
Chapter - 3.1
Protection from Network Attacks
Viruses often exploit vulnerabilities in operating system network services or network applications to penetrate a user's computer. Preventing this type of infection is complicated, since malicious code may be injected into the body of a running process without being written to a file, so the Files and Memory protection will be unable to detect it.

A network attack can also be aimed at blocking the operation of network applications instead of infecting a computer. This subtype of attack is called a denial of service attack (DoS attack). Denial of service is achieved by generating a vast number of fabricated requests to the network service or application being attacked. If the number of requests is large enough, the service or application will be unable to handle them; as a result the processing of normal requests will be significantly slowed or even stopped altogether.

Intrusion Prevention System detects different types of attacks by scanning network traffic using signatures of network attacks. Attack signatures are included in the list of threat signatures, which are regularly updated. By default, when an attack is detected the component blocks any network packet exchange between the attacking computer and the user's computer for 1 hour. These measures prevent intruders or viruses from searching for new vulnerabilities and also provide protection against DoS attacks. Use the demonstration to watch examples of the Intrusion Prevention System operation. You can also use the interactive tutorial to study the component on your own.

Chapter - 3.2
Protection from Hidden Phone Calls
If a modem is used to connect to the Internet, careful control of the numbers it dials is necessary, as some malicious programs initiate calls to high-rate phone numbers and as a result force users to pay large telephone bills. Anti-Dialer prompts the user to confirm any number being dialed if the dialing has not been initiated by the user (i.e. it is started automatically) or if the number is not displayed explicitly and so could be secretly substituted. In this way the component eliminates the risk of unauthorized dialing of a phone number. A modem connection to an Internet Service Provider (ISP) server is often established automatically. To avoid having to confirm each connection manually, the ISP number should be added to the trusted list of phone numbers, as automatic calls to trusted numbers are not blocked.

Chapter - 3.3
Protection from Phishing Attacks
A typical phishing attack uses the following mechanism: a user receives a link to a criminal web site intentionally designed to resemble one of the web sites that the user visits regularly. A user deceived into thinking the web site is genuine can send passwords or other confidential information to criminals, who can then use it to cause material damage. Phishing is most often used to trick people into disclosing the codes for accessing their credit cards and bank accounts, and the passwords for their Internet banking accounts. Anti-Phishing prevents phishing attacks by alerting the user when phishing sites are visited. The list of these sites is included in the threat signatures and regularly updated. Use the demonstration to watch Anti-Phishing in operation. You can also use the interactive tutorial to study the component on your own.

Chapter - 4.1
Purpose and Operating Principles of Anti-Spam
Anti-Spam is responsible for the automatic detection and filtering of spam. There is no universally accepted definition of spam; however, it is usually defined as anonymous mass mailing unsolicited by its recipients. If the amount of spam is comparable with the usual amount of e-mail, sorting messages into genuine e-mail and junk can take quite a lot of time.

Anti-Spam can process incoming mail in two ways:
- Intercepting POP3 traffic. In this case appropriate mail sorting rules should be configured in the mail client, based on the labels that the Anti-Spam component adds to the subject line of each message.
- Using plug-ins for Microsoft Office Outlook, Outlook Express and Thunderbird. In this case the sorting rules are configured directly in the corresponding plug-in.

A spam, potential spam or not spam status is assigned to each scanned message. The component adds a corresponding label to the subject of each message that receives spam or potential spam status:
- [!! SPAM] if a message receives spam status
- [?? Probable spam] if a message receives potential spam status

The Criteria of Spam Filtering

There is no algorithm that can distinguish spam from normal messages 100% of the time, because the same message can be spam or not spam depending on its sender and recipients. For example, unsolicited mass mailing proposing that users buy a particular medicine is definitely considered spam. On the other hand, the same text sent by a doctor to a patient is not spam. Furthermore, automatic e-mail sorting is complicated because spam senders use various techniques to bypass spam recognition algorithms; e.g., advertising text can be sent as an image, making it impossible to process using filtration criteria based on text analysis.

The following criteria are used by the Anti-Spam component to identify a message's status, in the order in which they are listed:
- List of allowed senders and phrases: a message is recognized as normal mail if it contains an allowed phrase or its sender is included in the list of allowed senders
- List of blocked senders and phrases: a message is recognized as spam if the total rating of prohibited phrases in it reaches 100% or if its sender is included in the list of blocked senders
- Presence of links to phishing sites: messages containing such links are recognized as spam
- Header analysis (PDB technology): analysis of message headers, checking them for irregularities that are typical of spam
- Analysis of attached images (GSG technology): a spam recognition method that compares the checksums of the attached images with the checksums of images found in known spam e-mails. The algorithm uses a regularly updated database of spam images
- Analysis of phrases using a regularly updated database (Recent Terms technology): spam detection using a database of phrases typical of spam
- Self-training iBayes algorithm (text analysis): message text analysis based on the frequency of certain words in spam and in normal mail

Users can manually adjust the settings of these criteria to make spam detection more accurate.
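As an added illustration (not the product's own code), the following Python sketch applies the allowed list, the blocked list with its phrase rating, the phishing-link check and the image-checksum comparison in the order listed above, and then adds the subject labels that the mail-client sorting rules key on. The list contents, the phrase ratings and the rule that a prohibited-phrase rating below 100% yields only the potential spam status are constructed assumptions; the header, Recent Terms and iBayes analyses are not modelled.

```python
import re
from hashlib import sha256

# Constructed sample lists; the product keeps these in its settings and in
# the regularly updated threat-signature databases.
ALLOWED_SENDERS = {"doctor@clinic.example"}
ALLOWED_PHRASES = ["project meeting"]
BLOCKED_SENDERS = {"promo@bulk.example"}
# Each prohibited phrase carries a rating (in %); a message is spam once the
# ratings of the phrases found in it add up to 100% or more.
BLOCKED_PHRASES = {"buy now": 60, "cheap pills": 50, "click here": 40}
PHISHING_HOSTS = {"bank-login.example"}
SPAM_IMAGE_CHECKSUMS = {sha256(b"known spam banner bytes").hexdigest()}

SPAM, PROBABLE, CLEAN = "spam", "potential spam", "not spam"


def classify(sender, subject, body, images=()):
    """Apply the criteria in the documented order; the first decisive one wins."""
    text = f"{subject} {body}".lower()
    # 1. Allowed senders and phrases: such mail is always normal mail.
    if sender in ALLOWED_SENDERS or any(p in text for p in ALLOWED_PHRASES):
        return CLEAN
    # 2. Blocked senders, or a prohibited-phrase rating that reaches 100%.
    rating = sum(r for p, r in BLOCKED_PHRASES.items() if p in text)
    if sender in BLOCKED_SENDERS or rating >= 100:
        return SPAM
    # 3. A link to a known phishing site makes the message spam.
    if any(h in PHISHING_HOSTS for h in re.findall(r"https?://([^/\s]+)", text)):
        return SPAM
    # 5. Checksums of attached images compared with the spam-image database.
    if any(sha256(img).hexdigest() in SPAM_IMAGE_CHECKSUMS for img in images):
        return SPAM
    # Header (PDB), Recent Terms and iBayes analysis are not modelled here;
    # as a stand-in (assumption), a rating below 100% only earns the
    # potential spam status.
    return PROBABLE if rating > 0 else CLEAN


def label_subject(subject, status):
    """Prefix the subject so that mail-client sorting rules can act on it."""
    if status == SPAM:
        return "[!! SPAM] " + subject
    if status == PROBABLE:
        return "[?? Probable spam] " + subject
    return subject
```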

Using Anti-Spam
To ensure the efficient operation of Anti-Spam, it should be trained after the product is installed. It is also recommended that you modify the parameters of the filtration criteria if the status of certain mail is identified incorrectly. Use the demonstration to examine the settings of Anti-Spam and examples of its operation. You can also use the interactive tutorial to study the component on your own.

Chapter - 4.2
Purpose and operating principles of Banner Ad Blocker
As the name implies, Banner Ad Blocker blocks the downloading of advertisement banners. Banners not only distract users while they browse the Internet and produce additional network traffic; they also slow down the system, because displaying animated images and Flash banners can consume considerable processing resources. Thus the main task of Banner Ad Blocker is to free users from viewing unnecessary advertisements and to decrease network traffic and the overall load on the system.

The operating principle of Banner Ad Blocker is very simple: it compares the addresses of all objects downloaded from the Internet with the masks of prohibited and allowed banners. If an address matches a prohibited mask and is not included in the list of allowed addresses, the download of that object is blocked. Banner Ad Blocker works with all browsers. However, when Internet Explorer is used the component offers additional functionality:
- Adding banners to the black list using the shortcut menu
- Using heuristic analysis to determine which banners should be blocked. As a rule, banners are not stored on the site on which they are displayed; instead they are downloaded from auxiliary sites designed specifically for advertising. Thus, when heuristic analysis is used, all images that are not stored on the site being opened are considered unwanted advertisements.

Please note that the component can block banners both while surfing the web and in applications with built-in adware, provided the advertisements are loaded via the HTTP protocol. Use the demonstration to examine the Banner Ad Blocker settings and examples of its operation. Otherwise you can use the interactive tutorial to study the component on your own.
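An added Python sketch (not the component's code) of the address check described above: masks use shell-style wildcards, a match on the allowed list overrides a prohibited mask, and the heuristic treats an image hosted outside the site being opened as an advertisement. The mask lists, the image extensions and the precedence of the allowed list over the heuristic are assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed masks (the product ships its own lists); "*" matches any run
# of characters, so a single mask can cover a whole advertising network.
BLOCKED_MASKS = ["*/ads/*", "https://*.adserver.example/*", "*banner*"]
ALLOWED_MASKS = ["https://news.example/images/banner-logo.png"]
# Assumption: the heuristic only looks at objects with these extensions.
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png", ".swf")


def is_blocked(url, page_url=None, heuristic=False):
    """True if downloading `url` should be blocked.

    page_url  - address of the page being opened (needed for the heuristic)
    heuristic - apply the Internet Explorer-only rule that an image not
                stored on the site being opened is an advertisement
    """
    # Assumption: an address on the allowed list is never blocked, even by
    # the heuristic.
    if any(fnmatchcase(url, m) for m in ALLOWED_MASKS):
        return False
    if any(fnmatchcase(url, m) for m in BLOCKED_MASKS):
        return True
    if heuristic and page_url is not None:
        if (urlparse(url).hostname != urlparse(page_url).hostname
                and url.lower().endswith(IMAGE_EXTENSIONS)):
            return True
    return False
```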

Chapter - 4.3
Purpose and Operating Principles of Parental Control
Parental Control restricts the access of children and teenagers to certain categories of web sites. The restriction applies first of all to sites that offer adult content or encourage violence or drug abuse. Since this component is not required by all users, it is disabled by default. Parental Control allows different access restrictions for different users. You can easily switch between restriction levels by choosing one of the Parental Control profiles: Child, Teenager or Parent. Restrictions are configured individually for each profile. You can prohibit the viewing of categories of web sites (obscene phrases, adult content, gambling, etc.) and also block or allow individual sites using black and white lists. Please note that the Parent profile has no restrictions; it always has complete access to the Internet. In addition to web site access control, Parental Control allows you to specify some general restrictions:
- The total duration of Internet browsing during a single day
- The periods during which Internet access is not allowed

Using Parental Control

To start using Parental Control, you should decide which profiles will be used. Then the access restrictions and the passwords for switching between profiles should be specified. Furthermore, you will have to set a password for stopping the Kaspersky Internet Security 2009 components and modifying their settings, so that children cannot disable the restrictions on their own. You can watch the demonstration of Parental Control configuration or examine the component on your own using the interactive tutorial.

Chapter - 5.1
Purpose and Operating Principles of Proactive Defense
Proactive Defense is a behavior analyzer which guards the host system against new viruses that have not yet been added to the antivirus databases. The component analyzes application behavior and prompts the user when potentially unsafe actions are detected. Proactive Defense reacts to such actions as the self-replication of an application, hiding drivers, files or processes, modification of the operating system core and others. If necessary, certain categories of actions can be allowed and specified applications can be excluded from control by Proactive Defense. The list of unsafe actions to which the component reacts can be updated together with the threat signatures, but in practice such modifications are extremely rare. Thus the list of actions is considered fixed and Proactive Defense does not depend upon the frequency of updates. Use the demonstration to watch examples of Proactive Defense operation. You can also use the interactive tutorial to examine the component on your own.

Chapter - 5.2
Operating Principles of Application Filtering
Application Filtering regulates application access to system resources and other applications in accordance with the specified rules. The default access rules do not affect the activity of the operating system or of most of the applications running on it, but they are designed to prevent malware from gaining higher privileges if the host computer gets infected with an unknown virus. In this way Application Filtering, just like Proactive Defense, combats viruses that do not yet have a virus signature.

The component controls access to files, directories and registry keys. They are compiled in two groups:
- Operating system: files and keys that are essential to the functioning of the operating system
- Confidential data: temporary user files and registry keys of the applications that contain personal data

Applications are divided into groups according to their trust level:
- Trusted: their activity is not restricted
- Low Restricted: user confirmation is necessary for low-level access to operating system resources and other applications
- High Restricted: low-level access to operating system resources and other applications is forbidden
- Untrusted: access to all monitored resources is forbidden

The initial list of monitored applications is generated automatically during product setup. After the installation Kaspersky Internet Security uses a special algorithm to determine the trust level each time a new application is launched. The application access rights to system resources are defined in a table. For each group of applications the appropriate type of access to the corresponding group of resources is specified:
- Access allowed
- Access requires user confirmation
- Access is blocked

Users can customize the access mode for individual applications or subgroups of resources. If an application launches a new process, the process inherits all the restrictions of the parent process; this ensures that there is no way for an application to evade the restrictions imposed by the Application Filtering module.

Using Application Filtering
Usually filtration of application activity requires no user participation. However, in some circumstances the trust level of an application can be incorrectly determined, which can result in an application error. When this happens you will have to manually change the access rights for the application or modify its trust level. Use the demonstration to examine Application Filtering operation. You can also use the interactive tutorial to study the component on your own.
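An added Python model (not Kaspersky's code) of the access table and the inheritance rule described above: the mode for a process is looked up by trust group and resource group, a per-application customization can override it, and a child process can never obtain a more permissive mode than its parent would. The table contents, the override and the process names are constructed.

```python
from enum import IntEnum

# Access modes ordered from most to least permissive, so max() of two
# decisions yields the more restrictive one.
class Access(IntEnum):
    ALLOW = 0  # Access allowed
    ASK = 1    # Access requires user confirmation
    BLOCK = 2  # Access is blocked

OS, CONFIDENTIAL = "Operating system", "Confidential data"

# Constructed default table (the product's real defaults may differ):
# trust group -> resource group -> access mode.
DEFAULT_RULES = {
    "Trusted":         {OS: Access.ALLOW, CONFIDENTIAL: Access.ALLOW},
    "Low Restricted":  {OS: Access.ASK,   CONFIDENTIAL: Access.ASK},
    "High Restricted": {OS: Access.BLOCK, CONFIDENTIAL: Access.ASK},
    "Untrusted":       {OS: Access.BLOCK, CONFIDENTIAL: Access.BLOCK},
}
# Constructed per-application customization made by the user.
APP_OVERRIDES = {("backup.exe", CONFIDENTIAL): Access.ALLOW}


class Process:
    def __init__(self, name, group, parent=None):
        self.name, self.group, self.parent = name, group, parent


def decide(proc, resource):
    """Access mode for `proc` touching a resource group, with inheritance."""
    mode = APP_OVERRIDES.get((proc.name, resource),
                             DEFAULT_RULES[proc.group][resource])
    # A process launched by another inherits the parent's restrictions, so a
    # child can never obtain a more permissive mode than its parent would.
    if proc.parent is not None:
        mode = max(mode, decide(proc.parent, resource))
    return mode
```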

Chapter - 5.3
Firewall Purpose
The Firewall is a part of the Application Filtering component; it filters all network activity on the host computer. The Firewall intercepts all network packets and allows or blocks them according to the specified filtration rules. The network connections component allows you to monitor the network activity of installed applications and the operating system. Many applications connect to the Internet automatically (without explicit notification) to update their modules, verify licenses, register themselves on the manufacturer's server and for many other reasons. The Firewall allows you to block this type of activity should you consider it unnecessary. The Firewall not only controls network connections, it also improves protection against new viruses, since the filtration rules can sometimes prevent a virus or Trojan program from transferring passwords or other confidential data to the Internet or to an intruder on the local network.

Firewall Settings
Network packet filtering is determined by three groups of settings in the Firewall properties:
- The list of connected networks: a level of trust is defined for each network that the computer is connected to, and separately for the Internet. The level determines the mode of data packet exchange with other computers in the network it refers to. There are three levels of trust:
  o Trusted network
  o Local network
  o Public network
- Rules for packets: general filtration rules for all network packets. Each rule allows or blocks the packets matching the parameters specified in that rule.
- Application rules: rules regulating the network activity of individual applications. They differ from the rules for packets in that they are applied only to packets sent or received by a specific application.

While processing packets, rules are applied in the order in which they appear in the list. First the common rules for all networks are applied, and then the rules for applications. If a rule which allows packet transmission is higher in the list than a blocking one, the packet transfer will be permitted, and vice versa.

Filtration Rules Parameters
Each filtration rule is defined by three groups of parameters:
- Action of the rule, which can be any of the following values:
  o Allow packet
  o Block packet
  o Process in accordance with the application rule
- Network service that the rule applies to. It is determined by the following parameters:
  o Protocol: data transfer protocol
  o Direction (inbound or outbound) and connection type (stream or packet)
  o Local ports
  o Remote ports
- Addresses to which the rule applies:
  o Any address
  o Addresses from the networks with a particular status (Trusted, Local or Public)
  o Addresses from a specified subnet
  o A list of IP addresses

A rule is applied to a network packet if the packet's parameters match the ones specified in the rule. If a rule parameter is not specified, that parameter is considered to match all packets.
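An added Python model (not the product's code) of the rule evaluation described above: packet rules are tried in list order, a parameter left unspecified matches every packet, the "process in accordance with the application rule" action hands the packet to that application's own rules, and the first match decides. The connected networks and the sample rules are constructed, and blocking a packet that matches no rule at all is an assumption.

```python
import ipaddress
from dataclasses import dataclass
# Constructed connected networks and their trust level; any other address is the Internet (Public).
NETWORKS = {"192.168.1.0/24": "Trusted", "10.0.0.0/8": "Local"}

def network_status(ip):
    addr = ipaddress.ip_address(ip)
    for net, status in NETWORKS.items():
        if addr in ipaddress.ip_network(net):
            return status
    return "Public"

@dataclass
class Rule:
    action: str            # "allow", "block" or "app" (process by application rule)
    protocol: str = None   # any parameter left as None matches all packets
    direction: str = None  # "inbound" / "outbound"
    conn_type: str = None  # "stream" / "packet"
    local_ports: set = None
    remote_ports: set = None
    status: str = None     # address from a network with this trust level
    subnet: str = None     # address from this subnet
    ips: set = None        # address from this list of IP addresses

    def matches(self, pkt):
        return all([
            self.protocol in (None, pkt["protocol"]),
            self.direction in (None, pkt["direction"]),
            self.conn_type in (None, pkt["conn_type"]),
            self.local_ports is None or pkt["local_port"] in self.local_ports,
            self.remote_ports is None or pkt["remote_port"] in self.remote_ports,
            self.status in (None, network_status(pkt["remote_ip"])),
            self.subnet is None or ipaddress.ip_address(pkt["remote_ip"]) in ipaddress.ip_network(self.subnet),
            self.ips is None or pkt["remote_ip"] in self.ips,
        ])

# Constructed sample: SMB is allowed from the trusted LAN only; everything else is decided by
# the application's own rules (a browser may use web ports, an updater may not go out at all).
PACKET_RULES = [Rule("allow", protocol="tcp", direction="inbound", local_ports={445}, status="Trusted"),
                Rule("block", protocol="tcp", direction="inbound", local_ports={445}),
                Rule("app")]
APP_RULES = {"browser.exe": [Rule("allow", protocol="tcp", direction="outbound", remote_ports={80, 443})],
             "updater.exe": [Rule("block", direction="outbound")]}

def filter_packet(pkt, packet_rules=PACKET_RULES, app_rules=APP_RULES):
    for rule in packet_rules:          # first matching rule decides
        if rule.matches(pkt):
            if rule.action != "app":
                return rule.action
            break                      # hand the packet to the application rules
    for rule in app_rules.get(pkt["app"], []):
        if rule.matches(pkt):
            return rule.action
    return "block"  # assumption: a packet matching no rule at all is blocked
```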

Using Firewall
The default filtration rules are suitable for most applications. However, to ensure the correct functioning of some network applications, or to restrict the exchange of network packets with certain computers on the local network, you may have to configure additional filtration rules. Use the demonstration to watch how Firewall rules are configured. Otherwise you can use the interactive tutorial to examine the component on your own.
