer in the network, you must specify authentication data to access the other computer. To specify authentication data, open ESET NOD32 Antivirus Advanced Setup (F5) and click the Update branch. Click the Setup. button and then click the LAN tab. This setting is the same as for updating, as described in section 4.2.1.2.3, Connecting to LAN. After the Mirror configuration is complete, proceed to theworkstations and set \\UNC\PATH as the update server. Thisoperation can be completed using the following steps: Open ESET NOD32 Antivirus Advanced Setup and click Update Click Edit. next to the Update server and add a new server using the \\UNC\PATH format. Select this newlyadded server from the list of update servers
Updates can be triggered manually by clicking Update virus signature database in the primary window displayed after clicking Update from the main menu. Updates can also be run as scheduled tasks. To configure a scheduled task, click Tools > Scheduler. By default, the following tasks are activated in ESET NOD32 Antivirus: Regular automatic update Automatic update after dialup connection Automatic update after user logon
Each of the aforementioned update tasks can be modified to meet your needs. In addition to the default update tasks, you can create new update tasks with a userdefined configuration. For more details about creating and configuring update tasks, see section 4.3, Scheduler. 4.3 Scheduler Scheduler is available if Advanced mode in ESET NOD32 Antivirus is activated. Scheduler can be found in the ESET NOD32 Antivirus main menu under Tools. Scheduler contains a list of all scheduled tasks and configuration properties such as the predefined date, time, and scanning profile used.

NOTE: For proper functioning, the path to the Mirror folder must be specified as aUNC path. Updates from mapped drives may not work.
By default, the following scheduled tasks are displayed in Scheduler: Regular automatic update Automatic update after dialup connection Automatic update after user logon Automatic startup file check after user logon Automatic startup file check after successful update of the virus signature database Since Update is one of the most frequently used scheduled tasks, we will explain how to add a new update task. From the Scheduled task: dropdown menu, select Update. Click Next and enter the name of the task into the Task name: field. Select the frequency of the task. The following options are available: Once, Repeatedly, Daily, Weekly and Event triggered. Based on the frequency selected, you will be prompted with different update parameters. Next, define what action to take if the task cannot be performed or completed at the scheduled time. The following three options are available: Wait until the next scheduled time Run task as soon as possible Run task immediately if the time since its last execution exceeds specified interval (the interval can be defined using the Task interval scroll box)
To edit the configuration of an existing scheduled task (both default and user-defined), rightclick the task and click Edit. or select the desired task you wish to modify and click the Edit. button. 4.3.1 Purpose of scheduling tasks
Scheduler manages and launches scheduled tasks with predefined configuration and properties. The configuration and properties contain information such as the date and time as well as specified profiles to be used during execution of the task. 4.3.2 Creating new tasks
In the next step, a summary window with information about the current scheduled task is displayed; the option Run task with specific parameters should be automatically enabled. Click the Finish button. A dialog window will appear, allowing you to select profiles to be used for the scheduled task. Here you can specify a primary and alternative profile, which is used in case the task cannot be completed using the primary profile. Confirm by clicking OK in the Update profiles window. The new scheduled task will be added to the list of currently scheduled tasks. 4.4 Quarantine The main task of quarantine is to safely store infected files. Files should be quarantined if they cannot be cleaned, if it is not safe or advisable to delete them, or if they are being falsely detected by ESET NOD32 Antivirus. You can choose to quarantine any file. This is advisable if a file behaves suspiciously but is not detected by the antivirus scanner. Quarantined files can be submitted for analysis to ESETs Threat Lab.

If you have quarantined a suspicious file that was not detected by the program, or if a file was incorrectly evaluated as infected (e.g., by heuristic analysis of the code) and subsequently quarantined, please send the file to ESETs Threat Lab. To submit a file from quarantine, rightclick the file and select Submit for analysis from the context menu.
In each section, the displayed information can be directly copied to the clipboard by selecting the entry and clicking on the Copy button. To select multiple entries, the CTRL and SHIFT keys can be used. 4.5.1 Log maintenance
The Logging configuration of ESET NOD32 Antivirus is accessible from
the main program window. Click Setup > Enter entire advanced setup tree. > Tools > Log files. You can specify the following options for log files: Delete records automatically: Log entries older than the specified number of days are automatically deleted Optimize log files automatically: Enables automatic defragmentation of log files if the specified percentage of unused records has been exceeded Minimum logging verbosity: Specifies the logging verbosity level. Available options: Diagnostic records Logs information needed for finetuning of the program and all records above Informative records Records informative messages including successful update messages plus all records above Warnings Records critical errors and warning messages Errors Only Error downloading file messages are recorded, plus critical errors Critical warnings Logs only critical errors (error starting Antivirus protection, etc)
highlight any element which is currently under the active area of the mouse cursor. The highlighted element will be activated after a mouse click. To decrease or increase the speed of animated effects, select the Use animated controls option and move the Speed slider bar to the left or right. To enable the use of animated icons to display the progress of various operations, select the Use animated icons for progress indication option. If you want the program to sound a warning if an important event takes place, select the Use sound signal option.
The User interface features also include the option to passwordprotect the ESET NOD32 Antivirus setup parameters. This option is located in the Settings protection submenu under User interface. In order to provide maximum security for your system, it is essential that the program be correctly configured. Unauthorized modifications could result in the loss of important data. To set a password to protect the setup parameter, click Set password
4.6 User interface The user interface configuration options in ESET NOD32 Antivirus allow you to adjust the working environment to fit your needs. These configuration options are accessible from the User interface branch of the ESET NOD32 Antivirus Advanced Setup tree. In the User interface elements section, the Advanced mode option gives users the ability to allow toggling to Advanced mode. Advanced mode displays more detailed settings and additional controls to ESET NOD32 Antivirus. The Graphical user interface option should be disabled if the graphical elements slow the performance of your computer or cause other problems. The graphical interface may also need to be turned off for visually impaired users, as it may conflict with special applications that are used for reading text displayed on the screen. If you wish to deactivate the ESET NOD32 Antivirus splashscreen, deselect the Show splash-screen at startup option. At the top of the ESET NOD32 Antivirus main program window is a Standard menu which can be activated or disabled based on the Use standard menu option. If the Show tooltips option is enabled, a short description of any option will be displayed if the cursor is placed over the option. The Select active control element option will cause the system to

Alerts and notifications

The Alerts and notifications setup section under User interface allows you to configure how threat alerts and system notifications are handled in ESET NOD32 Antivirus. The first item is Display alerts. Disabling this option will cancel all alert windows and is only suitable for a limited amount of specific situations. For most users, we recommend that this option be left to its default setting (enabled). To close popup windows automatically after a certain period of time, select the option Close messageboxes automatically after (sec.). If they are not closed manually, alert windows are automatically closed after the specified time period has expired. Notifications on the Desktop and balloon tips are informative only,
and do not require or offer user interaction. They are displayed in the notification area at the bottom right corner of the screen. To activate displaying Desktop notifications, select the Display notifications on desktop option. More detailed options notification display time and window transparency can be modified by clicking the Configure notifications. button. To preview the behavior of notifications, click the Preview button. To configure the duration of the balloon tips display time, see the option Display balloon tips in taskbar (for sec.).
While there is a chance this may occasionally disclose some information about you or your computer (usernames in a directory path, etc.) to ESETs Threat Lab, this information will not be used for ANY purpose other than to help us respond immediately to new threats. By default, ESET NOD32 Antivirus is configured to ask before submitting suspicious files for detailed analysis to ESETs Threat Lab. Files with certain extensions such as.doc or.xls are always excluded. You can also add other extensions if there are particular files that you or your organization wants to avoid sending. The ThreatSense.Net setup is accessible from the Advanced Setup tree, under Tools > ThreatSense.Net. Select the Enable ThreatSense. Net Early Warning System option to activate and then click the Advanced setup. button.
Click Advanced setup. to enter additional Alerts and notification setup options that include the Display only notifications requiring users interaction. This option allows you to turn on/off displaying of alerts and notifications that require no user interaction. Select Display only notifications requiring users interaction when running applications in full screen mode to suppress all noninteractive notifications. From the Minimum verbosity of events to display drop-down menu you can select the starting severity level of alerts and notification to be displayed. The last feature in this section allows you to configure the destination of notifications in a multi-user environment. The On multi-user systems, display notifications on the screen of the user: field allows you to define who will receive important notifications from ESET NOD32 Antivirus. Normally this would be a system or network administrator. This option is especially useful for terminal servers, provided that all system notifications are sent to the administrator. 4.7 ThreatSense.Net The ThreatSense.Net Early Warning System keeps ESET immediately and continuously informed about new infiltrations. The bidirectional ThreatSense.Net Early Warning System has a single purpose to improve the protection that we can offer you. The best way to ensure that we see new threats as soon as they appear is to link to as many to as many of our customers as possible and use them as our Threat Scouts. There are two options: 1. You can decide not to enable the ThreatSense.Net Early Warning System. You will not lose any functionality in the software, and you will still receive the best protection that we offer. 2. You can configure the ThreatSense.Net Early Warning System to submit anonymous information about new threats and where the new threatening code is contained. This file can be sent to ESET for detailed analysis. Studying these threats will help ESET update its threat detection capabilities. The ThreatSense.Net Early Warning System will collect information about your computer related to newlydetected threats. This information may include a sample or copy of the file in which the threat appeared, the path to that file, the filename, the date and time, the process by which the threat appeared on your computer and information about your computers operating system.

Suspicious files

The Suspicious files tab allows you to configure the manner in which threats are submitted to ESETs Threat Lab for analysis. If you find a suspicious file, you can submit it for analysis to our Threat Labs. If it is a malicious application, its detection will be added to the next virus signature update. File submission can be set to occur automatically, or select the Ask before submitting option if you wish to know which files have been sent for analysis and confirm the submission.
If you do not want any files to be submitted, select the Do not submit for analysis option. Selecting not to submit files for analysis does not affect submission of statistical information which is configured in its own setup (see section 4.7.2, Statistics). When to submit By default, the As soon as possible option is selected for suspicious files to be sent to ESETs Threat Lab. This is
recommended if a permanent Internet connection is available and suspicious files can be delivered without delay. Select the During update option for suspicious files to uploaded to ThreatSense.Net during the next update. Exclusion filter The Exclusion filter allows you to exclude certain files/folders from submission. For example, it may be useful to exclude files which may carry confidential information, such as documents or spreadsheets. The most common file types are excluded by default (.doc, etc.). You can add to the list of excluded files if desired. Contact email Your Contact email [optional] can sent with any suspicious files and may be used to contact you if further information is required for analysis. Please note that you will not receive a response from ESET unless more information is needed. 4.7.2 Statistics
information are sent to ESETs virus lab directly from the program.
The ThreatSense.Net Early Warning System collects anonymous information about your computer related to newly detected threats. This information may include the name of the infiltration, the date and time it was detected, the ESET security product version, your operating system version and the location setting. The statistics are typically delivered to ESETs servers once or twice a day. Below is an example of a statistical package submitted: # utc_time=20050414 07:21:28 # country=Slovakia # language=ENGLISH # osver=5.1.2600 NT # engine=5417 # components=2.50.2 # moduleid=0x4e4f4d41 # filesize=28368 # filename=C:\Documents and Settings\Administrator\ Local Settings\Temporary Internet Files\Content.IE5\ C14J8NS7\rdgFR1463[1].exe When to submit You can define when the statistical information will be submitted. If you choose to submit As soon as possible statistical information will be sent immediately after it is created. This setting is suitable if a permanent Internet connection is available. If the During update option is selected, statistical information will be submitted collectively during the next update.

Network connections The Description window contains a list of processes and applications communicating over the network. The communication protocol used is shown in the Navigation window (TCP or UDP) along with the remote address to which the application is connecting. You can also check DNS assigned IP addresses. The Details window contains additional information about items selected in the Description window such as the file size or its hash. Important Registry Entries Contains a list of selected registry entries often related to various problems with your system such as specifying startup programs, browser helper objects (BHO), etc. In the Description window you may find which files are related to specific registry entries. You may see additional details in the Details window. Services The Description window contains a list of files registered as Windows Services. You may check the way the service is set to start along with specific details about the file in the Details window. Drivers The list of drivers installed on the system. Critical files The Description window displays content of critical files related to the Microsoft Windowsoperating system. System information Contains detailed information about hardware and software along with information about set environmental variables and user rights. File details A list of important system files and files in the Program Files folder. Additional information specific to the files can be found in the Description and Details windows. About Information about ESET SysInspector 5.4.1.3 Compare
The Compare feature allows you to compare two existing SysInspector logs in order to highlight common to both logs. This feature is useful if you want to keep track of changes to the system and may allow you to detect the activity of malicious code. After launching, ESET SysInspector creates a new log, which is displayed in a new window. Navigate to File > Save Log to save a log to a file. Log files can later be opened and viewed. To open an existing log, click File > Open Log. In the main program window, ESET SysInspector always displays one log at a time. If you are comparing two logs, its important to compare a currently active log to a log saved in a file. To compare logs, use the option File > Compare Log and choose Select file. The selected log will be compared to the active one in the main program windows. The resulting, so called comparative log will display only differences between those two logs. NOTE: If you compare two log files, select File > Save Log, and save it as a.zip file, both files are saved. If you later open this file, the contained logs are automatically compared. Next to the displayed items, SysInspector shows symbols identifying differences between the compared logs. Items marked by a can only be found in the active log and were not present in the opened comparative log. Items marked by a on the other hand, were present only in the opened log and are missing in the active one. Description of all symbols that can be displayed next to items: new value, not present in the previous log tree structure section contains new values removed value, present in the previous log only

To open SysInspector in ESET NOD32 Antivirus, click Tools > SysInspector. The management system in the SysInspector window is similar to that of computer scan logs, or scheduled tasks. All operations with system snapshots - create, view, compare, remove and export - are accessible within one or two clicks. The SysInspector window contains basic information about the created snapshots such as create time, short comment, name of the user that created the snapshot and snapshot status. To Compare, Add. or Remove snapshots, use the corresponding buttons located below the list of snapshots in the SysInspector window. Those options are also available from the context menu. To view the selected system snapshot, use the View context menu option. To export the selected snapshot to a file, right-click it and select Export. A detailed description of the available options is shown below: Compare - Allows you to compare two existing logs. This feature is useful if you want to track changes between the current log and an older log. For this option to take effect you must select two snapshots to be compared. Add Creates a new record. Before that you must enter a short comment about the record. To see the snapshot creation progress (of the currently generated snapshot) in percent, see the Status column.
+ c:\windows\system32\khbekhb.dll - c:\windows\system32\advapi32.dll [.] In this example the module khbekhb.dll was marked by a +. When the script runs, it will recognize the processes using that specific module and end them. 03) TCP connections This section contains information about existing TCP connections. Example: 03) TCP connections: - Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe - Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006, - Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE - Listening on *, port 135 (epmap), owner: svchost.exe + Listening on *, port 2401, owner: fservice.exe Listening on *, port 445 (microsoft-ds), owner: System [.] When the script runs, it will locate the owner of the socket in the marked TCP connections and stop the socket, freeing system resources. 04) UDP endpoints This section contains information about existing UDP endpoints. Example: 04) UDP endpoints: - 0.0.0.0, port 123 (ntp) + 0.0.0.0, port 3702 - 0.0.0.0, port 4500 (ipsec-msft) - 0.0.0.0, port 500 (isakmp) [.] When the script runs, it will isolate the owner of the socket at the marked UDP endpoints and stop the socket. 05) DNS server entries This section contains information about the current DNS server configuration. Example: 05) DNS server entries: + 204.74.105.85 - 172.16.152.2 [.] Marked DNS server entries will be removed when you run the script. 06) Important registry entries This section contains information about important registry entries. Example: 06) Important registry entries: * Category: Standard Autostart (3 items) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - HotKeysCmds = C:\Windows\system32\hkcmd.exe - IgfxTray = C:\Windows\system32\igfxtray.exe HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Google Update = C:\Users\antoniak\AppData\Local\

Google\Update\GoogleUpdate.exe /c * Category: Internet Explorer (7 items) HKLM\Software\Microsoft\Internet Explorer\Main + Default_Page_URL = http://thatcrack.com/ [.] The marked entries will be deleted, reduced to 0-byte values or reset to their default values upon script execution. The action to be applied to a particular entry depends on the entry category and key value in the specific registry. 07) Services This section lists services registered within the system. Example: 07) Services: - Name: Andrea ADI Filters Service, exe path: c:\ windows\system32\aeadisrv.exe, state: Running, startup: Automatic - Name: Application Experience Service, exe path: c:\windows\system32\aelupsvc.dll, state: Running, startup: Automatic - Name: Application Layer Gateway Service, exe path: c:\windows\system32\alg.exe, state: Stopped, startup: Manual [.] The services marked and their dependant services will be stopped and uninstalled when the script is executed. 08) Drivers This section lists installed drivers. Example: 08) Drivers: - Name: Microsoft ACPI Driver, exe path: c:\windows\ system32\drivers\acpi.sys, state: Running, startup: Boot - Name: ADI UAA Function Driver for High Definition Audio Service, exe path: c:\windows\system32\drivers\ adihdaud.sys, state: Running, startup: Manual [.] When you execute the script, the drivers selected will be unregistered from the system and removed. 09) Critical files This section contains information about files critical to proper function of the operating system. Example: 09) Critical files: * File: win.ini - [fonts] - [extensions] - [files] - MAPI=1 [] * File: system.ini - [386Enh] - woafont=dosapp.fon - EGA80WOA.FON=EGA80WOA.FON [] * File: hosts - 127.0.0.1 localhost - ::1 localhost
[] The selected items will either be deleted or reset to their original values. 5.4.1.5.3 How to execute Service scripts

5.5.2.1

Folders
Temporary folder Working directory for files required during ESET SysRescue compilation. ISO folder Folder where the resulting.iso file is saved after the compilation is completed. The list on this tab shows all local and mapped network drives together with the available free space. If any of the folders here are located on a drive with insufficient free space, we recommend that you select another drive with more free space available. Otherwise compilation may exit prematurely due to insufficient free disk space. External applications Allows you to specify additional programs that will be run or installed after booting from a SysRescue medium. Include external applications Allows you to add external programs to the SysRescue compilation Selected folder Folder in which programs to be added to the SysRescue disk are located 5.5.2.2 ESET Antivirus
Mark all desired items, then save and close the script. Run the edited script directly from the SysInspector main window by selecting the Run Service Script option from the File menu. When you open a script, the program will prompt you with the following message: Are you sure you want to run the service script %Scriptname%? After you confirm your selection, another warning may appear, informing you that the service script you are trying to run has not been signed. Click Run to start the script. A dialog window will confirm successful execution of the script. If the script could only be partially processed, a dialog window with the following message will appear: The service script was run partially. Do you want to view the error report? Select Yes to view a complex error report listing the operations that were not executed. Your script was not recognized as valid and will not be run if you see the following message: Are there any issues with the script consistency (damaged heading, corrupt section title, empty line missing between sections etc.)? You can either reopen the script file and correct the errors within the script or create a new service script. 5.5 ESET SysRescue ESET SysRescue (ESR) is a utility which enables you to create a bootable disk containing ESET NOD32 Antivirus 4 (EAV). The main advantage of ESET Recovery CD is that EAV runs independent of the host operating system, while it has direct access to the disk and the entire file system. This makes it possible to remove those infiltrations that normally could not be deleted, e.g., when the operating system is running, etc. 5.5.1 Minimum requirements

6. Glossary

6.1 Types of infiltrations An Infiltration is a piece of malicious software trying to enter and/or damage a users computer. 6.1.1 Viruses infiltration not falling under any specific class of infiltration. Since this is a very broad category, it is often divided into many subcategories: Downloader A malicious program with the ability to download other infiltrations from the Internet. Dropper A type of trojan horse designed to drop other types ofmalware onto compromised computers. Backdoor An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it. Keylogger (keystroke logger) A program which records each keystroke that a user types and sends the information to remote attackers. Dialer Dialers are programs designed to connect to premiumrate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dialup modems, which are no longer regularly used. Trojan horses usually take the form of executable files with the extension.exe. If a file on your computer is detected as a trojan horse, it is advisable to delete it, since it most likely contains malicious code. Examples of wellknown trojans are: NetBus, Trojandownloader. Small.ZL, Slapper 6.1.4 Rootkits
A computer virus is an infiltration that corrupts existing files on your computer. Viruses are named after biological viruses, because they use similar techniques to spread from one computer to another. Computer viruses mainly attack executable files and documents. To replicate, a virus attaches its body to the end of a target file. In short, this is how a computer virus works: after execution of the infected file, the virus activates itself (before the original application) and performs its predefined task. Only after that is the original application allowed to run. A virus cannot infect a computer unless a user, either accidentally or deliberately, runs or opens the malicious program by him/herself. Computer viruses can range in purpose and severity. Some of them are extremely dangerous because of their ability to purposely delete files from a hard drive. On the other hand, some viruses do not cause any damage they only serve to annoy the user and demonstrate the technical skills of their authors. It is important to note that viruses (when compared to trojans or spyware) are increasingly rare because they are not commercially enticing for malicious software authors. Additionally, the term virus is often used incorrectly to cover all types of infiltrations. This usage is gradually being overcome and replaced by the new, more accurate term malware (malicious software). If your computer is infected with a virus, it is necessary to restore infected files to their original state i.e., to clean them by using an antivirus program. Examples of viruses are: OneHalf, Tenga, and Yankee Doodle. 6.1.2 Worms