Zone authentication

The longtime development experience of our experts is demonstrated by the entirely new architecture of ESET Smart Security, which guarantees maximum detection with minimum system requirements. This robust security solution contains modules with several advanced options. The following list offers you a brief overview of these modules. Antivirus & antispyware
Low Layer Network Communication Scanning
This module is built upon the ThreatSense scanning engine, which was used for the first time in the awardwinning NOD32 Antivirus system. ThreatSense is optimized and improved with the new ESET Smart Security architecture. Feature Improved Cleaning Description The antivirus system now intelligently cleans and deletes most detected infiltrations without requiring user intervention. Computer scanning can be launched in the background without slowing down performance. Core optimization processes keep the size of update files smaller than in version 2.7. Also, the protection of update files against damage has been improved. It is now possible to scan incoming email not only in Microsoft Outlook but also in Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird. Direct access to file systems for high speed and throughput. Blocked access to infected files Optimization for the Windows Security Center, including Vista.

IPv6 Support

Executable File Monitoring
File Scanning Integrated with HTTP(s) and POP3(s)

Background Scanning Mode

Intrusion Detection System

Smaller Update Files

Popular Email Client Protection

Other Minor Improvements

Interactive, Policybased, Learning, Automatic and Automatic mode with exceptions
Users can select whether the Personal firewall actions will be executed automatically or if they want to set rules interactively. Communication in Policybased mode is handled according to rules predefined by the user or the network administrator. Learning mode automatically creates and saves rules and is suitable for initial configuration of the firewall. Supersedes the Integrated Windows Firewall and interacts with the Windows Security Center to monitor security status. ESET Smart Security installation turns off the Windows firewall by default.

Document protection

The Document protection serves to scan Microsoft Office documents before they are opened and files downloaded automatically by Internet Explorer, such as Microsoft ActiveX elements. The new Self Defense technology protects ESET Smart Security components against deactivation attempts. The user interface is now capable of working in the non-graphical mode, which allows for keyboard control of ESET Smart Security. The increased compatibility with screenreading application lets sight-impaired people control the program more efficiently.

Trusted zone detection occurs after ESET Smart Security installation and whenever your computer connects to a new network. Therefore, there is usually no need to define the Trusted zone. By default, a dialog window displays upon detection of a new zone which allows you to set the protection level for that zone.
The Advanced Setup window (click Setup from the main menu and then click Enter entire advanced setup tree., or press F5 on your keyboard) contains additional update options. Click Update from the Advanced Setup tree. The Update server: drop-down menu should be set to Choose automatically. To configure advanced update options such as the update mode, proxy server access, LAN connections and creating virus signature copies (ESET Smart Security Business Edition), click the Setup. button.
fields and click OK. This password will be required for any future modifications to ESET Smart Security settings.
Warning: An incorrect trusted zone configuration may pose a security risk to your computer. NOTE: By default, workstations from a Trusted zone are granted access to shared files and printers, have incoming RPC communication enabled, and also have remote desktop sharing available. 3.4 Proxy server setup If you use a proxy server to control Internet connections, it must be specified in Advanced Setup. To access the Proxy server configuration window, press F5 to open the Advanced Setup window and click Miscellaneous > Proxy server from the Advanced Setup tree. Select the Use proxy server option, and then fill in the Proxy server (IP address) and Port fields. If needed, select the Proxy server requires authentication option and then enter the Username and Password.
If this information is not available, you can try to automatically detect proxy server settings by clicking the Detect proxy server button. NOTE: Proxy server options for various update profiles may differ. If this is the case, configure the different update profiles in Advanced Setup by clicking Update from the Advanced Setup tree. 3.5 Settings protection ESET Smart Security settings can be very important for your organizations security. Unauthorized modifications can endanger network stability and protection. To password protect the settings, from the main menu click Setup > Enter entire advanced setup tree. > User interface > Access setup, select the Password protect settings option and click the Set password. button. Enter a password in the New password and Confirm new password
4. Work with ESET Smart Security
4.1 Antivirus and antispyware protection Antivirus protection guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by first blocking it, and then cleaning, deleting or moving it to quarantine. 4.1.1 Realtime file system protection By default, all files are scanned upon opening, creation or execution. We recommend that you keep the default settings, as these provide the maximum level of realtime protection for your computer. The Diskette access option provides control of the diskette boot sector when this drive is accessed. The Computer shutdown option provides control of the hard disk boot sectors during computer shutdown. Although boot viruses are rare today, we recommend that you leave these options enabled, as there is still the possibility of infection by a boot virus from alternate sources. 4.1.1.1.3 Advanced scan options

The realtime protection has three cleaning levels (to access, click the Setup. button in the Real-time file system protection section and then click the Cleaning branch). The first level displays an alert window with available options for each infiltration found. You must choose an action for each infiltration individually. This level is designed for more advanced users who know which steps to take in the event of an infiltration. The default level automatically chooses and performs a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by an information message located in the bottom right corner of the screen. However, an automatic action is not performed if the infiltration is located within an archive which also contains clean files, and it is not performed on objects for which there is no predefined action. The third level is the most aggressive all infected objects are cleaned. As this level could potentially result in the loss of valid files, we recommend that it be used only in specific situations.

4.1.1.1.1

Media to scan
By default, all types of media are scanned for potential threats. Local drives Controls all system hard drives Removable media Diskettes, USB storage devices, etc. Network drives Scans all mapped drives We recommend that you keep the default settings and only modify them in specific cases, such as when scanning certain media significantly slows data transfers. 4.1.1.1.2 Scan on (Eventtriggered scanning)
If Realtime protection does not detect and clean infiltrations 4.1.1.3 When to modify realtime protection configuration Make sure that no other antivirus programs are installed on your computer. If two realtime protection shields are enabled at the same time, they may conflict with each other. We recommend that you uninstall any other antivirus programs on your system. Realtime protection does not start If realtime protection is not initiated at system startup (and the Automatic realtime file system protection startup option is enabled), it may be due to conflicts with other programs. If this is the case, please consult ESETs Customer Care specialists. 4.1.2 Email client protection
Realtime protection is the most essential component of maintaining a secure system. Therefore, please be careful when modifying its parameters. We recommend that you only modify its parameters in specific cases. For example, if there is a conflict with a certain application or realtime scanner of another antivirus program. After installation of ESET Smart Security, all settings are optimized to provide the maximum level of system security for users. To restore the default settings, click the Default button located at the bottom-right of the Real-time file system protection window (Advanced Setup > Antivirus and antispyware > Real-time file system protection). 4.1.1.4 Checking realtime protection

Web browsers
ESET Smart Security also contains the Web browsers feature, which allows you to define whether the given application is a browser or not. If an application is marked as a browser, all communication from this application is monitored regardless of the port numbers involved. The Web browsers feature complements the HTTP checking feature, as HTTP checking only takes place on predefined ports. However, many Internet services utilize changing or unknown port numbers. To account for this, the Web browser feature can establish control of port communications regardless of the connection parameters.

4.1.3.1.1

Address management
The list of applications marked as web browsers is accessible directly from the Web browsers submenu of the HTTP branch. This section also contains the Active mode submenu, which defines the checking mode for Internet browsers. Active mode is useful because it examines transferred data as a whole. If it is not enabled, communication of applications is
This section enables you to specify HTTP addresses to block, allow or exclude from checking. The buttons Add, Edit, Remove and
monitored gradually in batches. This decreases the effectiveness of the data verification process, but also provides higher compatibility for listed applications. If no problems occur while using it, we recommend that you enable active checking mode by selecting the checkbox next to the desired application.
detected infiltrations. The cleaning level is automatically set to the default value. For more detailed information on types of cleaning, see section 4.1.6.3, Cleaning. 4.1.4.1.2 Custom scan
Custom scan is an optimal solution if you wish to specify scanning parameters such as scan targets and scanning methods. The advantage of Custom scan is the ability to configure the parameters in detail. The configurations can be saved to user-defined scan profiles, which can be useful if scanning is repeatedly performed with the same parameters. To select scan targets, select Computer scan > Custom scan and select an option from the Scan targets dropdown menu or select specific targets from the tree structure. A scan target can also be more precisely specified by entering the path to the folder or file(s) you wish to include. If you are only interested in scanning the system without additional cleaning actions, select the Scan without cleaning option. Furthermore, you can choose from three cleaning levels by clicking Setup. > Cleaning. Performing computer scans with Custom scan is suitable for advanced users with previous experience using antivirus programs. 4.1.4.2 Scan targets

On-demand computer scan

If you suspect that your computer is infected (it behaves abnormally), run an Ondemand computer scan to examine your computer for infiltrations. From a security point of view, it is essential that computer scans are not just run when an infection is suspected, but regularly as part of routine security measures. Regular scanning can detect infiltrations that were not detected by the realtime scanner when they were saved to the disk. This can happen if the realtime scanner was disabled at the time of infection, or if the virus signature database is not up-to-date. We recommend that you run an Ondemand computer scan at least once a month. Scanning can be configured as a scheduled task from Tools > Scheduler. 4.1.4.1 Type of scan
The Scan targets drop-down menu allows you to select files, folders and devices (disks) to be scanned for viruses. By profile settings Selects targets set in the selected scan profile Removable media Selects diskettes, USB storage devices, CD/DVD Local drives Selects all system hard drives Network drives Selects all mapped drives No selection Cancels all selections
Two types of On-demand computer scan are available. Smart scan quickly scans the system with no need for further configuration of the scan parameters. Custom scan allows you to select any of the predefined scan profiles, as well as choose specific scan targets.

4.1.4.3

Scan profiles
Your preferred scan parameters can be saved for future scanning. We recommend that you create a different profile (with various scan targets, scan methods and other parameters) for each regularly used scan. To create a new profile, open the Advanced Setup window (F5) and click Ondemand computer scan > Profiles. The Configuration profiles window has a drop-down menu of existing scan profiles and the option to create a new one. To help you create a scan profile to fit your needs, see section 4.1.6, ThreatSense engine parameters setup for a description of each parameter of the scan setup. Example: Suppose that you want to create your own scan profile and the Smart scan configuration is partially suitable, but you dont want

4.1.4.1.1

Smart scan
Smart scan allows you to quickly launch a computer scan and clean infected files with no need for user intervention. Its main advantages are easy operation with no detailed scanning configuration. Smart scan checks all files on local drives and automatically cleans or deletes

In the Zone and rule setup window, click the Zones tab and create a new zone using the name of the zone authenticated by the server. Then click Add IPv4 address and select the Subnet option to add a subnet mask that contains the authentication server. Click the Zone authentication tab and select the IP addresses/ subnets in the zone will become valid after a successful authentication of the server in the network option. With this option selected, the zone will become invalid if authentication is unsuccessful. To select a Personal firewall profile to be activated after a successful zone authentication, click the Profiles. button. If you select the Add addresses/subnets of the zone to the Trusted Zone option, the addresses/subnets of the zone will be added to the Trusted zone after an authentication is successful (recommended).
A good example of adding a new rule is allowing your Internet browser to access the network. The following must be provided in this case: On the General tab, enable outgoing communication via the TCP and UDP protocol Add the process representing your browser application (for Internet Explorer it is iexplore.exe) on the Local tab On the Remote tab, enable port number 80 only if you wish to allow standard Internet browsing activities. Editing rules

4.2.5.2

To modify an existing rule, click the Edit button. All parameters (see section 4.2.5.1, Creating new rules for descriptions) can be modified. Modification is required each time any of the monitored parameters are changed. In this case, the rule cannot fulfill the conditions and the specified action cannot be applied. In the end, the given connection may be refused, which can result in problems with operation of the application in question. An example is a change of network address or port number for the remote side. 4.2.6 Configuring zones
There are three authentication types available: 1) Using ESET authentication server Click Setup. and specify a server name, server listening port and a public key that corresponds to the private server key (see section 4.2.6.1.2, Zone authentication Server configuration). The server name can be entered in the form of an IP address, DNS or NetBios name. The server name can be followed by a path specifying the location of the key on the server (e.g., server_name_/directory1/ directory2/authentication). Enter multiple servers, separated by semicolons, to serve as alternate servers if the first one is unavailable. The public key can be a file of one of the following types: PEM encrypted public key (.pem) - This key can be generated using the ESET Authentication Server (see section 4.2.6.1.2, Zone

The ESET Smart Security Personal firewall saves all important events in a log file, which can be viewed directly from the main menu. Click Tools > Log files and then select ESET Personal firewall log from the Log dropdown menu. The log files are an invaluable tool for detecting errors and revealing intrusions into your system, and should be given appropriate attention. ESET Personal firewall logs contain the following data: Please be careful when creating new rules and only allow connections which are secure. If all connections are allowed, then the Personal firewall fails to accomplish its purpose. These are the important parameters for connections: Remote side: Only allow connections to trusted and known addresses Local application: It is not advisable to allow connections for unknown applications and processes Port number: Communication on common ports (e.g., web traffic port number 80) should be allowed under normal circumstances Date and time of event Name of event Source Target network address Network communication protocol Rule applied, or name of worm, if identified Application involved User
A thorough analysis of this data can help detect attempts to compromise system security. Many other factors indicate potential security risks and allow you to minimize their impact: too frequent connections from unknown locations, multiple attempts to establish connections, unknown applications communicating or unusual port numbers used. 4.3 Antispam protection Unsolicited email called spam ranks among the greatest problems of electronic communication. It represents up to 80 percent of all email communication. Antispam protection serves to protect against this problem. Combining several efficient principles, the Antispam module provides superior filtering.
One important principle in spam detection is the ability to recognize unsolicited email based on predefined trusted addresses (whitelist) and spam addresses (blacklist). All addresses from your contact list are automatically added to the whitelist, as well as all other addresses you mark as safe. The primary method used to detect spam is the scanning of email message properties. Received messages are scanned for basic Antispam criteria (message definitions, statistical heuristics, recognizing algorithms and other unique methods) and the resulting index value determines whether a message is spam or not. ESET Smart Security 4 supports Antispam protection for Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird. 4.3.1 Selflearning Antispam
Reclassified messages are automatically moved to the SPAM folder, but the sender email address is not added to the Blacklist. Similarly, messages can be classified as not spam. If messages from the Junk Email folder are classified as not spam, they are moved to their original folder. Marking a message as not spam does not automatically add the sender address to the Whitelist. 4.4 Updating the program Regular updating of ESET Smart Security is the basic premise for obtaining the maximum level of security. The Update module ensures that the program is always up to date in two ways by updating the virus signature database and by updating system components. By clicking Update from the main menu, you can find the current update status, including the date and time of the last successful update and if an update is needed. The primary window also contains the virus signature database version. This numeric indicator is an active link to ESETs website, listing all signatures added within the given update. In addition, the option to manually begin the update process Update virus signature database is available, as well as basic update setup options such as the username and password to access ESETs update servers. Use the Product activation link to open a registration form that will activate your ESET security product and send you an email with your authentication data (username and password).

Accessing the Mirror via system shares First, a shared folder should be created on a local or a network device. When creating the folder for the Mirror, you must provide write access for the user who will save update files to the folder and read access for all users who will update ESET Smart Security from the Mirror folder. Next, configure access to the Mirror in the Advanced update setup section (Mirror tab) by disabling the Provide update files via internal HTTP server option. This option is enabled by default in the program install package. If the shared folder is located on another computer in the network, you must specify authentication data to access the other computer. To specify authentication data, open ESET Smart Security Advanced Setup (F5) and click the Update branch. Click the Setup. button and then click the LAN tab. This setting is the same as for updating, as described in section 4.4.1.2.3, Connecting to LAN. After the Mirror configuration is complete, proceed to the workstations and set \\UNC\PATH as the update server. This operation can be completed using the following steps: Open ESET Smart Security Advanced Setup and click Update Click Edit. next to the Update server and add a new server using the \\UNC\PATH format. Select this newlyadded server from the list of update servers
NOTE: For proper functioning, the path to the Mirror folder must be specified as a UNC path. Updates from mapped drives may not work.
4.4.1.2.4.2 Troubleshooting Mirror update problems In most cases, problems during an update from a Mirror server are caused by one or more of the following: incorrect specification of the Mirror folder options, incorrect authentication data to the Mirror folder, incorrect configuration on local workstations attempting to download update files from the Mirror, or by a combination of the reasons above. Below is an overview of the most frequent problems which may occur during an update from the Mirror: ESET Smart Security reports an error connecting to Mirror server Likely caused by incorrect specification of the update server (network path to the Mirror folder) from which local workstations download updates. To verify the folder, click the Windows Start menu, click Run, insert the folder name and click OK. The contents of the folder should be displayed. ESET Smart Security requires a username and password Likely caused by incorrect authentication data (username and password) in the update section. The username and password are used to grant access to the update server, from which the program will update itself. Make sure that the authentication data is correct and entered in the correct format. For example, Domain/Username, or Workgroup/ Username, plus the corresponding Passwords. If the Mirror server is accessible to Everyone, please be aware that this does not mean that any user is granted access. Everyone does not mean any unauthorized user, it just means that the folder is accessible for all domain users. As a result, if the folder is accessible to Everyone, a domain username and password will still need to be entered in the update setup section. ESET Smart Security reports an error connecting to the Mirror server Communication on the port defined for accessing the HTTP version of the Mirror is blocked. 4.4.2 How to create update tasks

Files stored in the quarantine folder can be viewed in a table which displays the date and time of quarantine, the path to the original location of the infected file, its size in bytes, reason (added by user), and number of threats (e.g., if it is an archive containing multiple infiltrations). 4.6.1 Quarantining files
ESET Smart Security automatically quarantines deleted files (if you have not cancelled this option in the alert window). If desired, you can quarantine any suspicious file manually by clicking the Quarantine. button. If this is the case, the original file is not removed from its original location. The context menu can also be used for this purpose rightclick in the Quarantine window and select Add. 4.6.2 Restoring from Quarantine
In the next step, a summary window with information about the current scheduled task is displayed; the option Run task with specific parameters should be automatically enabled. Click the Finish button. A dialog window will appear, allowing you to select profiles to be used for the scheduled task. Here you can specify a primary and alternative profile, which is used in case the task cannot be completed using the primary profile. Confirm by clicking OK in the Update profiles window. The new scheduled task will be added to the list of currently scheduled tasks. 4.6 Quarantine The main task of quarantine is to safely store infected files. Files should be quarantined if they cannot be cleaned, if it is not safe or advisable to delete them, or if they are being falsely detected by ESET Smart Security. You can choose to quarantine any file. This is advisable if a file behaves suspiciously but is not detected by the antivirus scanner. Quarantined files can be submitted for analysis to ESETs Threat Lab.
Quarantined files can also be restored to their original location. Use the Restore feature for this purpose; this is available from the context menu by rightclicking on the given file in the Quarantine window. The context menu also offers the option Restore to, which allows you to restore a file to a location other than the one from which it was deleted. NOTE: If the program quarantined a harmless file by mistake, please exclude the file from scanning after restoring and send the file to ESET Customer Care. 4.6.3 Submitting file from Quarantine
If you have quarantined a suspicious file that was not detected by the program, or if a file was incorrectly evaluated as infected (e.g., by heuristic analysis of the code) and subsequently quarantined, please send the file to ESETs Threat Lab. To submit a file from quarantine, rightclick the file and select Submit for analysis from the context menu.
In each section, the displayed information can be directly copied to the clipboard by selecting the entry and clicking the Copy button. To select multiple entries, the CTRL and SHIFT keys can be used. 4.7.1 Log maintenance
The Logging configuration of ESET Smart Security is accessible from the main program window. Click Setup > Enter entire advanced setup tree. > Tools > Log files. You can specify the following options for log files: Delete records automatically: Log entries older than the specified number of days are automatically deleted Optimize log files automatically: Enables automatic defragmentation of log files if the specified percentage of unused records has been exceeded Minimum logging verbosity: Specifies the logging verbosity level. Available options: Diagnostic records Logs information needed for finetuning of the program and all records above Informative records Records informative messages including successful update messages plus all records above Warnings Records critical errors and warning messages Errors Only Error downloading file messages are recorded, plus critical errors Critical warnings Logs only critical errors (error starting Antivirus protection, Personal firewall, etc)

At the top of the ESET Smart Security main program window is a Standard menu which can be activated or disabled based on the Use standard menu option. If the Show tooltips option is enabled, a short description of any option will be displayed if the cursor is placed over the option. The Select active control element option will cause the system to highlight any element which is currently under the active area of the mouse cursor. The highlighted element will be activated after a mouse click. To decrease or increase the speed of animated effects, select the Use animated controls option and move the Speed slider bar to the left or right. To enable the use of animated icons to display the progress of various operations, select the Use animated icons for progress indication option. If you want the program to sound a warning if an important event takes place, select the Use sound signal option.
To close popup windows automatically after a certain period of time, select the option Close messageboxes automatically after (sec.). If they are not closed manually, alert windows are automatically closed after the specified time period has expired. Notifications on the Desktop and balloon tips are informative only, and do not require or offer user interaction. They are displayed in the notification area at the bottom right corner of the screen. To activate displaying Desktop notifications, select the Display notifications on desktop option. More detailed options notification display time and window transparency can be modified by clicking the Configure notifications. button. To preview the behavior of notifications, click the Preview button. To configure the duration of the balloon tips display time, see the option Display balloon tips in taskbar (for sec.).
The User interface features also include the option to passwordprotect the ESET Smart Security setup parameters. This option is located in the Settings protection submenu under User interface. In order to provide maximum security for your system, it is essential that the program be correctly configured. Unauthorized modifications could result in the loss of important data. To set a password to protect the setup parameter, click Set password

Click Advanced setup. to enter additional Alerts and notification setup options that include the Display only notifications requiring users interaction. This option allows you to turn on/off displaying of alerts and notifications that require no user interaction. Select Display only notifications requiring users interaction when running applications in full screen mode to suppress all noninteractive notifications. From the Minimum verbosity of events to display drop-down menu you can select the starting severity level of alerts and notification to be displayed. The last feature in this section allows you to configure the destination of notifications in a multi-user environment. The On multi-user systems, display notifications on the screen of the user: field allows you to define who will receive important notifications from ESET Smart Security. Normally this would be a system or network administrator. This option is especially useful for terminal servers, provided that all system notifications are sent to the administrator. 4.9 ThreatSense.Net The ThreatSense.Net Early Warning System keeps ESET immediately and continuously informed about new infiltrations. The bidirectional ThreatSense.Net Early Warning System has a single purpose to improve the protection that we can offer you. The best way to ensure that we see new threats as soon as they appear is to link to as many to as many of our customers as possible and use them as our Threat Scouts. There are two options:

Alerts and notifications

The Alerts and notifications setup section under User interface allows you to configure how threat alerts and system notifications are handled in ESET Smart Security. The first item is Display alerts. Disabling this option will cancel all alert windows and is only suitable for a limited amount of specific situations. For most users, we recommend that this option be left to its default setting (enabled).
1. You can decide not to enable the ThreatSense.Net Early Warning System. You will not lose any functionality in the software, and you will still receive the best protection that we offer. 2. You can configure the ThreatSense.Net Early Warning System to submit anonymous information about new threats and where the new threatening code is contained. This file can be sent to ESET for detailed analysis. Studying these threats will help ESET update its threat detection capabilities. The ThreatSense.Net Early Warning System will collect information

Any comparative log can be saved to a file and opened at a later time. Example: Generate and save a log, recording original information about the system, to a file named previous.xml. After changes to the system have been made, open SysInspector and let it generate a new log. Save it to a file named current.xml. In order to track changes between those two logs, click File > Compare Log. The program will create a comparative log showing differences between the logs. The same result can be achieved if you use the following command line option: SysIsnpector.exe current.xml previous.xml 5.4.1.4 SysInspector as part of ESET Smart Security 4
To generate a script, right-click any item from the menu tree (in the left pane) in the SysInspector main window. From the context menu, select either the Export All Sections To Service Script option or the Export Selected Sections To Service Script option. 5.4.1.5.2 Structure of the Service script
In the first line of the scripts header you can find information about the Engine version (ev), GUI version (gv) and the Log version (lv). You can use this data to track possible changes in the.xml file that generates the script and prevent any inconsistencies during execution. This part of the script should not be altered. The remainder of the file is divided into sections in which items can be edited (denote those that will be processed by the script). You mark items for processing by replacing the - character in front of an item with a + character. Sections in the script are separated from each other by an empty line. Each section has a number and title. 01) Running processes This section contains a list of all processes running in the system. Each process is identified by its UNC path and, subsequently, its CRC16 hash code in asterisks (*). Example: 01) Running processes: - \SystemRoot\System32\smss.exe *4725* - C:\Windows\system32\svchost.exe *FD08* + C:\Windows\system32\module32.exe *CF8A* [.] In this example a process, module32.exe, was selected (marked by a + character); the process will end upon execution of the script. 02) Loaded modules This section lists currently used system modules. Example: 02) Loaded modules: - c:\windows\system32\svchost.exe - c:\windows\system32\kernel32.dll + c:\windows\system32\khbekhb.dll

6.2 Types of remote attacks There are many special techniques which allow attackers to compromise remote systems. These are divided into several categories.

SMB Relay

of options such as Yes, I want to receive information. Use specialized email addresses e.g., one for business, one for communication with your friends, etc. From time to time, change your email address Use an Antispam solution Advertisements
SMBRelay and SMBRelay2 are special programs that are capable of carrying out attacks against remote computers. The programs take advantage of the Server Message Block file sharing protocol, which is layered onto NetBIOS. A user sharing any folder or directory within the LAN most likely uses this file sharing protocol. Within local network communication, password hashes are exchanged. SMBRelay receives a connection on UDP port 139 and 445, relays the packets exchanged by the client and server, and modifies them. After connecting and authenticating, the client is disconnected. SMBRelay creates a new virtual IP address. The new address can be accessed using the command net use \\192.168.1.1. The address can then be used by any of the Windows networking functions. SMBRelay relays SMB protocol communication except for negotiation and authentication. Remote attackers can use the IP address, as long as the client computer is connected. SMBRelay2 works on the same principle as SMBRelay, except it uses NetBIOS names rather than IP addresses. Both can carry out maninthemiddle attacks. These attacks allow remote attackers to read, insert and modify messages exchanged between two communication endpoints without being noticed. Computers exposed to such attacks often stop responding or unexpectedly restart. To avoid attacks, we recommend that you use authentication passwords or keys. 6.2.7 ICMP attacks
Internet advertising is one of the most rapidly growing forms of advertising. Its main marketing advantages are minimal costs and a high level of directness; whats more, messages are delivered almost immediately. Many companies use email marketing tools to effectively communicate with their current and prospective customers. This type of advertising is legitimate, since you may be interested in receiving commercial information about some products. But many companies send unsolicited bulk commercial messages. In such cases, email advertising crosses the line and becomes spam. The amount of unsolicited email has become a problem and it shows no signs of slowing. Authors of unsolicited email often attempt to disguise spam as legitimate messages. 6.3.2 Hoaxes
A hoax is misinformation which is spread across the Internet. Hoaxes are usually sent via email or communication tools like ICQ and Skype. The message itself is often a joke or Urban Legend. Computer Virus hoaxes try to generate fear, uncertainty and doubt (FUD) in the recipients, bringing them to believe that there is an undetectable virus deleting files and retrieving passwords, or performing some other harmful activity on their system. Some hoaxes work by asking recipients to forward messages to their contacts, perpetuating the hoax. There are mobile phone hoaxes, pleas for help, people offering to send you money from abroad, etc. It is often impossible to determine the intent of the creator. If you see a message prompting you to forward it to everyone you know, it may very well be a hoax. There are many websites on the Internet that can verify if an email is legitimate. Before forwarding, perform an Internet search on any message you suspect is a hoax. 6.3.3 Phishing