Kaspersky Endpoint Security 12.1 for Windows
Selecting types of detectable objects
To select types of detectable objects:
- In the main application window, click the settings button.
- In the application settings window, select General settings → Exclusions and types of detected objects.
- In the Types of detected objects block, select the check boxes next to the types of objects that you want Kaspersky Endpoint Security to detect:
- Viruses and worms;
Subcategory: viruses and worms (Viruses_and_Worms)
Threat level: high
Classic viruses and worms perform actions that are not authorized by the user. They can create copies of themselves which are able to self-replicate.
Classic virus
When a classic virus infiltrates a computer, it infects a file, activates, performs malicious actions, and adds copies of itself to other files.
A classic virus multiplies only on local resources of the computer; it cannot penetrate other computers on its own. It can be passed to another computer only if it adds a copy of itself to a file that is stored in a shared folder or on an inserted CD, or if the user forwards an email message with an attached infected file.
Classic virus code can penetrate various areas of computers, operating systems, and applications. Depending on the environment, viruses are divided into file viruses, boot viruses, script viruses, and macro viruses.
Viruses can infect files by using a variety of techniques. Overwriting viruses write their code over the code of the file that is infected, thus erasing the file's content. The infected file stops functioning and cannot be restored. Parasitic viruses modify files, leaving them fully or partially functional. Companion viruses do not modify files, but instead create duplicates. When an infected file is opened, a duplicate of it (which is actually the virus) is started. The following types of viruses are also encountered: link viruses, OBJ viruses, LIB viruses, source code viruses, and many others.
Worm
As with a classic virus, the code of a worm is activated and performs malicious actions after it infiltrates a computer. Worms are so named because of their ability to "crawl" from one computer to another and to spread copies via numerous data channels without the user's permission.
The main feature that allows differentiating between various types of worms is the way they spread. The following table provides an overview of various types of worms, which are classified by the way in which they spread.
Ways in which worms spread (each entry gives the type, its name in parentheses, and a description):

Email-Worm (Email-Worm): They spread via email.
An infected email message contains an attached file with a copy of a worm, or a link to a file that is uploaded to a website which may have been hacked or created exclusively for that purpose. When you open the attached file, the worm is activated. When you click the link, download, and then open the file, the worm also starts performing its malicious actions. After that, it goes on spreading copies of itself, searching for other email addresses and sending infected messages to them.

IM-Worm (IM client worms): They spread through IM clients.
Usually, such worms send messages that contain a link to a file with a copy of the worm on a website, making use of the user's contact lists. When the user downloads and opens the file, the worm activates.

IRC-Worm (Internet chat worms): They spread via Internet Relay Chats, service systems which allow communicating with other people over the Internet in real time.
These worms publish a file with a copy of themselves or a link to the file in an Internet chat. When the user downloads and opens the file, the worm activates.

Net-Worm (Network worms): These worms spread over computer networks.
Unlike other types of worms, a typical network worm spreads without the user's participation. It scans the local network for computers that contain programs with vulnerabilities. To do this, it sends a specially formed network packet (exploit) which contains the worm code or a part of it. If a "vulnerable" computer is on the network, it receives such a network packet. When the worm completely penetrates the computer, it activates.

P2P-Worm (File sharing network worms): They spread over peer-to-peer file sharing networks.
To infiltrate a P2P network, the worm copies itself into a file sharing folder which is usually located on the user's computer. The P2P network displays information about this file so that the user may "find" the infected file on the network like any other file, and then download and open it.
More sophisticated worms emulate the network protocol of a specific P2P network: they return positive responses to search queries and offer copies of themselves for download.

Worm (Other types of worms): Other types of worms include:
- Worms that spread copies of themselves over network resources. By using the functions of the operating system, they scan available network folders, connect to computers on the Internet, and attempt to obtain full access to their disk drives. Unlike the previously described types of worms, other types of worms activate not on their own, but when the user opens a file that contains a copy of the worm.
- Worms that do not use any of the methods described in the previous table to spread (for example, those that spread over cell phones).
- Trojans (including ransomware);
Subcategory: Trojans
Threat level: high
Unlike worms and viruses, Trojans do not self-replicate. For example, they penetrate a computer via email or a browser when the user visits an infected web page. Trojans are started with the user's participation. They begin performing their malicious actions right after they are started.
Different Trojans behave differently on infected computers. The main functions of Trojans consist in blocking, modifying, or destroying information, and disabling computers or networks. Trojans can also receive or send files, run them, display messages on the screen, request web pages, download and install programs, and restart the computer.
Hackers often use "sets" of various Trojans.
Types of Trojan behavior are described in the following table.
Types of Trojan behavior on an infected computer (each entry gives the type, its name in parentheses, and a description):

Trojan-ArcBomb (Trojans – "archive bombs"): When unpacked, these archives grow in size to such an extent that the computer's operation is impacted.
When the user attempts to unpack such an archive, the computer may slow down or freeze; the hard disk may become filled with "empty" data. "Archive bombs" are especially dangerous to file and mail servers. If the server uses an automatic system to process incoming information, an "archive bomb" may halt the server.

Backdoor (Trojans for remote administration): They are considered the most dangerous type of Trojan. In their functions, they are similar to remote administration applications that are installed on computers.
These programs install themselves on the computer without being noticed by the user, allowing the intruder to manage the computer remotely.

Trojan (Trojans): They include the following malicious applications:
- Classic Trojans. These programs perform only the main functions of Trojans: blocking, modifying or destroying information, and disabling computers or networks. They do not have any advanced features, unlike the other types of Trojans that are described in the table.
- Versatile Trojans. These programs have advanced features typical of several types of Trojans.

Trojan-Ransom (Ransom Trojans): They take the user's information "hostage", modifying or blocking it, or impact the computer's operation so that the user loses the ability to use information. The intruder demands a ransom from the user, promising to send an application to restore the computer's performance and the data that had been stored on it.

Trojan-Clicker (Trojan clickers): They access web pages from the user's computer, either by sending commands to a browser on their own or by changing the web addresses that are specified in operating system files.
By using these programs, intruders perpetrate network attacks and increase website visits, increasing the number of displays of banner ads.

Trojan-Downloader (Trojan downloaders): They access the intruder's web page, download other malicious applications from it, and install them on the user's computer. They can contain the file name of the malicious application to download, or receive it from the web page that is accessed.

Trojan-Dropper (Trojan droppers): They contain other Trojans, which they extract to the hard drive and then install.
Intruders may use Trojan Dropper–type programs for the following goals:
- Install a malicious application without being noticed by the user: Trojan Dropper–type programs display no messages, or display fake messages which inform, for example, of an error in an archive or an incompatible version of the operating system.
- Protect another known malicious application from detection: not all anti-virus software can detect a malicious application within a Trojan Dropper–type application.

Trojan-Notifier (Trojan notifiers): They inform an intruder that the infected computer is accessible, sending the intruder information about the computer: IP address, number of an open port, or email address. They connect with the intruder via email, FTP, accessing the intruder's web page, or in another way.
Trojan Notifier–type programs are often used in sets that are made of several Trojans. They notify the intruder that other Trojans have been successfully installed on the user's computer.

Trojan-Proxy (Trojan proxies): They allow the intruder to anonymously access web pages by using the user's computer; they are often used for sending spam.

Trojan-PSW (Password-stealing-ware): Password-stealing-ware is a kind of Trojan that steals user accounts, such as software registration data. These Trojans find confidential data in system files and in the registry and send it to the "attacker" by email, via FTP, by accessing the intruder's web page, or in another way.
Some of these Trojans are categorized into separate types that are described in this table. These are Trojans that steal bank accounts (Trojan-Banker), steal data from users of IM clients (Trojan-IM), and steal information from users of online games (Trojan-GameThief).

Trojan-Spy (Trojan spies): They spy on the user, collecting information about the actions that the user makes while working at the computer. They may intercept the data that the user enters at the keyboard, take screenshots, or collect lists of active applications. After they receive the information, they transfer it to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.

Trojan-DDoS (Trojan network attackers): They send numerous requests from the user's computer to a remote server. The server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS). Hackers often infect many computers with these programs so that they can use the computers to attack a single server simultaneously.
DoS programs perpetrate an attack from a single computer with the user's knowledge. DDoS (Distributed DoS) programs perpetrate distributed attacks from several computers without being noticed by the user of the infected computer.

Trojan-IM (Trojans that steal information from users of IM clients): They steal account numbers and passwords of IM client users. They transfer the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.

Rootkit (Rootkits): They mask other malicious applications and their activity, thus prolonging the applications' persistence in the operating system. They can also conceal files, processes in an infected computer's memory, or registry keys which run malicious applications. The rootkits can mask data exchange between applications on the user's computer and other computers on the network.

Trojan-SMS (Trojans in the form of SMS messages): They infect cell phones, sending SMS messages to premium-rate phone numbers.

Trojan-GameThief (Trojans that steal information from users of online games): They steal account credentials from users of online games, after which they send the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.

Trojan-Banker (Trojans that steal bank accounts): They steal bank account data or e-money system data and send the data to the hacker by email, via FTP, by accessing the hacker's web page, or by using another method.

Trojan-Mailfinder (Trojans that collect email addresses): They collect email addresses that are stored on a computer and send them to the intruder by email, via FTP, by accessing the intruder's web page, or in another way. Intruders may send spam to the addresses they have collected.
- Malicious tools;
Subcategory: Malicious tools
Danger level: medium
Unlike other types of malware, malicious tools do not perform their actions right after they are started. They can be safely stored and started on the user's computer. Intruders often use the features of these programs to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, hack computers, or perform other malicious actions.
Various features of malicious tools are grouped by the types that are described in the following table.
Features of malicious tools (each entry gives the type, its name in parentheses, and a description):

Constructor (Constructors): They allow creating new viruses, worms, and Trojans. Some constructors boast a standard window-based interface in which the user can select the type of malicious application to create, the way of counteracting debuggers, and other features.

DoS (Network attacks): They send numerous requests from the user's computer to a remote server. The server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS).

Exploit (Exploits): An exploit is a set of data or a program code that uses vulnerabilities of the application in which it is processed, performing a malicious action on a computer. For example, an exploit can write or read files, or request "infected" web pages.
Different exploits use vulnerabilities in different applications or network services. Disguised as a network packet, an exploit is transmitted over the network to numerous computers, searching for computers with vulnerable network services. An exploit in a DOC file uses the vulnerabilities of a text editor. It may start performing the actions that are preprogrammed by the hacker when the user opens the infected file. An exploit that is embedded in an email message searches for vulnerabilities in any email client. It may start performing a malicious action as soon as the user opens the infected message in this email client.
Net-Worms spread over networks by using exploits. Nuker exploits are network packets that disable computers.

FileCryptor (Encryptors): They encrypt other malicious applications to conceal them from the anti-virus application.

Flooder (Programs for "contaminating" networks): They send numerous messages over network channels. This type of tools includes, for example, programs that contaminate Internet Relay Chats.
Flooder-type tools do not include programs that "contaminate" channels that are used by email, IM clients, and mobile communication systems. These programs are distinguished as separate types that are described in the table (Email-Flooder, IM-Flooder, and SMS-Flooder).

HackTool (Hacking tools): They make it possible to hack the computer on which they are installed or attack another computer (for example, by adding new system accounts without the user's permission or by erasing system logs to conceal traces of their presence in the operating system). This type of tools includes some sniffers which feature malicious functions, such as password interception. Sniffers are programs that allow viewing network traffic.

Hoax (Hoaxes): They alarm the user with virus-like messages: they may "detect a virus" in an uninfected file or notify the user that the disk has been formatted, although this has not happened in reality.

Spoofer (Spoofing tools): They send messages and network requests with a fake address of the sender. Intruders use Spoofer-type tools to pass themselves off as the true senders of messages, for example.

VirTool (Tools that modify malicious applications): They allow modifying other malware programs, concealing them from anti-virus applications.

Email-Flooder (Programs that "contaminate" email addresses): They send numerous messages to various email addresses, thus "contaminating" them. A large volume of incoming messages prevents users from viewing useful messages in their inboxes.

IM-Flooder (Programs that "contaminate" traffic of IM clients): They flood users of IM clients with messages. A large volume of messages prevents users from viewing useful incoming messages.

SMS-Flooder (Programs that "contaminate" traffic with SMS messages): They send numerous SMS messages to cell phones.
- Adware;
Subcategory: advertising software (Adware)
Threat level: medium
Adware displays advertising information to the user. Adware programs display banner ads in the interfaces of other programs and redirect search queries to advertising web pages. Some of them collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.
- Auto-dialers;
Subcategory: legal software that may be used by criminals to damage your computer or personal data.
Danger level: medium
Most of these applications are useful, so many users run them. These applications include IRC clients, auto-dialers, file download programs, computer system activity monitors, password utilities, and Internet servers for FTP, HTTP, and Telnet.
However, if intruders gain access to these programs, or plant them on the user's computer, some of their features may be used to compromise security.
These applications differ by function; their types are described below (each entry gives the type, its name in parentheses, and a description):

Client-IRC (Internet chat clients): Users install these programs to talk to people in Internet Relay Chats. Intruders use them to spread malware.

Dialer (Auto-dialers): They can establish phone connections over a modem in hidden mode.

Downloader (Programs for downloading): They can download files from web pages in hidden mode.

Monitor (Programs for monitoring): They allow monitoring activity on the computer on which they are installed (seeing which applications are active and how they exchange data with applications that are installed on other computers).

PSWTool (Password restorers): They allow viewing and restoring forgotten passwords. Intruders secretly implant them on users' computers with the same purpose.

RemoteAdmin (Remote administration programs): They are widely used by system administrators. These programs allow obtaining access to the interface of a remote computer to monitor and manage it. Intruders secretly implant them on users' computers with the same purpose: to monitor and manage remote computers.
Legal remote administration programs differ from Backdoor-type Trojans for remote administration. Trojans have the ability to penetrate the operating system independently and install themselves; legal programs are unable to do so.

Server-FTP (FTP servers): They function as FTP servers. Intruders implant them on the user's computer to open remote access to it via FTP.

Server-Proxy (Proxy servers): They function as proxy servers. Intruders implant them on the user's computer to send spam under the user's name.

Server-Telnet (Telnet servers): They function as Telnet servers. Intruders implant them on the user's computer to open remote access to it via Telnet.

Server-Web (Web servers): They function as web servers. Intruders implant them on the user's computer to open remote access to it via HTTP.

RiskTool (Tools for working at a local computer): They provide the user with additional options when working at the user's own computer. The tools allow the user to hide files or windows of active applications and terminate active processes.

NetTool (Network tools): They provide the user with additional options when working with other computers on the network. These tools allow restarting them, detecting open ports, and starting applications that are installed on the computers.

Client-P2P (P2P network clients): They allow working on peer-to-peer networks. They can be used by intruders for spreading malware.

Client-SMTP (SMTP clients): They send email messages without the user's knowledge. Intruders implant them on the user's computer to send spam under the user's name.

WebToolbar (Web toolbars): They add toolbars to the interfaces of other applications to use search engines.

FraudTool (Pseudo-programs): They pass themselves off as other programs. For example, there are pseudo-anti-virus programs which display messages about malware detection. However, in reality, they do not find or disinfect anything.
- Detect other software that can be used by intruders to damage your computer or personal data;
Subcategory: legal software that may be used by criminals to damage your computer or personal data.
Danger level: medium
- Packed objects whose packing may be used to protect malicious code;
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.
To hide dangerous programs from anti-virus applications, intruders archive them by using special packers or create multi-packed files.
Kaspersky virus analysts have identified packers that are the most popular amongst hackers.
If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.
Kaspersky Endpoint Security singles out the following types of programs:
- Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
- Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.
- Multi-packed objects.
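The "multi-packed" rule above (an object packed three times by one or more packers) can be illustrated by peeling compression layers off an object and counting them. The following is an added example written for this page; it is not Kaspersky Endpoint Security's detection logic and it uses standard compression formats (gzip, bzip2, xz, zlib), identified by their magic bytes, as a stand-in for the proprietary packer signatures the text refers to. The threshold constant, the function names and the sample objects are all constructed for the illustration.

```python
import bz2
import gzip
import lzma
import zlib

# From the page: a multi-packed object has been packed three times by one or
# more packers. The name and value here are this example's own assumption.
MULTI_PACKED_THRESHOLD = 3


def identify_layer(data: bytes):
    """Return the name of the outermost packing layer, or None if unrecognised.

    Identification by magic bytes is a deliberate simplification for this
    example; a scanning engine uses far richer packer signatures.
    """
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz"
    if len(data) >= 2:
        # zlib header: compression method 8 (deflate) and a CMF/FLG check value
        # divisible by 31 (RFC 1950).
        cmf, flg = data[0], data[1]
        if cmf & 0x0F == 8 and ((cmf << 8) | flg) % 31 == 0:
            return "zlib"
    return None


UNPACKERS = {
    "gzip": gzip.decompress,
    "bzip2": bz2.decompress,
    "xz": lzma.decompress,
    "zlib": zlib.decompress,
}


def peel_layers(data: bytes, max_layers: int = 16):
    """Unpack layer after layer, recording each packer seen.

    Stops at an unrecognised blob (the inner payload), at a corrupt or
    truncated layer, or at max_layers so a hostile object cannot make the
    scanner loop without bound.
    """
    layers = []
    current = data
    while len(layers) < max_layers:
        kind = identify_layer(current)
        if kind is None:
            break
        try:
            current = UNPACKERS[kind](current)
        except Exception:
            # Damaged layer: keep the layers already confirmed and stop.
            break
        layers.append(kind)
    return layers, current


def classify(data: bytes):
    """Return (verdict, layers, innermost payload) for an object."""
    layers, payload = peel_layers(data)
    if len(layers) >= MULTI_PACKED_THRESHOLD:
        verdict = "multi-packed"
    elif layers:
        verdict = "packed"
    else:
        verdict = "plain"
    return verdict, layers, payload


# Constructed sample objects: a harmless text payload wrapped in one, two and
# three packing layers (not real malware, not taken from the page).
PAYLOAD = b"MZ constructed sample payload for the packing illustration"
DOUBLE_PACKED = lzma.compress(zlib.compress(PAYLOAD))
TRIPLE_PACKED = gzip.compress(bz2.compress(zlib.compress(PAYLOAD)))

if __name__ == "__main__":
    for name, obj in (("plain", PAYLOAD), ("double", DOUBLE_PACKED), ("triple", TRIPLE_PACKED)):
        verdict, layers, _ = classify(obj)
        print(f"{name}: {verdict} via {layers}")
```

The cap on `max_layers` is the part worth copying: an object that nests packers deeply is itself suspicious, and an unpacker that follows the layers without a limit trades a cheap verdict for unbounded CPU and memory use.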
- Viruses and worms
- Save your changes.
Types of detectable objects