KASPERSKY LAB. Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition ADMINISTRATOR'S GUIDE


Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition
Administrator's Guide
Kaspersky Lab
Revision date: July, 2008

Contents

CHAPTER 1. INTRODUCTION
General Anti-Virus information; Real-time protection and on-demand scan; About threats detectable by Anti-Virus; About infected and suspicious objects and objects that may potentially contain malicious code; Obtaining information about Anti-Virus; Sources of information to research on your own; Contacting the Sales Department; Contacting the Technical Support service; Discussing Kaspersky Lab's applications at the web forum

CHAPTER 2. WORKING WITH ANTI-VIRUS CONSOLE IN MMC AND ACCESS TO ANTI-VIRUS FUNCTIONS
About the Anti-Virus console in MMC; Advanced configuration after installation of the Anti-Virus Console in MMC on another computer; Adding Anti-Virus users to the KAVWSEE Administrators group on the protected server; Allowing network connections for Anti-Virus management service on the server running Microsoft Windows Server; Enabling network connections for the Anti-Virus MMC Console in Microsoft Windows XP SP; Enabling network connections for the Anti-Virus MMC Console in Microsoft Windows XP SP2 or Microsoft Windows Vista; Starting the Anti-Virus console from the Start menu; Anti-Virus icon in the notification area of the task tray; Anti-Virus console window; Distribution of access permissions to Anti-Virus functions; About access permissions to Anti-Virus functions; Configuring access rights to the Anti-Virus functions; Starting and stopping...

CHAPTER 3. GENERAL ANTI-VIRUS SETTINGS
About general Anti-Virus settings; Configuring general Anti-Virus settings

CHAPTER 4. IMPORTING AND EXPORTING ANTI-VIRUS SETTINGS
About importing and exporting settings; Exporting settings; Importing settings

CHAPTER 5. TASK MANAGEMENT
Categories of Anti-Virus tasks; Creating a task; Saving task after changing its settings; Renaming tasks; Deleting tasks; Starting/pausing/resuming/stopping tasks manually; Managing task schedules; Configuring task schedules; Enabling and disabling scheduled launch; Viewing task statistics; Using a different user account to launch a task; About using accounts to launch tasks; Specifying the user account for running tasks

CHAPTER 6. REAL-TIME PROTECTION
About real-time protection tasks; Configuring Real-time file protection task; Protection area in the Real-time file protection task; Configuring security settings for a selected node; Selecting protection mode; Real-time file protection task statistics; Configuring the Script monitoring task; Script monitoring task statistics

CHAPTER 7. BLOCKING ACCESS FROM COMPUTERS IN THE REAL-TIME FILE PROTECTION TASK
About blocking access from computers to the protected server; Enabling or disabling automatic blocking of access from computers; Configuring settings of automatic access blocking from computers; Excluding computers from automatic blocking (Trusted computers); Preventing virus outbreaks; Viewing the list of computers to which access to the server is prohibited; Blocking access from computers: Blocking access from a computer manually; Unblocking access from a computer; Viewing blocking statistics

CHAPTER 8. TRUSTED ZONE
About Anti-Virus trusted zone; Adding exclusions to the trusted zone; Adding process to the list of trusted processes; Disabling the real-time file protection task for the time of backup copying; Adding exclusion rules; Applying a trusted zone

CHAPTER 9. ON-DEMAND SCAN
About on-demand scan tasks; Configuring on-demand tasks; Scan scope in the on-demand scan tasks; Configuring security settings for the selected node; Running a background on-demand scan task; On-demand scan task statistics

CHAPTER 10. UPDATING ANTI-VIRUS BASES AND APPLICATION MODULES
About updating Anti-Virus bases; About updating application modules; Schemes for updating bases and application modules of the Anti-Virus applications used within the organization; Updating tasks; Configuring updating tasks; Selecting the update source, configuring the connection with the update source and regional settings; Configuring Updating application modules task settings; Configuring Download updates task settings; Updating task statistics; Rolling back Anti-Virus database updates; Rolling back application modules update

CHAPTER 11. ISOLATION OF SUSPICIOUS OBJECTS. USING QUARANTINE
About isolation of suspicious objects; Viewing quarantined objects; Sorting quarantined objects; Filtering quarantined objects; Scanning quarantined objects. The Scan Quarantine task settings; Restoring objects from quarantine; Quarantining files; Deleting objects from quarantine; Sending suspicious object to Kaspersky Lab for analysis; Configuring quarantine settings; Quarantine statistics

CHAPTER 12. BACKUP COPYING OF OBJECTS BEFORE DISINFECTION/DELETION; USING BACKUP STORAGE
About backup copying of objects before disinfection / deletion; Viewing files stored in Backup; Sorting files in Backup; Filtering files in Backup; Restoring files from Backup; Deleting files from Backup; Configuring backup storage settings; Backup storage statistics

CHAPTER 13. EVENT REGISTRATION
Methods of event registration; Task execution reports; About task execution reports; Viewing summary reports. Summary reports' status; Sorting reports; Viewing detailed report about task execution; Exporting information from a detailed report into a text file; Deleting reports; Report and event log detail level settings; System audit log; Sorting events in System audit log; Filtering events in System audit log; Deleting objects from System audit log; Anti-Virus statistics; Anti-Virus event log in Event Viewer

CHAPTER 14. INSTALLING AND DELETING LICENSE KEYS
About Anti-Virus license keys; View installed keys info; Key installation; Deleting keys

CHAPTER 15. CONFIGURING NOTIFICATIONS
Methods for notifying the administrator and users; Notification settings

CHAPTER 16. ANTI-VIRUS COMMAND LINE COMMANDS
Displaying Anti-Virus command help. KAVSHELL HELP; Anti-Virus service startup or shutdown. KAVSHELL START, KAVSHELL STOP; Scanning selected area. KAVSHELL SCAN; Starting the Scan my computer task. KAVSHELL FULLSCAN; Managing the specified task in asynchronous mode. KAVSHELL TASK; Starting and stopping real-time protection tasks. KAVSHELL RTP; Starting Anti-Virus bases update task. KAVSHELL UPDATE; Rollback of the Anti-Virus bases update. KAVSHELL ROLLBACK; Installing and deleting keys. KAVSHELL LICENSE; Enabling, configuring and disabling the tracking log. KAVSHELL TRACE; Enabling and disabling dump file creation. KAVSHELL DUMP; Importing settings. KAVSHELL IMPORT; Exporting settings. KAVSHELL EXPORT

CHAPTER 17. RETURN CODES

CHAPTER 18. MANAGING ANTI-VIRUS AND VIEWING ITS STATUS
Starting and stopping the Anti-Virus service; Viewing the server protection status; Viewing the Anti-Virus statistics; Viewing Anti-Virus details; Viewing information about installed keys

CHAPTER 19. CREATING AND CONFIGURING POLICIES
About policies; Creating a policy; Configuring a policy; Disabling / resuming scheduled launch of local predefined tasks

CHAPTER 20. CONFIGURING ANTI-VIRUS IN THE APPLICATION SETTINGS DIALOG BOX
The Application Settings dialog box; Configuring general Anti-Virus settings; Blocking access from computers; Enabling or disabling automatic blocking of access from computers; Configuring settings of automatic access blocking from computers; Excluding computers from blocking (Trusted computers); Preventing virus outbreaks; Viewing the server access blocking list; Manually blocking access from computers; Unblocking access from computers; Managing quarantined objects and configuring the quarantine settings; Quarantine functions and configuration tools; Configuring quarantine settings; Managing files in Backup and configuring backup storage settings; Functions of Backup and tools used to control these functions; Configuring Backup settings; Configuring notifications; General information; Configuring administrator's and users' notifications on the Notification tab; Managing the trusted zone; Adding processes to the list of trusted processes; Disabling real-time file protection during backup copying; Adding exclusions to the trusted zone; Applying a trusted zone

CHAPTER 21. CREATING AND CONFIGURING TASKS
About creating tasks; Creating tasks; Configuring a task; Managing full scans of servers; Assigning the "full computer scan" status to an on-demand scan task

CHAPTER 22. PERFORMANCE COUNTERS FOR SYSTEM MONITOR
About Anti-Virus performance counters; Total number of denied requests; Total number of skipped requests; Number of requests not processed because of lack of system resources; Number of requests sent to be processed; Average number of file interception dispatcher streams; Maximum number of file interception dispatcher streams; Number of infected objects in processing queue; Number of objects processed per second

CHAPTER 23. ANTI-VIRUS SNMP COUNTERS AND TRAPS
About Anti-Virus SNMP counters and traps; Anti-Virus SNMP counters; Performance counters; General counters; Update counter; Real-time protection counters; Quarantine counters; Backup counters; Server access blocking counters; Counters for scanned scripts; SNMP traps

APPENDIX A. DESCRIPTION OF GENERAL ANTI-VIRUS SETTINGS AND SETTINGS OF ITS FUNCTIONS, AND TASKS
A.1. Anti-Virus settings: A.1.1. Maximum number of processes; A.1.2. Number of processes used in real-time protection; A.1.3. Number of processes for background on-demand scan tasks; A.1.4. Task recovery; A.1.5. Reports storage period; A.1.6. Storage period for events in the system audit log; A.1.7. Actions if uninterruptible power supply is used; A.1.8. Event generation thresholds; A.1.9. Tracking log settings; A Creating Anti-Virus processes memory dump files
A.2. Task schedule settings: A.2.1. Launch frequency; A.2.2. Date when the schedule will be applied and time of the first task launch; A.2.3. Schedule disabling date; A.2.4. Maximum duration of the task execution; A.2.5. Time period (within 24 hours) during which a task will be paused; A.2.6. Launching skipped tasks; A.2.7. Launch time distribution within a time interval, min
A.3. Security settings in the Real-time file protection task and on-demand scan tasks: A.3.1. Protection mode; A.3.2. Detectable objects; A.3.3. Scanning new and modified objects only; A.3.4. Scanning composite objects; A.3.5. Action to be performed with infected objects; A.3.6. Actions to be performed with suspicious objects; A.3.7. Actions depending on threat type; A.3.8. Excluding objects; A.3.9. Excluding threats; A Maximum object scan time; A Maximum size of a detectable composite object; A Use of iChecker technology; A Use of iSwift technology
A.4. Automatic blocking settings for computer access to the server: A.4.1. Enabling / disabling of automatic blocking access from computers; A.4.2. Actions to be performed with infected objects; A.4.3. The trusted computers list; A.4.4. Preventing virus outbreaks
A.5. Updating task settings: A.5.1. Update source; A.5.2. FTP server mode for connection to the protected server; A.5.3. Update source connection timeout; A.5.4. Using and configuring a proxy server; A.5.5. Regional settings for optimization of updates downloading (Location of the protected server); A.5.6. The Application Module Updates task settings; A.5.7. Updates distribution task settings
A.6. Quarantine settings: A.6.1. Quarantine folder; A.6.2. Maximum quarantine size; A.6.3. Free quarantine space threshold; A.6.4. Folder for restoration
A.7. Backup storage settings: A.7.1. Backup storage folder; A.7.2. Maximum backup storage size; A.7.3. Minimum backup storage free space threshold; A.7.4. Folder for restoration

APPENDIX B. KASPERSKY LAB
B.1. Other Kaspersky Lab Products; B.2. Contact Us

APPENDIX C. INDEX

APPENDIX D. LICENSE AGREEMENT

CHAPTER 1. INTRODUCTION

This guide describes how to use Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition (hereinafter, Anti-Virus).

Section 1.1 on pg. 12 contains general information about Anti-Virus as well as a description of its protection functions and of detectable threats.

Part 1 of the user guide, Configuration and Control via MMC, discusses Anti-Virus control via the console installed on a protected server or on a remote workstation.

For instructions on how to control Anti-Virus from the command line of the protected server, refer to Part 2, Control of the Anti-Virus from the command line.

Part 3, Configuration and control using Kaspersky Administration Kit, discusses protection of servers with Anti-Virus installed, using the Kaspersky Administration Kit application.

Part 4, Anti-Virus counters, describes the Anti-Virus counters for the "System Monitor" application as well as SNMP counters and traps.

If you have not found an answer to your question about Anti-Virus in this document, please feel free to refer to other resources containing information about this product (see section 1.2 on pg. 18).

General Anti-Virus information

Anti-Virus protects servers running Microsoft Windows against threats that penetrate computers through file exchange. It is designed to be used in local area networks of medium to large organizations. Anti-Virus users are computer network administrators and specialists responsible for the anti-virus protection of networks.

You can install Anti-Virus on servers that perform various functions: on terminal servers and print servers, on application servers and domain controllers, as well as on file servers, which are more susceptible to virus infections than others because they exchange files with user workstations.

You can control the protection of the server on which Anti-Virus is installed using various tools: the Anti-Virus console in MMC, command line commands, or the Kaspersky Administration Kit application for centralized control of the protection of multiple servers, each with Anti-Virus installed. You can view the Anti-Virus performance counters for the "System Monitor" application as well as SNMP counters and traps.

This chapter contains the following information:
- about the Anti-Virus functions Real-time protection and On-demand scan (see section on pg. 13);
- about threats which can be detected and disinfected by Anti-Virus (see section on pg. 14);
- how Anti-Virus detects infected, suspicious and potentially dangerous (riskware) objects (see section on pg. 17).

Real-time protection and on-demand scan

You can use two Anti-Virus functions to ensure server protection: Real-time protection and On-demand scan. You can enable or disable these functions manually or using a schedule.

By default, Real-time protection starts automatically when Anti-Virus starts and continues running in the background. Anti-Virus scans the following objects of the protected server when they are accessed:
- files;
- alternate file system streams (NTFS streams);
- the master boot record and boot sectors of the local hard drives and removable media.

When an application writes a file to the server or reads a file from it, Anti-Virus intercepts the file, scans it for threats and, if it detects a threat, performs the actions you have specified: it attempts to disinfect the file or simply deletes it. Anti-Virus returns the file to the application only if it is not infected or if it has been successfully disinfected.

Anti-Virus scans objects not only for viruses but also for other types of threats, for example, Trojan horses, adware or spyware. For more details about threats that can be detected and disinfected by Anti-Virus, refer to pg. 14.

Additionally, Anti-Virus continuously monitors attempts to execute VBScript or JScript scripts created using Microsoft Windows Script (or Active Scripting) technologies on the protected server. The application checks the code of the scripts and automatically prohibits execution of scripts it has found malicious.

The task of real-time protection is to ensure maximum server security with minimum slowdown of file exchange.

An On-demand scan is a one-time complete or selective scan of objects on the server for threats. Anti-Virus scans files, server RAM and startup objects, which are rather difficult to restore once they have been corrupted.

By default, Anti-Virus performs a full computer scan once a week. We recommend launching a full computer scan manually after periods during which real-time file protection was disabled.

About threats detectable by Anti-Virus

Anti-Virus can detect hundreds of thousands of malware programs in file system objects. Some of these programs pose a greater threat to the user; others are dangerous only when certain conditions are met. After Anti-Virus detects a malicious program in an object, it assigns the program a category characterized by a certain severity level (high, medium or low).

Anti-Virus distinguishes the following malware categories:
- viruses and worms (Virware);
- Trojan horses (Trojware);
- other malware;
- pornware;
- adware;
- riskware.

Note: You can check the severity level of threats detected in suspicious objects using the Quarantine node (see Chapter 11 on pg. 155), and the severity level of threats contained in infected objects using the Backup storage node (see Chapter 12 on pg. 173).

A brief description of the threats is provided below. For a more detailed description of malware programs and their classification please visit Kaspersky Lab's Virus Encyclopedia (

Viruses and worms (Virware)
Severity level: high

This category includes classic viruses and network worms.

A classic virus (class Virus) infects files of other programs or data. It adds its own code to such files in order to gain control when these files are opened. After it has penetrated the system, a classic virus is activated when triggered by a certain event and performs its malicious action.

Classic viruses differ in their environment and in the method they use to infect other objects.

The term environment refers to the areas of a computer, an operating system or an application penetrated by the virus code. Based on the environment, file, boot, macro and script viruses are distinguished.

The term method of infection refers to the various methods of implanting malicious code into the objects being infected. There are numerous types of viruses using various methods of infection. Overwriting viruses write their own code in place of the code of the file they infect, destroying the content of that file. The infected file stops working and cannot be restored. Parasitic viruses modify the code of files, leaving such files fully or partially operational. Companion viruses do not modify files but create duplicates of them. When such an infected file is accessed, control is taken over by its duplicate, which is the virus. There are also link viruses, which infect object modules (OBJ), viruses which infect compiler libraries (LIB), viruses which infect the source text of programs, etc.

After it penetrates the system, the code of a network worm (class Worm), like the code of a classic virus, is activated and performs its malicious action. The network worm received its name due to its ability to tunnel from one computer to another, that is, to send copies of itself through various information channels.

The method of proliferation is the main attribute that differentiates the various types of network worms. Network worms can be mail worms, internet pager worms, IRC channel worms, file sharing network worms and other network worms. Other network worms are those which distribute copies of themselves in network resources, penetrate operating systems using vulnerabilities in them and in the applications running under them, penetrate public network resources and use other threats.

Many network worms can proliferate extremely fast.

In addition to the damage they inflict on the infected computer, network worms discredit the owner of such a computer, cause additional charges for network traffic and clutter up internet channels.

Trojan horses (Trojware)
Severity level: high

Trojans (classes Trojan, Backdoor, Rootkit and others) perform actions on computers that are not authorized by the user; for example, they steal passwords, access internet resources, and download and install other programs.

Unlike classic viruses, Trojans do not proliferate by themselves by penetrating files and infecting them. Rather, they are transferred by the "master's" command. However, Trojans may inflict far greater damage than a regular virus attack.

The most dangerous Trojans are Backdoors, which are remote administration utilities. When run, these programs install themselves in the system without the user's knowledge and perform hidden monitoring: they erase data from drives, "freeze" the system or transfer information to their developer.

Another type of Trojan is the Rootkit. Like other Trojan programs, Rootkits penetrate the system without the user's knowledge. Although they do not perform any malicious actions themselves, they camouflage other malware programs and their activities and thus extend the existence of such programs in the infected system. Rootkits may hide files or processes in the memory of an infected computer or registry keys run by malware programs. Rootkits may also conceal a hacker's access to the system.

Other malware programs (Malware)
Severity level: average

Other malware programs do not pose any threat to the computer on which they are executed, yet they can be used to organize network attacks on remote servers, hack other computers, or create other viruses or Trojan programs.

There are many types of other malware programs. Network attacks (class DoS (Denial-of-Service)) send multiple requests to remote servers, which causes these servers to fail. Hoaxes (types BadJoke, Hoax) alarm users with virus-like messages: they can "detect" a virus in a clean file or display a message about disk formatting which will not take place. Encrypting programs (classes FileCryptor, PolyCryptor) encrypt other malware programs to prevent them from being detected during an anti-virus scan. Constructors (class Constructor) allow generating source texts of viruses, object modules or infected files. Spam utilities (class SpamTool) collect addresses on the infected computer or turn such a computer into a spam-sending machine.

Pornware (Pornware)
Severity level: medium

Pornware programs belong to the "not-a-virus" class of programs. They have functions which may inflict damage on the user only if special conditions are met.

Such programs are associated with the display of pornographic content to the user. Depending on the behavior of the programs, three types are distinguished: automatic dialers (Porn-Dialer), downloaders (Porn-Downloader) and tools (Porn-Tool).

Porn dialers connect to pay-per-view pornographic internet resources using a modem; porn downloaders download pornography to the user's computer. Porn tools are programs related to the search and display of pornographic materials (for example, special instrument panels for browsers and special video players).

Adware (Adware)
Severity level: medium

Adware programs belong to the "not-a-virus" class. They are built into other programs without the user's knowledge in order to display advertising messages in their interface. In many cases adware programs, in addition to displaying advertising messages, gather users' personal information and send it to their developer, change browser settings (browser home page, search page, security levels, etc.) and create traffic that is not controlled by the user. In addition to violating security rules, the activities of adware programs may cause direct financial damage.

Riskware
Severity level: low

Riskware programs belong to the "not-a-virus" class of programs. Such programs may be legally purchased and used in the daily operations of users, for example, system administrators.

Some remote administration programs, such as RemoteAdmin, are considered riskware. It is the user who installs and runs these programs on his or her computer. This differentiates them from Backdoor programs, which install themselves into the system and start monitoring it without the user's knowledge.

Riskware programs also include some automatic keyboard layout change programs, IRC clients, FTP servers, and utilities for killing and hiding processes.

About infected and suspicious objects and objects that may potentially contain malicious code

The server on which Anti-Virus is installed stores a set of Anti-Virus bases (hereinafter, bases or database). Bases are files containing records that are used to identify the presence of malicious code of hundreds of thousands of known potential threats in detectable objects. Records contain information about the control sections of the threats' code and the algorithms used for disinfecting objects in which these threats are contained.

If Anti-Virus detects, in a detectable object, sections of code that fully coincide with the control code sections of a threat according to the information provided in the bases, it considers the object infected; if the code coincides only partially (in accordance with certain conditions), it considers the object suspicious.

Additionally, Anti-Virus detects objects which may potentially contain malicious code. For this purpose, it uses a heuristic code analyzer. The code of such an object cannot be said to coincide fully or partially with the code of a known threat, but it does contain some command sequences characteristic of malicious objects, such as opening a file, writing to a file or intercepting interrupt vectors. The heuristic analyzer determines, for example, that a file seems to be infected with an unknown boot virus.

If Anti-Virus finds a detectable object infected or suspicious, it returns the name of the threat contained in the object; if Anti-Virus finds that an object may potentially contain malicious code, it does not return the name of the threat contained in the object.

Note: The term "objects potentially containing malicious code" is not used in the security setting configuration dialog box or in the Security Settings dialog window and the Task Statistics dialog window: there, Anti-Virus calls "suspicious" both objects that may potentially contain malicious code and suspicious objects (those in which code sections that coincide with the code of known threats have been detected). In other dialog boxes of the Anti-Virus console the terms "suspicious objects" and "objects that may potentially contain malicious code" are named differently. The term "suspicious objects" refers only to suspicious objects.

Obtaining information about Anti-Virus

If you have any questions regarding purchasing, installing or using Anti-Virus, you can easily receive answers to them. Kaspersky Lab has many sources of information, and you can select the source most convenient to you depending on how urgent and important your question is. You can:
- find the answer to your question on your own (see section on pg. 19);
- receive an answer from the Sales Department personnel (see section on pg. 20);
- receive a response from a Technical Support specialist if you have already purchased Anti-Virus (see section on pg. 21);
- discuss your question not only with Kaspersky Lab's specialists but also with other users in the web forum section dedicated to Anti-Virus (see section on pg. 22).

Sources of information to research on your own

You can refer to the following information sources about the application:
- the Anti-Virus page at the Kaspersky Lab's website;
- the application page at the Support Service (Knowledge Base) website;
- help system;
- documentation.

The Anti-Virus page at the Kaspersky Lab's website
Virus_windows_server_enterprise

This page contains general information about the application, its functionality and peculiarities. You can purchase the application or extend the period of its usage in our online store.

Application page at the Support Service (Knowledge Base) website

This page contains articles published by the Technical Support service specialists. These articles contain useful information, recommendations and answers to frequently asked questions related to the purchase, installation and use of the application. The answers are grouped by topic, for example, "Working with key files", "Configuring base updates" or "Troubleshooting". The articles may answer questions related not only to this particular application but also to other Kaspersky Lab products; they may also contain general Technical Support service news.

Help system

The application's distribution kit includes a complete help file. The complete help file contains information on managing computer protection using the Anti-Virus console in MMC: how to view the protection status, scan various areas of the computer and perform other tasks. It also contains information about managing the application from the command line and using Anti-Virus efficiency counters as well as SNMP counters and traps.

To open the complete help file, select the Display help command from the Help menu in the Anti-Virus console.

If you have any questions regarding an individual application window, you can refer to the context help. To open the context help, press the Help button or the <F1> key in the window you need help on.

Documentation

The set of documents supplied with the application contains most of the information required for its operation. The set contains the following documents:
- Typical usage schemes. This document discusses the use of Anti-Virus in the enterprise network.
- Comparison with Kaspersky Anti-Virus 6.0 for Windows Servers. This document lists the characteristics of Anti-Virus which differentiate it from Kaspersky Anti-Virus 6.0 for Windows Servers.
- Installation Guide. This document contains the computer requirements for installing Anti-Virus, Anti-Virus installation and activation instructions, as well as instructions on verifying its operability and initial setup.
- Administration Guide (this document). This document discusses how to work with the Anti-Virus console in MMC, manage Anti-Virus from the Kaspersky Administration Kit application and from the command line, and use Anti-Virus efficiency counters as well as counters and traps for the SNMP protocol.

Files with these documents in PDF format are included in the Anti-Virus distribution kit. Alternatively, you can download these documents from the Anti-Virus page of the Kaspersky Lab's website.

After you have installed the Anti-Virus console, you can open the Administrator's Guide from the Start menu.

Contacting the Sales Department

If you have questions regarding selecting or purchasing Anti-Virus or extending the period of its use, you can phone Sales Department specialists in our Central Office in Moscow at:

(495) , +7 (495) , +7 (495)

The service is provided in Russian or English.

You can also send your questions to the Sales Department specialists by e-mail at

In the Sales Department you can obtain advice on managing enterprise network protection, application network deployment or joint use of the application with other programs.

Contacting the Technical Support service

If you have already purchased the application, you can obtain information about it from the Technical Support service by phone or via the internet.

The Technical Support service specialists will answer your questions regarding the installation and use of the application and will help you eliminate the consequences of malware activity if your computer has already been infected.

Technical support by phone

If you have a problem requiring urgent help, you can call the Technical Support service located in our Moscow office at: +7 (495) , +7 (495) or +7 (495)

We provide technical support to Kaspersky Lab's users around the clock in Russian and English. If you wish to talk to an expert specializing exclusively in Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition, call during business hours, from 10:00 am until 6:30 pm Moscow time (GMT +3).

Provide the Technical Support service specialist with the application's activation code or the key serial number (you can view it in the Keys node of the Anti-Virus console, in the properties of the installed key).

An e-mail request to the Technical Support service (for registered users only)

You can ask the Technical Support service specialists your question by filling out a Helpdesk web form at

You can send your question in Russian, English, German, French or Spanish.

In order to send an e-mail message with your question, you must indicate the client number obtained during the registration at the Technical Support service website along with your password.

Note: If you are not yet a registered user of Kaspersky Lab's applications you can fill out a registration form on page:
During the registration you must provide the application's activation code or the key serial number (you can view it in the Keys node of the Anti-Virus console in the properties of the key installed).

You will receive a Technical Support service specialist's response to your e-mail at the address you have specified in your question and in your Personal Cabinet

Describe the problem you have encountered in the request web form with as much detail as possible. Specify the following in the mandatory fields:

- Request type. Questions most frequently asked by users are grouped into special topics, for example "Product installation/removal problem" or "Virus scan/removal problem". If you have not found an appropriate topic, select "General Question".
- Product name: Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition.
- Request text: Describe the problem you have encountered with as much detail as possible.
- Client number and password. Enter the client number and the password which you received during the registration at the Technical Support service website.
- E-mail address. The Technical Support service specialists will use this address to send their answer to your question.

Discussing Kaspersky Lab's applications at the web forum

If your question does not require an urgent answer, you can discuss it with Kaspersky Lab's specialists and other users of Kaspersky Lab's Anti-Virus applications in our forum located at

In this forum you can view topics published earlier, leave your comments, create new topics and use the search engine. For example, you can discuss various scenarios of Anti-Virus deployment in your organization and its configuration options.

PART 1. CONFIGURATION AND CONTROL VIA MMC

This part contains the following information:

- Starting the Anti-Virus console in MMC, granting access to Anti-Virus functions, description of the console window appearance (see Chapter 2 on pg. 25);
- Configuring general Anti-Virus settings (see Chapter 3 on pg. 40);
- Importing and exporting the settings of Anti-Virus and of its individual functional components (see Chapter 4 on pg. 44);
- The concept of a task in the Anti-Virus, types of tasks, operations performed with tasks, configuring a task schedule, viewing task statistics, launching a task under a different account (see Chapter 5 on pg. 48);
- Configuring real-time task settings (see Chapter 6 on pg. 62);
- Blocking access from computers to the server during Real-time file protection tasks (see Chapter 7 on pg. 87);
- Trusted zone (see Chapter 8 on pg. 99);
- Updating the Anti-Virus bases and application modules (see Chapter 10 on pg. 136);
- Using quarantine for isolation of suspicious objects (see Chapter 11 on pg. 155);
- Backing up files before disinfection or deletion and using Backup (see Chapter 12 on pg. 173);
- Registration of events and Anti-Virus statistics (see Chapter 13 on pg. 185);
- Installing and deleting license keys (see Chapter 14 on pg. 209);
- Configuring notifications (see Chapter 15 on pg. 214).

CHAPTER 2. WORKING WITH ANTI-VIRUS CONSOLE IN MMC AND ACCESS TO ANTI-VIRUS FUNCTIONS

This chapter contains the following information:

- about the Anti-Virus console in MMC (see 2.1 on pg. 25);
- advanced configuration after the installation of the Anti-Virus Console in MMC onto another computer (see 2.2 on pg. 26);
- starting the Anti-Virus console from the Start menu (see 2.3 on pg. 31);
- functions of the Anti-Virus icon in the notification area of the protected server's task tray (see 2.4 on pg. 32);
- appearance of the Anti-Virus console window (see 2.5 on pg. 34);
- distribution of access permissions to Anti-Virus functions (see 2.6 on pg. 34);
- starting and stopping the Anti-Virus service (see 2.7 on pg. 38).

About the Anti-Virus console in MMC

The Anti-Virus console is an isolated snap-in added to the MMC console (Microsoft Management Console). After the installation of the Anti-Virus console the installer saves the .msc file (file name) to the Anti-Virus folder and adds the Anti-Virus snap-in to the list of isolated Microsoft Windows snap-ins.

You can open the Anti-Virus console on the protected server by starting it from the Start menu or from the shortcut menu of the Anti-Virus icon in the task tray, by starting the msc-file with the snap-in, or by adding the Anti-Virus snap-in to the existing MMC console as a new element in the tree.

You can launch the msc-file of the Anti-Virus snap-in or add the Anti-Virus snap-in to the existing MMC console as a new element in the tree. In the 64-bit version of Microsoft Windows you can add the Anti-Virus snap-in only in the 32-bit version of MMC (MMC32): open MMC using the shell with the command: mmc.exe /32.

You can manage the Anti-Virus via the MMC installed on the protected server or on any other computer within the network. After you have installed the Anti-Virus console onto another computer you must perform advanced configuration as described in section 2.2 on pg. 26.

You can add several Anti-Virus snap-ins to a single console opened in the authoring mode in order to use it for managing protection of multiple servers on which Anti-Virus is installed.

Advanced configuration after installation of the Anti-Virus Console in MMC on another computer

If you installed the Anti-Virus Console in MMC onto another computer rather than on the protected server, you must perform the following actions in order to remotely control Anti-Virus on the protected server:

- add Anti-Virus users to the KAVWSEE Administrators group on the protected server (see section on pg. 27);
- if the protected server is running Microsoft Windows Server 2008, allow network connections for the Anti-Virus management service kavfsgt.exe on this computer (see on pg. 28);
- if the remote computer is running Microsoft Windows XP SP1, disable Windows Firewall on it to allow network connections for the Anti-Virus Console installed on it (see section on pg. 29);
- for the Anti-Virus Console on a computer running Microsoft Windows XP SP2 or Microsoft Windows Vista: if during Console installation you did not select the Allow network connections for Kaspersky Anti-Virus Console checkbox, manually allow network connections for the console in the firewall on that computer (see section on pg. 29).

Adding Anti-Virus users to the KAVWSEE Administrators group on the protected server

In order to manage Anti-Virus via the Anti-Virus console in MMC installed on another computer, the Anti-Virus users must have full access to the Anti-Virus management service (Kaspersky Anti-Virus Management) on the protected server. By default only users included into the group of local administrators on the protected server have access to this service.

Note: To learn which services Anti-Virus registers, refer to the document Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition. Installation Guide.

You can grant the right to access the Anti-Virus management service to accounts of the following types:

- accounts registered locally on the computer on which the Anti-Virus console is installed. In order to establish a connection, an account with the same data must be registered locally on the protected server;
- accounts registered in the domain in which the computer with the Anti-Virus console installed is registered. In order to establish a connection, the protected server must be registered within the same domain or within a domain that is in a trust relationship with this domain.

During the installation Anti-Virus registers the KAVWSEE Administrators group on the protected server. Users of this group are granted access to the Anti-Virus management service. You can grant or disallow users access to the Anti-Virus management service by adding them to the KAVWSEE Administrators group or removing them from this group.

In order to allow or disallow access to the Anti-Virus management service:

1. On the protected server select Start → Settings → Control Panel. Select Administrative Tools → Computer Management in the Control Panel window.
2. In the Computer Management console expand the Local users and groups node and then expand the Groups node.
3. Double-click the KAVWSEE Administrators group and perform the following actions in the Properties window:
   - in order to allow the user to remotely manage Anti-Virus using the console, add this user to the KAVWSEE Administrators group;
   - in order to disallow the user to remotely manage Anti-Virus using the console, remove this user from the KAVWSEE Administrators group.
4. Press OK in the Properties dialog box.

Allowing network connections for Anti-Virus management service on the server running Microsoft Windows Server 2008

In order to establish connections between the console and the Anti-Virus management service, it is necessary to allow network connections through the firewall for the Kaspersky Anti-Virus management service on the protected server.

To allow network connections for the Kaspersky Anti-Virus management service:

1. On the protected server running Microsoft Windows Server 2008 select Start → Control Panel → Security → Windows Firewall.
2. In the Windows Firewall settings dialog window click Change settings.
3. In the list of predefined exceptions on the Exceptions tab select the checkboxes: COM+ Network access, Windows Management Instrumentation (WMI) and Remote Administration.
4. Press the Add Program button.
5. Specify the kavfsgt.exe file in the Add a Program dialog window. It is located in the folder that you specified as the destination folder during the installation of the Anti-Virus console in MMC. By default the full path to the file is as follows:
   - in the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition\kavfsgt.exe;
   - in the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition\kavfsgt.exe.
6. Press the OK button.
7. Press the OK button in the Windows Firewall settings dialog window.
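The two server-side steps above (membership of the KAVWSEE Administrators group and the firewall exception for kavfsgt.exe), as an added PowerShell example that is not part of the guide: it checks the group's members against an approved list and adds the program exception restricted to the console hosts' addresses, a restriction the steps above do not mention. The account names, addresses, rule name, the -ServicePath parameter and the -Apply switch are assumptions made for the example; the predefined exceptions from step 3 are not covered.

```powershell
# Added example, not taken from the guide. Run from an elevated PowerShell
# prompt on the protected server; the syntax is kept to PowerShell 2.0.
param(
    # Constructed sample values: accounts approved for remote management.
    [string[]]$ApprovedMembers = @('EXAMPLE\av-admin1', 'EXAMPLE\av-admin2'),
    # Constructed sample values: addresses of the hosts running the MMC console.
    [string[]]$ConsoleHosts = @('192.0.2.10', '192.0.2.11'),
    # Set this if Anti-Virus was installed outside the default folder.
    [string]$ServicePath = '',
    # Without -Apply the script only prints the netsh command it would run.
    [switch]$Apply
)

$groupName = 'KAVWSEE Administrators'

# Return the members of a local group as DOMAIN\name or COMPUTER\name strings.
function Get-GroupMemberName {
    param([string]$Name)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name.
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = $path.Substring('WinNT://'.Length).Split('/')
        if ($parts.Length -ge 2) {
            '{0}\{1}' -f $parts[-2], $parts[-1]
        } else {
            $parts[-1]
        }
    }
}

# 1. Audit the group that grants access to the Anti-Virus management service.
try {
    $members = @(Get-GroupMemberName -Name $groupName)
} catch {
    Write-Warning "Cannot read group '$groupName': $($_.Exception.Message)"
    $members = @()
}
"Members of '$groupName':"
foreach ($m in $members) {
    if ($ApprovedMembers -contains $m) {
        "  approved    $m"
    } else {
        "  UNEXPECTED  $m"
    }
}

# 2. Allow inbound connections to kavfsgt.exe from the console hosts only.
if (-not $ServicePath) {
    # Default folder named in the guide; the (x86) variable exists on 64-bit Windows.
    $programFiles = ${env:ProgramFiles(x86)}
    if (-not $programFiles) { $programFiles = $env:ProgramFiles }
    $ServicePath = Join-Path $programFiles 'Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition\kavfsgt.exe'
}
if (-not (Test-Path $ServicePath)) {
    Write-Warning "kavfsgt.exe not found at $ServicePath"
    return
}
if ($ConsoleHosts.Length -eq 0) {
    Write-Warning 'No console hosts given; refusing to add an unscoped rule.'
    return
}

$ruleArgs = @(
    'advfirewall', 'firewall', 'add', 'rule',
    'name=Kaspersky Anti-Virus management service (kavfsgt.exe)',
    'dir=in', 'action=allow', 'enable=yes',
    "program=$ServicePath",
    ('remoteip=' + ($ConsoleHosts -join ','))
)
if ($Apply) {
    & netsh $ruleArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh exited with code $LASTEXITCODE" }
} else {
    'Would run: netsh ' + ($ruleArgs -join ' ')
}
```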

Enabling network connections for the Anti-Virus MMC Console in Microsoft Windows XP SP1

If the computer with the installed Anti-Virus Console runs Microsoft Windows XP SP1, you will have to disable Windows Firewall on that host to allow network connections for the console:

1. On the computer with the installed Anti-Virus Console in MMC select Start → Control Panel → Network Connections.
2. Open the context menu of a network connection (e.g., Local Area Connection) and select Properties.
3. In the <Network connection name>: Properties dialog, clear the Protect my Internet connection checkbox on the Advanced tab.
4. Press the OK button.

Enabling network connections for the Anti-Virus MMC Console in Microsoft Windows XP SP2 or Microsoft Windows Vista

The Anti-Virus console in MMC on the remote computer uses the DCOM protocol in order to receive information about Anti-Virus events (objects scanned, tasks completed, etc.) from the Anti-Virus management service on the protected server.

If the computer with the installed console runs Microsoft Windows XP SP2 or Microsoft Windows Vista, you will have to allow network connections via the firewall on this computer in order to open connections between the console and the Anti-Virus management service. Perform the following steps:

- make sure that anonymous remote access to COM applications is allowed (but not remote launch and activation of COM applications), and
- in the Windows firewall open TCP port 135 and allow network connections for the executable file kavfsrcn.exe of the Anti-Virus remote management process.

The client computer on which the Anti-Virus console in MMC is installed uses TCP port 135 in order to access the protected server and to receive the server response.

In order to grant anonymous access to COM applications:

1. On the computer with the Anti-Virus MMC console installed open the Component Services console. To do that select Start → Run, type dcomcnfg and press the OK button.
2. Expand the Computers node in the Component Services console of the computer, open the shortcut menu of the My Computer node and select the Properties command.
3. On the COM Security tab of the Properties dialog box, press the Edit Limits button in the Access Permissions group of settings.
4. Make sure that the Allow remote access box is checked for the ANONYMOUS LOGON user in the Access Permission dialog box.
5. Press the OK button.

In order to open TCP port 135 in the Windows firewall and allow network connections for the executable file of the Anti-Virus remote management process:

1. Close the Anti-Virus MMC console on the remote computer.
2. Perform one of the following actions:
   - in Microsoft Windows XP SP2 or higher select Start → Control Panel → Windows Firewall;
   - in Microsoft Windows Vista select Start → Control Panel → Windows Firewall and click Change settings in the Windows Firewall dialog window.
3. In the Windows Firewall dialog window (or Windows Firewall settings) press the Add port button on the Exceptions tab.
4. In the Name field specify the port name RPC (TCP/135) or enter another name, for example Anti-Virus DCOM, and specify the port number (135) in the Port number field.
5. Select the TCP protocol.
6. Press the OK button.
7. Press the Add program button on the Exceptions tab.
8. Specify the file kavfsrcn.exe in the Add a program dialog box. It is stored in the folder that you specified as the destination folder during the installation of the Anti-Virus console in MMC. By default the full path to the file is as follows:
   - in the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition Admins Tools\kavfsrcn.exe;
   - in the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition Admins Tools\kavfsrcn.exe.
9. Press the OK button.
10. Press OK in the Windows Firewall (Windows Firewall settings) dialog box.

Note: In order to apply the new connection settings: if the Anti-Virus console was opened while you were configuring the connection between the protected server and the computer with the console installed, close the console, wait for seconds (until the Anti-Virus remote management process kavfsrcn.exe is completed) and then run it again.

Starting the Anti-Virus console from the Start menu

Make sure that the Anti-Virus console is installed on the computer.

In order to start the Anti-Virus console from the Start menu:

1. Select Start → Programs → Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition → Administration Tools → Kaspersky Anti-Virus MMC Console.

Note: If you plan to add other snap-ins to the Anti-Virus console, open the console in the authoring mode: select Start → Programs → Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition → Administration Tools, open the shortcut menu on the Kaspersky Anti-Virus console and select Author.

If you started the Anti-Virus console on the protected server, the console window (see Figure 1) will open.

Figure 1. The Anti-Virus console window

2. If you started the Anti-Virus console on a remote computer rather than on the protected server, connect to the protected server: open the shortcut menu on the Anti-Virus snap-in name, select the command Connect to another computer, then select Another computer in the Select computer dialog box and specify the network name of the protected server in the entry field.

If the account that you used to log on to Microsoft Windows does not have the access right to the Anti-Virus Management Service at the server, specify a different account that has such rights. For details on which accounts you can grant access to the Anti-Virus Management Service refer to section on pg.

Anti-Virus icon in the notification area of the task tray

Each time Anti-Virus automatically starts after the server restart, the Anti-Virus icon will be displayed in the notification area of the task tray. It is displayed by default if during Anti-Virus installation you included the Task tray application component into the set of the installed components.

The Anti-Virus icon may have one of two statuses:

- Active (color): if any real-time protection task (Real-time file protection or Script Monitoring) is currently in progress (for details about real-time protection tasks refer to section 6.1 on pg. 62);
- Inactive (black and white): if the Real-time file protection task or the Script Monitoring task is not being performed at the moment.

To open the shortcut menu shown on Figure 2, right-click the Anti-Virus icon.

Figure 2. Shortcut menu of the Anti-Virus menu

The shortcut menu includes the following commands:

Command | Description
Open Kaspersky Anti-Virus Console | If Anti-Virus console is installed at the computer, you can open it.
About the program | Opens the About the program window with information about the Anti-Virus. If you are registered as Anti-Virus user, then the About the program window would contain information about urgent updates installed.
Hide | Hides the Anti-Virus icon in the notification area of the task panel. In order to display the Anti-Virus icon, select Programs → Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition → Tray Application.

You can enable or disable the display of the Anti-Virus icon after Anti-Virus automatically starts following the server restart (see section 3.2 on pg. 40).

2.5. Anti-Virus console window

The Anti-Virus console window (see Figure 3) includes the console tree and the result panel. The console tree displays the Anti-Virus functional components, and the result panel displays information about the selected node.

Figure 3. Anti-Virus console

If run from the Start menu, the Anti-Virus console will contain the taskpad (from an .msc file saved when Anti-Virus is installed). If you added the Anti-Virus utility to the MMC console yourself, the console will not contain the taskpad.

Distribution of access permissions to Anti-Virus functions

This section contains the following information:

- On access permissions to Anti-Virus features (see on pg. 35);
- Granting access permissions to Anti-Virus features (see on pg. 36).

About access permissions to Anti-Virus functions

By default access to all Anti-Virus functions is granted to the users of the Administrators group and to the users of the KAVWSEE Administrators group created on the protected server during Anti-Virus installation.

Users who have access to the Anti-Virus function Managing permissions can grant access to Anti-Virus functions to other users registered on the protected server or included into the domain.

If a user is not registered in the Anti-Virus users' list, he cannot view the Anti-Virus console.

You can grant an Anti-Virus user (or a group of users) access permissions to:

- all Anti-Virus functions (full control);
- all Anti-Virus functions except the user permissions management function (modification);
- only viewing functional Anti-Virus components, general Anti-Virus settings, settings of its functions and tasks, statistics and user rights (reading).

You can also perform advanced configuration of the access permissions: allow or disallow access to individual Anti-Virus functions. Functions, access to which can be modified, are listed in Table 1.

Table 1. Distribution of access permissions to Anti-Virus functions

Function | Description
Read statistics | Viewing the status of the functional Anti-Virus components and statistics of the tasks in progress
Task status management | Anti-Virus task starting/stopping/pausing/resuming
Task management | Creating and deleting on-demand scan tasks
Read settings | Viewing general Anti-Virus and task settings; Viewing report, notification and System audit log settings; Exporting Anti-Virus settings
Modify settings | Viewing and changing general Anti-Virus and task settings; Importing and exporting Anti-Virus settings; Viewing and changing task settings; Viewing and changing the report, notification and System audit log settings
Quarantine and Backup management | Placing objects into quarantine; Removing objects from the quarantine and removing files from Backup; Restoration of objects from Backup and quarantine
View reports | Viewing summary and detail reports about task execution in the Reports nodes and events in the System audit log node
Manage reports | Deleting reports and purging the system audit log
Key management | Installing and removing keys
Read permissions | Viewing the list of the Anti-Virus users
Manage permissions | Adding and deleting Anti-Virus users; Modifying user access permissions to Anti-Virus functions

Configuring access rights to the Anti-Virus functions

In order to add or delete a user (a group) or to change the access permissions of a user (a group):

1. Right-click the Anti-Virus utility in the console tree and select Modify user permissions. The Permissions dialog box (see Figure 4) will open:

Figure 4. The Permissions dialog box

2. Perform the following in the Permissions dialog box:
   - in order to add a user (a group) to the list of Anti-Virus users, press the Add button and select the users or groups you wish to add;
   - to grant the added user (group) access permissions to Anti-Virus functions, select the user (group) under the heading Group or user names and check the Allow box for one of the following:
     o Full control to grant access to all Anti-Virus functions;
     o Read to grant access to functions Statistics reading, Settings reading, Report reading and Right reading;
     o Modification to grant access to all Anti-Virus functions except function Right modification.
   - in order to perform advanced permission configuration (Special permissions), press the Advanced button, then select the required user or group and press the Modify button in the Advanced security settings, and then in the Permission entries dialog box (see Figure 5) check the Allow or the Deny box next to the functions access to which you wish to allow or prohibit. (The list of functions and their brief description is provided in Table 1.) Then press the OK button.

Figure 5. The Permission Entry dialog box

3. Press the OK button in the Permissions dialog box.

Starting and stopping

By default the Anti-Virus service starts automatically during the operating system startup. The Anti-Virus service controls the processes in which real-time protection, on-demand scan and updating tasks are being executed.

By default, when the Anti-Virus service is started, the Real-time file protection, Script Monitoring, Scan at system startup and Application integrity control tasks, as well as other tasks that are scheduled to start At application startup, are started.

If you stop the Anti-Virus service, execution of all tasks will be interrupted. After you restart the Anti-Virus service, interrupted tasks will not be resumed automatically. Only those tasks scheduled to start At application startup will be restarted.

Note: You can start and stop the Anti-Virus service only if you are a member of the group of local administrators on the protected server.

In order to start or stop the Anti-Virus service, open the shortcut menu of the Anti-Virus snap-in in the console tree and select one of the following commands:

- Stop, to stop the Anti-Virus service;
- Start, to start the Anti-Virus service.

You can also start and stop the Anti-Virus service using the Microsoft Windows Services snap-in.

CHAPTER 3. GENERAL ANTI-VIRUS SETTINGS

This chapter contains the following information:

- about general Anti-Virus settings (see 3.1 on pg. 40);
- configuring general Anti-Virus settings (see 3.2 on pg. 40).

Discussion of general Anti-Virus settings is provided in A.1 on pg.

About general Anti-Virus settings

General Anti-Virus settings establish the general conditions of the Anti-Virus operation. They allow you to control the number of working processes used by the Anti-Virus, enable Anti-Virus task recovery after an abnormal termination, maintain the tracking log, enable creation of the memory dump file of the Anti-Virus processes in case of an abnormal termination, turn on or off the display of the Anti-Virus icon after Anti-Virus automatically starts following the server restart, etc.

Configuring general Anti-Virus settings

This section contains a description of configuring Kaspersky Anti-Virus general settings. For a description of the general settings refer to section A.1 on pg.

In order to configure Kaspersky Anti-Virus general settings:

1. Open the shortcut menu of the Anti-Virus snap-in in the console tree and select Properties.
2. Using the following tabs, modify the values of the general Anti-Virus settings as per your requirements:
   - On the General tab (see Figure 6):
     o Specify the maximum number of working processes that Anti-Virus can start (see A.1.1 on pg. 340);

     o Specify the fixed number of processes to run real-time protection tasks (see A.1.2 on pg. 341);
     o Specify the number of working processes to run background scan tasks (see A.1.3 on pg. 342);
     o Specify the number of task recovery attempts after their abnormal termination (see A.1.4 on pg. 343).

Figure 6. The Properties dialog box, General tab

   - On the Additional tab (see Figure 7):
     o Indicate whether you wish the Anti-Virus icon to be displayed in the notification area of the server's task tray each time Anti-Virus starts after the server restart (for more details about the Anti-Virus icon refer to section 2.4 on pg. 32);
     o Specify how many days summary and detailed reports about the execution of tasks displayed in the Store reports node will be stored (see A.1.5 on pg. 344);

     o Specify how many days information in the Storage of system audit log node will be stored (see A.1.6 on pg. 344);
     o Specify the actions of Anti-Virus when running on an uninterruptible power supply (see A.1.7 on pg. 345);
     o Specify the maximum number of days after which the events Database is obsolete, Database is outdated, Full computer scan has not been performed for a long time will be created (see A.1.8 on pg. 346);

Figure 7. The Properties dialog box, Additional tab

   - On the Malfunction diagnosis tab (see Figure 8):
     o Enable or disable creation of the tracking log; if required, configure the log settings (see A.1.9 on pg. 346);
     o Enable or disable creation of the Anti-Virus process memory dump files (see A.1.10 on pg. 351).

Figure 8. The Properties dialog box, Malfunction diagnosis tab

3. After you have configured the values of the required Anti-Virus settings, press the OK button.

CHAPTER 4. IMPORTING AND EXPORTING ANTI-VIRUS SETTINGS

This chapter contains the following information:

- about importing and exporting the Anti-Virus settings (see 4.1 on pg. 44);
- exporting settings (see 4.2 on pg. 45);
- importing settings (see 4.3 on pg. 46).

About importing and exporting settings

If you wish to set up common values of the Anti-Virus settings on several protected servers, you can configure the Anti-Virus settings on one of the servers, export them into a configuration file in XML format and then import them from this file to the Anti-Virus installed on all other servers.

You can save into the configuration file all Anti-Virus settings or the settings of individual functional components.

When you are exporting all Anti-Virus settings, the Anti-Virus will save into the file the general settings and the settings of the following functional components:

- Real-time file protection;
- Script monitoring;
- Blocking access from computers;
- On-demand scan;
- Anti-Virus bases and module updates;
- Quarantine;
- Backup storage;
- Reports;
- User accounts permissions;
- Notifications;
- Trusted zone.

The Anti-Virus does not export the settings of group tasks or the lists used for blocking access from computers.

Anti-Virus exports all passwords used in the application, for example the data for the accounts used to launch tasks or connect to the proxy server, and saves them in the configuration file in encrypted format. However, they can be imported only by the Anti-Virus installed on the same computer, provided it has not been re-installed or upgraded. Anti-Virus installed on another computer cannot import them. After the settings have been imported to another computer you will have to enter the passwords manually.

If a Kaspersky Administration Kit policy is active at the moment of export, Anti-Virus exports the values that had been active before such policy was applied rather than the values used by this policy.

Note: Imported task settings are not used in the running tasks; they are applied when tasks are started. We recommend that you stop tasks in the functional components before importing settings into them.

Exporting settings

In order to export settings into the configuration file:

1. If you modified settings in the Anti-Virus console, press the Save button before exporting them in order to save their new values.
2. Perform one of the following actions:
   - in order to export all Anti-Virus settings, open the shortcut menu of the Anti-Virus snap-in in the console window and select Export settings;
   - in order to export the settings of an individual functional component, open the shortcut menu of the node of this functional component in the console tree and select Export settings.
   This will open the greeting window of the settings export wizard.
3. Follow the wizard's instructions: specify the name for the configuration file into which you wish to save the settings and the path to it.

   When specifying the path you can use system environment variables; you cannot use user environment variables.

   Note: If a Kaspersky Administration Kit policy is active at the moment of export, Anti-Virus exports the values that had been active before such policy was applied rather than the values used by this policy.

4. Press the OK button in the Export completed box in order to close the settings export wizard.

Importing settings

In order to import settings from the configuration file:

1. Perform one of the following actions:
   - in order to import all Anti-Virus settings, open the shortcut menu of the Anti-Virus snap-in in the console window and select Import settings;
   - in order to import the settings of an individual functional component, open the shortcut menu of the node of this functional component in the console tree and select Import settings.
   This will open the greeting window of the settings import wizard.
2. Follow the wizard's instructions: specify the configuration file from which you wish to import the settings.

   Note: After you have imported the general settings of the Anti-Virus or its functional components on the server, you will not be able to return the old values of these settings.

3. Press the OK button in the Import completed box in order to close the settings import wizard.
4. Press the Update button in the tools panel in the Anti-Virus console to display the imported settings.

47

Note: Anti-Virus does not import passwords (data of the accounts used to launch tasks or to connect to the proxy server) from a file created on another computer, or on the same computer after the Anti-Virus installed on it has been re-installed or updated. After the importing operation is completed, you will have to enter the passwords manually.

48

CHAPTER 5. TASK MANAGEMENT

This chapter contains the following information:

- Categories of Anti-Virus tasks by the type of their creation and execution (see 5.1 on pg. 48);
- Creating tasks (see 5.2 on pg. 50);
- Saving a task after modifying its settings (see 5.3 on pg. 52);
- Renaming tasks (see 5.4 on pg. 52);
- Deleting tasks (see 5.5 on pg. 53);
- Manual starting / pausing / resuming / stopping of tasks (see 5.6 on pg. 53);
- Managing task schedules (see 5.7 on pg. 53);
- Viewing task statistics (see 5.8 on pg. 58);
- Using a different account to start a task (see 5.9 on pg. 59).

Categories of Anti-Virus tasks

The Real-time protection, On-demand protection, Updating and Managing the Anti-Virus keys functions are implemented as tasks. You can start and stop tasks either manually or using a schedule.

By the place of their creation and execution, tasks can be local or group. Local tasks can be of two categories: system and user-defined tasks.

Local tasks

Local tasks are executed only on the protected server for which they are created.

Local system tasks are created automatically during the Anti-Virus installation. You can modify the settings of all system tasks except the Scan Quarantine, Application integrity control and Application database rollback tasks. You cannot rename or delete system tasks. You can launch system and user-defined on-demand scan tasks at the same time.

49

Local user-defined tasks. You can add new on-demand scan tasks in the Anti-Virus console in MMC. Using the administration console of the Kaspersky Administration Kit application, you can create new on-demand scan, database update, database update rollback, and update downloading tasks. Such tasks are called user-defined tasks. You can rename, configure and delete user-defined tasks. You can start several user-defined tasks at the same time.

Group tasks

Group and global tasks created in the Kaspersky Administration Kit Administration Console are reflected in the Anti-Virus console in MMC. They are all called group tasks in the Anti-Virus console. You can manage and configure group tasks from the Kaspersky Administration Kit application. In the Anti-Virus console in MMC you can only view the status of group tasks.

The Anti-Virus console displays information about the tasks (see example on Figure 9).

Figure 9. Real-time protection tasks in the Anti-Virus console window

Task management commands are listed in the shortcut menu that opens when you right-click the task name.

Task management operations are registered in the system audit log (see 13.3 on pg. 199).

50

5.2. Creating a task

You can create user-defined tasks in the On-demand scan node. Creation of user-defined tasks is not provided in other functional components of Anti-Virus.

In order to create a new on-demand scan task:

1. Right-click the On-demand scan node and select Add task (see Figure 10).

   Figure 10. An example of creating a task

   This will open the Create task dialog box (see Figure 11):

51

   Figure 11. The Create task dialog box

2. Enter the following information about the task:
   - Name - the task name, not more than 100 characters.
   - Description - any additional information about the task, with a maximum length of 2000 characters. This information will be displayed in the task property dialog box.
3. If you need to run the task in a low-priority process, select Execute task in the background (for more details on Anti-Virus task priorities, see 9.3 on pg. 131).
4. Press the OK button. The task will be created. A line with information about this task will appear in the console window.

52

5.3. Saving task after changing its settings

You can change the settings of a running or of a stopped (paused) task:

- If you changed the settings of a running task, then for real-time protection tasks the new values of the settings will be applied immediately after you save them, and for all other tasks the next time the task is started;
- If you changed the settings of a stopped task, the new values of the settings will be applied after you save them and start the task.

To save the changed settings of a task, open the shortcut menu of the task name and select the Save command.

Note: If, after changing the task settings, you select another node in the console tree without first selecting the Save command, a setting saving dialog box will appear. Press Yes in this window to save the task settings or No to leave the node without saving the changes.

Settings of the Real-time file protection task are listed in 6.2 on pg. 62. Settings of the Scan My computer task are listed in 9.2 on pg. Update task settings are listed in 10.5 on pg.

Renaming tasks

You can rename only user-defined tasks in the Anti-Virus console; you cannot rename system or group tasks.

In order to rename a task:

1. Right-click the task name and select Properties.
2. Enter the new task name in the Name field of the Properties dialog window and press the OK button.

The task will be renamed. The operation will be registered in the system audit log (see 13.3 on pg. 199).

To learn how to configure security parameters see 5.7 on pg. 53.

53

Deleting tasks

You can delete only user-defined tasks in the Anti-Virus console; you cannot delete system or group tasks.

In order to delete a task:

1. Right-click the task name and select Delete.
2. Press the Yes button in the Deleting task dialog box in order to confirm the action.

The task will be deleted and the deletion operation will be registered in the system audit log (see 13.3 on pg. 199).

Starting/pausing/resuming/stopping tasks manually

You can pause or resume all tasks except the updating tasks.

In order to start/pause/resume/stop a task, right-click the task name and select the command you wish to perform: Start, Pause, Resume or Stop.

The operation will be performed. The task status in the result panel will change and the operation will be registered in the system audit log (see 13.3 on pg. 199).

Note: If you pause and resume an on-demand scan task, Anti-Virus will resume the scan from the object on which the task had been paused.

Managing task schedules

This chapter contains the following information:

- task schedule configuration (see on pg. 54);
- enabling / disabling a configured task schedule (see on pg. 58).

Schedule settings are described in A.2 on pg. 353.

54

Configuring task schedules

You can configure the schedule of local system and user-defined tasks in the Anti-Virus console. You cannot configure the schedule settings of group tasks.

Schedule settings are described in A.2 on pg.

In order to configure the task schedule settings:

1. Right-click the name of the task whose schedule you wish to configure and select Properties.
2. Using the Task Properties dialog box (see Figure 12) enable the schedule for this task: check the Run by the schedule box.

   Note: Fields with the schedule settings will be unavailable if the launch of this scheduled system task is disabled by the Kaspersky Administration Kit policy (see section 19.4 on pg. 272).

3. Configure the schedule settings in accordance with your requirements.
   a) Specify the frequency of the task startup (see A.2.1 on pg. 353): select one of the following values in the Frequency list: Every hour, daily, weekly, At application startup, At Anti-Virus database update:
      - If you selected Every hour, specify the number of hours in the Every <number> hours field in the Task Start Settings settings group;
      - If you selected Every day, specify the number of days in the Every <number> days field in the Task Start Settings settings group;
      - If you selected Weekly, specify the number of weeks in the Every <number> weeks field in the Task Start Settings settings group. Specify the weekdays on which the task will be launched (by default the task will be launched on Mondays).

55

   Figure 12. An example of the Schedule settings dialog box with the Frequency setting assigned the value Weekly

   b) In the Start time field, specify the time at which the task will first run.
   c) In the Start from field, specify the date on which the schedule will become effective (see A.2.2 on pg. 355).

56

   Note: After you have specified the task startup frequency, the time of the first task execution and the date for the schedule to be enabled, information about the calculated time of the next task launch will appear in the top part of the dialog box in the Next launch field. Updated information about the calculated time of the next launch will be displayed each time you open the Task Property of the Schedule dialog box.

   The value Task launch is prohibited by the policy is displayed in the Next launch field if the parameters of the active Kaspersky Administration Kit policy prohibit the launching of system tasks on schedule (for more details refer to section 19.4 on pg. 272).

4. Using the Additional tab (see Figure 13) configure the remaining schedule settings in accordance with your requirements.

57

   Figure 13. The Schedule settings dialog box, Additional tab

   a) To specify the maximum duration of the task execution, enter the required number of hours and minutes in the Duration field in the Task stop settings group (see A.2.4 on pg. 356).
   b) To specify the time period within 24 hours during which the task execution will be paused, enter the From and Until values for the duration in the Pause from until field (see A.2.5 on pg. 357).
   c) To specify the schedule disabling date, check the End schedule date box and, using the Calendar dialog box, select the date on which the schedule will be disabled (see A.2.3 on pg. 356).
   d) To enable the skipped task launch function, check the Run missed tasks box (see A.2.6 on pg. 357).

58

   e) To enable the use of the Randomize the task start setting, check the Randomize the task start within interval box and specify the value for this setting in minutes (see A.2.7 on pg. 358).

5. Press the OK button to save the changes you have made in the Schedule settings dialog box.

Enabling and disabling scheduled launch

After you have configured the task schedule once, you can enable and disable it. After you have disabled the schedule, its settings (startup frequency, startup time, etc.) will not be deleted and you will be able to enable the schedule again, if required.

In order to enable or disable the schedule:

1. Right-click the name of the task for which you wish to enable or disable the schedule and select Properties.
2. Perform one of the following actions in the Schedule settings group in the Task Properties dialog box:
   - to enable the schedule, check the Start according to schedule box;
   - to disable the schedule, uncheck the Start according to schedule box.
3. Press the OK button.

Viewing task statistics

While the task is running you can view, in real time, detailed information about the task execution from the moment the task was launched until the current moment. This information is the task execution statistics.

If you pause the task, the statistics information will be available in the Statistics dialog box. After the task is completed or stopped you can view this information in the detailed report about the task events (see on pg. 191).

In order to view the task execution statistics, right-click in the console window the name of the task whose statistics you wish to view and select Statistics.

59

Using a different user account to launch a task

This chapter contains the following information:

- Using a different account to start a task (see on pg. 59);
- Specifying the user account for starting the task (see on pg. 60).

About using accounts to launch tasks

You can specify the account under which a selected task of any functional Anti-Virus component, except the Real-time protection component, will be launched.

By default all tasks except the real-time protection tasks are executed under the Local System (SYSTEM) account. While performing real-time protection tasks, Anti-Virus intercepts the object being scanned when an application calls it and uses the permissions of that application.

You must specify a different account with sufficient access permissions in the following cases:

- In the updating task, if you specified a public folder on a different computer in the network as the update source;
- If you use a proxy server with built-in Windows NTLM authentication for accessing update sources;
- In the on-demand scan tasks, if the Local System (SYSTEM) account does not have the access right to any of the objects being scanned (for example, to the files in public folders in the network).

Note: Under the Local System (SYSTEM) account you can launch updating and on-demand scan tasks in which Anti-Virus accesses a public folder on a different computer if this computer is registered within the same domain as the protected server. In this case the Local System (SYSTEM) account must have access rights to these folders. Anti-Virus will access the computer using the rights of the account Domain_name\Computer_name$.

60

Specifying the user account for running tasks

In order to specify an account for launching a task:

1. Right-click the task name and select the Properties command.
2. Using the Task Properties dialog box open the Run as tab (see Figure 14).

   Figure 14. The Task Properties dialog box, Run as tab

3. On the Run as tab (see Figure 14) perform the following:
   a) Select User account.

61

   b) Enter the username and the password for the user whose account you wish to use.

      Note: The user that you selected must be registered on the protected server or within the same domain as this server.

   c) Press the OK button.

62

CHAPTER 6. REAL-TIME PROTECTION

This chapter contains the following information:

- About real-time protection tasks (see 6.1 on pg. 62);
- Configuring the Real-Time File Protection task (see 6.2 on pg. 62);
- The Real-Time File Protection task statistics (see 6.3 on pg. 83);
- Configuring Script monitoring: selecting actions with suspicious scripts (see 6.4 on pg. 85);
- The Script Monitoring task statistics (see 6.5 on pg. 86).

About real-time protection tasks

Anti-Virus provides two real-time protection system tasks: Real-time file protection and Script monitoring. For more details about the Anti-Virus Real-time protection function refer to on pg. 13.

By default, Real-time protection tasks are automatically started at the Anti-Virus startup. You can stop or restart these tasks and/or configure their schedule.

You can also pause or resume real-time protection tasks if you need to interrupt object scan for a short-term access, for example for the purpose of data replication.

You can configure the Real-time file protection task: create a protection area and configure the security settings for the selected nodes, configure blocking of access from computers, and apply the trusted zone (see 6.2 on pg. 62).

While the Script monitoring task is running, Anti-Virus prohibits the execution of scripts it considers dangerous. If Anti-Virus detects a suspicious script, it will perform the action that you have selected: allow or disallow its execution. To learn how to allow or disallow the execution of suspicious scripts see 6.4 on pg.

Configuring Real-time file protection task

By default the system task Real-time file protection has the settings described in Table 2. You can modify these settings, that is, configure this task.

63

Table 2. Default settings of the Real-time file protection task

| Parameter | Default value | Description |
|---|---|---|
| Protection area | Entire server | You can limit the protection scope (see on pg. 65). |
| Security settings | Common settings for the entire protection area; security level Recommended. | You can do the following for the nodes selected in the server file resources tree: select a different pre-defined security level (see on pg. 71); manually modify the security settings (see on pg. 74). You can save the security settings for the selected node as a template to use later for any other node (see on pg. 78). |
| Protection mode | When opened and modified | You can select the mode for objects protection, i.e. define the type of access during which Anti-Virus should check them. To learn how to select the protection mode refer to on pg. 82. For details about object protection modes refer to A.3.1 on pg. |
| Function Blocking access from computers | Disabled | You can block access from computers to the protected server at the attempt of writing of infected or suspicious objects to the server (see Chapter 7 on pg. 87). |

64

| Parameter | Default value | Description |
|---|---|---|
| Trusted zone | Applied. If you selected Add to exclusions threats by mask not-a-virus: RemoteAdmin* and Add to exclusions files recommended by Microsoft, remote administration RemoteAdmin programs and files recommended by Microsoft will be excluded. | A unified list of exclusions that you can apply to the selected on-demand scan tasks and the Real-time file protection task. Chapter 8 on pg. 99 contains information about the creation and application of the trusted zone. |

In order to configure the Real-time file protection task:

1. Expand the view of the Real-time protection node in the console tree.
2. Select the nested node Real-time file protection.

   The server file resource tree and the dialog box Security level (Standard mode) will be displayed in the results panel (see Figure 15).

   Figure 15. The Real-time file protection task is open

65

3. If required, configure the task settings.
4. Open the shortcut menu on the task name and select the Save command to save the changes.

To learn how to:

- Start / pause / resume / stop a task manually, see 5.6 on pg. 53.
- Start a scheduled task, see 5.7 on pg.

Protection area in the Real-time file protection task

This chapter contains the following information:

- About creation of the protection area in the Real-time file protection task (see on pg. 65);
- Which pre-defined server areas can be included into the protection area (see on pg. 66);
- How you can create a protection area: exclude or include individual server areas from/into it (see on pg. 67);
- About the virtual protection area - drives, folders and files that are connected to the server temporarily, and folders and files that are created on the server dynamically by various applications and services (see on pg. 68);
- How to create a virtual protection area (see on pg. 69).

Defining protection scope in the Real-time file protection task

If the Real-time file protection task is executed with settings that have default values, Anti-Virus will scan all objects of the server file system. If, based on security requirements, you do not have to scan all objects, you can restrict the protection area.

In the Anti-Virus console the protection area is displayed as a server file resource tree that Anti-Virus can scan.

Server file resource tree nodes are displayed as follows:

- The node is included into the protection area.
- The node is excluded from the protection area.

66

- At least one of the nodes nested in this node is excluded from the protection area or the security parameters of the nested node(s) differ from the security parameters of this node.

  Note that the parent node will be marked with this icon if you select all nested nodes but not the parent node itself. In this case files and folders that do not yet appear in this node will not be automatically included into the protection area. In order to include them into the protection area you can include their parent node into the protection area. Alternatively you can create their "virtual copies" in the Anti-Virus console and add them to the protection area.

The names of virtual nodes of the protection area are displayed in a blue font.

Pre-defined protection areas

Once you open the Real-time file protection task, a tree of server file resources will be displayed in the result panel (see Figure 16).

Note: The tree of file resources will display the nodes for which you have the reading privilege based on the Microsoft Windows security settings.

Figure 16. Example of a server file resource tree in the Anti-Virus console

The server file resource tree contains the following pre-defined protection areas:

67

- Hard drives. Anti-Virus scans files on the server's hard drives.
- Removable drives. Anti-Virus scans files on removable media, for example on CDs or USB drives.
- Network places. Anti-Virus scans files that are written into network folders or read from them by applications running on the server. Anti-Virus does not scan such files when they are called by applications from other computers.
- Virtual drives. You can include into the protection area dynamic folders and files and drives that are temporarily connected to the server, for example, common drives of a cluster (create a virtual protection area).

Note: Virtual drives created using the SUBST command are not reflected in the server file resource tree in the Anti-Virus console. In order to include objects on a virtual drive into the protection area, include into the protection area the server folder with which this virtual drive is associated.

Connected network drives are not reflected in the server file resource tree either. In order to include objects on a network drive into the protection area, specify the path to the folder corresponding to this network drive in UNC format.

Defining a protection area

In order to create a protection area:

1. Open the Real-time file protection task.
2. Perform the following actions in the server file resource tree in the result panel:
   - In order to exclude an individual node from the protection area, expand the protection area tree in order to display the required node and uncheck the box next to its name.
   - In order to select only those nodes that you wish to include into the protection area, uncheck the My computer box and then:
     - If you wish to include all drives of one type into the protection area, check the box next to the name of the required disk type (for example, in order to include all removable drives on the server check the Removable drives box).
     - If you wish to include an individual disk of a certain type into the protection area, expand the node that contains the list of drives of this type and check the box next to the name of the required drive.

68

     - If you would like to include into the protection area only a separate folder on the disk, expand the server file resource tree in order to display the folder that you wish to include into the protection area and check the box next to its name. Using the same procedure you can also include files into the protection area.
3. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Attention! You can launch the Real-time file protection task only if at least one of the server file resources tree nodes is included into the protection area.

Note: If you specify a complex protection area, for example specify various security parameter values for multiple nodes in the server file resource tree, this may somewhat slow down the scan of objects when they are accessed.

About virtual protection area

Anti-Virus can scan not only existing folders and files on hard and removable drives, but also drives that are connected to the server temporarily (for example, common cluster drives) and folders and files that are dynamically created on the server by various applications and services.

If you included all server objects into the protection area, all these dynamic nodes will automatically be included into the protection area. However, if you would like to specify special values for the security settings of these dynamic nodes, or if you selected for real-time protection not the entire server but separate areas, then in order to include dynamic drives, files or folders into the protection area you will have to first create them in the Anti-Virus console, that is, to specify the virtual protection area. The drives, files and folders created this way will exist only in the Anti-Virus console, but not in the file structure of the protected server.

If, while creating a protection area, you select all nested folders or files without selecting the parent folder, then dynamic folders or files that later appear in it will not be automatically included into the protection area. You should create their "virtual copies" in the Anti-Virus console and add them to the protection area.

About creation of the virtual protection area in the Real-time file protection task see on pg. 69. About creation of the virtual protection area in the on-demand scan tasks see on pg. 118.

69

Creating virtual protection scopes: adding dynamic drives, folders and files to the protection area

In order to add a virtual drive into the protection area:

1. In the console tree expand the Real-time protection node and select the nested Real-time file protection node.
2. Open the shortcut menu in the result panel in the server file resource tree on the Virtual drives node and select a name for the virtual drive being created in the list of available names (see Figure 17).

   Figure 17. Selecting name for a virtual drive

3. Check the box next to the drive added in order to include the drive into the protection area.
4. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

70

In order to add a virtual folder or a virtual file into the protection area:

1. In the console tree expand the Real-time protection node and select the nested Real-time file protection node.
2. Right-click the node into which you wish to add a folder or a file in the results panel in the server file resources tree and select Add virtual folder or Add virtual file.

   Figure 18. Adding a virtual folder

3. In the entry field specify the name of the folder (file). You can specify a file name mask using the special symbols * and ?.
4. In the line with the name of the created folder (or file), check the box in order to include this folder (file) into the protection area.
5. Open the shortcut menu on the task name and select the Save command to save the changes in the task.

71

Configuring security settings for a selected node

You can configure the settings of the selected node in the server file resource tree as follows:

- Select one of the pre-defined security levels (minimum, recommended or maximum) (see on pg. 71);
- Manually modify the settings of the selected node (see on pg. 74).

You can save the set of security settings of the selected node into a template so that you can use this template later for other nodes (see on pg. 78).

Selecting pre-defined security levels in the Real-time file protection task

You can apply one of the following pre-defined security levels to the nodes selected in the server file resources tree: a) minimum, b) recommended and c) maximum. Each of these levels has its own set of security settings. Parameter values of the pre-defined security levels are provided in Table 3 on pg. 72.

Minimum security level

You can set the Maximum Speed security level on the server if, apart from the use of Anti-Virus on the servers and workstations, there are additional computer security measures in your network, for example, firewalls are set up and network user security policies are in place.

Recommended

Recommended is set by default. Kaspersky Lab's experts consider this level sufficient for the protection of file servers in most networks. It ensures the optimum combination of protection quality and effect on the performance of the servers being protected.

Maximum protection

Use this security level if you impose high requirements on computer security in the network.

72

Table 3. Pre-defined security levels and corresponding security settings

| Security level/settings | Minimum | Recommended | Maximum |
|---|---|---|---|
| Detectable objects (see A.3.2 on pg. 360) | by extension | by format | by format |
| Scan of new and modified objects only (see A.3.3 on pg. 362) | Enabled | Enabled | Disabled |
| Actions to be performed with infected objects (see A.3.5 on pg. 364) | disinfect, delete if disinfection is not possible | disinfect, delete if disinfection is not possible | disinfect, delete if disinfection is not possible |
| Actions to be performed with suspicious objects (see A.3.6 on pg. 366) | (quarantine) | (quarantine) | (quarantine) |
| Excluding objects (see A.3.8 on pg. 369) | no | no | no |
| Excluding threats (see A.3.9 on pg. 370) | no | no | no |
| Maximum object scan time (see A.3.10 on pg. 371) | 60 seconds | 60 seconds | 60 seconds |
| Maximum size of a detected composite object, MB (see A.3.11 on pg. 372) | 8 | 8 | no |
| NTFS streams scan (see A.3.2 on pg. 360) | yes | yes | yes |
| Boot sector scan (see A.3.2 on pg. 360) | yes | yes | yes |

73

| Security level/settings | Minimum | Recommended | Maximum |
|---|---|---|---|
| Scanning composite objects (see A.3.4 on pg. 363) | packed objects* (* New and modified only) | SFX archives*, packed objects*, embedded OLE-objects* (* New and modified only) | SFX archives*, packed objects*, embedded OLE-objects* (* All objects) |

Note: The security settings Protection mode, Use iChecker and Use iSwift are not included into the set of settings of the pre-defined security levels. By default these settings are enabled. If you change the status of the Protection mode, Use iChecker or Use iSwift settings, the selected security level will not be changed.

In order to select one of the pre-defined security levels:

1. In the console tree expand the Real-time protection node and select the nested Real-time file protection node.
2. In the server file resource tree select the node for which you wish to choose a pre-defined security level.
3. Make sure that this node is included into the protection area (see on pg. 67).
4. Using the Security level dialog box (see Figure 19) select the security level you wish to apply from the Security level box.

74

   Figure 19. The Security level dialog box

   The dialog box will display the list of the values of the security settings corresponding to the security level you selected.

5. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Configuring security settings manually

By default common security settings are used for the entire protection area in the Real-time file protection task. Their values correspond to the values of the pre-defined security level Recommended. For the default values of the security settings see on pg. 71.

You can modify the default values of the security settings by configuring them as common settings for the entire protection area or as different settings for different nodes in the server file resource tree.

The scan settings that you configure for the selected node will automatically be applied to all nodes nested into it. However, if you configure security settings for a nested node separately, the security settings of the parent node will not apply to it.
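The inheritance rule above, together with the earlier rule that selecting only nested nodes does not cover items that later appear in the parent, can be checked with a small model. This is an added illustration, not Kaspersky code: the class and function names, the sample paths, the nearest-configured-ancestor lookup and the treatment of * and ? in virtual node names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of a modelled server file resource tree (hypothetical structure)."""
    included: Optional[bool] = None   # None = take the parent's state
    level: Optional[str] = None       # None = take the parent's security level
    children: Dict[str, "Node"] = field(default_factory=dict)


def _parts(path: str) -> List[str]:
    # Windows paths are case-insensitive, so compare lower-cased components.
    return [p.lower() for p in PureWindowsPath(path).parts]


def _mask_matches(mask: str, name: str) -> bool:
    # Assumption: in a virtual node name, * is any run of characters, ? is one character.
    if "*" not in mask and "?" not in mask:
        return False
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask
    )
    return re.fullmatch(pattern, name) is not None


class ProtectionArea:
    """Model of a protection area with per-node inclusion and security level."""

    def __init__(self, included: bool = True, level: str = "Recommended"):
        # The root plays the role of the "My computer" node.
        self.root = Node(included=included, level=level)

    def configure(self, path: str, included: Optional[bool] = None,
                  level: Optional[str] = None) -> None:
        """Check/uncheck a node or give it its own security level."""
        node = self.root
        for part in _parts(path):
            node = node.children.setdefault(part, Node())
        if included is not None:
            node.included = included
        if level is not None:
            node.level = level

    def effective(self, path: str) -> Tuple[bool, Optional[str]]:
        """Return (protected?, security level) for an object at `path`."""
        node = self.root
        included, level = node.included, node.level
        for part in _parts(path):
            child = node.children.get(part)
            if child is None:
                # Fall back to virtual nodes whose name is a mask.
                child = next((c for m, c in node.children.items()
                              if _mask_matches(m, part)), None)
            if child is None:
                break  # nothing more specific is configured below this node
            node = child
            if node.included is not None:
                included = node.included
            if node.level is not None:
                level = node.level  # a nested node's own settings win
        return bool(included), (level if included else None)


def demo_area() -> ProtectionArea:
    """Constructed sample configuration; all paths are made up."""
    area = ProtectionArea(included=False)                   # "My computer" unchecked
    area.configure(r"C:\Data", included=True, level="Maximum")
    area.configure(r"C:\Data\Logs", level="Minimum")        # nested node configured separately
    area.configure(r"C:\Shares\a", included=True)           # children selected,
    area.configure(r"C:\Shares\b", included=True)           # parent C:\Shares is not
    area.configure(r"C:\Shares\tmp*.dat", included=True, level="Maximum")  # virtual file
    return area


if __name__ == "__main__":
    area = demo_area()
    for p in (r"C:\Data\report.doc", r"C:\Data\Logs\app.log", r"C:\Shares\a\f.txt",
              r"C:\Shares\new\f.txt", r"C:\Shares\TMP01.DAT"):
        print(p, area.effective(p))
```

In the sample, C:\Shares\new\f.txt comes out unprotected because only the nested nodes a and b were selected, while the masked virtual file node covers tmp*.dat files created later in C:\Shares.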

75

In order to configure the security settings of the selected node:

1. In the console tree expand the Real-time protection node and select the nested Real-time file protection node.
2. Using the result panel in the server file resource tree select the node for which you wish to configure the security settings.
3. Press the Settings button in the bottom part of the dialog box. The Security settings dialog box will be displayed.

   Note: To learn how to apply a security parameter template to a node, refer to on pg.

4. Configure the required security settings of the selected node in accordance with your requirements:

   Perform the following in the General tab (see Figure 20):
   - Under the Protection scope heading, specify whether Anti-Virus will scan all protection areas or objects of certain formats or having certain extensions, and whether Anti-Virus will scan disk boot sectors and master boot records and alternative NTFS streams (see A.3.2 on pg. 360);
   - Under the Productivity heading, specify whether Anti-Virus will scan all objects in the selected area or only new and modified objects (see section A.3.3 on pg. 362);
   - Under the Process compound objects heading, indicate which composite objects will be scanned by Anti-Virus (see A.3.4 on pg. 363).

Figure 20. The Security settings dialog box, the General tab

- Configure the following on the Actions tab (see Figure 21):
  o Actions to be performed with infected objects (see A.3.5 on pg. 364);
  o Actions to be performed with suspicious objects (see A.3.6 on pg. 366);
  o Actions to be performed with objects depending on the type of threat (see A.3.7 on pg. 368).

Figure 21. The Settings dialog box, the Actions tab

- Configure the following on the Performance tab if necessary (see Figure 22):
  o Excluding objects (see A.3.8 on pg. 369);
  o Excluding threats (see A.3.9 on pg. 370);
  o Maximum object scan time (see A.3.10 on pg. 372);
  o Maximum size of a composite object to be scanned (see A.3.11 on pg. 372);
  o Use iChecker technology (see A.3.12 on pg. 373);
  o Use iSwift technology (see A.3.13 on pg. 374).

Figure 22. The Settings dialog box, the Performance tab

5. After you have configured the required security settings, open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Working with templates in Real-time Protection tasks

This section contains the following information:

- Saving security settings to a template (see on pg. 79);
- Viewing security settings in a template (see on pg. 80);
- Applying a template (see on pg. 81);
- Deleting a template (see on pg. 82).

Saving a set of security settings to a template

After you have configured the security settings of any of the nodes in the server file resource tree for the Real-time file protection task, you can save their values into a template in order to apply it to any other node.

In order to save the set of the security parameter values into a template:

1. In the console tree, expand the Real-time protection node and select the nested Real-time file protection node.
2. In the server file resource tree, select the node whose security settings you wish to save.
3. Press the Settings button in the bottom part of the dialog box.
4. In the General tab of the Protection area settings, press the Save to a template button.
5. In the Template properties dialog box (see Figure 23) perform the following:
   - Enter the name of the template into the Template name field.
   - Enter any additional information about the template into the Description field.

Figure 23. The Template properties dialog box

6. Press OK. The template with the set of the parameter values will be saved.

Viewing security settings in a template

To view security settings in a template that you have created:

1. Expand the Real-time Protection node of the console tree.
2. Open the context menu on the Real-time file protection task and select the Templates command (see Figure 24).

Figure 24. The Templates dialog box

The Templates dialog box displays a list of templates that you can apply to the Real-time protection task.

3. To view the information and security settings in a template, select the template from the list and click the View button (see Figure 25).

Figure 25. The <Template name> dialog box, Settings tab

The General tab displays the template name and additional information about the template; the Settings tab lists the security settings saved in the template.

Applying a template

In order to apply a template with the set of values of the security settings to the selected node:

1. Save the security settings into the template (see on pg. 79).
2. In the console tree, expand the Real-time protection node and select the nested Real-time file protection node.
3. Using the result panel, in the server file resource tree right-click the node to which you wish to apply the template and select Apply template.
4. Select the template you wish to apply in the Templates dialog box.

5. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Note: If you apply a template to a parent node, the security settings from the template will also be applied to all nested nodes except those for which you have configured security settings separately. In order to apply the security settings from the template to all nested nodes, before you apply the template you must uncheck the parent node in the server's file resources tree and then check it again. Then apply the template to the parent node. All nested nodes will have the same security settings as the parent node.

Deleting a template

To delete a template:

1. Expand the Real-time Protection node of the console tree.
2. Open the context menu on the Real-time file protection task and select the Templates command (see Figure 24).
3. In the Templates dialog box, select the template that you want to delete from the template list and click the Delete button.
4. Click Yes in the confirmation window. The selected template will be deleted.

Selecting protection mode

You can select the protection mode. For details about this setting refer to A.3.1 on pg.

In order to select an object protection mode:

1. In the console tree, expand the Real-time protection node.
2. Open the shortcut menu on the Real-time file protection task and select Properties.
3. In the Properties dialog box, switch to the General tab (see Figure 26), select the protection mode that you wish to set and press the OK button.

Figure 26. The Task Properties dialog box, General tab

6.3. Real-time file protection task statistics

While the Real-time file protection task is being executed, you can view in real time detailed information about the number of objects processed by Anti-Virus since it was started until the current moment (task execution statistics).

In order to view the Real-time file protection task statistics:

1. Expand the view of the Real-time protection node in the console tree.
2. Right-click the Real-time file protection task and select Statistics.

The following information about objects processed by Anti-Virus since it was started until the current moment will be displayed in the Task status dialog box.

Field: Description
Threats detected: The number of detected threats; for example, if Anti-Virus detects one malicious program in five objects, the value in this field will be incremented by one.
Infected objects detected: Total number of detected infected objects and number of infected objects
Suspicious objects detected: Total number of detected suspicious objects
Objects not disinfected: Number of objects that Anti-Virus did not disinfect because: a) the type of the threat contained in the object does not provide for disinfection; b) objects of this type cannot be disinfected; c) an error occurred during the disinfection
Objects not quarantined: Number of objects that Anti-Virus should have quarantined but was unable to because of an error, for example due to insufficient disk space
Objects not deleted: Number of objects that Anti-Virus attempted to delete but was unable to, for example because access to the object was blocked by another program
Objects not scanned: Number of objects in the scan scope that Anti-Virus failed to scan because, for example, access to the object was blocked by another program
Objects not backed up: Number of objects whose copies Anti-Virus attempted to save to Backup but was unable to because of an error
Scan errors: Number of objects during the processing of which Anti-Virus encountered an error
Objects disinfected: Number of objects disinfected by Anti-Virus
Objects quarantined: Number of objects quarantined by Anti-Virus

Objects backed up: Number of files whose copies Anti-Virus saved to Backup
Objects deleted: Number of objects deleted by Anti-Virus
Password protected objects: Number of objects (for example, archives) that Anti-Virus skipped because they were password-protected
Corrupted objects: Number of objects skipped by Anti-Virus because their format is corrupted
Objects scanned: Total number of objects scanned by Anti-Virus

6.4. Configuring the Script monitoring task

By default the Script monitoring system task uses the settings described in Table 4. You can modify the values of these settings to customize the task.

Table 4. Default settings of the Script monitoring task

Option: Execution of infected scripts
Default value: Blocked
Description: The Anti-Virus always blocks execution of scripts that it recognizes as infected.

Option: Execution of suspicious scripts
Default value: Blocked
Description: You can specify the action that the Anti-Virus will perform on scripts that it recognizes as suspicious: block or allow their execution.

Option: Trusted zone
Default value: Applied. The list of exclusions is empty.
Description: General list of exclusions that you can use in the Script monitoring task. Chapter 8 on pg. 99 contains information about creation and use of the trusted zone.

To configure the Script monitoring task:

1. Expand the Real-time protection node in the console tree.

2. Open the context menu of the Script monitoring task and select Properties. The Properties: Script monitoring dialog will open.
3. Use the Actions to be performed on suspicious scripts group of settings to allow or block execution of suspicious scripts:
   - In order to allow execution of suspicious scripts, select Allow execution;
   - In order to prohibit execution of suspicious scripts, select Block execution.
4. Use the Trusted zone group of settings to enable or disable the trusted zone:
   - To enable the trusted zone, check the Apply trusted zone box;
   - To disable the trusted zone, uncheck the Apply trusted zone box.
   For details about adding scripts to the list of trusted zone exceptions, please see section on pg.
5. To save the changes, press OK in the Settings: Script monitoring dialog box.

Script monitoring task statistics

While the Script monitoring task is being executed, you can view in real time information about the number of scripts processed by Anti-Virus since it was started until the current moment (task execution statistics).

In order to view the task statistics:

1. In the console tree, expand the Real-time protection node.
2. Right-click the Script monitoring task and select Statistics.

The following information will be displayed in the Statistics dialog box:

Field: Description
Scripts blocked: Number of prohibited scripts
Dangerous scripts: Number of malicious scripts detected
Number of suspicious scripts: Number of suspicious scripts detected
Processed scripts: Total number of processed scripts

CHAPTER 7. BLOCKING ACCESS FROM COMPUTERS IN THE REAL-TIME FILE PROTECTION TASK

This chapter contains the following information:

- about blocking access from computers to the protected server (see 7.1 on pg. 87);
- enabling / disabling automatic blocking of access from computers (see 7.2 on pg. 88);
- configuring settings of automatic blocking of access from computers (see 7.3 on pg. 89);
- excluding computers from the scope of automatic blocking (creating a list of trusted computers) (see 7.4 on pg. 91);
- preventing virus outbreaks (see 7.5 on pg. 92);
- viewing the list of computers to which access to the server is prohibited (see 7.6 on pg. 94);
- manual blocking of access from computers (see 7.7 on pg. 95);
- unblocking access from computers (see 7.8 on pg. 97);
- viewing the blocking statistics (see 7.9 on pg. 97).

7.1. About blocking access from computers to the protected server

While the Real-Time File Protection task is executed, you can temporarily block access from infected computers to the protected server.

You can block infected computers using two methods:

- Enable automatic computer blocking. Once any computer makes an attempt to write an infected or a suspicious object onto the protected server, Anti-Virus will temporarily block access from that computer to the files on the server. By default the function of automatic blocking of access from infected computers is disabled.
- Manually block the infected computer. If you have information that any computer within the local area network is infected, you can manually block access from it to the protected server: add the computer to the blocking list and specify the time during which objects on the protected server will be unavailable to it.

You can unblock access from the computer to the server at any time.

All operations of blocking or unblocking access from computers are registered in the system audit log.

The list of blocked computers is saved automatically between the Anti-Virus sessions.

7.2. Enabling or disabling automatic blocking of access from computers

In order to enable or disable the function of blocking access from computers:

1. Expand the Real-time file protection node in the console tree, then the Real-time protection node, in order to display the nested node Blocking access from computers.
2. Perform one of the following actions:
   - To enable automatic blocking of access from computers to the server, right-click the Blocking access from computers node and select the Enable command.
   - To disable automatic blocking of access from computers to the server, right-click the Blocking access from computers node and select the Disable command.
3. Press the OK button.

Note: If you enable the function of automatic blocking of access from computers, it will be active only when the Real-time file protection task is running. Once you disable the automatic blocking function, all computers in the blocking list will be granted access to the files on the server.

7.3. Configuring settings of automatic access blocking from computers

This section contains a description of enabling and configuring automatic blocking of access from computers to the server. For a description of the blocking settings refer to A.4 on pg.

In order to configure the settings of automatic blocking of access from computers:

1. Expand the Real-time file protection node in the console tree, then the Real-time protection node, in order to display the nested node Blocking access from computers.
2. Right-click the Blocking access from computers node and select Properties.
3. On the Blocking access from computers tab in the Properties dialog box, make sure that the Enable blocking the access from computers to the server box is checked (see Figure 27).

Figure 27. The Blocking access from computers Properties dialog box, the General tab

4. In the Actions on computer settings group, check the boxes next to the actions that Anti-Virus will perform if a computer attempts to write an infected or a suspicious object to the server (see A.4.2 on pg. 376).
5. If you selected Block access from computer to the server, specify the time period for which you wish to block access from the computers to the server, in days, hours or minutes.
6. If you selected Run executable file, press the list button and, in the Executable file dialog box (see Figure 28), specify the executable file (name and full path to it) and the account under which the file will be executed.

7. Press the OK button.

Figure 28. The Executable file dialog box

7.4. Excluding computers from automatic blocking (Trusted computers)

You can create a list of trusted computers (for more details about this setting refer to A.4.3 on pg. 377).

In order to add a computer to the list of trusted computers:

1. Expand the Real-time protection node in the console tree, then the Real-time file protection node, in order to display the nested node Blocking access from computers.
2. Open the shortcut menu on the Blocking access from computers node and select Properties.
3. On the General tab of the Blocking access from computers Properties dialog box (see Figure 27), make sure that the Enable blocking of access from computers to the server box is checked (see A.4.1 on pg. 375).
4. Check the Do not block specified computers box in the Trusted computers settings group and perform the following actions:

   a) Press the Add button. The Add computer dialog box will open (see Figure 29).

   Figure 29. The Add Computer dialog box

   b) Specify the computer's network name or IP address:
      o Select Use network computer name and specify the computer's NetBIOS name;
      o Specify the static IP address: select Use network IP address or enter the computer's IP address;
      o Specify a range of IP addresses: select Use IP address range, enter the first IP address of the range in the Start IP address field and the last IP address in the End IP address field. All computers whose IP addresses are within the specified range will be treated as trusted computers.
   c) Press the OK button.
5. Press OK in the Properties dialog box.

7.5. Preventing virus outbreaks

This section describes how to enable and disable the Virus outbreak prevention function. A description of Virus outbreak prevention is provided in A.4.4 on pg. 378.

In order to enable / disable Virus outbreak prevention:

1. Expand the Real-time protection node in the console tree, then the Real-time file protection node, in order to display the nested node Blocking access from computers.
2. Open the shortcut menu on the Blocking access from computers node and select Properties.
3. Switch to the Additional tab (see Figure 30) in the Blocking access from computers Properties dialog box.

Figure 30. The Blocking access from computers Properties dialog box, the Additional tab

4. Perform one of the following actions on the Additional tab:
   - In order to enable Virus outbreak prevention:
     a) check the Increase security level if the number of computers exceeds box;

     b) indicate the number of computers with blocked access that, when reached, will cause Anti-Virus to switch to a higher security level;
     c) if required, enable the function of restoring the security level when the number of computers with blocked access has decreased to the value indicated (Restore security level if the number of computers is lower than).
   - In order to disable Virus outbreak prevention, uncheck the Increase security level if the number of computers exceeds box.
5. Press the OK button.

7.6. Viewing the list of computers to which access to the server is prohibited

Attention! Computers in the server access blocking list are denied access to the protected server only when the Real-time file protection task is running and the function of automatic blocking of access from computers is enabled.

In order to view the list of computers whose access to the protected server is currently prohibited:

1. In the console tree, expand the Real-time protection node and select the Real-time file protection node.
2. Open the nested node Blocking access from computers (see Figure 31).

Figure 31. The Blocking access from computers dialog box

The result panel will display the following information about computers from which access to the server is prohibited:

Field: Description
Computer: Information about the computer in the blocking list obtained by Anti-Virus (network name, IP address)
Blocking date: Date and time when the access from a computer was blocked, displayed using the format specified by the Microsoft Windows regional settings of the computer on which the Anti-Virus console is installed
Blocking end date: Date and time when access to the computer will be unblocked, in the format specified by the Microsoft Windows regional settings of the computer on which the Anti-Virus console is installed

7.7. Blocking access from computers: Blocking access from a computer manually

If you have information that a computer is infected, you can manually block access from it to the protected server.

Attention! Computers that are in the access blocking list are denied access to the protected server only when the Real-time file protection task is running and the automatic blocking of access from computers is enabled.

In order to manually block access from a computer to the server:

1. In the console tree, expand the Real-time protection node and select the Real-time file protection node.
2. Make sure that the automatic blocking of access from computers is enabled (see 7.2 on pg. 88).
3. Open the shortcut menu on the Blocking access from computers nested node and select Add to the blocking list.
4. In the Adding computer to the blocked list dialog box (see Figure 32), specify the network name of the computer whose server access you wish to block.

Note: In the Computer Name field specify only computers' NetBIOS names, not DNS addresses.

Figure 32. The Adding computer to the blocked list dialog box

5. Perform one of the following actions:
   - select Blocking access from the computer to the server for the period of: and specify the period for which the access from the computer to the server will be blocked;

   - select Blocking access from computer to the server until: and specify the date and time when the computer will be unblocked.
6. Press the OK button.

7.8. Unblocking access from a computer

You can unblock access from a computer to the protected server at any time.

In order to unblock access from a computer:

1. In the console tree, expand the Real-time protection node and select the Real-time file protection node.
2. Select the nested node Blocking access from computers.
3. In the Blocking access from computers window, in the list of blocked computers, right-click the line with information about the computer that you wish to unblock and select Allow access from computer.

7.9. Viewing blocking statistics

You can view information about the number of computers whose access to the protected server has been blocked since the last time Anti-Virus was started (blocking statistics).

In order to view the blocking statistics:

1. In the console tree, expand the Real-time protection node.
2. Expand the Real-time file protection node.
3. Right-click the Blocking access from computers task and select Statistics (see Figure 33).

Figure 33. The Blocking server access statistics dialog box

The following information will be displayed in the Statistics dialog box:

Field: Description
Computers in the blocking list: The number of computers currently in the access blocking list
Infection attempts from trusted computers: The number of attempts to write infected or suspicious objects to the server from the trusted computers since the moment when the automatic blocking was enabled
Total number of computers blocked during operation: The total number of computers automatically added to the blocking list when they attempted to write infected or suspicious objects to the server from the trusted computers since the moment when the automatic blocking was enabled
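The settings of sections 7.3 to 7.5 interact: trusted computers are never blocked, blocks expire after the configured period, and the two outbreak thresholds form a hysteresis band. The Python model below is an added example, not Kaspersky code; the class and function names, host names, addresses and times are constructed, and it assumes IPv4 addresses and strict comparisons for "exceeds" and "is lower than".

```python
"""Model of automatic access blocking (chapter 7). Added example, not product code."""
import ipaddress
from datetime import datetime, timedelta


class BlockingModel:
    def __init__(self, block_for, trusted_names=(), trusted_ips=(),
                 trusted_ranges=(), raise_above=None, restore_below=None):
        self.block_for = block_for  # timedelta: how long a computer stays blocked
        self.trusted_names = {n.upper() for n in trusted_names}  # NetBIOS names
        self.trusted_ips = {ipaddress.ip_address(a) for a in trusted_ips}
        self.trusted_ranges = [(ipaddress.ip_address(s), ipaddress.ip_address(e))
                               for s, e in trusted_ranges]
        # "Increase security level if the number of computers exceeds"
        self.raise_above = raise_above
        # "Restore security level if the number of computers is lower than"
        self.restore_below = restore_below
        self.blocked = {}    # computer name -> datetime when the block ends
        self.raised = False  # True while the higher security level is in force
        self.stats = {"trusted_attempts": 0, "total_blocked": 0}

    def is_trusted(self, name, ip):
        """Trusted by NetBIOS name, single address, or inclusive address range."""
        addr = ipaddress.ip_address(ip)  # assumption: IPv4 only
        return (name.upper() in self.trusted_names
                or addr in self.trusted_ips
                or any(lo <= addr <= hi for lo, hi in self.trusted_ranges))

    def update_level(self):
        """Apply the outbreak thresholds to the current blocking-list size."""
        count = len(self.blocked)
        if self.raise_above is not None and count > self.raise_above:
            self.raised = True
        elif (self.raised and self.restore_below is not None
              and count < self.restore_below):
            self.raised = False

    def tick(self, now):
        """Drop expired blocks, then re-evaluate the security level."""
        self.blocked = {n: end for n, end in self.blocked.items() if end > now}
        self.update_level()

    def on_infected_write(self, name, ip, now):
        """A computer tried to write an infected or suspicious object."""
        self.tick(now)
        if self.is_trusted(name, ip):
            self.stats["trusted_attempts"] += 1
            return "trusted"
        if name.upper() not in self.blocked:
            self.stats["total_blocked"] += 1
        self.blocked[name.upper()] = now + self.block_for
        self.update_level()
        return "blocked"


def replay():
    """Run a constructed event sequence; return (model, timeline)."""
    t0 = datetime(2008, 7, 1, 9, 0)
    model = BlockingModel(timedelta(minutes=15), trusted_names=["BACKUP01"],
                          trusted_ranges=[("10.0.5.10", "10.0.5.20")],
                          raise_above=2, restore_below=2)
    writes = [(0, "WS-01", "10.0.1.11"), (1, "BACKUP01", "10.0.9.5"),
              (2, "WS-02", "10.0.5.15"), (3, "WS-03", "10.0.1.13"),
              (4, "WS-04", "10.0.1.14")]
    timeline = []
    for minute, name, ip in writes:
        result = model.on_infected_write(name, ip, t0 + timedelta(minutes=minute))
        timeline.append((name, result, len(model.blocked), model.raised))
    # Two later checks with no new events: blocks expire one by one.
    for seconds in (16 * 60, 18 * 60 + 30):
        model.tick(t0 + timedelta(seconds=seconds))
        timeline.append(("tick", "expiry", len(model.blocked), model.raised))
    return model, timeline


if __name__ == "__main__":
    for row in replay()[1]:
        print(row)
```

With both thresholds set to 2, the level rises at three blocked computers and stays raised at exactly two; it is restored only when the list drops to one.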

CHAPTER 8. TRUSTED ZONE

This chapter contains the following information:

- about Anti-Virus trusted zone (see section 8.1 on pg. 99);
- adding exclusions to the trusted zone (see section 8.2 on pg. 101);
- applying a trusted zone (see section 8.3 on pg. 109).

8.1. About Anti-Virus trusted zone

You can create a unified list of exclusions from the protected (scan) area and, when required, apply these exclusions in the selected on-demand scan tasks and in the Real-time Protection task. This list of exclusions is called the trusted zone.

The following objects can be located in the Anti-Virus trusted zone:

- files accessed by the processes of applications susceptible to file interceptions (trusted processes);
- files accessed during backup copying operations (file backup operations);
- objects specified by the user by their location and/or the threat in them (exclusion rules).

By default the trusted zone is applied in the Real-time file protection and Script monitoring tasks, system tasks and newly created on-demand scan user tasks.

Trusted processes (used only in the Real-time file protection task)

Some applications on the server may become unstable if the files that they access are intercepted by the Anti-Virus application. Such applications include, for example, system domain controller applications.

In order to avoid disrupting the stable operation of such applications, you can disable real-time protection of files accessed by the running processes of these applications, that is, create a list of trusted processes in the trusted zone.

Microsoft Corporation recommends excluding from the real-time protection scope the files of some such applications, as they are not susceptible to infection. You can view the list of files recommended to be excluded at the Microsoft Corporation website. Article code: KB

You can apply the trusted zone with the Trusted processes function enabled or without enabling this function.

Please note that if the executable file of a process is modified, for example, if it is updated, Anti-Virus will exclude it from the list of trusted processes.

Backup operations (used in the Real-time file protection task only)

You can disable real-time protection of files accessed by the backup file copying operation during the time while this task is being executed: Anti-Virus will not scan files opened for reading by the backup copying application with attribute FILE_FLAG_BACKUP_SEMANTICS.

You can apply the trusted zone with or without disabling real-time file protection for the time the backup copying is carried out.

Exclusion rules (used in the Real-time file protection and Script monitoring tasks and on-demand scanning tasks)

You can exclude objects from scan in individual tasks without using the trusted zone, or you can compile a unified list of objects to be excluded from the scan in the trusted zone. You can keep this list and, when required, apply the exclusions in the tasks of the selected functional components: Real-time file protection, Script monitoring and on-demand scanning tasks.

You can add objects to the trusted zone by their location on the server, by the name of the threat detected in the object, or by both attributes combined.

By adding a new exception to the trusted zone you set up a rule for it (the attributes by which Anti-Virus will skip objects) and specify to which functional component (Real-time protection and/or On-demand scan) this rule applies.

According to the rule you configure, Anti-Virus can skip in the tasks of the specified components:

- specified threats in the specified areas of the server;
- all threats in the specified areas of the server;
- specified threats in the entire scan area.
If you selected Add to exclusions remote administration programs and Add to exclusions files recommended by Microsoft during the installation of Anti-Virus, these exclusion rules will be applied to the Real-time file protection task and in the system on-demand scan tasks except Scan Quarantine and Application integrity control.
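The three rule shapes listed above differ widely in how much they switch off, which matters when reviewing an exported list of exclusions. The Python model below is an added example, not Kaspersky code: the rule class, the audit checks, the probe paths and the threat names are constructed, and it assumes masks use only ? and * and that names are compared without regard to case.

```python
"""Model of the three trusted-zone exclusion rule shapes (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

REALTIME = "Real-time protection"
ON_DEMAND = "On-demand scan"

# Constructed probe paths for locations that ordinary users can often write to.
USER_WRITABLE_PROBES = (r"C:\WINDOWS\Temp\probe.exe", r"D:\Shares\Public\probe.exe")

ALL_THREATS_WRITABLE = "all threats skipped in a user-writable location"
THREAT_SERVER_WIDE = "threat skipped across the entire real-time scan area"


def mask_matches(mask: str, path: str) -> bool:
    """Match a path against a mask in which only ? and * are special."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in mask)
    return re.fullmatch(pattern, path, re.IGNORECASE | re.DOTALL) is not None


@dataclass(frozen=True)
class ExclusionRule:
    object_mask: Optional[str]          # None models an unchecked Object box
    threats: Optional[Tuple[str, ...]]  # None models an unchecked Threats box
    components: Tuple[str, ...]         # rule application scope

    def __post_init__(self):
        if self.object_mask is None and self.threats is None:
            raise ValueError("a rule needs an object, a threat list, or both")

    def shape(self) -> str:
        if self.object_mask is not None and self.threats is not None:
            return "specified threats in the specified areas"
        if self.object_mask is not None:
            return "all threats in the specified areas"
        return "specified threats in the entire scan area"

    def skips(self, component: str, path: str, threat: str) -> bool:
        """Would this rule make the component ignore this detection?"""
        if component not in self.components:
            return False
        if self.object_mask is not None and not mask_matches(self.object_mask, path):
            return False
        if self.threats is not None:
            return threat.lower() in {t.lower() for t in self.threats}
        return True


def audit(rules):
    """Return (index, reason) for rules that deserve a second look."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.threats is None:
            if any(mask_matches(rule.object_mask, p) for p in USER_WRITABLE_PROBES):
                findings.append((i, ALL_THREATS_WRITABLE))
        elif rule.object_mask is None and REALTIME in rule.components:
            findings.append((i, THREAT_SERVER_WIDE))
    return findings


# Constructed sample rules, one per shape plus a narrow all-threats rule.
RULES = [
    ExclusionRule(r"D:\Apps\RemoteAdmin\*",
                  ("not-a-virus:RemoteAdmin.Win32.Example",), (REALTIME, ON_DEMAND)),
    ExclusionRule(r"C:\WINDOWS\Temp\*", None, (REALTIME,)),
    ExclusionRule(None, ("EICAR-Test-File",), (ON_DEMAND,)),
    ExclusionRule(r"E:\Data\report??.xls", None, (REALTIME, ON_DEMAND)),
]

if __name__ == "__main__":
    for index, rule in enumerate(RULES):
        print(index, rule.shape())
    print(audit(RULES))
```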

8.2. Adding exclusions to the trusted zone

This chapter contains the following information:

- adding processes to the list of trusted processes (see section on pg. 101);
- disabling the real-time file protection for the time of backup copying (see section on pg. 105);
- adding exclusion rules (see section on pg. 105).

Adding a process to the list of trusted processes

In order to avoid disrupting the stable operation of applications sensitive to file interceptions, you can disable real-time protection of files accessed by the running processes of these applications, that is, create a list of trusted processes in the trusted zone.

You can add a process to the list of trusted processes using one of the following methods:

- select this process from the list of processes currently running on the protected server;
- select an executable file of the process regardless of whether the process is currently running.

Note: If the executable file of a process has been modified, Anti-Virus excludes this process from the list of trusted processes.

In order to add a process to the list of trusted processes:

1. Open the shortcut menu on the Anti-Virus snap-in in the Anti-Virus console in MMC and select the Trusted zone command.
2. On the Trusted Processes tab in the Trusted zone dialog box (see Figure 34), enable the Trusted Processes function: check the Do not monitor file activity of the specified processes box.

Figure 34. The Trusted zone dialog box, the Trusted Processes tab

3. Add a trusted process from the list of running processes or specify an executable file of the process.

   In order to add a process from the list of running processes:

   a) Press the Add button.
   b) In the Adding a trusted process dialog box (see Figure 35), press the Processes button.

Figure 35. The Adding a trusted process dialog box

   c) In the Active Processes dialog box (see Figure 36), select the required process and press the OK button. In order to find the required process in the list, you can sort the processes by name, PID or by the path to the executable file of the process.

Figure 36. The Active Processes dialog box

Note: In order to view active processes on the protected server, you must be a member of the administrators group of the protected server.

The selected process will be added to the list of trusted processes in the Trusted Processes dialog box.

   In order to select an executable file of the process on the drive of the protected server, perform the following:

   a) Press the Add button on the Trusted Processes tab.
   b) Press Browse in the Adding a trusted process dialog box and select an executable process file on the local drive of the protected server. Press the OK button. The name of the file and the path to it will then be displayed in the Adding a trusted process dialog box. When specifying the path you can use system environment variables; you cannot use user environment variables.

   Note: Anti-Virus does not consider a process to be a trusted process if the path to the executable process file is different from the path specified by you in the Path to file field. If you wish a process launched from a file that may be located in any folder to be considered trusted, enter the character * in the Path to file field. When specifying the path you can use environment variables.

   c) Press the OK button. The name of the selected executable process file will then be displayed in the List of trusted processes in the Trusted processes dialog box.

4. Press OK to save the changes.
5. Make sure that the trusted zone is applied in the Real-time File Protection task (see section 8.3 on pg. 109).

Disabling the real-time file protection task for the time of backup copying

You can disable real-time protection of files accessed by the backup file copying operation during the time while this task is being executed: Anti-Virus will not scan files opened for reading by the backup copying application with attribute FILE_FLAG_BACKUP_SEMANTICS.

Note: Information about the number of files that Anti-Virus skips during the backup copying operations is not displayed in the Statistics dialog box of the Real-Time File Protection task.

In order to disable real-time file protection during the backup copying:

1. Open the shortcut menu on the Anti-Virus snap-in in the Anti-Virus console in MMC and select the Trusted zone command.
2. Perform one of the following actions on the Trusted Processes tab of the Trusted zone dialog box:
   - in order to disable real-time protection of files accessed by the backup file copying task, check the Do not monitor backup copying file operations box;
   - in order to enable real-time protection of files accessed by the backup file copying task, uncheck the Do not monitor backup copying file operations box.
3. Press OK to save the changes.
4. Make sure that the trusted zone is applied in the Real-time File Protection task (see section 8.3 on pg. 109).

Adding exclusion rules

In order to add an exclusion rule:

1. Open the shortcut menu on the Anti-Virus snap-in in the Anti-Virus console in MMC and select the Trusted zone command.
2. Press the Add button on the Exclusion rules tab of the Trusted Zone dialog box.

Figure 37. The Trusted zone dialog box, the Exclusion rules tab

The Exclusion rule dialog box will open.

Figure 38. The Exclusion rule dialog box

3. Indicate the rule according to which Anti-Virus will exclude the object.

Note:
- In order to exclude specified threats within the specified areas, check the Object box and the Threats box.
- In order to exclude all threats within the specified areas, check the Object box and uncheck the Threats box.
- In order to exclude a specified threat within the entire scan area, uncheck the Object box and check the Threats box.

If you wish to specify the object's location, check the Object box, press the Change button and in the Select Object dialog box (see Figure 39) specify the object that will be excluded from scanning and then press the OK button:
   o Predefined Scope. Select one of the predefined scanning areas in the list.
   o Disc or folder. Specify the server drive or a folder on the server or in the local network.
   o File. Specify the file on the server or in the local network.
   o File or URL of the script. Select the script on a protected server, in the local network or on the Internet.

Note: You can specify masks for the names of objects using the characters ? and *.

Figure 39. The Select Object dialog box

If you wish to specify the name of the threat, press the Change button and add the names of the threats in the List of exclusions dialog box (see Figure 40; for more details about this setting refer to section A.3.9 on pg. 370).

Figure 40. The List of exclusions dialog box

4. In the Exclusion rule dialog window, under the Rule application scope heading, check the boxes next to the names of the functional components in whose tasks the exclusion rule will be applied.
5. Press OK.

In order to edit the rule, select the rule you wish to edit in the Trusted zone dialog box, on the Exclusion tab, press the Edit button and make a change in the Exclusion rule dialog box.

In order to delete a rule, select the rule you wish to delete in the Trusted zone dialog box, on the Exclusion tab, press the Delete button and confirm the deletion.

6. Press OK in the Trusted zone dialog box.

Applying a trusted zone

By default the trusted zone is applied in the Real-time protection tasks, system tasks and newly created on-demand scan tasks. You can enable or disable the use of the trusted zone in individual tasks in the Task Properties dialog box.

After you enable or disable a trusted zone, its exclusions will be immediately applied to or removed from the Real-Time File Protection and Script monitoring tasks, and applied to or removed from on-demand scan tasks the next time the task is launched.

In order to apply exclusions of a trusted zone in a task:

1. In the MMC console open the shortcut menu on the task name and check the Apply Trusted zone box on the General tab in the Task Properties dialog box.
2. Press the OK button.
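The Object/Threats combinations and the ? and * masks described under "Adding exclusion rules" can be checked with a small model before a rule is entered in the console. The Python below is an added example, not Kaspersky's code and not a format the product exports: the ExclusionRule structure, the audit checks and the sample paths and threat names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Component names follow the guide's wording for the rule application scope.
COMPONENTS = ("Real-time file protection", "Script monitoring", "On-demand scan")


def mask_to_regex(mask: str) -> re.Pattern:
    """Compile a mask in which only '?' (one character) and '*' (any run) are special."""
    out = []
    for ch in mask:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    # Case-insensitive comparison is an assumption of this model.
    return re.compile("".join(out), re.IGNORECASE)


@dataclass(frozen=True)
class ExclusionRule:
    """Hypothetical in-memory form of one rule; None models an unchecked box."""
    object_mask: Optional[str]             # Object box
    threat_masks: Optional[Sequence[str]]  # Threats box
    scope: Sequence[str] = COMPONENTS      # Rule application scope


def is_excluded(rule: ExclusionRule, path: str, threat: str, component: str) -> bool:
    """Would this rule suppress a detection of `threat` in `path` for `component`?"""
    if component not in rule.scope:
        return False
    if rule.object_mask is None and rule.threat_masks is None:
        return False  # neither box checked: treated as matching nothing (assumption)
    if rule.object_mask is not None and not mask_to_regex(rule.object_mask).fullmatch(path):
        return False
    if rule.threat_masks is not None:
        return any(mask_to_regex(m).fullmatch(threat) for m in rule.threat_masks)
    return True  # Object checked, Threats unchecked: every threat in the area is excluded


def is_broad(object_mask: str) -> bool:
    """True for masks that cover any path or a whole drive, such as '*' or 'C:\\*'."""
    core = object_mask.strip("*?\\")
    return core == "" or re.fullmatch(r"[A-Za-z]:", core) is not None


def audit(rules: Sequence[ExclusionRule]) -> List[Tuple[int, str]]:
    """Return (rule index, finding) pairs for rules a reviewer should look at."""
    findings = []
    for i, r in enumerate(rules):
        if r.object_mask is None and r.threat_masks is not None:
            findings.append((i, "threat excluded in the entire scan area"))
        if r.object_mask is not None and r.threat_masks is None:
            findings.append((i, "all threats excluded within the object"))
        if r.object_mask is not None and is_broad(r.object_mask):
            findings.append((i, "object mask covers a whole drive or any path"))
        if r.threat_masks and any(m.strip("*?") == "" for m in r.threat_masks):
            findings.append((i, "threat mask matches every threat name"))
    return findings


# Constructed sample rules. The first mask is the one the guide names as a
# default exclusion; the paths and the other masks are made up for illustration.
SAMPLE_RULES = [
    ExclusionRule(None, ["not-a-virus:RemoteAdmin*"]),
    ExclusionRule(r"D:\Backup\*.bak", None, scope=("On-demand scan",)),
    ExclusionRule(r"C:\*", ["*"]),
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```
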

CHAPTER 9. ON-DEMAND SCAN

This chapter contains the following information:
- about on-demand scan tasks (see 9.1 on pg. 111);
- configuring on-demand scan tasks (see 9.2 on pg. 112);
- execution of the background on-demand scan tasks (see 9.3 on pg. 131);
- on-demand scan task statistics (see 9.4 on pg. 133).

About on-demand scan tasks

The Anti-Virus provides four on-demand scan system tasks:
- The Scan My Computer task is executed by default on a weekly basis according to the schedule. The Anti-Virus scans all objects of the protected server using security settings with values corresponding to the Recommended level (see on pg. 120). You can modify the settings of the Scan My Computer task.
- The Scan Quarantine task is executed by default according to the schedule after each bases update. The Anti-Virus scans the quarantine folder using the settings listed in 11.3 on pg. You cannot modify the Scan Quarantine task settings.
- The Scan at system startup task is executed at the Anti-Virus startup. The Anti-Virus scans the server startup objects, Anti-Virus software modules, boot sectors and master boot records of hard and removable drives, system memory and memory of processes. The Anti-Virus uses the Recommended pre-defined security level (see on pg. 120). You can change the schedule settings or disable the launch of this task.
- The Application integrity control task is executed according to the schedule at the Anti-Virus startup. The Anti-Virus verifies the authenticity of its executable modules. You cannot modify the Application integrity control task settings. You can change the schedule settings or disable the scheduled launch of this task.

Additionally you can create user-defined on-demand scan tasks. For example, you can create a task for scanning public access folders on the server.

The Anti-Virus may run several on-demand scan tasks at the same time.

For more details on the categories of tasks provided by the Anti-Virus, according to where they were created or saved, refer to 5.1 on pg. 48. For more details about the Anti-Virus Real-time protection and On-demand protection functions refer to on pg. 13. For managing tasks in the Anti-Virus console in MMC refer to Chapter 5 on pg.

Configuring on-demand tasks

You can configure the system on-demand scan task Full computer scan and user-defined on-demand scan tasks. To learn how to create a new user-defined on-demand scan task see 5.2 on pg. 50.

In order to configure an on-demand scan task:

1. Expand the On-demand scan node in the console tree.
2. Click the on-demand scan task you wish to configure in order to open it.
3. Configure the task settings: create the scan scope and, if required, change the security settings. By default the system task Scan My Computer and newly created user-defined tasks have the settings listed in Table 5.
4. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Table 5. Default settings of the Scan My Computer task

Parameter: Scan scope
   Value: entire server. In the server file resource tree the node Shared folders is excluded; the Anti-Virus scans public folders following their actual path to the hard drives.
   Configuration instructions: You can create a scan area (see on pg. 113).

Parameter: Security settings
   Value: common for the entire scan area; matching the Recommended security level.
   Configuration instructions: You can do the following for the nodes selected in the server file resources tree: select a different pre-defined security level (see on pg. 120); manually change security settings (see on pg. 120). You can save security settings as a template to use them later for another node (see on pg. 127).

Parameter: Trusted zone
   Value: If you selected Add to exclusions threats by mask not-a-virus:RemoteAdmin* and Add to exclusions files recommended by Microsoft, remote administration RemoteAdmin programs and files recommended by Microsoft will be excluded.
   Configuration instructions: A unified list of exclusions that you can apply to the selected on-demand scan tasks and the Real-time file protection task. Chapter 8 on pg. 99 contains information about the creation and application of the trusted zone.

Scan scope in the on-demand scan tasks

This chapter contains the following information:
- about defining the scan area (see on pg. 114);
- about pre-defined areas (see on pg. 114);
- defining the scan area (see on pg. 116);
- including the network path to the scan area (see on pg. 117);
- how to create a virtual scan area - include dynamic drive, folder and file (see on pg. 118).

About defining the scan area in the on-demand scan tasks

By default the scan area in the Full computer scan system task or in newly created on-demand scan tasks includes the entire server. You can restrict the scan area to only some areas of the server if the security requirements do not call for scanning all of them.

In the Anti-Virus console the scan area is displayed as a server file resource tree that Anti-Virus can scan. Server file resource tree nodes are displayed as follows:
- The node is included into the scan area.
- The node is excluded from the protection area.
- At least one of the nodes nested in this node is excluded from the scan area, or the security parameters of the nested node differ from the security parameters of this node.

The names of virtual nodes of the protection area are displayed in a blue font.

Pre-defined scan scopes

In order to view the server file resource tree:

1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task whose scan scope you want to view in order to open it (see Figure 41).

Figure 41. An example of server file resource tree in the Anti-Virus console

The results panel displays the server file resource tree. You can create a scan scope from the objects displayed there.

The server file resource tree contains the following pre-defined areas:
- My computer. The Anti-Virus scans the entire server.
- Hard drives. Anti-Virus scans objects on the server's hard drives. You can include into or exclude from the scan area all hard drives, individual disks, folders or files.
- Removable drives. Anti-Virus scans objects on removable media, for example on CDs or USB drives. You can include into or exclude from the scan area all removable disks, individual disks, folders or files.
- System memory. Anti-Virus scans system and process memory.
- Startup objects. Anti-Virus scans objects to which registry keys and configuration files refer, for example WIN.INI or SYSTEM.INI, and the application's modules that are started automatically at the computer's startup.
- Shared folders. Anti-Virus scans all public folders on the protected server.
- Network places. You can add network folders or files to the scan area by indicating the path to them in UNC (Universal Naming Convention) format. The account that you use to launch the task must have access rights to the folders and files added. By default on-demand scan tasks are executed under the Local system (SYSTEM) account. For more details refer to , pg.
- Virtual drives. You can include into the scan area dynamic drives, folders and files as well as drives connected to the server, for example common cluster drives (create a virtual scan area). For more details refer to , pg.

Note: Virtual drives created using the SUBST command are not displayed in the server file resource tree in the Anti-Virus console. In order to scan objects on a virtual drive, include the server folder with which this virtual drive is associated. Connected network drives are not displayed in the server file resource tree either. In order to include objects on a network drive into the scan area, specify the path to the folder corresponding to this network drive in UNC format.

Creating a scan area

If you are remotely managing the Anti-Virus on a protected server via the MMC console installed on the administrator's workstation, you must be a member of the local administrators group on the protected server in order to view folders on that server.

In order to create a scan area:

1. Expand the On-demand scan node in the console tree.
2. Select the on-demand task whose scan scope you wish to create. The server file resource tree will be displayed in the result panel. By default all areas of the protected server will be included into the scan area.
3. Perform the following actions:
   - In order to select nodes that you wish to include into the scan area, uncheck the My computer box in the system on-demand scan task and perform the following:
      o if you wish to include all drives of the same type into the scan area, check the box next to the name of the required disk type;
      o if you wish to include an individual disk into the scan area, expand the node that contains the list of drives of this type and check the box next to the name of the required drive.
For example, in order to select a removable drive F: expand node All removable drives and check the box for drive F.

      o If you would like to include into the scan area an individual folder on the disk, expand the server file resource tree in order to display the required folder and check the box next to its name. Using the same procedure you can also include files into the scan area.
   - In order to exclude an individual node from the scan area, expand the server file resource tree in order to display the required node and uncheck the box next to its name.
4. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

To read about adding to the scan scope:
- a network drive, folder or file, refer to on pg. 117;
- a dynamic drive, folder or file, refer to on pg.

Including network drives, folders or files into the scan area

You can add network drives, folders or files to the scan area by indicating the path to them in UNC (Universal Naming Convention) format.

In order to add the network object to the scan area:

1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task to the scan area of which you wish to add the network path.
3. Right-click the Network path node and select the Add network folder or the Add network file command.
4. Enter the path to a network folder or file in UNC format and press <ENTER>.
5. Check the box next to the added network object to include the added network path into the scan area.
6. If required, change the security settings for the added network object (see on pg. 120).
7. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Creating a virtual scan scope: adding dynamic disks, folders or files to the scan scope

You can include into the scan area dynamic drives, folders and files as well as drives connected to the server, for example common cluster drives (create a virtual scan area). For more details about the virtual scan area refer to on pg. 68.

You can add dynamic drives, folders or files to the virtual scan area.

In order to add a virtual drive into the scan area:

1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task in which you wish to create a virtual scan area in order to open the task.
3. In the result panel of the server file resource tree open the shortcut menu on the Virtual drives node and select the name for the virtual drive being created from the list of available names (see Figure 42).

Figure 42. Selecting name for a virtual drive being created

4. Check the box next to the drive added in order to include the drive into the scan area.

5. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

In order to add a virtual folder or a virtual file into the scan area:

1. Expand the On-demand scan node in the console tree.
2. Click on the on-demand scan task in which you wish to create a virtual scan area in order to open the task.
3. Open the shortcut menu on the node into which you wish to add a folder or a file in the results panel in the server file resources tree and select Add virtual folder or Add virtual file.

Figure 43. Adding a virtual folder

4. In the entry field specify the name for the folder (file). You can use a folder (file) name mask. Use the special symbols * and ? for the mask.
5. In the line with the name of the folder (or file) created, check the box in order to include this folder (file) into the scan area.
6. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Configuring security settings for the selected node

You can configure security settings in the selected on-demand scan task either as common settings for the entire scan area or as individual settings for individual nodes in the server file resource tree.

The security settings that you configure for the selected node will automatically be applied to all nodes nested into it. However, if you configure security settings for a nested node separately, the security settings of the parent node will not apply to it.

You can configure settings of the selected scan area using one of the following methods:
- select one of the three pre-defined security levels (minimum, recommended or maximum) (see on pg. 120);
- manually change security settings of the selected nodes in the server file resource tree (see on pg. 123).

You can save the set of settings of the node into a template so that you can later apply this template to other nodes (see on pg. 127).

Selecting pre-defined security levels for on-demand scan tasks

You can apply one of the three following security levels for the node selected in the server file resources tree: a) maximum speed, b) recommended and c) maximum protection. Each of these levels has its own pre-defined set of security settings. These settings are provided in Table 6.

Maximum Speed
You can set the Maximum Speed security level on the server if, apart from the use of Anti-Virus on the servers and workstations, there are additional computer security measures in your local network, for example, firewalls are set up and network user security policies are in place.

Recommended
The Recommended security level is set by default. This security level is considered by Kaspersky Lab's experts to be sufficient for scanning servers in most networks. It ensures the optimum combination of scan quality and speed.

Maximum Protection
Use the Maximum Protection security level if there are no other computer security measures in your network.

To learn how to manually configure security parameters for the selected node in the file resource tree see on pg.

Table 6. Pre-defined security levels and corresponding security settings

Detectable objects (see A.3.2 on pg. 360)
   Maximum Speed: by format; Recommended: all objects; Maximum Protection: all objects
Scan new and modified objects only (see section A.3.3 on pg. 362)
   Maximum Speed: Enabled; Recommended: Disabled; Maximum Protection: Disabled
Actions to be performed with infected objects (see A.3.5 on pg. 364)
   Maximum Speed: disinfect, delete if disinfection is not possible; Recommended: disinfect, delete if disinfection is not possible; Maximum Protection: disinfect, delete if disinfection is not possible
Actions to be performed with suspicious objects (see A.3.6 on pg. 366)
   Maximum Speed: isolate (quarantine); Recommended: isolate (quarantine); Maximum Protection: isolate (quarantine)
Excluding objects (see A.3.8 on pg. 369)
   Maximum Speed: no; Recommended: no; Maximum Protection: no
Excluding threats (see A.3.9 on pg. 370)
   Maximum Speed: no; Recommended: no; Maximum Protection: no
Maximum object scan time (see A.3.10 on pg. 372)
   Maximum Speed: 60 sec; Recommended: no; Maximum Protection: no

Maximum composite object size (see A.3.11 on pg. 372)
   Maximum Speed: 8; Recommended: no; Maximum Protection: no
NTFS streams scan (see A.3.2 on pg. 360)
   Maximum Speed: yes; Recommended: yes; Maximum Protection: yes
Detectable objects (see A.3.2 on pg. 360)
   Maximum Speed: yes; Recommended: yes; Maximum Protection: yes
Scanning composite objects (see A.3.4 on pg. 363)
   Maximum Speed: SFX-archives*, packed objects*, embedded OLE-objects* (*new and modified objects only)
   Recommended: archives*, SFX-archives*, packed objects*, embedded OLE-objects* (*all objects)
   Maximum Protection: archives*, SFX-archives*, mail databases*, mail format files*, packed objects*, embedded OLE-objects* (*all objects)

Note: The scan settings Use iChecker and Use iSwift are not included in the set of settings of the pre-defined security levels. By default these settings are enabled. If you change the state of Use iChecker and Use iSwift, the pre-defined security level will not change.

In order to select one of the pre-defined security levels:

1. Select the On-demand scan node in the console tree.
2. Select the on-demand scan task in which you wish to configure the security level.

3. Select the scan area node for which you wish to select the pre-defined security level.
4. Make sure that this node is included into the scan area (see on pg. 114).
5. Using the Security level dialog box (see Figure 44) select the security level you wish to apply.

Figure 44. The Security level dialog box

The dialog box will display the list of security settings corresponding to the security level you selected.

6. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Configuring security settings manually

In order to configure security settings manually:

1. Select the On-demand scan node in the console tree.
2. Select the on-demand scan task in which you wish to configure the security level.

3. Select the scan area node for which you wish to configure the security settings. Make sure that this node is included into the scan area (for more details about defining the scan area refer to on pg. 116). The Security level dialog box will then be displayed in the bottom part of the results panel (see Figure 45).

Figure 45. The Security level dialog box

Press the Settings button in order to open the Security settings dialog box.

Note: You can open the Security Settings dialog box for the selected node in the file resource tree by right-clicking this node and selecting Properties.

4. In the Security Settings dialog box configure the required security settings for the selected node in accordance with your requirements.

In the General tab (see Figure 46) perform the following actions:
   o under the Scan scope heading, indicate whether the Anti-Virus will scan all objects in the scan area or only objects with certain formats or extensions, and whether it will scan disk boot sectors and master boot records and alternative NTFS streams (see A.3.2 on pg. 360);
   o under the Productivity heading, specify whether Anti-Virus will scan all objects within the selected area or only new and modified objects (see section A.3.3 on pg. 362);
   o under the Process compound objects heading, indicate which composite objects will be scanned by the Anti-Virus (see A.3.4 on pg. 363).

Figure 46. The Security Settings dialog box of the On-demand scan task, the General tab

In the Actions tab (see Figure 47) configure the following:
   o actions to be performed with infected objects (see A.3.5 on pg. 364);
   o actions to be performed with suspicious objects (see A.3.6 on pg. 366);
   o actions to be performed with objects depending on the threat type (see A.3.7 on pg. 368).

Figure 47. The Security Settings dialog box of the On-demand scan task, the Actions tab

Using the Performance tab (see Figure 48) configure the following, if necessary:
   o excluding objects (see A.3.8 on pg. 369);
   o excluding threats (see A.3.9 on pg. 369);
   o maximum time of the object scan (see A.3.10 on pg. 372);
   o maximum composite detectable object size (see A.3.11 on pg. 372);
   o using iChecker technology (see A.3.12 on pg. 373);
   o using iSwift technology (see A.3.13 on pg. 374).

Figure 48. The Security Settings dialog box of the On-demand scan task, the Performance tab

5. After you have configured the required security settings, open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Working with templates in on-demand scan tasks

This section contains the following information:
- Saving security settings to a template (see on pg. 128);
- Viewing security settings in a template (see on pg. 129);
- Applying a template (see on pg. 130);
- Deleting a template (see on pg. 131).

Saving security settings to a template

After you have configured the settings of any node in the server file resource tree in an on-demand scan task, you can save this set of settings into a template in order to apply it to other nodes in the same task or in other on-demand tasks.

In order to save a set of security settings into a template:

1. Select On-demand scan in the console tree.
2. Select the on-demand scan task whose security settings you wish to save into the template.
3. In the server file resource tree select the scan area node whose set of settings you wish to save.
4. In the General tab of the Settings dialog box press the Save to template button.
5. In the Template properties dialog box (see Figure 49) perform the following actions:
   - Enter the template name in the Template name field.
   - Enter additional template information in the Description field.

Figure 49. The Template properties dialog box

6. Press OK. The template with the set of parameter values will be saved.

Viewing security settings in a template

To view security settings in a template that you have created:

1. Open the context menu on the On-demand scan node and select the Templates command (see Figure 50).

Figure 50. The Templates dialog box

The Templates dialog box displays a list of templates that you can apply to on-demand scan tasks.

2. To view the information and security settings in a template, select the template from the list and click the View button (see Figure 51).

Figure 51. The <Template name> dialog box, Settings tab

The General tab displays the template name and additional information about the template; the Settings tab lists the security settings saved in the template.

Applying a template

In order to apply a template with security settings:

1. First save the security settings to a template (see on pg. 128).
2. Select the On-demand scan node in the console tree.
3. Select an on-demand scan task in which you wish to apply security settings.
4. In the server file resource tree right-click on the node to which you wish to apply the template and select Apply template List of templates.
5. Use the list of templates to select the template to apply.

6. To save the changes press OK in the Security Settings dialog box.

Note: If you apply a template to a parent node, the security parameters from the template will also be applied to all nested nodes except those for which you have configured security parameters separately. In order to apply the security settings from the template to all nested nodes, before you apply the template you must uncheck the parent node in the server's file resources tree and then check it again. Apply the template to the parent node. All nested nodes will have the same security settings as the parent node.

Deleting a template

To delete a template:

1. Open the context menu on the On-demand scan node and select the Templates command (see Figure 50).
2. In the Templates dialog box, select the template that you want to delete from the template list and click the Delete button.
3. Click Yes in the confirmation window. The selected template will be deleted.

Running a background on-demand scan task

By default the processes in which the Anti-Virus tasks are executed are assigned the base priority Medium (Normal).

You can assign the process that will run an on-demand scan task a Low priority. Demoting the process priority increases the time required to execute the task, but it may have a beneficial effect on the execution speed of the processes of other active applications.

Several background tasks can be running in one working process with low priority. You can indicate the maximum number of processes to run background on-demand scan tasks (see A.1.3 on pg. 342).

You can specify the task priority when you create it or later in the Task properties dialog box.

In order to change the priority of an on-demand scan task:

1. Expand the On-demand scan node in the console tree.

2. Open the shortcut menu on the on-demand scan task whose priority you wish to change and select Properties. A Scan My Computer Properties dialog box will open (see Figure 52).

Figure 52. The Scan My Computer Properties dialog box

3. Perform one of the following actions on the General tab:
   - in order to enable the background task execution mode, check the Execute task in the background box;
   - in order to disable the background task execution mode, uncheck the Execute task in the background box.

Note: If you enable or disable the background mode for a running task, the task priority will not change immediately. Instead it will change the next time this task is run.

On-demand scan task statistics

While an on-demand scan task is being executed you can view information about the number of objects processed by Anti-Virus since it was started until the current moment in the Statistics dialog box.

If you pause a task, its statistics will be available in the Statistics dialog box. After the task is completed or stopped you can view the task statistics in the detailed report about the task events (see on pg. 191).

In order to view the statistics of an on-demand scan task:

1. Expand the On-demand scan node in the console tree.
2. Open the shortcut menu on the on-demand scan task whose statistics you wish to view and select Statistics (see Figure 53).

Figure 53. The Task execution status dialog box

The following information about objects processed by Anti-Virus since it was started until the current moment will be displayed in the Task execution status dialog box:

Fields in the Application Integrity Control task:

- Modules with breached integrity: number of modules with breached integrity. If modules with breached integrity are detected, restore Anti-Virus. For instructions see the document Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition. Installation Guide.
- Total number of modules verified: the total number of verified modules.

Fields in the tasks Full computer scan, Scan at the system startup, Scan Quarantine and user-defined on-demand scan tasks:

- Threats detected: the number of threats detected; for example, if Anti-Virus detects one malware program in five objects, the value in this field will be incremented by one.
- Infected objects detected: total number of infected objects detected.
- Suspicious objects detected: total number of suspicious objects detected.
- Objects not disinfected: the number of objects that Anti-Virus did not disinfect because: a) the type of the threat contained in the object does not provide for disinfection; b) objects of this type cannot be disinfected; c) an error occurred during the disinfection.
- Objects not quarantined: number of objects that Anti-Virus must have quarantined, but was unable to do so due to an error, for example due to insufficient disk space.
- Objects not deleted: number of objects that Anti-Virus attempted but was unable to delete because, for example, access to the object was blocked by another program.

- Objects not scanned: number of objects in the scan scope that Anti-Virus failed to scan because, for example, access to the object was blocked by another program.
- Objects not backed up: number of files copies of which Anti-Virus attempted to save to Backup but was unable to due to an error.
- Scan errors: number of objects during the processing of which Anti-Virus encountered an error.
- Objects disinfected: number of objects disinfected by Anti-Virus.
- Objects quarantined: number of objects quarantined by Anti-Virus.
- Objects backed up: number of files copies of which Anti-Virus saved to Backup.
- Objects deleted: number of objects deleted by Anti-Virus.
- Password protected objects: number of objects (for example archives) that Anti-Virus skipped as they were password-protected.
- Corrupted objects: number of objects skipped by Anti-Virus as their format is corrupted.
- Objects scanned: total number of objects scanned by the Anti-Virus.

CHAPTER 10. UPDATING ANTI-VIRUS BASES AND APPLICATION MODULES

This chapter contains the following information:
- about updating of the Anti-Virus bases (see 10.1 on pg. 136);
- about updating of the application modules (see 10.2 on pg. 138);
- schemes for updating bases and application modules of the Anti-Virus applications used within the organization (see 10.3 on pg. 139);
- description of the updating tasks (see 10.4 on pg. 143);
- configuring updating tasks:
   o selecting the update source, configuring connection with the update source, specifying the location of the protected server in the update tasks (see on pg. 145);
   o configuring the settings of the Updating application modules task (see on pg. 150);
   o configuring the settings of the Updates distribution task (see on pg. 152);
- statistics of the updating tasks (see 10.6 on pg. 153);
- Anti-Virus database update rollback (see 10.7 on pg. 154);
- application modules update rollback (see 10.8 on pg. 154).

About updating Anti-Virus bases

Anti-Virus bases stored on the protected server soon become outdated. Kaspersky Lab's Anti-Virus analysts detect hundreds of new threats on a daily basis, create records that identify them and include them into the database updates. (Database updates are one or several files containing records identifying threats that were detected during the time since the previous update was created.) In order to maintain protection of servers at the required level, we recommend that you receive database updates regularly.

In order to minimize the server infection risk, download bases updates on a regular basis. By default, if the Anti-Virus bases are not updated within a week after the moment the latest installed bases updates were created, a Bases obsolete event occurs, and if the bases are not updated within two weeks, a Bases outdated event will occur (information about the bases up-to-date status is displayed in the Statistics node, see section 13.4 on pg. 203). You can specify the number of days before these events occur using the general Anti-Virus settings (see 3.2 on pg. 40) and configure administrator notifications about these events (see 15.2 on pg. 216).

You can update bases from Kaspersky Lab's FTP or HTTP update servers or from other update sources using the Anti-Virus task Application database update. For details about the task Application database update see 10.4 on pg.

You can download updates to each protected server or use one computer as an intermediary by copying all updates onto it and then distributing them to the servers. If you use the Kaspersky Administration Kit application for the centralized administration of protection of computers in a company, you can use the Kaspersky Administration Kit administration server as an intermediary for downloading updates.

In order to copy bases to the intermediary computer without using them, use the Updates Distribution task. For more details about this task see 10.4 on pg.

You can launch the database update tasks manually or using a schedule (to learn how to configure a task schedule see 5.7 on pg. 53).

If the update downloading process is interrupted or results in an error, the Anti-Virus will automatically switch back to using bases with the latest installed updates. If the Anti-Virus bases become corrupted you can manually roll them back to the previously installed updates (see 10.7 on pg. 154).
Note If you do not have internet access you can receive update files on diskettes or CD from our partners. You can view information about the partner you have purchased your copy of Anti-Virus from in the properties of the installed key of the Anti-Virus console. You can also call our central office in Moscow at +7 (495) , +7 (495) or +7 (495) for the address of the our partner located closest to you (support is provided in Russian and English).
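The default thresholds described above (Bases obsolete after one week, Bases outdated after two weeks) can also be checked for many servers at once, outside the console. The following is an added example, not Kaspersky Lab code: the CSV inventory format, its column names and the treatment of the exact threshold day as already stale are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Defaults stated in the guide; both can be changed in the general Anti-Virus settings.
OBSOLETE_AFTER = timedelta(days=7)    # "Bases obsolete" event
OUTDATED_AFTER = timedelta(days=14)   # "Bases outdated" event

# Constructed sample inventory. The format and column names are hypothetical:
# one row per server with the creation time (UTC) of its installed bases.
SAMPLE_INVENTORY = """server,bases_created_utc
FS01,2008-07-30T09:00:00
FS02,2008-07-22T09:00:00
DB01,2008-07-10T09:00:00
APP01,
APP02,2008-08-05T09:00:00
"""

# Report order: most urgent first, healthy servers last.
SEVERITY = {"outdated": 0, "unknown": 1, "future-dated": 2, "obsolete": 3, "current": 4}


def parse_utc(text):
    """Return an aware UTC datetime, or None if the field is empty or malformed."""
    text = (text or "").strip()
    if not text:
        return None
    try:
        parsed = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def classify(created, now, obsolete_after=OBSOLETE_AFTER, outdated_after=OUTDATED_AFTER):
    """Map the creation time of the installed bases to a staleness status."""
    if created is None:
        return "unknown"          # no data is treated as a finding, not as healthy
    age = now - created
    if age < timedelta(0):
        return "future-dated"     # clock skew or a bad record; needs a manual look
    if age >= outdated_after:     # assumption: the threshold day itself counts
        return "outdated"
    if age >= obsolete_after:
        return "obsolete"
    return "current"


def audit(inventory_csv, now, obsolete_after=OBSOLETE_AFTER, outdated_after=OUTDATED_AFTER):
    """Return (server, status, age_in_days) tuples, most urgent first."""
    rows = []
    for record in csv.DictReader(io.StringIO(inventory_csv)):
        created = parse_utc(record.get("bases_created_utc"))
        status = classify(created, now, obsolete_after, outdated_after)
        age_days = None if created is None else (now - created).days
        rows.append((record["server"], status, age_days))
    rows.sort(key=lambda row: (SEVERITY[row[1]], row[0]))
    return rows


if __name__ == "__main__":
    # Fixed "now" so the constructed sample always produces the same report.
    report_time = datetime(2008, 7, 31, 12, 0, tzinfo=timezone.utc)
    for server, status, age_days in audit(SAMPLE_INVENTORY, report_time):
        age = "n/a" if age_days is None else f"{age_days} d"
        print(f"{server:<6} {status:<13} bases age: {age}")
```

Servers with no usable timestamp are reported as "unknown" rather than "current", so a server that has stopped reporting does not pass as up to date.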

About updating application modules

Kaspersky Lab can issue update packages for Anti-Virus application modules. The update packages can be urgent (or critical) and scheduled. Critical update packages repair vulnerabilities, while scheduled packages add new functions or enhance existing functions.

Urgent (critical) update packages are uploaded to Kaspersky Lab's update servers. You can download and install them automatically by configuring the Application modules update task.

Kaspersky Lab does not publish scheduled update packages on the update servers for automatic installation; you can download them from Kaspersky Lab's website. Using the Application modules update task, you can receive information about the release of scheduled Anti-Virus updates.

You can download urgent updates from the Internet to each protected server or use one computer as an intermediary by copying all updates onto it and then distributing them to the servers. In order to copy and save updates without installing them, use the Updates Distribution task. For more details about this task, see 10.4 on pg.

Before installing updates of application modules, Anti-Virus creates backup copies of the previously installed modules. If the application modules updating process is interrupted or results in an error, Anti-Virus will automatically return to using the previously installed application modules. Additionally, you can roll back application modules manually (see 10.8 on pg. 154).

During the installation of downloaded updates, the Anti-Virus service automatically stops and then restarts.

Note: If you do not have internet access, you can receive update files on diskettes or CD from our partners. You can view information about the partner from which you purchased your copy of Anti-Virus in the properties of the installed key in the Anti-Virus console. You can also call our central office in Moscow at +7 (495) , +7 (495) or +7 (495) for the address of our partner located closest to you (support is provided in Russian and English).

Schemes for updating bases and application modules of the Anti-Virus applications used within the organization

Your choice of the update source in the update tasks depends on the bases and application modules update scheme you use within your organization.

You can update Anti-Virus bases and modules on the protected servers using the following schemes:

- download updates directly from the Internet to each protected server (Scheme 1);
- download updates from the Internet to an intermediary computer and distribute updates to the servers from it. Any computer with the software listed below installed can serve as an intermediary computer:
  - Anti-Virus (one of the protected servers) (Scheme 2); or
  - Kaspersky Administration Kit administration server (Scheme 3).

Updating through an intermediary computer decreases internet traffic and also provides additional security for the servers.

The update schemes listed above are described below.

Scheme 1. Updating directly from the Internet

Configure the Updating application bases (Updating application modules) task on each protected server. Specify Kaspersky Lab's update servers as the update source. Configure the task schedule.

You can specify other HTTP or FTP servers containing the folder with the update files as the update source.

Figure 54. Updating directly from the Internet

Scheme 2. Updating from one of the protected servers

Updating that uses this scheme (see Figure 55) includes the following steps:

Step 1. Copying updates to the selected protected server

Configure the Updates distribution task on the selected server. Specify Kaspersky Lab's update servers as the update source. Specify a folder into which updates will be saved: it must be a public folder.

Using this task, you can receive updates not only for the protected server but also for computers in the local area network that have other Kaspersky Lab applications of version 6.0 installed (for example, Kaspersky Anti-Virus 6.0 for Windows Workstations).

Step 2. Distribution of updates to the rest of the protected servers

Configure the Application database update (Application modules update) task on each protected server. In this task, specify as the update source the folder on the intermediary computer's drive into which you downloaded the updates.

Figure 55. Updating from one of the protected servers

Scheme 3. Updating via Kaspersky Administration Kit administration server

If you use the Kaspersky Administration Kit application for centralized administration of Anti-Virus computer protection, you can download updates via the Kaspersky Administration Kit administration server (see Figure 56).

Figure 56. Updating via Kaspersky Administration Kit administration server

Updating that uses this scheme includes the following steps:

Step 1. Downloading updates from Kaspersky Lab's update servers to the Kaspersky Administration Kit administration server

Configure the global task Receiving updates by Administration server. Specify Kaspersky Lab's update servers as the update source.

Using this task, you can receive updates not only for the protected servers but also for computers in the local area network that have other Kaspersky Lab applications of version 6.0 installed (for example, Kaspersky Anti-Virus 6.0 for Windows Workstations).

Step 2. Distribution of updates to the protected servers

Distribute updates to the protected servers using one of the following methods:

- Configure on the Kaspersky Administration Kit Administration Server an Anti-Virus bases (application module) update group task for distributing updates to the protected servers; in the task schedule, specify the launch frequency Upon receiving updates by Administration server. The Administration Server will launch the task each time it receives updates (this is the recommended method).

  Configure the task schedule. You can specify the launch frequency option After receiving updates by Administration server. The task will be launched each time the Administration Server receives bases updates.

  Note: You cannot specify the launch frequency After receiving updates by Administration server in the Anti-Virus console in MMC.

- Configure the Application database update (Application modules update) task on each of the protected servers and select the Kaspersky Administration Kit administration server as the update source in this task. Configure the task schedule.

If you plan to use the Kaspersky Administration Kit administration server for distributing updates, install Network Agent on each of the protected servers. Network Agent is an application component included in the installation package of Kaspersky Administration Kit. It ensures interaction between the Administration Server and Anti-Virus on the protected server. For more details about Network Agent and its configuration using Kaspersky Administration Kit, see the document Kaspersky Administration Kit. Administrator's Guide.

Updating tasks

There are four pre-defined system updating tasks in Anti-Virus: Updating database, Updating application modules, Updates distribution and Database rollback (see Figure 57).

Figure 57. Updating tasks in the Anti-Virus console window

Application database update

Anti-Virus copies bases from the update source to the protected server and immediately starts using them in the running real-time security and on-demand scan tasks.

By default, Anti-Virus starts the Application database update task every hour; it connects to the update source, one of the Kaspersky Lab update servers, automatically detecting the proxy server settings in the network and using no authentication when accessing the proxy server.

Application modules update

Anti-Virus copies updates of its application modules from the update sources to the protected server and installs them. A computer restart may be required in order to start using the installed application modules.

Weekly, on Fridays at 16:00 (time in the format established by the regional settings of the protected server), Anti-Virus runs the Application modules update task to check for available patches and upgrades of Anti-Virus modules without downloading them.

Updates distribution

Anti-Virus downloads database and application module update files and saves them to the specified network or local folder without applying them.

Database update rollback

Anti-Virus returns to using the previously installed bases.

Please refer to section 10.5 on pg. 144 for details on the configuration of update tasks.

Note: You can stop the updating tasks; however, you cannot pause them. For managing tasks in Anti-Virus, refer to 5.6 on pg.

Configuring updating tasks

This section describes how you can perform the following actions in the updating tasks:

- select the update source, configure connection with the update source, specify the location of the protected server to optimize the updates downloading process (see on pg. 145);
- configure the settings of the Updating application modules task (see on pg. 150);
- configure the settings of the Updates distribution task (see on pg. 152).

Selecting the update source, configuring the connection with the update source and regional settings

In each updating task you can specify one or several update sources, configure the connection with the sources and specify the location of the protected server for optimization of the updates (regional settings).

In order to configure the update settings:

1. Select Update in the console tree.
2. Open the shortcut menu on the update task for which you wish to configure the update source and select Properties. Using the tabs of the Task properties dialog box, configure the update settings based on your requirements.
3. Using the General tab (see Figure 58), select the source from which you wish to receive updates (for more details refer to A.5.1 on pg. 381).

Figure 58. The Task properties dialog box, General tab

4. If you select Custom HTTP, FTP-servers or network folders, add one or several user-defined update sources. In order to specify a source, press the Change button and, in the Update Servers dialog box (see Figure 59), press the Add button, then use the entry field to specify the address of the folder with the update files on an FTP or HTTP server; specify a local or a network folder in the UNC (Universal Naming Convention) format. Press the OK button.

   You can enable or disable added user-defined sources: in order to disable a source you added, uncheck the box next to it in the list; in order to enable a source, check the box next to it in the list.

   In order to change the order in which Anti-Virus calls the user-defined sources, use the Up and Down buttons to move the selected source towards the beginning or the end of the list, depending on whether you wish to use it before or after other sources.

   Figure 59. Adding user-defined update sources

   In order to change the path to a source, select the source in the list and press the Change button, make the required changes in the entry field and press the <Enter> key.

   In order to remove a source, select it in the list and press the Delete button. The source will be deleted from the list.

5. In order to use Kaspersky Lab's update servers to download updates if the user-defined sources are unavailable, check the Use Kaspersky Lab's update servers if custom servers or network folders are not accessible box.
6. Using the Connection Settings tab (see Figure 60), configure the connection with the update source.

   Figure 60. The Task properties dialog box, Connection settings tab

   Perform the following actions:

   - specify the FTP server mode for connection to the protected server (see A.5.2 on pg. 382);
   - if required, change the update source connection timeout (see A.5.3 on pg. 383);
   - if access to a proxy server is required for downloading updates from one of the specified sources, describe the proxy server access settings:
     - the use of a proxy server for connection to various update sources (see A on pg. 384);
     - address of a proxy server (see A on pg. 385);
     - authentication method when accessing the proxy server (see A on pg. 385).

7. Using the Regional Settings tab (see Figure 61), select from the Location list the country where the protected server is located (for more details about this setting refer to A.5.5 on pg. 387).

   Figure 61. The Task properties dialog box, the Regional settings tab

8. After you have configured the required settings, press the OK button to save the changes.

Configuring Updating application modules task settings

In order to configure the settings of the Application modules update task:

1. Select Update in the console tree.
2. Right-click the Updating application modules task and select Properties.
3. In the Properties: Application Modules Update dialog box, specify the update source and the settings used to connect to it (see instruction in section on pg. 145).
4. On the General tab (see Figure 62), select whether you wish to download and install the updates or only check for their availability (for more details about this setting refer to A on pg. 388).

   Figure 62. The Application modules update Properties dialog box, the General tab

5. If you want Anti-Virus to automatically restart the server when a restart is required to apply installed application modules, check the Allow system reboot box.
6. If you wish to receive information about the release of scheduled Anti-Virus updates, check the Receive information about available application modules updates box.

   Kaspersky Lab does not publish scheduled update packages on the update servers for automatic updating; you can download them manually from Kaspersky Lab's website. You can configure administrator notification about the event Scheduled Anti-Virus updates available, which will contain the URL of our site from which you can download scheduled updates (for more details about the notification refer to 15.2 on pg. 216).

7. Press OK to save the changes.

Configuring Download updates task settings

In order to configure Updates distribution task settings:

1. Select Update in the console tree.
2. Right-click the Updates distribution task and select Properties.
3. In the Properties: Updates distribution dialog box (see Figure 63), specify the update source and the settings used to connect to it (see instruction in section on pg. 145).

   Figure 63. The Updates distribution Properties dialog box, the General tab

4. On the General tab, specify the scope of the updates to be downloaded to the specified folder (for more details about this setting refer to A on pg. 389).
5. Specify a local or a network folder into which Anti-Virus will save the downloaded updates (for more details about this setting refer to A.5.7.2 on pg. 390).
6. Press OK to save the changes.

Updating task statistics

While an updating task is running, you can view in real time information about the amount of data downloaded from the moment the task was launched until the current moment (task execution statistics).

Information in the Statistics dialog box will be available if you pause. After the task is completed or stopped, you can view this information in a detailed report about events in the task (see on pg. 191).

In order to view the updating task statistics:

1. Expand the Update node in the console tree.
2. Right-click the required task and select Statistics.

For the Application database update and Updates distribution tasks, the Task execution status dialog box indicates the amount of data downloaded by Anti-Virus as of the current moment (Received data).

The Update application modules Task execution status dialog box displays the following information:

| Field | Description |
|---|---|
| Downloaded data | Total amount of downloaded data |
| Available critical updates | Number of critical updates available for installation |
| Available planned updates | Number of scheduled updates available for installation |
| Errors applying updates | If the value of this field is not zero, the update was not applied. You can view the name of the update that caused an error during the attempt to apply it in the detailed task execution report. |

Rolling back Anti-Virus database updates

Before applying database updates, Anti-Virus creates backup copies of the bases currently in use. If the update has been interrupted or has resulted in an error, Anti-Virus will automatically return to using the previously installed bases.

If you encounter any problems after a database update, you can roll the bases back to the previously installed bases by starting the Rollback update task.

Rolling back application modules update

Before applying updates of application modules, Anti-Virus creates backup copies of the modules currently in use.

If the modules updating process has been interrupted or has resulted in an error, Anti-Virus will automatically return to using the modules with the latest installed updates.

You can manually roll application modules back to the previously installed updates. In order to roll back the application modules, use the Microsoft Windows component Add and remove programs.

CHAPTER 11. ISOLATION OF SUSPICIOUS OBJECTS. USING QUARANTINE

This chapter contains the following information:

- about isolation of suspicious objects (see 11.1 on pg. 155);
- viewing quarantined objects, sorting and filtering objects (see 11.2 on pg. 156);
- scanning quarantined objects (on demand or automatically after each bases update) (see 11.3 on pg. 160);
- restoration of objects from quarantine (see 11.4 on pg. 162);
- manual quarantining of objects (see 11.5 on pg. 166);
- deletion of quarantined objects (see 11.6 on pg. 166);
- sending suspicious objects from quarantine to Kaspersky Lab for analysis (see 11.7 on pg. 167);
- configuring quarantine settings (see 11.8 on pg. 169);
- quarantine statistics (see 11.9 on pg. 171).

Description of the Quarantine settings is provided in section A.6 on pg.

About isolation of suspicious objects

Anti-Virus isolates objects that it finds suspicious by placing them into quarantine: it moves them from their original location into a special folder where, for security, they are stored in encrypted form. (For more details on how Anti-Virus finds objects suspicious see on pg. 17).

Viewing quarantined objects

You can view quarantined objects in the Quarantine node of the Anti-Virus console.

To view quarantined objects, select the Quarantine node in the console tree (see Figure 64).

In order to find the required object in the list of quarantined objects, you can sort the objects (see on pg. 158) or filter the objects (see on pg. 159).

Figure 64. Information about quarantined object in the Quarantine node

The following information is displayed in the results panel for each quarantined object:

Object: Name of the quarantined object.

Result: Status of the quarantined object. It may have the following values:

- Warning. The object has been found suspicious by the heuristic code analyzer.
- Suspicious. The object has been found suspicious: partial coincidence of a section of the object's code with a section of the code of a known threat has been detected.
- Infected. The object has been found infected: full coincidence of a section of the object's code with a section of the code of a known threat has been detected.
- False alarm. Anti-Virus placed the object into quarantine as suspicious or you quarantined the object manually, but based on the result of the quarantine scan using updated bases Anti-Virus found that the object is not infected.
- Disinfected. Anti-Virus placed the object into quarantine as suspicious or you quarantined the object manually, but during the quarantine scan using the updated database Anti-Virus found the object infected and disinfected it. You can safely restore the object.
- Added by the user. The object was quarantined by the user.

Danger level: The threat level indicates how harmful the object is for the server. The severity level depends on the class of the threat contained in the object and may assume the following values (for more information about threat classes refer to on pg. 14):

- High. The object may contain a threat of the following classes: "network worms", "classic viruses", "Trojan horses", or a threat of an undefined class (this class includes new viruses not currently assigned to any known class).
- Medium. The object may contain a threat of class "other malware", "adware" or "pornware".
- Low. The object may contain a threat of class "riskware".
- Information. The object was quarantined by the user.

Threat type: The threat type according to Kaspersky Lab's classification, included in the full name of the threat returned by Anti-Virus when it finds the object suspicious or infected.

Threat name: The threat name according to Kaspersky Lab's classification, included in the full name of the threat in the object returned by Anti-Virus when it finds the object suspicious or infected. You can view the full name of the threat in the Reports node.

Date of placement: Date when the object was quarantined.

Source path: Full path to the original object location, for example to the folder from which the object was moved to the quarantine folder, the file contained in the archive or the .pst file in the mail database.

Size: Object size.

User name: This column displays the following data:

- if the object was isolated by Anti-Virus in the Real-Time File Protection task: the name of the account under which the application accessed the object at the moment of interception;
- if the object was isolated by Anti-Virus in an on-demand scan task: the name of the account under which the task was executed;
- if the user quarantined the object manually: the account name of this user.

Sorting quarantined objects

By default, the objects in the list of quarantined objects are sorted by the date when they were quarantined, in reverse chronological order. In order to find a required object, you may sort objects by the content of the columns with information about the objects. The result of the sorting will be saved if you leave the Quarantine node and then open it again, or if you close the Anti-Virus console, save the msc file and then open the console again from this file.

In order to sort objects:

1. Select the Quarantine node in the console tree.
2. In the result panel, click the heading of the column by which you wish to sort the objects.

Filtering quarantined objects

To find a required quarantined object, you can filter objects in the list: display only those objects that satisfy the filtering criteria (filters) that you specify. The result of the filtering will be saved if you leave the Quarantine node and then open it again, or if you close the Anti-Virus console, save the msc file and then open the console again from this file.

To specify one or several filters:

1. Open the shortcut menu on the Quarantine node in the console tree and select Filter. The Filter settings dialog box will open (see Figure 65).

   Figure 65. The Filter settings box

2. To add a filter:

   a) In the Field name list, select the field to which the filter value will be compared.
   b) In the Operator list, select the filtering condition. The values of the filtering conditions in the list may differ depending on the value you have selected in the Field name list.
   c) Enter the filter value in the Field value field or select it from the list.
   d) Press the Add button.

   The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add. If you specify several filters, they will be combined using logical "AND".

   In order to delete a filter, select the filter you wish to delete in the filter list and press the Delete button.

   In order to edit a filter, select the filter in the list displayed in the Filter settings dialog box. Then change the required values in the Field name, Operator or Field value fields and press the Replace button.

3. After you have added all filters, press the Apply button.

In order to display all objects in the list of quarantined objects again, open the shortcut menu on the Quarantine node in the console tree and select Remove Filter.

Scanning quarantined objects. The Scan Quarantine task settings

By default, each time after the database is updated, Anti-Virus executes the Scan Quarantine system task. The task settings are described in Table 7. You cannot modify them.

You can modify the schedule for the Scan Quarantine task or start it manually.

After scanning the quarantined objects with updated bases, Anti-Virus may find some objects not infected: the status of such objects will change to False alarm. Other objects can be found infected by Anti-Virus, and Anti-Virus may perform on these objects the actions specified by the settings of the Scan Quarantine on-demand scan task: disinfect, delete if disinfection is not possible.

Table 7. The Scan quarantine task settings

| The Scan quarantine task settings | Value |
|---|---|
| Scan scope | Quarantine folder |
| Scan settings | Common for the entire scan area; their values are provided in Table 8. |

Table 8. Scan settings in the Scan quarantine task

| Parameter | Value |
|---|---|
| Detectable objects (see A.3.2 on pg. 360) | all objects |
| Scanning of new and modified objects only (see section A.3.3 on pg. 362) | Disabled |
| Actions to be performed with infected objects (see A.3.5 on pg. 364) | disinfect, delete if disinfection is not possible |
| Actions to be performed with suspicious objects (see A.3.6 on pg. 366) | skip |
| Excluding objects (see A.3.8 on pg. 369) | no |
| Excluding threats (see A.3.9 on pg. 370) | no |
| Maximum object scan time (see A.3.10 on pg. 372) | no |
| Maximum size of the object to be scanned (see A.3.11 on pg. 372) | no |
| NTFS streams scan (see A.3.2 on pg. 360) | yes |
| Scan of boot sectors (see A.3.2 on pg. 360) | no |
| The use of iChecker technology (see A.3.12 on pg. 373) | disabled |
| The use of iSwift technology (see A.3.13 on pg. 374) | disabled |
| Scanning composite objects (see A.3.4 on pg. 363) | archives*, SFX-archives*, packed objects*, embedded OLE-objects* |

* Scanning New and modified objects only is disabled.

Restoring objects from quarantine

Anti-Virus places suspicious objects into the quarantine folder in encrypted form to protect the server against their possible harmful effect.

You can restore any object from the quarantine. This may be required in the following cases:

- if after the quarantine scan using the updated database the status of the object changed to False alarm or Disinfected;
- if you consider the object harmless for the server and wish to use it. If you do not wish Anti-Virus to isolate this object during subsequent scans, you can exclude this object from processing in the Real-time file protection task and in the on-demand scan tasks. In order to do this, specify the object as the value of the Excluding objects (by filename) security parameter (see A.3.8 on pg. 369) or Excluding threats (see A.3.9 on pg. 370) in these tasks.

When you restore objects, you can select where the objects being restored will be saved: to the original location (by default), to a special folder for restored objects on the protected server, or to a folder that you specify on the computer on which the Anti-Virus console is installed or on another computer in the network.

The folder for restoration is designed for storing restored objects on the protected server. You can set special security parameters for scanning it. The path to this folder is set in the quarantine settings (see 11.8 on pg. 169).

163 Isolation of suspicious objects. Using quarantine 163 Attention! Restoring objects from the quarantine may lead to computer infection. Note If a quarantined object was contained in a composite object (for example in an archive), the Anti-Virus will not include into this composite object during the restoration, rather it will save separately into a selected folder. You can restore the object and save its copy in the quarantine folder to use it later, for example in order to rescan the object after the database has been updated. You can restore one or several objects. In order to restore objects from the quarantine: 1. Select the Quarantine node in the console tree. 2. Perform one of the following actions in the result panel: in order to restore an object right-click the object you wish to restore and select Restore. in order to restore several objects select the objects you wish to restore using the <Ctrl> key or <Shift> key, right-click one of the selected objects and select Restore. A Object restoration dialog box will open (see Figure 66). Figure 66. The Object restoration dialog box

3. In the Object restoration dialog box specify, for each of the selected objects, the folder into which the object being restored will be saved. (The name of the object is displayed in the Object field in the upper part of the dialog box. If you selected several objects, the name of the first object in the list of selected objects will be displayed). Perform one of the following actions:
   - in order to restore an object to the original location, select Restore to the source folder on the server or to selected network folder;
   - in order to restore an object into the folder specified as the folder for restored objects in the quarantine settings (see A.6.4 on pg. 394), select Restore to the server folder for restoration by default;
   - in order to save an object to another folder on a computer on which the Anti-Virus console is installed or in the network folder, select Restore to folder on your local computer or on the network resource and then select the required folder or specify path to it.
4. If you wish to save a copy of the object in the quarantine folder after this object is restored, uncheck the Delete objects from storage after they are restored box.
5. In order to apply the specified restoration conditions to the rest of the selected objects, check the Apply to all selected objects box. All selected objects will be restored and saved to the location you have specified:
   - if you selected Restore to the source folder on the server or to selected network folder, each of the objects will be saved into its original location;
   - if you selected Restore to the server folder for restoration by default or Restore to folder on your local computer or on the network resource, all objects will then be saved into one specified folder.
6. Press the OK button. Anti-Virus will start restoring the first of the selected objects.
7. If an object with this name already exists in the specified location, an Object with such name already exists dialog box will open (see Figure 67):

Figure 67. The Object with such name already exists dialog box

   a) Select one of the following actions:
      - Replace, in order to restore an object instead of the existing one;
      - Rename, to save the restored object under a different name. In the entry field enter a new object's filename and full path to it;
      - Rename by adding suffix, to rename the object by adding a suffix to its filename. Enter suffix into the entry field.
   b) If you selected several objects to be restored, then in order to apply the selected action Replace or Rename by adding suffix to the rest of the selected objects, check the Apply to all objects box. (If you specified Rename, then the Apply to all objects box will not be available).
   c) Press the OK button.

The object will be restored; information about the restoration operation will be entered into the system audit log.

If you did not select option Apply to all objects in the Restoring objects dialog box, this dialog box will open again. Using this dialog box you can specify the location into which next selected object will be saved (see Step 3 of this procedure).

Quarantining files

You can quarantine files manually.

In order to quarantine a file:
1. Right-click the Quarantine node in the console tree and select Add object.
2. In the Open file dialog box select files on the disk that you wish to quarantine and press the OK button.
   Note: If files that you wish to quarantine are stored in one folder then in the Open file dialog box you can select several files using the <Ctrl> or the <Shift> key.
   The Anti-Virus will quarantine the selected file(s).
3. Perform the following actions in the dialog box with the name of the first selected file (if you wish to apply the action to all selected files, check the Apply to all selected objects box):
   - in order to save the file in the original location press the Save button;
   - in order to delete the file from the original location press the Delete button.

Deleting objects from quarantine

According to settings of the Scan Quarantine task (see 11.3 on pg. 160) Anti-Virus deletes from the quarantine folder objects the status of which has changed to Infected during the quarantine scan using updated database and which Anti-Virus was unable to disinfect. Other objects are not deleted from the quarantine.

You can manually delete one or several objects from the quarantine.

To delete one or several objects:
1. Select the Quarantine node in the console tree.
2. Perform one of the following actions:
   - in order to delete an object, right-click the object you wish to delete and select Delete object;
   - in order to delete several objects, select the objects you wish to delete using the <Ctrl> key or <Shift> key, right-click one of the selected objects and select Delete object.
3. In the Confirmation dialog box press the Yes button to confirm the operation.

Sending suspicious object to Kaspersky Lab for analysis

If the behavior of a file gives you a reason to suspect that it contains a threat, and Anti-Virus considers this file clean, you may have encountered a new unknown threat, the algorithm for disinfecting which has not yet been added to the bases. You can send this file for analysis to Kaspersky Lab. Kaspersky Lab's Anti-Virus analysts will analyze it and, if they detect a new threat in it, they will add a record identifying it to the bases. It is likely that when you rescan the object after the database has been updated Anti-Virus will find this object infected and will be able to disinfect it. You will not only be able to save the object, but also to prevent the virus outbreak.

You can send for analysis only files from quarantine. In the quarantine folder they are stored in the encrypted form and during the transfer they will not be deleted by the Anti-Virus application installed on the mail server.

You can send for analysis a quarantined file to which Anti-Virus has assigned status Suspicious or Warning. You cannot send for analysis quarantined files to which Anti-Virus has assigned status Infected. (For more details on how Anti-Virus finds threats in objects see on pg. 17).

Note: You cannot send a quarantined object for analysis to Kaspersky Lab after it expires.

In order to send a file for analysis to the Anti-Virus lab:
1. If the file was not quarantined, first place it into the quarantine (see 11.5 on pg. 166).
2. In the Quarantine node in the list of quarantined objects right-click the file you wish to send for analysis and select Send to Kaspersky Lab.

3. If a mail client is configured on the computer on which Anti-Virus console is installed, a new e-mail message will be created. Review it and press the Send button.
   The To: field will contain Kaspersky Lab's address newvirus@kaspersky.com. The Subject field will contain text "Quarantined object". The body of the message will contain the following text: "This file will be sent to Kaspersky Lab for analysis". The body of the message contains text "File will be sent for analysis to Kaspersky Lab". You can include into the message body any additional information about the file, why you considered it suspicious, how it behaves or how it affects the system.
   Archive <object name>.cab will be attached to the message. This archive will contain file <uuid>.klq with the object in encrypted form, file <uuid>.txt with information about the object collected by the Anti-Virus and file Sysinfo.txt that contains the following information about the Anti-Virus and the operating system installed on the server:
   - name and version of the operating system;
   - Anti-Virus name and version;
   - release date of the latest installed bases update;
   - serial number of the active key.
   The specified information is required by the Kaspersky Lab's Anti-Virus analysts in order to perform the analysis of the file faster and more efficiently. However, if you do not wish to transfer this information you can delete Sysinfo.txt file from the archive.
4. If no mail client applications are configured on the computer on which the Anti-Virus console is installed, Microsoft Windows internet connection setup wizard will open. You can perform the following operations:
   - create a new account following the instructions of the internet connection setup wizard and send the file from this computer;
   - close the wizard and save the selected encrypted object into a file. You can send this file to Kaspersky Lab using regular ways you send message.
   In order to save the encrypted object into a file:
   a) in the dialog box that will open and that will suggest you to save the object (see Figure 68) press the OK button;
   b) save a folder in the disk of the protected server or a network folder into which you wish to save the file with the object.

Figure 68. The dialog box prompting to save a quarantine object to a file

Configuring quarantine settings

This section contains a discussion of configuration of the quarantine settings. New values of the quarantine settings are applied immediately after they are saved.

Description of the quarantine settings and their default values are provided in A.6 on pg

In order to configure quarantine settings:
1. Open the shortcut menu on the Quarantine node in the console window and select Properties (see Figure 69):

Figure 69. The Quarantine Properties dialog box

2. Using the Quarantine Properties dialog box configure the required quarantine settings as per your requirements:
   - in order to specify the Quarantine folder different from the default folder, select the required folder on the local disk of the protected server or specify its name and full path to it (for more details about this setting see A.6.1 on pg. 391);
   - in order to set the maximum quarantine size check the Maximum quarantine size box and specify the required values in MB in the entry field (see A.6.2 on pg. 392);
   - in order to set the minimum free space in the quarantine, set the Maximum quarantine size parameter, check the Threshold of free space box and specify the required value for the parameter in the entry field (see A.6.3 on pg. 393);
   - in order to specify a different folder for restored objects, select the required folder on the disk in the Restoration settings settings group or enter full path to it (see A.6.4 on pg. 393).
3. Press the OK button.

Quarantine statistics

You can view information about the number of the quarantined objects - quarantine statistics.

In order to view the quarantine statistics right-click the Quarantine node in the console window and select Statistics (see Figure 70).

Figure 70. The Statistics dialog box

The Statistics dialog box displays the following information about the number of quarantined objects at the current moment:

Field: Description
Infected objects: The number of infected objects a) that received the Infected status after the quarantine check and the Anti-Virus was unable to disinfect or delete them and b) that Anti-Virus quarantined according to the value of the Actions to be performed with objects depending on the threat type parameter.
Suspicious objects: The number of suspicious objects and objects that potentially contain malicious code. For more details on how Anti-Virus finds threats in objects see on pg. 17.
Used quarantine space: The total size of data in the quarantine folder.
False alarm objects: The number of objects that received the False alarm status because they were found clean during the quarantine scan using the updated bases.
Objects disinfected: The number of objects that received the Disinfected status after the quarantine scan.
Total number of objects: The total number of quarantined objects.

CHAPTER 12. BACKUP COPYING OF OBJECTS BEFORE DISINFECTION/DELETION; USING BACKUP STORAGE

This chapter contains the following information:
- about backup copying of the objects before disinfection / deletion (see 12.1 on pg. 173);
- viewing objects in Backup, sorting and filtration of files (see 12.2 on pg. 174);
- restoration of files from Backup (see 12.3 on pg. 178);
- deleting files from Backup (see 12.4 on pg. 181);
- configuring backup storage settings (see 12.5 on pg. 182);
- blocking statistics (see 12.6 on pg. 183).

Description of the backup storage setting is provided in section A.7 on pg

About backup copying of objects before disinfection / deletion

Before disinfecting or deleting a file with Infected status, Anti-Virus saves its encrypted copy in a special folder - the backup storage.

Anti-Virus also places into Backup encrypted copies of files with the status Suspicious and Potentially containing malicious code if you selected Delete as the action to be performed with suspicious objects in the security settings of the Real-time file protection task or an on-demand scan task.

If the object is a part of a composite object (for example, if it is included into an archive), then Anti-Virus will save such composite object entirely in the backup storage.

You can restore files from Backup either to the original folder or to another folder on the protected server or another computer in the local area network. You can restore the file from Backup, for example, if an infected file contained important information, but during the disinfection of this file Anti-Virus was unable to maintain its integrity and therefore the information became unavailable.

Attention! Restoring files from Backup may lead to computer infection.

Viewing files stored in Backup

You can view files stored in the Backup folder only using the Anti-Virus console in Backup node. You cannot view them using Microsoft Windows file management tools.

In order to view the files in Backup, select Backup node in the console tree (see Figure 71).

In order to find the required object in the list you can sort objects (see on pg. 176) or filter the objects (see on pg. 176).

Figure 71. Information about files in Backup of Anti-Virus console

The following information about a file stored in Backup will be displayed in the result panel:

Field: Description
Object: Name of the file a copy of which is saved to Backup.
Result: File status based on the presence/absence of threat.
   - Infected. File has been found infected - full coincidence of a section of the object's code with a section of the code of a known threat has been detected.
   - Suspicious. File has been found suspicious - partial coincidence of a section of the object's code with a section of the code of a known threat has been detected.
   - Potentially containing malicious code. File was detected by the heuristic analyzer.
   For more details on how Anti-Virus finds threats in objects see on pg. 17.
Danger level: The threat level indicates how harmful the object is for the server. The severity level depends on the class of the threat contained in the object and may assume the following values:
   - High. The file may contain a threat of the following types "network worms", "classic viruses", "Trojan horses", or a threat of an undefined class (this class includes new viruses currently not referred to any known class);
   - Medium. The file may contain a threat of type "other malware", "adware" or "pornware";
   - Low. The file may contain a threat of type "riskware".
   For more details about threats detectable by Anti-Virus see on pg. 14.
Threat type: The threat type according to Kaspersky Lab's classification, included into the full name of the threat returned by Anti-Virus when Anti-Virus finds the file infected. You may view the full name of a threat contained in the object in the Reports node in the detailed report about the task execution.
Threat name: The threat name according to Kaspersky Lab's classification, included into the full name of the threat returned by Anti-Virus when Anti-Virus finds the file infected. You may view the full name of a threat contained in the object in the Reports node in the detailed report about the task execution.
Date of placement: Date and time when the file was saved in the Backup folder.
Source path: Full path to the original folder - the folder in which the file was located before Anti-Virus saved its copy in Backup.
Size: File size.
User name: This column displays the following data:
   - if the file was backed up by Anti-Virus in the Real-Time File Protection task - the name of the account using which the application accessed the file at the moment of interception;
   - if the object was backed up by Anti-Virus in an on-demand scan task - the name of the account using which the task was executed.

To learn how to configure Backup settings see 12.5 on pg

Sorting files in Backup

By default files in Backup are sorted by the date they were saved in the reverse chronological order. In order to find the required file you can sort files by the content of any column in the result panel. The result of the sorting will be saved if you leave and then open Backup node again or if you close the Anti-Virus console, save the msc file and then open it again from this file.

In order to sort files in Backup:
1. Select Backup node in the console tree.
2. In the file list of Backup click the heading of the column based on which you wish to sort the objects.

Filtering files in Backup

In order to find a required file in Backup you can filter files - display in Backup node only those files which satisfy the filtering criteria you have specified (filters).

The result of the filtering will be saved if you leave and then open Backup node again or if you close the Anti-Virus console, save the msc file and then open it again from this file.

In order to filter files in Backup:
1. Right-click Backup node in the console tree and select Filter. The Filter settings dialog box will open (see Figure 72).

Figure 72. The Filter settings dialog box

2. To add a filter:
   a) In the Field name list select the field whose values will be compared with the filter value you specify.
   b) In the Operator list select the filtering condition. The values in the list of the filtering conditions may differ depending on the value you have selected in the Field name field.
   c) Enter or select the filter value in the Filter value field.
   d) Press the Add button.
   The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add. If you specify several filters they will be combined using logical "AND".

   In order to delete a filter, select the filter you wish to delete in the filter list and press the Delete button.
   In order to edit a filter, select it in the filter list in the Filter settings dialog box, modify the required values in the Field name, Operator or Field value fields and press the Replace button.
3. After you have added all filters, press the Apply button. Only files selected by the filters you have specified will then be displayed in the list.

In order to display all files included in the list of objects stored in Backup, open the shortcut menu on Backup node in the console tree and select Remove Filter.

Restoring files from Backup

Anti-Virus stores files in the Backup folder in the encrypted form to protect the protected server against their possible harmful effect.

You can restore any file from Backup. You may need to restore an object in the following cases:
- if the original file that appeared to be infected contained important information and during the disinfection Anti-Virus was unable to maintain its security and the information in the file became unavailable;
- if you consider the file not dangerous for the server and wish to use it. If you do not wish Anti-Virus to consider this file infected (suspicious) during the subsequent scans you can exclude it from the processing in the Real-time file protection task and in the on-demand scan tasks. Specify the file as the value of the parameter Excluding objects (see A.3.8 on pg. 369) or Excluding threats (see A.3.9 on pg. 370).

Attention! Restoring files from Backup may lead to computer infection.

When you restore a file you can select where it will be saved: to the original folder (by default), to a special folder for restored objects on the protected server or to the folder specified by you in the computer on which Anti-Virus console is installed or on another computer in the network.

A folder for restoration is designed for storing restored objects on the protected server. You can set special security parameter to scan it. Path to this folder is set by Backup settings (see 12.5 on pg. 182).

By default when Anti-Virus is restoring a file it deletes its copy from Backup. You can save a file copy in Backup after it is restored.

In order to restore files from backup storage:
1. Select Backup node in the console tree.
2. Perform one of the following actions:
   - in order to restore one file, right-click the file you wish to restore in the list of files in Backup and select Object restoration;
   - in order to restore several files, select the objects you wish to restore in the list using the <Ctrl> key or <Shift> key, right-click one of the selected objects and select Object restoration.
3. In the Object restoration dialog box (see Figure 73) specify the folder into which the restored file will be saved. (The name of the file is displayed in the Object field in the upper part of the dialog box. If you selected several files, the name of the first file in the list of selected objects will be displayed).

Figure 73. The Object restoration dialog box

   Perform one of the following actions:
   - in order to save a file being restored on the protected server, select:
      - Restore to the source folder on the server or to selected network folder if you do not wish to restore the file into the original folder;
      - Restore to the server folder for restoration by default - if you wish to restore the file into the folder that you specified as the folder for restored objects in the settings of Backup (see 12.5 on pg. 182);
   - in order to save the restored file into a different folder, select Restore to folder on your local computer or on the network resource and select the required folder (on the computer on which Anti-Virus console is installed or a network folder) or specify path to it.
4. If you wish to save a copy of a file in the Backup folder after this object is restored, uncheck the Delete objects from storage after they are restored box.
5. If you selected several files to be restored, then in order to apply the selected saving conditions to the rest of the selected objects, check the Apply to all selected objects box. All selected files will be restored and saved to the location you have specified:
   - if you selected Restore to the source folder on the server or to selected network folder, each of the files will be saved into its original location;
   - if you selected Restore to the server folder for restoration by default or Restore to folder on your local computer or on the network resource, all objects will then be saved into one specified folder.
6. Press the OK button. Anti-Virus will start restoring the first of the selected files.
7. If a file with this name already exists in the specified location, an Object with such name already exists dialog box will open (see Figure 74).

Figure 74. The Object with such name already exists dialog box

   Perform the following actions:

   a) Select the condition for saving the restored file:
      - Replace, in order to restore a file instead of the existing one;
      - Rename the object, to save the restored file under a different name. In the entry field enter a new filename and full path to it;
      - Rename by adding suffix, to rename the file by adding a suffix to its filename. Enter suffix into the entry field.
   b) If you wish to apply the selected action Replace or Rename by adding suffix to other selected files, check the Apply to all objects box. (If you specified Rename, then the Apply to all objects box will not be available).
   c) Press the OK button.

The object will be restored. Information about the restoration operation will be registered in the system audit log.

If you selected several files to be restored and did not select option Apply to all objects in the Restoring objects dialog box, this dialog box will open again. Using this dialog box you can specify the folder into which next selected object will be saved (see Step 3 of this procedure).

Deleting files from Backup

In order to delete one or several files from Backup:
1. Select Backup node in the console tree.
2. Perform one of the following actions:
   - in order to delete one file, right-click the file you wish to delete in the list of objects and select Delete object;
   - in order to delete several files, select the files you wish to delete using the <Ctrl> key or <Shift> key, right-click one of the selected files and select Delete object.
3. In the Confirmation dialog box press the Yes button to confirm the operation. The selected files will be deleted.

Configuring backup storage settings

This section contains a discussion of how to configure Backup settings. Description of Backup settings and their default values are provided in A.7 on pg

The new values of Backup settings are applied immediately once you save them.

In order to configure Backup settings:
1. Right-click Backup node in the console tree and select Properties (see Figure 75).

Figure 75. The Backup Properties dialog box

2. Perform the following in the Backup Properties dialog box:
   - in order to specify the folder-location of Backup, select the required folder on the local drive of the protected server or enter full path to it in the Backup folder field (for more details about this setting refer to A.7.1 on pg. 395);
   - in order to set the maximum backup storage size check the Maximum storage size box and specify the required values in MB in the entry field (see A.7.2 on pg. 395);
   - in order to set the free space threshold for the backup storage set the Maximum storage size setting, check the Threshold of free space box and specify the minimum free space value for the backup storage in megabytes (see section A.7.3 on pg. 396);
   - in order to specify a folder for restored objects, select the required folder on the local drive of the protected server in the Restoration settings settings group or enter the folder name and the full path to it in the Restore to folder (see A.7.4 on pg. 397).
3. Press the OK button.

Backup storage statistics

You can view the information about the current status of Backup - Backup statistics.

In order to view Backup statistics right-click Backup node in the console tree and select View Statistics (see Figure 76):

Figure 76. The Backup statistics dialog box

The Backup statistics dialog box displays the following information about the current status of Backup:

Field: Description
Used storage space: The amount of data in the Backup folder.
Total number of objects: The current total number of objects in Backup.

CHAPTER 13. EVENT REGISTRATION

This chapter contains the following information:
- about the methods of Anti-Virus event registration (see 13.1 on pg. 185);
- task execution reports: viewing, deletion, configuration (see 13.2 on pg. 186);
- system audit log: viewing, purging (see 13.3 on pg. 199);
- Anti-Virus statistics - information about the current status of Anti-Virus, its functional components and tasks being executed (see 13.4 on pg. 203);
- event log of Anti-Virus in Microsoft Windows MMC console "Event viewer" (see 13.5 on pg. 207).

Methods of event registration

Events in the Anti-Virus are classified as related to the object processing in tasks and related to the Anti-Virus management - the latter include such events as Anti-Virus startup, creation and deletion of tasks, starting tasks, modifying task settings, etc.

Anti-Virus registers events as follows:
- It creates reports about task execution. Report about execution of tasks contains information about the current status of the task and events that occurred during its execution (see 13.2 on pg. 186);
- It maintains system audit log; this log is used to register events related to the Anti-Virus management (see 13.3 on pg. 199);
- It gathers statistics of its work - information about the current status of functional components and about tasks currently being executed (see 13.4 on pg. 203);
- It maintains the event log in the Microsoft Windows Event Viewer. The log registers events important for diagnosing failures (see 13.5 on pg. 207).

If a problem occurs during Anti-Virus operation (for example, Anti-Virus or its individual task terminates abnormally or does not start), you can create a tracking log and Anti-Virus process memory dump and send files with this information for analysis to Kaspersky Lab's Technical Support Service in order to diagnose the problem encountered. For details about creating the tracking log and memory dump see 3.2 on pg

Task execution reports

This chapter contains the following information:
- about task execution reports (see on pg. 186);
- viewing summary reports (see on pg. 187);
- sorting summary reports in the list (see on pg. 191);
- viewing summary reports in the tasks (see on pg. 191);
- export of information from the detailed report into a text file (see on pg. 196);
- deleting tasks (see on pg. 196);
- changing the information detail level for reports about execution of tasks of individual functional components and in the event log (see on pg. 197).

About task execution reports

In the Reports node you can view summary and detailed reports about Anti-Virus task execution.

A summary report is a line with information about the task state and the general status of processed objects from the Anti-Virus security point of view.

The Detailed report contains task performance statistics (information about each object processed by Anti-Virus since the task was started and task settings).

By default reports are stored for unlimited time. In detailed reports about tasks executed during the current moment, event records created over 30 days ago will be deleted. Summary reports about tasks will be deleted 30 days after completion of the task. Using Anti-Virus settings you can change the report storage time or disable the function of automatic deletion of reports in order to store them indefinitely (see Chapter 3 on pg. 40).

You also can manually delete a selected report.

Viewing summary reports. Summary reports' status

In order to view the summary task performance report:
1. Select Reports in the console tree (see Figure 77).

Figure 77. The list of reports in the result panel

2. In the result panel find the required task report (in order to quickly find the report in the list you can filter or sort the records by any column).

To learn how to view a detailed report about the task execution, see on pg

The following information about the task execution will be contained in the report:

Field: Description
Report status: Summary characteristics obtained based on the task statistics; reflects the general status of the processed objects from the Anti-Virus security point of view. By the importance level, the reports statuses can be information, warning or critical. The statuses of the scan and update tasks report are described in tables below.
Task name: The name of the task which report you are viewing.

Task type: Task type, corresponds to the functional component in which the task is created (real-time file protection, script monitoring, on-demand scan, scan quarantine objects, application integrity control, application database update, application modules update, updates distribution, database update rollback).
Category: Anti-Virus task category: system, user-defined or group task. For more details about task categories see 5.1 on pg. 48.
Task status: Current task status: Running, Completed, Paused, Failed or Interrupted by user, Resuming.
Completion time: If the task has been completed by the current moment, the date and the time of its completion will be displayed in this column. If the task is running at the moment, this field will remain empty.

Table 9. On-demand scan task reports' statuses

No threats found: Anti-Virus scanned all objects in this area. Anti-Virus has found all objects in this area not infected.
Some objects have not been processed: Anti-Virus found all scanned objects clean; one or several objects were skipped, for example, they were excluded from the scan by the security settings or were being used by other applications at the moment they were accessed. Some objects, such as Microsoft Windows system files, may be in use at the moment they are accessed. Anti-Virus will not scan them and the task will complete with status Some objects were not processed.
Corrupted objects found: Anti-Virus found all scanned objects clean; one or several objects in the selected area were skipped: Anti-Virus was unable to read these objects as their format is corrupted.

Suspicious objects found: Anti-Virus has found one or several suspicious objects. To learn exactly which objects are suspicious, refer to the detailed report about task execution (see on pg. 191).
Infected objects found: Anti-Virus has found threats in one or several objects. To learn exactly which objects contain threats, refer to the detailed report about the task execution (see on pg. 191).
Processing errors: Anti-Virus has found all scanned objects clean. An Anti-Virus error occurred during the scan of one or several objects. Note: An object during the processing of which an Anti-Virus error occurred may contain a threat. We recommend that you quarantine this object and rescan it in the quarantine after the database has been completed (see 11.3 on pg. 160). If the task is repeated, refer to Kaspersky Lab's Technical Support Service. For detailed information on how you can contact the Technical Support Service, see section on pg. 21.
Critical errors: Task execution failed. You can see the information on the error cause in the detailed report on task execution.

Table 10. Statuses of the bases update and update downloading task reports

No errors found: Anti-Virus downloaded and successfully applied updates.

Critical errors: An error occurred while the updates were downloaded or when they were applied. You can view the name of the update which was not applied and what caused this error in the detailed report about the task execution.

Table 11. Statuses of the application modules update task reports

No errors found: Anti-Virus downloaded and successfully applied updates.
Critical update is available: Critical updates of Anti-Virus modules published.
Planned update is available: Scheduled updates of Anti-Virus modules published.
Critical and planned updates are available: Both critical and scheduled updates of Anti-Virus modules published.
Installation of downloaded updates is in progress: Anti-Virus downloaded updates and is installing them.
It is necessary to restart the computer to complete the update: Restart server to apply the updates.
Critical errors: An error occurred while the updates were downloaded or when they were applied. You can view the name of the update which was not applied and what caused this error in the detailed report about the task execution.

Sorting reports

By default reports are displayed in the list in reverse chronological order. You can sort reports by any column. The result of the sorting will be saved if you leave and then select the Reports node again or if you close the Anti-Virus console, save the msc file and then open it again from this file.

In order to sort objects:
1. Select Reports in the console tree.
2. In the information panel, click on the column heading by which you wish to sort the reports.

Viewing detailed report about task execution

In the report about task execution you can view information about all events that have occurred in the task since it was launched. For example, you can learn in which of the processed objects a threat was detected.

In order to view the detailed report about task execution:
1. Select Reports in the console tree.
2. In the list of reports right-click the summary report on events you wish to view in the task report and select View report.

The Detailed report dialog box contains the Events tab with information about events that occurred in the task, the Statistics tab that displays the time of the task launch and completion as well as its statistics, and the Settings tab with the task's settings.

The Events tab contains the following information about events in the task (see Figure 78):

Figure 78. An example of a detailed Real-time file protection task report

Event importance level: By importance level, events in the detailed reports are information, important and critical.
Object: Name of the processed object and path to it.
Event: Event type and additional information about the event. This column (in the Script monitoring task) also displays the PID identifier of the process performed by the script intercepted by Anti-Virus.
Event time: Date and time of the event occurrence.

In addition to the above fields, the detailed analysis about tasks Real-time file protection and Script monitoring contains the Username field.

Computer: Computer name from which the application accessed the object.

User name: Username of the account under which the application accessed the object. If the object was accessed by an application running under the Local system (SYSTEM) account, then this column contains record <domain> <computer name>$.

In the Real-time File Protection task the Anti-Virus registers value localhost as the computer name rather than the network name of the protected server if an application running on the protected server accesses the object.

To view task statistics, open the Statistics tab in the Detailed report dialog box (see Figure 79).

Figure 79. The Detailed report dialog box, Statistics tab

To view task settings, open the Settings tab in the Detailed report dialog box (see Figure 80).

Figure 80. The Detailed report dialog box, Settings tab

While you are viewing a detailed report, you can apply one or several filters in order to find the required event on the Events tab.

To specify one or several filters:
1. Press the Filter button in the bottom part of the Detailed report dialog box. The Filter settings dialog box will open (see Figure 81).

Figure 81. The Filter settings dialog box

2. In order to add a filter:
a) In the Field name list select a field to which the filter value will be compared.
b) In the Operator list select the filtering condition. The values of the filtering conditions in the list may differ depending on the value you have selected in the Field name field.
c) Enter the filter value in the Field value field or select it from the list of possible values.
d) Press the Add button.
The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add.

In order to delete a filter, select it in the filter list and press the Delete button.

In order to edit a filter, select the filter in the list in the Filter settings dialog box. Then change the required values in the Field name, Operator or Field value field and press the Replace button.

3. After you have added all filters, press the Apply button. The list of objects in the Detailed report will display only objects selected based on the filters.

In order to display all objects, press the Remove filter button in the bottom part of the Detailed report dialog box.

Exporting information from a detailed report into a text file

In order to export information from a detailed report into a text file:
1. Select Reports from the console tree.
2. In the report list open the shortcut menu on the summary report about the task whose events you wish to view in the detailed report and select the View Report command.
3. In the bottom part of the Detailed Report dialog box press the Export button and in the Browse dialog box specify the name of the file into which you wish to save information from the detailed report and the encoding system you wish to use (Unicode or ANSI).

Deleting reports

By default the reports are stored for a limited time (you can change the report storage period using the common Anti-Virus setting Report storage time, see 3.2 on pg. 40).

In the Reports node you can delete reports about completed tasks.

To delete one or several reports:
1. Select Reports in the console tree.
2. Perform one of the following actions:
- in order to delete one report, right-click the report you wish to delete in the list of reports and select Delete;
- in order to delete several reports, select the reports you wish to delete using the <Ctrl> key or <Shift> key, right-click one of the selected reports and select Delete.
In the Confirmation dialog box press Yes to confirm the operation. The selected reports will be deleted.

Report and event log detail level settings

Using the settings described below you can specify which events will be registered in the Detailed reports about task execution of individual functional Anti-Virus components and which events will be registered in the Event log. For information about the Anti-Virus Event log refer to 13.5 on pg

Based on the level of importance, Anti-Virus events associated with task execution can be of three types: information, important and critical.
- Information events, for example No threats detected or No errors, reflect the results of the Anti-Virus operation.
- Important events, such as Update source connection error, may affect Anti-Virus functionality.
- Critical events may lead to the disruption of the Anti-Virus security of the protected server. Such events include, for example, Module integrity breached, Threat detected or Internal task error.

The detail level in the detailed reports about task events and in the Event log corresponds to the level of importance of events registered in the log. You can set one of three detail levels, ranging from the Information level, in which events of all importance levels are registered, to the Critical level, in which only critical events are registered. By default the Important events level (only important and critical events) is set for all components except the Update component, for which the Information events level is set.

Additionally you can manually specify individual events that will be registered in detailed reports and in the event log.

In order to set the detail level of events in the detailed reports about task execution and in the event log:
1. Right-click the Reports node in the console tree and select Properties.
2. In the Component list in the Reports Properties dialog box (see Figure 82) select the Anti-Virus functional component for which you wish to set the event detail level.

Figure 82. The Reports Properties dialog box

3. Perform one of the following actions:
- in order to set the detail level in Detailed reports about events in the tasks of the selected functional components, select the required level in the Level of detail list;
  Boxes next to the events in the list of events which will be included into the reports and the event log in accordance with the detail level selected will be checked.
- in order to enable or disable registration of certain events of a functional component, select User-defined settings in the Level of detail list and perform the following actions in the component's event list:

  o in order to enable registration of an event in detailed reports about task execution, check the Reports box associated with this event; in order to disable registration of an event in detailed reports, uncheck the corresponding Reports box.
  o in order to enable registration of an event in the event log, check the Event log box associated with this event; in order to disable registration of an event in the event log, uncheck the corresponding Event log box.
4. Press OK.

System audit log

Anti-Virus keeps a System audit log of non-task related events such as launching Anti-Virus, starting and stopping tasks, modifying task settings, creating and deleting on-demand scan tasks, etc. Records about these events are displayed in the System audit log node.

Anti-Virus will automatically delete records about events created more than 30 days ago from the System audit log. To store the records indefinitely you can change the record storage period or disable the record deletion function (see 3.2 on pg. 40).

In order to view events in the system audit log, select the System audit log node in the console tree (see Figure 83):

Figure 83. The System audit log node

The results panel displays the following information about events:

Event: Event description that includes the type of event and additional information about it. Based on the importance level, events can be information, important and critical.
Task name: Name of the Anti-Virus task connected with task execution.
User name: If an event is requested by an Anti-Virus user, this user's login will be displayed. If the action was not requested by a user, but was started by Anti-Virus itself, for example a scheduled on-demand scan task, this column will contain record <domain> <computer name>$ which will match the System account.
Event time: Event registration time in the time zone of the protected server in the format set by the Microsoft Windows server regional settings.
Component: Anti-Virus functional component in the operation of which the event occurred. If the event is not associated with the operation of an individual component, but is related to Anti-Virus operation in general, for example starting Anti-Virus, this column will contain record Application.
Computer: Name of the computer whose access to the server has been blocked or allowed (only for the Blocking access from computers function).

You can perform the following actions with events in the System audit log node:
- sort events (see on pg. 200);
- filter events (see on pg. 201);
- delete events (see on pg. 202)

Sorting events in System audit log

By default, events in the System audit log node are displayed in reverse chronological order.

In order to find an event in the list you can sort the events by any column with information. The result of the sorting will be saved if you leave and then select the System audit log node again or if you close the Anti-Virus console, save the msc file and then open it again from this file.

In order to sort events:
1. Select System audit log in the console tree.
2. In the result panel click the column heading by which you wish to sort the events in the list.

Filtering events in System audit log

In order to find an event in the system audit log you can filter events, that is, display in the list only those events that satisfy the filtering criteria (filters) that you have specified. The result of the filtering will be saved if you leave and then select the System audit log node again or if you close the Anti-Virus console, save the msc file and then open it again from this file.

In order to filter events in System audit log:
1. Right-click the System audit log node in the console tree and select Filter. The Filter settings dialog box will open (see Figure 84).

Figure 84. The Filter settings dialog box

2. To add a filter:
a) In the Field name list select a field to which the filter value will be compared.
b) In the Operator list select the filtering condition. The values of the filtering conditions in the list may differ depending on the value you have selected in the Field name field.
c) Enter the filter value in the Filter value field or select it from the list of possible values.
d) Press the Add button.
The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add. If you specify several filters they will be combined using logical "AND".

In order to delete a filter, select the filter you wish to delete in the filter list in the left part of the dialog box and press the Delete button.

In order to edit a filter, select it in the list of filters in the Filter settings dialog box. Then change values in the Field name, Operator or Field value fields and press the Replace button.

3. After you have added all filters, press the Apply button. Only events selected by the filters you have specified will then be displayed in the event list.

In order to display all events again, open the shortcut menu on the System audit log node in the console tree and select Remove filter.

Deleting objects from System audit log

By default the Anti-Virus stores events in the system audit log for unlimited time. You can limit the event storage period (see the Event storage period in the system audit log setting in 3.2 on pg. 40).

You can manually delete all events from the system audit log.

In order to delete all events from the system audit log:
1. Right-click the System audit log node in the console tree and select Clear.
2. In the Confirmation dialog box press Yes to confirm the operation.

Anti-Virus statistics

Anti-Virus statistics show information about the current status of Anti-Virus, its functional components and tasks being executed.

In order to view Anti-Virus statistics select the Statistics node in the console tree.

The following Anti-Virus information will be displayed in the result panel:
- link to the Anti-Virus website;
- Anti-Virus version and its installation date;
- information about the active key: serial number, type, expiration date and information about the approaching expiration:
  o not less than 14 days before the key expiration;
  o less than 14 days, but not less than 7 days before the key expiration;
  o less than 7 days before the key expiration.
  You can modify the administrator's notification about the approaching key expiration (see 15.2 on pg. 216).
- the status and the settings of the Anti-Virus functional components and the statistics of the tasks being executed (see description in Table 12).

By default information in the Statistics node is updated every minute. You can also update the information in the Statistics node manually.

In order to update information in the Statistics node manually, open the shortcut menu in the Statistics node and select the Update command.

Table 12. Information about Anti-Virus functional components in the Statistics node

Component/Task: Real-time file protection task
Information in the Statistics node:
Task status:
- IN PROGRESS - the task is in progress;
- STOPPED - the task is paused or stopped;
Task statistics:
- Threats detected - the number of threats detected since the time the task was started;
- Preventing virus outbreaks:
  Activated - the protection level in the Real-time file protection task was increased in accordance with the Virus outbreak protection settings (for more details, see A.4.4 on pg. 378);
  Not activated - the Virus outbreak prevention mode is not applied by Anti-Virus.
- Objects scanned - the number of objects scanned since the time the task was last started.
If the task is started, the Advanced hyperlink will open the Task execution statistics dialog box (see 6.3 on pg. 83).

Component/Task: Blocking access from computers
Information in the Statistics node:
Status of automatically blocking access from computers:
- the function of blocking access from computers is enabled; the Details hyperlink opens the Statistics dialog box (see 7.9 on pg. 97);
- Function of blocking access from computers is enabled.
Blocking statistics:
- Computers in the blocking list - the number of computers that are currently included into the block list;

Component/Task: Script monitoring task
Information in the Statistics node:
Task status:
- IN PROGRESS - the task is in progress;
- STOPPED - the task is paused or stopped;
Task statistics:
- Threats detected - the number of threats detected since the time the task was started;
- Objects scanned - number of scripts processed since the task was last started;
- Scripts blocked - the number of malicious or suspicious scripts that Anti-Virus detected and blocked since the task had started;
If the task is started, the Details hyperlink will open the Task execution statistics dialog box (see 6.5 on pg. 86).

Component/Task: Database updating task
Information in the Statistics node:
General status of the Anti-Virus database on the protected server:
- databases are up-to-date;
- databases are obsolete;
- databases are outdated.
For more details on the bases status see 10.1 on pg
Database release date - date and time that the current databases were created;
Databases records count - total number of entries in the databases currently in use.

Component/Task: Quarantine
Information in the Statistics node:
General quarantine status (displayed if the Maximum quarantine size and the Minimum free space in quarantine settings are applied):
- the maximum quarantine size has not been reached; the minimum free quarantine space value has not been reached;
- the maximum quarantine size has not been reached; but the minimum free quarantine space value has been reached;
- maximum quarantine size has been reached.
When the total size of Quarantine reaches the number selected in the settings, Anti-Virus notifies the administrator of this (if notifications are configured for those events). To learn how to configure notifications, see Chapter 15 on pg
To learn how to configure quarantine settings see 11.8 on pg
Quarantine statistics:
- Quarantined objects - the number of objects currently quarantined;
- Size - the amount of data in the quarantine folder
The Details link opens dialog box Quarantine statistics (see 11.9 on pg. 171).

Component/Task: Backup storage
Information in the Statistics node:
General status of Backup (displayed if the values of the Maximum backup storage size and the Minimum backup storage free space settings are specified):
- the maximum size of Backup has not been reached; the minimum size of the free space in Backup has not been reached;
- the maximum backup storage size has not been reached; but the minimum free backup storage space value has been reached;
- the maximum backup storage size has been reached.
When the total size of Backup reaches the number selected in the settings, Anti-Virus notifies the administrator of this (if notifications are configured for those events). Anti-Virus will continue placing objects into Backup. To learn how to configure notifications, see Chapter 15 on pg
To learn how to configure backup storage settings see 12.5 on pg
Backup statistics:
- Backup objects - the number of objects currently in Backup;
- Size - the amount of used space in Backup
The Details link opens dialog box Backup storage statistics (see 12.6 on pg. 183).

Anti-Virus event log in Event Viewer

You can view the Anti-Virus event log using the Microsoft Windows MMC Event Viewer. In this console Anti-Virus registers events important for the Anti-Virus security of the protected server and for diagnostics of Anti-Virus failures.

You can select which events to record in the event log:
- by event types.

- by detail levels. The detail level corresponds to the level of importance of the events that are registered (informational, important, or critical events). The most detailed is the Information level, which registers events of all importance levels; the least detailed is the Critical level, which registers critical events only (Important events is the default). By default, for all components except the Update component the Important events detail level is selected (only important and critical events are registered); for the Update component the Information events level is selected.

To learn how to select events for registration in the Event log see on pg. 197

In order to view the Event log:
1. Add to the MMC Event Viewer. If you control the server protection remotely from the administrator's station, specify the protected server as the computer to be controlled by the utility.
2. Select the Kaspersky Anti-Virus node in the Viewing events console tree (see Figure 85).

Figure 85. Information about Anti-Virus events in Event Viewer

CHAPTER 14. INSTALLING AND DELETING LICENSE KEYS

This chapter contains the following information:
- About Anti-Virus license keys (see 14.1 on pg. 209);
- View license key info (see 14.2 on pg. 210);
- Key installation (see 14.3 on pg. 212);
- Deleting keys (see 14.4 on pg. 213)

About Anti-Virus license keys

A key is a text file with the extension .key. It contains information about Anti-Virus use rights and restrictions.

When the key is written, its limit date is set, that is, a date after which the key becomes invalid (for example, December 31, 2010, if the key is written in 2007), as well as the key validity period in days (for example, 365 days). Kaspersky Lab writes license keys with various validity periods.

When you install a key, Anti-Virus calculates the expiration date of the key validity period. This date arrives after the length of time in the validity period has elapsed since key installation, but no later than the date that the key expires.

During this time, you have access to the following features:
- Anti-Virus protection;
- Regular database updates;
- Critical Anti-Virus patches;
- Possibility to install scheduled Anti-Virus upgrades.

During this period, Kaspersky Lab or one of its partners will provide you with technical support, if provided for by the terms of the key.

After the expiration date of the key, Anti-Virus stops performing its functions. Depending on the type of key, you will not be able to use either the Anti-Virus module and database update feature or all Anti-Virus features.

There are three types of Anti-Virus keys: beta, trial, and commercial.

Beta
Beta keys are free. They are only given out during Anti-Virus beta-testing. After the expiration date of the key, Anti-Virus stops performing all of its functions.

Trial
Trial keys are also free. They are designed for trying out Anti-Virus. A trial key has a short lifespan. After the expiration date of the key, Anti-Virus stops performing all of its functions. You can only install one trial key for Anti-Virus.

Commercial
After the expiration date of a commercial license key, Anti-Virus continues performing all of its functions except for updates. It scans the server using databases installed prior to the license key expiration date. It will not detect threats that Kaspersky Lab specialists added to the database after the key expired and will not disinfect files infected with those threats. Technical Support is also only provided for the key validity period.

You can purchase and install two keys at the same time, one as the active key and the other as a backup. The active key becomes effective as soon as you install it, and the backup key will become active automatically when the active key expires.

An Anti-Virus key can have a usage restriction according to the number of servers.

View installed keys info

To view information on the keys installed:
1. In the console tree, select the License keys node.
2. Open the context menu in the results panel on the bar with information on the key that you want to view and select Properties.
The <Serial number> Properties dialog box will open (see Figure 86).

Figure 86. The Key Properties dialog box, General tab

The General tab in the <Serial number> Properties dialog box displays the following information:

Serial number: Key serial number
Created: Key write date
Key type: Key type (beta, trial, or commercial). For more details on key types, see 14.1 on pg
Validity period: Term of the key in days, set when the key is written
Expiration date: Expiration date of the key; calculated by Anti-Virus when the key is installed; comes when the validity period of the key has elapsed since the time it was activated, but not later than the date when the key expires

Application: Anti-Virus application name
License objects: A restriction provided by the key (if any)
Technical support availability: Information on whether Kaspersky Lab or one of its partners will provide you with technical support under the terms of the key.

The Additional tab in the <Serial number> Properties dialog box displays information on the customer, as well as contact information for Kaspersky Lab or the retailer where you purchased Anti-Virus.

Key installation

To install a key:
1. Open the context menu on the License keys node in the console tree and click Install key.
2. Specify the file name of the key and the path to the file in the Adding a key dialog box (Figure 87).

Figure 87. The Adding a key dialog box

This dialog box displays the information on the key described in the table below.
3. If you install the key as a backup, select Add as a reserve key.
4. Click the OK button.

The Adding a key dialog box displays the following information about the license key being installed:

Number: Key serial number.
Type: Key type (beta, trial, or commercial). For more details, see 14.1 on pg
Usage restriction: Restriction objects count.
Restriction type: Restriction objects.
Expiration date: The expiration date is calculated by Anti-Virus after the key installation; it is the date on which the key validity period, counted from the moment of its activation, expires, but not later than the date on which the key becomes invalid. For more details refer to section 14.1 on pg

Deleting keys

You can delete the installed key. If you delete an active key and a backup key is installed, the backup key will automatically become active.

Warning: If you delete the installed key, you can restore it only by re-installation from the key file.

To delete an installed license key:
1. In the console tree, select the License keys node.
2. Open the context menu in the results panel on the bar with information on the key that you want to delete and select Delete key.
3. Click the Yes button in the confirmation dialog box to confirm that you wish to delete the key.
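The expiration rule from section 14.1 (validity period counted from activation, capped by the key's limit date), the behaviour after expiry for each key type, and the three expiry ranges reported in the Statistics node can be modelled as below. This is an added example, not Kaspersky Lab code. The names, the sample serials and the assumption that a backup key's validity period starts on the day the active key expires are illustrative.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

KEY_TYPES = ("beta", "trial", "commercial")


@dataclass(frozen=True)
class LicenseKey:
    serial: str         # constructed placeholder, not a real serial number
    key_type: str       # "beta", "trial" or "commercial"
    validity_days: int  # validity period in days, set when the key is written
    limit_date: date    # date after which the key is invalid in any case


def expiration_date(key: LicenseKey, activated_on: date) -> date:
    """Validity period counted from activation, capped by the limit date."""
    return min(activated_on + timedelta(days=key.validity_days), key.limit_date)


def expiry_band(expires_on: date, today: date) -> str:
    """Map the days remaining to the three ranges shown in the Statistics node."""
    days_left = (expires_on - today).days
    if days_left < 0:
        return "expired"
    if days_left < 7:
        return "less than 7 days"
    if days_left < 14:
        return "less than 14 days, not less than 7"
    return "not less than 14 days"


def protection_state(active: LicenseKey, activated_on: date, today: date,
                     backup: Optional[LicenseKey] = None) -> dict:
    """Return which key is in force on `today` and which functions still work."""
    for key in (active, backup):
        if key is not None and key.key_type not in KEY_TYPES:
            raise ValueError(f"unknown key type: {key.key_type!r}")

    expires_on = expiration_date(active, activated_on)
    if today > expires_on and backup is not None:
        # The backup key becomes active automatically when the active key
        # expires. Assumption: its validity period starts on that day.
        active = backup
        expires_on = expiration_date(backup, expires_on)

    expired = today > expires_on
    if not expired:
        protection, updates = True, True
    else:
        # Beta and trial keys: all functions stop after the expiration date.
        # Commercial keys: everything except updates keeps working, so the
        # server is scanned with databases that no longer change.
        protection, updates = active.key_type == "commercial", False

    return {
        "serial": active.serial,
        "expires_on": expires_on,
        "band": expiry_band(expires_on, today),
        "protection": protection,
        "updates": updates,
    }


if __name__ == "__main__":
    # Constructed sample: 365-day commercial key with a limit date of
    # December 31, 2010, activated late enough that the limit date wins.
    key = LicenseKey("AAAA-000001", "commercial", 365, date(2010, 12, 31))
    print(protection_state(key, date(2010, 6, 1), date(2010, 12, 20)))
```

A commercial key that reports `protection: True, updates: False` is the case worth alerting on, because the server still appears protected while its databases have stopped receiving updates.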

CHAPTER 15. CONFIGURING NOTIFICATIONS

This chapter contains the following information:
- Methods for notifying the administrator and users (see 15.1 on pg. 214);
- Configuring notifications (see 15.2 on pg. 216)

Methods for notifying the administrator and users

Anti-Virus can be used to notify the administrator and users that access the protected server of events in Anti-Virus operation and the status of Anti-Virus protection on the server.
- The administrator can retrieve information on selected types of events;
- LAN users that access the protected server can receive information about events of the Threat detected and Computer has been added to the blocking list types; terminal server users can receive information about events of the Threat detected type.

In the Anti-Virus MMC Console, you can configure notifications for the administrator or users using several methods. These methods are described in the tables that follow.

Table 13. User notification methods

Notification method: Terminal service windows
Default settings: Configured based on events of Threat detected type
Description: If the protected server is terminal, you can use this method to notify terminal users of the server.

Notification method: Microsoft Windows NET SEND
Default settings: Configured based on events of Threat detected and Computer has been added to the blocking list types
Description: This notification method uses Microsoft Windows NET SEND. Before using this notification method, make sure that NET SEND is enabled on the protected server and the LAN user workstations (disabled by default).

Table 14. Administrator notification methods

Notification method | Default settings | Description
Microsoft Windows NET SEND | Not enabled | This notification method uses Microsoft Windows NET SEND. Before configuring this notification method, make sure that NET SEND is enabled on the protected server and on the computer that serves as the administrator's workplace (if the administrator is managing Anti-Virus remotely). NET SEND is disabled by default.
Run executable file | Not enabled | This notification method runs a specified executable file when triggered by an event. The executable file must be saved on a local drive of the protected server. When specifying the path to the executable file, you can use environment variables.
E-mail notification | Not enabled | This notification method uses e-mail to transmit notifications.

You can create the message text for individual event types. It can include a field with information about the event. The message text used by default for user notifications is given in the following table.

Table 15. Default message text for user notifications

Task | Event type | Message text
Real-time file protection | Threat detected | Kaspersky Anti-Virus blocked access to %OBJECT% on computer %FROM_COMPUTER% at %EVENT_TIME% Reason: %EVENT_TYPE%. Threat type: %VIRUS_TYPE%: %VIRUS_NAME%. User name: %USER_NAME%. Computer name: %USER_COMPUTER%
Real-time file protection, Blocking access from computers | Computer has been added to the blocking list | Kaspersky Anti-Virus on computer %FROM_COMPUTER%: %EVENT_TYPE%. Computer name: %USER_COMPUTER%. Blocking time: %EVENT_TIME%. Reason: attempt to upload infected or suspicious files. Contact the system administrator for your network

Notification settings

Event notification settings let you choose the notification method to configure and compose the message text.

To configure event notification settings:

1. Open the context menu on the Anti-Virus name in the console tree and select Notifications. The Notifications dialog box will open (see Figure 88).

Figure 88. The Notifications dialog box

2. On the Notifications tab in the Notifications dialog box, select the events and specify the notification method for them:

To specify the method of notifying the administrator, take the following steps:

a) From the Event type list, select the event for which you want to select a notification method;
b) In the Notify administrators settings group, select the checkbox next to the notification methods that you want to configure.

To specify the method of notifying users, take the following steps:

a) From the Event type list, select the types of events (Threat detected and Computer has been added to the blocking list) about which you wish to notify the users on whose computers such events may occur;

b) In the Notify users settings group, select the checkbox next to the notification methods that you want to configure.

Note: You can compose a single message text for several event types. After you have selected a notification method for one event type, use the <Ctrl> and <Shift> keys to select the other event types for which you want to use the same message text.

3. To compose the message text, click Message text in the desired settings group and enter the text to be displayed in the event message in the Message text dialog box.

To add fields with information on the event, click Macro... and select the desired fields from the list of those available. Fields with information on events are described in Table 16.

To restore the default text of the message for this event, click the Default button.

4. To configure the administrator notification methods for selected events, click Settings in the Notifications dialog box and configure the selected methods in the Additional settings dialog box.

For e-mail notifications, open the E-mail tab (see Figure 89) and specify the addresses of the recipients (delimit addresses with a semicolon), the name or network address of the SMTP server, and the port in the appropriate fields. If necessary, specify the text that will be displayed in the Subject and From fields. The text in the Subject field can also include a field with information about the event (see Table 16).

Figure 89. The Settings dialog box, E-mail tab

If you want to use user account authentication when connecting to the SMTP server, select Require SMTP authentication in the Authentication settings group and specify the name and password of the user whose user account will be authenticated.

For notifications using Messaging Service, create a list of recipient computers for the notifications on the Messaging Service tab (see Figure 90). For each computer that you want to add, click the Add button and enter its network name in the input field. Do not use an IP address for computers in this field.

Figure 90. The Settings dialog box, Messaging Service tab

To run an executable file, on the Executable file tab (see Figure 91) select the file on a local drive of the protected server that will be executed on the server when triggered by the event, or enter the full path to it. Enter the username and password under which the file will be executed.

When specifying the path to the executable file, you can use system environment variables; you cannot use user's environment variables.

Figure 91. The Settings dialog box, Executable file tab

If you want to limit the number of messages for one event type over a period of time, on the Additional tab (see Figure 92), select Do not send the same notification more than and specify the needed number of times and time span.

Figure 92. The Settings dialog box, Additional tab

5. Click the OK button.

Table 16. Field with information about events

Field | Description
%EVENT_TYPE% | Event type
%EVENT_TIME% | Time that the event occurred
%EVENT_SEVERITY% | Severity level
%OBJECT% | Object name (in real-time protection and on-demand scan tasks). The Application module update task includes the name of the update and the address of the web page with information on the update.

%VIRUS_NAME% | Threat name according to Kaspersky Lab classification; included in the full name of the threat that Anti-Virus returns (in real-time protection and on-demand scan tasks)
%VIRUS_TYPE% | Threat type according to Kaspersky Lab classification; included in the full name of the threat that Anti-Virus returns (in real-time protection and on-demand scan tasks)
%USER_COMPUTER% | In a Real-time file protection task, the computer name for the user that accessed the object on the server
%USER_NAME% | In a Real-time file protection task, the name of the user that accessed the object on the server
%FROM_COMPUTER% | Name of the protected server where the notification originated
%REASON% | Reason event occurred (some events do not have this field)
%ERROR_CODE% | Error code (Events Internal error Tasks)
%TASK_NAME% | Task name (only for events related to task performance)
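The following is an added example, not part of the guide or of Anti-Virus: a small checker that reads a notification message text, reports fields that are not spelled as in Table 16 or that Table 16 documents only for other tasks, and renders a preview. The function names, the task labels (rtfp, script, ods, module_update) and the sample values are assumptions made for this example; how Anti-Virus itself treats an unrecognized field is not stated in the guide.

```python
import re

EVERY_TASK = None  # Table 16 gives no task restriction for the field

# Task labels invented for this example:
#   "rtfp" Real-time file protection, "script" Script monitoring,
#   "ods" on-demand scan, "module_update" Application module update.
REAL_TIME = {"rtfp", "script"}

# Field name -> tasks for which Table 16 documents the field.
FIELDS = {
    "EVENT_TYPE": EVERY_TASK,
    "EVENT_TIME": EVERY_TASK,
    "EVENT_SEVERITY": EVERY_TASK,
    "FROM_COMPUTER": EVERY_TASK,
    "REASON": EVERY_TASK,       # Table 16: some events do not have this field
    "ERROR_CODE": EVERY_TASK,
    "TASK_NAME": EVERY_TASK,    # Table 16: only for events related to task performance
    "OBJECT": REAL_TIME | {"ods", "module_update"},
    "VIRUS_NAME": REAL_TIME | {"ods"},
    "VIRUS_TYPE": REAL_TIME | {"ods"},
    "USER_COMPUTER": {"rtfp"},
    "USER_NAME": {"rtfp"},
}

# Default texts copied from Table 15.
DEFAULT_THREAT_DETECTED = (
    "Kaspersky Anti-Virus blocked access to %OBJECT% on computer "
    "%FROM_COMPUTER% at %EVENT_TIME% Reason: %EVENT_TYPE%. Threat type: "
    "%VIRUS_TYPE%: %VIRUS_NAME%. User name: %USER_NAME%. "
    "Computer name: %USER_COMPUTER%"
)
DEFAULT_BLOCKED = (
    "Kaspersky Anti-Virus on computer %FROM_COMPUTER%: %EVENT_TYPE%. "
    "Computer name: %USER_COMPUTER%. Blocking time: %EVENT_TIME%. Reason: "
    "attempt to upload infected or suspicious files. "
    "Contact the system administrator for your network"
)

# A field is a run of letters and underscores between two percent signs,
# so a stray "%" in ordinary text ("100% sure") is not reported.
FIELD_RE = re.compile(r"%([A-Za-z_]+)%")


def lint(text, task):
    """Return (field, problem) pairs for the fields used in a message text."""
    problems = []
    for name in FIELD_RE.findall(text):
        if name not in FIELDS:
            if name.upper() in FIELDS:
                problems.append((name, "Table 16 spells this %" + name.upper() + "%"))
            else:
                problems.append((name, "not listed in Table 16"))
        elif FIELDS[name] is not EVERY_TASK and task not in FIELDS[name]:
            problems.append((name, "not documented for task " + task))
    return problems


def render(text, values):
    """Preview a message: substitute known fields, leave everything else as typed."""
    def substitute(match):
        name = match.group(1)
        if name in FIELDS and name in values:
            return str(values[name])
        return match.group(0)
    return FIELD_RE.sub(substitute, text)


if __name__ == "__main__":
    # Constructed sample values, not output captured from the product.
    sample = {"OBJECT": r"D:\share\setup.exe", "FROM_COMPUTER": "FILESRV01",
              "EVENT_TIME": "8/16/2007 5:13:14 PM", "EVENT_TYPE": "Threat detected"}
    print(render(DEFAULT_THREAT_DETECTED, sample))
    print(lint("%USER_NAME% opened %OBJECT%, found %VIRUSNAME%", "ods"))
```
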

PART 2. MANAGING ANTI-VIRUS FROM THE COMMAND LINE

This section contains the following information:

- Description of commands for administering Anti-Virus from the command prompt (see Chapter 16 on pg. 225);
- Description of return codes (see Chapter 17 on pg. 245).

CHAPTER 16. ANTI-VIRUS COMMAND LINE COMMANDS

You can perform basic Anti-Virus management commands from the command line of the protected server if you included the Command line utility in the list of installed features during Anti-Virus installation.

Using command line commands you can manage only those functions which are accessible to you based on the rights assigned to you in Anti-Virus (for more details about access to Anti-Virus functions refer to section on pg. 35).

Some Anti-Virus commands are executed in synchronous mode, that is, control returns to the console only after the command is completed; other commands are executed in asynchronous mode: control returns to the console immediately after the command is started.

To interrupt command execution in synchronous mode, press <Ctrl+C>.

Follow these rules when entering Anti-Virus commands:

- enter modifiers and commands using upper and lower case;
- delimit modifiers with the space character;
- if the name of the file (folder) whose path you specify as the value of a modifier contains the space character, provide the path to the file (folder) in quotes, for example "C:\TEST\test cpp.exe";
- in filename or path masks use only one placeholder and enter it only at the end of the path to a folder or to a file, for example "C:\Temp\Temp*\", "C:\Temp\Temp???.doc", "C:\Temp\Temp*.doc".

The list of Anti-Virus commands is provided in Table 17.

Anti-Virus command return codes are listed in Chapter 17 on pg. 245.

Table 17. Anti-Virus commands

Command | Description
KAVSHELL HELP (16.1) | displays Anti-Virus command help
KAVSHELL START (16.2) | starts Anti-Virus service
KAVSHELL STOP (16.2) | stops Anti-Virus service
KAVSHELL SCAN (16.3) | creates and launches a temporary on-demand scan task with the scan scope and security settings set by the command modifiers
KAVSHELL FULLSCAN (16.4) | starts the Scan My Computer system task
KAVSHELL TASK (16.5) | starts/pauses/resumes/stops the selected task in the asynchronous mode/returns the current task status/task statistics
KAVSHELL RTP (16.6) | starts or stops all real-time protection tasks
KAVSHELL UPDATE (16.7) | starts Anti-Virus bases update task with settings specified using command modifiers
KAVSHELL ROLLBACK (16.8) | rolls back bases to the previous version
KAVSHELL LICENSE (/ADD, /DEL) (16.9) | manages keys
KAVSHELL TRACE (16.10) | enables or disables the tracking log, manages settings of the tracking log
KAVSHELL DUMP (16.11) | enables or disables the process memory dump in case of abnormal termination of processes
KAVSHELL IMPORT (16.12) | imports general Anti-Virus settings, functions, and tasks from a configuration file created beforehand
KAVSHELL EXPORT (16.13) | exports all Anti-Virus settings and existing tasks to a configuration file

Displaying Anti-Virus command help. KAVSHELL HELP

To obtain the list of all Anti-Virus commands, enter one of the following commands:

KAVSHELL
KAVSHELL HELP
KAVSHELL /?

To see an overview of a command and its syntax, enter one of the following commands:

KAVSHELL HELP <command>
KAVSHELL <command> /?

KAVSHELL HELP command examples

KAVSHELL HELP SCAN
View detailed information about the KAVSHELL SCAN command.

Anti-Virus service startup or shutdown. KAVSHELL START, KAVSHELL STOP

To start the Anti-Virus service, use the KAVSHELL START command.

Note: By default, when Anti-Virus starts, the tasks Real-time file protection, Script monitoring, Scan at the system startup and Application integrity control are started, along with any other tasks whose schedule specifies the launch frequency At the application startup.

To stop the Anti-Virus service, use the KAVSHELL STOP command.

Scanning selected area. KAVSHELL SCAN

To start a task for scanning specific areas of the protected server, use the KAVSHELL SCAN command. The task settings (scan scope and security settings) are specified by the command modifiers.

The on-demand scan task launched using the KAVSHELL SCAN command is a temporary task. It is displayed in the Anti-Virus console in MMC only during its execution (you cannot view task settings in the Anti-Virus console). The task performance report is generated at the same time. It is displayed in the Report node of the Anti-Virus console. As with on-demand scan tasks created in the Anti-Virus console, policies of the Kaspersky Administration Kit application can be applied to tasks created and launched using the SCAN command (for details about using Kaspersky Administration Kit to manage Anti-Virus, see Part 3 on pg. 251).

The KAVSHELL SCAN command is executed in synchronous mode.

When specifying paths in on-demand scan tasks, you can use environment variables. If you use an environment variable defined for a user, execute the KAVSHELL SCAN command with the rights of this user.

To start an existing on-demand scan task created in the Anti-Virus console from the command line, use KAVSHELL TASK (see 16.5 on pg. 233).
KAVSHELL SCAN command syntax

KAVSHELL SCAN [scan scope /MEMORY /SHARED /STARTUP /REMDRIVES /FIXDRIVES /MYCOMP] [/L:< path to file with the list of scan scopes>] [/F<A C E>] [/NEWONLY] [/AI:<DISINFECT DISINFDEL DELETE REPORT AUTO>] [/AS:<QUARANTINE DELETE REPORT AUTO>] [/DISINFECT /DELETE] [/E:<ABMSPO>] [/EM:< masks >] [/ES:<size>] [/ET:<number of seconds>] [/NOICHECKER][/NOISWIFT][/W:<path to report file>] [/ALIAS:<task name alias>]

KAVSHELL SCAN command examples

KAVSHELL SCAN Folder4 D:\Folder1\Folder2\Folder3\ C:\Folder1\ C:\Folder2\3.exe "\\another server\shared\" F:\123\*.fgb /SHARED /AI:DISINFDEL /AS:QUARANTINE /FA /E:ABM /EM:"*.xtx;*.fff;*.ggg;*.bbb;*.info" /NOICHECKER /NOISWIFT /W:log.log

KAVSHELL SCAN /L:scan_objects.lst /W:report.log
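The following is an added example, not part of the guide or of Anti-Virus: a helper that validates settings against the values documented for KAVSHELL SCAN, writes a /L: scope list file, and builds the command line. It makes the caller choose /AI and /AS explicitly, because the guide states that only the Skip action is performed when they are omitted, and it checks the report folder first, because the guide states that a report that cannot be created raises no error. The function names and sample paths are assumptions of this example, as is the modifier:"value" quoting form, which follows the guide's /EM example.

```python
import os

# Values copied from the KAVSHELL SCAN syntax and modifier table in this guide.
PREDEFINED_AREAS = {"/MEMORY", "/SHARED", "/STARTUP",
                    "/REMDRIVES", "/FIXDRIVES", "/MYCOMP"}
INFECTED_ACTIONS = {"DISINFECT", "DISINFDEL", "DELETE", "REPORT", "AUTO"}  # /AI:
SUSPICIOUS_ACTIONS = {"QUARANTINE", "DELETE", "REPORT", "AUTO"}            # /AS:
FILE_TYPE_MODES = {"A", "C", "E"}                                          # /FA /FC /FE
COMPOSITE_TYPES = set("ABMSPO")                                            # /E:


def check_scope(scope):
    """Validate one scan scope: a predefined area or a file, folder or UNC path."""
    scope = scope.strip()
    # A line break would add an extra entry to a list file; a quote would
    # break the quoting applied on the command line.
    if not scope or any(ch in scope for ch in '\r\n"'):
        raise ValueError("invalid scan scope: %r" % scope)
    if scope.startswith("/"):
        area = scope.upper()
        if area not in PREDEFINED_AREAS:
            raise ValueError("unknown predefined scan area: %s" % scope)
        return area
    return scope


def quote(value):
    """Quote a command-line value when it contains a space."""
    if '"' in value:
        raise ValueError("double quote not allowed: %r" % value)
    return '"%s"' % value if " " in value else value


def write_scope_list(list_path, scopes):
    """Write a /L: list file: one scope per line, unquoted, as in the guide's sample."""
    checked = [check_scope(scope) for scope in scopes]
    if not checked:
        raise ValueError("the scope list is empty")
    with open(list_path, "w") as handle:
        handle.write("\n".join(checked) + "\n")
    return checked


def report_folder_ready(report_path):
    """True if the folder that will hold the /W: report exists and is writable."""
    folder = os.path.dirname(os.path.abspath(report_path))
    return os.path.isdir(folder) and os.access(folder, os.W_OK)


def build_scan_command(infected, suspicious, scopes=(), list_file=None,
                       file_types="C", new_only=False, exclude_types="",
                       exclude_masks=(), max_mb=None, max_seconds=None,
                       report=None, alias=None):
    """Return a KAVSHELL SCAN command line; raise ValueError on invalid settings."""
    if not scopes and not list_file:
        raise ValueError("scan scope is mandatory: give scopes or a list file")
    if infected not in INFECTED_ACTIONS:
        raise ValueError("choose an /AI: action explicitly: %r" % (infected,))
    if suspicious not in SUSPICIOUS_ACTIONS:
        raise ValueError("choose an /AS: action explicitly: %r" % (suspicious,))
    if file_types not in FILE_TYPE_MODES:
        raise ValueError("file type mode must be A, C or E")
    if not set(exclude_types) <= COMPOSITE_TYPES:
        raise ValueError("/E: accepts only the letters ABMSPO")
    for limit in (max_mb, max_seconds):
        if limit is not None and (not isinstance(limit, int) or limit <= 0):
            raise ValueError("size and time limits must be positive integers")
    if alias is not None and (not alias or " " in alias):
        raise ValueError("task alias must be a single word")

    args = ["KAVSHELL", "SCAN"]
    args += [quote(check_scope(scope)) for scope in scopes]
    if list_file:
        args.append("/L:" + quote(list_file))
    args.append("/F" + file_types)
    if new_only:
        args.append("/NEWONLY")
    args += ["/AI:" + infected, "/AS:" + suspicious]
    if exclude_types:
        args.append("/E:" + exclude_types)
    if exclude_masks:
        args.append('/EM:"%s"' % ";".join(exclude_masks))
    if max_mb is not None:
        args.append("/ES:%d" % max_mb)
    if max_seconds is not None:
        args.append("/ET:%d" % max_seconds)
    if report:
        args.append("/W:" + quote(report))
    if alias:
        args.append("/ALIAS:" + alias)
    return " ".join(args)


if __name__ == "__main__":
    # Constructed sample settings.
    print(build_scan_command("DISINFDEL", "QUARANTINE",
                             scopes=[r"D:\Docs", "/shared"], report="scan.log"))
```
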

Modifier | Description

Scan scope. Mandatory modifier.

<files> <folders> <network path> | Specifies the scan scope - the list of files, folders, network paths and pre-defined areas. Specify network paths in the UNC format (Universal Naming Convention). In the following example folder Folder4 is specified without a path - it is located in the folder from which you launch command KAVSHELL: KAVSHELL SCAN Folder4
/MEMORY | Scan objects in RAM
/SHARED | Scan shared folders on the server
/STARTUP | Scan startup objects
/REMDRIVES | Scan removable drives
/FIXDRIVES | Scan hard drives
/MYCOMP | Scan all areas of protected server
/L:<path to file with the list of scan scopes> | File name with the list of scan scopes including full path to the file. Delimit scan areas in the file using line breaks. You can specify pre-defined scan areas, as shown in this example of a file with a scan scope list:

C:\
D:\Docs\*.doc
E:\My Documents
/STARTUP
/SHARED

Detectable objects (File types). If you do not specify values for this modifier, Anti-Virus will scan objects by their format.

/FA | Scan all objects
/FC | Scan objects by format (by default). Anti-Virus scans only objects whose format is included in the list of formats of infectable objects.

/FE | Scan objects by extension. Anti-Virus scans only objects with extensions included in the list of extensions of infectable objects.
/NEWONLY | Scan only new and modified objects (for more details about this setting see section A.3.2 on pg. 360). If you do not provide this modifier, Anti-Virus will scan all objects.

/AI: Actions to be performed with infected objects. If you do not specify values for this modifier, Anti-Virus will only perform the Skip action.

DISINFECT | Skip, delete if disinfection is not possible
DISINFDEL | Disinfect, delete if disinfection is not possible
DELETE | Delete
REPORT | Report only
AUTO | Perform the recommended action

/AS: Actions with suspicious objects (actions). If you do not specify values for this modifier, Anti-Virus will perform the Skip action.

QUARANTINE | Quarantine
DELETE | Delete
REPORT | Report only
AUTO | Perform the recommended action

Exclusions

/E:ABMSPO | Excludes composite objects of the following types: A archives; B databases; M plain mail; S SFX-archives; P packed objects; O embedded OLE objects.

/EM:<"masks"> | Exclude files by mask. You can specify several masks, for example, /EM:"*.txt;*.png; C\Videos\*.avi".
/ET:<number of seconds> | Stop processing an object if processing continues longer than the number of seconds specified by value <number of seconds>. There is no time restriction by default.
/ES:<size> | Do not scan compound objects larger than the size (in MB) specified by value <size>. Anti-Virus scans objects of all sizes by default.

Additional settings (Options)

/NOICHECKER | Disable the use of ichecker (enabled by default)
/NOISWIFT | Disable the use of iswift (enabled by default)
/ALIAS:<task alias> | Enables you to assign an on-demand scan task a temporary name by which the task can be accessed during its execution, for example in order to view its statistics using the TASK command. The task name alias must be unique among the aliases of tasks of all functional components of Anti-Virus. If this modifier is not specified, the temporary name scan_<kavshell_pid> is used, for example scan_1234. The task name is also assigned automatically as Scan objects (<date and time>), for example Scan objects 8/16/2007 5:13:14 PM.

Report settings

/W:<path to report file> | If you specify this modifier, Anti-Virus will save the task report file with the name specified by the modifier's value. The report file contains the task execution statistics, the time when it was started and completed (stopped) and information about events in this task. The report registers events specified by the settings of the reports and event log in the Anti-Virus console (for more details refer to section on pg. 197). You can specify either the absolute or the relative path to the report file. If you specify only the file name without a path, the report file will be created in the current folder. Restarting the command with the same report settings will overwrite the existing report. You can view the report file while the scan task is being executed. The report about the task is also displayed in the Report node of the Anti-Virus console. If Anti-Virus fails to create the report file, it will not stop the command from executing and will not display an error message.

Starting the Scan my computer task. KAVSHELL FULLSCAN

Use the KAVSHELL FULLSCAN command to start the system on-demand scan task Scan my computer with the settings set in the Anti-Virus Console in MMC.

When specifying paths in on-demand scan tasks, you can use environment variables. If you use an environment variable defined for a user, execute the KAVSHELL SCAN command with the rights of this user.

KAVSHELL FULLSCAN command syntax

KAVSHELL FULLSCAN [/W:<path to report file>]

KAVSHELL FULLSCAN command examples

KAVSHELL FULLSCAN /W:fullscan.log
Perform the on-demand scan task Scan my computer; save the report about the task events in the fullscan.log file in the current folder.

Modifier | Description
/W:<path to report file> | If you specify this modifier, Anti-Virus will save the task report file with the name specified by the modifier's value. The report file contains the task execution statistics, the time when it was started and completed (stopped) and information about events in this task. The report registers events specified by the settings of the reports and event log in the Anti-Virus console (for more details refer to section on pg. 197). You can specify either the absolute or the relative path to the report file. If you specify only the file name without a path, the report file will be created in the current folder. Restarting the command with the same report settings will overwrite the existing report with the same name. You can view the report file while the scan task is being executed. The report about the task is also displayed in the Report node of the Anti-Virus console. If Anti-Virus fails to create the report file, it will not stop the command from executing and will not display an error message.

Managing the specified task in asynchronous mode. KAVSHELL TASK

Using the KAVSHELL TASK command you can manage the specified task: run, pause, resume and stop the task and view the current task status and statistics. The command is performed in asynchronous mode.

KAVSHELL TASK command syntax

KAVSHELL TASK [<task name alias> </START /STOP /PAUSE /RESUME /STATE /STATISTICS >]

KAVSHELL TASK command examples

KAVSHELL TASK
KAVSHELL TASK on-access /START
KAVSHELL TASK user-task_1 /STOP
KAVSHELL TASK scan-computer /STATE

Modifier | Description
Without modifiers | Returns the list of all existing Anti-Virus tasks. The list contains the following fields: alias, task category (system, user-defined or group) and the current task status.
<task alias> | Instead of the task name, in the SCAN TASK command, use its Task alias, an additional short-form name that Anti-Virus assigns to tasks. To view Anti-Virus task aliases enter the command KAVSHELL TASK without any modifiers.
/START | Starts the specified task in asynchronous mode
/STOP | Stops the specified task
/PAUSE | Pauses the specified task
/RESUME | Resumes the specified task in asynchronous mode
/STATE | Returns the current task status (Running, Completed, Paused, Stopped, Completed with an error, Starting, Resuming)
/STATISTICS | Retrieve task statistics - information on the number of objects processed from the time the task started until now

Starting and stopping real-time protection tasks. KAVSHELL RTP

Using the KAVSHELL RTP command you can start or stop all real-time protection tasks.

KAVSHELL RTP command syntax

KAVSHELL RTP {/START /STOP}

KAVSHELL RTP command examples

KAVSHELL RTP /START
Start all real-time protection tasks.

Modifier | Description
/START | starts all real-time protection tasks.
/STOP | stops all real-time protection tasks.

Starting Anti-Virus bases update task. KAVSHELL UPDATE

Using the KAVSHELL UPDATE command you can start the Anti-Virus bases update task in synchronous mode.

An Anti-Virus bases update task run using the KAVSHELL UPDATE command is a temporary task. It is displayed in the Anti-Virus console in MMC only during its execution. At the same time a report about the task execution is registered; it is displayed in the Reports node of the Anti-Virus console. Kaspersky Administration Kit application policies may be applied to update tasks created and launched using the KAVSHELL UPDATE command as well as to update tasks created in the Anti-Virus console (for details about managing Anti-Virus on servers using Kaspersky Administration Kit, see Part 3 on pg. 251).

When specifying the path to the update source in this task, you can use environment variables. If you use user's environment variables, execute the KAVSHELL UPDATE command with the rights of this user.

To interrupt KAVSHELL UPDATE task execution, press <Ctrl+C>.

KAVSHELL UPDATE command syntax

KAVSHELL UPDATE < Path to update source /AK /KL> [/NOUSEKL] [/PROXY:<address>:<port>] [/AUTHTYPE:<0-2>] [/PROXYUSER:<user name>] [/PROXYPWD:<password>] [/NOPROXYFORKL] [/USEPROXYFORCUSTOM] [/NOFTPPASSIVE] [/TIMEOUT:<sec>] [/REG:<>] [/W:<path to report file>] [/ALIAS:<task alias>]

KAVSHELL UPDATE command examples

KAVSHELL UPDATE
Start a user-defined bases update task.

KAVSHELL UPDATE \\Server\bases
Start the bases update task; update files are stored in network folder \\Server\bases.

KAVSHELL UPDATE ftp://dnl-ru1.kaspersky-labs.com/ /W:c:\update_report.log
Start the update task from the folder on the FTP server ftp://dnl-ru1.kaspersky-labs.com/; record all task events into report file c:\update_report.log.

KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080 /AUTHTYPE:1 /PROXYUSER:inetuser /PROXYPWD:
Download Anti-Virus bases updates from Kaspersky Lab's update server; connect to the update sources via a proxy server (proxy server address: proxy.company.com, port: 8080); use in-built Microsoft Windows authentication (NTLM-authentication) under account (username: inetuser; password: ) to access the server.

Modifier | Description

Update sources (mandatory modifier). Specify one or several sources. Anti-Virus will contact the sources in the order they are listed. Delimit the sources with a space.

<Path to the update source> | User-defined update source. Path to the network folder in the UNC format.
<URL> | User-defined update source. HTTP server address on which the folder with updates is located.
<FTP> | User-defined update source. FTP server address on which the folder with updates is located.
<Local update folder> | User-defined update source. Folder on the protected server.
/AK | Kaspersky Administration Kit server as the update source.

/KL | Kaspersky Lab's update servers as the update sources.
/NOUSEKL | Do not use Kaspersky Lab updating servers if other update sources are not available (used by default)

Proxy server settings

/PROXY:<address>:<port> | Network name or IP address of the proxy server and its port. If you do not specify this modifier, Anti-Virus will automatically detect settings of the proxy server used in the local area network.
/AUTHTYPE:<0-2> | This modifier specifies the authentication method for access to the proxy server:
  0 - in-built Microsoft Windows NTLM-authentication; Anti-Virus will contact the proxy server under the Local system (SYSTEM) account;
  1 - in-built Microsoft Windows NTLM-authentication; Anti-Virus will contact the proxy server under the account with the login name and password specified by modifiers /PROXYUSER and /PROXYPWD;
  2 - authentication by the login name and password specified by modifiers /PROXYUSER and /PROXYPWD (basic authentication).
  If authentication is not required for accessing the proxy server, there is no need to specify this modifier.
/PROXYUSER:<user name> | Username that will be used for accessing proxy server. If you specify the value of modifier /AUTHTYPE:0, then the /PROXYUSER:<user name> and /PROXYPWD:<password> modifiers will be ignored.
/PROXYPWD:<password> | Username that will be used for accessing proxy server. If you specify the value of modifier /AUTHTYPE:0, then the /PROXYUSER:<user name> and /PROXYPWD:<password> modifiers will be ignored. If you specify modifier /PROXYUSER and omit modifier /PROXYPWD, the password will be considered to be blank.
/NOPROXYFORKL | Do not use proxy server settings for connecting with Kaspersky Lab's update servers (used by default)

/USEPROXYFORCUSTOM | Use proxy server settings for connecting with local update sources. If not specified, the value Do not use proxy server settings to connect to the local update sources is used. For more details about these settings see section A on pg

General FTP and HTTP server settings

/NOFTPPASSIVE | If you specify this modifier, Anti-Virus will use the active FTP server mode to connect to the protected server. If you do not specify this modifier, Anti-Virus will use the passive FTP server mode, if possible.
/TIMEOUT:<number of seconds> | FTP or HTTP server connection timeout. If you do not specify this modifier, Anti-Virus will use the default value: 10 sec. You can only use integers as the value for this modifier.
/REG:<code iso3166> | Regional settings. This modifier is used when receiving updates from Kaspersky Lab's update servers. Anti-Virus optimizes the downloading of updates to the protected server by selecting the update server closest to it. As the value of this modifier, specify the letter code of the country where the protected server is located in accordance with standard ISO 3166, for example /REG:gr or /REG:RU. If you omit this code or specify the code of a country that does not exist, Anti-Virus will detect the location of the protected server based on the regional settings of the computer on which the Anti-Virus console is installed (for Microsoft Windows 2003 Server and above - by the value of variable Location).
/ALIAS:<task alias> | This modifier allows you to assign the task a temporary name by which you could access it during its execution. For example you can view task statistics using the TASK command. The task alias must be unique among the task aliases of all functional components of Anti-Virus. If this modifier is not specified, the temporary name update_<kavshell_pid> is used, for example scan_1234. In the Anti-Virus console the task will be automatically assigned the name Update-bases (<date time>), for example, Update-bases 8/16/2007 5:41:02 PM.

/W:<path to report file> | If you specify this modifier, Anti-Virus will save the task report file with the name specified by the modifier's value. The report file contains the task execution statistics, the time when it was started and completed (stopped) and information about events in this task. The report registers events specified by the settings of the reports and event log in the Anti-Virus console (for more details refer to section on pg. 197). You can specify either the absolute or the relative path to the report file. If you specify only the file name without a path, the report file will be created in the current folder. Restarting the command with the same report settings will overwrite the existing report with the same name. You can view the report file while the on-demand scan task is being executed. The report about the task is also displayed in the Report nodes of the Anti-Virus console. If Anti-Virus cannot generate a report file, it will not terminate the command and will not display an error message.

Rollback of the Anti-Virus bases update. KAVSHELL ROLLBACK

Using the KAVSHELL ROLLBACK command you can perform the Anti-Virus database rollback system task, that is, roll back the Anti-Virus bases to the previously installed version. The command is performed synchronously.

Command syntax:

KAVSHELL ROLLBACK

Installing and deleting keys. KAVSHELL LICENSE

Using the KAVSHELL LICENSE command you can install and delete Anti-Virus keys.

KAVSHELL LICENSE command syntax

KAVSHELL LICENSE [/ADD:<path to key file> [/R] /DEL:<serial number>]

KAVSHELL LICENSE command examples

KAVSHELL LICENSE /ADD:C:/License.key
Install key from the file.

KAVSHELL LICENSE
View information about installed keys.

KAVSHELL LICENSE /DEL:
Remove installed key with serial number

Modifier | Description
Without modifiers | Command returns the list of installed keys. It contains the following information about the key: serial number of the key; key type (beta, commercial, or trial); key expiration date; whether the key is a backup key. If the value specified is * the key is installed as the backup key.
/ADD:<path to key file> | Installs the key from the file whose path is specified by the value of the /ADD modifier. Include the key file name and the full path to it. When specifying the path to the key you can use system environment variables; you cannot use user's environment variables.
/R | Key /R is an additional key to /ADD. It specifies that the key being installed is the backup key.
/DEL:<serial number> | Deletes the key with the serial number specified by the value of /DEL.

Enabling, configuring and disabling the tracking log. KAVSHELL TRACE

Using the KAVSHELL TRACE command you can enable and disable the tracking log of all Anti-Virus subsystems and set the log detail level "on the fly".

KAVSHELL TRACE command syntax

KAVSHELL TRACE </ON /F:<path to log file folder> [/S:<maximum log size in megabytes>] [/LVL:debug info warning error critical] /OFF>

If the tracking log is already being maintained and you would like to change its settings, enter the KAVSHELL TRACE command with modifier /ON and specify the settings of the log with the values of modifiers /S and /LVL.

Modifier | Description
/ON | Enables the tracking log.
/F:<folder with tracking log files> | This modifier specifies the full path to the folder in which the tracking log files will be saved (mandatory modifier). If you specify a path to a non-existent folder, no tracking logs will be created. You can specify network paths but you cannot specify paths to folders on network drives of the protected server. If the name of the folder whose path you specify as the value of the modifier contains the space character, provide the path to this folder in quotes, for example /F:"C:\Trace Folder". When specifying the path to the tracking log file you can use system environment variables; you cannot use user's environment variables.
/S:<the maximum log file size in megabytes> | This modifier sets the maximum size of a single tracking log file. As soon as the log file reaches the maximum size, Anti-Virus will start recording information into a new file; the previous log file will be saved. If you do not specify the value of this modifier, the maximum size of one log file will be 50 MB.

/LVL:<debug|info|warning|error|critical>
    This modifier sets the detail level of the log from the maximum (debug information), which records all events into the log, to the minimum (critical), which records only critical events. If you do not specify this modifier, then events with the Debug information detail level will be recorded into the log.
/OFF
    This modifier disables the tracking log.

KAVSHELL TRACE command examples:

KAVSHELL TRACE /ON /F:"C:\Trace Folder" /S:200
    enable keeping the tracking log with detail level Debug information and the maximum log file size of 200 MB, save the log file to folder C:\Trace Folder;
KAVSHELL TRACE /ON /F:"C:\Trace Folder" /LVL:warning
    enable keeping the tracking log with detail level Important events, save the log file to folder C:\Trace Folder;
KAVSHELL TRACE /OFF
    disable keeping the tracking log.

Enabling and disabling dump file creation. KAVSHELL DUMP

Using the KAVSHELL DUMP command you can enable or disable creation of memory snapshots (dumps) of Anti-Virus processes in case of their abnormal termination. Additionally you can take memory snapshots of the Anti-Virus processes in progress at any time.

KAVSHELL DUMP command syntax

KAVSHELL DUMP [/ON {/F:<folder with dump files>} | /SNAPSHOT {/F:<folder with dump files>} | /OFF]

KAVSHELL DUMP command examples

KAVSHELL DUMP /ON /F:"C:\Dump Folder"
    enable creation of a dump; save the dump file into folder C:\Dump Folder;
KAVSHELL DUMP /SNAPSHOT /F:C:/Dumps /P:1234
    take a snapshot of the memory of the process with ID 1234 into folder C:/Dumps;
KAVSHELL DUMP /OFF
    disable creation of dump.

Modifier and description

/ON
    Enables creation of the process memory dump in case of its abnormal termination.
{/F:<path to folder with dump files>}
    This is a mandatory modifier. It specifies the path to the folder in which the dump file will be saved. If you specify a path to a non-existent folder, no dump files will be created. You can use the network path to the folder, but you cannot use a network drive. When specifying the path to the dump file you can use system environment variables; you cannot use user environment variables.
/SNAPSHOT
    Takes a snapshot of the memory of the specified Anti-Virus process in progress and saves the dump file into the folder whose path is specified by modifier /F.
/P
    PID (process identifier) is displayed in the Microsoft Windows Task Manager.
/OFF
    Disables creation of the process memory dump in case of its abnormal termination.

Importing settings. KAVSHELL IMPORT

Using the KAVSHELL IMPORT command, you can import Anti-Virus settings, functions, and tasks from a configuration file to Anti-Virus on the protected server. You can create a configuration file using the KAVSHELL EXPORT command.

Command syntax for KAVSHELL IMPORT

KAVSHELL IMPORT <name of config file and path to file>

Examples of the KAVSHELL IMPORT command

KAVSHELL IMPORT Server1.xml

Modifier and description

<name of config file and path to file>
    Name of the configuration file used to import settings. When specifying the path to the file you can use system environment variables; you cannot use user environment variables.

Exporting settings. KAVSHELL EXPORT

Using the KAVSHELL EXPORT command, you can export all Anti-Virus settings and existing tasks to a configuration file in order to later import them into Anti-Virus on other servers.

Command syntax for KAVSHELL EXPORT

KAVSHELL EXPORT <name of config file and path to file>

Examples of the KAVSHELL EXPORT command

KAVSHELL EXPORT Server1.xml

Modifier and description

<name of config file and path to file>
    Name of the configuration file in which the settings will be saved. You can assign any extension to the configuration file. When specifying the path to the file you can use system environment variables; you cannot use user environment variables.

CHAPTER 17. RETURN CODES

The following tables describe the return codes for Anti-Virus commands.

Return codes for the commands KAVSHELL SCAN and KAVSHELL FULLSCAN

Return code   Description
0             Operation completed successfully
1             Operation canceled
-2            Service not running
-3            Permissions error
-4            Object not found (file with list of scan scopes not found)
-5            Invalid command syntax or scan scope not defined
-80           Infected objects found
-81           Suspicious objects found
-82           Processing errors detected
-83           Unchecked objects found
-84           Corrupted objects found
-99           Unknown error
-301          Invalid license key

Return codes for the commands KAVSHELL START and KAVSHELL STOP

Return code   Description
0             Operation completed successfully
-3            Permissions error
-5            Invalid command syntax
-6            Invalid operation (for example, the Anti-Virus service is already running or already stopped)
-7            Service not registered
-8            Service is forbidden to start
-9            Attempt to start server under another user account failed (by default the Anti-Virus service runs under the SYSTEM user account)
-99           Unknown error

Return codes for the command KAVSHELL TASK

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-4            Object not found (task not found)
-5            Invalid command syntax
-6            Invalid operation (for example, task not running, already running, or cannot be paused)
-99           Unknown error
-301          Invalid license key
401           Task not running (for modifier /STATE)
402           Task already running (for modifier /STATE)
403           Task already paused (for modifier /STATE)
-404          Error executing operation (change in task status led to it crashing)

Return codes for the command KAVSHELL LICENSE

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Insufficient privileges to perform operation
-4            Object not found (modifier with specified serial number not found)
-5            Invalid command syntax
-6            Invalid operation (license key not installed)
-99           Unknown error
-301          Invalid license key
-303          License key is for a different application

Return codes for the command KAVSHELL UPDATE

Return code   Description
0             Operation completed successfully
200           All objects are up-to-date (database or program components are current)
-2            Service not running
-3            Permissions error
-5            Invalid command syntax
-99           Unknown error
-206          Extension files are missing in the specified source or have unknown format
-209          Error connecting to the update source
-232          Anti-Virus was not authenticated when connecting to the proxy server
-234          Error connecting to Kaspersky Administration Kit
-235          Anti-Virus was not authenticated when connecting to the update source
-301          Invalid license key

Return codes for the command KAVSHELL ROLLBACK

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-99           Unknown error
-221          Backup copy of database not found or corrupted
-222          Backup copy of database corrupted

Return codes for the command KAVSHELL RTP

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-4            Object not found (one of the real-time protection tasks or all real-time protection tasks not found)
-5            Invalid command syntax
-6            Invalid operation (for example, the task is already running or already stopped)
-99           Unknown error
-301          Invalid license key

Return codes for the command KAVSHELL DUMP

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-4            Object not found (path specified as path to the dump file folder not found; process with specified PID not found)
-5            Invalid command syntax
-6            Invalid operation (attempt to execute KAVSHELL DUMP /OFF when dump file creation is already disabled)
-99           Unknown error

Return codes for the command KAVSHELL TRACE

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-4            Object not found (path specified as path to the tracking logs folder not found)
-5            Invalid command syntax
-6            Invalid operation (attempt to execute KAVSHELL TRACE /OFF when the tracking log is already disabled)
-99           Unknown error

Return codes for the command KAVSHELL IMPORT

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-4            Object not found (importable configuration file not found)
-5            Invalid syntax
-99           Unknown error
501           Operation completed successfully; however, while executing the command an error/comment was generated. For example, Anti-Virus did not import the settings of one of the functional components
-502          File being imported is missing or has an unrecognized format
-503          Incompatible settings (configuration file exported from a different application or a later and incompatible version of Anti-Virus)

Return codes for the command KAVSHELL EXPORT

Return code   Description
0             Operation completed successfully
-2            Service not running
-3            Permissions error
-5            Invalid syntax
-10           Unable to create a configuration file (for example, no access to the folder specified in the path to the file)
-99           Unknown error
501           Operation completed successfully; however, an error/comment occurred during the command execution, for example, Anti-Virus did not export parameters of some functional component
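The KAVSHELL EXPORT and KAVSHELL IMPORT return codes above matter most when the commands run unattended, where 501 (completed, but a component was skipped) must not be treated the same as 0. The PowerShell wrapper below is an added example, not part of the guide or of Kaspersky Lab's tooling; it assumes PowerShell 3.0 or later and kavshell.exe reachable through PATH, and the function name Invoke-KavShellConfig and the path C:\KavBackup\Server1.xml are constructed for illustration.

```powershell
# Added example, not code from the guide. Assumptions: PowerShell 3.0 or later,
# kavshell.exe reachable through PATH (override with -KavShellPath), and
# C:\KavBackup\Server1.xml as a constructed sample path.

# Return code meanings taken from the Chapter 17 tables for EXPORT and IMPORT.
# Keys are strings so that negative codes need no special parsing.
$KavReturnCodes = @{
    EXPORT = @{
        '0'   = 'Operation completed successfully'
        '-2'  = 'Service not running'
        '-3'  = 'Permissions error'
        '-5'  = 'Invalid syntax'
        '-10' = 'Unable to create a configuration file'
        '-99' = 'Unknown error'
        '501' = 'Completed, but parameters of some functional component were not exported'
    }
    IMPORT = @{
        '0'    = 'Operation completed successfully'
        '-2'   = 'Service not running'
        '-3'   = 'Permissions error'
        '-4'   = 'Importable configuration file not found'
        '-5'   = 'Invalid syntax'
        '-99'  = 'Unknown error'
        '501'  = 'Completed, but settings of some functional component were not imported'
        '-502' = 'File being imported is missing or has an unrecognized format'
        '-503' = 'Incompatible settings (different application or later, incompatible version)'
    }
}

function Invoke-KavShellConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('EXPORT', 'IMPORT')]
        [string]$Command,

        [Parameter(Mandatory = $true)]
        [string]$ConfigFile,

        [string]$KavShellPath = 'kavshell.exe'
    )

    # EXPORT returns -10 when it cannot create the file. Checking the target
    # folder first gives a clearer error than the bare return code. Paths that
    # use %VARIABLE% are left for KAVSHELL to resolve.
    if ($Command -eq 'EXPORT') {
        $folder = Split-Path -Path $ConfigFile -Parent
        if ($folder -and $folder -notmatch '%' -and
            -not (Test-Path -LiteralPath $folder -PathType Container)) {
            throw "Target folder '$folder' does not exist."
        }
    }

    # PowerShell quotes arguments that contain spaces when it starts a native program.
    $output = & $KavShellPath $Command $ConfigFile 2>&1
    $code = $LASTEXITCODE

    $key = [string]$code
    $meaning = $KavReturnCodes[$Command][$key]
    if (-not $meaning) { $meaning = 'Return code not listed in the guide' }

    # 0 is a clean run, 501 a completed but incomplete run, anything else a failure.
    $status = switch ($code) {
        0       { 'Success' }
        501     { 'Partial' }
        default { 'Failed' }
    }

    [pscustomobject]@{
        Command    = $Command
        ConfigFile = $ConfigFile
        ReturnCode = $code
        Meaning    = $meaning
        Status     = $status
        Output     = ($output | Out-String).Trim()
    }
}

# Export the settings of this server and decide whether the file may be reused.
$result = Invoke-KavShellConfig -Command EXPORT -ConfigFile 'C:\KavBackup\Server1.xml'
switch ($result.Status) {
    'Success' { Write-Output "Export complete: $($result.ConfigFile)" }
    'Partial' {
        # The file lacks the settings of at least one component; review the
        # command output before importing the file on other servers.
        Write-Warning "Export incomplete (501): $($result.Meaning)"
        if ($result.Output) { Write-Warning $result.Output }
    }
    'Failed' {
        Write-Error "KAVSHELL EXPORT failed with $($result.ReturnCode): $($result.Meaning)"
        exit 1
    }
}
```

The same function handles the import side with -Command IMPORT, where -502 and -503 indicate that the file should be re-exported rather than retried.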

PART 3. CONFIGURING AND MANAGING APPLICATION USING KASPERSKY ADMINISTRATION KIT

If your organization uses Kaspersky Administration Kit for centralized management of the Anti-Virus applications, you can control the Anti-Virus on the protected servers and configure it using the Kaspersky Administration Kit Administration Console.

This section contains the following information:
Managing Anti-Virus and viewing its status (see Chapter 18 on pg. 252);
Creating and configuring policies (see Chapter 19 on pg. 261);
Configuring Anti-Virus in the Application settings dialog box (see Chapter 20 on pg. 274);
Creating and configuring tasks (see Chapter 21 on pg. 303).

CHAPTER 18. MANAGING ANTI-VIRUS AND VIEWING ITS STATUS

This chapter contains the following information:
starting and stopping the Anti-Virus service (see 18.1 on pg. 252);
viewing the server protection status (see 18.2 on pg. 253);
viewing the Anti-Virus statistics (see 18.3 on pg. 255);
viewing the Anti-Virus details (see 18.4 on pg. 257);
viewing information about installed keys (see 18.5 on pg. 258).

Starting and stopping the Anti-Virus service

The Anti-Virus service starts automatically at the operating system startup. This service is used to control the processes in which real-time protection, on-demand scan and updating tasks are executed.

By default, when the Anti-Virus service is started, the tasks Real-time file protection, Script Monitoring, Scan at the system startup and Application integrity control, as well as other tasks that are scheduled to start At the application start, will be started.

If you stop the Anti-Virus service, execution of all tasks will be terminated. After you restart the Anti-Virus service, the terminated tasks will not be resumed automatically. Only those tasks scheduled to start At the application startup will be restarted.

In order to start or stop the Anti-Virus service:
1. In the Administration Console tree open the Groups node and select the group including the protected server.
2. In the results panel open the context menu of the line containing information about the protected server and select its Properties.
3. In the Properties: <computer name> dialog use the Applications tab to select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications and press the Properties button.
4. In the Application settings dialog open the General tab.
5. Perform one of the following actions:
   in order to start the Anti-Virus service, press the Start button;
   in order to stop the Anti-Virus service, press the Stop button.
6. Press the OK button.

Viewing the server protection status

You can view the protection status of the selected server in the Administration Console: the status of the Real-time file protection and the Script Monitoring tasks, the overall status of the server from the point of view of the Anti-Virus security and its accessibility.

In order to view the protection status of the selected server:
1. Expand the Groups node in the Administration Console tree and select a group to which the protected server belongs.
2. In the result panel right-click the line with the information about the protected server and select Properties.
3. Switch to the Protection tab in the <Computer name> Properties dialog box that will open (see Figure 93).

Figure 93. The <Computer name> Properties dialog box, the Protection tab

The Protection tab displays the following information about the protected server:

Field and description

Real-time protection status
    Displays the real-time protection status: Enabled, if the Real-time file protection or the Script monitoring task is enabled. If the Real-time protection task is enabled, the real-time protection status reflects the security level used in the task:
    Recommended: the security settings used by the task match the pre-defined Recommended level;
    Maximum protection: the security settings used by the task match the pre-defined Maximum protection level;
    Maximum speed: the security settings used by the task match the pre-defined Maximum speed level;
    User-defined: the security settings used by the task match the Other security level.
    For more information about pre-defined security levels see on pg. 71.
Last full scan date
    Date and time of the last execution of an on-demand scan that has the "full computer scan task" status.
Viruses found
    The total number of malware programs (names of threats) detected on the protected server (counter of detected threats) since the moment when the Anti-Virus was installed or since the moment the counter was last reset. In order to reset the counter, press the Reset the threat counter button.
Computer status
    The server status from the Anti-Virus security point of view. For more details about computer statuses refer to the Kaspersky Lab's Technical Support website, Article code

Viewing the Anti-Virus statistics

You can view the following statistical information about the Anti-Virus on the selected protected server in the Administration Console: the number of Anti-Virus processes, the number of records in the Anti-Virus bases installed, the creation date of the latest bases updates installed, and the information about the operation of individual functional components of the Anti-Virus and about task execution.

Note
If you wish to view Anti-Virus statistics in real-time, open port UDP in Windows firewall of the computer on which the Administration server is installed.

In order to view the Anti-Virus statistics:
1. Expand the Groups node in the Administration Console tree and select a group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the result panel and select Properties.
3. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed Anti-Virus applications on the Applications tab of the Computer Settings (Properties) dialog box and press the Statistics button. The Statistics dialog box will open (see Figure 94).

Figure 94. The Statistics dialog box

The following information will be displayed in the Statistics dialog box:

Field and description

Database release time (UTC)
    UTC (Coordinated Universal Time) date and time of the creation of the latest installed bases update by Kaspersky Lab.
Number of active processes
    The number of Anti-Virus processes currently used to execute real-time protection, on-demand scan and updating tasks.
Database records count
    The total number of records in the Anti-Virus bases installed on the server.
Quarantine statistics
    Information about the current quarantine status (for more details see 11.9 on pg. 171).
Real-time file protection statistics
    Information about the Real-time file protection task (for details see 6.3 on pg. 83).
Blocking access to the server statistics
    Information on the number of computers whose access to the protected server has been blocked since the last time Anti-Virus was started (for more details, see 7.9 on pg. 97).
On-demand scan statistics
    Information about the on-demand scan tasks (for details see 9.4 on pg. 133).
Script monitoring statistics
    Information about the number of scripts processed by the Anti-Virus since the moment the Script monitoring task was started until the current moment (for details see 6.5 on pg. 86).
Backup statistics
    Information about the current backup storage status (for more details see 12.6 on pg. 183).

Note
Information about the Real-time file protection, Script monitoring and on-demand scan tasks will be displayed only while the corresponding task is being performed.

Viewing Anti-Virus details

You can view information about the Anti-Virus and its bases.

To view information about the Anti-Virus:
1. In the Administration Console tree open the Groups node and select the group including the protected server.
2. In the results panel open the context menu of the line containing information about the protected server and select its Properties.
3. In the Properties: <computer name> dialog use the Applications tab to select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications and press the Properties button.
4. In the Application settings dialog open the General tab.

The following is displayed on the General tab (see Figure 103):
general information about the Anti-Virus:
   version number;
   installation date and time;
   date and time of the last Anti-Virus modules update;
   Anti-Virus service status (started/stopped);
information about the Anti-Virus bases:
   date and time of the creation of the bases updates installed (in the format specified in the regional settings of the computer on which the Administration Console is installed);
   the total number of records in the Anti-Virus bases;
   date and time of the latest update.

Viewing information about installed keys

In order to view information about the installed keys:
1. In the Administration Console tree open the Groups node and select the group including the protected server.
2. In the results panel open the context menu of the line containing information about the protected server and select its Properties.
3. In the Properties: <computer name> dialog use the Applications tab to select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications and press the Properties button.
4. In the Application settings dialog open the Licenses tab (see Figure 95).

Figure 95. The Application Settings dialog box, the Licenses tab

The following information about installed keys will be displayed on the License tab:

Field and description

Serial number
    Key serial number.
Type
    Key type (for beta testing, trial or commercial key). For more details about key types refer to section 14.1 on pg. 209.
Activation date
    Key installation date (only for active keys).
Expiration date
    The key expiration date is calculated by Anti-Virus after the key installation (only for active keys); it is the date of the expiration of the key validity period since the moment of its activation, but not later than the date on which the key becomes invalid.
License period
    Days remaining before the license key expires.
Limit computer count
    Restrictions provided for by the key (if any).

CHAPTER 19. CREATING AND CONFIGURING POLICIES

This chapter contains the following information:
about policies (see 19.1 on pg. 261);
creating a policy (see 19.2 on pg. 262);
configuring a policy (see 19.3 on pg. 268);
disabling schedules for launching local system tasks (see 19.4 on pg. 272).

About policies

You can create global Kaspersky Administration Kit policies for managing protection on several servers where Anti-Virus is installed. The policy enforces the Anti-Virus settings, functions and tasks specified in it on all the protected servers of one administration group.

Note
You cannot create protection/scan scopes using policies in the Real-time file protection and on-demand scan tasks.

You can create several policies for one administration group and enforce them in turns. In the Administration Console, the policy currently active for a group has the status active.

Information on policy enforcement is logged in the Anti-Virus system audit log. You can view it in the Anti-Virus console in MMC under the System audit log node.

Of all the methods for enforcing policies, you can only use the Do not modify settings method, which does not involve saving values of the settings determined by the policy in Anti-Virus. You cannot use the Enforce mandatory settings or Enforce all settings policy enforcement methods.

Using the Do not modify settings policy enforcement method, Anti-Virus will enforce the settings that you selected while the policy is active instead of the values for those settings in place before the policy is enforced. Anti-Virus will not enforce the settings with their checkbox select in the policy properties. After the policy is no longer active, the settings replaced by the policy will take the values used before the policy was enforced.

While the policy is active, the settings in the Application settings dialog box of Administration Console marked with the icon in the Anti-Virus console in MMC; are locked for editing. The remaining settings (which are marked with the icon in the policy) can be edited in the Anti-Virus console in MMC and the Application settings dialog box in Administration Console.

If the policy defines settings for any of the real-time protection tasks and such task is running, the settings determined by the policy will be enforced immediately. If the task is not running, the settings will be enforced after it is started.

If the policy defines settings for other Anti-Virus tasks, those settings will not be applied in tasks currently running when the policy becomes active and will be enforced the next time the task is run.

Creating a policy

The process of creating a policy involves two steps:
1. You create a policy using a policy creation wizard. Using the windows of the wizard, you can configure settings for Bases Updating, Application Modules Updating, Real-time File Protection, and On-demand Scan tasks.
2. Using the Policy Properties dialog box you can configure settings of the remaining tasks and the Anti-Virus settings.

Using the Policy Properties dialog box you can also modify settings of the updating task, on-demand scan tasks and the Real-time file protection tasks configured using the policy creation wizard. For details on configuring a policy that you have created, see 19.3 on pg.

In order to create a policy for a group of servers on which the Anti-Virus is installed:
1. Expand the Groups node in the Administration Console tree, then expand the administration group for the servers of which you wish to create a policy.
2. Select command Create Policy from the shortcut menu of nested node Policies. This will open a policy creation wizard window.
3. Enter the name for the policy being created in the entry field of the Policy name window. (The name cannot contain the following characters: * < : > ? \ / ).

4. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition under heading Application in the Applications window.
5. Select one of the following statuses of the policy in the Create policy window:
   Active, if you wish the policy to be applied immediately after it is created. If an active policy already exists in the group, this existing policy will become inactive and the policy you are creating will be activated.
   Inactive, if you do not wish to apply the policy you are creating immediately. In this case you will be able to activate the policy at a later time.
   Using the windows of the policy creation wizard, configure settings for Bases Updating, Application Modules Updating, Real-time File Protection and On-demand Scan tasks based on your requirements.
6. In the Real-time file protection window (see Figure 96), select the object protection mode for Real-time file protection tasks and select one of the preset security levels or configure the security settings manually (A.3 on pg. 359). Check the Apply trusted zone flag if, for the Real-time file protection task, you wish to exclude objects described in the Anti-Virus trusted zone from the scan scope (for more details about trusted zone see section 8.1 on pg. 99; for more details about adding exclusions to the trusted zone in Kaspersky Administration Kit see section 20.7 on pg. 296).

Figure 96. The Real-time file protection window

7. In the On-Demand Scan window (see Figure 97), select one of the preset security levels or configure the security settings manually in the on-demand scan tasks (A.3 on pg. 359). Check the Apply trusted zone flag if, for on-demand scan tasks, you wish to exclude objects described in the Anti-Virus trusted zone from the scan scope (for more details about trusted zone see section 8.1 on pg. 99; for more details about adding exclusions to the trusted zone in Kaspersky Administration Kit see section 20.7 on pg. 296).

Figure 97. The On-demand scan window

8. In the Update dialog box (see Figure 98) configure settings for the Application Databases Update and Application Modules Update.
9. Perform the following actions in the Settings dialog box:
   a) select an update source (see A.5.1 on pg. 381);

Figure 98. The Update dialog box

   b) press the LAN settings button. Configure the required connection settings in the Connection Settings dialog box:
      change the FTP server mode for the connection with the protected server and the connection timeout value (see A.5.2 on pg. 382);
      configure the proxy server access settings for connecting to the update source (see A.5.4 on pg. 383);
      specify the location of the protected server(s) on the Regional Settings tab to optimize downloading of the updates (see A.5.5 on pg. 387).
   c) in order to configure settings of the Application modules update task, press the Settings button under heading Application modules update and configure the settings of the application modules updating in the Application Modules Update Configuration dialog box (see Figure 99):
      select whether you want the task to download and install the application module updates or only check if updates are available (see A on pg. 388);

Figure 99. The Product modules update settings dialog box

      if you want Anti-Virus to automatically restart the server upon completion of the task (if this is required in order to apply the installed application modules), check the Allow system reboot box;
      if you want to obtain information about Anti-Virus module upgrades, select Receive information about available application modules updates.
      Kaspersky Lab does not publish upgrade packages on update servers for automatic download, but you can download them yourself from the Kaspersky Lab website. You can configure administrator notifications about the event Anti-Virus module routine update available, containing the address of the Kaspersky Lab site where you can download scheduled updates (for more information on configuring notifications, see 15.2 on pg. 216).

Note
Settings of the Updates distribution task can be configured at a later time in the Policy Properties dialog box.

10. Press the Finish button in the final window.

The policy created will be displayed in the list of policies provided in the Policies node of the selected administration group. Now you can configure other settings of the Anti-Virus, its functions and tasks in the Policy Properties dialog box.

Configuring a policy

You can configure general settings of the Anti-Virus and settings of its functions and tasks for the administration group servers in the Properties dialog box of the existing policy.

Note
You cannot create a protection (scan) area for the Real-time file protection task and on-demand scan tasks using a policy.

In order to configure settings in the Policy Properties dialog box:
1. Expand the Groups node in the Administration Console tree, then expand the administration group the policy settings of which you wish to configure, then expand nested node Policies.
2. Right-click the policy the settings of which you wish to configure and select Properties.
3. Configure the required policy settings in the <Policy name> Properties dialog box (see Figure 100).

269 Creating and Configuring Policies 269 Figure 100. An example of the Policy Properties dialog box You can configure the policy settings using the following tabs: Settings Security settings in the Real-time file protection task: protection mode (see setting description in section A.3.1 on pg. 359); security settings (common for the entire protection area): you can select a predefined security level (see description in section on pg. 71) or configure security settings manually (as well as the MMC console - see instructions on pg. 75). Tab Real-time file protection

270 270 Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition Settings settings of automatic access blocking from computers (see instructions on pg. 281); excluding computers from blocking (Trusted computers) (see instructions on pg. 282); preventing virus outbreaks (see instructions on pg. 283). Allowed or blocked execution of suspicious scripts (please refer to section 6.1 on pg. 62 for details about the option); Trusted zone use (please refer to Chapter 8 on pg. 99 for details). Managing the list of trusted processes (same as in dialog box Application settings, see section 20.7 on pg. 296); disabling real-time protection of files, accessed using backup copying operations (same as in the Application settings dialog box, see section on pg. 298); creation and application of the trusted zone exclusions (see section 20.7 on pg. 296). Security settings in the on-demand scan tasks (common for the entire protection area): you can select a pre-defined security level (see description in section on pg. 120) or configure the security settings manually (same as in the MMC console - see instructions on pg. 124) Tab Blocking access from computers Script monitoring Trusted zone On-demand scan

271 Creating and Configuring Policies 271 Settings Settings of updating tasks Updating Bases and Updating Application select the update source (for more details about this setting refer to A.5.1 on pg. 381); configure the update source connection settings and specify location of the protected server for optimization of the updates (the Configure LAN button) (same as in the MMC console, see instructions on pg. 147); configure settings of the Application module update task (the Configure button) (same as in the MMC console, see instructions on pg. 150); Updates distribution task settings select the update source (for more details about this setting refer to A.5.1 on pg. 381); configure the update source connection settings and specify location of the protected server for optimization of the updates (the Configure LAN button) (same as in the MMC console, see instructions on pg. 147); configure settings of the Downloading updates task (same as in the MMC console, see instructions on pg Disabling actions of the system task schedule (see 19.4 on pg. 272) Quarantine settings Backup storage settings General Anti-Virus settings Configuring notifications about the Anti-Virus events to be sent to the administrator and the users Tab Update Updates distribution System tasks Quarantine Backup Enforcement and Additional Notification

Tab: Reports
Settings: configuring reports

Tab: Events
Settings: configuring notifications about the Anti-Virus events to be sent to the administrator and the users

4. After you have configured the required policy settings, press the OK button to save changes.

Disabling / resuming scheduled launch of local predefined tasks

Using policies you can disable the scheduled launch for the following local predefined tasks for all servers of the same administration group:
- Real-time file protection;
- Script monitoring;
- on-demand scan tasks Scan My Computer, Scan Quarantine, Scan at the System Startup and Application integrity control;
- updating tasks Application Bases Update, Application Modules Update and Updates distribution.

Note: If you exclude the protected server from the administration group, the system task schedule will be automatically disabled.

In order to disable the scheduled launch of the Anti-Virus system task on the group's servers:
1. Expand the Groups node in the Administration Console, expand the required group and select the Policies node in it.
2. In the results panel, right-click the name of the policy with which you wish to disable the scheduled launch of Anti-Virus predefined tasks on the group's servers, and select Properties.
3. Open the Predefined tasks tab in the Policy Properties dialog box (see Figure 101).

Figure 101. The Properties dialog box, the Predefined tasks tab

4. Uncheck the box next to the name of the system task whose scheduled launch you wish to disable. In order to re-enable the system task schedule, check the box next to its name.
5. Press the OK button.

Note: If you disable the scheduled launch of predefined tasks, you can launch them manually either from the Anti-Virus console in MMC or from the Kaspersky Administration Kit administration console.

CHAPTER 20. CONFIGURING ANTI-VIRUS IN THE APPLICATION SETTINGS DIALOG BOX

This chapter contains the following information:
- configuring Anti-Virus settings (see 20.2 on pg. 276);
- blocking access from computers (see 20.3 on pg. 279);
- managing quarantined objects and configuring the quarantine settings (see 20.4 on pg. 288);
- managing objects stored in Backup and configuring Backup settings (see 20.5 on pg. 291);
- configuring notifications about the Anti-Virus events to be sent to the administrator and the users (see 20.6 on pg. 293);
- managing the trusted zone (see 20.7 on pg. 296).

To learn how to open the Application settings dialog box see 20.1 on pg.

The Application Settings dialog box

Using the Application Settings dialog box you can perform remote management of the Anti-Virus or configure it on the selected protected server.

In order to open the Application Settings dialog box:
1. Expand the Groups node in the Administration Console tree and select a group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the result panel and select Properties.
3. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications (see Figure 102) on the Applications tab of the <Computer name> Properties dialog box and press the Properties button.

Figure 102. The list of Anti-Virus applications in the <Computer name> Properties dialog box

An Application Settings dialog box will open (see Figure 103).

Figure 103. The Application Settings dialog box, the General tab

Note: While the Kaspersky Administration Kit policy is active, the settings marked with the icon in the Application settings dialog box of Administration Console are locked for editing.

Configuring general Anti-Virus settings

In order to configure general Anti-Virus settings:
1. Open the Application Settings dialog box (see 20.1 on pg. 274). Change general Anti-Virus settings on the following tabs to meet your needs.

On the Performance tab (see Figure 104):

- specify the maximum number of processes that Anti-Virus can run (see A.1.1 on pg. 340);
- specify the fixed number of processes to run real-time protection tasks (see A.1.2 on pg. 341);
- specify the maximum number of processes for background on-demand scan tasks (see A.1.3 on pg. 342);
- specify the number of task recovery attempts after their abnormal termination (see A.1.4 on pg. 343).

Figure 104. The Application Settings dialog box, the Performance tab

Perform the following on the Additional tab (see Figure 105):
- specify whether you want the Anti-Virus icon to be displayed in the server task notification area each time when Anti-Virus automatically restarts after the server restart (for more details about Anti-Virus icon see section 2.4 on pg. 32).

- specify for how many days the summary and detailed task performance reports displayed in the Reports nodes of the Anti-Virus console in MMC will be stored (see A.1.5 on pg. 344);
- specify for how many days the information displayed in the System audit log nodes of the Anti-Virus console in MMC will be stored (see A.1.6 on pg. 344);
- specify the Anti-Virus actions when the server is running on an uninterruptible power supply (see A.1.7 on pg. 345);
- specify the maximum number of days after which the events Database is obsolete, Database is outdated and Full computer scan has not been performed for a long time will be triggered (see A.1.8 on pg. 346).

Figure 105. The Application Settings dialog box, the Additional tab

On the Malfunction diagnostics tab (see Figure 106):
- enable or disable the writing to traces; if writing to traces is enabled, configure the log settings (see A.1.9 on pg. 346);

- enable or disable creation of Anti-Virus process memory dump files (see A.1.10 on pg. 351).

Figure 106. The Application settings dialog box, Malfunction diagnosis tab

2. After you have configured the required Anti-Virus settings, press the OK button.

Blocking access from computers

You can manage blocking access from computers and prevention of virus outbreaks in the Application settings dialog box (for more details see section 7.1 on pg. 87).

You can perform the following operations:
- enable or disable automatic blocking from computers (see on pg. 280);

- configure settings of blocking access from computers (see on pg. 281);
- add computers to the list of computers excluded from blocking (see on pg. 282);
- enable automatic switching to a higher security level if the number of blocked computers reaches the threshold value (function Prevention of virus outbreaks) (see on pg. 283);
- view the access blocking list (see on pg. 285);
- manually block access from computers (see on pg. 286);
- open access from computers (see on pg. 287).

Enabling or disabling automatic blocking of access from computers

For more details about the function of automatic blocking of access from computers refer to section A.4.1 on pg.

Note: If you enable the function of automatic blocking of access from computers, it will be active only while the Real-time file protection task is running.

In order to enable or disable the function of blocking access from computers:
1. Open the Application Settings dialog box (see section 20.1 on pg. 274).
2. Perform one of the following actions on the Blocking access from computers tab (see Figure 107):
   - in order to enable the function of automatic blocking from computers, check the Enable blocking the access from computers to the server box;
   - in order to disable the function of automatic blocking from computers, uncheck the Enable blocking the access from computers to the server box.

Figure 107. The Application Settings dialog box, tab Blocking access from computers

Configuring settings of automatic access blocking from computers

In order to configure settings of automatic access blocking from computers:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Switch to the Blocking access from computers tab and make sure that the Enable blocking the access from computers to the server box is checked (see A.4.1 on pg. 375).
3. In the Actions on computer group of settings select actions that the Anti-Virus will perform if a computer attempts to write an infected or a suspicious object on the server (see A.4.2 on pg. 376).
   - If you selected Block access from computer to the server, specify a time period for which you wish to block access from the specified computers to the server in days, hours or minutes.

   - If you selected Run executable file, press the list button in the Executable file dialog box (see Figure 108), specify the executable file (name and full path to it) and the account under which the file will be executed.

Figure 108. The Executable file dialog box

4. Press the OK button in the Application Settings dialog box.

Excluding computers from blocking (Trusted computers)

In order to add computers to the list of computers excluded from blocking (see A.4.3 on pg. 377):
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Switch to the Blocking access from computers tab and make sure that the Enable blocking the access from computers to the server box is checked (see A.4.1 on pg. 375).
3. Check the Do not block specified computer box in the Trusted computers group of settings and perform the following actions:
   a) Press the Add button and specify the computer in the Blocking access from computers dialog box (see Figure 109). Perform one of the following actions:
      - select Use network computer name and specify the computer's NetBIOS name;

      - specify the unique IP address: select Use network IP address or enter the computer's IP address;
      - specify the range of IP addresses: select Use IP address range. Enter the first IP address of the range in the IP address field and the last IP address in the End IP address field. All computers whose IP addresses are within the specified range will be treated as trusted computers.

Figure 109. The Add Computer dialog box

   b) Press the OK button.
4. Press the OK button in the Application Settings dialog box.

Preventing virus outbreaks

You can use the Virus outbreak prevention function: when this function is enabled, Anti-Virus will automatically increase the security level when the number of blocked computers reaches the threshold value. Description of Virus outbreak prevention is provided in A.4.4 on pg.

In order to enable / disable the Virus outbreak prevention function:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Switch to the Blocking access from computers tab and make sure that the Enable blocking the access from computers to the server box is checked.
3. Press the Additional button.

4. Perform one of the following actions in the Additional dialog box (see Figure 110).
   In order to enable the Virus outbreak prevention function:
   a) check the Increase security level if the number of computers exceeds box;
   b) indicate the number of blocked computers in the blocking list that, when reached, would cause the Anti-Virus to switch to the higher security level;
   c) enable or disable restoring the security level once the number of computers blocked from accessing the server decreases and reaches the specified value. Specify the number of computers in the Restore security level if the number of computers is lower than field.
   In order to disable the Virus outbreak prevention function, uncheck the Increase security level if the number of computers exceeds box.
5. Press the OK button.

Figure 110. The Additional dialog box

6. Press the OK button in the Application Settings dialog box.
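The following planning model is an added example, not Kaspersky code: it replays a constructed sequence of block and unblock events against a trusted computers list and the two Virus outbreak prevention thresholds, so an administrator can check a planned configuration before saving it. The class and function names, the case-insensitive name comparison and the reading of "reaches the threshold" as "greater than or equal" are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TrustedComputers:
    """The three entry kinds offered by the Add Computer dialog (model only)."""
    names: set = field(default_factory=set)      # NetBIOS names
    addresses: set = field(default_factory=set)  # single IP addresses
    ranges: list = field(default_factory=list)   # (first, last), both inclusive

    def add_name(self, name):
        self.names.add(name.upper())  # assumption: names compare case-insensitively

    def add_address(self, ip):
        self.addresses.add(ipaddress.ip_address(ip))

    def add_range(self, first, last):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {first} - {last}")
        self.ranges.append((lo, hi))

    def is_trusted(self, name=None, ip=None):
        if name and name.upper() in self.names:
            return True
        if ip is None:
            return False
        addr = ipaddress.ip_address(ip)
        return addr in self.addresses or any(
            lo.version == addr.version and lo <= addr <= hi for lo, hi in self.ranges
        )


@dataclass
class OutbreakPrevention:
    increase_at: int                     # "Increase security level if the number of computers exceeds"
    restore_below: Optional[int] = None  # "Restore security level if the number of computers is lower than"
    elevated: bool = False

    def validate(self):
        """Return a list of problems with the planned thresholds."""
        problems = []
        if self.increase_at < 1:
            problems.append("increase threshold must be at least 1")
        if self.restore_below is not None and self.restore_below > self.increase_at:
            problems.append("restore value above increase threshold: level would flap")
        return problems

    def update(self, blocked_count):
        """Apply the two thresholds to the current size of the blocking list."""
        if not self.elevated and blocked_count >= self.increase_at:
            self.elevated = True
        elif (self.elevated and self.restore_below is not None
              and blocked_count < self.restore_below):
            self.elevated = False
        return self.elevated


def simulate(trusted, prevention, events):
    """events: (action, name, ip); returns [(blocked_count, elevated), ...]."""
    blocked, timeline = set(), []
    for action, name, ip in events:
        if action == "block" and not trusted.is_trusted(name, ip):
            blocked.add(name.upper())
        elif action == "unblock":
            blocked.discard(name.upper())
        timeline.append((len(blocked), prevention.update(len(blocked))))
    return timeline


def demo():
    trusted = TrustedComputers()
    trusted.add_name("BACKUP01")
    trusted.add_range("10.0.5.10", "10.0.5.20")
    prevention = OutbreakPrevention(increase_at=3, restore_below=2)
    events = [  # constructed sample events
        ("block", "WS01", "10.0.1.11"),
        ("block", "BACKUP01", "10.0.9.9"),   # trusted by name, never blocked
        ("block", "WS02", "10.0.5.15"),      # trusted by IP range, never blocked
        ("block", "WS03", "10.0.1.13"),
        ("block", "WS04", "10.0.1.14"),      # third blocked host: level raised
        ("unblock", "WS01", "10.0.1.11"),    # 2 blocked: not lower than 2, stays raised
        ("unblock", "WS03", "10.0.1.13"),    # 1 blocked: level restored
    ]
    return simulate(trusted, prevention, events)


if __name__ == "__main__":
    for count, elevated in demo():
        print(f"blocked={count} elevated={elevated}")
```
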

Viewing the server access blocking list

Attention! Computers in the server blocking list are denied access to the protected server only while the Real-time file protection task is running and the automatic access blocking feature is enabled.

In order to view the list of computers from which access to the protected server is currently blocked:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Press the Blocking list button on the Blocking access from computers tab (see Figure 111).

Figure 111. The Blocking list of server access dialog box

The Blocking list of server access dialog box contains the following information on computers that currently are blocked from accessing the protected server:

Field: Computer
Description: Information about the computer in the blocking list obtained by Anti-Virus (network name, IP address)

Field: Blocking date
Description: Date and time when the access from a computer was blocked; it is displayed using the format specified by the Microsoft Windows regional settings of the computer on which the Administration Console is installed.

Field: Blocking end date
Description: Date and time when the computer will be unblocked; it is displayed using the format specified in the Microsoft Windows regional settings of the computer on which the Administration Console is installed.

Manually blocking access from computers

If you have information that any computer in the local network is infected, you can temporarily block access from it to the protected server.

Attention! Computers in the server blocking list are denied access to the protected server only while the Real-time file protection task is running and the automatic access blocking feature is enabled.

In order to block access from a computer to the server:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Press the Blocking list button on the Blocking access from computers tab.
3. Press the Block computer button in the Blocking dialog box.
4. Using the Blocking access from computer dialog box (see Figure 112) specify the network name of the computer from which you wish to block access.

Note: In the Computer Name field specify only computers' network NetBIOS names; do not specify DNS addresses.

Figure 112. The Blocking access from computer dialog box

Note: Please specify network name of computer that should be added to the blocking list.

5. After this perform one of the following actions:
   - select Blocking access from the computer to the server for the period of and specify the period for which the access from the computer to the server will be blocked;
   - select Block access from computer to the server until and specify the date and time when the computer will be unblocked.

   Note: Specify the date and time relative to the current date and time of the protected server.

6. Press the OK button.
7. Press the OK button in the Application Settings dialog box.

Unblocking access from computers

In order to unblock access from a computer:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Press the Blocking list of server access button on the Blocking access from computers tab.

3. Select a computer you wish to unblock in the list of blocked computers in the Blocking list of server access dialog box and press the Unblock computer button. In order to unblock all blocked computers press the Unblock all button.
4. Press the OK button.
5. Press the OK button in the Application Settings dialog box.

Managing quarantined objects and configuring the quarantine settings

Quarantine functions and configuration tools

The table provided below lists the functions of the quarantine and the administration tools with which you can control these functions.

Table 18. Quarantine functions and configuration tools

Quarantine function: Viewing, sorting, removing objects
  Kaspersky Administration Kit Administration Console: yes (see Kaspersky Administration Kit. Administrator's Guide)
  Anti-Virus console in MMC: yes

Quarantine function: Filtering objects
  Kaspersky Administration Kit Administration Console: no
  Anti-Virus console in MMC: yes

Quarantine function: Sending suspicious quarantined objects to the Anti-Virus lab for analysis
  Kaspersky Administration Kit Administration Console: no
  Anti-Virus console in MMC: yes

Quarantine function: Placing objects into quarantine manually
  Kaspersky Administration Kit Administration Console: no
  Anti-Virus console in MMC: yes

Quarantine function: Restoring objects from quarantine
  Kaspersky Administration Kit Administration Console: yes (only to the original location)
  Anti-Virus console in MMC: yes

Quarantine function: Scanning quarantined objects
  Kaspersky Administration Kit Administration Console: yes (start task Scan Quarantine)
  Anti-Virus console in MMC: yes

Quarantine function: Configuring quarantine settings
  Kaspersky Administration Kit Administration Console: yes (see on pg.)
  Anti-Virus console in MMC: yes

Quarantine function: Viewing quarantine statistics
  Kaspersky Administration Kit Administration Console: yes (see Viewing Anti-Virus Statistics, 18.3 on pg. 255)
  Anti-Virus console in MMC: yes

Configuring quarantine settings

You can configure quarantine settings in the Application settings dialog box of the selected protected server. Information about isolation of suspicious objects is provided in 11.1 on pg.

In order to configure the quarantine settings:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. If required, modify the quarantine settings on the Quarantine tab:
   - in order to specify a different folder as the quarantine location, select the required folder on the disk using the Quarantine folder field or enter full path to it (see A.6.1 on pg. 391);
   - in order to restrict the maximum size of the quarantine, check the Maximum quarantine size box and specify the required value of this setting in megabytes (see A.6.2 on pg. 392);
   - in order to specify a threshold of the minimum free space in the quarantine, check the Maximum quarantine size box, check the Threshold of free space box and specify the required value for this setting in megabytes (see A.6.3 on pg. 393);

   - in order to specify a different folder as the destination folder for object restoration, select the required folder on the disk using the Restoration settings group of settings or enter full path to this folder (see A.6.4 on pg. 394).

Figure 113. The Application Settings dialog box, the Quarantine tab

3. Press the OK button.

Managing files in Backup and configuring backup storage settings

Functions of Backup and tools used to control these functions

The table provided below lists the functions of Backup and the administration tools with which you can control these functions.

Table 19. Backup storage functions

Backup storage function: viewing, sorting, removing objects
  Kaspersky Administration Kit Administration Console: yes
  Anti-Virus Console in MMC: yes

Backup storage function: filtering files
  Kaspersky Administration Kit Administration Console: no
  Anti-Virus Console in MMC: yes

Backup storage function: restoring objects from Backup
  Kaspersky Administration Kit Administration Console: yes (only to the original location)
  Anti-Virus Console in MMC: yes

Backup storage function: configuring Backup settings
  Kaspersky Administration Kit Administration Console: yes (see on pg. 291)
  Anti-Virus Console in MMC: yes

Backup storage function: viewing Backup statistics
  Kaspersky Administration Kit Administration Console: yes (see Viewing Anti-Virus Statistics, 18.3 on pg.)
  Anti-Virus Console in MMC: yes

Configuring Backup settings

You can configure backup storage settings in the Application settings dialog box of the selected protected server. For information about creating backup copies of objects before attempting to disinfect or delete them see 12.1 on pg. 173.

In order to configure Backup settings:
1. Open the Application Settings dialog box (see 20.1 on pg. 274) and switch to the Backup tab.
2. Configure the required settings of Backup on the Backup tab (see Figure 114):
   - in order to specify a different folder as Backup folder, select the required folder on the disk using the Backup folder field or enter full path to it (see A.7.1 on pg. 395);
   - in order to change the maximum size of Backup, check the Maximum storage size box and specify the required value of this setting in megabytes (see A.7.2 on pg. 396);
   - in order to change the threshold of the minimum free space in Backup, check the Maximum storage size box, make sure that the Threshold of free space box is checked and specify the required value for this setting in megabytes (see A.7.3 on pg. 396);
   - in order to specify a different folder as the destination folder for object restoration, select the required folder on the disk in the Restoration settings group of settings or enter full path to it (see A.7.4 on pg. 397).

Figure 114. The Application Settings dialog box, the Backup tab

3. Press the OK button.

Configuring notifications

This section contains the following information:
- general information on notification settings through Administration Console (see on pg. 293);
- configuring administrator and user notification settings on the Notification tab (see on pg. 295).

General information

Using the Kaspersky Administration Kit Administration Console you can configure notifications for the administrator and the users about the events related to the operation of the Anti-Virus and the status of the Anti-Virus protection of the protected server:
- the administrator can receive information about events of selected types;
- users of the local network who access the protected server can receive information about events of types Threat detected and Computer added to the blocking list;
- terminal server users can receive information about events of the Threat detected type.

You can configure notifications about the Anti-Virus events either for a single server using the Application Properties dialog box of the selected server or for a group of servers using the Policy Properties dialog box.

You can configure notifications in these dialog boxes on the Events tab or on the Notification tab:
- you can configure notifications to the administrator about events of selected types on the Events tab (standard tab of the Kaspersky Administration Kit application). For the description of the notification methods you can configure and how to configure them, see the document Kaspersky Administration Kit. Administrator's Guide;
- you can configure both administrator's and users' notifications on the Notification tab. For information about the methods of notifications you can configure on the Notification tab, see 15.1 on pg. To learn how to configure notifications on the Notification tab see on pg.

Notifications about events of some types can only be configured on one of the tabs, while notifications about events of other types can be configured on both of them.

Note: If you configure notifications about events of one type using two tabs (both Events and Notification), the administrator will receive notifications about these events twice.

Configuring administrator's and users' notifications on the Notification tab

In order to configure notifications:
1. Open the Application Settings dialog box (see 20.1 on pg. 274) and switch to the Notification tab.
2. Using the Notification tab (see Figure 115) configure notifications about events of the required types and press the OK button.

Configuring notifications on the Notification tab is similar to the process of configuring notifications in the Notifications dialog box of the Anti-Virus Console in MMC. For details on configuring notifications using the Notification tab see 15.2 on pg.

Figure 115. The Application Settings dialog box, the Notification tab

Managing the trusted zone

This section contains the following information:
- adding processes to the list of trusted processes (see section on pg. 296);
- disabling real-time file protection for the time of backup copying (see section on pg. 298);
- excluding threats (see section on pg. 299);
- applying a trusted zone (see section on pg. 302).

For more details about Anti-Virus trusted zone see section 8.1 on pg.

Adding processes to the list of trusted processes

Using the Kaspersky Administration Kit Administration Console you can add executable files of processes on the disk of the protected server to the trusted zone; note that you cannot add processes from the list of active processes on the server. For more details about Anti-Virus trusted zone refer to section 8.1 on pg. 99.

In order to add a process to the list of Anti-Virus trusted processes:
1. Open the Application Settings dialog box (see 20.1 on pg. 274) and switch to the Trusted zone tab (see Figure 116).
2. Enable the List of trusted processes function: check the Do not monitor file activity of the specified processes box.

Figure 116. The Application Settings dialog box, the Trusted zone tab

3. In order to select an executable file of the process on the drive of the protected server, perform the following:
   a) Press the Add button in the Trusted zone tab;
   b) Press Browse in the Add trusted process dialog box and select an executable process file on the local drive of the protected server. The filename and the path to this file will be displayed in the Add trusted process dialog box.
   c) Press the OK button. The name of the selected executable process file will then be displayed in the List of trusted processes in the Trusted zone tab.
4. Press OK to save the changes.

Disabling real-time file protection during backup copying

You can disable real-time file protection for files accessed during the backup copying. Anti-Virus will scan files which the backup copying application opens for reading with the FILE_FLAG_BACKUP_SEMANTICS attribute.

In order to disable real-time file protection during the backup copying:
1. Open the Application Settings dialog box (see section 20.1 on pg. 274) and switch to the Trusted zone tab (see Figure 117).

Figure 117. The Application Settings dialog box, the Trusted zone tab

2. In order to disable real-time protection of files accessed by the backup file copying task, check the Do not check files backup operations box.
3. Press OK to save the changes.

Apply trusted zone exclusions in the selected tasks and policies (see section on pg. 302).

Adding exclusions to the trusted zone

You can add to the trusted zone objects to be excluded from the scan. For more details about the trusted zone refer to section 8.1 on pg. 99.

In order to add an exclusion:
1. Open the Application Settings dialog box (see section 20.1 on pg. 274) and switch to the Trusted zone tab (see Figure 118).
2. Press the Add button under the Exclusions heading.

Figure 118. The Application Settings dialog box, Trusted zone tab

An Exclusion rule dialog box will open.

Figure 119. The Exclusion rule dialog box

3. Specify the rule using which Anti-Virus will exclude the object.

   Note: In order to exclude specified threats within the specified folders or files, check the Object box and the Threats box. In order to exclude all threats within the specified folders or files, check the Object box and uncheck the Threats box. In order to exclude a specified threat within the entire scan area, uncheck the Object box and check the Threats box.

   If you wish to specify the object's location, check the Object box, press the Change button and use the Object selection dialog to specify the object that will be excluded from scanning, then press the OK button:
   - Predefined scope. Select in the list one of predefined scanning areas.
   - Disc or folder. Specify the server drive or folder on server or in the local network.
   - File. Specify the file on server or in the local network.
   - File or URL of the script. Select the script on a protected server, in local network or in the Internet.

   Note: You can use masks of folder and file names using the characters ? and *.

Figure 120. The Select Object dialog box

   If you wish to specify the name of a threat, check the Threats box, press the Change button and add names of threats in the Threat Exception List dialog box (for more details about this setting see section A.3.9 on pg. 370).
4. Check boxes next to the names of functional components in whose tasks the exclusion rule will be applied.
5. Press OK.

   In order to edit a rule, select the rule you wish to edit on the Trusted Zone tab, press the Modify button and edit it in the Exclusion rule dialog box. In order to delete a rule, select it on the Trusted Zone tab, press the Delete button and confirm the operation.
6. Press OK in the Application Settings dialog box.
7. If required, apply exceptions of the trusted zone in the selected tasks and policies (see section on pg. 302).
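The Object / Threats combinations described in the note to step 3 can be checked offline before a rule is saved. The sketch below is an added example, not Kaspersky code: it evaluates which constructed rule would suppress a given detection and flags the two broad rule shapes for review. The class and function names, the sample paths and threat names, and the matching details (case-insensitive comparison, `*` spanning path separators, a folder entry covering everything beneath it, exact threat-name comparison) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


def mask_to_regex(mask):
    """Translate a mask that uses only ? and * into a regular expression."""
    parts = []
    for ch in mask:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def object_matches(mask, path):
    if mask_to_regex(mask).fullmatch(path):
        return True
    if "*" in mask or "?" in mask:
        return False
    # Assumption: a plain folder entry covers every file beneath it.
    folder = mask.rstrip("\\") + "\\"
    return path.lower().startswith(folder.lower())


@dataclass(frozen=True)
class ExclusionRule:
    obj: Optional[str]      # Object box: None when unchecked
    threats: tuple          # Threats box: empty when unchecked
    components: frozenset   # components in whose tasks the rule applies (step 4)


def excludes(rule, path, threat, component):
    """True when the rule would exclude this detection from scanning results."""
    if component not in rule.components:
        return False
    if rule.obj is None and not rule.threats:
        return False  # neither box checked: nothing to exclude
    if rule.obj is not None and not object_matches(rule.obj, path):
        return False
    if rule.threats and threat.lower() not in {t.lower() for t in rule.threats}:
        return False
    return True


def first_match(rules, path, threat, component):
    """Index of the first rule that excludes the detection, or None."""
    for index, rule in enumerate(rules):
        if excludes(rule, path, threat, component):
            return index
    return None


def audit(rules):
    """Flag the rule shapes that remove the most coverage."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.obj is None and rule.threats:
            findings.append((index, "threat-only rule: applies to the entire scan area"))
        elif rule.obj is not None and not rule.threats:
            findings.append((index, f"object-only rule: all threats in {rule.obj} are excluded"))
    return findings


RTP, ODS = "Real-time file protection", "On-demand scan"

# Constructed sample rules and detections.
RULES = [
    ExclusionRule(r"D:\Backups\*.bak", (), frozenset({RTP, ODS})),
    ExclusionRule(r"C:\Tools", ("not-a-virus:RemoteAdmin.Win32.Example",), frozenset({RTP})),
    ExclusionRule(None, ("EICAR-Test-File",), frozenset({ODS})),
]
DETECTIONS = [
    (r"D:\Backups\db\monday.bak", "Trojan.Win32.Example", RTP),
    (r"C:\Tools\admin\radmin.exe", "not-a-virus:RemoteAdmin.Win32.Example", RTP),
    (r"C:\Tools\admin\radmin.exe", "Trojan.Win32.Example", RTP),
    (r"E:\share\eicar.com", "EICAR-Test-File", ODS),
    (r"E:\share\eicar.com", "EICAR-Test-File", RTP),
]


def demo():
    return [first_match(RULES, *detection) for detection in DETECTIONS]


if __name__ == "__main__":
    for detection, hit in zip(DETECTIONS, demo()):
        print(detection, "-> excluded by rule", hit)
    for index, finding in audit(RULES):
        print("review rule", index, ":", finding)
```
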

Applying a trusted zone

You can enable or disable the use of a trusted zone in existing policies and in tasks (during task creation or in the Task Settings dialog box). By default a trusted zone is applied in new policies and tasks created.

In order to apply a trusted zone to a policy:
1. Expand the Groups node in the Administration Console tree, then expand the administration group the policy settings of which you wish to configure, then expand nested node Policies.
2. Open the shortcut menu on the policy the settings of which you wish to configure and select the Properties command.
3. Perform the following actions in the Policy Properties dialog box:
   - in order to apply exclusions: trusted processes, make sure that the Do not monitor file activity of the specified processes flag is checked and set a lock in the List of trusted processes group of settings;
   - in order to apply exclusions: backup copying operations, make sure that the Do not check files backup operations flag is checked and set a lock in the List of trusted processes group of settings;
   - in order to apply user-defined exceptions, set a lock in the Exceptions group of settings.
4. Press the OK button.

In order to apply a trusted zone to an existing task:
1. Expand the Groups node in the Administration Console tree and select a group to which the protected server belongs.
2. Open the shortcut menu on the line with the information about the protected server in the result panel and select the Properties command.
3. Open the shortcut menu on the task you wish to configure on the Task tab in the Computer Properties dialog box and select the Properties command.
4. In the Task Properties dialog box on the Settings tab press the Advanced button and check the Take into Account Trusted Zone Rules icon in the Advanced dialog box.

You can also apply a trusted zone when you create a task.

CHAPTER 21. CREATING AND CONFIGURING TASKS

This chapter contains the following information:
- about tasks that you can create in the Administration Console (see 21.1 on pg. 303);
- creating tasks (see 21.2 on pg. 303);
- configuring tasks (see 21.3 on pg. 313).

About creating tasks

You can create local user, group and global tasks of the following types:
- on-demand scan;
- update tasks;
- bases update rollback;
- key installation.

You create local tasks for the selected protected server on the Tasks tab of the Application Settings dialog box, group tasks are created in the Group tasks node of the selected group and the global tasks are created in the Global tasks node.

Note: Using policies, you can disable the schedule of local predefined tasks on all protected servers that belong to the same administration group.

General information about tasks in Kaspersky Administration Kit is provided in the document Kaspersky Administration Kit. Administrator's Guide.

Creating tasks

In order to create a new task in the Administration Console:
1. Start the task creation wizard of the required type:

   - to create a local task:
     a) expand the Groups node in the Administration Console and select the group to which the protected server belongs;
     b) right-click the line with the information about the protected server in the result panel and select Properties;
     c) press the Add button on the Tasks tab;
   - to create a group task:
     a) select the group for which you wish to create a group task in the Administration Console tree;
     b) right-click the Group task nested folder and select Create Task;
   - in order to create a global task, right-click the Global tasks node in the Administration Console tree and select Create Task.

   This will open the greeting window of the task creation wizard.

2. Enter the task name in the Task name window of the task creation wizard (maximum 100 characters; the characters * < > ? \ / : are illegal). We recommend that you include the task's type in its name (for example, "On-demand scan of public folders").
3. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the Applications window under the Application heading, and then select the type of the task being created under the Task type heading.
4. Depending on the type of the task being created, perform one of the following actions:

   If you are creating an on-demand scan task:

   a) Define the scan scope in the Configuration dialog box. By default, the scan scope includes the predefined scope My computer (see Figure 121).

Figure 121. Task creation wizard configuration window

      - The My Computer area contains predefined scope areas (for a description of these areas, see pg. 114). If, based on security requirements, you do not have to scan the entire server, you can restrict the scan scope and include in it only certain predefined areas (scopes) and/or individual drives, folders or files.

        In order to include only individual areas, drives, folders or files in the scan scope, remove the My Computer area using the Configuration dialog box, then press the Add button and, using the Adding objects to the scan scope dialog box, specify the objects that will be included in the scan scope:
        - select a predefined area in the Predefined scan scope list (see Figure 122);
        - specify the server drive, a folder or a file on the server or on a different computer in the network, and then press the OK button.

Figure 122. The Adding objects to the scan scope dialog box

      - In order to exclude nested folders or files from the scan scope, select the folder (drive) you have added using the Configuration window of the wizard, then press the Configure on-demand scan button and uncheck the Nested Folders (Nested Files) box in the Protection Area Configuration dialog box.
      - Check the Apply trusted zone flag if you wish the task to exclude from the scan scope the objects described in the Anti-Virus trusted zone (for more details about the trusted zone, see section 8.1 on pg. 99; for more details about adding exclusions to the trusted zone in Kaspersky Administration Kit, see section 20.7 on pg. 296).

   b) If you plan to use the task you are creating as the full computer scan task, check the Treat task execution as the full server scan box. The Kaspersky Administration Kit application will evaluate the security status of the server(s) based on the results of tasks with the Full computer scan status rather than on the result of the Scan My Computer system task. For more details on assigning the "full computer scan task" status to an on-demand scan task, see 21.4 on pg. 315.

   c) To assign Low priority to the process in which the task will run, select Run in the background. By default, processes in which Anti-Virus tasks run have Average priority. Lowering the process priority makes tasks take longer, but it can also have a beneficial impact on the speed of processes of other active applications.

   If you are creating an updating task, change the task settings based on your requirements:

   a) select an update source in the Configuration dialog box (see A.5.1 on pg. 381);

Figure 123. The Settings dialog box

   b) press the LAN settings button. This will open the Connection settings dialog box (see Figure 124);

Figure 124. The Additional settings dialog box, Connection settings tab

   c) on the Connection settings tab, take the following steps:
      - change the FTP server mode for the connection with the protected server (see A.5.2 on pg. 382);
      - if necessary, change the connection timeout for the update source (see A.5.3 on pg. 383);
      - configure the proxy server access settings for connecting to the update source (see A.5.4 on pg. 383);

   d) specify the location of the protected server(s) on the Regional Settings tab to optimize downloading of the updates (see A.5.5 on pg. 387).

   If you are creating an Application Module update task, configure the required settings of the application module updates in the Updating settings configuration dialog box (see Figure 125):

   a) select whether you want the task to download and install the application module updates or only check whether updates are available (see A on pg. 388);

Figure 125. The Update settings dialog box in the Updating application modules task

   b) if you selected Download and install critical application modules updates, a server restart may be required to apply the installed application modules. If you wish Anti-Virus to restart the server automatically after the task is completed, check the Allow system reboot box. In order to disable the automatic restart after the task is completed, uncheck the Allow system reboot box;

   c) if you wish to receive information about the release of scheduled Anti-Virus updates, check the Receive information about available application modules updates box.

      Kaspersky Lab does not upload scheduled update packages to the update servers for automatic updating; you can download them from the Kaspersky Lab website. You can configure administrator notifications about the Anti-Virus module scheduled updates available event; these notifications contain the URL of our website from which you can download scheduled updates (for more details about configuring notifications, see section 15.2 on pg. 216).

   If you are creating an Updates distribution task, specify the scope of updates in the Updates distribution settings defining dialog box (see A on pg. 389).

Figure 126. The Updates distribution settings defining settings dialog box

   If you are creating a License key installation task, specify the key filename with the .key extension and the full path to it in the Key field of the License key installation dialog box (see Figure 127).

Figure 127. The License key installation dialog box

5. Configure the required task schedule settings (you can configure the schedule for all types of tasks except the Key Installation and Application Database rollback tasks). Perform the following in the Schedule dialog box (see Figure 128):

   a) check the Start task according to schedule box to enable the schedule;

   b) specify the frequency for the task startup (see A.2.1 on pg. 353): select one of the following values in the Execution Frequency list: Hourly, Daily, Weekly, At Anti-Virus startup, After database update (you can specify the task startup frequency Upon receiving updates by the Administration Server in the Application bases update, Application module update and Downloading updates tasks):
      - if you selected Hourly, specify the number of hours in the Every <number> hours field in the Task Launch Settings group;
      - if you selected Daily, specify the number of days in the Every <number> days field in the Task Launch Settings group;
      - if you selected Weekly, specify the number of weeks in the Every <number> weeks field in the Task Launch Settings group. Specify the weekdays on which the task will be launched (by default the task will be launched on Mondays).

Figure 128. An example of the Schedule dialog box with After receiving updates by Administration server

   c) specify the time of the first task start in the Start time field; specify the date of the schedule start in the Start from field (see A.2.2 on pg. 355);

   d) if required, specify the rest of the schedule settings: press the Additional button and perform the following in the Additional schedule settings dialog box (see Figure 129):

Figure 129. The Additional schedule settings dialog box


More information

Get Max Internet Security where to buy software for students ]

Get Max Internet Security where to buy software for students ] Get Max Internet Security where to buy software for students ] Description: Features of Max Secure Internet Security 2013 Exciting, Easy to understand GUI Easy, Quick installation Get immediate protection

More information

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017 INSTALLATION GUIDE Patch Manager Version 2.1.5 Last Updated: September 25, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/patch_manager/patch_manager_documentation

More information

User Guide Online Backup

User Guide Online Backup User Guide Online Backup Table of contents Table of contents... 1 Introduction... 2 Getting Started with the Online Backup Software... 2 Installing the Online Backup Software... 2 Configuring a Device...

More information

ESET ENDPOINT SECURITY FOR ANDROID

ESET ENDPOINT SECURITY FOR ANDROID ESET ENDPOINT SECURITY FOR ANDROID Installation Manual and User Guide Click here to download the most recent version of this document Contents 1. Installation...3 of ESET Endpoint Security 1.1 Installation...3

More information

AVG File Server. User Manual. Document revision ( )

AVG File Server. User Manual. Document revision ( ) AVG File Server User Manual Document revision 2015.07 (5.2.2015) C opyright AVG Technologies C Z, s.r.o. All rights reserved. All other trademarks are the property of their respective owners. Contents

More information

escan Quick Reference and Installation Guide This document provides information to install escan and serves as a quick reference to run key tasks.

escan Quick Reference and Installation Guide This document provides information to install escan and serves as a quick reference to run key tasks. This document provides information to install escan and serves as a quick reference to run key tasks. escan Quick Reference and Installation Guide escan Quick Reference Guide 1 escan User Guide The software

More information

AntiVirus 8.5 Update 2. User Guide

AntiVirus 8.5 Update 2. User Guide AntiVirus 8.5 Update 2 User Guide Notices Version Information Ivanti Endpoint Security: AntiVirus User Guide - Ivanti Endpoint Security: AntiVirus Version 8.5 Update 2 - Published: Apr 2018 Document Number:

More information

Internet Security Application Control

Internet Security Application Control Internet Security 2012 Application Control Table of Contents Application Control... 2 What is Application Control... 2 Operational algorithm of Application Control... 2 Enabling/disabling Application Control...

More information

EXECUTIVE REPORT 20 / 12 / 2006

EXECUTIVE REPORT 20 / 12 / 2006 EXECUTIVE REPORT 20 / 12 / 2006 1 Executive summary Audit start date Audit end date 07 / 09 / 2006 19:12 08/ 09 / 2006 09:34 Licenses contracted: 300 Computers audited: 161 items scanned: 703499 Computers

More information

Sophos Anti-Virus for NetApp Storage Systems

Sophos Anti-Virus for NetApp Storage Systems Sophos Anti-Virus for NetApp Storage Systems user guide Product Version: 3.0 Contents About this guide... 1 About Sophos Anti-Virus for NetApp Storage Systems...2 System requirements... 4 Before you install

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control. For Microsoft Windows

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control. For Microsoft Windows Client Guide for Symantec Endpoint Protection and Symantec Network Access Control For Microsoft Windows Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described

More information

Using CSC SSM with Trend Micro Damage Cleanup Services

Using CSC SSM with Trend Micro Damage Cleanup Services APPENDIXD Using CSC SSM with Trend Micro Damage Cleanup Services Trend Micro InterScan for CSC SSM works with Trend Micro Damage Cleanup Services (DCS) as part of an enterprise protection strategy. The

More information

Guardian Internet Security User Guide

Guardian Internet Security User Guide Guardian Internet Security User Guide Guardian Internet Security http://www.guardianav.co.in Copyright & License Information Copyright 2018 Quick Heal Technologies Ltd. All Rights Reserved. No part of

More information

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES 1 SILNOV DMITRY SERGEEVICH, 2 TARAKANOV OLEG VLADIMIROVICH Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

NETWRIX GROUP POLICY CHANGE REPORTER

NETWRIX GROUP POLICY CHANGE REPORTER NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

ForeScout Extended Module for Symantec Endpoint Protection

ForeScout Extended Module for Symantec Endpoint Protection ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection

More information

ESET NOD32 ANTIVIRUS 8

ESET NOD32 ANTIVIRUS 8 ESET NOD32 ANTIVIRUS 8 Microsoft Windows 8.1 / 8 / 7 / Vista / XP / Home Server 2003 / Home Server 2011 Quick Start Guide Click here to download the most recent version of this document ESET NOD32 Antivirus

More information

ESET NOD32 ANTIVIRUS 7

ESET NOD32 ANTIVIRUS 7 ESET NOD32 ANTIVIRUS 7 Microsoft Windows 8.1 / 8 / 7 / Vista / XP / Home Server 2003 / Home Server 2011 Quick Start Guide Click here to download the most recent version of this document ESET NOD32 Antivirus

More information

Configuring Symantec Protection Engine for Network Attached Storage. Compuverde vnas Cluster

Configuring Symantec Protection Engine for Network Attached Storage. Compuverde vnas Cluster Configuring Symantec Protection Engine for Network Attached Storage Compuverde vnas Cluster Contents Abstract... 2 About software component... 2 How does Compuverde antivirus protect data on Compuverde

More information

SecureAPlus User Guide. Version 3.4

SecureAPlus User Guide. Version 3.4 SecureAPlus User Guide Version 3.4 September 2015 Copyright Information Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious

More information

User Guide. Quick Heal Technologies Ltd.

User Guide. Quick Heal Technologies Ltd. User Guide Quick Heal Total Security Quick Heal Total Shield Quick Heal Internet Security Quick Heal Internet Security Essentials Quick Heal AntiVirus Pro Advanced Quick Heal AntiVirus Pro Quick Heal AntiVirus

More information

Kaspersky Open Space Security

Kaspersky Open Space Security Kaspersky Open Space Security Flexible security for networks and remote users Kaspersky Open Space Security Kaspersky Open Space Security offers new flexibility to network security by extending beyond

More information