ThreatSense is technology comprised of many complex threat detection methods. This technology is proactive, which means it also provides protection during the early spread of a new threat. It uses a combination of code analysis, code emulation, generic signatures and virus signatures which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing the efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.
For details about automatic startup file check, see Startup scan.
ThreatSense engine setup options allow you to specify several scan parameters:
• File types and extensions that are to be scanned
• The combination of various detection methods
• Levels of cleaning, etc.
To enter the setup window, click ThreatSense engine parameter setup in the Advanced setup (F5) window for any module that uses ThreatSense technology (see below). Different security scenarios may require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:
•Mail transport protection
•On-demand mailbox database protection
•Mailbox database protection
•Hyper-V scan
•Real-time file system protection
•Malware scans
•Idle-state scanning
•Startup scan
•Document protection
•Email client protection
•Web access protection
ThreatSense parameters are highly optimized for each module, and their modification can significantly influence system operation. For example, changing parameters to always scan runtime packers, or enabling advanced heuristics in the Real-time file system protection module could result in a system slow-down (normally, only newly-created files are scanned using these methods). We recommend that you leave the default ThreatSense parameters unchanged for all modules except Computer scan.
Objects to scan
This section lets you define which computer components and files will be scanned for infiltration.
Operating memory
Scans for threats that attack the operating memory of the system.
Boot sectors/UEFI
Scans boot sectors for the presence of viruses in the MBR (Master Boot Record). In the case of a Hyper-V virtual machine, the MBR of its disk is scanned in read-only mode.
WMI database
Scans the whole WMI database, searching for references to infected files or malware embedded as data.
System registry
Scans the system registry, including all keys and subkeys, searching for references to infected files or malware embedded as data.
Email files
The program supports the following extensions: DBX (Outlook Express) and EML.
Archives
The program supports the following extensions: ARJ, BZ2, CAB, CHM, DBX, GZIP, ISO/BIN/NRG, LHA, MIME, NSIS, RAR, SIS, TAR, TNEF, UUE, WISE, ZIP, ACE, and many others.
Self-extracting archives
Self-extracting archives (SFX) are archives that need no specialized program (an archiver) to decompress themselves.
Runtime packers
After being executed, runtime packers (unlike standard archive types) decompress in memory. In addition to standard static packers (UPX, yoda, ASPack, FSG, etc.), the scanner is able to recognize several additional types of packers through the use of code emulation.
For the Mailbox database protection feature, attached email files (for example .eml files) are scanned regardless of the setting under Objects to scan. This is because Exchange Server parses the attached .eml file before it is submitted for scanning by ESET Mail Security. The VSAPI plug-in gets extracted files from the .eml attachment instead of receiving the original .eml file.
Select the methods used when scanning the system for infiltrations. The following options are available:
Heuristics
A heuristic is an algorithm that analyzes the (potentially malicious) activity of programs. The main advantage of this technology is its ability to identify malicious software that did not yet exist, or was not yet known to the previous detection engine, at the time its signatures were created.
Advanced heuristics/DNA signatures
Advanced heuristics consist of a unique heuristic algorithm developed by ESET, optimized for detecting computer worms and Trojan horses written in high-level programming languages. The use of advanced heuristics greatly increases the threat detection capabilities of ESET products. Signatures can reliably detect and identify viruses. Using the automatic update system, new signatures are available within a few hours of a threat's discovery. The disadvantage of signatures is that they only detect viruses they know (or slightly modified versions of those viruses).
The cleaning settings determine the behavior of the scanner while cleaning infected files. Real-time protection and other protection modules have the following remediation (i.e. cleaning) levels.
Always remedy detection
Attempt to remediate the detection while cleaning objects without any user intervention. System files are an exception. Such objects are left in their original location if the detection cannot be remediated.
Remedy detection if safe, keep otherwise
Attempt to remediate the detection while cleaning objects without any user intervention. If a detection cannot be remediated for system files or archives (with clean and infected files), the reported object is kept in its original location.
Remedy detection if safe, ask otherwise
Attempt to remediate the detection while cleaning objects. In some cases, if ESET Mail Security cannot perform automatic action, you will be prompted to choose an action (delete or ignore). This setting is recommended in most cases.
Always ask the end-user
No automatic action will be attempted by ESET Mail Security. You will be prompted to choose an action.
An extension is the part of a filename delimited by a period. An extension defines the type and content of a file. This section of the ThreatSense parameter setup lets you define the types of files to exclude from scan.
Other
When configuring ThreatSense engine parameters for an On-demand computer scan, the following options in the Other section are also available:
Scan alternate data streams (ADS)
Alternate data streams used by the NTFS file system are file and folder associations which are invisible to ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternate data streams.
Run background scans with low priority
Each scanning sequence consumes a certain amount of system resources. If you work with programs that place a high load on system resources, you can activate low priority background scanning and save resources for your applications.
Log all objects
If this option is selected, the log file will show all the scanned files, even those not infected.
Enable Smart optimization
With Smart Optimization enabled, the optimal settings are used to ensure the most efficient scanning level, while simultaneously maintaining the highest scanning speeds. The various protection modules scan intelligently, making use of different scanning methods and applying them to specific file types. If Smart Optimization is disabled, only the user-defined settings in the ThreatSense core of the specific modules are applied when performing a scan.
Preserve last access timestamp
Select this option to keep the original access time of scanned files instead of updating them (for example, for use with data backup systems).
The Limits section allows you to specify the maximum size of objects and levels of nested archives to be scanned:
Default object settings
Enable this to use the default settings (no limits). ESET Mail Security will then ignore your custom settings.
Maximum object size
Defines the maximum size of objects to be scanned. The given protection module will then scan only objects smaller than the size specified. This option should only be changed by advanced users who may have specific reasons for excluding larger objects from scanning. Default value: unlimited.
Maximum scan time for object (sec.)
Defines the maximum time value for scanning of an object. If a user-defined value has been entered here, the protection module will stop scanning an object when that time has elapsed, regardless of whether the scan has finished. Default value: unlimited.
Archive scan setup
To modify archive scan settings, deselect Default archive scan settings.
Archive nesting level
Specifies the maximum depth of archive scanning. Default value: 10. For objects detected by Mailbox transport protection, the actual nesting level is one higher than the archive's own depth, because an archive attached to an email is itself considered the first level.
If the nesting level is set to 3, an archive with three nesting levels is scanned by Mailbox transport protection only down to its actual level 2. Therefore, if you want Mailbox transport protection to scan archives down to level 3, set the value for Archive nesting level to 4.
Maximum size of file in archive
This option allows you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. Default value: unlimited.
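The following Python script is an added illustration of how the two archive limits above interact; it is not ESET code and does not reproduce the ThreatSense engine. It builds a constructed nested ZIP in memory, walks it while enforcing an archive nesting level and a maximum size of file in archive, and models the "+1" rule for Mailbox transport protection by starting the walk at level 2 when the archive arrived as an email attachment. The function names, the `via_mail_transport` flag and the status strings are assumptions made for this example.

```python
import io
import zipfile


def build_nested_zip(depth, inner_name="payload.txt", inner_data=b"hello"):
    """Constructed sample input: return the bytes of a ZIP archive nested
    `depth` levels deep. depth=1 is a flat archive holding inner_name;
    depth=3 is level1.zip > level2.zip > level3.zip > payload.txt."""
    data, name = inner_data, inner_name
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_archive(data, max_nesting, max_member_size=None, via_mail_transport=False):
    """Walk a ZIP archive recursively, applying the two limits described on
    this page. Returns a list of (member_path, status) tuples, where status
    is 'scanned', 'skipped:nesting' or 'skipped:size'.

    The outermost archive is nesting level 1 for an on-demand scan. For an
    archive that arrived as an email attachment, the attachment itself
    already counts as level 1, so the walk starts at level 2 (the "+1" rule).
    """
    start_level = 2 if via_mail_transport else 1
    return _walk(data, max_nesting, max_member_size, start_level, "<root>")


def _walk(data, max_nesting, max_member_size, level, path):
    results = []
    if level > max_nesting:
        # Deeper than the configured limit: this archive is not opened at all.
        results.append((path, "skipped:nesting"))
        return results
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            # Check the declared uncompressed size before extracting the
            # member, so an oversized member is never inflated into memory.
            if max_member_size is not None and info.file_size > max_member_size:
                results.append((member_path, "skipped:size"))
                continue
            member = zf.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(member)):
                results.extend(_walk(member, max_nesting, max_member_size,
                                     level + 1, member_path))
            else:
                # A real scanner would inspect the member's content here.
                results.append((member_path, "scanned"))
    return results


if __name__ == "__main__":
    sample = build_nested_zip(3)
    for via_mail, limit in ((False, 3), (True, 3), (True, 4)):
        print(f"mail transport={via_mail}, nesting level={limit}:")
        for member, status in scan_archive(sample, limit, via_mail_transport=via_mail):
            print(f"  {member}: {status}")
```

Run without arguments, the script shows that a three-level archive is fully scanned on demand with a nesting level of 3, is cut off at its second level by transport protection with the same setting, and is fully scanned by transport protection only once the setting is raised to 4. The size check is deliberately made on the size recorded in the archive directory rather than after extraction, which is the ordering that protects the scanner from inflating a member it would then discard.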
We do not recommend changing the default values; under normal circumstances, there should be no reason to modify them.