File Anti-Virus





File Anti-Virus intercepts all file operations (such as reading, copying, starting) using the klif.sys driver and scans the files being accessed. If the file is infected, the operation is blocked, and the file is either disinfected or deleted by default.

Even if the Mail Anti-Virus and the Web Anti-Virus components are disabled, the user cannot run an infected file received via e-mail or downloaded from the Internet, because once the file is saved on the hard drive, it will be detected and blocked by the File Anti-Virus. You cannot run a file from an e-mail attachment or from a web site without saving it to the hard drive.

So, File Anti-Virus is of primary importance for the file system protection, which at the same time makes it the most important protection component in general.



Scanning technologies

File Anti-Virus uses the following scanning technologies:

  • Signature analysis. A virus detection method that uses signatures. A signature is a part of executable code, a checksum or some other binary string, which helps detect whether the file is infected by the corresponding virus. Checking the file against the signatures of all known viruses in turn yields the verdict of whether the file is infected at all. This scanning method is very reliable, but only allows detecting the viruses whose signatures have been added to the Anti-Virus databases
  • Heuristic analysis. This scanning method applies only to executable files. Kaspersky Endpoint Security starts the scanned file in a virtual environment, isolated from the operating system, and analyzes its behavior. This method requires more time when compared with the signature analysis, but allows the detection of some new viruses
  • Check against KSN lists. This method also applies to executable files only. A checksum is calculated for every scanned file and compared with the records in the local KSN database. Then one of two cases applies:
    • If neither signature nor heuristic analysis has detected an infection, the decision is made based on the information available in the local KSN cache on the client computer. If the local cache lacks information about this file, access to the file is allowed, and a background request is simultaneously sent to the KSN cloud. If the answer is received that the file is dangerous, File Anti-Virus scans it again. If KSN returns information that the file is harmless or if KSN servers cannot be reached, file scanning is finished
    • If either signature or heuristic analysis has detected that the file is infected, File Anti-Virus sends the request to KSN. If the local database lacks information about the file, File Anti-Virus will wait for the answer from the KSN cloud. If KSN considers the file to be clean, it is treated as non-infected despite the verdicts of signature and heuristic analysis. If the verdict is reaffirmed or information cannot be received from KSN (connection with KSN servers cannot be established), the file is processed as an infected one

As you can see from the scanning algorithm, the check against the KSN database complements the signature analysis and helps to decrease the probability of false positives.
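The two KSN branches above can be written out as a decision function. This is an added model of the algorithm as the page describes it, not Kaspersky code; the verdict strings, the checksum choice and the cache layout are assumptions, and the cloud lookup is modelled as a callable that returns None when KSN is unreachable.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

KsnAnswer = Optional[str]             # "clean", "dangerous", or None when KSN is unreachable
KsnLookup = Callable[[str], KsnAnswer]

@dataclass
class Decision:
    verdict: str                      # "clean" or "infected"
    waited_for_cloud: bool = False    # access held until the KSN answer arrived
    background_request: bool = False  # access granted, query sent in the background
    rescan_requested: bool = False    # background answer was "dangerous": scan again

def file_checksum(data: bytes) -> str:
    # Constructed: SHA-256 stands in for whatever checksum KSN actually uses.
    return hashlib.sha256(data).hexdigest()

def ksn_decide(data: bytes, signature_hit: bool, heuristic_hit: bool,
               local_cache: Dict[str, str], cloud: KsnLookup) -> Decision:
    key = file_checksum(data)
    cached = local_cache.get(key)
    if not (signature_hit or heuristic_hit):
        # No local detection: decide from the local cache and never block on the cloud.
        if cached is not None:
            return Decision("infected" if cached == "dangerous" else "clean")
        answer = cloud(key)           # background request, modelled as already answered
        return Decision("clean", background_request=True,
                        rescan_requested=(answer == "dangerous"))
    # A local engine flagged the file: KSN may overturn the verdict; unknown files wait.
    if cached is not None:
        answer, waited = cached, False
    else:
        answer, waited = cloud(key), True
    if answer == "clean":
        return Decision("clean", waited_for_cloud=waited)
    # Verdict reaffirmed or KSN unreachable: the file is processed as infected.
    return Decision("infected", waited_for_cloud=waited)
```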



Scanning parameters

File Anti-Virus settings that define the protection scope and other scanning parameters are gathered in the Security level group of parameters. In the policy, these parameters have a common lock, that is, they are locked or unlocked together. Considering the importance of the File Anti-Virus, the users should not be allowed to change the scanning parameters and the lock in the Security level area should be closed.

Protection scope

By default, Protection scope of the File Anti-Virus includes:

  • All removable drives
  • All hard drives
  • All network drives

In other words, all drives from which malware can be run. The protection scope also allows adding individual drives and folders instead of drive groups. However, removing any of the standard scan scopes considerably decreases the protection level. That is why this group of settings should be modified very cautiously. For example, if Cisco NAC or Microsoft NAP guarantees that all network nodes are protected with Anti-Viruses, All network drives can be removed from the protection scope. In this case, if a file from a network drive is accessed, it will be scanned by the Anti-Virus installed on the computer where the drive is located.

Types of files to be scanned

The File types setting can take one of three values:

  • All files
  • Files scanned by format—i.e. files that can contain executable malware code; in this case the file format is determined as the result of the file header analysis rather than by the file extension
  • Files scanned by extension—i.e. files with extensions characteristic of infected formats

The optimum value for the File Anti-Virus is the middle one. Scanning all files requires considerably more resources without a dramatic improvement of protection. Scanning based on file extensions risks skipping a renamed malware object: a file with a non-typical extension may be opened or even run without being scanned.

Heuristic analysis

Heuristic analysis parameters are configured in the Scan methods group. Heuristics levels—Light, Medium or Deep—define the period of observing the object in the virtual environment. In the context of the File Anti-Virus operation this means an increased delay when a program is run. Therefore, completely disabling heuristic analysis within the File Anti-Virus component is acceptable.

Scan optimization

The Scan only new and changed files option substantially decreases the number of scans performed by File Anti-Virus. If an object was scanned and has not been modified since, it will not be scanned again. Kaspersky Endpoint Security receives information about the changes using the iSwift and iChecker technologies, whose settings are located on the Additional tab.

It is not recommended to scan compound files using File Anti-Virus. Unpacking these files consumes a lot of resources, and they do not pose any direct threat. Even if an archive contains a virus, you cannot run the infected file without unpacking it, and during unpacking it will be detected and blocked as a regular file. It is sufficient to scan compound files with on-demand scan tasks.

iSwift and iChecker

iSwift and iChecker scanning technologies are responsible for collecting data about the changes made to files. The iSwift technology extracts the data about changes from the NTFS file system. Therefore, the iSwift technology is used for the files located on NTFS drives. The iChecker technology is efficient for executable files located on the drives with non-NTFS file systems, for example, FAT32. The iChecker technology calculates and saves the checksums of the scanned executable files. If the checksum remains the same at the next check, it means that the file has not been changed. Both technologies save information about the file scan date and the version of the databases used for the scanning.

If the Scan only new and changed files option is enabled, the iSwift Technology and iChecker Technology checkboxes are of no importance. Even if you clear them, these technologies will still be used because without them Kaspersky Endpoint Security will not be able to determine which files have already been scanned and which of them have not been changed since the last scanning.

If the Scan only new and changed files setting is disabled, the iSwift Technology and iChecker Technology settings are relevant. In this case, each file is associated with either a quarantine period or a trusted period. During the quarantine period the file will be scanned even if it has not been modified, while during the trusted period the file will not be scanned.

The quarantine period is assigned to all files which have not been scanned yet or which have changed since the last scanning. During the quarantine period, the file will not be scanned if it was already scanned with the same database version. For this purpose, the iSwift and the iChecker technologies register the version of the anti-virus databases used for the scanning. In all other cases, standard scanning is performed.

Once the quarantine period is over, the trusted period is assigned to the file. During the trusted period, the file is not scanned if it has not changed. Once the trusted period is over, the file is scanned once again when the necessity arises, and if it is not infected, a new trusted period is assigned, longer than the previous one. In case of any change, the file gets a quarantine period and everything begins from scratch.

When the Scan only new and changed files setting is enabled, the trusted period is not restricted in time. The trusted period expires only if the file is changed.

Disabling the iSwift and iChecker technologies makes no sense in File Anti-Virus. This will either have no effect (if the Scan only new and changed files feature is enabled) or will lead to more scans and a general decrease of the computer performance.
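The quarantine and trusted periods described in this section can be modelled as a small cache keyed by file path. This is an added illustration, not Kaspersky code: the period lengths, the doubling of each new trusted period and the use of a SHA-256 checksum (iChecker-style; iSwift would read NTFS change data instead) are constructed assumptions, since the page gives no concrete values.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict

QUARANTINE = 60      # constructed: seconds a new or changed file stays in quarantine
INITIAL_TRUST = 120  # constructed: first trusted period; each later one is twice as long

@dataclass
class Record:
    checksum: str     # iChecker-style checksum (iSwift would read NTFS change data instead)
    db_version: int   # anti-virus database version used for the last scan
    state: str        # "quarantine" or "trusted"
    period_end: float
    trust_len: int

class ScanCache:
    def __init__(self, only_new_and_changed: bool) -> None:
        self.only_new_and_changed = only_new_and_changed
        self.records: Dict[str, Record] = {}

    def needs_scan(self, path: str, data: bytes, now: float, db_version: int) -> bool:
        rec = self.records.get(path)
        if rec is None or rec.checksum != hashlib.sha256(data).hexdigest():
            return True                    # new or changed file: always scanned
        if self.only_new_and_changed:
            return False                   # trusted period ends only when the file changes
        if rec.state == "quarantine":
            # In quarantine the file is skipped only if the same databases already scanned it.
            return not (rec.db_version == db_version and now < rec.period_end)
        return now >= rec.period_end       # trusted: skip until the period expires

    def record_clean_scan(self, path: str, data: bytes, now: float, db_version: int) -> None:
        chk = hashlib.sha256(data).hexdigest()
        rec = self.records.get(path)
        if rec is None or rec.checksum != chk:
            self.records[path] = Record(chk, db_version, "quarantine",
                                        now + QUARANTINE, INITIAL_TRUST)
        elif now >= rec.period_end:
            # Quarantine over: first trusted period; trusted period over: a longer one.
            nxt = rec.trust_len if rec.state == "quarantine" else rec.trust_len * 2
            self.records[path] = Record(chk, db_version, "trusted", now + nxt, nxt)
        else:
            rec.db_version = db_version    # rescanned with newer databases inside a period
```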

Scan mode

The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse order of their appearance:

  • On execution—only executable files are scanned and only when they are started. Copying an infected executable file will remain unnoticed. Switching File Anti-Virus into this mode decreases the security level considerably
  • On access—files are scanned when they are opened for reading or execution. The user may download malicious code from a website but will not be able to do anything with this file
  • On access and modification—files are scanned when any operation is performed on them. This is the safest mode, yet the most resource-consuming
  • Smart mode—the order of operations performed with the file is analyzed. If a file is opened for writing, the scan will be performed after it is closed and all changes to it are made. Intermediate changes made to the file are not analyzed. If a file is opened for reading, it will be scanned once on opening, but will not be rescanned on intermediate read operations until the file is closed

Essentially, Smart mode ensures the same protection as On access and modification, but consumes less resources. Therefore it is recommended for most computers. On access or On execution modes can be used on the computers where efficiency is more important than security, understanding that the probability of infection or virus spreading increases.

Pausing File Anti-Virus

File Anti-Virus can be paused while a resource-consuming operation is performed using the settings in the Pause task area:

  • By schedule—the schedule (daily only) is set by specifying the time when the File Anti-Virus is to be paused and when it is to resume its normal operation. The time is specified in hours and minutes
  • At application startup—File Anti-Virus will pause when the specified program loads in the memory and will resume its operation when this program is unloaded from the memory

Standard security levels

The security levels can be managed using the three-position switch: Low, Recommended and High.

If any setting is modified, the security level is changed to Custom. In order to return to the standard level, click the By Default button.



Actions

When an infected object is detected, File Anti-Virus can try to disinfect or delete it. Most infected files cannot be disinfected, because they contain nothing but malicious code.

Before a file is disinfected or deleted, its copy is placed into the backup storage. That way, if it contains important information or is deleted because of a false positive, the file can be recovered.

In some cases, it is impossible to say whether the file is definitely infected. If the threat is detected using heuristic analysis, the KSN database, or is similar to a virus signature, it receives the "suspicious" verdict.

Instead of being disinfected, suspicious files are moved from their original location into a separate repository called Quarantine. The files in the quarantine can be rescanned so as to update their status.

If the Roll back malware actions during disinfection option is enabled in the properties of the System Watcher component, then after deleting an infected object, Kaspersky Endpoint Security also rolls back the actions that the malware performed on the system.

Malware detected by File Anti-Virus should not be left unprocessed. That is why the settings that regulate File Anti-Virus actions should be locked. The optimal choice is to disinfect and if disinfection is impossible, delete infected files.



Exclusions for objects

Sometimes File Anti-Virus erroneously returns the “infected” verdict. Such cases are rare, and usually concern tailor-made software. This problem is reduced by creating exclusion rules for objects.

Exclusions are configured in a separate group of settings, which are used by all protection components. An exclusion rule for objects consists of three attributes:

  • Object—the name of the file or folder to which the exclusion applies. The name of the object may include environment variables (systemroot, userprofile and others) and also “*” and “?” wildcard characters
  • Threat type—the name of the threat to be ignored (usually corresponds to a malware name), which can also be specified using wildcard characters
  • Component—the list of protection components to which the rule applies

Of the three attributes, Component is mandatory, together with at least one of Object and Threat type. You can create a full-fledged exclusion rule for a separate file or folder without specifying the threat type—the selected components will ignore any threats in the objects specified. And, conversely, you can create an exclusion rule for some threat types, for example, for the UltraVNC remote administration tool, so that the selected components would not respond to this threat regardless of where it was detected.

All three attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object (typical location of the executable file) are specified. In this case, Kaspersky Endpoint Security would not respond to the administration tools run from Program Files, but if the user runs UltraVNC from another folder, Kaspersky Endpoint Security would consider it a threat.
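The three-attribute rule and the UltraVNC example above can be expressed as a matcher. This is an added illustration, not Kaspersky code: the environment variable table, the path layout, the threat-type names and the component label are constructed, and the rule that an object naming a folder covers everything beneath it is an assumption.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed stand-in for the Windows environment; rules may reference these as %name%.
ENV_VARS: Dict[str, str] = {
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "userprofile": r"C:\Users\alice",
}

def expand_env(pattern: str) -> str:
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV_VARS.get(m.group(1).lower(), m.group(0)), pattern)

def glob_eq(pattern: str, value: str) -> bool:
    # Windows names are case-insensitive; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def object_matches(obj: str, path: str) -> bool:
    pat = expand_env(obj).rstrip("\\")
    # Assumption: a folder object covers the folder itself and everything beneath it.
    return glob_eq(pat, path) or glob_eq(pat + "\\*", path)

@dataclass(frozen=True)
class ExclusionRule:
    components: FrozenSet[str]        # mandatory
    obj: Optional[str] = None         # file or folder, may use * and ?
    threat: Optional[str] = None      # threat-type name, may use * and ?

    def __post_init__(self) -> None:
        if not self.components:
            raise ValueError("Component is mandatory")
        if self.obj is None and self.threat is None:
            raise ValueError("Object or Threat type (or both) must be specified")

    def matches(self, component: str, path: str, threat_name: str) -> bool:
        if component not in self.components:
            return False
        if self.obj is not None and not object_matches(self.obj, path):
            return False
        if self.threat is not None and not glob_eq(self.threat, threat_name):
            return False
        return True

def is_excluded(rules: Iterable[ExclusionRule], component: str,
                path: str, threat_name: str) -> bool:
    return any(r.matches(component, path, threat_name) for r in rules)
```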

Exclusions for applications

Security level settings can be adjusted so as to achieve the optimal performance-reliability balance for an average computer. But if the computer runs resource-consuming programs, their operation can be slowed down by the File Anti-Virus. This is especially true for the programs that perform numerous file operations, for example, backup copying or defragmentation. To avoid slowdowns, special measures can be taken.

The first thing to do is to configure an exclusion so that File Anti-Virus ignores file operations performed by the program. When adding exclusions under Trusted applications, within the Exclusions for Application window, specify the full or partial path to the executable file of the program and select the action—Do not scan opened files.

If the program has many processes, and the data files are located in one directory, it might be worthwhile to exclude this directory from the File Anti-Virus scan scope: Under Exclusion rules, add the rule, specify the necessary directory as its object, do not specify any threat type, and select File Anti-Virus in the list of components to apply the rule.

If the desired effect cannot be achieved by setting up exclusions, as a last resort, configure pausing File Anti-Virus while the program runs (in the Security Level settings, on the Additional tab).

Exclusion settings should be locked. Users are often unable to properly configure their exclusions and may abuse such an ability and considerably weaken the protection of the computer.

When a policy is applied, all local exclusions are disabled and replaced with centralized ones. The default exclusions configured in the standard policy apply only to the remote administration tools; moreover, they are disabled. Therefore, in order to create a useful set of exclusions, the administrator should find out which exclusions are required to minimize the impact on the users, and set them up in the policy. The best way to do this is to create exclusions in the local Kaspersky Endpoint Security interface and then import them into the policy.



Kaspersky Lab

Copyright © 1997-2014 Kaspersky Lab