
NetSafeGuard Intrusion Detection System Blueprint

Tony Jan, Lee Coulson and Patrick Tran

Version 6: 24/3/2006

1.0 Introduction

This requirements document contains the specification of an integrated network security framework. The framework provides complete security for computer systems against computer threats such as viruses, internet worms, spyware, intrusion attempts and spam emails. The systems currently available on the market suffer from high false alarm rates and cannot detect unknown attacks, because of the sophisticated and dynamic nature of malicious activity. In this project we aim to improve the robustness and detection accuracy of the decision engine in order to overcome this inefficiency. Besides this major focus, a wide range of supporting services is provided to boost the effectiveness of the system in terms of functionality and usability.

1.1 Scope

The project targets small and medium businesses. A centralized approach will be considered in order to safeguard a number of computers within a network. Initially, Microsoft Windows is the primary operating system focus.

1.2 Overview

The system - now marketed as NetSafeGuard - focuses on detecting various categories of computer threats:

  • Virus threats: compromise security of system (virus, worms, Trojans, security risks)
  • Spyware threats: compromise the privacy of system (spyware, adware)
  • Additional threats: Dialers, Joke programs, remote access, hack tools

1.3 Terminologies

Malware or "malicious software" is defined as the software designed to infiltrate or damage a computer system, without the owner's consent. This is the general term referring to computer threats such as computer viruses, Trojan horses, spyware and adware.

Computer viruses are self-replicating programs which spread by inserting copies of themselves into other executable code or documents, causing great harm to files or other programs on the same computer.

Worms are self-propagating computer viruses. Unlike a normal virus, a worm does not insert itself into other programs; rather, it exploits security holes in network server programs and starts itself running as a separate process. Worms scan the network for computers with vulnerable network services, break in to those computers, and copy themselves onto the target system.

Trojan Horses are closely related to computer viruses. They differ in that they do not attempt to replicate themselves. More specifically, a Trojan Horse performs some undesired -- yet intended -- action while, or in addition to, pretending to do something else.

Spyware differs from viruses and worms in that it does not usually self-replicate. It is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (some companies often use this data to send you unsolicited targeted advertisements) including financial information such as credit card numbers; monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

Adware is software that displays advertisements based on the information it collects from the user's browsing patterns. The advertisement pop-up windows are sometimes shown even if the user is not browsing the Internet. Some companies provide "free" software in exchange for advertising on the display. These classify as "adware" in the sense of advertising-supported software, but not as spyware because they do not operate surreptitiously or mislead the user.

Key Logger is identity theft software which copies the user's keystrokes when entering a password, credit card number, or other useful information, such as chat sessions and bank information. This is then automatically transmitted to the malware creator, enabling credit card fraud and other theft.

Browser hijackers are software that alters browser settings, such as the home page or search page, adds toolbars to the browser, and redirects traffic, often to counterfeit sites.

Dialers cause computers with a modem to dial up a long-distance telephone number instead of the usual ISP. This incurs long-distance or overseas call charges and can result in massive telephone bills.

2.0 System Features Summary

The system features are discussed in detail in the next section.

Menu / Function / Notes and sub-functions

Configuration
  • Protection modes
    • Real-time protection: at download time
    • Off-line protection: triggered manually or by a scheduler
  • Detection Engine
    • Compare to signature database
    • Heuristics (AI algorithms)
  • Scanning
    • (Viruses, internet worms, Trojan horses, spyware and adware)
    • (Viruses, internet worms, Trojan horses)
    • Scanning modes
      • Memory scans
      • Registry scans
      • Drive scans
      • Customized scans (folders and files)
      • Compressed files (depth: 1-4)
      • Exclusion
    • Corrective actions
      • Remove the detected malware
      • Quarantine
      • Automatically repair the infected file
      • Try to repair then quarantine if unsuccessful
      • Deny access to the infected file
      • Disconnect Internet/network (safe mode)
      • Restart/Reboot the computer

Scheduler
  • Update schedule
    • Manual update
    • Program start
    • Scheduled update
    • User defined
    • Hourly update
  • Malware scanning
    • System-start scans
    • Scheduled scans (when to scan)

Logging
  • Scanning history
  • System settings and behaviors
  • Software configurations
  • Network settings
  • System events
  • Firewall log

Update
  • Configurations
    • Direct update
    • Update through a Proxy Server

Tools
  • Virus Guard
    • Scanning (Viruses, internet worms, Trojan horses)
    • Rescue disk wizard
  • Browser guard: detects and removes browser hijackers
    • Script blocking
    • Pop-up blocking
    • Manage browser helper objects (BHO)
    • Manage cookies
  • System configurations guard
    • Startup settings
    • Registry settings
    • HOSTS file
    • ActiveX kill bits
    • Restricted sites
    • ActiveX controls
    • Browser settings
    • Winsock LSPs
  • Email Guard
    • Incoming and Outgoing email (attachment) scanning for virus
    • Spam filtering

Network Guard
  • Firewall
    • Packet filtering
    • Port scanning
  • Scheduler
  • Site guard
    • Content filtering
    • Prevent phishing sites (fake sites)
    • Prevent unwanted installation (programs downloaded from the Internet)

Software components
  • Bug reporting: system crashes
  • Help and registration

3.0 System Features Detail

3.1 Threat Detection

3.1.1 Protection modes

There are 2 protection modes for the target system. Different network security vendors have different strategies for different threats such as viruses, worms and spyware. Unlike Symantec Anti-Virus, which categorizes spyware programs as "extended threats" and does not offer real-time protection from them as it does for viruses, this system treats spyware as equivalent to viruses because of its severity. In particular, the system provides both real-time and off-line scanning against spyware, viruses and Internet worms.

a) Real-time protection

This protection mode prevents the installation of malware. In particular, the system scans incoming network data and disk files at download time, and blocks the activity of components known to represent malware.

b) Off-line protection

This protection mode can be triggered periodically or manually to scan the target system to detect any possible malware, and then remove it.

3.1.2 Scanning

This software aims to protect target systems from computer malware and threats such as viruses, internet worms, Trojan horses, spyware, adware, key loggers, browser hijackers and dialers. These threats can be detected by the scanning process. There are several scanning strategies which are associated with corrective actions. At the end of this process, a Security Report will be generated.

Scanning modes
  • Memory scans
  • Registry scans
  • Drive scans
  • Customized scans (folders and files)
Configurations
  • Exclusion: users can provide a white-list of items which will be ignored or excluded during the scanning process.
  • System start scans
  • Scheduled scans
Corrective Actions
  • Remove the detected malware
    • During the scanning process (terminate the running processes, remove registry keys)
    • On reboot (if the removal is refused due to access violation)
  • Quarantine: undo removals
  • Automatically repair the infected file
  • Try to repair then quarantine if unsuccessful
  • Deny access to the infected file

3.1.3 Rescue Disk Wizard

This allows the user to scan in DOS mode in cases of sharing violations, insufficient user access rights or infected system areas.

3.1.4 Browser Script Blocking

Browser Script blocking: enable, response (prompt user, stop suspicious activities and do not prompt)

3.1.5 Prevention Protection

Monitor changes to, or interference with, the system settings. If a suspicious action takes place, an alert is generated. The following are some commonly monitored sources:

  • Startup settings: programs to be initialized when the system starts.
  • Registry settings
  • HOSTS file
  • ActiveX kill bits
  • Restricted sites
  • ActiveX controls
  • Browser settings (Browser Helper Objects, homepage, search page)
  • Winsock LSPs
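As an added illustration (not part of the original blueprint), the following Python sketch implements the monitor for two of the sources above, the HOSTS file and the startup list: it hashes a baseline of each source, compares the current state against it, and applies a HOSTS-specific rule that flags any entry pointing a host name at an address other than the local machine, the redirection that 1.3 attributes to browser hijackers. The sample file contents, program names and addresses are constructed for the demonstration.

```python
import hashlib
import ipaddress

# Constructed sample contents of two monitored sources (not from the document).
# The "current" HOSTS file has gained two entries that send host names to a
# remote address; the startup list has gained one unknown program.
BASELINE_SOURCES = {
    "HOSTS": "# constructed baseline\n127.0.0.1 localhost\n::1 localhost\n",
    "Startup": "C:\\Program Files\\ExampleAV\\guard.exe\n",
}
CURRENT_SOURCES = {
    "HOSTS": ("# constructed current state\n127.0.0.1 localhost\n::1 localhost\n"
              "203.0.113.10 www.example-bank.test  # added later\n"
              "203.0.113.10 update.example-av.test\n"),
    "Startup": ("C:\\Program Files\\ExampleAV\\guard.exe\n"
                "C:\\Users\\Public\\toolbar_installer.exe\n"),
}


def snapshot(sources):
    """Hash every monitored source so a later comparison is cheap and exact."""
    return {name: hashlib.sha256(text.encode("utf-8")).hexdigest()
            for name, text in sources.items()}


def changed_sources(baseline_digests, current_digests):
    """Names of sources whose digest differs from (or is missing in) the baseline."""
    return sorted(name for name, digest in current_digests.items()
                  if baseline_digests.get(name) != digest)


def parse_hosts(text):
    """Return [(address, [host names])] from HOSTS text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Flag entries that map a host name to anything but the local machine."""
    flagged = []
    for address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, names, "unparseable address"))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((address, names, "non-local address"))
    return flagged


def check_system_settings(baseline_sources, current_sources):
    """One alert per changed source, plus one per suspicious HOSTS entry."""
    alerts = [f"{name}: content changed since baseline"
              for name in changed_sources(snapshot(baseline_sources),
                                          snapshot(current_sources))]
    for address, names, reason in suspicious_hosts_entries(
            current_sources.get("HOSTS", "")):
        alerts.append(f"HOSTS: {address} -> {', '.join(names)} ({reason})")
    return alerts


if __name__ == "__main__":
    for alert in check_system_settings(BASELINE_SOURCES, CURRENT_SOURCES):
        print(alert)
```

The hash comparison tells the operator that something changed; the HOSTS rule tells them what kind of change matters. The same baseline-and-compare pattern applies to the other sources in the list (startup entries, kill bits, LSP chain), each of which needs its own content-specific rule to turn "changed" into "suspicious".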

3.1.6 Email scanning

  • Incoming and Outgoing email scanning for viruses: runs at the POP3/SMTP protocol level, filtering incoming and outgoing e-mail messages regardless of the e-mail client used, without any additional configuration.
  • Spam filtering: allows users to avoid spam and unwanted advertising emails.
  • Anti-Phishing: avoids malicious e-mails that deceive users into giving away sensitive information such as personal details and bank account information.
  • Attachment filter: uses a heuristic email message filter to remove attachments (all executables, all documents, or selected extensions).
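The attachment filter described in the last item, as an added Python example that is not code from the original document: it parses a message with the standard library's `email` package, classifies each attachment as executable, document or other, and strips the categories or extensions the policy names. The message, addresses and file names are constructed; the extension sets are assumptions a deployment would tune. The classifier also looks at the first bytes of the payload so that an executable renamed to a harmless extension is still removed, which is the heuristic part of the filter.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment categories offered by the filter (constructed sets, tune per site).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".rtf"}
PE_MAGIC = b"MZ"   # first two bytes of a Windows executable


def build_sample_message():
    """Constructed sample message, not real mail: one body and three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(PE_MAGIC + b"\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # Executable bytes behind a text-file name: the extension lies, the bytes do not.
    msg.add_attachment(PE_MAGIC + b"\x90\x00 constructed", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def extension_of(filename):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_attachment(part):
    """Category of one MIME part: 'executable', 'document' or 'other'."""
    ext = extension_of(part.get_filename())
    payload = part.get_payload(decode=True) or b""
    if ext in EXECUTABLE_EXTENSIONS or payload.startswith(PE_MAGIC):
        return "executable"
    if ext in DOCUMENT_EXTENSIONS:
        return "document"
    return "other"


def filter_attachments(raw_message, remove_categories=("executable",), remove_extensions=()):
    """Strip matching attachments; return (filtered message bytes, removed file names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    removed = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or "(unnamed)"
        if (classify_attachment(part) in remove_categories
                or extension_of(name) in remove_extensions):
            msg.get_payload().remove(part)   # drop the MIME part in place
            removed.append(name)
    return msg.as_bytes(), removed


def attachment_names(raw_message):
    """File names of the attachments still present in a message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return [part.get_filename() for part in msg.iter_attachments()]


if __name__ == "__main__":
    filtered, dropped = filter_attachments(build_sample_message())
    print("removed:", dropped, "kept:", attachment_names(filtered))
```

Because the filter works on the parsed MIME structure rather than on the raw POP3/SMTP byte stream, the same code serves either direction; a proxy at the protocol level would buffer a complete message, run `filter_attachments`, and forward the rebuilt bytes.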

3.1.7 Prevent Unwanted Installation

  • Prompt users for the confirmation to download a suspicious file from any website.
  • Scan software downloaded from the Internet such as freeware before starting the installation process.

3.1.8 Detection Engine

  • Compare to signature database: this engine is simply a comparator that observes different system parameters (network traffic, file system, installed programs, behaviors) and compares them against the available signatures.
  • Heuristics: protect the system from unknown viruses by detecting malicious pieces of code for which signatures have not yet been released. Candidate algorithms:
    • Decision tree
    • Neural Network: MLP, RBFNN, GRNN, MPNN, BMPNN
    • Meta learning: combine the results from different algorithms to improve accuracy
    • Support vector machine
    • Genetic algorithms
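The signature-comparator half of the engine, written out as an added Python example (not the project's code). It keeps a small signature database of whole-file hashes and byte patterns, scans a buffer against it, and descends into ZIP archives up to the configurable nesting depth that the "Compressed files (depth: 1-4)" option in 3.1.2 refers to, reporting an archive that exceeds the depth as not scanned instead of silently skipping it. The signatures and the nested archive are constructed for the demonstration and are not real malware signatures.

```python
import hashlib
import io
import zipfile

# Constructed signature database: one whole-file hash signature and one byte-pattern
# signature. Demonstration values only, not real malware signatures.
SIGNATURES = {
    "hash": {hashlib.sha256(b"constructed sample payload A").hexdigest(): "Sample.A"},
    "bytes": [(b"CONSTRUCTED-MARKER-B", "Sample.B")],
}


def match_signatures(data, db=SIGNATURES):
    """Names of all signatures that match a byte buffer (hash first, then patterns)."""
    hits = []
    name = db["hash"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    hits.extend(sig for pattern, sig in db["bytes"] if pattern in data)
    return hits


def scan_buffer(name, data, max_depth=2, depth=0, db=SIGNATURES):
    """Scan one object; descend into ZIP archives up to max_depth nested levels.

    Returns [(object path, finding)]. An archive nested deeper than max_depth is
    reported as not scanned so that the Security Report shows the coverage gap.
    """
    findings = [(name, hit) for hit in match_signatures(data, db)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= max_depth:
        findings.append((name, "not scanned: archive depth limit reached"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            findings.extend(scan_buffer(f"{name}/{info.filename}", archive.read(info),
                                        max_depth, depth + 1, db))
    return findings


def build_nested_archive():
    """Constructed test input: a ZIP containing a ZIP containing the hash-signed sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("a.bin", b"constructed sample payload A")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("readme.txt", b"harmless text")
    return outer.getvalue()


if __name__ == "__main__":
    for path, finding in scan_buffer("outer.zip", build_nested_archive(), max_depth=2):
        print(path, "->", finding)
```

A whole-file hash only matches an identical file, which is why the database also carries byte patterns, and why the heuristic algorithms listed above are needed for code that matches neither.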

3.1.9 Content Filter

This feature assists the browser to assess the suitability of a website to prevent security threats or inappropriate contents such as pornography.

3.1.10 Firewall

Features
  • Packet filtering
  • Port scanning
Options
  • Firewall TCP Security: Enable TCP stateful inspection
  • Firewall DNS security: Enable DNS inspection
  • Firewall fragmented packets security: Enable fragmented packets rejection
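The features and options above, as an added Python model (not code from the original document): a rule list in the column layout used for firewall rules later in this document (description, action, protocol, source and destination address and port, direction), first-match evaluation with a default deny, the three options (TCP stateful inspection, fragment rejection; DNS inspection is left out), a port-scan indicator derived from denied inbound packets, and log entries with the Firewall Log fields listed in 4.6. Rules, addresses and traffic are constructed; reading "Up/Down" as outgoing/incoming is our assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Summary of one packet as the filter sees it (constructed fields)."""
    direction: str          # "in" (towards the protected host) or "out"
    protocol: str           # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    application: str = ""   # owning program, when known
    fragment: bool = False  # non-initial IP fragment
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    """One row of the rule list; '*' matches anything, ports may be a range 'a-b'."""
    description: str
    action: str             # "Allow" or "Deny"
    protocol: str = "*"
    src_ip: str = "*"       # "*" or a CIDR such as "192.168.1.0/24"
    src_port: str = "*"
    dst_ip: str = "*"
    dst_port: str = "*"
    direction: str = "*"

    def matches(self, pkt):
        return (self.protocol in ("*", pkt.protocol) and self.direction in ("*", pkt.direction)
                and _ip_match(self.src_ip, pkt.src_ip) and _ip_match(self.dst_ip, pkt.dst_ip)
                and _port_match(self.src_port, pkt.src_port)
                and _port_match(self.dst_port, pkt.dst_port))


def _ip_match(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


class Firewall:
    """First-match rule evaluation with default deny, plus stateful TCP and fragment options."""

    def __init__(self, rules, tcp_stateful=True, reject_fragments=True):
        self.rules, self.tcp_stateful, self.reject_fragments = list(rules), tcp_stateful, reject_fragments
        self.connections = set()   # (local ip, local port, remote ip, remote port) opened outbound
        self.log = []              # entries with the fields of the Firewall Log entry in 4.6
        self.denied_ports = {}     # remote ip -> local ports it was denied on (port-scan indicator)

    def filter(self, pkt, timestamp):
        if self.reject_fragments and pkt.fragment:
            return self._record(pkt, timestamp, "Deny", "fragmented packet rejected")
        if self.tcp_stateful and pkt.protocol == "TCP" and pkt.direction == "in" and not pkt.syn_only:
            if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
                return self._record(pkt, timestamp, "Allow", "reply on established connection")
        action, reason = "Deny", "default deny"
        for rule in self.rules:
            if rule.matches(pkt):
                action, reason = rule.action, rule.description
                break
        if action == "Allow" and self.tcp_stateful and pkt.protocol == "TCP" and pkt.direction == "out":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if action == "Deny" and pkt.direction == "in":
            self.denied_ports.setdefault(pkt.src_ip, set()).add(pkt.dst_port)
        return self._record(pkt, timestamp, action, reason)

    def _record(self, pkt, timestamp, action, reason):
        # Assumption: "Up" = outgoing, "Down" = incoming.
        local, remote = (pkt.src_ip, pkt.dst_ip) if pkt.direction == "out" else (pkt.dst_ip, pkt.src_ip)
        entry = {"Time/Date": timestamp, "Up/Down": "Up" if pkt.direction == "out" else "Down",
                 "Local IP": local, "Remote IP": remote, "Protocol": pkt.protocol,
                 "Application": pkt.application, "Action": action, "Reason": reason}
        self.log.append(entry)
        return entry

    def port_scan_suspects(self, min_ports=3):
        """Remote addresses denied on at least min_ports distinct local ports."""
        return sorted(ip for ip, ports in self.denied_ports.items() if len(ports) >= min_ports)


# Constructed rule set and traffic sample (not from the document).
RULES = [
    Rule("Web browsing (HTTPS)", "Allow", protocol="TCP", dst_port="443", direction="out"),
    Rule("Web browsing (HTTP)", "Allow", protocol="TCP", dst_port="80", direction="out"),
    Rule("LAN file sharing", "Allow", protocol="TCP", src_ip="192.168.1.0/24", dst_port="445", direction="in"),
]
HOST = "192.168.1.10"
TRAFFIC = [
    Packet("out", "TCP", HOST, 51000, "203.0.113.5", 443, application="browser.exe"),
    Packet("in", "TCP", "203.0.113.5", 443, HOST, 51000),                  # reply to the above
    Packet("in", "TCP", "198.51.100.7", 40000, HOST, 3389, syn_only=True),  # unsolicited probes
    Packet("in", "TCP", "198.51.100.7", 40000, HOST, 22, syn_only=True),
    Packet("in", "TCP", "198.51.100.7", 40000, HOST, 23, syn_only=True),
    Packet("in", "TCP", "198.51.100.7", 40000, HOST, 51000),               # "reply" from the wrong peer
    Packet("in", "UDP", "198.51.100.7", 53, HOST, 1025, fragment=True),
    Packet("in", "TCP", "192.168.1.20", 50000, HOST, 445, syn_only=True),
]


def run_demo():
    """Push the constructed traffic through the rules and return the firewall with its log."""
    fw = Firewall(RULES)
    for i, pkt in enumerate(TRAFFIC):
        fw.filter(pkt, f"2006-03-24 10:00:{i:02d}")
    return fw
```

The stateful table is what lets the reply from 203.0.113.5 through without an inbound rule while the packet from 198.51.100.7 aimed at the same local port is refused: only connections the host opened itself are in the table. The depth of that table is the option's cost; without a timeout on idle entries it grows without bound.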

3.1.11 Anti spyware and Anti adware

  • Avoid malicious behavior and degradation of system performance such as significant unwanted CPU activity, disk usage and network traffic, which are symptoms of spyware and adware infection.
  • Prevent unwanted toolbars and browser hijackers
  • Pop-up blocker: Pop-up advertisements created by adware
  • Anti Dialer: rules of access to phone modem (phone numbers, application, action)

3.2 Threat Reaction

3.2.1 Logging

  • Scanning history
  • System settings and behaviors
  • Software configurations
  • Network settings
  • System events
  • Firewall log

3.2.2 Update

Features
  • Software updates and upgrades: the software can repair itself if necessary by downloading damaged or missing files from the home servers.
  • Virus, spyware, adware and worm signature updates.
  • Besides its own updates, the system should be able to trigger the Windows Update feature of the OS so that OS-related system components such as IE can be updated. These security patches raise the overall security level of the system.
Update modes
  • Manual update: users can manually trigger the update process.
  • Program start
  • Scheduled update
  • User defined: users can manually update a black list of malicious behaviors as well as programs. This in fact adds new signatures to the attack signature database.
  • Hourly update: the most frequent update mode, in which the software is updated 24 times a day over the Internet.
Configurations
  • Direct update
  • Update through a Proxy Server

3.2.3 Bug Reporting

When an unknown system failure occurs, the users can send necessary system information to the software provider for further investigation.

3.2.4 Security Reporting

  • Useful statistics such as scanned files, detected malware
  • Graphical visual aids such as colored charts, diagrams and animation.
  • Options to customize graphical features
  • Scanning history
  • Link to the logging module
  • Exportable as HTML or pdf files.

3.3 Other Features

  • Shutdown PC when complete scanning

3.3.1 Damage Mitigation

Connect with Windows Backup or System Restore to protect the system from being corrupted by malware. In particular, an appropriate scheduling scheme will be generated to automate the system backup process.

3.3.2 Help Features

  • Security dictionary: basic definitions, concepts and theories.
  • Software Manual: how to use the software
  • FAQ
  • Link going to software provider’s main website
  • Software Version
  • Registration
    • Free, full-featured 15-day trial version, excluding all updates. After each manual scan, a warning message should prompt the user to register for the full version in order to be protected against new spyware through updates.
    • Countdown of how many days of the trial are left. Once the trial is over, the software must be disabled and unusable without a registration key.
    • License owners benefit from free virus definition updates and free product upgrades.

4.0 Non-functional Requirements

4.1 Installation

System requirements: a minimum standard hardware requirement to install and run the software. This software focuses on Windows platforms such as Windows 95, 98, Me, NT 4, 2000 and XP. It also supports popular browsers such as Internet Explorer, Netscape, Mozilla Firefox and Opera.

Post installation: After the installation completes, the user is prompted to restart the machine and a first-run scanning will be required at the start.

4.2 Modularization

The target system is a framework in which several modules are integrated to perform different tasks. These modules can be modified, replaced or upgraded independently without affecting the operation of the others. New modules can also be added for further functions with a minimum of modification to related modules.

4.3 Re-compiling

This system is considered a testbed for several experiments in which different modules can be modified and added. Therefore, users should be able to modify and recompile the system without difficulty or wasted time. This is achieved by designing the system carefully, with a reasonable hierarchy of classes and general interfaces, so that new modules can be written and plugged into the system. Detailed documents on how individual modules can be inherited or re-written should be provided.

4.4 Self-Security

The security system should be able to protect itself from being compromised by malware. In particular, it prevents malware from disabling software firewalls and anti-virus software, or from reducing browser security settings. One example of this is that the software can protect its own configuration file.
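One way to implement the configuration-file protection mentioned above, as an added Python example rather than the project's own code: the configuration is serialised canonically and sealed with an HMAC-SHA256 tag, and the loader refuses the file (falling back to built-in safe defaults) when the tag does not verify, so that a flipped protection switch is noticed rather than obeyed. The key, configuration values and file layout are constructed for the demonstration; the assumption that matters is that the key is stored where malware running as the user cannot read it (for instance, held by a service running under a separate account), since an attacker who can read the key can re-seal the file.

```python
import hashlib
import hmac
import json


class ConfigTampered(Exception):
    """Raised when the stored configuration fails its integrity check."""


def seal_config(config, key):
    """Serialise config canonically and append an HMAC-SHA256 tag on its own line."""
    body = json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"\n" + tag + b"\n"


def load_config(blob, key):
    """Return the configuration only if its tag verifies; otherwise raise ConfigTampered."""
    try:
        body, tag = blob.rstrip(b"\n").rsplit(b"\n", 1)
    except ValueError:
        raise ConfigTampered("missing integrity tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ConfigTampered("configuration modified or tag invalid")
    return json.loads(body.decode("utf-8"))


def load_or_fallback(blob, key, safe_defaults):
    """On tampering, run with the built-in safe defaults and report why."""
    try:
        return load_config(blob, key), None
    except ConfigTampered as exc:
        return dict(safe_defaults), str(exc)


# Constructed demonstration values; a real key must live outside the config file.
KEY = b"constructed-demo-key"
SAFE_DEFAULTS = {"real_time_protection": True, "firewall": True, "update_mode": "hourly"}


def demo():
    """Seal the defaults, flip one switch in the stored bytes, and load both versions."""
    sealed = seal_config(SAFE_DEFAULTS, KEY)
    tampered = sealed.replace(b'"real_time_protection":true',
                              b'"real_time_protection":false')
    intact, _ = load_or_fallback(sealed, KEY, SAFE_DEFAULTS)
    restored, reason = load_or_fallback(tampered, KEY, SAFE_DEFAULTS)
    return intact, restored, reason


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the key's storage: this guards against a process that can write the file but cannot read the key, which is the realistic case for a user-level installer that edits another product's settings, not against malware running with the same privileges as the guard itself.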

4.4.1 Self Revision of Security Policies

After each scan, the software computes a threat level for the current system. Based on this level, different strategies are planned and executed to provide the highest possible security for the system. These strategies include security policies for firewalls, IDS, scanning policies and update policies. For example, a high threat level would trigger the hourly update feature, which ensures that the defence system can deal with up-to-date attacks.

4.5 No Impact System Performance

  • Normal running: the software scans at the highest speed, which might use up system resources; this use of resources still needs to be affordable.
  • Run in background: the software can run as a background process with a low scanning speed. It scans on a schedule, or whenever the operating system is idle.

4.6 Data Structure Requirements

The software package needs an extensible data structure for signatures or definitions of computer threats, so that new threats can easily be described, added and evaluated. Some examples of data structures which may be used are given below:

  • Threat: name, size, file type
  • Events: date and time, source, user, event description
  • Scheduled task: name, start, next, run type, target file extension, analyze, Action for infected files, Action for suspected files, other details - name, type (scan/update), last start, next start, status, schedule for current user
  • Quarantined item: file name, name, suspect with, sent
  • Application: Application title, Executed Name, Version, # of rules, Mode
  • Firewall Log entry: Time/ Date, Up/ Down, Local IP, remote IP, Protocol, Application

4.7 User Interface

  • Basic Interface: for normal users
  • Advanced Interface: for advanced users such as administrator, experts.
  • Easy to navigate to different modules

5.0 Why NetSafeGuard differs from, and outperforms, others

This framework not only covers the complete range of services provided by other software packages, but also focuses on the "intelligence" of the decision engine. By applying a number of emerging Artificial Intelligence algorithms to the detection of unknown attacks, this system aims to improve system robustness and detection accuracy, and thereby to reduce false alarm rates.

The system can also be dynamically reconfigured to use different AI techniques such as Neural Network, Decision Trees … by using plug-in technology. By this, the system can act as a testbed which facilitates the testing process of different algorithms in the NetSec context.

6.0 Project Outcomes

6.1 Software Package

A network security software package will be created which will work in small and medium businesses. This software needs to satisfy all of the functional as well as non-functional requirements. It should be easy to maintain, readable and re-usable, through software engineering techniques such as interfaces, inheritance …

6.2 Documents

All documents involved in a professional software development cycle will be provided. They include

  • Requirements
  • Design: high level design, detail design
  • Source code + comments
  • Testing

7.0 Neural Network based Decision Support System Example

7.1 Overview

Paper One: Neural Network Decision Support System

This system reads records from a system log and feeds the data into a neural network which was trained with network traffic. The outcome is input to a risk scoring system which assesses how high the risk level of the network is at a given moment. This is the end of the detection process. The next step is to respond to the given level of risk using an Expert System. This ES takes rules and policies from third-party security sources and the company rule base. According to the expertise provided by those sources, recommended actions are suggested.

7.2 Descriptions

There are 3 major components: a NN, a Risk Scoring System (RSS) and an ES. Firstly, the NN is trained with log files retrieved from the specific log servers. These logs contain general information about network connections such as source and destination addresses, protocol and port numbers. The resulting NN is capable of classifying unseen data into different classes (normal or attack). The classification result is then passed to the RSS to compute the Risk Score associated with the network status. This process also uses methods and formulas provided by the Method Base.

After the score (which represents the risk of the network) has been calculated, it is compared against the risk thresholds configured by an ES. This ES has a system interface which handles the seamless data communication between sub-systems. The Knowledge Base of the ES contains rules and facts. The rules come from the company rule base, such as organizational security policies and company VPN information, while public standard security information (facts) such as computer virus databases, malicious web site lists and spam origins are collected from third-party security resources such as Symantec and McAfee. These sources can be updated dynamically by security expert communities. From these rules and facts, the Inference Engine correlates information and identifies the Risk Level from the computed Risk Score. Based on the risk level, the ES then suggests several corrective actions to terminate existing intrusions or prevent future attacks from occurring. The risk level and recommended actions are displayed by a user interface in several graphical forms (such as bar charts or pie charts). This interface can be accessed by the administrator through a secure Internet connection, with authentication and a secured protocol, or via a mobile facility such as a PDA or mobile phone. The accessibility of the system ensures that the relevant authorities are notified as soon as a security issue is identified, regardless of working hours; in other words, security violations are dealt with in a timely manner. The later sections of the report examine the details of the major sub-systems: the Classification component (NN), the RSS and the recommendation generator.
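The pipeline described in 7.1 and 7.2, together with the threat-level policy revision of 4.4.1, as one added Python example that is not code from the original document. A nearest-centroid classifier stands in for the trained NN (it is the simplest classifier that can be trained on the kind of per-connection records the section describes and whose output can be checked by hand); the RSS formula, the risk thresholds, the action rules and the policy table are all constructed assumptions, as are the training and window records. What the example shows is the data flow: classifier labels become a score, the score becomes a level through thresholds, and the level selects both recommended actions (7.2) and security policies such as switching to hourly updates (4.4.1).

```python
import math
from collections import Counter

# Constructed per-connection records: (packets, distinct destination ports, failed
# connection attempts), labelled "normal" or "attack". A real system trains on the
# log servers' records described in 7.2.
TRAINING = [
    ((120, 1, 0), "normal"), ((80, 1, 0), "normal"), ((200, 2, 1), "normal"), ((60, 1, 0), "normal"),
    ((30, 40, 35), "attack"), ((10, 25, 25), "attack"), ((45, 60, 58), "attack"), ((20, 30, 28), "attack"),
]

# Constructed Knowledge Base: risk levels by lower score bound, actions per level,
# and the policies that 4.4.1 re-plans from the threat level.
RISK_LEVELS = [(0, "Low"), (20, "Medium"), (50, "High"), (80, "Critical")]
ACTIONS = {
    "Low": ["continue scheduled scans"],
    "Medium": ["run a full system scan", "review the firewall log"],
    "High": ["block the offending sources at the firewall", "switch to hourly signature updates",
             "run a full system scan"],
    "Critical": ["disconnect the host from the network", "block the offending sources at the firewall",
                 "switch to hourly signature updates", "notify the administrator"],
}
POLICIES = {
    "Low": {"update": "scheduled", "scan": "scheduled"},
    "Medium": {"update": "scheduled", "scan": "system start"},
    "High": {"update": "hourly", "scan": "system start"},
    "Critical": {"update": "hourly", "scan": "immediate"},
}


def train_centroids(records):
    """Mean feature vector per class; this stand-in replaces the trained NN."""
    sums, counts = {}, Counter()
    for features, label in records:
        acc = sums.setdefault(label, [0.0] * len(features))
        for i, value in enumerate(features):
            acc[i] += value
        counts[label] += 1
    return {label: tuple(v / counts[label] for v in acc) for label, acc in sums.items()}


def classify(centroids, features):
    """Label of the nearest class centroid (Euclidean distance)."""
    return min(centroids, key=lambda label: math.dist(centroids[label], features))


def risk_score(labels):
    """RSS formula (constructed): percentage of the window's connections classified as attacks."""
    return 100.0 * sum(1 for label in labels if label == "attack") / len(labels) if labels else 0.0


def risk_level(score):
    """Inference step: the highest level whose lower bound the score reaches."""
    level = RISK_LEVELS[0][1]
    for bound, name in RISK_LEVELS:
        if score >= bound:
            level = name
    return level


def assess(window, centroids=None):
    """Classify a window of connection records and derive score, level, actions and policies."""
    centroids = centroids or train_centroids(TRAINING)
    labels = [classify(centroids, features) for features in window]
    score = risk_score(labels)
    level = risk_level(score)
    return {"labels": labels, "score": score, "level": level,
            "actions": ACTIONS[level], "policies": POLICIES[level]}


# Constructed window of four unseen connections.
SAMPLE_WINDOW = [(100, 1, 0), (15, 50, 48), (50, 35, 30), (150, 2, 1)]

if __name__ == "__main__":
    print(assess(SAMPLE_WINDOW))
```

With two of the four connections classified as attacks the score is 50, which the constructed thresholds map to "High": the ES recommends blocking the sources and a full scan, and the policy table switches updates to hourly, exactly the reaction 4.4.1 gives as its example. Replacing the centroid classifier with one of the networks listed in 3.1.8 changes only `train_centroids` and `classify`; the scoring and inference steps stay the same.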

8.0 Future Development

8.1 Network Intrusion Detection

This module complements traditional firewalls to detect possible attacks from outside as well as from inside the network. There are 2 separate modules providing this service:

  • Misuse detection: compare observed data with attack signatures of known attacks.
  • Anomaly detection: detect significant deviations from normal network behavior.

The two detection processes can be combined to provide more accurate detection.

8.2 Network Intrusion Prevention

This module complements the intrusion detection system by providing a number of corrective actions in response to detected attacks. It can reconfigure the firewall to prevent potential threats from a source.

8.3 Plug-in manager

This manager ensures that sub-modules work when they are plugged into the existing system. This allows the highest possible level of modularization.

8.4 Instant Notification

  • When: infected/ incurable/ suspicious
  • In response to a detected malicious behavior, the related authorities will be notified via a console, email, PDA, mobile phones immediately. Essential information about the events will be provided in those alerts.

8.5 Backing Up

An advanced backup mechanism will be implemented to avoid system interruption due to viruses. The essential parts of the operating system and important data specified by the users will be backed up periodically.

9.0 Appendices

9.1 Industry Review

In this section, a number of well-known security software packages are considered to determine their features, in the form of their menu hierarchy.

9.1.1 Evonsoft.Advanced.Spyware.Remover.Professional

Actions:
  • Scan spyware, adware
  • Infection immunizer
  • Scan system hijacker
Summary
  • Status: program version, reference of infection definitions, database file last updated
  • Options
    • General settings: alarm, confirmation before removing infections (delete or move to quarantine)
    • Start up settings: run at windows startup, launch Live updater
    • Ignore Manager: skip some items during the scan
Spyware Removal
  • Scan report
  • Quarantine Manager
System Anti-Hijack
  • Autorun list: programs run automatically
  • System service
  • System Association
  • Shell extensions
  • Browser settings
  • Browser ActiveX
  • Browser extensions
Tools
  • Process manager
  • Uninstall software
  • Active ports
  • Net sniffer
  • Process Dictionary: winamp.exe → General Software: WinAmp Media Player
Scan type
  • Quick scan (Process, Registry, Browser Cookie, Browser activity, File)
  • Full Scan
  • Custom scan
Live update

9.1.2 NeT Firewall (NT Kernel)

Overview: incoming protection (passed), outgoing protection (passed), blocked packets

Password Options: Set password to protect your security policy

Rule wizard: to create new rules

Options
  • Main
    • Start Up: Start Firewall engine on system start up / Start Management Console on user login
    • Management Console window: Show/ Hide Management Console on programs start
    • Management Console Start Up Configuration: Load last/ clear configuration of Firewall
    • Management console shutdown: allow/ block all when close Management Console, Don’t change configuration when close Management Console
  • Advanced
    • Firewall TCP Security: Enable TCP stateful inspection
    • Firewall DNS security: Enable DNS inspection
    • Firewall fragmented packets security: Enable fragmented packets rejection
NeT firewall as
  • Personal Firewall
  • Server Firewall
Network Interfaces
  • NIC 1
    • Log (Entry: in/out, Source IP:Port, Destination IP:Port, Protocol, num, Time first, Time last)
    • Port/Protocol Mapping (Description/Action. ID, Status, Protocol, Source IP, Source Port, Dest. IP, Dest. Port, Mapping IP:Port)
    • ICMP Security (rules: name, type, incoming: yes/no, outgoing: yes/no)
Rules
  • Rule List
    • Description/Action, ID, Status: Allow/Deny, Protocol, Source IP, Source Port, Dest. IP, Dest. Port, Direction, Interface
  • Create New Rule
Active Connection
Log

Aliases: Description, Network computers

Functionality: advertisements

Home Page

9.1.3 Norton anti-virus

Live update: IDS, internet worm protection signatures, virus definition, security response submission, software updates, trusted application list

Options
  • System
    • Auto protect
      • How to auto-protect: Enable, start when Windows starts up, show icon in the tray
      • How to response when a virus is found: automatically repair the infected file, try to repair then quarantine if unsuccessful, deny access to the infected file
      • Which file types to scan for viruses: comprehensive file scanning, scan files using SmartScan, scan within compressed files
      • Bloodhound heuristics (new and unknown virus): highest, default and lowest level of protection
      • Advanced: what to do when facing floppy disks (scan when mounted, shut down), compressed files (display alerts), increase windows start up protection (load auto-protect during system boot)
      • Exclusions
    • Script blocking: enable, response (prompt user, stop suspicious activities and do not prompt)
    • Manual scan
      • Items to scan in addition to files: boot records, master boot records
      • Response: automatically repair the infected file, prompt, try to repair, then quarantine if unsuccessful
      • File types to scan: comprehensive file scanning, using SmartScan, scan within compressed files, active programs and start up files
      • Bloodhound
      • Exclusions
  • Internet
    • Email
      • What to scan: incoming, outgoing
      • Response: Auto repair, prompt, repair then quarantine/ silently quarantine / silently delete if unsuccessful
      • Enable worm blocking, alert when scanning email attachments
      • Advanced: against timeout, display tray icon, display progress indicator when sending emails
    • Internet worm Protection
      • Enable
      • Program Control: program, internet access control
      • General rules, Trojan horse, autoblock rules
    • Instant Messenger
      • AOL, MSN, Yahoo
      • Response: auto repair, prompt, repair then quarantine if unsuccessful
      • Notify the source of an infected file: alert sender
    • Live update
      • Enable
      • Apply updates automatically, prompt me
  • Other
    • Threat categories
      • Virus threats: compromise security of system (virus, worms, Trojans, security risks)
      • Spyware threats: compromise the privacy of system (spyware, adware)
      • Additional threats: Dialers, Joke programs, remote access, hack tools
    • Options
      • Manual scanner, email scanner, instant messenger scanner
      • Delete threat: create backup in quarantine

Status: auto-protect, internet worm protection, email scanning, full system scan, virus definitions, renewal date, automatic live update

Scan for viruses: my computer, removable drives, floppy disks, drives, folders, files

Reports: quarantined items, online virus encyclopedia, activity log

9.1.4 Tauscan v1.7

Scan
Options
  • Misc
    • Memory, archives, Files
    • Update scheduler
  • File types: extension
  • Actions: Prompt For Delete, Delete, Report only, copy to folder
  • Log: create, append, HTML, plain text, location of log file
  • Analyzer: Scan priority
  • Sound: alarm

Database: Trojan database, date

  • Mail, FTP, keylogger, Telnet, Fake, Remote Access, Other, Form, IPX

Log: view the log file

Wizard
Update
Register
Exit

9.1.5 PC Security Suite

Packet filtering, Port scanning, IP/Website protection, email anomaly detection, Advanced Application Protection

Main menu
  • Internet Security (Internet use): High Low Custom
  • Network Security (IP) : High Low Custom
  • Trusted / Blocked Sites and IP Addresses: URL/ IP Address, Net Mask

Applications: Application, Executed Name, Version, # of rules, Mode

Firewall Log: Time/ Date, Up/ Down, Local IP, remote IP, Protocol, Application

Port Tracking: Application, PID, Protocol, Local IP, remote IP

Spyware Scanner
  • Scanning: Memory, Registry, Cookies, Common locations, Selected path
  • Select folders, scan, deleted checked
  • Quarantine: Adware, Hijacker, Spyware, P2P, Browser Helper Object, Toolbar, Commercial RAT, tracking cookie
    • Each item: Name of process, risk: low/high, threat: confidentiality/ productivity/ liability, Advise: delete/ ignore
Anti-Virus
  • Scanning: Memory, boot sector, my computer, user objects
  • Buttons
    • Select user objects
    • Scan options
      • Scan speed (slow, average, fast)
      • Engine
      • Action if virus found (try to repair, then quarantine/ delete if unsuccessful, quarantine, delete, prompt user for each instance, no action)
      • Action if Trojan found (Delete Trojan and remove infected/ all macro code, delete Trojan only, no action)
      • Use heuristic mode (to scan for newer viruses with undocumented signatures)
      • Use system cure (used to repair infectors such as worms, malicious registry entries, keys and files)
      • Scan NTFS data stream
      • Filter: scan archives, determine archive by extension, stop at first infection in archive, scan migrated files, skip scanned archive as regular file
    • Scan
    • Update: keep signature up-to-date
Settings
  • Display Main menu: every time this software is launched, when a dial-up connection is established
  • Display alerts: When this software has blocked incoming/ outgoing traffic
  • Email anomaly detection: training period (days), training statistics (training days completed, total emails sent, total email recipients), block all outbound email, enable detection
  • Advanced application settings: applications that may attempt to gain Internet or network access through other applications
Reset to default

Profiles: Home (My Computer), Office (network), remote

Firewall: On/Off, Filter traffic: Allow, filter, deny

Reports
  • Advanced reports
  • HTML port tracking reports
  • HTML firewall log

9.1.6 AntiVir PersonalEdition Classic

Status

Scanner: local drives, local hard disks, removable drives, windows system directory, My documents, manual selection

Guard: Last scanned file, last detection, statistics (number of files, messages, deleted files, repaired files, moved files, renamed files)

Quarantine: Object type, restored, sent, detection, date/time, engine, VDF, Source

Scheduler: name, action, frequency, display mode, activated

  • Complete System scan
  • Daily update
Report

9.1.7 AVG Anti-Virus Professional Single Edition

Test center
  • Actions: Scan computer, Scan selected areas, Check for updates
  • Program settings: test result maintenance (delete after, stored at), test result display (show last, sort), date time format

Event history log: date and time, source, user, event description

Administrator Options
  • User interface: advanced/basic interface, test manager, Control center, scheduler, rescue disk wizard, online registration, submit bug report, language selection, virus vault

Control Center: contains several MODULES

  • Resident shield: on-access antivirus scanning of executable files and documents
    • Enable
    • Scan all files
    • Scan infectable files
    • Scan floppy drives, use heuristic analysis, on-close scanning, scan potentially unwanted programs
    • Excludes
    • General
  • Internal Virus Database
  • Scheduler: tests and updates (name, type: test/update, last start, next start, status, schedule for current user)
  • Update manager
    • Update upon next computer restart
    • Update immediately: prompt, auto, complete at next restart
    • Display information about update process
    • Require confirmation to close running applications
    • General
  • Email scanner
    • Plugins: select, disable
    • Pre-defined test configuration
    • Customize
      • Name, description
      • Check incoming/ outgoing email, certify email, with attachment only
      • Properties: use heuristic analysis, scan inside archives, move password protected archives to the Virus Vault
      • Attachment filter: use heuristic email message filter, remove attachments (all executables, all documents, remove some extensions)
  • License
  • Shell extension: scanning in the Windows Explorer context menu
  • Virus Vault: Virus quarantine, safe storage for infected files

Update: from internet, folder

Language selection

Rescue Disk Wizard: allows scanning in DOS mode in cases of sharing violations, insufficient user access rights, or infected computer system areas

Report: damaged executable files, potentially unwanted programs, password protected files, locked files, warning during heuristic analysis, documents containing macros, hidden file extensions

Actions
  • When a virus detected: auto heal, prompt, continue testing
  • When warning displayed: continue scanning, activate scanning window, display warning information

9.1.8 BitDefender Professional

General
  • Status: Enable Virus Shield, antispam, firewall, auto update
  • Registration: enable password protection
  • Settings: start up, display, alert, user interface
  • Events: type, date, time, description
  • About

Antivirus: has many engines

  • Shield
    • Scan incoming, outgoing emails
    • Scan accessed files
    • Registry control
    • Alert
    • Statistics: last scanned, total scanned, total infected
  • Scan: select drives, settings
  • Scheduler: name, start, next, run type, target file extension, analyze, Action for infected files, Action for suspected files, other details
  • Quarantine: file name, name, suspect with, sent
  • Report
Options
  • Scanning: boot sectors, files (all, executable, user defined extensions, packed programs, email, archives), use heuristic detection, delete incomplete virus bodies, scan riskware, prompt for reboot
  • Action: (infected or suspect file) prompt, disinfect, delete, rename, copy, move files to quarantine
  • Report: show all scanned files, report file
  • Other:
    • Scan with low priority, shutdown PC when complete scanning, submit suspect files to the Lab


Firewall
  • Status
    • Enabled
    • Block all
    • Statistics
  • Programs: internet access rules (application name, type, direction, action, application)
  • Dial: rules of access to phone modem (phone numbers, application, action)
  • Script: accept/deny domain scripts (ActiveX controls, JavaScript, applets, VB Scripts) (domain, action).
  • Cookies: direction, domain, actions
Antispam
  • Status
    • Enable
    • Tolerance level: tolerant to aggressive
    • Friends / Spammer list
    • Statistics: received emails, spam
  • Settings
    • Mark subject as spam / phishing
    • Auto add to friend/spam list
    • Limit the dictionary size to 200,000 words
    • Filters: heuristic, Bayesian, friends/spammers list, url, image filters
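The antispam settings above combine a statistical (Bayesian) filter with a friends/spammers list and a tolerance level that runs from tolerant to aggressive. The following is an added example that is not code from the document or from BitDefender: a naive-Bayes spam filter with Laplace smoothing in which the tolerance level sets the probability cutoff and the friends/spammers list overrides the statistical verdict. The training messages, addresses and cutoff values are constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokenize(text: str) -> list:
    return TOKEN.findall(text.lower())


class SpamFilter:
    # Constructed mapping from the UI's tolerance level to a spam-probability
    # cutoff: "tolerant" needs a higher score before calling a mail spam.
    TOLERANCE = {"tolerant": 0.95, "normal": 0.80, "aggressive": 0.60}

    def __init__(self, tolerance="normal", friends=(), spammers=()):
        self.cutoff = self.TOLERANCE[tolerance]
        self.friends = {a.lower() for a in friends}
        self.spammers = {a.lower() for a in spammers}
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text: str, is_spam: bool) -> None:
        words = self.spam_words if is_spam else self.ham_words
        words.update(tokenize(text))
        if is_spam:
            self.spam_msgs += 1
        else:
            self.ham_msgs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words) under naive Bayes with add-one smoothing."""
        if not self.spam_msgs or not self.ham_msgs:
            raise ValueError("train on at least one spam and one ham message")
        vocab = len(set(self.spam_words) | set(self.ham_words))
        spam_total = sum(self.spam_words.values())
        ham_total = sum(self.ham_words.values())
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)   # class priors
        log_ham = math.log(self.ham_msgs / total)
        for w in tokenize(text):
            log_spam += math.log((self.spam_words[w] + 1) / (spam_total + vocab))
            log_ham += math.log((self.ham_words[w] + 1) / (ham_total + vocab))
        # Convert the log-odds back to a probability without underflow.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, sender: str, text: str) -> str:
        """Friends/spammers list wins; otherwise apply the Bayesian cutoff."""
        sender = sender.lower()
        if sender in self.friends:
            return "ham"
        if sender in self.spammers:
            return "spam"
        return "spam" if self.spam_probability(text) >= self.cutoff else "ham"


def build_filter(tolerance: str = "normal") -> SpamFilter:
    """Train on a small constructed corpus (not real mail)."""
    f = SpamFilter(tolerance, friends=["alice@example.com"],
                   spammers=["deals@example.net"])
    for msg in ["cheap watches offer click here now",
                "win free money click now prize",
                "free prize offer cheap pills"]:
        f.train(msg, is_spam=True)
    for msg in ["meeting tomorrow about the project report",
                "please review the attached report draft",
                "lunch tomorrow after the project meeting"]:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter("normal")
    for text in ["free cheap offer click now", "project meeting report tomorrow",
                 "free prize lunch"]:
        print(f"{f.spam_probability(text):.3f}  {text}")
```

The borderline message "free prize lunch" scores about 0.83 on this corpus, so it is spam at the normal or aggressive setting but ham at the tolerant one, which is exactly the trade-off the tolerance slider exposes; the friends and spammers lists short-circuit the score entirely.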

Update: location, use proxy, auto schedule, prompt

9.1.9 Bkav2006 Pro

Options
  • Select drive
  • Select file types
  • Other options: auto clean, back up before cleaning, auto load at boot time

Schedule: every day, week, month, disable, specific time

Virus list: name, size, file type

Live update
  • Internet connection: use proxy, address, username, password, Port, periodically check for new versions (auto download, prompt)

License: user information, license information

About

9.1.10 ClamWin Free Antivirus

9.1.11 Dr.Web 4.33.1.12050 for Windows

Scheduler: title, next run, path, parameter

Control
  • Status
  • Load mode: auto, manual
Options
  • Performance: file list
  • Miscellaneous: system tray, protect configuration file, save “paused” state
  • Troubleshooting: Do not scan local network, removable disks
Notification
  • When: infected/ incurable/ suspicious
  • Recipients: send email/ message
Scan