ThreatSense parameters

ThreatSense is technology comprised of many complex threat detection methods. This technology is proactive, which means it also provides protection during the early spread of a new threat. It uses a combination of code analysis, code emulation, generic signatures and virus signatures which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing the efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.

note_icon_note NOTE

For details about automatic startup file check, see Startup scan.

ThreatSense engine setup options allow you to specify several scan parameters:

File types and extensions that are to be scanned

The combination of various detection methods

Levels of cleaning, etc.

To enter the setup window, click ThreatSense engine parameter setup in the Advanced setup window for any module that uses ThreatSense technology (see below). Different security scenarios may require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:

Mail transport protection

On-demand database protection

Mailbox database protection

Hyper-V scan

Real-time file system protection

Idle-state scanning

Startup scan

Document protection

Email client protection

Web access protection

ThreatSense parameters are highly optimized for each module, and their modification can significantly influence system operation. For example, changing parameters to always scan runtime packers, or enabling advanced heuristics in the Real-time file system protection module could result in a system slow-down (normally, only newly-created files are scanned using these methods). We recommend that you leave the default ThreatSense parameters unchanged for all modules except Computer scan.

Objects to scan

This section allows you to define which computer components and files will be scanned for infiltrations.

Operating memory - Scans for threats that attack the operating memory of the system.

Boot sectors - Scans boot sectors for the presence of viruses in the MBR (Master Boot Record). In case of a Hyper-V Virtual Machine, its disk MBR is scanned in read - only mode.

Email files - The program supports the following extensions: DBX (Outlook Express) and EML.

Archives - The program supports the following extensions: ARJ, BZ2, CAB, CHM, DBX, GZIP, ISO/BIN/NRG, LHA, MIME, NSIS, RAR, SIS, TAR, TNEF, UUE, WISE, ZIP, ACE, and many others.

Self-extracting archives – Self-extracting archives (SFX) are archives needing no specialized programs – archives – to decompress themselves.

Runtime packers - After being executed, runtime packers (unlike standard archive types) decompress in memory. In addition to standard static packers (UPX, yoda, ASPack, FSG, etc.), the scanner is able to recognize several additional types of packers through the use of code emulation.

note_icon_note NOTE

For the Mailbox database protection feature, attached email files (for example .eml files) are scanned regardless of the setting under Objects to scan. This is because Exchange Server parses the attached .eml file before it is submitted for scanning by ESET Mail Security. The VSAPI plug-in gets extracted files from the .eml attachment instead of receiving the original .eml file.


Scan options

Select the methods used when scanning the system for infiltrations. The following options are available:

Heuristics - A heuristic is an algorithm that analyzes the (malicious) activity of programs. The main advantage of this technology is the ability to identify malicious software which did not exist, or was not known by the previous virus signatures database.

Advanced heuristics/DNA signatures - Advanced heuristics consist of a unique heuristic algorithm developed by ESET, optimized for detecting computer worms and trojan horses and written in high level programming languages. The use of advanced heuristics greatly increases the threat detection capabilities of ESET products. Signatures can reliably detect and identify viruses. Utilizing the automatic update system, new signatures are available within a few hours of a threat discovery. The disadvantage of signatures is that they only detect viruses they know (or slightly modified versions of these viruses).


The cleaning settings determine the behavior of the scanner while cleaning infected files. There are 3 levels of cleaning:

No cleaning - Infected files will not be cleaned automatically. The program will display a warning window and allow the user to choose an action. This level is designed for more advanced users who know which steps to take in the event of an infiltration.

Normal cleaning - The program will attempt to automatically clean or delete an infected file based on a predefined action (depending on the type of infiltration). Detection and deletion of an infected file is signaled by a notification in the bottom-right corner of the screen. If it is not possible to select the correct action automatically, the program provides other follow-up actions. The same happens when a predefined action cannot be completed.

Strict cleaning - The program will clean or delete all infected files. The only exceptions are system files. If it is not possible to clean a file, the user will be asked what type of action should be taken.

note_icon_warning WARNING

If an archive contains a file or files that are infected, there are two options for dealing with the archive. In the default mode, Normal cleaning, the whole archive will be deleted if all the files it contains are infected. In Strict cleaning mode, the archive will be deleted if it contains at least one infected file, regardless of the status of the other files in the archive.

note_icon_important IMPORTANT

If a Hyper-V host is running on Windows Server 2008 R2, Normal cleaning and Strict cleaning are not supported. Scanning of Virtual Machine disks is done in read-only mode, no cleaning will be performed. Regardless of the cleaning level selected, the scan is always performed in read-only mode.


An extension is the part of a file name delimited by a period. An extension defines the type and content of a file. This section of the ThreatSense parameter setup lets you define the types of files to exclude from scan.


When configuring ThreatSense engine parameters setup for a On-demand computer scan, the following options in Other section are also available:

Scan alternate data streams (ADS) - Alternate data streams used by the NTFS file system are file and folder associations which are invisible to ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternate data streams.

Run background scans with low priority - Each scanning sequence consumes a certain amount of system resources. If you work with programs that place a high load on system resources, you can activate low priority background scanning and save resources for your applications.

Log all objects - If this option is selected, the log file will show all the scanned files, even those not infected. For example, if an infiltration is found within an archive, the log will also list clean files contained within the archive.

Enable Smart optimization - With Smart Optimization enabled, the most optimal settings are used to ensure the most efficient scanning level, while simultaneously maintaining the highest scanning speeds. The various protection modules scan intelligently, making use of different scanning methods and applying them to specific file types. If Smart Optimization is disabled, only the user-defined settings in the ThreatSense core of the particular modules are applied when performing a scan.

Preserve last access timestamp - Select this option to keep the original access time of scanned files instead of updating them (for example, for use with data backup systems).