ThreatSense engine parameters setup

ThreatSense is technology comprised of many complex threat detection methods. This technology is proactive, which means it also provides protection during the early spread of a new threat. It uses a combination of code analysis, code emulation, generic signatures and virus signatures which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing the efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.

ThreatSense engine setup options allow you to specify several scan parameters:

File types and extensions that are to be scanned,
The combination of various detection methods,
Levels of cleaning, etc.

To enter the setup window, click ThreatSense engine parameter setup in the Advanced setup window for any module that uses ThreatSense technology (see below). Different security scenarios may require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:

Real-time file system protection,
Idle-state scanning,
Startup scan,
Document protection,
Email client protection,
Web access protection,
Computer scan.

ThreatSense parameters are highly optimized for each module, and their modification can significantly influence system operation. For example, changing parameters to always scan runtime packers, or enabling advanced heuristics in the Real-time file system protection module could result in a system slow-down (normally, only newly-created files are scanned using these methods). We recommend that you leave the default ThreatSense parameters unchanged for all modules except Computer scan.

Objects to scan

This section allows you to define which computer components and files will be scanned for infiltrations.

Operating memory – Scans for threats that attack the operating memory of the system.

Boot sectors – Scans boot sectors for the presence of viruses in the master boot record.

Email files – The program supports the following extensions: DBX (Outlook Express) and EML.

Archives – The program supports the following extensions: ARJ, BZ2, CAB, CHM, DBX, GZIP, ISO/BIN/NRG, LHA, MIME, NSIS, RAR, SIS, TAR, TNEF, UUE, WISE, ZIP, ACE, and many others.

Self-extracting archives – Self-extracting archives (SFX) are archives needing no specialized programs – archives – to decompress themselves.

Runtime packers – After being executed, runtime packers (unlike standard archive types) decompress in memory. In addition to standard static packers (UPX, yoda, ASPack, FSG, etc.), the scanner is able to recognize several additional types of packers through the use of code emulation.

Scan options

Select the methods used when scanning the system for infiltrations. The following options are available:

Heuristics – A heuristic is an algorithm that analyzes the (malicious) activity of programs. The main advantage of this technology is the ability to identify malicious software which did not exist, or was not known by the previous virus signatures database. The disadvantage is a (very small) probability of false alarms.

Advanced heuristics/DNA signatures – Advanced heuristics consist of a unique heuristic algorithm developed by ESET, optimized for detecting computer worms and trojan horses and written in high level programming languages. The use of advanced heuristics greatly increases the threat detection capabilities of ESET products. Signatures can reliably detect and identify viruses. Utilizing the automatic update system, new signatures are available within a few hours of a threat discovery. The disadvantage of signatures is that they only detect viruses they know (or slightly modified versions of these viruses).

Grayware (or PUA - a Potentially Unwanted Application) is a broad category of software, whose intent is not as unequivocally malicious as with other types of malware, such as viruses or trojan horses. It may however install additional unwanted software, change the behavior of the digital device, or perform activities not approved or expected by the user.

Categories that may be considered grayware include: advertising display software, download wrappers, various browser toolbars, software with misleading behavior, bundleware, trackware, registry cleaners or any other borderline software, or software that uses illicit or at least unethical business practices (despite appearing legitimate) and might be deemed undesirable by an end user who became aware of what the software would do if allowed to install.

A Potentially Unsafe Application is one that is in itself legitimate (possibly commercial) software but which might be misused by an attacker. Detection of these types of application can be enabled or disabled by users of ESET software.

There are some situations where a user may feel that the benefits of a potentially unwanted application outweigh the risks. For this reason, ESET assigns such applications a lower-risk category compared to other types of malicious software, such as trojan horses or worms.

Warning - Potential threat found
Potentially unwanted applications - Settings
Potentially unwanted applications - Software wrappers
Potentially unwanted applications - Registry cleaners
Potentially unwanted content

Warning - Potential threat found

When a potentially unwanted application is detected, you can decide which action to take:

1.Clean/Disconnect: This option ends the action and prevents the potential threat from entering your system.
2.Ignore: This option allows a potential threat to enter your system.
3.To allow the application to run on your computer in the future without interruption, click Advanced options and then select the check box next to Exclude from detection.

Potentially unwanted applications - Settings

While installing your ESET product, you can decide whether to enable detection of potentially unwanted applications, as shown below:



Potentially unwanted applications may install adware, toolbars, or contain other unwanted and unsafe program features.

These settings can be modified in your program settings at any time. To enable or disable the detection of Potentially unwanted, unsafe or suspicious applications, follow these instructions:

1.Open your ESET product. How do I open my ESET product?
2.Press the F5 key to access Advanced setup.
3.Click Antivirus and enable or disable options Enable detection of potentially unwanted applications, Enable detection of potentially unsafe applications and Enable detection of suspicious applications according to your preferences. Confirm by clicking OK.

Potentially unwanted applications - Software wrappers

A software wrapper is a special type of application modification that is used by some file-hosting websites. It is a third-party tool that installs the program you intended to download but adds additional software, such as toolbars or adware. The additional software may also make changes to your web browser’s home page and search settings. Also, file-hosting websites often do not notify the software vendor or download recipient that modifications have been made, and often hide options to opt out. For these reasons, ESET classifies software wrappers as a type of potentially unwanted application to allow users to accept the download or not.

Potentially unwanted applications - Registry cleaners

Registry cleaners are programs that may suggest that the Windows registry database requires regular maintenance or cleaning. Using a registry cleaner might introduce some risks to your computer system. Additionally, some registry cleaners make unqualified, unverifiable or otherwise unsupportable claims about their benefits and/or generate misleading reports about a computer system based on the results of a "free scan". These misleading claims and reports seek to persuade you to purchase a full version or subscription, usually without allowing you to evaluate the registry cleaner before payment. For these reasons, ESET classifies such programs as PUA and provides you the option to allow or to block them.

Potentially unwanted content

If PUA detection is enabled in your ESET product, websites that have a reputation for promoting PUAs or that have a reputation for misleading users into performing actions that might have negative implications on their system or browsing experience will be blocked as potentially unwanted content. If you receive a notification that a website you are attempting to visit is categorized as potentially unwanted content, you can click Go Back to navigate away from the blocked web page or click Ignore and continue to allow the site to load.

Please see this ESET Knowledgebase article for an updated version of this help page.

Potentially unsafe applicationsPotentially unsafe applications is the classification used for commercial, legitimate programs such as remote access tools, password-cracking applications and keyloggers (programs that record each keystroke typed by a user). This option is disabled by default.


The cleaning settings determine the behavior of the scanner while cleaning infected files. There are 3 levels of cleaning:

No cleaning – Infected files will not be cleaned automatically. The program will display a warning window and allow the user to choose an action. This level is designed for more advanced users who know which steps to take in the event of an infiltration.

Normal cleaning – The program will attempt to automatically clean or delete an infected file based on a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by a notification the bottom-right corner of the screen. If it is not possible to select the correct action automatically, the program provides other follow-up actions. The same happens when a predefined action cannot be completed.

Strict cleaning – The program will clean or delete all infected files. The only exceptions are the system files. If it is not possible to clean them, the user is prompted to select an action by a warning window.


If an archive contains a file or files which are infected, there are two options for dealing with the archive. In standard mode (Standard cleaning), the whole archive would be deleted if all the files it contains are infected files. In Strict cleaning mode, the archive would be deleted if it contains at least one infected file, regardless of the status of the other files in the archive.


An extension is the part of a file name delimited by a period. An extension defines the type and content of a file. This section of the ThreatSense parameter setup lets you define the types of files to scan.


When configuring ThreatSense engine parameters setup for a On-demand computer scan, the following options in Other section are also available:

Scan alternate data streams (ADS) – Alternate data streams used by the NTFS file system are file and folder associations which are invisible to ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternate data streams.

Run background scans with low priority – Each scanning sequence consumes a certain amount of system resources. If you work with programs that place a high load on system resources, you can activate low priority background scanning and save resources for your applications.

Log all objects – If this option is selected, the log file will show all the scanned files, even those not infected. For example, if an infiltration is found within an archive, the log will list also clean files contained within the archive.

Enable Smart optimization – With Smart Optimization enabled, the most optimal settings are used to ensure the most efficient scanning level, while simultaneously maintaining the highest scanning speeds. The various protection modules scan intelligently, making use of different scanning methods and applying them to specific file types. If the Smart Optimization is disabled, only the user-defined settings in the ThreatSense core of the particular modules are applied when performing a scan.

Preserve last access timestamp – Select this option to keep the original access time of scanned files instead of updating them (for example, for use with data backup systems).

icon_section Limits

The Limits section allows you to specify the maximum size of objects and levels of nested archives to be scanned:

Object settings

Maximum object size – Defines the maximum size of objects to be scanned. The given antivirus module will then scan only objects smaller than the size specified. This option should only be changed by advanced users who may have specific reasons for excluding larger objects from scanning. Default value: unlimited.

Maximum scan time for object (sec.) – Defines the maximum time value for scanning of an object. If a user-defined value has been entered here, the antivirus module will stop scanning an object when that time has elapsed, regardless of whether the scan has finished. Default value: unlimited.

Archive scan setup

Archive nesting level – Specifies the maximum depth of archive scanning. Default value: 10.

Maximum size of file in archive – This option allows you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. Default value: unlimited.


We do not recommend changing the default values; under normal circumstances, there should be no reason to modify them.