web anti-virus - kaspersky lab | antivirus protection | internet
TRANSCRIPT
Internet Security 2012
Web Anti-Virus
Kaspersky Internet Security 2012
1 | 18
Table of Contents Web Anti-Virus .............................................................................................................................. 2
What is Web Anti-Virus .............................................................................................................. 2Enabling/disabling Web Ant-Virus ............................................................................................. 2Working algorithm of Web Anti-Virus ......................................................................................... 2Security levels of Web Anti-Virus .............................................................................................. 3Customizing security level ......................................................................................................... 4Web Anti-Virus actions on detected threats ............................................................................. 16
Kaspersky Internet Security 2012
2 | 18
Web Anti-Virus What is Web Anti-Virus Surfing the Internet you may be at risk of getting a virus infection. Such malicious programs can penetrate your computer during download of free programs or while browsing the information on the knowingly safe sites which have undergone a hacker attack before your visit. More than that network worms can penetrate your computer even before you open a web-page or download a file – directly during the connection establishment. Web Anti-Virus has been specially designed to prevent such infections. This component protects the information which gets onto your computer by HTTP, HTTPS and FTP protocols and also prevents dangerous scripts execution.
Enabling/disabling Web Ant-Virus The Web Anti-Virus component is enabled by default. To enable or disable Web Anti-Virus, perform the following actions:
1. Open the main application window.
2. In the top right corner of the window click the Settings button.
3. In the left part of the Settings window under Protection Center select Web Anti-Virus. 4. In the right part of the Settings window:
► Uncheck the Enable Web Anti-Virus box, to disable the component. ► Check the Enable Web Anti-Virus box, to enable the component.
5. In the Settings window click the Apply button.
Working algorithm of Web Anti-Virus Web Anti-Virus has the following working algorithm:
1. Each web-page or file, the user/program addresses to, is intercepted and analyzed by Web Anti-Virus. Recognition of malicious objects is based on the anti-virus bases and the heuristic analyzer.
Kaspersky Internet Security 2012
3 | 18
2. If a web page or an object to each the user addresses contains a malicious code then access to the page/object is blocked. A corresponding notification message explaining that the required object or page is infected is displayed on the screen.
If a file or a web page does not contain a malicious code such objects/pages are immediately returned to the user. Scripts are scanned by the following algorithm:
1. Each executable script is intercepted by Web Anti-Virus and analyzed for a malicious code.
2. If the script contains any malicious code, then Web Anti-Virus blocks the script and notifies the user of it with a special message.
3. If no malicious code is detected in the script, such script is executed. Web Anti-Virus only intercepts the scripts based on Microsoft Windows Script Host technology. Security levels of Web Anti-Virus Web Anti-Virus can work in several modes – security levels. A security level is a set of predefined parameters of Web Anti-Virus which provides a level of data security that are received and transferred by HTTP, HTTPS and FTP protocols. Kaspersky Lab experts have developed three security levels:
► If no HTTP security tools – firewall or proxy-server – are installed on your computer, use High security level.
Kaspersky Internet Security 2012
4 | 18
► If you work in the protected environment (for example, a firewall is installed on your computer and you connect to the Internet via a corporate proxy-server), then set a Low security level.
► Recommended is the optimal security level as it rationally uses system resources and provides secure protection. This security level suits most cases.
Select a security level which best suits your situation. In order to change the security level, simply drag the vertical slider to the needed position. If you have already added some changes to the predefined settings you can always roll back to the default Web Anti-Virus settings by clicking the Default level button.
Customizing security level Checking suspicious and phishing URLs by Web Anti-Virus Web Anti-Virus scans web traffic for viruses and checks if the links are included in the list of suspicious web-address and to the list of phishing1
To make sure the settings are active, in the Web Anti-Virus window click the Settings button and see that on the General tab under Kaspersky URL Advisor the following boxes are checked:
web addresses.
► Check if URLs are listed in the database of suspicious URLs. This box enables/disables the option to check whether links are included in the list of suspicious web addresses from the black list. The list is created by Kaspersky Lab's specialists.
► Check web page for phishing. The lists of phishing addresses are included in to KIS 2012 distribution kit. Since the link to a phishing site may be received not only in an email message but in any other way, for
1 Phishing is a specific form of cybercrime. Phishing attacks are made the following way: the criminal creates an almost 100 percent perfect replica of a chosen financial institution’s website, then attempts to trick the user in to disclosing their personal details – username, password, PIN etc. – via a form on the fake website, allowing the criminal to use the details to obtain money.
Kaspersky Internet Security 2012
5 | 18
example, in the text of an ICQ message, Web Anti-Virus component traces the attempts of accessing a phishing site at the level of HTTP traffic scan, and blocks them.
Additionally to the analysis based on the refilled phishing databases, heuristic analysis is added to Web Anti-Virus. Heuristic Analysis allows to evaluate the information about an internet resource, for example presence of signs typical of phishing resources in the URL addresses. As a result, if these signs are detected, the resource is defined as phishing and access to it is blocked, even if the resource is not yet added to the phishing database. To enable the heuristic analysis for scan of web pages for phishing, click the Additional button in the Heuristic Analysis section, check the corresponding box and set the required detail level of scan.
Heuristic Analyzer Heuristic Analysis allows to trace activity of an objects in the system. If the tool finds the activity suspicious, then most probably the objects will be defined as malicious or suspicious, even if its malicious code is not known to virus analysts. Upon detection of a suspicious object, KIS 2012 will notify you of it and offer to apply a corresponding action to the detected object.
Kaspersky Internet Security 2012
6 | 18
You can select one of the three scanning levels of the heuristic analysis: ► light scan; ► medium scan; ► deep scan.
The higher the detail level, the more resources and time the scan takes, and the higher is the probability of threat detection. By default, heuristic analysis is enabled and the detail level is set to medium. To enable heuristic analyzer, on the General tab in the Heuristic Analysis section check the Use Heuristic Analysis box. In the field below specify the required level by moving the horizontal slider to the necessary position. Uncheck the Use Heuristic Analysis box, if you do not want to use this method.
Blocking dangerous scripts Web Anti-Virus will scan all scripts processed in Microsoft Internet Explorer, as well as any other WSH scripts (JavaScript, Visual Basic Script, etc.) launched when the user works on the computer, including the Internet. Execution of any dangerous script will be blocked. If you want Web Anti-Virus to scan and block dangerous scripts, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select the Web Anti-Virus component.
3. In the right part of the window click the Settings button.
4. In the Web Anti-Virus window on the General tab in the Additional section check the Block dangerous scripts in Microsoft Internet Explorer box.
Kaspersky Internet Security 2012
7 | 18
5. Click OK to save the made changes.
Scan optimization To detect malicious code more efficiently, Web Anti-Virus buffers fragments of objects downloaded from the Internet. When Web Anti-Virus scans objects downloaded by HTTP and FTP traffic, the user may experience a delay while accessing the file. This delay is caused by the operational algorithm of Web Anti-Virus: first, all fragments are saved into cache memory, then are analyzed for viruses and then depending on the analysis result are either returned to the user or blocked. To accelerate access to the object, we suggest limiting the caching time for web object fragments downloaded from the Internet. When the specified time expires each downloaded fragment of a file is given to the user not scanned, and the object is scanned by Web Anti-Virus, when it is fully copied. Disabling limitation of the caching time leads to enhanced efficiency of the anti-virus scan but at the same time slows down access to the object. To limit traffic caching time or to disable this limitation, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select the Web Anti-Virus component.
3. In the right part of the window click the Settings button. The Web Anti-Virus window opens.
4. To set the restriction, on the General tab in the Additional section check the Limit traffic caching time to 1 sec to optimize scan box. If you need to disable restriction, uncheck the box.
Kaspersky Internet Security 2012
8 | 18
Kaspersky URL Advisor Web Anti-Virus in Kaspersky Internet Security 2012 includes Kaspersky URL Advisor. This module checks if links located on the webpage belong to the list of suspicious and phishing web addresses. You can
► create a list of web addresses whose content will not be checked for the presence of suspicious or phishing URLs;
► create a list of web sites whose content must be scanned; ► completely exclude scan of URLs.
The best improvements of Kaspersky URL Advisor implemented in KIS 2012 are the following:
1. Providing users with the additional information about the web resources thus helping to make the right decision on whether to visit a web resource or not.
2. Storing a considerable amount of information about web resources in the “cloud”. This information helps to define more exactly malicious and phishing sites.
KIS 2012 features expanded URL Advisor compatibility with browsers. The following browsers are now fully supported:
► Internet Explorer 6, 7, 8 and 9; ► Mozilla FireFox 2.x, 3.x and 4.x; ► Google Chrome 7.x and 8.x.
The URL Advisor module can function in two modes: check links on all web sites except the sites added to exclusions, or check only web sites specified in the list. To create a list of websites whose content will not be scanned for the presence of suspicious or phishing URLs, on the Safe Surf tab in the Kaspersky URL Advisor section uncheck the Check URLs box.
Kaspersky Internet Security 2012
9 | 18
In order Kaspersky URL Advisor would check all web sites, except those added to exclusions, perform the following actions:
1. In the Web Anti-Virus window in the Kaspersky URL Advisor section check the Check URLs box.
2. Select the All but the exclusions variant and click the Exclusions button.
3. In the Exclusions window create the list of web addresses whose contents should not scanned for suspicious or phishing links.
4. Click the OK button in the Exclusions window. For Kaspersky URL Advisor to scan only the sites specified by you, perform the following actions:
1. On the Safe Surf tab in the Kaspersky URL Advisor section check the Only web sites from the list box and click the Specify button.
Kaspersky Internet Security 2012
10 | 18
2. In the Checked URLs window create the list of web addresses whose content should be scanned for suspicious or phishing links.
3. Click the OK button in the Checked URLs window.
4. In the Web Anti-Virus window click the OK button to save the made changes. The Kaspersky URL Advisor options mentioned above can be set either in the Web Anti-Virus window or in the module settings widow opened in the web browser. To open the module settings window from the web browser window, click the button with the Kaspersky Internet Security 2012
icon from the tool panel of the browser.
Kaspersky Internet Security 2012
11 | 18
Blocking access to dangerous sites You can block access to websites which have been defined suspicious or phishing by Kaspersky URL Advisor. If Web Anti-Virus cannot draw a clear conclusion on the safety of the website to which a link leads, you will be prompted to load this website in Safe Run (only in Microsoft Internet Explorer, Mozilla Firefox and Google Chrome). When activated in Safe Run, malicious objects do not pose any threat to your computer. To block access to dangerous web sites, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select the Web Anti-Virus component.
3. In the right part of the window click the Settings button. The Web Anti-Virus window will open.
4. In the Web Anti-Virus window on the Safe Surf tab in the Blocking Dangerous Websites section check the Block dangerous websites box.
5. Click the OK button, to save the made changes.
Controlling access to regional web domains Depending on the user's choice, Web Anti-Virus in Geo Filter mode can block or allow access to websites on the grounds of their belonging to regional web domains. This allows you, for example, to block access to websites which belong to regional domains with a high risk of infection.
Kaspersky Internet Security 2012
12 | 18
To allow or block access to web sites which belong to specified domains, perform the following actions:
1. Open the application settings window.
2. In the left part of the window under Protection Center select the Web Anti-Virus component.
3. In the right part of the window click the Settings button. The Web Anti-Virus window will open.
4. In the Web Anti-Virus window on the Geo Filter tab check the Enable filtering by regional domains box and specify in the list of controlled domains below which domains should be allowed or blocked, and for which ones the application should request access permission using a notification. For this:
1) Select a domain which should be allowed, blocked or prompted for action. 2) Click the button Allow, Block or Prompt. The corresponding icon will appear in the
Access column.
By default, access is allowed for regional domains that match your location. Access permission request is set for other domains by default.
5. Click the OK button.
Creating the list of trusted URLs You can create a list of web addresses whose content you trust unconditionally. In this case Web Anti-Virus will not analyze information from these URL addresses for dangerous objects. You can use this option, for example, if Web Anti-Virus prevents download of a file from a known web site. To create the list of trusted URLs, perform the following actions:
1. In the right part of the Web Anti-Virus settings window click the Settings button.
Kaspersky Internet Security 2012
13 | 18
2. In the Web Anti-Virus window on the Trusted URLs tab check the Do not scan web traffic from trusted URLs box and create the list of trusted addresses whose content you trust. For this:
1) Click the Add button. 2) In the Address mask (URL) window enter an address, whose content you trust. For
example, kaspersky.com. 3) Click the OK button.
If you want to exclude an address from the trusted list, you do not have to delete an address from the list, unchecking an address will be sufficient.
3. In the Web Anti-Virus window click the OK button.
Controlling access to online banking services When working with online banking, your computer needs an especially reliable protection, since leakages of confidential information may lead to financial losses. Web Anti-Virus automatically determines which web resources are online banking services. For guaranteed identification of a web resource as online banking service, you can specify its URL in the list of banking websites. To configure control of access to online banking services, perform the following actions:
1. In the right part of the Web Anti-Virus settings window click the Settings button.
2. In the Web Anti-Virus window on the Online Banking tab check the Enable control box.
Kaspersky Internet Security 2012
14 | 18
3. You will be prompted to start the Certificate Installation Wizard that you can use to install a Kaspersky Lab certificate for scanning encrypted connections. Click Next, to continue.
4. In the Security Warning window click the Yes button.
Kaspersky Internet Security 2012
15 | 18
5. Wait till work of the wizard is over and click the Finish button.
6. If necessary, create a list of resources that KSI 2012 should identify as online banking services. For this:
1) Click the Add button. 2) In the Address mask (URL) window enter an address that should be identified as
online banking service. 3) Click the OK button.
If you want to exclude an address from the trusted list, you do not have to delete an address from the list, unchecking an address will be sufficient.
Kaspersky Internet Security 2012
16 | 18
7. In the Web Anti-Virus window click the OK button.
8. In the Settings window click the OK button. Web Anti-Virus actions on detected threats The Action on threat detection section allows you to select an action to be performed by Web Anti-Virus if scanning web traffic reveals that it contains malicious code. By default the section contains the following options:
► If automatic protection mode is enabled the application decides on its own what action to perform upon a threat detection. In this case, check the Select action automatically box. Kaspersky Internet Security 2012 will automatically apply an action recommended by Kaspersky Lab.
Kaspersky Internet Security 2012
17 | 18
► If interactive protection mode is enabled, then you can decide yourself what action the application should perform upon a detected threat. In this case, check the Prompt for action box. Kaspersky Internet Security 2012 will inform you of all dangerous or suspicious events in the system and will prompt for an allowing or blocking action.
► Block download (Web Anti-Virus blocks access to the object and displays a message on the screen informing that the required object is infected.)
► Allow download (Web Anti-Virus allows you to download the object. Once the object is downloaded onto your computer, it will be scanned by File Anti-Virus and Proactive Defense).
Kaspersky Internet Security 2012
18 | 18
To modify an action that Web Anti-Virus should perform upon threat detection:
1. If the automatic protection mode is set, in the right part of the component settings window in the Action on threat detection section select an action: ► Select action automatically ► Block download ► Allow download
2. If the interactive protection mode is set, in the right part of the component settings window in the Action on threat detection section select an action: ► Prompt for action ► Block download ► Allow download
3. Click the OK button, to save the made changes.