
Chapter - 1.1
Threats and Their Sources
Before you install the antivirus, you should first learn more about the threats that you may have to deal with while using a personal computer, so that you can choose the appropriate protection tools and configure them properly.

The majority of threats are related to personal computer infection by viruses, Trojan programs or other malware. Computer infection means that malicious code has to be transferred to the computer and then executed there. Any of the following data transfer channels can be used to infect a computer:

- Internet
- E-mail
- Local network
- Removable drives

In addition to the risk of being infected, there are also threats that can be employed remotely and do not require code execution. These threats include phishing (fraudulent attacks designed to trick people into disclosing their bank account codes), spam and imposed Internet advertisements.

When employed, some of these threats can cause money and data loss and, in rare cases, hardware device malfunction. Although most threats do not cause any direct harm, they still decrease computer performance and cause loss of time.

General Requirements of Antivirus Protection


An antivirus product is expected to meet two requirements:

- It must provide reliable protection against viruses and other threats
- It must not interfere with the operation of other programs or decrease their performance

Unfortunately, these two requirements are contradictory. The complete protection of a computer can only be guaranteed by disconnecting it from all data transmission channels, which will make working on it almost impossible. On the other hand, an antivirus program inevitably consumes some system resources just like any other application, and typically higher protection levels require more resources. However, the opposite is not correct: an antivirus product consuming a lot of resources will not necessarily provide reliable protection.

Both Kaspersky Internet Security 2009 and Kaspersky Anti-Virus 2009 provide reliable protection while consuming comparatively few system resources. Furthermore, flexible settings allow users to adjust the level of protection and performance within a broad range.

Protection Components

Kaspersky Internet Security 2009 and Kaspersky Anti-Virus 2009 consist of independent components. Each of the components provides protection against a specific type of threat.

Kaspersky Anti-Virus 2009 is intended to protect against malware and phishing attacks and consists of the following components:

- Files and Memory protection scans all accessed files, checking them for the presence of viruses. This is the only component that scans files downloaded from LAN or copied from removable media
- Web Traffic protection scans objects downloaded from the Internet over HTTP and also blocks dangerous script execution. In addition, Web Traffic protection displays a warning dialog when you browse potentially dangerous web sites
- Email and IM protection scans e-mail messages, checking them for the presence of viruses and other malware, and also scans instant messenger traffic
- Proactive Defense analyzes application behavior and blocks suspicious actions that are typical of a virus, for example the self-replication of programs
- Anti-Phishing blocks access to phishing web sites

Kaspersky Internet Security 2009 has wider functionality than Kaspersky Anti-Virus 2009 because of some extra protection components:

- Intrusion Prevention System blocks various types of network attacks (e.g., buffer overflow attacks, denial of service attacks and the scanning of ports)
- Application Filtering regulates application access to system resources in accordance with specified rules
- Firewall* intercepts all network packets and allows or blocks their transfer in accordance with the defined filtration rules
- Banner Ad Blocker blocks the downloading of advertisement banners
- Anti-Dialer blocks unauthorized charged phone calls
- Parental Control allows automatic access restriction to sites with offensive content for underage users
- Anti-Spam detects and filters unwanted e-mail messages (spam)

*Firewall is a part of the Application Filtering component

Chapter - 1.2
Installation Requirements
Before you start the installation process, you have to make sure that the operating system parameters meet the product requirements. Kaspersky Internet Security 2009 and Kaspersky Anti-Virus 2009 can be installed on computers running the following operating systems:

- Microsoft Windows XP Service Pack 2 or higher
- Microsoft Windows XP x64 Edition Service Pack 2
- Microsoft Windows Vista (Service Pack 1 is also supported)

Installation should be performed with a user account that has administrator privileges.

Since most antivirus products are incompatible and cannot function on the same computer simultaneously, you should uninstall all other antivirus products on the target computer prior to the installation of Kaspersky Internet Security 2009. However, earlier versions of Kaspersky Anti-Virus and Kaspersky Internet Security will be removed automatically during installation of a newer version.

Installation Procedure
To install Kaspersky Internet Security you will need the product distribution package and an activation code or a license key. The activation code is provided together with the product installation files and is required for Kaspersky Internet Security activation, which is performed during the setup process via the Internet.

In some cases activation with an activation code is impossible, for example, when the product is installed on a computer that has no Internet access. In this case Kaspersky Internet Security 2009 can be activated using a license key instead. A license key can be obtained in exchange for an activation code on the Kaspersky Lab activation web site at activation.kaspersky.com. Any computer with Internet access can be used for retrieving a license key.

Installation is performed step by step and consists of four essential stages:

- Selection of protection components to be installed
- Copying of files and installation of drivers and services
- Activation
- Initial configuration

You can watch the Kaspersky Internet Security 2009 installation procedure in the demonstration movie or use the interactive tutorial to perform the installation on your own.

Chapter - 1.3
Purpose and Structure of Updates
Regular downloading of updates is essential to ensure the efficient operation of Kaspersky Internet Security. Therefore you are advised to configure automatic scheduled updates immediately after the antivirus installation. You need to update regularly because many of the components use various lists and databases, which are called threat signatures, and the efficiency of the protection relies on them being up to date.

Threat signatures include the following items:

- Antivirus database used by the Files and Memory, Email and IM and Web Traffic protection and also by on-demand scan tasks for detecting viruses, Trojans and other malware
- Signatures of network attacks used by the Intrusion Prevention System to detect network attacks
- List of URL addresses of phishing sites used by Anti-Phishing and Email and IM protection to warn users about phishing attacks and by Anti-Spam for detecting spam messages
- List of potentially dangerous web sites used by Email and IM and Web Traffic protection to warn users about unsecure web sites
- List of prohibited banner masks: URL addresses of resources from which advertisement banners are loaded. They are used by the Banner Ad Blocker component
- List of blocked web sites used by the Parental Control component to restrict access to sites with offensive content for underage users
- Spam images checksum database used by Anti-Spam to detect spam among messages containing image attachments (GSG technology)
- Database of typical spam phrases used by Anti-Spam to identify the status of messages based on the text (Recent Terms technology)

In addition to the threat signatures, the latest version of Kaspersky Internet Security 2009 modules can be downloaded and installed during updating to extend the product functionality or fix critical errors.

Configuration of Automatic Updates


New threat signatures are downloaded via the Internet from the Kaspersky Lab update servers. In most cases the Internet connection parameters are configured automatically. However, if the connection requires authentication on a proxy server, the parameters have to be specified manually in the Update task settings. You can use the interactive tutorial to configure the automatic downloading of updates on your own. Otherwise you can watch the demonstration which shows the configuration procedure.

Chapter - 2.1
Files and Memory Protection Operating Principles
Files and Memory protection is the most important component of Kaspersky Internet Security. It protects files from being infected with viruses, Trojan programs and other malware.

As we have previously mentioned, to infect a computer malicious code has to be first transferred to the computer and then executed there. A typical example of infection is the copying and subsequent launch of an infected file from removable media or the local network. Files and Memory protection guards a computer against infection by:

- Intercepting all file operations
- Scanning the files being accessed for the presence of malicious code

Therefore infection is blocked at the earliest possible stage, during an attempt to write malware code to the user's computer. However, even if the computer already contains infected files (e.g. they were written before Kaspersky Internet Security was installed), they will be scanned and disinfected at any attempt to launch them.

Files and Memory protection employs signature-based analysis as the main method for the detection of infected files. Currently this is the most efficient method of virus detection. It detects known viruses using the typical peculiarities of their code (signatures). However, signature-based analysis can only be used to detect known viruses and similar viruses with slight modifications.

Signature-based analysis is most efficient when the latest signatures are downloaded to a user's computer as soon as possible after they are released. Kaspersky Lab is a leader of the antivirus industry in terms of the time it takes to respond to new viruses: new versions of threat signatures are typically released every hour.

Heuristic analysis can also be used as an additional scanning method. This method does not rely on the frequency of updates. It allows detection of both known and new viruses through launch emulation of a file with subsequent analysis of its behavior. One drawback of this method is its comparatively high consumption of resources, which is why heuristic analysis is disabled by default in the Files and Memory protection.

In some cases there is no way to determine whether a file is infected. These files are given the suspicious status and the application relocates them to a special storage area, Quarantine. Quarantined files are rescanned after each update of threat signatures in order to re-identify their exact status.

Optimization of Scanning
When a personal computer is running it keeps opening and changing existing files, and creating new ones. Files and Memory protection scans all of these files. Thus, Files and Memory protection analyzes the greatest number of objects compared with all of the other components. Therefore configuration of the optimal ratio between thoroughness and speed of scanning performed by the component is very important.

To optimize resource consumption, Files and Memory protection scans only files in formats that can be a direct source of infection. Although files in other formats (e.g., plain text) can contain harmful code, they do not pose a direct threat since they cannot be executed or launched. Usually these files are checked during a complete system scan by the on-demand scan tasks.

To avoid rescanning the same file several times, Files and Memory protection uses the iSwift and iChecker technologies. The main idea of these technologies is that a file that has not changed since the last scan should be skipped during further scans for a period proportional to the interval between the first and the last scans of that file. For example, if a file has been scanned for ten days and remained clean, then it will be skipped during further scans for five days provided it has not been modified.

The difference between iSwift and iChecker is in the way that they check file integrity. iSwift uses NTFS labels to check file integrity while iChecker employs file checksums. Both technologies can be used at the same time.
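The skip rule described above can be modelled as a checksum-keyed scan cache. This is an added example, not Kaspersky's implementation and not code from the original guide: the 0.5 ratio is inferred from the ten-days/five-days example, time is counted in days, and `ScanCache`, `toy_scanner` and the sample data are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Assumption: ratio inferred from the guide's "ten days clean -> skip five days".
SKIP_RATIO = 0.5

@dataclass
class Record:
    checksum: str      # integrity check in the iChecker style (file checksum)
    first_scan: float  # day this exact content was first scanned clean
    last_scan: float   # day of the most recent clean scan
    skip_until: float  # no rescan before this day while the checksum matches

class ScanCache:
    def __init__(self, scanner):
        self.scanner = scanner  # callable(bytes) -> True if malicious
        self.records = {}
        self.scans = 0          # number of real (expensive) scans performed

    def check(self, path, data, now):
        """Return 'skipped', 'clean' or 'infected' for one file access."""
        digest = hashlib.sha256(data).hexdigest()
        rec = self.records.get(path)
        unchanged = rec is not None and rec.checksum == digest
        if unchanged and now < rec.skip_until:
            # Trade-off of this model: inside the window the file is not
            # rechecked, even against signatures released after last_scan.
            return "skipped"
        self.scans += 1
        if self.scanner(data):
            self.records.pop(path, None)  # never cache an infected verdict
            return "infected"
        if unchanged:
            rec.last_scan = now
            rec.skip_until = now + SKIP_RATIO * (now - rec.first_scan)
        else:
            # New or modified content: clean history starts over, no skip yet.
            self.records[path] = Record(digest, now, now, now)
        return "clean"

def toy_scanner(data):
    # Stand-in for a signature engine; the marker is a constructed test string.
    return b"CONSTRUCTED-TEST-SIGNATURE" in data

def demo():
    cache = ScanCache(toy_scanner)
    doc = b"quarterly report"           # constructed sample file content
    modified = doc + b" CONSTRUCTED-TEST-SIGNATURE"
    results = [
        cache.check("report.doc", doc, now=0),       # first scan
        cache.check("report.doc", doc, now=10),      # 10 clean days -> skip 5
        cache.check("report.doc", doc, now=12),      # inside the window
        cache.check("report.doc", doc, now=15),      # window over, rescanned
        cache.check("report.doc", modified, now=16), # changed -> scanned at once
    ]
    return results, cache.scans

if __name__ == "__main__":
    print(demo())
```

A modification inside the skip window changes the checksum, so the file is scanned immediately instead of waiting for the window to expire.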

Using Files and Memory Protection


Files and Memory protection has a flexible system of settings that allows users to customize the thoroughness of scanning and the level of resource consumption. Use the demonstration to examine infected object processing and Files and Memory protection settings. You can also use the interactive tutorial to study the component on your own.

Chapter - 2.2
Purpose and Operating Principles of On-Demand Scan
On-demand scan is a component that scans files upon user request or according to the schedule. The component consists of several on-demand scan tasks, each of them checking a specific group of objects. On-demand scan tasks provide thorough scanning of objects which are skipped by the Files and Memory protection, thus providing additional protection for the file system. By default on-demand scan tasks check all files irrespective of their format.

The main scanning methods are signature-based and heuristic analysis, which have been discussed in the previous section. In addition, on-demand scan tasks perform:

- Rootkit scan
- Signature scan of vulnerabilities

Rootkits are objects hidden within the file system. As a rule these objects are different kinds of malware which try to hide their presence in the system.

Vulnerabilities are usually accidental programming errors which allow a virus or other malware to perform unauthorized operations on a user's computer. Vulnerabilities in various applications can be exploited to infect computers, steal or destroy valuable information, cause operating system crashes and perform other undesirable actions. When a signature scan of vulnerabilities is used, the on-demand scan tasks employ a special database to check the current version of the installed executable files and warn users about existing vulnerabilities.

Scanning a large number of files or a complete computer scan may take a considerable time and slow down the computer operation. Therefore it is recommended to run these scans at a time when no other resource-intensive applications are used, for example, at night.

On-Demand Scan Tasks


During Kaspersky Internet Security setup the installer automatically creates the following on-demand scan tasks:

- Scan: a template task that users can utilize to create their own custom set of objects to scan
- Full Scan: the task scanning all system files, RAM and drive boot sectors. A full system scan should be carried out at least once a week. By default the task is launched manually
- Quick Scan: the task used for the detection of viruses that attempt to launch at operating system startup. The scanning scope of this task includes RAM, drive boot sectors and the programs launched automatically at OS startup. By default the task runs once at the first launch of Kaspersky Internet Security and then it is switched to manual launch
- Quarantine Scan: the task for rescanning quarantined files (it is not displayed explicitly in the interface). This task is used to identify the exact status of suspicious files. By default it starts automatically after each threat signature update

In addition, Kaspersky Internet Security 2009 integrates itself with the Windows shortcut menu, which can be used to manually initiate the scanning of any file or directory.

Full Computer Scan


Full computer scans help to ensure that all files on the computer are clean and contain no potential threat. A full scan is especially important after a virus has been detected by the Files and Memory protection to ensure that all virus copies have been disinfected. Use the demonstration to examine the parameters and examples of a full computer scan. You can also use the interactive tutorial to study the task on your own.

Chapter - 2.3
Email and IM Protection Operating Principles
Email and IM protection is used for the detection and disinfection of viruses transmitted via e-mail. E-mail messages are the main channel used to spread network worms. The mechanism of an infection is quite simple: a user receives a message containing an infected attached file, while the message text is specifically designed to cause the user to launch the attached file. If the worm is launched, it sends a new batch of infected messages from the infected computer, typically using the addresses from the user's address book. These messages can harm the user's reputation and can also drastically increase network traffic, resulting in considerable expense if the Internet service provider charges by the amount of transferred data.

Email and IM protection scans messages and attached files while they are being received and disinfects or removes infected objects. Mail scanning is performed using two methods:

- Interception of POP3 and SMTP traffic. This method allows the scanning of unencrypted POP3 and SMTP traffic irrespective of the mail client application which is used to receive e-mails
- Using the plug-in for the Microsoft Office Outlook application. The plug-in allows the scanning of all e-mails transferred by Microsoft Office Outlook, including messages transferred over secure protocols

To decrease the risk of receiving an infected attachment, Email and IM protection uses both signature-based and heuristic analysis methods and scans all attached files without exception, including archives.

Email and IM protection also provides additional security by scanning ICQ and MSN messages for links to dangerous web sites.

Using Email and IM Protection

Typically Email and IM protection requires no special configuration settings and interacts with the user only when viruses are detected. However, when e-mail messages are transferred via nonstandard ports, the Email and IM protection settings must be modified accordingly.

Use the demonstration to examine the settings of Email and IM protection and to see it in operation. Otherwise you can use the interactive tutorial to study the component on your own.

Chapter - 2.4
Web Traffic Protection Operating Principles
Web Traffic protection scans all objects downloaded by users via the HTTP protocol providing protection against virus and Trojan infection while using the Internet.

HTTP traffic has to be scanned because some web sites can be infected even when their authors are unaware of it, or can be specifically designed to infect their visitors. In addition to some common functions, these sites initiate the download of viruses or Trojan programs to the user's computer and then launch them.

Web Traffic protection provides web browsing security, performing three types of scans:

- It scans all downloaded objects using signature-based and heuristic analysis to detect viruses
- It checks the addresses of the web sites being browsed and warns the user when they open a site which belongs to the list of potentially unsafe resources
- It blocks execution of dangerous scripts passed to the operating system (Windows Scripting Host service) for execution, including the scripts executed by browsers

Use the interactive tutorial to examine the settings of Web Traffic protection and its features on your own. Alternatively, you can watch a demonstration of the Web Traffic protection component and its performance.
