Feature ESET SysRescue

The long-time development experience of our experts is demonstrated by the entirely new architecture of the ESET NOD32 Antivirus program, which guarantees maximum detection with minimum system requirements. Antivirus & antispyware
This module is built upon the ThreatSense scanning engine, which was used for the first time in the awardwinning NOD32 Antivirus system. ThreatSense is optimized and improved with the new ESET NOD32 Antivirus architecture. Feature Improved Cleaning Description The antivirus system now intelligently cleans and deletes most detected infiltrations without requiring user intervention. Computer scanning can be launched in the background without slowing down performance. Core optimization processes keep the size of update files smaller than in version 2.7. Also, protection of update files against damage has been improved. It is now possible to scan incoming mail not only in Microsoft Outlook but also in Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird.

Document protection

Self Defense

Background Scanning Mode

User interface

Smaller Update Files

1.2 System requirements Popular EMail Client Protection For seamless operation of ESET NOD32 Antivirus, your system should meet the following hardware and software requirements: ESET NOD32 Antivirus: Windows NT4 SP6, 2000, XP 400 MHz 32-bit / 64-bit (x86 / x64) 128MB RAM of system memory 130MB available space Super VGA (800 600) 1 GHz 32-bit / 64-bit (x86 / x64) 512MB RAM of system memory 130MB available space Super VGA (800 600)
Variety of Other Direct access to file systems for high speed Minor Improvements and throughput. Blocking access to infected files Optimization for Windows Security Center, including Vista.

Windows 7, Vista

ESET NOD32 Antivirus Business Edition: Windows NT4 SP6, 2000, 2000 Server, XP,2003 Server 400 MHz 32-bit / 64-bit (x86 / x64) 128MB RAM of system memory 130MB available space Super VGA (800 600) 1 GHz 32-bit / 64-bit (x86 / x64) 512MB RAM of system memory 130MB available space Super VGA (800 600)
Windows 7, Vista, Windows Server 2008
NOTE: AntiStealth and Self Defense are not available on Windows NT4 SP6.

2. Installation

The final step in Typical installation mode is to confirm installation by clicking the Install button.
2.2 Custom installation Custom installation is designed for users who have experience with finetuning programs and who wish to modify advanced settings during installation. After selecting the installation mode and clicking Next, you will be prompted to select a destination location for the installation. By default, the program installs in C:\Program Files\ESET\ESET NOD32 Antivirus\. Click Browse to change this location (not recommended).
If you use a proxy server, it must be correctly configured for virus signature updates to work correctly. If you do not know whether you use a proxy server to connect to the Internet, leave the default setting I am unsure if my Internet connection uses a proxy server. Use the same settings as Internet Explorer (Recommended) and click Next. If you do not use a proxy server, select the I do not use a proxy server option.
Next, Enter your Username and Password. This step is the same as in Typical installation (see section 2.1, Typical installation). After entering your username and password, click Next to proceed to Configure your Internet connection.
To configure your proxy server settings, select I use a proxy server and click Next. Enter the IP address or URL of your proxy server in the Address field. In the Port field, specify the port where the proxy server accepts connections (3128 by default). In the event that the proxy server requires authentication, enter a valid Username and Password to grant access to the proxy server. Proxy server settings can also be copied from Internet Explorer if desired. To do this, click Apply and confirm the selection.
the New password and Confirm new password fields.
Click Next to proceed to Configure automatic update settings. This step allows you to designate how automatic program component updates will be handled on your system. Click Change. to access the advanced settings. If you do not want program components to be updated, select the Never update program components option. Select the Ask before downloading program components option to display a confirmation window before downloading program components. To download program component upgrades automatically, select the Always update program components option.

Toggling to Advanced mode adds the Tools option to the main menu. The Tools option allows you to access the submenus for Log files, Quarantine, Scheduler and SysInspector. NOTE: All remaining instructions in this guide take place in Advanced mode. 3.1.1 Checking operation of the system
To view the Protection status, click the top option from the main menu. A status summary about the operation of ESET NOD32 Antivirus will display in the primary window, and a submenu with two items will appear: Watch Activity and Statistics. Select either of these to view more detailed information about your system.
What to do if the program doesnt work properly
The Standard mode provides access to features required for common operations. It does not display any advanced options.
If the modules enabled are working properly, they are assigned agreen check. If not, a red exclamation point or orange notification icon is displayed, and additional information about the module is shown in the upper part of the window. A suggested solution for fixing the module is also displayed. To change the status of individual modules, click Setup in the main menu and click on the desired module.
3.3 Proxy server setup If you are unable to solve a problem using the suggested solutions, click Help and support to access the help files or search the Knowledgebase. If you still need assistance, you can submit an ESET Customer Care support request. ESET Customer Care will respond quickly to your questions and help determine a resolution. 3.2 Update setup Updating the virus signature database and updating program components are an important part of providing complete protection against malicious code. Please pay attention to their configuration and operation. From the main menu, select Update and then click Update virus signature database in the primary window to check for a newer database update. Username and Password setup. displays a dialog box where the username and password received at the time of purchase should be entered. If the username and password were entered during installation of ESET NOD32 Antivirus you will not be prompted for them at this point. If you use a proxy server to control Internet connections on a system using ESET NOD32 Antivirus, it must be specified in Advanced Setup. To access the Proxy server configuration window, press F5 to open the Advanced Setup window and click Miscellaneous > Proxy server from the Advanced Setup tree. Select the Use proxy server option, and then fill in the Proxy server (IP address) and Port fields. If needed, select the Proxy server requires authentication option and then enter the Username and Password.
If this information is not available, you can attempt to automatically detect proxy server settings by clicking the Detect proxy server button. NOTE: Proxy server options for various update profiles may differ. If this is the case, configure the different update profiles in Advanced Setup by clicking Update from the Advanced Setup tree. 3.4 Settings protection ESET NOD32 Antivirus settings can be very important from the perspective of your organizations security policy. Unauthorized modifications can potentially endanger the stability and protection of your system. To password protect the setup parameters, from the main menu click Setup > Enter entire advanced setup tree. > User interface > Access setup, select the Password protect settings option and click the Set password. button. Enter a password in the New password and Confirm new password fields and click OK. This password will be required for any future modifications to ESET NOD32 Antivirus settings.

Realtime protection does not detect and clean infiltrations 4.1.1.3 When to modify realtime protection configuration Make sure that no other antivirus programs are installed on your computer. If two realtime protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs on your system. Realtime protection does not start If realtime protection is not initiated at system startup (and the Automatic realtime file system protection startup option is enabled), itmay be due to conflicts with other programs. If this is the case, please consult ESETs Customer Care specialists. 4.1.2 Host Intrusion Prevention System (HIPS)
Realtime protection is the most essential component of maintaining a secure system. Therefore, please use caution when modifying its parameters. We recommend that you only modify its parameters in specific cases. For example, if there is a conflict with a certain application or realtime scanner of another antivirus program. After installation of ESET NOD32 Antivirus, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottomright of the Real-time file system protection window (Advanced Setup window > Antivirus and antispyware > Real-time file system protection). 4.1.1.4 Checking realtime protection
To verify that realtime protection is working and detecting viruses, use a test file from eicar.com. This test file is a special harmless file detectable by all antivirus programs. The file was created by the EICAR company (European Institute for Computer Antivirus Research) to test the functionality of antivirus programs. The file eicar.com is available for download at http://www.eicar.org/download/eicar.com 4.1.1.5 What to do if realtime protection does not work
Host Intrusion Prevention System (HIPS) protects your system from malware or any unwanted activity attempting to negatively affect the security of your computer. It utilizes advanced behavioral analysis coupled with the detection capabilities of network filter to monitor running processes, files and registry keys, actively blocking and preventing any such attempts. 4.1.3 Email client protection
In the next chapter, we describe problem situations that may arise when using realtime protection, and how to troubleshoot them. Realtime protection is disabled If realtime protection was inadvertently disabled by a user, it needs to be reactivated. To reactivate realtime protection, navigate to Setup > Antivirus and antispyware and click Enable in the Real-time file system protection section of the main program window. If realtime protection is not initiated at system startup, it is probably due to the disabled option Automatic realtime file system protection startup. To enable this option, navigate to Advanced Setup (F5) and click Realtime file system protection in the Advanced Setup tree. In the Advanced setup section at the bottom of the window, make sure that the Automatic realtime file system protection startup checkbox is selected.

Email protection provides control of email communication received through the POP3 protocol. Using the plug-in program for Microsoft Outlook, ESET NOD32 Antivirus provides control of all communications from the email client (POP3, MAPI, IMAP, HTTP). When examining incoming messages, the program uses all advanced scanning methods provided by the ThreatSense scanning engine. This means that detection of malicious programs takes place even before being matched against the virus signature database. Scanning of POP3 protocol communications is independent of the email client used. 4.1.3.1 POP3 checking
The POP3 protocol is the most widespread protocol used to receive email communication in an email client application. ESET NOD32 Antivirus provides protection for this protocol regardless of the email client used. The protection module providing this control is automatically initiated at system startup and is then active in memory. For the module to work correctly, please make sure it is enabled POP3 checking is performed automatically with no need for reconfiguration of the email client. By default, all communication on port 110 is scanned, but other communication ports can be added if necessary. Port numbers must be delimited by a comma. Encrypted communication is not controlled.
available through Setup > Enter entire advanced setup tree > Miscellaneous >Email client integration. Email client integration allows you to activate integration with supported email clients. Email clients that are currently supported include Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird. Select the Disable checking upon inbox content change option if you are experiencing a system slowdown when working with your email client. Such a situation may take place when downloading email from Kerio Outlook Connector Store Email protection is activated by clicking Setup > Enter entire advanced setup tree > Antivirus and antispyware > Email client protection and selecting the Enable email client protection option.

4.1.3.1.1

Compatibility
Certain email programs may experience problems with POP3 filtering (e.g., if receiving messages with a slow Internet connection, timeouts may occur due to checking). If this is the case, try modifying the way control is performed. Decreasing the control level may improve the speed of the cleaning process. To adjust the control level of POP3 filtering, from the Advanced Setup tree, navigate to Antivirus and antispyware > Email protection > POP3, POP3s > Compatibility. If Maximum efficiency is enabled, infiltrations are removed from infected messages and information about the infiltration is inserted before the original email subject (the options Delete or Clean must be activated, or Strict or Default cleaning level must be enabled). Medium compatibility modifies the way messages are received. Messages are gradually sent to the email client after the last part of the message is transferred, it will be scanned for infiltrations. However, the risk of infection increases with this level of control. Thelevel of cleaning and the handling of tag messages (notification alerts which are appended to the subject line and body of emails) is identical to the maximum efficiency setting. With the Maximum compatibility level, you are warned by an alert window which reports the receipt of an infected message. No information about infected files is added to the subject line or to the email body of delivered messages and infiltrations are not automatically removed you must delete infiltrations from the email client. 4.1.3.2.1 Appending tag messages to email body

Accessing the Mirror via system shares First, a shared folder should be created on a local or a network device. When creating the folder for the Mirror, you must provide write access for the user who will save update files to the folder and read access for all users who will update ESET NOD32 Antivirus from the Mirror folder. Next, configure access to the Mirror in the Advanced update setup section (Mirror tab) by disabling the Provide update files via internal HTTP server option. This option is enabled by default in the program install package. If the shared folder is located on another computer in the network, you must specify authentication data to access the other computer. To specify authentication data, open ESET NOD32 Antivirus Advanced Setup (F5) and click the Update branch. Click the Setup. button and then click the LAN tab. This setting is the same as for updating, as described in section 4.2.1.2.3, Connecting to LAN. After the Mirror configuration is complete, proceed to theworkstations and set \\UNC\PATH as the update server. Thisoperation can be completed using the following steps: Open ESET NOD32 Antivirus Advanced Setup and click Update Click Edit. next to the Update server and add a new server using the \\UNC\PATH format. Select this newlyadded server from the list of update servers
Updates can be triggered manually by clicking Update virus signature database in the primary window displayed after clicking Update from the main menu. Updates can also be run as scheduled tasks. To configure a scheduled task, click Tools > Scheduler. By default, the following tasks are activated in ESET NOD32 Antivirus: Regular automatic update Automatic update after dialup connection Automatic update after user logon
Each of the aforementioned update tasks can be modified to meet your needs. In addition to the default update tasks, you can create new update tasks with a userdefined configuration. For more details about creating and configuring update tasks, see section 4.3, Scheduler. 4.3 Scheduler Scheduler is available if Advanced mode in ESET NOD32 Antivirus is activated. Scheduler can be found in the ESET NOD32 Antivirus main menu under Tools. Scheduler contains a list of all scheduled tasks and configuration properties such as the predefined date, time, and scanning profile used.
NOTE: For proper functioning, the path to the Mirror folder must be specified as aUNC path. Updates from mapped drives may not work.

To create a new task in Scheduler, click the Add. button or right-click and select Add. from the context menu. Five types of scheduled tasks are available: Run external application System startup file check Create a computer status snapshot Ondemand computer scan Update
4.5 Log files The Log files contain information about all important program events that have occurred and provide an overview of detected threats. Logging acts as an essential tool in system analysis, threat detection and troubleshooting. Logging is performed actively in the background with no user interaction. Information is recorded based on the current log verbosity settings. It is possible to view text messages and logs directly from the ESET NOD32 Antivirus environment, as well as to archive logs. Log files are accessible from the ESET NOD32 Antivirus main menu by clicking Tools > Log files. Select the desired log type using the Log: drop-down menu at the top of the window. The following logs are available: 1. Detected threats Use this option to view all information about events related to the detection of infiltrations. 2. Events This option is designed for system administrators and users to solve problems. All important actions performed by ESET NOD32 Antivirus are recorded in the Event logs. 3. Ondemand computer scan Results of all completed scans are displayed in this window. Doubleclick any entry to view details of the respective Ondemand scan.
Files stored in the quarantine folder can be viewed in a table which displays the date and time of quarantine, the path to the original location of the infected file, its size in bytes, reason (added by user), and number of threats (e.g., if it is an archive containing multiple infiltrations). 4.4.1 Quarantining files
ESET NOD32 Antivirus automatically quarantines deleted files (if you have not cancelled this option in the alert window). If desired, you can quarantine any suspicious file manually by clicking the Quarantine. button. If this is the case, the original file is not removed from its original location. The context menu can also be used for this purpose rightclick in the Quarantine window and select Add. 4.4.2 Restoring from Quarantine
Quarantined files can also be restored to their original location. Use the Restore feature for this purpose; this is available from the context menu by rightclicking on the given file in the Quarantine window. The context menu also offers the option Restore to, which allows you to restore a file to a location other than the one from which it was deleted. NOTE: If the program quarantined a harmless file by mistake, please exclude the file from scanning after restoring and send the file to ESET Customer Care. 4.4.3 Submitting file from Quarantine

The license key is a text file containing information about the purchased product: the owner, number of licenses, and the expiration date. The license manager window allows you to upload and view the content of a license key using the Add button the information contained is displayed in the manager. To delete license files from the list, click Remove. If a license key has expired and you are interested in purchasing arenewal, click the Order button you will be redirected to our online store.

5. Advanced user

This chapter describes features of ESET NOD32 Antivirus which may be useful for more advanced users. Setup options for these features are accessible only in Advanced mode. To switch to Advanced mode, click Change. in the bottom left corner of the main program window or press CTRL + M on your keyboard. 5.1 Proxy server setup
In ESET NOD32 Antivirus, proxy server setup is available in two different sections within the Advanced Setup tree. First, proxy server settings can be configured under Miscellaneous > Proxy server. Specifying the proxy server at this level defines global proxy server settings for all of ESET NOD32 Antivirus. Parameters here will be used by all modules requiring connection to the Internet. To specify proxy server settings for this level, select the Use proxy server checkbox and then enter the address of the proxy server into the Proxy server: field, along with the Port number of the proxy server.
5.2 Export / import settings Importing and exporting configurations of ESET NOD32 Antivirus is available in Advanced mode under Setup. Both import and export use the.xml file type. Import and export are useful if you need to backup the current configuration of ESET NOD32 Antivirus to be able to use it later. The export settings option is also convenient for users who wish to use their preferred configuration of ESET NOD32 Antivirus on multiple systems - they can easily import an.xml file to transfer the desired settings.
If communication with the proxy server requires authentication, select the Proxy server requires authentication checkbox and enter a valid Username and Password into the respective fields. Click the Detect proxy server button to automatically detect and insert proxy server settings. The parameters specified in Internet Explorer will be copied. NOTE: This feature does not retrieve authentication data (username and password), it must be supplied by you. Proxy server settings can also be established within Advanced update setup (Update branch of the Advanced Setup tree). This setting applies for the given update profile and is recommended for laptops, as they often receive virus signature updates from different locations. For more information about this setting, see Section 4.2, Updating the program. 5.2.1 Import settings

Any comparative log can be saved to a file and opened at a later time. Example: Generate and save a log, recording original information about the system, to a file named previous.xml. After changes to the system have been made, open SysInspector and let it generate a new log. Save it to a file named current.xml. In order to track changes between those two logs, click File > Compare Log. The program will create a comparative log showing differences between the logs. The same result can be achieved if you use the following command line option: SysIsnpector.exe current.xml previous.xml 5.4.1.4 SysInspector as a part of ESET NOD32 Antivirus 4
To generate a script, right-click any item from the menu tree (in the left pane) in the SysInspector main window. From the context menu, select either the Export All Sections To Service Script option or the Export Selected Sections To Service Script option. 5.4.1.5.2 Structure of the Service script
In the first line of the scripts header you can find information about the Engine version (ev), GUI version (gv) and the Log version (lv). You can use this data to track possible changes in the.xml file that generates the script and prevent any inconsistencies during execution. This part of the script should not be altered. The remainder of the file is divided into sections in which items can be edited (denote those that will be processed by the script). You mark items for processing by replacing the - character in front of an item with a + character. Sections in the script are separated from each other by an empty line. Each section has a number and title. 01) Running processes This section contains a list of all processes running in the system. Each process is identified by its UNC path and, subsequently, its CRC16 hash code in asterisks (*). Example: 01) Running processes: - \SystemRoot\System32\smss.exe *4725* - C:\Windows\system32\svchost.exe *FD08* + C:\Windows\system32\module32.exe *CF8A* [.] In this example a process, module32.exe, was selected (marked by a + character); the process will end upon execution of the script. 02) Loaded modules This section lists currently used system modules. Example: 02) Loaded modules: - c:\windows\system32\svchost.exe - c:\windows\system32\kernel32.dll

Google\Update\GoogleUpdate.exe /c * Category: Internet Explorer (7 items) HKLM\Software\Microsoft\Internet Explorer\Main + Default_Page_URL = http://thatcrack.com/ [.] The marked entries will be deleted, reduced to 0-byte values or reset to their default values upon script execution. The action to be applied to a particular entry depends on the entry category and key value in the specific registry. 07) Services This section lists services registered within the system. Example: 07) Services: - Name: Andrea ADI Filters Service, exe path: c:\ windows\system32\aeadisrv.exe, state: Running, startup: Automatic - Name: Application Experience Service, exe path: c:\windows\system32\aelupsvc.dll, state: Running, startup: Automatic - Name: Application Layer Gateway Service, exe path: c:\windows\system32\alg.exe, state: Stopped, startup: Manual [.] The services marked and their dependant services will be stopped and uninstalled when the script is executed. 08) Drivers This section lists installed drivers. Example: 08) Drivers: - Name: Microsoft ACPI Driver, exe path: c:\windows\ system32\drivers\acpi.sys, state: Running, startup: Boot - Name: ADI UAA Function Driver for High Definition Audio Service, exe path: c:\windows\system32\drivers\ adihdaud.sys, state: Running, startup: Manual [.] When you execute the script, the drivers selected will be unregistered from the system and removed. 09) Critical files This section contains information about files critical to proper function of the operating system. Example: 09) Critical files: * File: win.ini - [fonts] - [extensions] - [files] - MAPI=1 [] * File: system.ini - [386Enh] - woafont=dosapp.fon - EGA80WOA.FON=EGA80WOA.FON [] * File: hosts - 127.0.0.1 localhost - ::1 localhost
[] The selected items will either be deleted or reset to their original values. 5.4.1.5.3 How to execute Service scripts

5.5.2.1

Folders
Temporary folder Working directory for files required during ESET SysRescue compilation. ISO folder Folder where the resulting.iso file is saved after the compilation is completed. The list on this tab shows all local and mapped network drives together with the available free space. If any of the folders here are located on a drive with insufficient free space, we recommend that you select another drive with more free space available. Otherwise compilation may exit prematurely due to insufficient free disk space. External applications Allows you to specify additional programs that will be run or installed after booting from a SysRescue medium. Include external applications Allows you to add external programs to the SysRescue compilation Selected folder Folder in which programs to be added to the SysRescue disk are located 5.5.2.2 ESET Antivirus

Mark all desired items, then save and close the script. Run the edited script directly from the SysInspector main window by selecting the Run Service Script option from the File menu. When you open a script, the program will prompt you with the following message: Are you sure you want to run the service script %Scriptname%? After you confirm your selection, another warning may appear, informing you that the service script you are trying to run has not been signed. Click Run to start the script. A dialog window will confirm successful execution of the script. If the script could only be partially processed, a dialog window with the following message will appear: The service script was run partially. Do you want to view the error report? Select Yes to view a complex error report listing the operations that were not executed. Your script was not recognized as valid and will not be run if you see the following message: Are there any issues with the script consistency (damaged heading, corrupt section title, empty line missing between sections etc.)? You can either reopen the script file and correct the errors within the script or create a new service script. 5.5 ESET SysRescue ESET SysRescue (ESR) is a utility which enables you to create a bootable disk containing ESET NOD32 Antivirus 4 (EAV). The main advantage of ESET Recovery CD is that EAV runs independent of the host operating system, while it has direct access to the disk and the entire file system. This makes it possible to remove those infiltrations that normally could not be deleted, e.g., when the operating system is running, etc. 5.5.1 Minimum requirements
To create an ESET SysRescue CD, you can select two sources of ESET files to be used by the compiler. EAV folder Files already contained in the folder to which the ESET product is installed on your computer MSI file Files contained in the.msi installer are used Profile You can use one of the following two sources of username and password: Installed EAV Username and password are copied from the currently installed ESET security product From user Username and password entered in the corresponding text boxes below are used NOTE: The ESET security product on the ESET SysRescue CD is updated either from the Internet or from the computer running the ESET SysRescue CD. 5.5.2.3 Advanced
ESET SysRescue (ESR) works in the Microsoft Windows Preinstallation Environment (Windows PE) version 2.x, which is based on Windows Vista. Windows PE is a part of the free package Windows Automated Installation Kit (Windows AIK), and therefore Windows AIK must be installed before creating ESR. Due to the support of the 32-bit version of Windows PE, ESR can be created in the 32-bit version of EAV only. ESR supports Windows AIK 1.1 and later. ESR is available in EAV 4.0 and later. 5.5.2 How to create a rescue CD

If you have selected CD/DVD as your target medium, you can specify additional burning parameters on the Burn tab. Delete ISO file Select this option to delete.iso files after the ESET Rescue CD is created. Deletion enabled Allows you to select fast erasing and complete erasing. Burning device Select the drive to be used for burning. Warning: This is the default option. If a rewritable CD/DVD is used, all data on the CD/DVD will be erased. The Medium section contains information about the current medium inserted in your CD/DVD device. Burning speed Select the desired speed from the drop-down menu. The capabilities of your burning device and the type of CD/DVD used should be considered when selecting the burning speed. 5.5.3 Working with ESET SysRescue
For the rescue CD/DVD/USB to work effectively, you must start your computer from the ESET SysRescue boot media. Boot priority can be modified in the BIOS. Alternatively, you can invoke the boot menu during computer startup - usually using one of the F9 - F12 keys depending on the version of your motherboard/BIOS. After booting up, EAV will start. Since ESET SysRescue is used only in specific situations, some protection modules and program features present in the standard version of EAV are not needed; their list is narrowed down to Computer scan, Update, and some sections in Setup. The ability to update the virus signature database is the most important feature of ESET SysRescue, we recommend that you update the program prior starting a Computer scan. 5.5.3.1 Using ESET SysRescue
Suppose that computers in the network have been infected by a virus which modifies executable (.exe) files. EAV is capable of cleaning all infected files except for explorer.exe, which cannot be cleaned, even in Safe mode. This is because explorer.exe, as one of the essential Windows processes, is launched in Safe mode as well. EAV would not be able to perform any action with the file and it would remain infected. In this type of scenario, you could use ESET SysRescue to solve the problem. ESET SysRescue does not require any component of the host operating system and is therefore capable of processing (cleaning, deleting) any file on the disk.

6. Glossary

6.1 Types of infiltrations An Infiltration is a piece of malicious software trying to enter and/or damage a users computer. 6.1.1 Viruses infiltration not falling under any specific class of infiltration. Since this is a very broad category, it is often divided into many subcategories: Downloader A malicious program with the ability to download other infiltrations from the Internet. Dropper A type of trojan horse designed to drop other types ofmalware onto compromised computers. Backdoor An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it. Keylogger (keystroke logger) A program which records each keystroke that a user types and sends the information to remote attackers. Dialer Dialers are programs designed to connect to premiumrate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dialup modems, which are no longer regularly used. Trojan horses usually take the form of executable files with the extension.exe. If a file on your computer is detected as a trojan horse, it is advisable to delete it, since it most likely contains malicious code. Examples of wellknown trojans are: NetBus, Trojandownloader. Small.ZL, Slapper 6.1.4 Rootkits

we protect digital worlds
ESET NOD32 Antivirus for MS Exchange Server

Installation

Copyright ESET, spol. s r. o. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means electronic or mechanical, for any purpose without the express written permission of ESET,spol.sr.o. Information in this document is subject to change without prior notice. Certain names of program products and company names used in this document might be registered trademarks or trademarks owned by other entities. ESET, NOD32 and AMON are trademarks of ESET, spol. s r. o. Microsoft and Windows are registered trademarks of Microsoft Corporation.
ESET, spol. s r. o. Svoradova 1, Bratislava, Slovak Republic http://www.eset.sk/en Technical Support Worldwide: http://www.eset.com/support Technical Support for Europe: http://www.eset.eu/support REV.20071114-002

1. Introduction

ESET NOD32 Antivirus for MS Exchange Server is ESET NOD32 Antivirus version designed for scanning e-mail traffic routed by the MS Exchange Servers. The major differences between the ESET NOD32 Antivirus 2.7 and the ESET NOD32 Antivirus for MS Exchange Server include a module XMON and the absence of IMON and EMON modules. This document describes the XMON module. Before reading this document, please read the ESET NOD32 Antivirus 2.7 user guide first. As of version 2.71, the XMON module provides antivirus protection for MS Exchange Server in two flavors a 32-bit for MS Exchange Server 5.5 SP3 and higher, 2000 SP 1 and higher and 2003 (xmon.dll), and a 64-bit for MS Exchange Server 2007 (xmon64.dll). The XMON module checks the MS Exchange Server email communication via its antivirus interface VSAPI or external Control Center scanning core.
kbox. To activate the XMON service, you need the license file provided by the provider or distributor upon purchase of the program. The license file is entered in the next step. If your License file is valid, click Add and list the license file.
This screen is present in all installation scenarios.
Additional Activation of XMON:
If you have not activated the antivirus protection for MS Exchange server, you can do it additionally by adding the license file in the License manager. For License manager click on ESET NOD32 Antivirus system tools in the ESET NOD32 Antivirus Control Center and choose ESET NOD32 Antivirus system setup/ setup. After adding the license file, XMON will be activated.

2. Installation

If you are running any previous version of the ESET NOD32 Antivirus for Exchange Server, the new one can be installed over (if it is version 2.0 or higher). The installation wizard will help you to install the NOD32 for MS Exchange Server. It displays the following dialog:
If you want to install XMON, check the Activate antivirus protection for MS Exchange Server (XMON) chec-

3. XMON

The Main Window To open the XMON main window, click on the XMON icon in the Control Center window. If the XMON is displayed in grey color, the MS Exchange Server is not present on the local computer or the MS Exchange server version is not supported by XMON. XMON is displayed in grey color also if the XMON module is not activated (it is not set, or the license file has expired). In these cases XMON cannot scan e-mails. If the XMON is displayed in red color; the XMON module is not active. To activate the XMON, check the Activate Control checkbox in the main window. The main XMON window shows the number of scanned, infected and cleaned files (a file is each e-mail message and its attachments). The main window also displays MS Exchange version running on the local server and the virus signature database version (with the date of the last update in the parentheses).

Before XMON deactivation you will be requested to confirm its shutdown. If you really want to turn off XMON, press Yes.
Note: MS Exchange Server communicates with the antivirus scan using the system database registry, which is being checked in approximately one minute intervals. Turning XMON on and off, as well as any change in the settings will take about a minute to take effect.
SETTINGS The left part of the XMON Settings window shows eight possible setting areas of XMON. The setting parameters in each setting area are shown in the right part of the window. The MS Exchange server checks the settings of the XMON module each minute, so the new XMON settings come into effect after a few seconds. Scanner
Active control check box for XMON activation. To activate the XMON, mark the check box. To disable it, uncheck it. Before XMON deactivation you will be requested to confirm its shutdown. Settings enables you to alter the default XMON settings Run NOD32 activates the NOD32 ondemand scanner
The Scanner page shows the following properties: Background scanning if checked, all the messages are scanned in the background. XMON keeps track of what messages it scanned and the version of virus database it used. If you are opening a message not scanned by the most current virus database, XMON scans it before opening it in your e-mail client. The background testing means that XMON keeps scanning all the messages from
the Exchange server, so when you are about to open the message, it has already been scanned. Background scanning can influence system load (scanning is done by each virus signature database update). When scanning the store database in the day mode, the system might be slowed down. In this case we recommend using scheduled scanning outside working hours. By scheduled scanning, the option has to be disabled. Proactive scanning new inbound messages are scanned in the order they are received. If this checkbox is marked and a user opens a message that has not been scanned yet, this message is scanned before the other messages waiting in the scanning queue. Scan plain text message bodies enables scanning plain text messages Scan RTF message bodies enables scanning RTF message bodies. The RTF message bodies may contain macroviruses Scan transported messages When checked, XMON scans also messages that are not stored on the local MS Exchange server and are delivered to other e-mail servers through the local Exchange server. The MS Exchange Server can be set as a gateway and used just to deliver messages to the other e-mail servers. If Scan of the transported messages is turned on, XMON scans also these messages. Repeat scanning button By clicking the Repeat scanning button all the messages stored on the local MS Exchange server are scanned again. Upon each virus database update the XMON scans all the messages stored on the Exchange server again as well. It is useful for example after changing the rules. Default button By clicking the Default button, all the properties on Scanner page are set to default (factory settings).

window will allow you to confirm or reject your selection. By clicking Yes, you will activate the default settings. Detection The Detection page contains the settings of detection methods.
When clicking the Default button, a confirmation
The ThreatSense Scanning Engine options section allows you to set the methods for detection of infiltrations used in XMON module. For highest security level check all of them. Signatures when checked, XMON uses the signature based infiltration detection Heuristics when checked, XMON uses heuristic method based infiltration detection (analysis of file content) Advanced Heuristics when checked, XMON uses Advanced Heuristics based infiltration detection. Advanced Heuristics is a new unique set of ESET NOD32 Antivirus system, among others capable of effective detecting internet worms. Adware/Spyware/Riskware when checked, XMON detects also this kind of bothering malware Potentially unsafe applications - this classification is used for commercial legitimate software. It includes programs such as remote access tools, password-cracking applications, and keyloggers (programs recording all keystrokes). Potentially unwanted applications - Potentially unwanted applications are not necessarily intended
to be malicious, but they may affect the performance of your computer. Such applications usually require consent for installation. If they are present on your computer, your system behaves differently (when compared to the state before their installation). In the Target section check the types of attachments to be scanned (Archives, Self-extracting archives, Runtime archives). When scanning archives the scanning procedure is more time consuming, because the archive must be opened for scanning. Extensions The Extensions page enables you to set which file types should be included in virus scanning.
Remove removes the selected file extension from the list Default restores the default extension list setting Scan extensionless files - adds scanning files without extensions Add a new extension (you can also use wildcards ? and *) and click OK. Actions The Actions page lets you select what actions should be taken upon virus detection. When scan archives option in Detection in the Targets section is activated, this pane contains separate settings for archives and files. The type can be chosen in the pull-down menu.

Scan all files marking this check box, XMON will scan all files types found in message attachments. The file types list will show file types excluded from scanning instead of files included in scanning. Add enables you to add a new file extension to the file extension list. It displays Add new extension window. To add a new extension use alphanumerical characters and wildcards such as ? (represents random character) and * (represents random order of characters).
The When virus is found settings let you select what action should be taken upon virus detection. Clean XMON attempts to clean the virus from the infected file. When the attempt fails, the action selected in the When virus cannot be cleaned settings is executed. No action, mark as infected when selected the Exchange server is notified about the infection and the user cannot open the infected message attachment. Rename attachment/ delete message XMON changes the attachment extension, so that it cannot be opened or run. If the message body contains a virus, the message will be deleted. Delete XMON deletes the infected message or the attachment if only the attachment is infected. The
deletion process can be adjusted in the Deleting setting page. Quarantine when checked, the infected messages will be stored in Quarantine, where it is harmless. Messages stored in Quarantine can be analyzed and cleaned later using a newer virus signature database. When virus cannot be cleaned setting is executed, if Clean option in previous menu is set. Some of the infections cannot be cleaned, because the XMON does not have a cleaning procedure for them, or because they do not contain any useful content except virus (currently the most common case). The When virus cannot be cleaned settings lets you select what action should be taken when attempt to clean an infected message fails. (No action, Mark as infected, Rename attachment/ Delete message, Delete, Quarantine) Rules The Rules settings let you select detailed rules for handling file types. If there is more than one rule for a single file type, the first rule in the list is applied. Rules are prior to extensions set in Extensions settings, meaning that the each file is at first compared to existing rules. It will be scanned only if no rule is applied (or if the respective rule says that it has to be scanned). The number of rules applied is displayed in the Number column.

Modify modifies the selected rule Remove removes the selected rule Move up moves up the selected rule and increases its priority Move down moves down the selected rule and decreases its priority Adding a new rule will open a wizard, which guides you through the process.
Mailbox the rule applies to the name of a mailbox Sender of message the rule applies to a message sent by the selected sender. Subject of message the rule applies to a message with the selected subject line File name mask File name mask enables you to select a certain file selection File size File size enables you to select files from certain size In the strings in the Sender of message and Subject of message it is enough to fill in only a part of a text (if the Match whole words only option is not checked); capital letters are not differentiated (if the option Differentiate capital letters is not checked). When using other than alphanumerical characters, use parentheses and quotes. You can also create conditions using logical operators AND, OR, NOT.
Add enables you to add a new rule
File name mask enables you to select a certain file selection using a mask created from alphanumerical characters and wildcards ? and *, e.g. *.VBS. The rule is applied to files matching this mask. To use more than one mask, separate them by a semicolon.
Rename attachment/ delete message XMON alters the file extension so that it cannot be opened or run
File size limit enables you to select certain size of attachments. The rule will be applied to all attachments with the size exceeding the defined value.
Delete XMON deletes the selected message Mark as infected XMON marks the selected message as infected Quarantine The selected message will be stored in Quarantine Finally, add the rule name and description to be saved in the Exchange server log when the rule is applied.
Rule applies to a name of a mailbox and all other procedures connected with its usage are the same as with the other rules.
Deleting The Deleting page lets you select what action should be made when a message or attached file is selected for deletion.
The Action section lets you select what actions should be taken with files matching the above mentioned search criteria. Scan for viruses as XMON will scan for viruses in selected file No action XMON declares the message to be clean
When deleting message settings lets you select what actions should be taken when the whole message is marked for deletion. Delete message body XMON deletes the body of the infected message. The recipient will receive the empty message and also noninfected attachments Overwrite message body with virus protocol XMON overwrites the message body with a virus protocol or a rule description. Delete whole message XMON deletes the whole message including all attachments When deleting attachments settings lets you select what action should be taken when a message is marked for deletion. Truncate file to zero size XMON truncates the attachment to zero size and lets the recipient see the attachment file name and type. Replace file with virus protocol XMON replaces the infected file with a virus protocol or rule description Delete whole message XMON deletes the whole message along with all its attachments

Note: If you can not open the Deleting selection (it is displayed in grey), it is not supported by your MS Exchange Server version.
Performance The Performance page lets you select performance parameters for XMON.
Use NOD32 Control Center scanner - Unlike all the previous versions that would explicitly use the internal scanning core for antivirus scanning, version 2.71 brings an option to utilize external Control Center scanning core as well. With 32-bit versions of MS Exchange Server this feature is optional and it is possible to select it in the Performance section of the XMON setup. With the 64-bit version of MS Exchange Server it is only possible to utilize the external Control Center scanning core. Therefore this option is automatically selected and grayed out. Number of threads this parameter lets you select how many threads should be used for virus scanning. More threads on multiprocessor machines can increase the scanning rate. MS Exchange server provider recommends using the following formula to determine the number of threads used: Number of physical processors times 2 plus 1 = number of threads used. Time limit (for Exchange 5.5) sets the time interval for running the virus scanner Time limit (for Exchange 2000 and higher) a time limit for scanning an individual file Folder to store temporary files - For the best performance, we recommend that you configure XMON to store temporary files on a physical drive other than the one with the Exchange store. If no folder is specified, XMON will create temporary files in the system temporary folder. Background scan scope option MS Exchange Server 2007 provides a way to actively affect antivirus scanning in the background. Therefore the 64-bit XMON module version offers an option to configure the progress and scope of background scanning. However, this option is not available in 32-bit versions of MS Exchange Server and the XMON module; therefore the appropriate controls are inactive and grayed out Selecting Scan only messages with attachment will limit the background scanning scope only to messages with an attachment. This will also decrease the overall server load while scanning in the background. Please note that not all infected messages necessarily come with an attachment. However, this will, not decrease protection of the messages in the MS Exchange
Server store, as messages are also checked when accessed by the user. Another way to reduce the overall system load is provided by the Scan level option. When enabled, only messages from the specified time interval determined by the date of message receipt will be scanned on the background. It is possible to choose between scanning of all messages regardless the date of receipt, messages received within the last year, 6 months, 3 months, one month or week. Choosing the appropriate background scan level will enable administrators of MS Exchange Server 2007 to tune up the system performance to their needs. Also in this case messages not falling into the specified time interval are not left without antivirus protection, yet they are checked when accessed by the user. Given the high detection efficiency provided by the ESET NOD32 Antivirus for MS Exchange Server scanning core, we recommend the following: After the initial installation of ESET NOD32 Antivirus for MS Exchange Server, let the scanning run in the background with no restrictions. After certain time (1 - 2 days) tune up background scanning according to the estimated frequency of users accessing older messages and the volume of messages received within the specified time interval. Protocol The Protocol settings page lets you select how the virus scanning protocol/log should be assembled. More detailed protocol can contains more information, but it can slow down the server.

Log all files when checked, all scanned files are listed in the scanning log, including noninfected files Synchronous logging when checked, all the log entries are immediately written into the log file without storing them in the log cache Scope This setting lets you select what the scope of logging activities. The more detailed the scope, the more activities are written into the log file Log server version when checked, XMON writes the server version into the log file Log license when checked, XMON writes the XMON license into the log file Log rules when checked, XMON writes the list of currently enabled rules into the log file (only in detailed one)

4.Recommended settings:

Excluding Exchange files from resident protection scanning XMON scans e-mail messages stored in the MS Exchange Server storage. This storage is saved on the server file system as a single file and using non-standard settings in AMON (on-access scanner) while running on the same server, might lead to a collision between XMON and AMON. To avoid the collision make sure that the AMON module is not set to scan.EDB,.TMP and.EML file types. By default, the mentioned extensions are excluded from scanning. It is also recommended to exclude from scanning directories containing following files and directories: %ProgramFiles%\Exchsrvr\MDBData\ %ProgramFiles%\Exchsrvr\Mtadata\ %ProgramFiles%\Exchsrvr\Server_Name.log %ProgramFiles%\Exchsrvr\Mailroot %ProgramFiles%\Exchsrvr\Srsdata %SystemRoot%\System32\Inetsrv %ProgramFiles%\Exchsrvr\IMCData
To exclude these file and directories in AMON module, follow these steps: Click on the Setup button in AMON module Click on the Exclusions tab and then on the Add button In displayed window click on the Folder or File button (depends on what you want to exclude) and browse for required items. Setting the background scanning in the scheduled time Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When scheduling a Background scanning task you can set the launch time, the number of repetitions as well as other parameters available in the Scheduler/Planner.
you can modify its parameters, delete or temporary deactivate the task. If the task is run at the specified time, XMON will allow MS Exchange Server to run background scanning. After the specified timeout has elapsed, XMON will stop MS Exchange Server from scanning in the background. In this interval, it is up to MS Exchange Server to decide whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Performance monitoring With transition to 64-bit systems, the XMON module has started to support an external Control Center scanning core. This extension applies also to 32-bit version, where the option to utilize the internal scanning core remains. Both approaches to way of utilizing the scanning core have their pros and cons, depending on the systems where they are installed. One of the factors that administrators will consider when choosing between these approaches is the speed of antivirus scanning. Therefore, as of version 2.71 the XMON module can calculate the current performance and report it in the module event log. To log this information, the logging scope must be set to Detailed.

The Background scan task requires one mandatory parameter that specifies the timeout for background scanning. The interval is in hours, within the range from 1 to 32.
After the task has been scheduled, it will appear in the list of scheduled tasks and as with the other tasks,
XMON will log performance information such as number of scanned objects (messages and attachments), scan time in seconds, scanning speed in kB per seconds, etc. in 5-minute intervals.
Likewise logging results, the monitoring results are also written in a 5-minute interval. They are not accumulated and each benchmark is performed from scratch once the results have been logged. Rename infected files It is not recommended to set the default settings for infected files to rename while using the option to scan all files (default settings). All infected files with.EXE or.DOC extension would after renaming have the extensions.VEXE or VDOC, so the Server in MS Windows would not be executed after clicking, but the antivirus system at each scan would recognize the files by their content and rename them further (.VVEXE or.VVDOC, etc.). All messages are scanned in the MS Exchange Server storage upon each virus signature database update, the consequent renaming would slow down your computer. It is recommended to exclude from testing at least files with. VV* extensions (not.V extensions this would include also Visual Basic Script.)