Zone authentication

The longtime development experience of our experts is demonstrated by the entirely new architecture of ESET Smart Security, which guarantees maximum detection with minimum system requirements. This robust security solution contains modules with several advanced options. The following list offers you a brief overview of these modules. Antivirus & antispyware
Low Layer Network Communication Scanning
This module is built upon the ThreatSense scanning engine, which was used for the first time in the awardwinning NOD32 Antivirus system. ThreatSense is optimized and improved with the new ESET Smart Security architecture. Feature Improved Cleaning Description The antivirus system now intelligently cleans and deletes most detected infiltrations without requiring user intervention. Computer scanning can be launched in the background without slowing down performance. Core optimization processes keep the size of update files smaller than in version 2.7. Also, the protection of update files against damage has been improved. It is now possible to scan incoming email not only in Microsoft Outlook but also in Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird. Direct access to file systems for high speed and throughput. Blocked access to infected files Optimization for the Windows Security Center, including Vista.

IPv6 Support

Executable File Monitoring
File Scanning Integrated with HTTP(s) and POP3(s)

Background Scanning Mode

Intrusion Detection System

Smaller Update Files

Popular Email Client Protection

Other Minor Improvements

Interactive, Policybased, Learning, Automatic and Automatic mode with exceptions
Users can select whether the Personal firewall actions will be executed automatically or if they want to set rules interactively. Communication in Policybased mode is handled according to rules predefined by the user or the network administrator. Learning mode automatically creates and saves rules and is suitable for initial configuration of the firewall. Supersedes the Integrated Windows Firewall and interacts with the Windows Security Center to monitor security status. ESET Smart Security installation turns off the Windows firewall by default.

Document protection

The Document protection serves to scan Microsoft Office documents before they are opened and files downloaded automatically by Internet Explorer, such as Microsoft ActiveX elements. The new Self Defense technology protects ESET Smart Security components against deactivation attempts. The user interface is now capable of working in the non-graphical mode, which allows for keyboard control of ESET Smart Security. The increased compatibility with screenreading application lets sight-impaired people control the program more efficiently.

Realtime file system protection controls all antivirusrelated events in the system. All files are scanned for malicious code at the moment they are opened, created or run on your computer. Realtime file system protection is launched at system startup. 4.1.1.1 Control setup
More detailed setup options can be found under Antivirus and antispyware > Real-time system protection > Advanced setup. Additional ThreatSense parameters for newly created and modified files The probability of infection in newlycreated or modified files is comparatively higher than in existing files. That is why the program checks these files with additional scanning parameters. Along with common signaturebased scanning methods, advanced heuristics are used, which greatly improves detection rates. In addition to newlycreated files, scanning is also performed on selfextracting files (.sfx) and runtime packers (internally compressed executable files). By default, archives are scanned up to the 10th nesting level and are checked regardless of their actual size. To modify archive scan settings, deselect the Default archive scan settings option. Additonal ThreatSense parameters for executed files By default, advanced heuristics are not used when files are executed. However, in some cases you may want to enable this option (by checking the Advanced heuristics on file execution option). Note that advanced heuristics may slow the execution of some programs due to increased system requirements. 4.1.1.2 Cleaning levels
The Realtime file system protection checks all types of media, and control is triggered by various events. Using ThreatSense technology detection methods (as described in section 4.1.6, ThreatSense engine parameter setup), real-time file system protection may vary for newly created files and existing files. For newly created files, it is possible to apply a deeper level of control. To provide the minimum system footprint when using realtime protection, files which have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each virus signature database update. This behavior is configured using Smart optimization. If this is disabled, all files are scanned each time they are accessed. To modify this option, open the Advanced Setup window and click Antivirus and antispyware > Realtime file system protection from the Advanced Setup tree. Then click the Setup. button next to ThreatSense engine parameter setup, click Other and select or deselect the Enable Smart optimization option. By default, Realtime protection launches at system startup and provides uninterrupted scanning. In special cases (e.g., if there is a conflict with another Realtime scanner), the realtime protection can be terminated by deselecting the Start Realtime file system protection automatically option.

The realtime protection has three cleaning levels (to access, click the Setup. button in the Real-time file system protection section and then click the Cleaning branch). The first level displays an alert window with available options for each infiltration found. You must choose an action for each infiltration individually. This level is designed for more advanced users who know which steps to take in the event of an infiltration. The default level automatically chooses and performs a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by an information message located in the bottom right corner of the screen. However, an automatic action is not performed if the infiltration is located within an archive which also contains clean files, and it is not performed on objects for which there is no predefined action. The third level is the most aggressive all infected objects are cleaned. As this level could potentially result in the loss of valid files, we recommend that it be used only in specific situations.

4.1.1.1.1

Media to scan
By default, all types of media are scanned for potential threats. Local drives Controls all system hard drives Removable media Diskettes, USB storage devices, etc. Network drives Scans all mapped drives We recommend that you keep the default settings and only modify them in specific cases, such as when scanning certain media significantly slows data transfers. 4.1.1.1.2 Scan on (Eventtriggered scanning)
If Realtime protection does not detect and clean infiltrations 4.1.1.3 When to modify realtime protection configuration Make sure that no other antivirus programs are installed on your computer. If two realtime protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs on your system. Realtime protection does not start If realtime protection is not initiated at system startup (and the Automatic realtime file system protection startup option is enabled), it may be due to conflicts with other programs. If this is the case, please consult ESETs Customer Care specialists. 4.1.2 Email client protection
Realtime protection is the most essential component of maintaining a secure system. Therefore, please be careful when modifying its parameters. We recommend that you only modify its parameters in specific cases. For example, if there is a conflict with a certain application or realtime scanner of another antivirus program. After installation of ESET Smart Security, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottom-right of the Real-time file system protection window (Advanced Setup > Antivirus and antispyware > Real-time file system protection). 4.1.1.4 Checking realtime protection

When the Personal firewall switches to another profile, a notification will appear in the lower right corner near the system clock. 4.2.3 Block all network traffic: disconnect network In the Zone and rule setup window, an overview of either rules or zones is displayed (based on the currently selected tab). The window is divided into two sections. The upper section lists all rules in a shortened view. The lower section displays details about the rule currently selected in the upper section. At the very bottom are the buttons New, Edit, and Delete (Del), which allow you to configure rules. Connections can be divided into incoming and outgoing connections. Incoming connections are initiated by a remote computer attempting to establish connection with the local system. Outgoing connections work in the opposite way the local side contacts a remote computer. If a new unknown communication is detected, you must carefully consider whether to allow or deny it. Unsolicited, unsecured or unknown connections pose a security risk to the system. If such a connection is established, we recommend that you pay particular attention to the remote side and the application attempting to connect to your computer. Many infiltrations try to obtain and send private data, or download other malicious applications to host workstations. The Personal firewall allows you to detect and terminate such connections. 4.2.5.1 Creating a new rule
The only option for blocking all network traffic is to click Block all network traffic: disconnect network. All inbound and outbound communication is blocked by the Personal firewall with no warning displayed. Use this option only if you suspect critical security risks requiring disconnection of the system from the network.
Disable filtering: allow all traffic
When installing a new application which accesses the network or when modifying an existing connection (remote side, port number, etc.), a new rule must be created.
The Disable filtering option is the opposite of blocking all network traffic. If selected, all Personal firewall filtering options are turned off and all incoming and outgoing connections are permitted. It has the same effect as no firewall being present. 4.2.5 Configuring and using rules
Rules represent a set of conditions used to meaningfully test all network connections and all actions assigned to these conditions. With the Personal firewall, you can define what action to take if a connection defined by a rule is established. To access the rule filtering setup, navigate to Advanced Setup (F5) > Personal firewall > Rules and zones. To display the current configuration, click Setup. in the Zone and rule editor section (if the Personal firewall is set to Automatic mode, these settings are not available). To add a new rule, verify that the Rules tab is selected. Then, click the New button in the Zone and rule setup window. Clicking on this button opens a new dialog window to specify a new rule. The upper part of the window contains three tabs: General: Specify a rule name, the direction of the connection, the action, the protocol and the profile in which the rule will apply.

To view the Advanced update setup, click the Setup. button. Advanced update setup options include configuration of Update mode, HTTP Proxy, LAN and Mirror.
Selecting the Use global proxy server settings option will use the proxy server configuration options already specified within the Miscellaneous > Proxy server branch of the Advanced Setup tree.
Select the Do not use proxy server option to specify that no proxy server will be used to update ESET Smart Security. The Connection through a proxy server option should be selected if a proxy server should be used to update ESET Smart Security and is different from the proxy server specified in the global settings (Miscellaneous > Proxy server). If so, the settings should be specified here: Proxy server address, communication Port, plus Username and Password for the proxy server, if required. This option should also be selected if the proxy server settings were not set globally, but ESET Smart Security will connect to a proxy server for updates. The default setting for the proxy server is Use global proxy server settings. 4.4.1.2.3 Connecting to the LAN
Select the System account (default) option to use the system account for authentication. Normally, no authentication process takes place if there is no authentication data supplied in the main update setup section. To ensure that the program authenticates using a currently loggedin user account, select Current user. The drawback of this solution is that the program is not able to connect to the update server if no user is currently logged in. Select Specified user if you want the program to use a specific user account for authentication. Warning: When either Current user or Specified user is selected, an error may occur when changing the identity of the program to the desired user. We recommend inserting the LAN authentication data in the main update setup section. In this update setup section, the authentication data should be entered as follows: domain_name\user (if it is a workgroup, enter workgroup_name\name) and password. When updating from the HTTP version of the local server, no authentication is required. 4.4.1.2.4 Creating update copies Mirror
When updating from a local server with an NTbased operating system, authentication for each network connection is required by default. In most cases, a local system account does not have sufficient rights to access the Mirror folder (the Mirror folder contains copies of update files). If this is the case, enter the username and password in the update setup section, or specify an existing account under which the program will access the update server (Mirror). To configure such an account, click the LAN tab. The Connect to LAN as section offers the System account (default), Current user, and Specified user options.

After configuration of the Mirror is complete, go to the workstations and add a new update server in the format http://IP_address_of_ your_server:2221. To do this, follow the steps below: Open ESET Smart Security Advanced Setup and click the Update branch. Click Edit to the right of the Update server drop-down menu and add a new server using the following format: http://IP_ address_of_your_server:2221. Select this newlyadded server from the list of update servers.
Accessing the Mirror via system shares First, a shared folder should be created on a local or a network device. When creating the folder for the Mirror, you must provide write access for the user who will save update files to the folder and read access for all users who will update ESET Smart Security from the Mirror folder. Next, configure access to the Mirror in the Advanced update setup section (Mirror tab) by disabling the Provide update files via internal HTTP server option. This option is enabled by default in the program install package. If the shared folder is located on another computer in the network, you must specify authentication data to access the other computer. To specify authentication data, open ESET Smart Security Advanced Setup (F5) and click the Update branch. Click the Setup. button and then click the LAN tab. This setting is the same as for updating, as described in section 4.4.1.2.3, Connecting to LAN. After the Mirror configuration is complete, proceed to the workstations and set \\UNC\PATH as the update server. This operation can be completed using the following steps: Open ESET Smart Security Advanced Setup and click Update Click Edit. next to the Update server and add a new server using the \\UNC\PATH format. Select this newlyadded server from the list of update servers
NOTE: For proper functioning, the path to the Mirror folder must be specified as a UNC path. Updates from mapped drives may not work.
4.4.1.2.4.2 Troubleshooting Mirror update problems In most cases, problems during an update from a Mirror server are caused by one or more of the following: incorrect specification of the Mirror folder options, incorrect authentication data to the Mirror folder, incorrect configuration on local workstations attempting to download update files from the Mirror, or by a combination of the reasons above. Below is an overview of the most frequent problems which may occur during an update from the Mirror: ESET Smart Security reports an error connecting to Mirror server Likely caused by incorrect specification of the update server (network path to the Mirror folder) from which local workstations download updates. To verify the folder, click the Windows Start menu, click Run, insert the folder name and click OK. The contents of the folder should be displayed. ESET Smart Security requires a username and password Likely caused by incorrect authentication data (username and password) in the update section. The username and password are used to grant access to the update server, from which the program will update itself. Make sure that the authentication data is correct and entered in the correct format. For example, Domain/Username, or Workgroup/ Username, plus the corresponding Passwords. If the Mirror server is accessible to Everyone, please be aware that this does not mean that any user is granted access. Everyone does not mean any unauthorized user, it just means that the folder is accessible for all domain users. As a result, if the folder is accessible to Everyone, a domain username and password will still need to be entered in the update setup section. ESET Smart Security reports an error connecting to the Mirror server Communication on the port defined for accessing the HTTP version of the Mirror is blocked. 4.4.2 How to create update tasks

Files stored in the quarantine folder can be viewed in a table which displays the date and time of quarantine, the path to the original location of the infected file, its size in bytes, reason (added by user), and number of threats (e.g., if it is an archive containing multiple infiltrations). 4.6.1 Quarantining files
ESET Smart Security automatically quarantines deleted files (if you have not cancelled this option in the alert window). If desired, you can quarantine any suspicious file manually by clicking the Quarantine. button. If this is the case, the original file is not removed from its original location. The context menu can also be used for this purpose rightclick in the Quarantine window and select Add. 4.6.2 Restoring from Quarantine
In the next step, a summary window with information about the current scheduled task is displayed; the option Run task with specific parameters should be automatically enabled. Click the Finish button. A dialog window will appear, allowing you to select profiles to be used for the scheduled task. Here you can specify a primary and alternative profile, which is used in case the task cannot be completed using the primary profile. Confirm by clicking OK in the Update profiles window. The new scheduled task will be added to the list of currently scheduled tasks. 4.6 Quarantine The main task of quarantine is to safely store infected files. Files should be quarantined if they cannot be cleaned, if it is not safe or advisable to delete them, or if they are being falsely detected by ESET Smart Security. You can choose to quarantine any file. This is advisable if a file behaves suspiciously but is not detected by the antivirus scanner. Quarantined files can be submitted for analysis to ESETs Threat Lab.
Quarantined files can also be restored to their original location. Use the Restore feature for this purpose; this is available from the context menu by rightclicking on the given file in the Quarantine window. The context menu also offers the option Restore to, which allows you to restore a file to a location other than the one from which it was deleted. NOTE: If the program quarantined a harmless file by mistake, please exclude the file from scanning after restoring and send the file to ESET Customer Care. 4.6.3 Submitting file from Quarantine
If you have quarantined a suspicious file that was not detected by the program, or if a file was incorrectly evaluated as infected (e.g., by heuristic analysis of the code) and subsequently quarantined, please send the file to ESETs Threat Lab. To submit a file from quarantine, rightclick the file and select Submit for analysis from the context menu.

ESET SysInspector divides various types of information into several basic sections called nodes. If available, you may find additional details by expanding each node into its subnodes. To open or collapse a node just double-click the name of the node or click or next to the name of the node. As you browse through the tree structure of nodes and subnodes in the Navigation window you may find various details for each node shown in the Description window. If you browse through items in the Description window, additional details for each item may display in the Details window. Below are descriptions of the main nodes in the Navigation window and related information in the Description and Details windows. Running processes This node contains information about applications and processes running at the time the report was generated. The Description window displays details for each process, such as dynamic libraries used by the process and their location in the system, the name of the applications vendor, the risk level of the file, etc. The Details window contains additional information about items selected in the Description window such as the file size or its hash. NOTE: An operating system is comprised of several important kernel processes which run continually in order to provide basic functions vital to other applications. In certain cases, such processes are displayed in ESET SysInspector as a file path beginning with \??\. These symbols indicate a safe and accurate configuration.
tree structure section contains new values removed value, present in the previous log only
tree structure section contains removed values value / file has been changed tree structure section contains modified values / files the risk level has decreased / it was higher in the previous log the risk level has increased / it was lower in the previous log The explanation section displayed in the left bottom corner describes all symbols and also displays the names of logs which are being compared.
Remove Removes entries from the list Show Displays the selected snapshot. Alternatively, you can doubleclick the selected entry. Export. Saves the selected entry in an.xml file (as well as a.zip version) 5.4.1.5 Service script
Service script is a tool that directly influences the operating system and installed applications, allowing users to execute scripts that remove problematic components in the system, including viruses, remnants of viruses, blocked files, virus records in the registry, etc. The script is stored in a text file generated from a pre-existing.xml file. The data in the.txt script file is ordered simply and legibly, for ease of use. The script will initially exhibit neutral behavior. In other words, it will not have any impact on the system while in its original form. The user needs to edit the script for it to have any effect. Warning: This tool is intended for advanced users only. Incorrect use may result in damage to programs or the operating system. 5.4.1.5.1 Generating Service scripts

For the rescue CD/DVD/USB to work effectively, you must start your computer from the ESET SysRescue boot media. Boot priority can be modified in the BIOS. Alternatively, you can invoke the boot menu during computer startup - usually using one of the F9 - F12 keys depending on the version of your motherboard/BIOS. After booting up, ESS will start. Since ESET SysRescue is used only in specific situations, some protection modules and program features present in the standard version of ESS are not needed; their list is narrowed down to Computer scan, Update, and some sections in Setup. The ability to update the virus signature database is the most important feature of ESET SysRescue, we recommend that you update the program prior starting a Computer scan. 5.5.3.1 Using ESET SysRescue
Suppose that computers in the network have been infected by a virus which modifies executable (.exe) files. ESS is capable of cleaning all infected files except for explorer.exe, which cannot be cleaned, even in Safe mode. This is because explorer.exe, as one of the essential Windows processes, is launched in Safe mode as well. ESS would not be able to perform any action with the file and it would remain infected. In this type of scenario, you could use ESET SysRescue to solve the problem. ESET SysRescue does not require any component of the host operating system, and is therefore capable of processing (cleaning, deleting) any file on the disk.

6. Glossary

6.1 Types of infiltration An Infiltration is a piece of malicious software trying to enter and/or damage a users computer. 6.1.1 Viruses infiltration not falling under any specific class of infiltration. Since this is a very broad category, it is often divided into many subcategories: Downloader A malicious program with the ability to download other infiltrations from the Internet. Dropper A type of trojan horse designed to drop other types ofmalware onto compromised computers. Backdoor An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it. Keylogger (keystroke logger) A program which records each keystroke that a user types and sends the information to remote attackers. Dialer Dialers are programs designed to connect to premiumrate numbers. It is almost impossible for a user to notice that a new connection was created. Dialers can only cause damage to users with dialup modems, which are no longer regularly used. Trojan horses usually take the form of executable files with the extension.exe. If a file on your computer is detected as a trojan horse, it is advisable to delete it, since it most likely contains malicious code. Examples of wellknown trojans are: NetBus, Trojandownloader. Small.ZL, Slapper 6.1.4 Rootkits

A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The basic difference between a virus and a worm is that worms have the ability to replicate and travel by themselves they are not dependent on host files (or boot sectors). Worms spread through email addresses in your contact list or exploit security vulnerabilities in network applications. Worms are therefore much more viable than computer viruses. Due to the wide availability of the Internet, they can spread across the globe within hours or even minutes of their release. This ability to replicate independently and rapidly makes them more dangerous than other types of malware. A worm activated in a system can cause a number of inconveniences: It can delete files, degrade system performance, or even deactivate programs. The nature of a computer worm qualifies it as a means of transport for other types of infiltrations. If your computer is infected with a worm, we recommend you delete the infected files because they likely contain malicious code. Examples of wellknown worms are: Lovsan/Blaster, Stration/ Warezov, Bagle, and Netsky. 6.1.3 Trojan horses
Adware is a short for advertisingsupported software. Programs displaying advertising material fall under this category. Adware applications often automatically open a new popup window containing advertisements in an Internet browser, or change the browsers home page. Adware is frequently bundled with freeware programs, allowing their creators to cover development costs of their (usually useful) applications. Adware itself is not dangerous users will only be bothered with advertisements. Its danger lies in the fact that adware may also perform tracking functions (as spyware does). If you decide to use a freeware product, please pay particular attention to the installation program. The installer will most likely notify you of the installation of an extra adware program. Often you will be allowed to cancel it and install the program without adware. Some programs will not install without adware, or their functionality will be limited. This means that adware may often access the system in a legal way, because users have agreed to it. In this case, it is better
Historically, computer trojan horses have been defined as a class of infiltrations which attempt to present themselves as useful programs, thus tricking users into letting them run. But it is important to note that this was true for trojan horses in the pasttoday, there is no longer a need for them to disguise themselves. Their sole purpose is to infiltrate as easily as possible and accomplish their malicious goals. Trojan horse has become a very general term describing any
to be safe than sorry.If there is a file detected as adware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code. 6.1.6 Spyware

DoS attacks

This category covers all applications which send private information without user consent/awareness. Spyware uses tracking functions to send various statistical data such as a list of visited websites, email addresses from the users contact list, or a list of recorded keystrokes. The authors of spyware claim that these techniques aim to find out more about users needs and interests and allow bettertargeted advertisement. The problem is that there is no clear distinction between useful and malicious applications and no one can be sure that the retrieved information will not be misused. The data obtained by spyware applications may contain security codes, PINs, bank account numbers, etc. Spyware is often bundled with free versions of a program by its author in order to generate revenue or to offer an incentive for purchasing the software. Often, users are informed of the presence of spyware during a programs installation to give them an incentive to upgrade to a paid version without it. Examples of wellknown freeware products which come bundled with spyware are client applications of P2P (peertopeer) networks. Spyfalcon or Spy Sheriff (and many more) belong to a specific spyware subcategory they appear to be antispyware programs, but in fact they are spyware programs themselves. If a file is detected as spyware on your computer, it is advisable to delete it, since there is a high probability that it contains malicious code. 6.1.7 Potentially unsafe applications
DoS, or Denial of Service, is an attempt to make a computer or network unavailable for its intended users. The communication between afflicted users is obstructed and can no longer continue in a functional way. Computers exposed to DoS attacks usually need to be restarted in order to work properly. In most cases, the targets are web servers and the aim is to make them unavailable to users for a certain period of time. 6.2.2 DNS Poisoning
Using DNS (Domain Name Server) poisoning, hackers can trick the DNS server of any computer into believing that the fake data they supplied is legitimate and authentic. The fake information is cached for a certain period of time, allowing attackers to rewrite DNS replies of IP addresses. As a result, users trying to access Internet websites will download computer viruses or worms instead of their original content. 6.2.3 Worm attacks
A computer worm is a program containing malicious code that attacks host computers and spreads via a network. The network worms exploit security vulnerabilities in various applications. Due to the availability of the Internet, they can spread all over the world within a few hours of their release. In some cases, even in minutes. Most worm attacks (Sasser, SqlSlammer) can be avoided by using default security settings in the firewall, or by blocking unprotected and unused ports. Also, it is essential that your operating system is updated with the most recent security patches. 6.2.4 Port scanning

In the context of Antispam solutions and email clients, rules are tools for manipulating email functions. They consist of two logical parts: 1. Condition (e.g., an incoming message from a certain address) 2. Action (e.g., deletion of the message, moving it to a specified folder) The number and combination of rules varies with the Antispam solution. These rules serve as measures against spam (unsolicited email). Typical examples: 1. Condition: An incoming email message contains some of the words typically seen in spam messages 2. Action: Delete the message 1. Condition: An incoming email message contains an attachment with an.exe extension 2. Action: Delete the attachment and deliver the message to the mailbox 1. Condition: An incoming email message arrives from your employer 2. Action: Move the message to the Work folder.
Serverside control is a technique for identifying mass spam based on the number of received messages and the reactions of users. Each message leaves a unique digital footprint based on the content of the message. The unique ID number tells nothing about the content of the email. Two identical messages will have identical footprints, while different messages will have different footprints. If a message is marked as spam, its footprint is sent to the server. If the server receives more identical footprints (corresponding to a certain spam message), the footprint is stored in the spam footprints database. When scanning incoming messages, the program sends the footprints of the messages to the server. The server returns information on which footprints correspond to messages already marked by users as spam.
We recommend that you use a combination of rules in Antispam programs in order to facilitate administration and to more effectively filter spam. 6.3.4.1 Bayesian filter
Bayesian spam filtering is an effective form of email filtering used by almost all Antispam products. It is able to identify unsolicited email with high accuracy and can work on a peruser basis. The functionality is based on the following principle: The learning process takes place in the first phase. The user manually marks a sufficient number of messages as legitimate messages or as spam (normally 200/200). The filter analyzes both categories and learns, for example, that spam usually contains the words rolex or viagra, and legitimate messages are sent by family members or from addresses in the users contact list. Provided that a sufficient number of messages are processed, the Bayesian filter is able to assign a specific spam index to each message in order to determine whether it is spam or not. The main advantage of a Baysesian filter is its flexibility. For example, if a user is a biologist, all incoming emails concerning biology or relative fields of study will generally receive a lower probability index. If a message includes words that would normally qualify it as unsolicited, but it is sent by someone from the users contact list, it will be marked as legitimate, because senders from a contact list decrease overall spam probability. 6.3.4.2 Whitelist