ande

There are so many ways you can configure Kaspersky; by doing that you can improve or reduce the protection level and performance, and if you don't know what you are doing you can sometimes unintentionally restrict internet access on the computer, block an application or restrict its internet access, and so on.

Kaspersky in its default mode doesn't offer the best protection level, and since there are a lot of people who don't know how to configure it, they stay unprotected against some threats while having the most powerful security!

Since protecting the computer from Trojan-Ransom is very important and so few users know how to protect against it, I decided to start with this one that everyone should apply!

Protect computer from Trojan-Ransom (Winlock) using Application Control

Malware belonging to the Trojan-Ransom family is malware which blocks access to data stored on a computer and compromises systems to demand a ransom. Such malware is used by cybercriminals to get money.

How to prevent infection

It is very important to secure computer protection against malware belonging to the Trojan-Ransom family. In order to secure computer protection, a user can use the Application Control component from Kaspersky Internet Security 2011. The component registers all actions performed by applications run in the system and controls them according to special rules. These rules control applications' access to system resources.

In order to secure your computer protection, it is required to create a rule that will control applications' access to some registry keys. It is recommended to create rules for the following registry keys:

  • *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • *\SOFTWARE\Policies\*
  • *\SOFTWARE\Policies\*\
  • *\SOFTWARE\Policies\*\*
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\*
In order to create rules for registry keys mentioned above, perform the following actions:

Step 1. Open the main application window.

Step 2. On the upper right hand corner of the main application window, click Settings.

Step 3. On the upper part of the Settings window, go to the Protection Center tab and then select Application Control.

Step 4. On the right hand part of the Settings window, click on the Identity protection button.

Step 5. On the Digital Identity Protection window on the Identity data tab, select All resources from the drop-down list.

Step 6. On the Identity data tab create a new category with the name AntiWinLock. In order to do this, perform the following actions:

  • On the Digital Identity Protection window, select the Identity data resource.
  • In the upper part of the Digital Identity Protection window, click the Add category button.
  • In the Identity data category window, enter AntiWinLock.
  • Click the OK button.
Step 7. To make browsing more convenient, click on the "-" icon for each category in the Digital Identity Protection window.

Step 8. Select the AntiWinLock category.

Step 9. Add to the AntiWinLock category registry keys which are required to be controlled. In order to do so, perform the following actions:

  • On the upper left hand corner of the Digital Identity Protection window, click on the Add button.
  • From the drop-down menu that will open, select the Registry key item.

  • On the User resource window, enter the Name for the rule (it is not obligatory to enter the Name for the rule; when you select the required Path, the name will be specified automatically).
  • Enter the Path which will be controlled by Application Control. In order to do this, click on the Browse... button and perform the following actions:
    • On the bottom part of the Select registry object window, enter the following:
      • In the Key field: *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • In the Value field: Shell
    • Click on the OK button.
  • On the User resource window, click on the OK button.

Perform the same actions for the rest of the resources:

2: in the Key field enter *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, in the Value field enter AppInit_DLLs

3: in the Key field enter *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in the Value field enter Userinit

4: in the Key field enter *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\* (DO NOT enter any data in the Value field of this key. By default, the value "*" will be specified automatically)

5: in the Key field enter *\SOFTWARE\Policies, in the Value field enter *, in the User Resource window in the Name field enter Winlock.policies.Values

6: in the Key field enter *\SOFTWARE\Policies\*, in the User Resource window in the Name field enter Winlock.policies.Keys

7: in the Key field enter *\SOFTWARE\Policies\*, in the Value field enter *, in the User Resource window in the Name field enter Winlock.policies.Sub

8: in the Key field enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, in the Value field enter *, in the User Resource window in the Name field enter SafeBoot.Values

9: in the Key field enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*, in the User Resource window in the Name field enter SafeBoot.Keys

10: in the Key field enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*, in the Value field enter *, in the User Resource window in the Name field enter SafeBoot.Values.Sub

  • Once you have performed the actions described above, ten registry resources will be added to the AntiWinLock category and will be controlled by the Application Control component of Kaspersky Internet Security 2012.
  • Click on the OK button.

Step 10. On the left hand part of the Settings window, select the Application Control item.

Step 11. On the right hand part of the Settings window, click on the Applications button.

Step 12. In the Applications window, perform the following actions:

  • Select the Low Restricted folder.
  • On the upper left hand part of the Applications window, click on the Edit button.
  • On the Group rules window, go to the Files and system registry tab.
  • Find the AntiWinLock resource.
  • For the AntiWinLock resource the option Prompt for action is specified for the actions Read, Write, Delete and Create. Specify the Block option for the actions Read, Write, Delete and Create. In order to do this, perform the following actions:
    • right-click the icon of the required action
    • select Block from the context menu that will open
    • click on the OK button in the Group rules window.

Configure Digital Identity Protection

What is Application Control

The Application Control component logs the actions performed by applications in the system, and manages the applications' activities, based on which group they belong to. A set of rules is defined for each group of applications. These rules manage applications' access to various resources.

Two categories of resources - Operating system and Identity data - are defined in Kaspersky Internet Security 2012.

When an application tries to get access to any system resources which belong to this category, Application Control checks the rules defined by Kaspersky Internet Security 2012 for this program and in accordance with the pre-defined rules Application control allows, prompts the user or blocks the application.

Setting the Identity data tab

The category Identity data includes:

  • user's files (My Documents folder, cookie files, information about the user's activity);
  • registry files, folders and keys which contain the settings and important data of the most frequently used applications: Internet browsers, file managers, mail clients, IM clients, and electronic wallets.
The resources listed above cannot be deleted. However, you can disable their protection by clearing the box next to the necessary category. You can also add your files, folders or registry keys to protect them with Application Control.

To modify the list of system resources in the Identity Data category, do the following:

  • open the main application window
  • on the upper right hand part of the window, click on the Settings button
  • on the upper left hand part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select Application Control
  • on the right hand part of the window, click on the Identity protection button
  • on the Digital Identity Protection window on the tab Identity Data in the drop-down list select the required category
  • click on the link Add category to add a new category
  • on the Identity data category window, specify the required name for the group and click OK

To add an additional resource to the selected or an existing category:
  • on the Digital Identity Protection window on the tab Identity Data, click on the Add button
  • on the open menu select the required resource type:
    • File or folder. On the User resource window, click Browse. On the Select file or folder window that will open, specify the file or folder.
    • Registry key. On the User resource window, click Browse. In the Please specify a registry object window that will open, specify the protected registry key.
Once the resource has been added to the protection scope, you can edit or delete the resource using the corresponding links on the bottom part of the tab.

Setting the Operating system tab

The Operating system category includes the following resources:

  • registry keys with autorun parameters;
  • registry keys with parameters of work on the Internet;
  • registry keys which influence system security;
  • system files and folders;
  • autorun folders.
To modify the list of system resources in the Operating system category, perform the following actions:
  • open the main application window
  • on the upper right hand part of the window, click on the Settings button
  • on the upper left hand part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select Application Control
  • on the right hand part of the window, click on the Identity protection button
  • go to the Operating system tab and in the drop-down list select the necessary category
  • click on the Add button and on the open menu select the required resource type:
    • File or folder. On the User resource window, click Browse. On the Select file or folder window that will open, specify the file or folder.
    • Registry key. On the User resource window, click Browse. In the Please specify a registry object window that will open, specify the protected registry key.
  • the new resources will be displayed in the Digital Identity Protection window
  • on the Digital Identity Protection window, click OK
  • on the Settings window, click OK
  • close the main application window.

Once the resource is added to the protection scope, it can be edited or deleted with the help of the corresponding buttons.

source: kaspersky.com


How to enable/disable protection in Kaspersky Internet Security 2012?

By default, Kaspersky Internet Security 2012 is started automatically at computer startup. After the application is started, all the application components are enabled.

You can disable protection in Kaspersky Internet Security 2012.

When the protection is disabled, the work of all protection components is disabled.

Kaspersky Lab specialists do not recommend disabling protection. It may result in infection of your computer and data loss. If it is required, you can pause protection for a required period of time.

In Kaspersky Internet Security 2012 there are the following indications of disabled protection:

  • grey Kaspersky icon in the Taskbar notification area

  • red banner in the main application window (the banner displays protection state of your computer).

In order to disable/enable protection in Kaspersky Internet Security 2012, perform the following actions:
  • open the main application window
  • on the upper right hand corner of the main application window, click on the Settings button
  • on the upper left hand part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select General Settings
  • on the right hand part of the Settings window, perform the following:

    • if you want to disable your computer protection, then clear the Enable protection box
    • if you want to enable your computer protection, then check the Enable protection box
  • click the OK button in the Settings window
  • close the main application window.

Interactive and automatic protection modes in Kaspersky Internet Security 2012

During the application installation you can select the protection mode. Two modes are available:

  • Automatic. If any important events occur, Kaspersky Internet Security will automatically perform the action recommended by Kaspersky Lab specialists. Once a threat is detected, the application will attempt to disinfect the object; if it fails, the application will delete it. Suspicious objects will be skipped without processing. Pop-up messages inform the user about new events.
  • Interactive. Kaspersky Internet Security informs the user about all malicious and suspicious events. In this mode the user will manually select actions: allow or block activities.
By default, the automatic protection mode is enabled in Kaspersky Internet Security 2012.

How to change the protection mode

How to enable password protection in Kaspersky Internet Security 2012?

How to enable/disable launch of Kaspersky Internet Security 2012 at computer startup?

How to enable/disable the option of quick access to Virtual Keyboard in Kaspersky Internet Security 2012?

Guide to Improve Kaspersky 2011/2012 performance

Step A:

After installation --> update and reboot --> Ensure that you take part in KSN --> Do not change any setting/heuristics except those pointed out below. It is a balance between performance and security. The following settings will not weaken your protection, but will give you the expected good security (first priority) and great performance. Do not forget to scan each external device before working with it.

Connect to internet (KSN will start working) and run all applications you use including browsers, media players, office, and games --> Make exclusion rules if KIS asks you about PDM detections during game play --> Reboot --> Go to Application Control and make all of them trusted (These all are your applications) --> In Firewall, block permissions of those applications, which have nothing to do with internet (like local media players, defragmenter, junk cleaner, and other such utilities).

In Scan Settings, uncheck both Idle and Regular Rootkit scan --> Change custom scan to High --> click Settings and “Scan only new and changed files”. In Additional tab, select deep scan for heuristics analysis and detailed scan for rootkits.

In Advanced Settings --> Threats & Exclusion --> Exclude all games executables totally. Also exclude any other real-time protection software like WinPatrol, MBAM, SAS etc. --> Do not select concede resources to other applications unless your processor is less than 1.6 GHz --> In Network, select monitor all network ports --> In reports and storage, reduce storage days and size (i.e. 2 days, 2 MB).

Step B:

Now disconnect from internet --> disable Self-Defense and exit KIS --> Go to “C:\ProgramData\Kaspersky Lab\AVP11\Bases\Cache” and delete all files there --> Go to “C:\ProgramData\Kaspersky Lab\AVP11\Data\Updater” and delete Temporary Files folder --> Run KIS, it will take less than 1 minute to recreate its cache (fresh and clean). Do not forget to enable Self-Defense again. You can repeat this step every two weeks/after any patch from KL.

Step C:

Now run Critical Areas Scan. Repeat this scan every two-three days. Then scan your "users" folder and Program Files (+ Program Files (x86)). In Windows folder, scan Fonts, Media, Resources, Cursors, System, and System32 folder. One time scan is enough.

Step D:

Now run CCleaner/your favorite utility to clean junk/temp files --> Disable self-defense and exit KIS --> Defragment your C: Drive --> Reboot --> Enable self-defense.

Step E:

Voila. You are good to go. Do not forget to repeat Steps B to D. As you are also taking part in KSN, you are better protected against new threats as well as having a more organized Application Control list. You can (should) add steps from harlan4096's guide to further enhance your OS/Data security.

source: kaspersky forum


System Watcher

The System Watcher component in Kaspersky Anti-Virus/Kaspersky Internet Security 2012 collects data about the actions performed by applications on your computer and gives this information to other components for improved protection.

On the basis of the information collected, the System Watcher component allows you to roll back actions performed by malicious applications. In Kaspersky Lab's 2012 product, information about suspicious actions in the system is collected not only for the current session, but also for previous sessions. This makes it possible to roll back all actions performed by the application if the application is subsequently recognized as malicious.

Rolling back actions after malicious activity is detected in the system can be initiated either by the System Watcher component on the basis of patterns of dangerous behavior, or by Proactive Defense, or by running a virus scan task, or during the operations of File Anti-Virus.

Kaspersky Anti-Virus/Kaspersky Internet Security 2012 includes support for updatable heuristics. Updatable heuristics are a regularly updated set of patterns of dangerous application behavior.

The application of this technology means that upon detection of a new virus or of a new modification to already known malware, it does not update the whole System Watcher module, but instead adds a new pattern to the heuristics database, updating it together with Kaspersky Lab's antivirus databases. This technology allows you to block other malicious software with similar behavior.

The operation mode of Kaspersky Anti-Virus/Kaspersky Internet Security 2012 determines the way that this component reacts when an application's actions coincide with the patterns of dangerous behavior, and also determines whether to roll back a malicious application's actions. After detecting suspicious events in the system, the protection components of Kaspersky Anti-Virus/Kaspersky Internet Security 2012 can request additional information from the System Watcher component.

In the interactive mode of Kaspersky Anti-Virus/Kaspersky Internet Security 2012, you can view incident data collected by the System Watcher component in the form of a report on dangerous activity history, allowing you to make a decision about which action to take in the notification window. When the component detects a potentially dangerous application, a link to the System Watcher report is displayed in the upper part of the notification window with a request to take action.

Kaspersky Internet Security 2012 includes the Applications Activity module, with which you can view information about installed applications and currently launched applications (such as information about an application's status and the level of trust attributed to it by Kaspersky Internet Security 2012).

How to disable/enable the System Watcher component?

By default, the System Watcher component is enabled and runs in the mode designed by Kaspersky Lab specialists, but you can disable it if necessary. To enable/disable System Watcher:

  • Open the main application window.
  • In the upper-right corner of the window, click Settings.
  • In the Settings window, go to the Protection Center tab and select the System Watcher component.
  • In the right part of the window, uncheck/check the Enable System Watcher box.
  • In the Settings window, click OK.
  • Close the main application window.

The System Watcher component from Kaspersky Internet Security 2012 collects data concerning actions performed by applications on your computer, and the collected data are then used by other components to provide strong protection of your computer.

In Kaspersky Internet Security 2012 you can configure the System Watcher actions on suspicious application actions detection.

System Watcher uses heuristic analysis to detect actions which partially match patterns of dangerous activity. If such actions are detected, the application will ask the user to select an action to be performed with the suspicious program.

The technology allows adding new patterns to the existing heuristic databases and, therefore, does not require updating the whole module. New signatures are added during the anti-virus database update. Heuristic analysis allows blocking malicious actions of an application according to the signatures of the heuristic database.

Kaspersky Internet Security 2012 also includes Application Control. The module allows viewing the list of installed and running applications (for example, info concerning the application group identified by Kaspersky Internet Security 2012).

In order to configure the System Watcher actions on suspicious detection, perform the following actions:

  • open the main application window
  • on the right upper corner, click Settings
  • on the upper part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select System Watcher
  • on the right hand part of the Settings window, check the box Enable System Watcher
  • on the right part of the Settings window in the Heuristic analysis section, check the box Use updatable patterns of dangerous activity (BSS)
  • depending on the selected protection mode, select the required action for the On detecting dangerous activity option:
    • Select action automatically (if automatic protection mode is enabled). In this case System Watcher will automatically select the actions specified by Kaspersky Lab specialists
    • Prompt for action (if interactive protection mode is enabled). In this case System Watcher will prompt for action: allow or block.
    • Select action:
      • Move file to Quarantine
      • Terminate the malicious application
      • Ignore
  • on the bottom right hand corner, click on the OK button
  • close the main application window.

What is rollback of malware actions

In Kaspersky Internet Security 2012 you can select actions performed by the System Watcher component on malware detection.

Before the System Watcher component detects and quarantines suspicious programs, they can create or change files or folders in your system, change registry values. Now you can delete files created by malicious programs using rollback.

In order for the application to be able to roll back malicious actions, all application actions are registered. Data on application actions is saved during all computer sessions with Kaspersky Internet Security 2012 enabled. This allows rolling back all actions performed by malware.

In Kaspersky Internet Security 2012 you can limit size of data to be stored for rollback. The default limit is 30 MB.

Kaspersky Internet Security 2012 also includes the Application Control module. Using the component you can view a list of installed and launched applications (for example, an application status and group defined by Kaspersky Internet Security 2012).

Select an action performed upon rollback of malware actions

In order to configure the System Watcher actions on suspicious activity detection, perform the following actions:

If System Watcher falsely blocks a non-malicious process, files created by the process will be deleted by Kaspersky Internet Security 2012 automatically.

  • Open the main application window.
  • On the upper right hand corner of the window, click on the Settings button.
  • On the upper part of the Settings window, select Protection Center.
  • On the left hand part of the window, select System Watcher.
  • On the right hand part of the window in the Rollback of malware actions section, select one of the following actions (depending on the selected protection mode):
    • Check Select actions automatically (if the automatic protection mode is enabled). In this case Kaspersky Internet Security 2012 will roll back actions performed by malware automatically.
    • Check Prompt for action (if the interactive protection mode is enabled). In this case Kaspersky Internet Security 2012 prompts for the action to be performed on detected suspicious activity based on patterns of dangerous activity. In order to take the right decision whether to block the suspicious process, you can view a report on the actions of the process. In order to open the report window, click on the corresponding link in the displayed notification.
    • Check Select action:
      • Roll back
      • Do not roll back.
  • Click on the OK button in the Settings window.
  • Close the main application window.

How to limit stored data

In order to limit data to be stored by System Watcher for rollback, perform the following actions:

  • Open the main application window.

  • On the upper right hand part of the window, click on the Settings button.

  • On the upper part of the Settings window, select Protection Center.

  • On the left hand part of the window, select System Watcher.

  • On the right hand part of the window in the Rollback of malware actions section, check the box Limit data to be stored for rollback and specify the required parameter in the field.

  • On the Settings window, click on the OK button.

  • Close the main application window.


Here is tutorial on how to create a network rule for applications in Kaspersky Internet Security 2012 :

1.What is Firewall

All network connections on your computer are monitored by Firewall. Firewall assigns a specific status to each connection and applies various rules for filtering of network activity depending on that status, thus, it allows or blocks a network activity. Firewall works based on rules of two types: packet rules and rules for applications.

Packet rules have a higher priority compared to the application rules. If both packet rules and application rules are applied to the same type of network activity, this network activity will be processed using the packet rules. Packet rules are used in order to restrict packet transfers regardless of applications.

2. Network rule parameters

While creating a network rule you can specify an action performed by Firewall if it detects the network activity:

  • Allow
  • Block
The Allow or Block rules can be logged. In order to do this, check the Log events box.

If you want to create a packet rule you need to set a network service. A network service contains the types of network activities which are restricted according to a network rule. You can select the type of network activity or specify the name manually.

Network service includes the following parameters:

  • Name
  • Protocol. Firewall restricts connections via TCP and UDP protocols.
  • Direction. Firewall controls connections with the following directions:

    • Inbound (stream). The rule is for network connections created from another computer.
    • Inbound / Outbound. The rule is for inbound and outbound data packets and data streams regardless of the direction.
    • Outbound (stream). The rule is only for network connections created by your computer.
  • Remote and Local ports. You can specify ports which are used by your and remote computers for TCP and UDP protocols. These ports will be controlled by Firewall.

Address

You can also specify network addresses. You can use an IP address as the network address or specify the network status. In the latter case the addresses will be copied from all networks that are connected and have the specified status at the moment.

You can select one of the following addresses types:

  • Any address. The rule will be created for any IP address

  • Subnet addresses. The rule will be created for IP addresses of all connected networks which have one of the following statuses:
    • Trusted networks
    • Local networks
    • Public networks

  • Addresses from the list. The rule will be created for IP addresses from the specified range of IP addresses. Select one of the address groups. If there are no address groups you want to add, you can create a new group. In order to do this, click the Add link in the lower part of the section and in the Network addresses window that will open specify the addresses.

3.How to create a network rule for application

In order to create a packet rule, perform the following actions:

  • open the main application window
  • on the upper right hand corner of the window, click Settings
  • on the upper left hand part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select Firewall
  • make sure that the Firewall component is enabled (the Enable Firewall box is checked)
  • on the right hand part of the Settings window, click Settings
  • on the Firewall window, go to the Application rules tab
  • select the required application from the list and click on the Edit button
  • on the Application rules window, go to the Network rules tab
  • click on the Add button and specify the required parameters in the Network rule window
  • once the required parameters are specified, click on the OK button
  • click OK on the Application rules window
  • click OK on the Firewall window
  • click OK on the Settings window
  • close the main application window.


If you are using Kaspersky Internet Security 2012 you will notice a trial notification/watermark; to remove it, do the following:

Download KIS2012.7zip

Disable Kaspersky self defense.

Copy settings.ini from KIS2012.7zip to

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\skin\layout\

Enable self defense, extract skin0 from KIS2012.7zip, rename it if you want, go to KIS 2012, Settings, Advanced settings, Appearance, Use alternative skin and find the skin0 folder, then click OK. Exit KIS2012 from the tray and open it again!

That's it!


Thank you for this information, it is very helpful! I am new to KIS and was wondering how you set the firewall to always ask for inbound/outbound application permission like the image below. I have tried setting everything to "prompt for action" but I still do not get asked. All I see are Application prompts, but never any Firewall prompts.

Can you please provide instructions how to get the following prompt for EVERY application attempt at internet access whether it's inbound or outbound?


How to change a network rule for groups of applications

Firewall analyzes the activity of each application running on your computer. Depending on the threat rating, every application is included in one of the following groups:

  • Trusted. Trusted applications are applications with digital signatures of trusted vendors and applications whose signatures are included in the trusted applications database. Activities of such applications are monitored by Proactive Defense and File Anti-Virus.

Applications of that group are allowed to perform any network activity irrespective of the network status.

  • Low Restricted. Low restricted applications are applications which are without digital signatures of trusted vendors and which are not included in the trusted applications database. Nevertheless, the low risk rating is assigned to such applications.

Applications of that group are allowed to perform any network activity in automatic mode. If you are using the interactive mode, a notification will be displayed on the screen using which you can allow or block a connection, or create an application rule using the Wizard.

  • High Restricted. High restricted applications are applications without digital signatures and which are not included in the trusted applications database. The high risk rating is assigned to such applications.

Applications of that group are not allowed to perform network activity in non-interactive mode. If you are using the interactive mode, a notification will be displayed on the screen using which you can allow or block a connection, or create an application rule using the Wizard.

  • Untrusted. Untrusted applications are applications without digital signatures and which are not included in the trusted applications database. A very high risk rating is assigned to such applications.

Any network activity is prohibited for the applications of that group.

You can modify rules for a whole group.

Custom rules for individual applications have a higher priority than the rules inherited from a group. If you create an allowed rule for a whole group of applications and a prohibited rule for a certain application from this group, then any network activity of a certain application will be restricted accortding to a rule for this application, because it has a higher priority level.
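
To make that precedence concrete, here is an added example (not Kaspersky's code) that models how one connection attempt is resolved: an application's own rule beats a rule set on its group, which in turn beats the group's default for the current protection mode. The group defaults are my reading of the four group descriptions above, and the application name, group assignments and rules in the demo are constructed.

```python
"""Model of Firewall rule precedence: an application's own rule beats its group's.

Added illustration, not Kaspersky code. GROUP_DEFAULTS is a reading of the four
group descriptions on this page (a constructed table, not exported from the
product); the application names, group assignments and rules are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

NETWORKS = ("Trusted", "Local", "Public")          # network status of the connection
ACTIONS = ("Allow", "Block", "Prompt for action")  # the three actions a rule can carry
MODES = ("automatic", "interactive")               # protection modes from the page

GROUP_DEFAULTS: Dict[str, Dict[str, str]] = {
    "Trusted":         {"automatic": "Allow", "interactive": "Allow"},
    "Low Restricted":  {"automatic": "Allow", "interactive": "Prompt for action"},
    "High Restricted": {"automatic": "Block", "interactive": "Prompt for action"},
    "Untrusted":       {"automatic": "Block", "interactive": "Block"},
}


def _check_network(network: str) -> None:
    if network not in NETWORKS:
        raise ValueError(f"unknown network status {network!r}")


def _check_action(action: str) -> None:
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")


@dataclass
class FirewallPolicy:
    mode: str = "automatic"
    group_rules: Dict[str, Dict[str, str]] = field(default_factory=dict)  # group -> network -> action
    app_rules: Dict[str, Dict[str, str]] = field(default_factory=dict)    # app -> network -> action
    membership: Dict[str, str] = field(default_factory=dict)              # app -> group

    def __post_init__(self) -> None:
        if self.mode not in MODES:
            raise ValueError(f"unknown protection mode {self.mode!r}")

    def assign(self, app: str, group: str) -> None:
        """Place an application in a trust group (the product does this from the threat rating)."""
        if group not in GROUP_DEFAULTS:
            raise ValueError(f"unknown group {group!r}")
        self.membership[app] = group

    def set_group_rule(self, group: str, network: str, action: str) -> None:
        """Explicit rule for a whole group, overriding the group's default."""
        if group not in GROUP_DEFAULTS:
            raise ValueError(f"unknown group {group!r}")
        _check_network(network)
        _check_action(action)
        self.group_rules.setdefault(group, {})[network] = action

    def set_app_rule(self, app: str, network: str, action: str) -> None:
        """Explicit rule for one application; takes precedence over anything inherited."""
        _check_network(network)
        _check_action(action)
        self.app_rules.setdefault(app, {})[network] = action

    def resolve(self, app: str, network: str) -> Tuple[str, str]:
        """Return (action, source) for a connection attempt by `app` on `network`.

        Most specific rule wins: application rule, then explicit group rule,
        then the group's default for the current protection mode.
        """
        _check_network(network)
        if network in self.app_rules.get(app, {}):
            return self.app_rules[app][network], "application rule"
        if app not in self.membership:
            raise KeyError(f"{app!r} has not been assigned to a group")
        group = self.membership[app]
        if network in self.group_rules.get(group, {}):
            return self.group_rules[group][network], "group rule"
        return GROUP_DEFAULTS[group][self.mode], "group default"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: a Low Restricted application with its own Public block rule."""
    policy = FirewallPolicy(mode="automatic")
    policy.assign("example-updater.exe", "Low Restricted")
    policy.set_app_rule("example-updater.exe", "Public", "Block")
    policy.set_group_rule("Low Restricted", "Local", "Block")
    return {
        "Public": policy.resolve("example-updater.exe", "Public"),    # application rule wins
        "Local": policy.resolve("example-updater.exe", "Local"),      # explicit group rule
        "Trusted": policy.resolve("example-updater.exe", "Trusted"),  # group default for the mode
    }


if __name__ == "__main__":
    for network, (action, source) in demo().items():
        print(f"{network:8s} -> {action} ({source})")
```

The `source` returned alongside the action is the part worth keeping when you debug a policy: when a connection is unexpectedly blocked or allowed, it tells you which of the three layers decided, which is exactly the question the GUI steps below do not answer.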

In order to change rules for a group af applications, perform the following actions:

  • open the main application window
  • on the upper right hand corner of the main application window, click Settings
  • on the upper left hand part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select the Firewall component
  • on the right hand part of the Settings window, make sure that Firewall is enabled (the Enable Firewall box is checked)
  • on the right hand part of the Settings window, click on the Settings button
  • on the Firewall window, go to the Application rules tab
  • select the required application group (Trusted, Low Restricted, High Restricted, Untrusted)
  • move the mouse cursor on the action icon of the created rule of the required network (Trusted, Local, Public) and right-click the action icon Allow, Block or Prompt for action
  • in the context menu select the required action you want to change to (Allow, Block, Prompt for action)
  • click on the OK button in the Firewall window
  • click on the OK button in the Settings window
  • close the main application window.

How to block access to the Internet using Firewall

Kaspersky Internet Security contains a special component, Firewall, to ensure your security on local networks and the Internet. It filters all network activities using rules of two types: rules for applications and packet rules.

In order to block access of an application to the Internet, you can create a rule for the application in Firewall settings. To do this, perform the following actions:

  • open the main application window
  • in the left upper corner click Settings
  • in the left upper corner select Protection Center
  • in the left part of the Settings window, select the Firewall component
  • make sure that the Firewall component is enabled (the Enable Firewall box is checked)
  • in the right part of the window click on the Settings button
  • in the Firewall window on the Application rules tab, select the required application
  • click on the Edit button
  • in the Application rules window, go to the Network rules tab
  • click on the Add button
  • in the Network rule window in the Action section, select Block
  • in the Name section, select Web-Browsing
  • if you want the results for the network rule to be logged, check the Log events box
  • click the OK button
  • on the Network rules tab the selected rule with the icon Block appears
  • click the OK button in the Firewall window
  • click OK in the Settings window
  • close the main application window.

Interactive and automatic protection modes

During the application installation you can select the protection mode. Two modes are available:

  • Automatic. If any important events occur, Kaspersky Internet Security will automatically perform the action recommended by Kaspersky Lab specialists. Once a threat is detected, the application will attempt to disinfect the object; if it fails, the application will delete it. Suspicious objects will be skipped without processing. Pop-up messages inform the user about new events.
  • Interactive. Kaspersky Internet Security informs the user about all malicious and suspicious events. In this mode the user will manually select actions: allow or block activities.
By default, the automatic protection mode is enabled in Kaspersky Internet Security 2012.

How to change the protection mode

In order to change the protection mode after the installation, perform the following actions:

  • open the main application window
  • on the right upper corner of the main application window, click Settings
  • on the upper part of the Settings window, select Protection Center
  • on the left part of the Settings window, select General Settings
  • on the right part of the Settings window in the Interactive protection section:

    • check the Select action automatically box if you want to use the automatic protection mode.
    • if you want to use the interactive protection mode, then uncheck the Select action automatically option.
  • if you do not want Kaspersky Internet Security to delete suspicious objects when running in the automatic protection mode, then check the Do not delete suspicious objects option
  • click the OK button in the right lower corner of the Settings window
  • close the main application window.

Proactive Defense

The functionality of the Proactive Defense component is based on controlling and analyzing the behavior of all applications installed on the computer. The 2012 version of the Kaspersky Lab product decides whether an application is dangerous or not on the basis of the actions it performs. In this way, the computer remains protected not only from known viruses, but also from new, as yet uninvestigated viruses.

The following activity by software may refer to dangerous or malicious behavior:

  • Activity characteristic of Trojan applications.
  • Accessing system resources (such as the system registry).
  • The application copying itself to network resources, to the Auto Start directory, or to the system registry with a subsequent link to its copies.
  • Interception of data entered through the keyboard.
  • Hidden installation of drivers.
  • Changes to the operating system kernel.
  • Creation of hidden objects and processes with negative process ID values (PID).
  • Changes to the HOSTS file.
  • Injection into other processes.
  • Sending DNS requests.
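
"Changes to the HOSTS file" is worth checking for yourself, because a hostname that has been silenced or redirected there never reaches DNS at all. The following added example (not Kaspersky's code) parses a hosts file, flags entries that override a watchlist of hostnames, and computes a fingerprint of the effective mappings for comparison against a known-good baseline. The watchlist and the sample file content are constructed for the demonstration.

```python
"""Check a Windows HOSTS file for entries that silence or redirect watched hostnames.

Added example, not Kaspersky code. WATCHLIST and SAMPLE_HOSTS are constructed for
the demonstration; the sample addresses come from the RFC 5737 documentation ranges.
"""
import hashlib
import ipaddress
from typing import Iterable, List, Tuple

# Hostnames whose resolution we never expect to be overridden locally
# (constructed; extend with your own update and management servers).
WATCHLIST = ("kaspersky.com", "windowsupdate.com", "microsoft.com")

Entry = Tuple[int, str, List[str]]
Finding = Tuple[int, str, str, str]


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_number, address, [hostnames]) for each effective entry.

    Comments (# ...) and blank lines are skipped; a line with an address but no
    hostname is ignored, as the resolver ignores it.
    """
    entries: List[Entry] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((number, fields[0], fields[1:]))
    return entries


def _watched(host: str, watchlist: Iterable[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)


def find_suspicious(text: str, watchlist: Iterable[str] = WATCHLIST) -> List[Finding]:
    """Flag every watched hostname that has a local mapping, with a reason.

    A loopback or unspecified address (127.0.0.1, 0.0.0.0, ::1) silences the
    host; any other address redirects it. Unparseable addresses are reported too.
    """
    watchlist = tuple(watchlist)
    findings: List[Finding] = []
    for number, address, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((number, address, " ".join(hosts), "unparseable address"))
            continue
        for host in hosts:
            if not _watched(host, watchlist):
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "watched host silenced (resolves to the local machine)"
            else:
                reason = f"watched host redirected to {address}"
            findings.append((number, address, host, reason))
    return findings


def hosts_fingerprint(text: str) -> str:
    """SHA-256 over the normalised effective entries, for baseline comparison.

    Whitespace and comment edits do not change the value; a new or altered
    mapping does.
    """
    lines = sorted(
        f"{address} {' '.join(sorted(h.lower() for h in hosts))}"
        for _, address, hosts in parse_hosts(text)
    )
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


# Constructed sample: the stock Windows header plus two entries of the kind
# malware adds, and one legitimate local override that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   kaspersky.com   www.kaspersky.com
203.0.113.5 update.microsoft.com
192.0.2.10  intranet.example   # legitimate local override
"""

CLEAN_HOSTS = "# default hosts file, nothing but comments\n"


if __name__ == "__main__":
    for number, address, host, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {number}: {address} {host}: {reason}")
    print("fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

On a real machine read `%SystemRoot%\System32\drivers\etc\hosts`, record `hosts_fingerprint()` once the file is known good, and alert when either the fingerprint changes or `find_suspicious()` returns anything; the fingerprint catches additions outside the watchlist, the watchlist catches the entries you care about most.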

All of the above-mentioned types of activity are controlled and analyzed by the product through the use of a statistical set of heuristics (models of suspicious application activities). To improve the response time to new threats, support for updatable heuristics is included as a special functionality in Kaspersky Internet Security 2012, in addition to the statistical set of heuristics.

Updatable heuristics are a regularly updated set of patterns (signatures) of dangerous behavior by applications. Upon detection of a new virus or of a new modification to already known malware, this technology does not update the whole Proactive Defense module, but rather adds a new signature to the heuristics database, updating it together with the product's antivirus databases.

In addition to the ability to make regular updates, the heuristics database also supports trial behavior patterns. If Proactive Defense detects application behavior that is considered suspicious according to one of these patterns, a special report is sent to Kaspersky Lab via Kaspersky Security Network (KSN). This occurs if the user confirms agreement to participate in KSN. This feature means that the likelihood of false positives is minimized in the future.

In the 2012 version of Kaspersky Lab products, the reputation services include the Astraea expert system. The purpose of the Astraea expert system is to analyze statistical information about applications and URLs, on the basis of which a verdict is reached regarding any hypothetical danger.

Reputation services are online services containing information about:

  • trusted applications and websites (whitelisting).
  • suspicious applications and websites (UDS - Urgent Detection System).

Kaspersky Lab’s specialists add information to these services before it becomes available in the form of updates to signature databases. This makes for much faster response times when new threats appear.

If the reputation services have no information about an application, the approximate threat level is calculated. You can then modify the rating that is assigned, thereby affecting the level of rights granted to the application for its operations within the system. In addition, information about modified threat levels is sent via Kaspersky Security Network (KSN).

Proactive Defense analyzes activities executed by an application. If, as a result of activity analysis, the sequence of application actions arouses any suspicion, then that application is determined as a suspicious or a malicious application.

In order to optimize the Proactive Defense component's work, you can specify the range of trusted applications, activities of which will not be scanned by Proactive Defense. Trusted applications may include those with a digital signature or those listed in Kaspersky Security Network database.

For Proactive Defense to view such applications as trusted, perform the following actions:

  • open the main application window
  • on the upper right hand corner of the main application window, click Settings
  • on the upper left hand part of the Settings window, select Protection Center
  • on the left hand part of the Settings window, select Proactive Defense
  • on the right hand part of the Settings window in the Trusted applications section check the options:

    • Applications with digital signatures
    • Trusted in Kaspersky Security Network database
  • on the lower part of the Settings window, click OK
  • close the main application window.

If you want Proactive Defense not to scan an application, then you can add the application to the list of trusted applications.

If an application was blocked by Proactive Defense, you can exclude the application from being scanned by Proactive Defense.

What is Keylogger

If the interactive mode is enabled in the Kaspersky Internet Security 2012 settings and in the Proactive Defense component settings the Prompt for action option is selected, then in some cases the Kaspersky Internet Security 2012 dialog window that will inform you about suspicious activity may appear. The process will be detected as Driver file: kernel mode memory patch.

Keyloggers may send your personal information (logins, passwords, credit card numbers) you enter using your keyboard to a cyber criminal. However, similar actions can be performed not only by malicious programs, but also by some other not malicious applications installed on your computer. Very often these actions are performed by means of hotkeys to access some functions of an application installed on your computer.

In most cases, the process kernel mode memory patch is not malicious. You can add this process to the exclusions list by clicking Add to exclusions.

In the Exclusion rule window you can find the information that the object kernel mode memory patch which is defined as PDM.Keylogger kernel mode memory patch will not be scanned by Proactive Defense. To add the rule click the OK button.

When the object is added to the list of exclusions the notification window that will inform you that Behaviour similar to PDM.Keylogger. Allowed will appear.

How to manually add the kernel mode memory patch object to the list of exclusions

You can also manually add the object kernel mode memory patch to the list of exclusions. For this, perform the following actions:

  • Open the main application window.
  • In the top right corner of the window click the Settings link.
  • In the Settings window go to the Additional tab.
  • In the left part of the window select Threats and Exclusions.
  • In the right part of the window in the Exclusions section click the Settings button.
  • In the Trusted zone window on the Exclusion rules tab click the Add button.

  • In the Exclusion rule window in the Properties section check the Threats type box.
  • In the Rule description section perform the following actions:

    • In the Object string click the select object link.
    • In the Object name window in the empty field enter kernel mode memory patch and click the OK button.
    • In the Threats type string click the enter threat name link.
    • In the Threat type window in the empty field enter PDM.Keylogger and click the OK button.
    • In the Protection components string click the any link, then click the select component link.
    • In the Protection component window check the Proactive defense box and click the OK button.
  • In the Exclusion rule window click the OK button.
  • In the Trusted zone window click the OK button.
  • In the Settings window click the OK button.
  • Close the main application window.

What should I do if I suspect that the kernel mode memory patch process is malicious

If you suspect the process is malicious, perform the following actions:

  • Run the anti-virus databases update.
  • Run your computer full scan.
  • Once the scan is complete, export scan report to a file.
  • Create a request to Kaspersky Lab Technical Support via the My Kaspersky Account service. Describe your issue in all details and attach the created report file to the request.

A non-malicious program was blocked by Proactive Defense

Kaspersky Internet Security 2012 includes a special component, Proactive Defense. The component analyzes applications' activity in the system. If the component detects that such activity is suspicious, the application will be identified as a malicious or suspicious program.

If Proactive Defense has blocked a non-suspicious application, you can exclude the application from the protection scope of the Proactive Defense component. In order to do this, perform the following actions:

  • Open the main application window.
  • On the upper right hand part of the window, click on the Settings button.
  • On the upper left hand part of the Settings window, select Advanced Settings.
  • On the left hand part of the Settings window, select Threats and Exclusions.
  • On the right hand part of the Settings window, click on the Settings button in the Exclusions section.
  • On the Trusted zone window, go to the Exclusion rules tab.
  • Click on the Add button.
  • On the Exclusion rule window, check the Object box.
  • In the Rule description field, click on the link select object in the Object line.
  • On the Object name window, click on the Browse button.
  • On the Select folder window, select the application you wish to exclude from being scanned by Proactive Defense and click on the OK button.
  • On the Object name window, check the Include subfolders box if you wish to exclude subfolders of the selected applications.
  • Click on the OK button.

  • On the Exclusion rule window, check the Threats type box.
  • In the Rule Description section, click on the enter threat name... link in the Threats type line.
  • On the Threats type window, enter the threat type name or mask displayed in the Proactive Defense dialog window when the application was blocked.
  • Click on the OK button.
  • In the Rule description section, click on the any link in the Protection components line. The link is changed to specified: select components....
  • Click on the select components... link.
  • On the Protection components window, check the Proactive Defense box and click on the OK button.
  • On the Exclusion rule window, click on the OK button.
  • On the Trusted zone window, click on the OK button.
  • On the Settings window, click on the OK button.
  • Close the main application window.

Network Attack Blocker

The Network Attack Blocker component in Kaspersky Internet Security 2012 is started automatically when the system starts. The component protects against network attacks. If a network attack is detected by Kaspersky Internet Security 2012, then any network activity of the attacking computer will be blocked on the computer.

By default, the attacking computer is blocked for 60 minutes.

If a network attack is detected, Kaspersky Internet Security 2012 displays a notification with information about the attacking computer.

You can find descriptions of currently known network attacks in Kaspersky Internet Security 2012 databases. The list of network attacks is updated during anti-virus databases update.
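
The 60-minute block is a time-limited quarantine of the attacking address, the same pattern a host-based ban list uses. As an added illustration of that mechanism (not Kaspersky's code), the model below records a detection, answers whether a source is still blocked at a given time, lets the window lapse on its own, restarts it on a repeat detection, and supports manual release. The current time is passed in by the caller so the expiry logic can be exercised with fixed timestamps; the timestamps, source addresses and attack name in the demo functions are constructed.

```python
"""Time-limited blocking of an attacking host.

Added model of the behaviour described above, not Kaspersky code. The default
window is the 60 minutes the page states. Source addresses come from the
RFC 5737 documentation ranges and the attack name is a constructed placeholder.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BLOCK_DURATION = timedelta(minutes=60)


class AttackBlocker:
    """Keeps a per-source block that lapses on its own after `duration`."""

    def __init__(self, duration: timedelta = BLOCK_DURATION) -> None:
        self.duration = duration
        self._blocked_until: Dict[str, datetime] = {}
        self.events: List[str] = []  # plain-text log, one line per decision

    def register_attack(self, source: str, attack: str, now: datetime) -> datetime:
        """Record a detection and (re)start the block window for its source."""
        until = now + self.duration
        self._blocked_until[source] = until
        self.events.append(f"{now:%Y-%m-%d %H:%M} {attack} from {source}; blocked until {until:%H:%M}")
        return until

    def is_blocked(self, source: str, now: datetime) -> bool:
        """True while the window is open; an elapsed entry is dropped on first check."""
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[source]
            self.events.append(f"{now:%Y-%m-%d %H:%M} block on {source} expired")
            return False
        return True

    def unblock(self, source: str, now: datetime) -> bool:
        """Manual release before expiry, as an administrator would do from the product."""
        if self._blocked_until.pop(source, None) is None:
            return False
        self.events.append(f"{now:%Y-%m-%d %H:%M} block on {source} released manually")
        return True

    def active(self, now: datetime) -> Dict[str, datetime]:
        """Sources still blocked at `now`, with their expiry times."""
        return {s: u for s, u in self._blocked_until.items() if u > now}


def expiry_demo() -> Tuple[bool, bool, bool]:
    """Constructed timeline: detection at noon, checks at +59 min and +60 min, then a repeat."""
    blocker = AttackBlocker()
    t0 = datetime(2012, 1, 1, 12, 0)
    blocker.register_attack("192.0.2.77", "example-attack-signature", t0)  # constructed name
    before_expiry = blocker.is_blocked("192.0.2.77", t0 + timedelta(minutes=59))
    at_expiry = blocker.is_blocked("192.0.2.77", t0 + timedelta(minutes=60))
    # a repeat detection restarts the full window
    blocker.register_attack("192.0.2.77", "example-attack-signature", t0 + timedelta(minutes=61))
    after_repeat = blocker.is_blocked("192.0.2.77", t0 + timedelta(minutes=120))
    return before_expiry, at_expiry, after_repeat


def manual_release_demo() -> Tuple[bool, bool, bool]:
    """Constructed timeline: a 5-minute block released by hand after 4 minutes."""
    blocker = AttackBlocker(timedelta(minutes=5))
    t0 = datetime(2012, 1, 1, 9, 0)
    blocker.register_attack("198.51.100.1", "example-attack-signature", t0)
    was_active = "198.51.100.1" in blocker.active(t0 + timedelta(minutes=4))
    released = blocker.unblock("198.51.100.1", t0 + timedelta(minutes=4))
    still_blocked = blocker.is_blocked("198.51.100.1", t0 + timedelta(minutes=4))
    return was_active, released, still_blocked


if __name__ == "__main__":
    print("expiry:", expiry_demo())
    print("manual release:", manual_release_demo())
```

The `events` list is the part to keep in a real deployment: when a legitimate host (a vulnerability scanner, a misconfigured monitoring box) trips the blocker, the log shows when it was blocked, by which detection, and when the block lapsed, which is what you need before deciding whether to exclude it.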

The kltps.exe utility to test efficiency of the Network Attack Blocker

Kaspersky Lab has developed a new utility that sends a harmless UDP-packet to the defined host and port. The packet received on the tested PC will be detected by Network Attack Blocker of Kaspersky Internet Security 2012 as an attack "not-an-attack:KL-Test-Packet" (if Kaspersky Internet Security 2012 is installed on the PC and Network Attack Blocker is enabled).

If you want to view the detailed report, click the link View detailed report. If the pop-up window has closed automatically, then you can open the report from the main application window.

You can download the kltps.exe utility from the following link: kltps.exe

The utility is launched from a command line. To run the command prompt, perform the following:

for OS Windows XP users:

  • click Start > Run
  • in the Run window in the Open field enter cmd and click OK

for OS Windows Vista/7 users:

  • click the Start button
  • type cmd.exe in the search line
  • in the Start menu in the list of found programs, click the cmd button.

When launching the utility it is mandatory to enter the following parameters of the command line:

  • host – IP address or computer name of the computer on which Kaspersky Internet Security 2012 is installed and whose Network Attack Blocker you would like to test
  • port – port number to which the UDP packet will be sent.

For example: kltps.exe 172.16.1.58 8080, where <kltps> is the name of the utility to be launched, <172.16.1.58> is the IP address of the computer to be scanned, and <8080> is the port which will be used to send a UDP packet.

Before you type a command, make sure that the real path to the utility coincides with the path specified in the command line. For example, you saved the utility in the folder with the path C:\Downloads, but the path in the command line is C:\>. In this case, you are required to type the real path to the utility in the command line.

To test Network Attack Blocker of Kaspersky Internet Security 2012 the utility must be launched from another PC assigned to the same network. Network Attack Blocker cannot be tested if the utility is run on the same PC, on which any of the above mentioned applications is installed.
