ESET Online Help

Search English
Select the topic

ThreatSense

ThreatSense is comprised of many complex threat detection methods. This technology is proactive, which means it also provides protection during the early spread of a new threat. It uses a combination of code analysis, code emulation, generic signatures and virus signatures which work in concert to significantly enhance system security. The scanning engine is capable of controlling several data streams simultaneously, maximizing efficiency and detection rate. ThreatSense technology also successfully eliminates rootkits.

ThreatSense engine setup options enable you to specify several scan parameters:

File types and extensions that are to be scanned

The combination of various detection methods

Levels of cleaning, etc.

To enter the setup window, click ThreatSense in the Advanced setup for any module that uses ThreatSense technology (see below). Different security scenarios may require different configurations. With this in mind, ThreatSense is individually configurable for the following protection modules:

Real-time file system protection

Idle-state scanning

Startup scan

Document protection

Email client protection

Web access protection

Computer scan

ThreatSense parameters are highly optimized for each module, their modification can significantly influence system operation. For example, changing parameters to always scan runtime packers, or enabling advanced heuristics in the Real-time file system protection module could result in system slow-down (normally, only newly-created files are scanned using these methods). We recommend that you leave the default ThreatSense parameters unchanged for all modules except Computer scan.

Objects to scan

This section allows you to define which computer components and files will be scanned for infiltrations.

Operating memory—Scans for threats that attack the operating memory of the system.

Boot sectors/UEFI—Scans boot sectors for the presence of malware in the master boot record. Read more about UEFI in the glossary.

Email files—The program supports the following extensions: DBX (Outlook Express) and EML.

Archives—The program supports the following extensions: ARJ, BZ2, CAB, CHM, DBX, GZIP, ISO/BIN/NRG, LHA, MIME, NSIS, RAR, SIS, TAR, TNEF, UUE, WISE, ZIP, ACE, and many others.

Self-extracting archives—Self-extracting archives (SFX) are archives that can extract themselves.

Runtime packers—After being executed, runtime packers (unlike standard archive types) decompress in memory. In addition to standard static packers (UPX, yoda, ASPack, FSG, etc.), the scanner is able to recognize several additional types of packers through the use of code emulation.

Scan options

Select the methods used when scanning the system for infiltrations. The following options are available:

Heuristics—A heuristic is an algorithm that analyzes the (malicious) activity of programs. The main advantage of this technology is the ability to identify malicious software which did not exist or was not covered by the previous versions of the detection engine module. The disadvantage is a (very small) probability of false alarms.

Advanced heuristics/DNA signatures—Advanced heuristics are a unique heuristic algorithm developed by ESET, optimized for detecting computer worms and trojan horses and written in high-level programming languages. The use of advanced heuristics greatly increases the threat detection capabilities of ESET products. Signatures can reliably detect and identify viruses. Utilizing the automatic update system, new signatures are available within a few hours of a threat discovery. The disadvantage of signatures is that they only detect viruses they know (or slightly modified versions of these viruses).

Cleaning

The cleaning settings determine the behavior of ESET Safe Server while cleaning objects. There are 4 levels of cleaning:

ThreatSense has the following remediation (i.e. cleaning) levels.

Remediation in ESET Safe Server

Cleaning level

Description

Always remedy detection

Attempt to remediate the detection while cleaning objects without any end-user intervention. In some rare cases (for example, system files), if the detection cannot be remediated, the reported object is left in its original location.

Remedy detection if safe, keep otherwise

Attempt to remediate the detection while cleaning objects without any end-user intervention. In some cases (for example, system files or archives with both clean and infected files), if detection cannot be remediated, the reported object is left in its original location.

Remedy detection if safe, ask otherwise

Attempt to remediate the detection while cleaning objects. In some cases, if no action can be performed, the end-user receives an interactive alert and must select a remediation action (for example, delete or ignore). This setting is recommended in most cases.

Always ask the end-user

The end-user receives an interactive window while cleaning objects and must select a remediation action (for example, delete or ignore). This level is designed for more advanced users who know which steps to take in the event of a detection.

Exclusions

An extension is the part of a file name delimited by a period. An extension defines the type and content of a file. This section of the ThreatSense setup allows you to define the types of files to scan.

Other

When configuring ThreatSense engine parameters for an On-demand computer scan, the following options in Other section are also available:

Scan alternate data streams (ADS)—Alternate data streams used by the NTFS file system are file and folder associations which are invisible to ordinary scanning techniques. Many infiltrations try to avoid detection by disguising themselves as alternate data streams.

Run background scans with low priority—Each scanning sequence consumes a certain amount of system resources. If you work with programs that place a high load on system resources, you can activate low priority background scanning and save resources for your applications.

Log all objects—The Scan log will show all the scanned files in self-extracting archives, even those not infected (may generate a lot of scan log data and increase the scan log file size).

Enable Smart optimization—With Smart Optimization enabled, the most optimal settings are used to ensure the most efficient scanning level, while simultaneously maintaining the highest scanning speeds. The various protection modules scan intelligently, making use of different scanning methods and applying them to specific file types. If the Smart Optimization is disabled, only the user-defined settings in the ThreatSense core of the specific modules are applied when performing a scan.

Preserve last access timestamp—Select this option to keep the original access time of scanned files instead of updating them (for example, for use with data backup systems).

icon_section Limits

The Limits section enables you to specify the maximum size of objects and levels of nested archives to be scanned:

Object settings

Maximum object size—Defines the maximum size of objects to be scanned. The given antivirus module will then scan only objects smaller than the size specified. This option should only be changed by advanced users who may have specific reasons for excluding larger objects from scanning. Default value: unlimited.

Maximum scan time for object (sec.)—Defines the maximum time value for the scan of files in a container object (such as a RAR/ZIP archive or an email with multiple attachments). This setting does not apply for standalone files. If a user-defined value has been entered and that time has elapsed, a scan will stop as soon as possible, regardless of whether the scan of each file in a container object has finished.
In the case of an archive with large files, the scan will stop no sooner than a file from the archive is extracted (for example, when a user-defined variable is 3 seconds, but the extraction of a file takes 5 seconds). The rest of the files in the archive will not be scanned when that time has elapsed.
To limit scanning time, including bigger archives, use Maximum object size and Maximum size of file in archive (not recommended due to possible security risks).
Default value: unlimited.

Archive scan setup

Archive nesting level—Specifies the maximum depth of archive scanning. Default value: 10.

Maximum size of file in archive—This option enables you to specify the maximum file size for files contained in archives (when they are extracted) that are to be scanned. The maximum value is 3 GB.


note

We do not recommend changing the default values; under normal circumstances, there should be no reason to modify them.